On the Subversion of NIST by the NSA

Nadiya Kostyuk and Susan Landau wrote an interesting paper: “Dueling Over DUAL_EC_DRBG: The Consequences of Corrupting a Cryptographic Standardization Process”:

Abstract: In recent decades, the U.S. National Institute of Standards and Technology (NIST), which develops cryptographic standards for non-national security agencies of the U.S. government, has emerged as the de facto international source for cryptographic standards. But in 2013, Edward Snowden disclosed that the National Security Agency had subverted the integrity of a NIST cryptographic standard, the Dual_EC_DRBG, enabling easy decryption of supposedly secured communications. This discovery reinforced the desire of some public and private entities to develop their own cryptographic standards instead of relying on a U.S. government process. Yet, a decade later, no credible alternative to NIST has emerged. NIST remains the only viable candidate for effectively developing internationally trusted cryptography standards.

Cryptographic algorithms are essential to security yet are hard to understand and evaluate. These technologies provide crucial security for communications protocols. Yet the protocols transit international borders; they are used by countries that do not necessarily trust each other. In particular, these nations do not necessarily trust the developer of the cryptographic standard.

Seeking to understand how NIST, a U.S. government agency, was able to remain a purveyor of cryptographic algorithms despite the Dual_EC_DRBG problem, we examine the Dual_EC_DRBG situation, NIST’s response, and why a non-regulatory, non-national security U.S. agency remains a successful international supplier of strong cryptographic solutions.

All you need to know about data security and its benefits for small businesses

This blog was written by an independent guest blogger.

Cyberthreats don’t affect only large enterprises and governments – they can also affect small businesses. According to research, nearly half of small businesses have experienced a cyberattack, and 69% are concerned about future attacks. Small businesses should be aware of cyber security statistics and take tangible steps to protect their businesses against cyberattacks.

Employee records, customer information, loyalty schemes, transactions, and data collection are critical pieces of information that businesses need to protect. This is to prevent third parties from using the information for fraudulent purposes, such as phishing scams and identity theft.

It’s crucial to safeguard your company from cyberattacks, but some business owners are unsure how to do it.

This article is intended to help small business owners navigate the realm of cyber threats and fortify their data security. The benefits of data security for small businesses are also discussed.

Data security

Data security is the practice of keeping data safe from unauthorized access or corruption.

Data protection entails safeguarding not only your company’s data but also that of your customers and vendors.

Data encryption, hashing, tokenization, and key management are data security strategies that safeguard data across all applications and platforms.

Small firms, unfortunately, appear to be a much easier target for hackers, as their security systems are typically less advanced than those of a medium or large company. Despite this fact, most small business owners believe they are not vulnerable to a data breach.

Why data security?

To secure their essential assets, organizations all over the world are investing extensively in information technology (IT) cyber security capabilities. Every business has to protect its brand, intellectual capital, and customer information, and it also needs controls for its essential infrastructure. Incident detection and response rest on three fundamental elements: people, processes, and technology.

Cyber security problems and their effect on small businesses

Security risks faced by small businesses

Small businesses may not have the operational know-how or employees to protect their IT systems and networks appropriately.

Small firms confront a variety of cyber security challenges, including:

Attacks by phishers: Phishing refers to a type of social engineering attack that is frequently used to obtain personal data from users; such data includes login credentials and credit card details.
Malware attack: Malware attacks are common cyberattacks in which malware (malicious software) performs unauthorized actions on the victim’s system.
Ransomware: Ransomware is a type of cryptovirological malware that threatens to expose the victim’s personal information, or to permanently block access to it, unless a ransom is paid.
Internal threats: Internal threats are often the result of poor access controls or a lack of proper staff training. Hostile employees or ex-employees might perpetrate cyber attacks in the company, posing internal threats.
Weak passwords: Passwords that aren’t strong enough can expose a company to unauthorized access and security risks.

Use at least eight characters and combine letters, numbers, and symbols to make your password strong. A password that is longer and contains more character types (including upper and lowercase letters) is more difficult to guess. For instance, M0l#eb7Qs? employs a unique mix of capital and lowercase letters, numbers, and symbols. It is also recommended to change passwords every 90 days or less.

Organizations should carefully review password security policies and password management since stolen or weak passwords are still the most common cause of data breaches.
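The password rules above can be turned into an automated check that a sign-up form or password-change handler runs before accepting a new credential. The following is an added example written for this article, not code from the original post: it enforces the stated minimum of eight characters and a mix of character types, and it also reports a rough guess-space estimate (bits of entropy) to make the point that length and character variety both raise the cost of guessing. The requirement that at least three of the four character classes appear, the `check_password` and `rotation_due` names, and the 90-day rotation helper are assumptions of this example.

```python
import math
import string
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Policy values from the article: at least eight characters, mixing letters (upper and
# lower case), numbers and symbols. Requiring at least three of the four classes below
# is an assumption made for this example.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_PASSWORD_AGE_DAYS = 90

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


@dataclass
class PasswordCheck:
    accepted: bool
    classes_present: List[str]
    entropy_bits: float
    problems: List[str] = field(default_factory=list)


def estimate_entropy_bits(password: str, classes_present: List[str]) -> float:
    """Rough strength estimate: log2 of the number of strings of the same length drawn
    from the pool of character classes actually used. It assumes every character is
    chosen independently and uniformly, so it overstates the strength of dictionary
    words or keyboard patterns; treat it as an upper bound, not a guarantee."""
    pool = sum(len(CHARACTER_CLASSES[name]) for name in classes_present)
    if pool == 0 or not password:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str) -> PasswordCheck:
    """Apply the policy and return the verdict together with the reasons for rejection."""
    present = [
        name for name, chars in CHARACTER_CLASSES.items()
        if any(c in chars for c in password)
    ]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(present) < MIN_CLASSES:
        problems.append(
            f"uses only {len(present)} of {len(CHARACTER_CLASSES)} character classes"
        )
    return PasswordCheck(
        accepted=not problems,
        classes_present=present,
        entropy_bits=estimate_entropy_bits(password, present),
        problems=problems,
    )


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the article's 90-day rotation window."""
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    # The article's own sample password and two constructed weak ones.
    for candidate in ("M0l#eb7Qs?", "password", "Ab1!"):
        result = check_password(candidate)
        verdict = "accepted" if result.accepted else "rejected"
        print(f"{candidate!r}: {verdict}, ~{result.entropy_bits:.1f} bits, "
              f"classes={result.classes_present}, problems={result.problems}")
    print("rotation due:", rotation_due(date(2022, 1, 1), date(2022, 4, 15)))
```

The entropy figure is the interesting output: the article's example M0l#eb7Qs? scores about 65 bits because it uses all four classes over ten characters, while an eight-character lowercase word scores under 40 bits even before accounting for it being a dictionary word. A check like this belongs next to a breached-password lookup, not instead of one, since a policy-compliant password can still be a well-known leaked one.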

What effect does an attack have?

A successful cyber attack on your business can be devastating. It can have a negative impact on your bottom line, as well as your company’s reputation and consumer trust. A security breach has three major consequences: financial, reputational, and legal.

Financial cost of a cyberattack

Cyber breaches frequently cause a significant financial loss due to:

Unauthorized access to corporate data
Theft of corporate data
Financial information theft (e.g., bank details or payment card details)
Theft of funds
Trading disruption (e.g., inability to carry out transactions online)
Loss of contract or business

In addition, businesses would typically pay fees for fixing systems, networks, and devices affected, as part of their response to the breach.

Damage to the company’s reputation

A good customer relationship must be based on trust. Cyberattacks can harm your company’s reputation and reduce client trust in you. This might ultimately result in:

Loss of clients
Sales decline
Decrease in profits

Reputational damage may also have a negative impact on your relationships with partners, investors, suppliers, and other interested parties.

Legal consequences of a cyberattack

You are required by data protection and privacy laws to manage the security of all personal data you hold, whether it relates to your customers or your personnel. You may be subject to penalties and regulatory sanctions if this data is compromised unintentionally or on purpose, and you fail to implement the necessary data security measures.

Essential tips for data security

1. Manage mobile devices, apps, and computer operations

To ensure the user’s experience is as smooth as possible, manage important applications rather than the device itself. Also, make sure everything you’re doing is transparent, particularly when it comes to your employees’ devices.

2. Enable secure collaboration

To guarantee that your staff has access to the information they require, set up secure tools for data sharing.

If you’re sending sensitive information via email, ensure you’ve set up a digital rights management system (or another secure email solution).

3. Reduce malware exposure

Create a training plan that ensures your employees get adequate awareness training on a regular basis.

It would help if you also considered using an email protection solution that includes time-of-click protection to guard against the inevitable human errors.

Implement rules and procedures that restrict specific actions, such as checking personal email at work, and that require apps to be installed only from a trusted source, among other things.

4. Prevent data loss via email

Data Loss Prevention (DLP) capabilities can help secure your company’s data. Identify how DLP can be implemented in your workflow.

Also, limit the circulation of specific emails or files, or impose a digital rights management condition that limits who has access to the information.

5. Set up other key security measures

Securing your company’s data is crucial, especially in today’s world of remote work. Antivirus software, network analytics, firewalls, virtual private networks (VPNs), AI-enabled behavioral monitoring, data encryption, and other security measures may be used.

6. Focus on sensitive data

The sensitive data you are storing and processing can be an asset, but it is also a liability in terms of security and compliance. It is important to always know where sensitive data (such as personally identifiable information) is stored, and to apply measures like dynamic data masking that protect it while keeping it useful.
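Two of the measures above, email DLP (tip 4) and dynamic data masking (tip 6), are often the same piece of logic: find sensitive values in content that is about to leave the company, then either block the message or mask the values before it goes out. The following is an added example written for this article, not code from the original post or from any DLP product. It scans an outbound email body for payment card numbers, using the Luhn checksum to weed out order numbers and other digit runs, and masks every digit except the last four so the recipient can still reconcile the record. The sample email, the `dlp_decision` function and its allow/mask/block actions are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes. The pattern deliberately over-matches; the Luhn check below filters it.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_card_number(raw: str) -> bool:
    digits = re.sub(r"[ -]", "", raw)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_card_numbers(text: str) -> List[str]:
    """Return the card numbers found in text, as they appear in the message."""
    return [m.group() for m in PAN_PATTERN.finditer(text) if _is_card_number(m.group())]


def mask_card_numbers(text: str) -> str:
    """Dynamic masking: replace all but the last four digits of each card number."""
    def replace(match: "re.Match[str]") -> str:
        raw = match.group()
        if not _is_card_number(raw):
            return raw
        digits = re.sub(r"[ -]", "", raw)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_PATTERN.sub(replace, text)


def dlp_decision(body: str, allow_masked: bool = True) -> Tuple[str, Optional[str]]:
    """Decide what the mail gateway should do with an outbound message body.

    Returns ("allow", body) when nothing sensitive is present, ("mask", masked_body)
    when card numbers were found and masking is permitted, and ("block", None) when
    the policy requires the message to be held instead."""
    if not find_card_numbers(body):
        return ("allow", body)
    if allow_masked:
        return ("mask", mask_card_numbers(body))
    return ("block", None)


# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# the order number is 13 digits but fails the Luhn check, and the phone number is
# too short to match at all.
SAMPLE_EMAIL = (
    "Hi Dana,\n"
    "Customer order 1234567890123 was paid with card 4111 1111 1111 1111,\n"
    "please ship today. Call me on 555-0100 if anything is unclear.\n"
)

if __name__ == "__main__":
    action, outgoing = dlp_decision(SAMPLE_EMAIL)
    print("action:", action)
    print(outgoing)
    print("strict policy:", dlp_decision(SAMPLE_EMAIL, allow_masked=False)[0])
```

Running it on the sample prints the action `mask` and a body in which only the card number has been rewritten to `************1111`; the order and phone numbers are untouched. The same scanner can be pointed at file uploads or chat exports, and extending it to other data types (national ID formats, account numbers) is a matter of adding a pattern and a validator pair, which is also the point at which false-positive rates start to matter and a real DLP product's tuning becomes worth paying for.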

Benefits of data security for small businesses

Small businesses that take data security seriously and take strategic actions to improve it are less prone to attack.

These businesses will also be able to meet their compliance obligations more efficiently and prevent reputational damage. All of these factors make business more convenient and profitable.

Because the cybersecurity world is constantly changing, you’ll need to commit to monitoring and updating your network security on a regular basis to reap these benefits. This will help you stay current and safe.

Here are some proven strategies to help your business reap these benefits while avoiding cyber threats.

• Protect your business from external threats

Outsiders were responsible for over 70% of data breaches this year.

Minimizing external risks necessitates the use of thorough device security measures and the appropriate cybersecurity software.

• Protect your business from internal threats

While internal threats aren’t as widespread as externally perpetrated attacks, they still warrant special attention.

Many of these attacks are absolutely avoidable. While hostile employees or ex-employees can always cause problems, many internal attacks result from poor access controls or a lack of staff training.

• Ensure your business is compliant

Ensuring that your company is compliant with data protection regulations is very important.

When it comes to data protection, a number of businesses are already living up to expectations by intensifying their cybersecurity.

Many regulatory agencies now require you to make the necessary efforts to secure your company and its data from hackers. You could risk substantial fines or trading restrictions if you don’t comply.

• Ensure customer data security

It’s not just the regulators that are concerned about data security. Consumers have been more interested in how firms protect their data; their awareness of the risks of organizations having large amounts of personal data has grown.

Furthermore, if you can establish an active dedication to data protection, you may gain loyal, long-term clients and increase your revenue.

Summary

Cyberattacks are becoming increasingly common among small businesses, but you don’t have to be affected. You can avoid falling victim to preventable cyberattacks by implementing the necessary security measures, from employee training to suitable cybersecurity software. This will not only save you time and effort, but it will also save you money by preventing revenue losses, regulatory fines, and other costs.

USN-5487-2: Apache HTTP Server regression

USN-5487-1 fixed vulnerabilities in Apache HTTP Server. Unfortunately, that update introduced
a regression when proxying balancer manager connections in some configurations
on Ubuntu 14.04 ESM. This update reverts those changes until a further fix is available.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Apache HTTP Server mod_proxy_ajp incorrectly handled
certain crafted requests. A remote attacker could possibly use this issue to
perform an HTTP Request Smuggling attack. (CVE-2022-26377)

It was discovered that Apache HTTP Server incorrectly handled certain
requests. An attacker could possibly use this issue to cause a denial
of service. (CVE-2022-28614)

It was discovered that Apache HTTP Server incorrectly handled certain requests.
An attacker could possibly use this issue to cause a crash or expose
sensitive information. (CVE-2022-28615)

It was discovered that Apache HTTP Server incorrectly handled certain requests.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-29404)

It was discovered that Apache HTTP Server incorrectly handled certain
requests. An attacker could possibly use this issue to cause a crash.
(CVE-2022-30522)

It was discovered that Apache HTTP Server incorrectly handled certain requests.
An attacker could possibly use this issue to execute arbitrary code or cause
a crash. (CVE-2022-30556)

It was discovered that Apache HTTP Server incorrectly handled certain requests.
An attacker could possibly use this issue to bypass IP-based authentication.
(CVE-2022-31813)

MITRE’s Inside-R Protect goes deep into the behavior side of insider threats

Insider threat and risk management programs are the Achilles heel of every corporate and information security program, as many a CISO can attest to. The MITRE Inside-R Protect program is the organization’s latest initiative to assist both public and private sector efforts in addressing the insider threat. The Inside-R program’s bar for success is high. The focus of Inside-R is on evolving analytic capabilities focused on the behavior of the insider. To that end, MITRE invites the participation of government and private organizations to provide their historical insider incident data to the organization’s corpora of information from which findings are derived.
