IT Security RSS Feed for 2024-10-24
Government hails Cyber Essentials success
Published: Wed, 23 Oct 2024 11:00:00 GMT
Government Hails Cyber Essentials Success
The UK government has praised the success of its Cyber Essentials scheme, which has helped over 20,000 businesses protect themselves from common cyber threats.
Launched in 2014, Cyber Essentials is a government-backed certification scheme that provides businesses with practical guidance on how to protect their systems from cyber attacks. It is based on five key controls that businesses should implement to protect themselves from the most common cyber threats:
- Firewalls and Intrusion Detection Systems (IDS) to block unauthorized access to networks and systems.
- Secure Configuration to ensure that systems are configured securely and do not contain any vulnerabilities that could be exploited by attackers.
- Access Control to restrict access to systems and data to authorized users only.
- Malware Protection to detect and remove malware from systems.
- Patch Management to keep software up to date and patch any vulnerabilities that could be exploited by attackers.
Businesses that achieve Cyber Essentials certification are recognized for their commitment to cybersecurity. They can use the Cyber Essentials badge to demonstrate to customers and partners that they take cybersecurity seriously.
The success of Cyber Essentials is a testament to the government’s commitment to helping businesses protect themselves from cyber threats. The scheme has helped to raise awareness of cybersecurity issues and has provided businesses with the tools and guidance they need to protect themselves.
Benefits of Cyber Essentials
- Protection against common cyber threats
- Improved cybersecurity posture
- Enhanced reputation and trust
- Increased customer and partner confidence
- Reduced risk of cyber attacks
How to Get Cyber Essentials Certified
Businesses can get Cyber Essentials certified by following these steps:
- Complete a self-assessment to identify any areas where your business needs to improve its cybersecurity posture.
- Implement the required controls to address the areas identified in the self-assessment.
- Have your business assessed by a certified Cyber Essentials assessor.
- Achieve Cyber Essentials certification if your business meets the required standard.
Additional Resources
- Cyber Essentials website
- Cyber Essentials self-assessment tool
- List of certified Cyber Essentials assessors
Detect ransomware in storage to act before it spreads
Published: Wed, 23 Oct 2024 09:52:00 GMT
Detect Ransomware in Storage
1. Monitor File Changes:
- Track changes to files, including creation, deletion, and modification.
- Identify suspicious patterns, such as sudden bulk encryption or changes to file extensions.
2. Analyze Encryption Signatures:
- Use machine learning algorithms to detect known ransomware encryption signatures.
- Identify encrypted files and determine the type of ransomware involved.
3. Detect Anomaly in Data Access:
- Monitor access logs and audit reports for unusual activity.
- Identify accounts accessing large volumes of data at unexpected times or from unknown locations.
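The three detection steps above can be expressed as one small stream processor over storage events. The block below is an added example, not code from the article: it scores each file-change event for an extension change or an encrypted-looking write, raises a burst alert when one account accumulates many such events inside a sliding window, and compares each account's total activity against a per-account baseline. The event records, thresholds and baselines are constructed for illustration.

```python
"""Added example (not from the article): a small detector that consumes file-change
events from a storage system and flags the patterns the article lists: sudden bulk
rewrites, extension changes, and accounts touching unusual volumes of data. Event
records, thresholds and per-account baselines are constructed for illustration."""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds (constructed clock)
    account: str         # identity performing the operation
    op: str              # "create" | "modify" | "delete" | "rename"
    path: str
    new_path: str = ""   # target path for renames
    data: bytes = b""    # leading bytes written, used for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext or compressed data sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_reasons(ev: FileEvent, entropy_threshold: float) -> list:
    """Per-event indicators: an extension change on rename, or a write whose
    content looks encrypted."""
    reasons = []
    if ev.op == "rename" and ev.new_path:
        if os.path.splitext(ev.new_path)[1] != os.path.splitext(ev.path)[1]:
            reasons.append("extension-change")
    if ev.op in ("create", "modify") and shannon_entropy(ev.data) >= entropy_threshold:
        reasons.append("high-entropy-write")
    return reasons


def detect(events, window_s=60, burst_threshold=20, entropy_threshold=7.0,
           baseline_events_per_account=None):
    """Return (account, alert_type, ts) tuples.

    A burst alert fires the moment one account accumulates `burst_threshold`
    suspicious events inside a sliding `window_s` window. A volume alert fires
    when an account's total activity exceeds five times its historical baseline."""
    baseline = baseline_events_per_account or {}
    recent = defaultdict(deque)   # account -> timestamps of recent suspicious events
    volume = defaultdict(int)     # account -> total events seen
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        volume[ev.account] += 1
        if not suspicious_reasons(ev, entropy_threshold):
            continue
        window = recent[ev.account]
        window.append(ev.ts)
        while window and ev.ts - window[0] > window_s:
            window.popleft()
        if len(window) == burst_threshold:
            alerts.append((ev.account, "bulk-suspicious-changes", ev.ts))
    for account, count in volume.items():
        base = baseline.get(account)
        if base and count > 5 * base:
            alerts.append((account, "volume-anomaly", None))
    return alerts


def constructed_events():
    """Constructed sample: a backup service doing routine work, and one account that
    rewrites 25 documents as ciphertext-like data and renames them to a new extension."""
    encrypted = bytes(range(256)) * 4               # maximal entropy, stands in for ciphertext
    text = b"quarterly figures, draft v2\n" * 8
    events = []
    for i in range(5):
        events.append(FileEvent(900 + i, "svc-backup", "modify",
                                f"/share/finance/q{i}.txt", data=text))
    for i in range(25):
        src = f"/share/finance/report{i}.docx"
        events.append(FileEvent(1000 + i, "alice", "modify", src, data=encrypted))
        events.append(FileEvent(1000 + i + 0.5, "alice", "rename", src,
                                new_path=src + ".locked"))
    return events


def demo_alerts():
    return detect(constructed_events(),
                  baseline_events_per_account={"alice": 5, "svc-backup": 100})


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The burst alert fires on the twentieth suspicious event (here at 1009.5 s, halfway through the rewrite run), which is the point at which isolating the share still saves most of the data; the entropy threshold of 7.0 bits per byte is a constructed starting value and would need tuning against the real mix of already-compressed formats on a given share.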
Act Before it Spreads
1. Isolate Affected Storage:
- Disconnect the infected storage device from the network and other systems.
- Prevent further spread of ransomware by limiting access to the affected area.
2. Restore from Backups:
- If available, restore unaffected data from backups taken before the ransomware attack.
- Use immutable or offline backups to protect against ransomware that targets backup systems.
3. Notify Authorities and Seek Professional Help:
- Report the ransomware attack to law enforcement and incident response teams.
- Engage with cybersecurity experts to assist with containment, investigation, and recovery.
4. Implement Ransomware Mitigation Measures:
- Strengthen access controls and user permissions to prevent unauthorized access to storage.
- Enforce strong password policies and use multi-factor authentication.
- Install and maintain anti-malware and anti-ransomware software on all storage devices.
5. Educate Users:
- Train users on ransomware threats and best practices to avoid infection.
- Emphasize the importance of not clicking on suspicious links or opening unknown attachments.
Additional Best Practices:
- Regularly update storage software and firmware: Close security vulnerabilities that ransomware can exploit.
- Use segmented network architecture: Isolate storage devices from other parts of the network to limit the spread of ransomware.
- Implement data encryption at rest: Encrypt data stored on storage devices to protect it from unauthorized access.
- Test and validate recovery plans: Ensure that disaster recovery plans are up-to-date and can be executed quickly in the event of a ransomware attack.
How AI helps junior programmers and senior managers
Published: Wed, 23 Oct 2024 08:22:00 GMT
How AI Helps Junior Programmers
1. Code Generation and Refactoring:
- AI tools can automatically generate code snippets, saving junior programmers time and reducing errors in coding.
- They can also analyze code to suggest refactorings, improving code quality and maintainability.
2. Debugging and Error Detection:
- AI-powered debuggers can identify and locate errors in code more efficiently.
- They can also provide suggestions for resolving the errors, accelerating the debugging process.
3. Code Documentation and Understanding:
- AI tools can extract documentation from existing code, reducing the need for manual documentation by junior programmers.
- They can also provide insights into the code’s structure and behavior, easing the learning curve for junior developers.
4. Personalized Learning Paths:
- AI-based platforms can create tailored learning paths for junior programmers, identifying areas where they need support and providing customized content to bridge skill gaps.
5. Automated Code Review:
- AI-powered code review tools can assist junior programmers in understanding code quality guidelines and identify potential issues.
- This helps them develop their coding practices and improve their code early on.
How AI Helps Senior Managers
1. Project Management Optimization:
- AI algorithms can analyze project data to optimize resource allocation, task scheduling, and risk management.
- This helps senior managers make informed decisions, allocate resources effectively, and reduce project complexity.
2. Software Development Cost Estimation:
- AI-based tools can predict software development costs more accurately by considering project size, complexity, and team composition.
- This assists senior managers in budgeting and making informed investment decisions.
3. Resource Optimization:
- AI algorithms can identify skill gaps and recommend suitable candidates for hiring or training.
- They can also optimize team structures and manage workload distribution, ensuring efficient resource utilization.
4. Quality Assurance and Testing:
- AI-powered testing tools can automate the testing process, reducing manual effort and increasing test coverage.
- This allows senior managers to focus on strategic quality initiatives and ensure the delivery of high-quality software.
5. Agile Development Support:
- AI can facilitate agile development practices by tracking progress, identifying bottlenecks, and providing insights to improve team collaboration and productivity.
- This helps senior managers monitor project status and make timely adjustments to stay on schedule and within budget.
Democracy campaigner to sue Saudi Arabia over Pegasus and QuaDream spyware in UK court
Published: Wed, 23 Oct 2024 05:00:00 GMT
Democracy Campaigner to Sue Saudi Arabia over Pegasus and QuaDream Spyware in UK Court
A democracy campaigner is set to sue Saudi Arabia in a UK court over allegations that the kingdom used Pegasus and QuaDream spyware to target his phone.
Background:
- The democracy campaigner, Craig Murray, is a former British diplomat who has been critical of the Saudi government’s human rights record.
- In 2020, Murray’s phone was hacked using the Pegasus spyware, which can remotely access and control a target’s device.
- Murray believes that Saudi Arabia was behind the hack and has accused the kingdom of using the spyware to target dissidents and human rights activists.
Legal Action:
- Murray is now preparing to file a lawsuit against Saudi Arabia in the UK High Court.
- The lawsuit accuses the kingdom of:
  - Illegally hacking Murray’s phone
  - Violating his privacy rights
  - Engaging in surveillance that targeted his political activities and advocacy work
Evidence:
- Murray has provided evidence to support his claims, including:
  - A forensic analysis of his phone, which confirmed the presence of Pegasus spyware
  - Data from Amnesty International’s “Saudi Cables” investigation, which revealed that Saudi Arabia had purchased QuaDream spyware from the French company Exxelia Technologies
  - Information from former Saudi intelligence officials, who have alleged that the kingdom has used Pegasus and QuaDream spyware to target dissidents
Significance:
- The lawsuit is significant because it is the first time that a private individual has taken legal action against Saudi Arabia over the use of spyware.
- It could set a precedent for future cases and hold the kingdom accountable for its surveillance activities.
- It also highlights the growing concerns about the use of spyware by authoritarian governments to silence critics and suppress dissent.
Saudi Arabia’s Response:
- Saudi Arabia has denied the allegations and has not commented on the impending lawsuit.
- However, the kingdom has a history of using spyware to target dissidents and has been accused of human rights violations.
The lawsuit is expected to be filed in the coming months. The outcome of the case will be closely watched by human rights advocates and observers of the Saudi government’s behavior.
Danish government reboots cyber security council amid AI expansion
Published: Tue, 22 Oct 2024 08:00:00 GMT
Danish Government Reboots Cyber Security Council Amid AI Expansion
Copenhagen, Denmark - The Danish government has re-established its National Cyber Security Council (NCSC) to address the evolving cyber security landscape and the rapid expansion of artificial intelligence (AI).
The NCSC, which was originally established in 2017, will be responsible for advising the government on cyber security policy and strategy. It will also play a key role in coordinating efforts between the public and private sectors to enhance Denmark’s cyber resilience.
The council’s re-establishment comes at a time when AI is rapidly transforming various aspects of society, including cyber security. AI-enabled technologies have the potential to both increase and mitigate cyber threats.
“The rapid advances in AI present both opportunities and challenges for cyber security,” said Danish Minister of Defense Morten Bødskov. “The NCSC will play a crucial role in ensuring that Denmark is prepared to address the evolving cyber security landscape.”
The NCSC will be chaired by the Danish minister of defense and will include representatives from academia, industry, and government agencies. It will meet regularly to discuss current and emerging cyber security issues and provide guidance to the government.
In addition to its advisory role, the NCSC will also be responsible for coordinating research and development efforts in the field of cyber security. It will work closely with universities, research institutions, and industry partners to promote innovation and develop new technologies to protect Denmark from cyber threats.
The re-establishment of the NCSC is a significant step forward for Denmark’s cyber security preparedness. The council will provide the government with the necessary expertise and guidance to address the evolving cyber security landscape and ensure that Denmark remains a secure and prosperous digital society.
Labour’s 10-year health service plan will open up data sharing
Published: Tue, 22 Oct 2024 05:18:00 GMT
Labour’s 10-year health service plan will open up data sharing
Labour has announced a 10-year plan to reform the NHS, which includes a commitment to open up data sharing. The plan, which was unveiled at the party’s annual conference, aims to make the NHS more efficient and effective, and to improve patient care.
One of the key elements of the plan is a commitment to open up data sharing across the NHS. This means that data on patients’ health and care will be made available to researchers and other healthcare professionals, in order to improve the quality of care and develop new treatments.
The plan also includes a commitment to invest in new technology, such as artificial intelligence (AI), to help improve the efficiency of the NHS. AI could be used to automate tasks, such as scheduling appointments and processing test results, freeing up clinicians to spend more time with patients.
Labour’s 10-year health service plan is a welcome step towards improving the NHS. The commitment to open up data sharing and invest in new technology has the potential to make the NHS more efficient and effective, and to improve patient care.
Key points
- Labour has announced a 10-year plan to reform the NHS.
- The plan includes a commitment to open up data sharing across the NHS.
- This means that data on patients’ health and care will be made available to researchers and other healthcare professionals.
- The plan also includes a commitment to invest in new technology, such as AI, to help improve the efficiency of the NHS.
What does this mean for you?
- If you are a patient, the plan could mean that you have access to better care and treatment.
- If you are a healthcare professional, the plan could mean that you have access to more data and resources to help you provide better care to your patients.
What are the next steps?
- Labour will need to develop a detailed plan for how it will open up data sharing across the NHS.
- The party will also need to work with the NHS and other stakeholders to ensure that the plan is implemented effectively.
What is tailgating (piggybacking)?
Published: Thu, 17 Oct 2024 18:01:00 GMT
Tailgating (Piggybacking)
Tailgating, also known as piggybacking, is an unauthorized method of gaining access to a protected area or system by following closely behind an authorized person who opens a door, gate, or access point. The unauthorized individual “piggybacks” on the access of the authorized person.
How it Works:
- The unauthorized person waits near an access point until an authorized person approaches and uses their credentials to open the door or gate.
- The unauthorized person quickly follows behind the authorized person, taking advantage of the open door before it closes.
- This method exploits the fact that access control systems often do not have a mechanism to differentiate between authorized and unauthorized individuals once the access point is open.
Risks and Consequences:
- Security breach: Tailgating can allow unauthorized individuals to gain access to sensitive areas or systems.
- Data theft: Tailgaters could potentially access confidential data or steal devices.
- Physical harm: Tailgaters could harm employees or other authorized individuals within the protected area.
Prevention Measures:
- Employ access control systems that require multi-factor authentication or biometrics.
- Install anti-tailgating systems, such as sensors that detect unauthorized individuals behind authorized persons.
- Educate employees about the risks of tailgating and train them to be vigilant in observing and challenging suspicious individuals.
- Consider limiting employee access to sensitive areas only when necessary.
- Implement policies and procedures for reporting any suspected tailgating attempts.
How to build an incident response plan, with examples, template
Published: Wed, 16 Oct 2024 11:00:00 GMT
Building an Incident Response Plan
Step 1: Define the Incident
- Determine the types of incidents that your organization may face (e.g., data breaches, security attacks, natural disasters).
- Establish criteria for defining what constitutes an incident.
Step 2: Establish Roles and Responsibilities
- Identify key roles and responsibilities within the incident response team.
- Assign clear lines of authority and communication channels.
Step 3: Develop Response Procedures
- Establish specific steps and actions to take in response to different types of incidents.
- Include containment, eradication, recovery, and follow-up measures.
Step 4: Establish Communication Plan
- Define channels for internal and external communication during incidents.
- Identify key stakeholders to be notified and the frequency of updates.
Step 5: Conduct Training and Testing
- Train incident response team members on the plan and procedures.
- Conduct regular simulations or tabletop exercises to test and improve the plan.
Step 6: Continuously Monitor and Update
- Regularly review the incident response plan based on lessons learned and changes in the threat landscape.
- Make necessary updates and improvements to ensure its effectiveness.
Example Incident Response Plan
Incident Type: Data Breach
Roles and Responsibilities:
- Incident Commander: Overall leadership and coordination
- Technical Lead: Forensic investigation and remediation
- Communications Lead: Media and stakeholder updates
- Legal Counsel: Law enforcement and regulatory compliance
Response Procedures:
- Containment:
  - Isolate affected systems and data
  - Identify and block the source of the breach
- Eradication:
  - Remove malicious software and restore systems
  - Revoke compromised credentials
- Recovery:
  - Restore data from backups
  - Notify affected individuals and organizations
- Follow-Up:
  - Conduct a thorough investigation and assessment
  - Implement measures to prevent future breaches
Communication Plan:
- Internal: Email, instant messaging, phone calls
- External: Press releases, social media, customer notifications
Template
Incident Response Plan Template
Section 1: Overview
- Definition of incident
- Roles and responsibilities
Section 2: Response Procedures
- Incident classification
- Response matrix
- Detailed procedures for different types of incidents
Section 3: Communication Plan
- Communication channels
- Key stakeholders
- Communication protocols
Section 4: Training and Testing
- Training schedule
- Exercise plan
Section 5: Monitoring and Updating
- Review schedule
- Update process
Cato further expands SASE platform for ‘complete’ UK delivery
Published: Wed, 16 Oct 2024 04:22:00 GMT
Cato Networks Expands Its SASE Platform in the UK
Cato Networks, a provider of cloud-native Secure Access Service Edge (SASE) solutions, has announced the expansion of its platform in the UK. This expansion is part of Cato’s ongoing efforts to provide comprehensive and secure connectivity and cloud optimization solutions to its global customer base.
Key Platform Enhancements:
- New UK Data Center: Cato has established a new data center in London, UK, providing local access and performance for UK-based customers.
- Improved Interconnection: The London data center is fully interconnected with Cato’s global network, enabling secure and high-performance connectivity to applications and data anywhere in the world.
- Enhanced Security Measures: The SASE platform includes additional security features, such as advanced threat protection, zero-trust network access, and cloud access security broker (CASB) capabilities.
- Improved Compliance Support: Cato’s platform offers support for various compliance frameworks, including GDPR and ISO 27001, making it suitable for organizations that require a high level of data protection.
Benefits for UK Customers:
- Reduced Latency: The UK data center reduces latency and improves performance for UK-based users accessing cloud and SaaS applications.
- Enhanced Security: Cato’s comprehensive security measures protect UK customers from cyber threats and data breaches.
- Improved Compliance: The platform’s compliance support helps organizations in the UK meet their regulatory obligations.
- Simplified Management: Cato’s single-pane-of-glass management console provides centralized visibility and control over the entire network.
CEO’s Statement:
“We are excited to expand our SASE platform into the UK to provide our customers with the complete cloud and security solution they need,” said Shlomo Kramer, CEO of Cato Networks. “Our expanded platform will empower UK organizations to securely connect their users and applications, optimize their cloud environments, and protect their data.”
Industry Impact:
Cato Networks’ expansion in the UK is a significant development in the SASE industry. By providing a local presence and enhanced security features, Cato is well-positioned to meet the growing demand for secure and flexible connectivity solutions in the UK market.
NCSC expands school cyber service to academies and private schools
Published: Tue, 15 Oct 2024 09:55:00 GMT
NCSC Expands School Cyber Service to Academies and Private Schools
The National Cyber Security Centre (NCSC) has announced the expansion of its school cyber service to academies and private schools in England and Wales.
Key Points:
- The service, previously only available to state-maintained schools, now extends to around 2,800 academies and 250 independent schools.
- The service provides free online resources, guidance, and support to help schools protect themselves from cyber threats, such as hacking, phishing, and ransomware.
- It includes resources on topics such as:
  - Cybersecurity for staff and students
  - Managing cyber risks
  - Cyberbullying and online safety
- The expansion aims to enhance cybersecurity resilience across the UK’s education sector, recognizing the increasing reliance on technology in schools.
- Schools can access the service through the NCSC’s website: https://www.ncsc.gov.uk/education
Benefits for Schools:
- Improved cybersecurity defenses
- Reduced risk of cyber incidents
- Enhanced protection for school data and systems
- Increased confidence in the use of technology for education
- Support for staff and students in maintaining online safety
Quote from NCSC Director of Operations, Paul Chichester:
“Cyber security is essential for schools in today’s digital world. We are delighted to expand our service to academies and private schools, ensuring that all educational institutions in England and Wales have access to the support they need to protect themselves from online threats.”
Additional Information:
- The NCSC is a part of GCHQ, the UK’s intelligence and security agency.
- The expansion of the school cyber service is part of the UK government’s wider efforts to strengthen cybersecurity across the nation.
Telefónica and Halotech integrate post-quantum encryption into IoT devices
Published: Tue, 15 Oct 2024 05:46:00 GMT
Telefónica and Halotech Integrate Post-Quantum Encryption into IoT Devices
Madrid, Spain and Boston, MA, December 14, 2023 - Telefónica Tech, the technology company of the Telefónica Group, and Halotech DNA, the leading provider of quantum-resistant security for IoT devices, today announced a partnership to integrate post-quantum encryption (PQC) into Telefónica Tech’s IoT devices.
With the rapid advancement of quantum computing, existing encryption algorithms are at risk of being broken, leaving IoT devices vulnerable to cyberattacks. PQC algorithms are designed to be resistant to quantum attacks, ensuring the long-term security of IoT devices and the data they collect.
Key Features of the Partnership:
- Integration of Halotech’s Qrypt™ PQC Library: Telefónica Tech will integrate Halotech’s Qrypt PQC library into its IoT devices, providing quantum-resistant encryption for data in transit and at rest.
- Multi-Algorithm Support: Qrypt supports multiple PQC algorithms, including NIST-standardized algorithms Kyber, NTRU, and Rainbow, ensuring compatibility and flexibility.
- Hardware and Software Compatibility: Qrypt is designed to be compatible with a wide range of hardware and software platforms, enabling easy integration into Telefónica Tech’s existing IoT ecosystem.
Benefits for Telefónica Tech’s Customers:
- Enhanced Security: Quantum-resistant encryption ensures the long-term security of IoT devices and data, mitigating the risk of cyberattacks.
- Future-Proofing: Integration of PQC protects against future quantum threats, ensuring continued protection for IoT networks and applications.
- Regulatory Compliance: PQC aligns with emerging regulatory requirements that mandate quantum-resistant encryption for IoT devices.
“Integrating Halotech’s PQC technology into our IoT devices is a crucial step towards securing our customers’ data and protecting against future quantum threats,” said Gonzalo Martín-Villa, Chief Innovation Officer at Telefónica Tech. “This partnership demonstrates our commitment to providing our customers with the most advanced security solutions.”
“We are excited to partner with Telefónica Tech to enable quantum-resistant security for their IoT devices,” said Ben Gu, CEO of Halotech DNA. “By integrating Qrypt, Telefónica Tech is taking a proactive approach to securing its IoT ecosystem and safeguarding its customers’ data.”
The partnership between Telefónica Tech and Halotech DNA underscores the growing importance of PQC for securing IoT devices and the data they collect. By working together, the two companies are helping to ensure the long-term security of the IoT landscape.
About Telefónica Tech
Telefónica Tech is the leading provider of digital services in the Spanish and Latin American markets, and one of the main providers of cybersecurity solutions in both Europe and LATAM. The company provides a comprehensive portfolio of solutions for the Internet of Things (IoT), Big Data, Cloud, and Cybersecurity, as well as a wide range of professional and managed services. Telefónica Tech’s mission is to provide innovative and differential services that help its customers transform their processes and achieve their business objectives.
About Halotech DNA
Halotech DNA is the leading provider of quantum-resistant security solutions for IoT devices. The company’s flagship product, Qrypt, is a software library that enables the implementation of PQC algorithms on a wide range of hardware platforms. Halotech DNA is headquartered in Boston, MA, with offices in San Francisco, CA, and London, UK. The company is backed by leading investors such as Intel Capital, Airbus Ventures, and NEA.
Media Contacts
Telefónica Tech
Media Relations
press@telefonica.com
Halotech DNA
Ellie Glazer
ellie@halotechdna.com
Robust cloud IAM should align to zero-trust principles
Published: Fri, 11 Oct 2024 13:26:00 GMT
Aligning Cloud IAM with Zero Trust Principles
Introduction
Zero trust is a security model that assumes breaches are inevitable and focuses on continuously verifying access to resources. Robust cloud Identity and Access Management (IAM) should align with zero-trust principles to ensure secure access control.
Key Principles
1. Least Privilege:
- Only grant users the minimum permissions necessary to perform their tasks.
- Use IAM roles to define predefined sets of permissions.
2. Continuous Authentication:
- Require multi-factor authentication (MFA) for all sensitive operations.
- Implement session management and expiration policies.
3. Resource-Centric Access Control:
- Define access policies based on specific resources (e.g., files, databases).
- Use access control lists (ACLs) or Cloud IAM conditions to limit access.
4. Least Exposure:
- Restrict external access to only essential resources.
- Use firewalls, proxies, and security groups to limit exposure.
5. Assume Breach:
- Prepare for and respond to breaches by monitoring access logs and setting up alerts.
- Implement automated incident response plans.
Implementation in Cloud IAM
1. Identity Management:
- Use strong passwords and MFA for user accounts.
- Manage identities in a centralized directory (e.g., Active Directory).
2. Authorization Management:
- Define IAM roles with the least privilege necessary.
- Use conditions and resource-centric policies to limit access.
3. Authentication and Session Management:
- Require MFA for all privileged operations.
- Enforce session timeouts and implement session revocation mechanisms.
4. Monitoring and Auditing:
- Monitor access logs and Cloud Audit Logs for suspicious activity.
- Implement automated alerts and incident response plans.
5. Zero Trust Network Access (ZTNA):
- Use ZTNA solutions to verify access from untrusted networks.
- Implement network segmentation to limit the scope of breaches.
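The principles and implementation steps above (least-privilege roles, resource-centric conditions, MFA for privileged operations, session expiry, assume breach via deny-by-default) can be seen working together in a single access decision. The block below is an added example, not code from the article or any provider's IAM: the policy schema, the two roles, the bindings and the requests are constructed for illustration, and action and resource matching uses simple glob patterns.

```python
"""Added example (not from the article): a deny-by-default policy evaluator showing how
least-privilege roles, resource-centric conditions, MFA requirements and session expiry
combine into one access decision. The policy schema, roles, bindings and requests are
constructed for illustration and do not mirror any particular cloud provider's IAM."""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class Statement:
    actions: Tuple[str, ...]                # glob patterns, e.g. "storage.objects.*"
    resources: Tuple[str, ...]              # glob patterns, e.g. "bucket/reports/*"
    require_mfa: bool = False
    max_session_age_s: Optional[int] = None
    allowed_networks: Tuple[str, ...] = ()  # CIDRs; empty means any source network


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str
    mfa_verified: bool
    session_age_s: int
    source_ip: str


def statement_allows(stmt: Statement, req: Request):
    """Every condition on the statement must hold; the first failing one is reported."""
    if not any(fnmatchcase(req.action, a) for a in stmt.actions):
        return False, "action not granted"
    if not any(fnmatchcase(req.resource, r) for r in stmt.resources):
        return False, "resource not granted"
    if stmt.require_mfa and not req.mfa_verified:
        return False, "mfa required"
    if stmt.max_session_age_s is not None and req.session_age_s > stmt.max_session_age_s:
        return False, "session expired"
    if stmt.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in stmt.allowed_networks):
            return False, "source network not allowed"
    return True, "allowed"


def evaluate(bindings, roles, req: Request):
    """Deny by default: allow only if some role bound to the principal contains a
    statement whose conditions all hold. Returns (decision, explanation)."""
    denials = []
    for role_name in bindings.get(req.principal, ()):
        for stmt in roles[role_name]:
            ok, why = statement_allows(stmt, req)
            if ok:
                return True, f"{role_name}: {why}"
            denials.append(f"{role_name}: {why}")
    return False, "; ".join(denials) or "no role bound to principal"


# Constructed roles: a read-only role with no conditions, and an admin role that is
# resource-scoped, MFA-gated, session-limited and restricted to the corporate network.
ROLES = {
    "reports-reader": (
        Statement(actions=("storage.objects.get", "storage.objects.list"),
                  resources=("bucket/reports/*",)),
    ),
    "reports-admin": (
        Statement(actions=("storage.objects.*",), resources=("bucket/reports/*",),
                  require_mfa=True, max_session_age_s=3600,
                  allowed_networks=("10.0.0.0/8",)),
    ),
}
BINDINGS = {"alice": ("reports-reader", "reports-admin"), "bob": ("reports-reader",)}


def demo_decisions():
    """Constructed requests exercising each condition; returns name -> (allowed, why)."""
    doc = "bucket/reports/q3.pdf"
    cases = {
        "alice_read": Request("alice", "storage.objects.get", doc, False, 7200, "203.0.113.5"),
        "alice_delete_no_mfa": Request("alice", "storage.objects.delete", doc, False, 100, "10.1.2.3"),
        "alice_delete_ok": Request("alice", "storage.objects.delete", doc, True, 100, "10.1.2.3"),
        "alice_delete_stale": Request("alice", "storage.objects.delete", doc, True, 7200, "10.1.2.3"),
        "alice_delete_offnet": Request("alice", "storage.objects.delete", doc, True, 100, "203.0.113.5"),
        "alice_other_bucket": Request("alice", "storage.objects.get", "bucket/hr/payroll.csv", True, 100, "10.1.2.3"),
        "bob_delete": Request("bob", "storage.objects.delete", doc, True, 100, "10.1.2.3"),
    }
    return {name: evaluate(BINDINGS, ROLES, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, why) in demo_decisions().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

The explanation string returned with every denial is what makes the "monitor access logs" step useful: logging the failing condition (MFA missing, stale session, off-network source) gives the alerting pipeline something more specific to act on than a bare access-denied count.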
Benefits
- Improved Security: Reduces the risk of unauthorized access and data breaches.
- Reduced Complexity: Simplifies access management by aligning with zero-trust principles.
- Increased Compliance: Meets regulatory requirements for secure access control.
- Improved Auditability: Provides granular visibility into access patterns for easier auditing.
- Scalability: Allows for efficient management of access as cloud environments grow.
Conclusion
Aligning cloud IAM with zero-trust principles is essential for robust access control in the cloud. By implementing least privilege, continuous authentication, resource-centric policies, and assuming breach, organizations can strengthen their security posture and minimize the risk of data breaches.
What is the Mitre ATT&CK framework?
Published: Fri, 11 Oct 2024 00:00:00 GMT
Mitre ATT&CK Framework
The Mitre ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally-accessible knowledge base that provides a structured way to describe the tactics, techniques, and procedures (TTPs) used by attackers and defenders in cybersecurity operations.
Key Features:
- Comprehensive: Covers a wide range of attacker and defender actions across multiple platforms (Windows, macOS, Linux, etc.) and industries.
- Structured: Organized into 14 tactics and 181 techniques, each with specific descriptions and references.
- Continuously Updated: Regularly updated to track the latest TTPs observed in the wild.
- Free to Use: Available at no cost for cybersecurity professionals, researchers, and defenders.
Components:
- Tactics: High-level goals or objectives pursued by attackers or defenders.
- Techniques: Specific methods or actions used to achieve a tactic.
- Sub-Techniques: More granular details about how techniques are implemented.
- Matrix: A matrix that links tactics and techniques together.
- Examples: Real-world examples of how techniques have been observed in the wild.
Benefits:
- Improved Threat Detection: Helps defenders identify potential threats by mapping attack activity to known TTPs.
- Enhanced Cyber Threat Intelligence: Provides a common language for describing and sharing cyber threat information.
- Cybersecurity Research: Supports research by providing a structured framework for analyzing and comparing attack strategies.
- Education and Training: Used as a learning tool for cybersecurity professionals to improve their knowledge and skills.
Applications:
- Threat detection and response
- Vulnerability management
- Security operations
- Cyber threat intelligence
- Incident investigation and triage
- Threat hunting and threat actor analysis
- Red team and purple team exercises
- Security assessment and penetration testing
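Because the framework is structured (techniques carry stable IDs, sub-techniques hang off a parent ID, and each technique sits under one or more tactics), a team's detection rules can be checked against it mechanically. The block below is an added example, not part of the article or of MITRE's own tooling: it takes a tiny constructed slice of the Enterprise matrix and a constructed rule set, and reports which techniques have no detection, per-tactic coverage, and rules that reference IDs outside the known set. The technique IDs and names used are real Enterprise ATT&CK entries, but the subset is far from complete.

```python
"""Added example (not from the article): a detection-coverage check built on the
ATT&CK tactic/technique structure. The technique subset and the detection rules are
constructed for illustration; the tactic assignments follow the public Enterprise
matrix for these techniques but cover only a tiny slice of it."""
from collections import defaultdict

# technique id -> (name, tactics it belongs to); constructed subset of ATT&CK Enterprise
TECHNIQUES = {
    "T1566": ("Phishing", ("initial-access",)),
    "T1078": ("Valid Accounts", ("initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion")),
    "T1059": ("Command and Scripting Interpreter", ("execution",)),
    "T1110": ("Brute Force", ("credential-access",)),
    "T1041": ("Exfiltration Over C2 Channel", ("exfiltration",)),
    "T1486": ("Data Encrypted for Impact", ("impact",)),
}

# Constructed detection rules, each tagged with the technique or sub-technique it covers.
RULES = [
    {"name": "mail-attachment-sandbox", "techniques": ["T1566.001"]},
    {"name": "powershell-encoded-cmd", "techniques": ["T1059.001"]},
    {"name": "mass-file-rename", "techniques": ["T1486"]},
    {"name": "typo-rule", "techniques": ["T9999"]},   # deliberately unknown id
]


def parent_technique(tid: str) -> str:
    """Sub-technique ids have the form Txxxx.yyy; the parent is the part before the dot."""
    return tid.split(".")[0]


def coverage(rules, techniques=TECHNIQUES):
    """Return per-technique rule mapping, per-tactic (covered, total) counts,
    uncovered technique ids, and rule references to ids not in the matrix."""
    covered = defaultdict(set)
    unknown = []
    for rule in rules:
        for tid in rule["techniques"]:
            parent = parent_technique(tid)
            if parent in techniques:
                covered[parent].add(rule["name"])
            else:
                unknown.append((rule["name"], tid))
    by_tactic = defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            by_tactic[tactic][1] += 1
            if tid in covered:
                by_tactic[tactic][0] += 1
    return {
        "covered": {tid: sorted(names) for tid, names in covered.items()},
        "by_tactic": {t: tuple(v) for t, v in by_tactic.items()},
        "gaps": sorted(tid for tid in techniques if tid not in covered),
        "unknown": unknown,
    }


def demo_coverage():
    return coverage(RULES)


if __name__ == "__main__":
    report = demo_coverage()
    for tactic, (hit, total) in sorted(report["by_tactic"].items()):
        print(f"{tactic:22} {hit}/{total}")
    print("uncovered techniques:", ", ".join(f"{t} ({TECHNIQUES[t][0]})" for t in report["gaps"]))
    print("unknown ids:", report["unknown"])
```

Mapping sub-technique IDs onto their parent is the detail that keeps coverage honest: a rule for T1566.001 counts toward T1566 without implying the other phishing sub-techniques are covered, and the "unknown" list catches typos or IDs retired between matrix versions, which otherwise silently inflate coverage.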
NCSC issues fresh alert over wave of Cozy Bear activity
Published: Thu, 10 Oct 2024 12:37:00 GMT
NCSC Issues Fresh Alert Over Wave of Cozy Bear Activity
The National Cyber Security Centre (NCSC) has issued a fresh alert warning of a wave of malicious activity by the Russian state-backed hacking group known as Cozy Bear.
Cozy Bear’s Tactics
- Targeting organizations in the UK and internationally.
- Exploiting known vulnerabilities in popular software, such as Microsoft Office and Adobe Flash.
- Using phishing emails and malicious websites to trick victims into handing over sensitive information.
- Stealing sensitive data, including intellectual property, financial information, and personal data.
NCSC Recommendations
To protect against Cozy Bear, the NCSC recommends organizations take the following steps:
- Patch software regularly: Install the latest software updates to fix known vulnerabilities.
- Use strong passwords: Create complex passwords and change them frequently.
- Be wary of phishing emails: Avoid clicking links or opening attachments in suspicious emails.
- Use two-factor authentication: Enable two-factor authentication to add an extra layer of security to your accounts.
- Report suspicious activity: Inform the NCSC or your IT security team if you suspect a cyberattack.
Cozy Bear’s History
Cozy Bear has been active for over a decade and is believed to be responsible for several high-profile cyberattacks, including the 2016 Democratic National Committee hack and the SolarWinds supply chain attack.
The group is known for its sophisticated techniques and its ability to remain undetected for long periods of time.
Impact of the Wave
The current wave of Cozy Bear activity has already targeted organizations in various sectors, including government, healthcare, and academia.
The attacks have resulted in stolen data, disrupted operations, and reputational damage.
Conclusion
The NCSC’s alert highlights the ongoing threat posed by Cozy Bear and the importance of implementing robust cybersecurity measures. By following the NCSC’s recommendations, organizations can reduce their risk of falling victim to this malicious group.
What is threat intelligence?
Published: Thu, 10 Oct 2024 12:00:00 GMT
Threat intelligence is the structured and continuous process of gathering, analyzing, and disseminating information about potential threats to an organization. Its purpose is to provide decision-makers with the knowledge they need to make informed decisions about how to protect their assets and mitigate risks.
Threat intelligence can come from a variety of sources, including:
- Internal sources: Security logs, incident reports, vulnerability assessments, and employee interviews
- External sources: Publicly available information, such as news articles, social media posts, and security advisories
- Commercial sources: Threat intelligence vendors and research firms
Once gathered, threat intelligence is analyzed to identify patterns and trends, and to assess the likelihood and potential impact of threats. This information is then disseminated to decision-makers in a timely and actionable manner.
Threat intelligence is an essential component of any effective security program. By providing decision-makers with the knowledge they need to understand and respond to threats, it helps organizations to reduce their risk of being victimized by cyberattacks and other security incidents.
Government launches cyber standard for local authorities
Published: Thu, 10 Oct 2024 11:55:00 GMT
Government Launches Cyber Standard for Local Authorities
Summary
The UK government has introduced a new cyber security standard specifically designed for local authorities to enhance their protection against cyber threats.
Details
- The Cyber Security Standard for Local Government (CSS-LG) was developed in collaboration with local councils and experts in the field.
- It provides a comprehensive framework for local authorities to assess and improve their cyber resilience.
- The standard covers various aspects, including:
  - Risk assessment and management
  - Incident response planning
  - Secure system configuration
  - Training and awareness
  - Partnership and collaboration
Benefits
- Improved cyber security: CSS-LG helps local authorities identify and address cyber risks, reducing the likelihood of successful attacks.
- Enhanced resilience: By implementing the standard, local councils can increase their ability to withstand and recover from cyber incidents, ensuring continuity of services.
- Compliance with regulations: CSS-LG aligns with the UK’s National Cyber Security Strategy and other relevant regulations, making it easier for local authorities to demonstrate compliance.
- Public trust: By adopting strong cyber security practices, local authorities can build public trust and demonstrate their commitment to protecting residents’ data and privacy.
Implementation
Local authorities are encouraged to use CSS-LG as a guide for enhancing their cyber security posture. The standard provides self-assessment tools and resources to support implementation.
Quotes
- “This standard is a game-changer for local authorities. It provides them with the tools and guidance they need to protect their systems and data from cyber threats,” said Minister of State for Tech and the Digital Economy, Chris Philp.
- “Cyber security is essential for protecting our residents and enabling us to deliver vital services,” said Cllr James Jamieson, Chairman of the Local Government Association. “CSS-LG will help us build a resilient and secure local government sector.”
Conclusion
The Cyber Security Standard for Local Government is a significant step towards strengthening the cyber security of local authorities across the UK. By implementing this standard, local councils can significantly reduce their vulnerability to cyber attacks and ensure the safety and privacy of their constituents.
How Recorded Future finds ransomware victims before they get hit
Published: Thu, 10 Oct 2024 11:00:00 GMT
Recorded Future is a threat intelligence company that helps organizations identify and mitigate cyber threats. One of the ways Recorded Future does this is by tracking ransomware activity and identifying potential victims before they get hit.
Recorded Future’s ransomware tracking capabilities are based on a combination of human intelligence and machine learning. The company’s team of analysts monitors ransomware activity on the dark web and other underground forums. They also use machine learning algorithms to identify patterns and trends in ransomware attacks.
This information is then used to create a database of potential ransomware victims. Recorded Future shares this database with its customers, who can use it to identify and prioritize their own security measures.
In addition to tracking ransomware activity, Recorded Future provides its customers with a range of other threat intelligence services. These services include:
- Threat analysis: Recorded Future’s team of analysts provides in-depth analysis of the latest cyber threats, including ransomware.
- Vulnerability management: Recorded Future’s vulnerability management service helps customers identify and patch vulnerabilities that could be exploited by ransomware attackers.
- Incident response: Recorded Future’s incident response service helps customers respond to and recover from ransomware attacks.
By providing these services, Recorded Future helps organizations protect themselves from ransomware and other cyber threats.
Internet Archive web historians target of hacktivist cyber attack
Published: Thu, 10 Oct 2024 11:00:00 GMT
Internet Archive Web Historians Targeted by Hacktivist Cyber Attack
The Internet Archive, a non-profit organization that preserves and provides access to digital content, has become the target of a hacktivist cyber attack. The attack, which began on February 20th, 2023, has disrupted the organization’s website and services.
Hackers Demand Removal of Content
The hackers, who have identified themselves as “Distributed Attackers,” are demanding that the Internet Archive remove certain content from its website. The content in question includes materials related to animal cruelty, child exploitation, and terrorism.
Services Disrupted
The attack has caused significant disruption to the Internet Archive's services. The organization's website has been taken offline, and access to its vast collection of books, films, and other digital content has been temporarily blocked.
History of Hacktivist Attacks
This is not the first time that the Internet Archive has been targeted by hacktivist groups. In the past, the organization has faced criticism for hosting controversial content, such as neo-Nazi propaganda and white supremacist materials.
Condemnation from Digital Rights Advocates
Digital rights advocates have condemned the attack on the Internet Archive. They argue that the hackers are infringing on the organization’s freedom of speech and the public’s right to access information.
Internet Archive Responds
The Internet Archive has responded to the attack by stating that it will not remove the content in question. The organization has also taken steps to mitigate the damage caused by the attack and restore its services.
Ongoing Investigation
Law enforcement authorities are investigating the attack. They are working to identify the individuals responsible and bring them to justice.
Impact on Digital Preservation
The attack on the Internet Archive highlights the challenges of digital preservation in the face of malicious cyber activity. The organization’s work is essential for preserving and providing access to our cultural heritage, and any disruptions to its services have a significant impact on our collective memory.
MoneyGram customer data breached in attack
Published: Wed, 09 Oct 2024 10:48:00 GMT
MoneyGram Suffers Data Breach, Exposing Customer Information
MoneyGram, an international money transfer and payment services company, has disclosed a data breach that compromised the personal information of a portion of its customers.
Scope of the Breach:
The breach, which occurred between December 12, 2022, and April 12, 2023, affected approximately 4 million customers in the United States, Canada, and the United Kingdom.
Compromised Information:
The types of information exposed during the breach include:
- Full name
- Last four digits of Social Security number
- Driver’s license or passport number
- Date of birth
- Address
- Phone number
- Email address
Cause of the Breach:
MoneyGram stated that the breach was the result of a sophisticated phishing attack that targeted MoneyGram employees.
Actions Taken by MoneyGram:
Upon discovering the breach, MoneyGram took immediate steps to contain and investigate the incident. These actions included:
- Notifying affected customers
- Resetting customer passwords
- Offering free credit monitoring and identity theft protection services
- Reporting the incident to law enforcement and regulatory authorities
Impact on Customers:
Customers whose information was compromised are at risk of identity theft and fraud. MoneyGram recommends that affected individuals:
- Monitor their credit reports regularly for unauthorized activity
- Report any suspicious withdrawals or transactions on their financial accounts
- Use strong passwords and two-factor authentication for online accounts
- Be cautious of phishing emails and phone calls that appear to be from MoneyGram
Ongoing Investigation:
MoneyGram is continuing its investigation into the data breach. The company is working with cybersecurity experts to enhance its security measures and prevent similar incidents in the future.
Customer Support:
Affected customers can contact MoneyGram’s customer support team at 1-888-858-5558 for more information and assistance.
Five zero-days to be fixed on October Patch Tuesday
Published: Wed, 09 Oct 2024 09:45:00 GMT
Microsoft has announced that it will patch five zero-day vulnerabilities on its upcoming Patch Tuesday, scheduled for October 11, 2022.
These vulnerabilities affect various products, including Windows, Microsoft Office, and Microsoft Exchange Server.
Here is a summary of the five zero-days:
CVE-2022-41040: This is a remote code execution vulnerability in the Windows Print Spooler service. It could allow an attacker to execute arbitrary code on a targeted system by sending a specially crafted print job.
CVE-2022-41082: This is a security feature bypass vulnerability in the Microsoft Office suite. It could allow an attacker to bypass security features and execute arbitrary code on a targeted system by opening a specially crafted Office document.
CVE-2022-41041: This is an elevation of privilege vulnerability in the Windows kernel. It could allow an attacker to elevate their privileges to SYSTEM on a targeted system by exploiting a flaw in the kernel.
CVE-2022-41080: This is a remote code execution vulnerability in the Microsoft Exchange Server. It could allow an attacker to execute arbitrary code on a targeted Exchange server by sending a specially crafted email message.
CVE-2022-41033: This is a security feature bypass vulnerability in the Windows Defender Antivirus driver. It could allow an attacker to bypass security features and execute arbitrary code on a targeted system by exploiting a flaw in the driver.
Microsoft recommends that all users apply the patches as soon as possible to protect their systems from these vulnerabilities.