Introducing Nessus Expert, Now Built for the Modern Attack Surface

Nessus has long been the undisputed leader in vulnerability assessment. With the introduction of Nessus Expert, you can now protect against new, emerging cyberthreats across cloud infrastructure and understand what’s in your external attack surface.

Since it was released over 20 years ago, Nessus has become the industry standard for vulnerability assessments. When Tenable co-founder and former CTO Renaud Deraison dropped out of college to pursue his idea of creating a tool to find software vulnerabilities, no one could have imagined the impact Nessus would have on the cybersecurity industry.

In the time since Nessus was first released in 1998, much has changed about the industry, adding complexity and challenge to the work of security professionals:

The attack surface has expanded well beyond traditional IT assets, such as servers, workstations and network infrastructure, to include cloud deployments and workloads and internet-connected assets.
The reliance on the cloud and infrastructure as code (IaC) to streamline development lifecycles has become a key part of every organization’s business. Yet, developers aren’t following security best practices before pushing to production, which increases risk.
Technological advances have made it relatively easy for individuals to spin up cloud instances without involving IT or security, leaving security professionals with limited visibility into the variety of internet-facing assets that may be in the environment.

To help infosec pros meet the challenges highlighted above, Tenable has developed a number of innovative new assessment capabilities available with Nessus Expert.

Introducing the newest member to the Nessus line-up, Nessus Expert

Nessus Expert is a new offering that builds upon Nessus Professional. Nessus Expert provides vulnerability assessment for your modern attack surface — adding Infrastructure as Code (IaC) scanning along with external attack surface discovery capabilities to identify all domains and subdomains that make up an organization’s external-facing attack surface.

When it comes to IaC, Nessus Expert enables users to programmatically detect cloud infrastructure misconfigurations and vulnerabilities in the design and build phases of the software development lifecycle.

Leveraging 500 prebuilt policies, Nessus Expert checks configuration files and code repositories for security and configuration issues before production — helping to eliminate the costly and time-intensive mistakes that can arise when developers unknowingly push vulnerabilities and misconfigurations into production. Nessus Expert allows users to:

Identify policy violations in automated pipelines
Leverage 500 prebuilt policies for IaC scanning
Prevent misconfigurations and vulnerabilities from reaching cloud instances
Prevent the downtime and additional costs and resources associated with remediating code after deployment.

Nessus Expert also contains external attack surface management functionality to continuously discover and inventory an organization’s internet-facing assets from an attacker’s perspective. Nessus Expert seamlessly scans domains to uncover the subdomains that security teams previously had little or no visibility into. This functionality allows users to:

Scan up to five domains every 90 days to understand all associated subdomains
Gain important contextual information about internet-facing assets, such as ports, secure socket layer (SSL) details and domain name system (DNS) information
Purchase additional domains as needed
Easily launch a scan on newly identified assets

Nessus Expert features at a glance

Feature                                    | Nessus Professional                | Nessus Expert
-------------------------------------------|------------------------------------|----------------------------------------------
Designed for…                              | Pen testers, consultants and SMBs  | Pen testers, consultants, developers and SMBs
Real-time vulnerability updates            | ✓                                  | ✓
Vulnerability scanning                     | ✓                                  | ✓
External attack surface scanning           | X                                  | ✓ (five domains per quarter)
Ability to add domains                     | X                                  | ✓
Scan cloud infrastructure                  | X                                  | ✓
Compliance audits of cloud infrastructure  | X                                  | ✓ (500 prebuilt policies)

Learn more

Want to see firsthand how Nessus Expert can help you? Try Nessus Expert today.

How to Set Up a VPN on an iPhone in 2022

A virtual private network (VPN) is a tool that hides your geolocation and protects your privacy while you’re online. It does this by creating an encrypted tunnel from your home network to a VPN provider’s server.  

When you buy an internet plan, your internet service provider (ISP) gives your equipment (like your router and modem) an Internet Protocol (IP) address. Your IP address helps you communicate with the broader internet by letting a website you’re on know where data is coming from and where to send it.  

In other words, your IP address lets online companies know where you are. Most online businesses store IP addresses for data analysis, but cybercriminals can use your IP to track your activity online, steal your personal information, and target you for scams.  

A VPN reroutes your internet through a server address with a different IP than your own. That way, no one online can trace your internet activity back to you. A VPN also encrypts your internet data to protect your personal information.  

VPNs aren’t just for desktop computers, though. All sorts of devices — from iPads to smart TVs — can benefit from a VPN connection. If you’re the type of person who handles your finances or does business online using a mobile device, it’s wise to get a VPN to protect yourself.  

This article will show you how to choose and install a VPN on your iPhone.

Why use a VPN? 

Here are a few of the main ways getting a VPN like McAfee Safe Connect VPN can benefit you:  

A VPN can help you remotely access your work intranet. An intranet is a private network that is not reachable from the public internet. Businesses use intranets — where companies may store important internal-only files — to give their employees quick access to company work tools and improve communication.
A VPN uses bank-grade encryption to hide your personal information and actions from cybercriminals and advertisers. This lets you shop, bank, and do everything else online without worrying about someone stealing your information, even if you’re using a public Wi-Fi network. 
A VPN can keep your browsing private. It does this by hiding your IP address, so your physical location, banking information, and credit card information are protected while you surf online.  

How to choose a VPN provider

The best VPN for you depends on your situation and what you plan to do online.  

You’ll need a VPN that’s compatible with all of your devices. Many VPNs work with Windows, Android, macOS, Linux, and iOS. However, not all VPNs are compatible with every operating system. For instance, if you have an iPhone but someone else in your home has an Android, it’s important to choose a provider with an app in the Apple App Store and the Google Play Store.  

Consider which features you’ll need:  

Will you be traveling? If so, get a VPN with server locations where you’re going.  
Do you have a large family with a lot of devices? Then, a router-based VPN can be a good choice.  
Will you use your VPN for things like streaming movies on Netflix and gaming? You’ll want a VPN with a lot of speed and bandwidth.  

Be careful when choosing a VPN service, though. Some free VPN services will still pass along your information to ad agencies. If online privacy is your main goal, you’ll want to find a VPN that doesn’t store logs of your internet activity or pass along your data.  

VPN protocols also matter, and they vary in speed and security. For example, Point-to-Point Tunneling Protocol (PPTP) is a fast protocol, but it’s not as secure as other protocols like OpenVPN or WireGuard. Some VPN providers will let you use multiple protocols.

Finally, look for a VPN that’s easy to use. Some VPNs have convenient features like virtual setup and intuitive interfaces that make using them easier. Some providers will even give you a free trial to test out the VPN before committing to it. Be sure your VPN network also has a reliable support team to help you if you ever have problems. 

How to set up a VPN on an iPhone

We’ll show you how to complete VPN setup on your iPhone in the next few sections.  

Install the iOS app of a VPN provider

Go to the Apple App Store on your iPhone and find an app for the VPN provider you’ve chosen. Tap “Get” and confirm the installation to install the app on your phone.

Create an account on the VPN app

Open the VPN app, create an account with the VPN provider, and sign up for the service.

Open iPhone settings and connect to the VPN

You’ll have to enter your passcode after creating your account to allow a change in your phone’s VPN settings and enable the VPN.  

You might have to manually configure your VPN if you need access to a private network at a business or school. Here’s how to manually enable a VPN to work on your iPhone:

Tap on your “Settings” app on the Home Screen of your iPhone. 
Choose “General.” 
Press “VPN.” 
Tap “Add VPN Configuration.”  
Press “Type” and pick the type of VPN protocol you’re using. It could be IKEv2, IPsec, or L2TP.
Type in a description, remote ID, and a server for the VPN.
Type in your username and password.
Tap “Manual” or “Auto” to enable your proxy server (if using one).
Press “Done.” 
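The same manual IKEv2 configuration expressed as an Apple configuration profile (a .mobileconfig file), as an added example that is not part of the original McAfee article: each field maps to one of the Settings entries above, and the server name, identifiers, user name and UUIDs are placeholders to replace. A school or business IT team can distribute such a profile instead of having each user type the fields in.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- VPN payload: one entry per configuration listed under Settings > General > VPN -->
      <key>PayloadType</key>          <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>       <integer>1</integer>
      <key>PayloadIdentifier</key>    <string>com.example.vpn.ikev2</string>               <!-- placeholder -->
      <key>PayloadUUID</key>          <string>11111111-2222-3333-4444-555555555555</string> <!-- placeholder; generate a fresh UUID -->
      <key>PayloadDisplayName</key>   <string>Example School VPN</string>
      <!-- The "Description" field of the Add VPN Configuration screen -->
      <key>UserDefinedName</key>      <string>Example School VPN</string>
      <!-- The "Type" field: IKEv2 (the other manual choices are IPsec and L2TP) -->
      <key>VPNType</key>              <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- The "Server" and "Remote ID" fields -->
        <key>RemoteAddress</key>      <string>vpn.example.edu</string>                    <!-- placeholder -->
        <key>RemoteIdentifier</key>   <string>vpn.example.edu</string>                    <!-- placeholder -->
        <key>LocalIdentifier</key>    <string>iphone-user</string>                        <!-- placeholder -->
        <!-- The gateway proves its identity with a certificate; the user with name and password (EAP) -->
        <key>AuthenticationMethod</key> <string>None</string>
        <key>ExtendedAuthEnabled</key>  <true/>
        <!-- The "Username" field. AuthPassword is deliberately left out so the password is
             entered on the device instead of being stored in a file that may be copied around. -->
        <key>AuthName</key>           <string>jdoe</string>                               <!-- placeholder -->
        <!-- Pin the issuer of the gateway certificate so a rogue server cannot pose as the VPN -->
        <key>ServerCertificateIssuerCommonName</key> <string>Example School Root CA</string> <!-- placeholder -->
        <!-- Stronger-than-default IKE proposal with perfect forward secrecy -->
        <key>EnablePFS</key>          <true/>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>   <string>AES-256-GCM</string>
          <key>IntegrityAlgorithm</key>    <string>SHA2-256</string>
          <key>DiffieHellmanGroup</key>    <integer>20</integer>
        </dict>
      </dict>
      <!-- The "Proxy" field: Off / Manual / Auto. HTTPEnable 0 means Off -->
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>         <integer>0</integer>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>   <string>Example School VPN profile</string>
  <key>PayloadIdentifier</key>    <string>com.example.vpn</string>                      <!-- placeholder -->
  <key>PayloadType</key>          <string>Configuration</string>
  <key>PayloadUUID</key>          <string>66666666-7777-8888-9999-000000000000</string> <!-- placeholder; generate a fresh UUID -->
  <key>PayloadVersion</key>       <integer>1</integer>
</dict>
</plist>
```

Opening the file on the iPhone (for example from Mail or a web link) adds it under Settings > General > VPN & Device Management, where it must be installed before the VPN appears.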

Use the VPN on your iPhone

After you’ve enabled the VPN on your iPhone settings, you’ll have to activate it when you want to use it. Here’s how you can make your VPN active: 

Go to the “Settings” app on your phone.  
Go to “General.”  
Choose “VPN.”  
Tap the status switch on your VPN to turn it on.  

Be sure to turn off your VPN whenever you’re not using it so it doesn’t use up your battery. It’s especially important to turn off your VPN if you’re on a limited plan from your provider.  

Keep your device safe with McAfee Security for Mobile

A VPN is a great tool for keeping your internet connection private. When you install a VPN on your iPhone, you can enjoy the internet from anywhere knowing that your personal information has an extra layer of protection against advertisers and hackers.

Whether you use an Android or an iOS device, though, McAfee can help you stay safe online. With McAfee Security for Mobile, you can access quality security tools like a VPN and safe browsing.  

Our award-winning app allows you to connect safely and seamlessly to the digital world while keeping unwanted visitors from entering your digital space. Enjoy one of our most comprehensive security technologies while living your best life online. 

The post How to Set Up a VPN on an iPhone in 2022 appeared first on McAfee Blog.

USN-5503-2: GnuPG vulnerability

USN-5503-1 fixed a vulnerability in GnuPG. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

Demi Marie Obenour discovered that GnuPG incorrectly handled injection in
the status message. A remote attacker could possibly use this issue to
forge signatures.

Security Vulnerabilities in Honda’s Keyless Entry System

Honda vehicles from 2021 to 2022 are vulnerable to this attack:

On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin2600, who works for cybersecurity firm Star-V Lab, dubbed the attack RollingPWN.

[…]

In a phone call, Kevin2600 explained that the attack relies on a weakness that allows someone using a software defined radio—such as HackRF—to capture the code that the car owner uses to open the car, and then replay it so that the hacker can open the car as well. In some cases, he said, the attack can be performed from 30 meters (approximately 98 feet) away.

In the videos, Kevin2600 and his colleagues show how the attack works by unlocking different models of Honda cars with a device connected to a laptop.

The Honda models that Kevin2600 and his colleagues tested the attack on use a so-called rolling code mechanism, which means that—in theory—every time the car owner uses the keyfob, it sends a different code to open it. This should make it impossible to capture the code and use it again. But the researchers found that there is a flaw that allows them to roll back the codes and reuse old codes to open the car, Kevin2600 said.

Catalogic Software adds newer detection and backup capabilities

Catalogic Software has announced the latest version of its DPX enterprise data protection software, DPX 4.8.1, which now includes GuardMode for early detection of ransomware, and DPX vPlus, cloud backup support for Microsoft 365 and other open virtualization platforms.

Catalogic DPX is a proprietary data protection platform that offers the capability to back up data and applications from virtualized machines.

According to Catalogic COO Sathya Sankaran, VMware and Hyper-V make up about 80% of the virtualization hypervisor market, while the remaining 20% is attributed to a mix of players, including Microsoft 365, and various open source options such as XenServer, Oracle VM, KVM, Red Hat, Acropolis, OpenStack and RHV/oVirt. Catalogic DPX vPlus will provide support for these other hypervisors that are “usually neglected” by other backup solutions, according to Sankaran.

graphviz-5.0.0-1.fc37

FEDORA-2022-e715590b2d

Packages in this update:

graphviz-5.0.0-1.fc37

Update description:

Automatic update for graphviz-5.0.0-1.fc37.

Changelog

* Tue Jul 12 2022 Jaroslav Škarvada <jskarvad@redhat.com> - 5.0.0-1
- New version
  Resolves: rhbz#2105006
* Sun Jul 10 2022 Elliott Sales de Andrade <quantum.analyst@gmail.com> - 4.0.0-9
- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
  CVE-2022-29526, CVE-2022-30629

DevSecOps monitor and decommission

This is the final article of the DevSecOps series on how DevSecOps overlays onto the DevOps lifecycle. In the first article, we discussed build and test in DevSecOps. In the second article, we covered securing the different components of the deploy and operate process. The final phases of the DevOps lifecycle are monitoring the deployed applications and eventually decommissioning them when they are no longer needed.

The goal for DevSecOps is to have awareness and visibility into the entire application lifecycle to keep the system secured, healthy, and available. And when it’s time to decommission, follow the business processes to safely transition users and retire the application.

Monitoring

A system must be able to manage the failure of any application or hardware component. The goal of monitoring is to reduce the risk of failure by providing awareness and visibility into the behavior and health of applications and the overall system. When establishing a continuous monitoring program, consider the following security related items as part of the overall strategy.

Make the health of all applications and systems visible through monitoring.
Understand the threats and vulnerabilities that put each application at risk.
Identify and create policies that define what security controls are needed, where they should be applied, and track gaps in controls using a risk register.
Logs and event data gathered by the tools should be segmented from the application, centrally collected, correlated, analyzed, and reported on for investigation.
All stakeholders have a role in security, and they must be trained on how to take action to protect the organization.
Risk management must be dynamic to provide continuous monitoring and proactive resolution of security issues.

Monitoring starts with the planning phase and continues through the entire lifecycle of the application. It should be designed into the application and not an afterthought at the end of delivery. Empowering stakeholders with monitoring information can provide greater security to keep applications healthy and available throughout their lifecycle.

Decommission

The most important step when decommissioning an application is obtaining awareness and support through a transition plan and schedule with the stakeholders and users. Companies can ease the transition by having an overlap period between the new application and the one being retired. During the overlap period, users can be moved in groups to ease the efforts needed to support and troubleshoot migrating users.

Once users are transitioned and the legacy application is ready to be decommissioned, backups of the system should be performed. Any supporting infrastructure is turned down and returned to the pool of available resources. This reduces the attack surface of the organization and the administrative overhead of keeping a system secured.

Developers also have a role in decommissioning the application. The following items should be addressed as part of retiring an application.

Developers and any stakeholders with code checked out of the application source code repository need to check in their final versions and delete the code from their development workstations.
Any open merge requests to feature or master branches should be approved or denied before the repository is archived.
Developers should clean up the feature branches to reduce the size and complexity of the archived repository.
Once the source code repository is cleaned up, it should be set to read-only and access removed for everyone except the necessary stakeholders.
Only the DevOps administrator should have access to the application code repository. In the future, the administrator can give access on a case-by-case basis.

Turning down the infrastructure and development resources for the decommissioned application reduces the company’s attack surface, helps maintain a clean DevOps environment, reduces infrastructure costs, and removes unnecessary monitoring.

Conclusion

This series has covered many of the fundamental security practices used by DevSecOps and shows how it overlays onto DevOps. The role of DevSecOps is to help the stakeholders (who ultimately own and are responsible for the risk) protect their business systems. For DevSecOps to be successful, the organization must make the cultural shift from traditional siloed groups to an integrated DevOps team. With the integrated team operating as one, digital transformation using DevOps and DevSecOps is delivered at the speed, scale, and security needed for success.

Locked in: How long is too long for security vendor contracts?

Stephanie Benoit Kurtz thought she had a good deal when, in one of her former CISO roles, she signed a three-year contract with a vendor for vulnerability management as a service.

Benoit Kurtz inked the deal thinking that her security operations program would make full use of all the offered features. But she found early into the three-year stretch that her team only used about 60% of them.

She says she was in a bind: paying for a product that wasn’t really the right fit with no way to get out of the contract.

“It’s hard to go back to the manufacturer and say, ‘I didn’t need that module, so can I get my money back?’ They don’t seem to want to engage in that conversation,” says Benoit Kurtz, a former security executive who is now lead faculty for the College of Information Systems and Technology at the University of Phoenix.
