Cybersecurity Snapshot: 6 Things That Matter Right Now


Topics that are top of mind for the week ending Aug. 19 | A ransomware defense blueprint for SMBs. Why phishing is getting worse and what to do about it. The government revises its cybersecurity guidance for pipeline operators. A roundup of important vulnerabilities, trends and incidents. And much more!

1. A ransomware defense guide for SMBs

Here’s a new resource for small and medium-sized businesses looking for help preventing ransomware attacks. Using the Center for Internet Security (CIS) Critical Security Controls as a foundation, the Institute for Security and Technology (IST) has just released its “Blueprint for Ransomware Defense.” 

This 16-page guide offers SMBs “an action plan for ransomware mitigation, response and recovery” and recommends 40 safeguards, including:

Identify what’s on your network, both in terms of technology being used and of data being stored or transmitted. Create an asset inventory and a data management process.

Protect what’s on your network, via secure configurations, account and access management, vulnerability management and employee security awareness.

Have an incident response plan in place so that you can act quickly and deliberately if an attack occurs.

Establish and maintain a data recovery process.

For more information:

7 Steps to Help Prevent & Limit the Impact of Ransomware (CIS)
Ransomware Preparedness: Why Organizations Should Plan for Ransomware Attacks Like Disasters (Tenable)
7 Simple Things You Can Do Right Now to Protect Your Business from a Ransomware Attack (U.S. Chamber of Commerce)
CISA guidance for SMBs

2. Phishing risk: It’s getting worse

A new phishing study shows that this form of cybercrime is booming, with the number of attacks spiking and profits swelling. Bottom line: Phishing risk is a serious concern for organizations, as employees get bombarded with legit-looking emails and texts that try to dupe them into revealing confidential data about themselves or their employers. Plus, many threat actors like ransomware groups, initial access brokers and even APTs use phishing as an initial vector for more complex attacks.

Based on an analysis of millions of phishing reports, Interisle Consulting Group’s “Phishing Landscape 2022: An Annual Study of the Scope and Distribution of Phishing” found that, comparing the 12-month period of May 2021 to April 2022 with the same period the prior year:

Phishing attacks grew 61% to 1.12 million
Domain names reported for phishing rocketed 72% to 854,000
Malicious domain name registrations surged 83% to 588,321
Cryptocurrency phishing increased 257%

So what can be done? Here are some of the report’s recommendations:

Enterprises can eliminate silos in the naming, addressing and hosting ecosystem so that policies and mitigation practices are more effective.
Registrars, registries and hosting providers must respond more quickly in a more coordinated and determined manner to phishing complaints and incidents.
Governments need to pass legislation and adopt regulations that clarify what operators must do to validate user identity and lawful access, and to respond to phishing incidents.

More information about phishing:

Phishing scams Mac users should look out for (Cult of Mac)
10 Ways To Avoid Phishing Scams (Phishing.org)
Phishing attacks: defending your organisation (U.K. National Cyber Security Centre)
Counter-Phishing Recommendations for Federal Agencies (CISA)
US govt warns Americans of escalating SMS phishing attacks (BleepingComputer)
Avoiding Social Engineering and Phishing Attacks (CISA)

3. Vulnerabilities associated with 2021’s top malware

Right after the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) outlined the top malware of 2021, Tenable’s Security Response Team identified vulnerabilities associated with these malicious strains.

In a blog post, SRT research engineers Claire Tills and Satnam Narang explain that, while the list of vulnerabilities isn’t exhaustive, it offers a starting point for organizations looking to cut off known attack paths exploited by the most prolific malware.

Check out the table below for the vulnerabilities and read the blog post to get detailed analysis and insights, including:

14 of the 17 vulnerabilities are in Microsoft products.
Nine of the flaws could lead to code execution.
All but four of the vulnerabilities are more than two years old.
The oldest was patched in 2015.
Only one is an elevation of privilege flaw.

| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2015-5122 | Adobe Flash Player use-after-free | v2 10.0 | 9.7 |
| CVE-2016-0189 | Scripting Engine memory corruption | 7.5 | 9.8 |
| CVE-2016-4171 | Adobe Flash Player arbitrary code execution (apsa16-03) | 9.8 | 8.9 |
| CVE-2017-0144 | Windows SMB remote code execution (EternalBlue) | 8.1 | 9.6 |
| CVE-2017-0199 | Microsoft Office/WordPad remote code execution | 7.8 | 9.8 |
| CVE-2017-11882 | Microsoft Office memory corruption | 7.8 | 9.9 |
| CVE-2017-8570 | Microsoft Office remote code execution | 7.8 | 9.8 |
| CVE-2017-8750 | Microsoft Browser memory corruption | 7.5 | 8.9 |
| CVE-2017-8759 | .NET Framework remote code execution | 7.8 | 9.8 |
| CVE-2018-0798 | Microsoft Office memory corruption | 8.8 | 9.8 |
| CVE-2018-0802 | Microsoft Office memory corruption | 7.8 | 9.8 |
| CVE-2018-14847 | MikroTik RouterOS remote code execution | 9.1 | 8.8 |
| CVE-2020-0787 | Windows Background Intelligent Transfer Service elevation of privilege | 7.8 | 9.8 |
| CVE-2021-34527 | Windows Print Spooler remote code execution (PrintNightmare) | 8.8 | 9.8 |
| CVE-2021-40444 | Microsoft MSHTML remote code execution | 7.8 | 9.8 |
| CVE-2021-43890 | Windows AppX installer spoofing vulnerability | 7.1 | 9.7 |
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool remote code execution (Follina) | 7.8 | 9.8 |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. These VPR scores are current as of Aug. 18.

Source: Tenable Research, August 2022

More information:

Joint CISA/ACSC alert
The most prolific malware strains of 2021 are yesterday’s news with a modern twist (SC Media)
What are the Top 2 Malware Strains Last Year According to CISA, ACSC? (ITechPost)

4. Among IoT adopters, security is now less of a concern

Security concerns aren’t as big of a barrier to IoT adoption as they were five years ago, according to the Wi-SUN Alliance’s “The Journey to IoT Maturity” report, which surveyed 300 IT pros in the U.S. and the U.K. involved in IoT implementation projects. Security is also seen as less of a technical challenge today.

By contrast, respondents are more worried about data privacy issues, as well as about big data rollouts and regulation, according to the industry group’s report.

That’s not to say that security has become a non-issue. On the contrary, it remains a major challenge for IoT success, along with the cost of implementation failures, the IT infrastructure’s complexity and the need to see proven return-on-investment (ROI).

Security also features prominently elsewhere in the report – specifically the “security and surveillance” use case, which ranks among the top IoT initiatives respondents are most likely to roll out in the next 12 to 18 months, along with:

Distribution automation
Advanced meter infrastructure
Smart parking
Electric vehicle charging

For more information:

What is IoT security? (TechTarget)
Securing the Internet of Things Supply Chain (IoT Security Foundation white paper)
Top 5 IoT security threats and risks to prioritize (TechTarget)
Securing the Internet of Things (U.S. Department of Homeland Security)
NIST Cybersecurity for IoT Program

5. TSA updates security requirements for pipeline operators

After facing criticism, the U.S. government’s Transportation Security Administration (TSA) has revised its cybersecurity requirements for oil and natural gas pipelines, aiming to make them clearer and more flexible by basing them on performance and outcomes. 

The first iteration of the requirements, released in mid-2021 in response to the Colonial Pipeline ransomware attack, was more prescriptive, and that made the requirements confusing and difficult to adopt.

The revised directive’s guidance includes:

Implement network segmentation so that compromises of operational technology (OT) systems don’t hobble IT systems, and vice versa.

Prevent unauthorized access to critical systems via access control measures.

Continuously monitor and detect cyberthreats and fix anomalies that affect systems.

Patch and update critical systems with a timely, risk-based process.

Requirements include:

Establish and execute a TSA-approved implementation plan that describes the cybersecurity measures being used to achieve security outcomes.

Develop and maintain a plan to respond to cybersecurity incidents that disrupt operations or impact business.

Establish an assessment program to test and audit cybersecurity measures and identify and resolve vulnerabilities in devices, networks and systems.

Report significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

Establish a cybersecurity point of contact. 

Conduct an annual cybersecurity vulnerability assessment.

More information:

‘TSA has screwed this up’: Pipeline cyber rules hitting major hurdles (Politico)
What TSA’s updated cybersecurity guidelines mean for pipeline security (Smart Industry)
TSA revises cybersecurity guidelines for gas pipeline owners and operators (FedScoop)
TSA unveils updated cybersecurity regulations of oil and gas pipelines (The Record)
How Can We Strengthen the Cybersecurity of Critical Infrastructure? (Tenable)

6. Quick takes

Here’s a roundup of vulnerabilities, trends, news and incidents from the world of cybersecurity to have on your radar screen.

Vulnerabilities to watch

Zoom has patched a vulnerability affecting its macOS app.

A Google Chrome zero-day vulnerability is being actively exploited in the wild.

Multiple Zimbra CVEs are being exploited.

There’s an RSA private key leak vulnerability impacting Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

Microsoft called on Windows users to patch the DogWalk zero-day vulnerability as part of its August Patch Tuesday announcement.

Apple patched two critical zero-day vulnerabilities exploited in the wild affecting iOS and iPadOS, as well as macOS Monterey.

Trends

Data stolen in ransomware attacks is getting leaked and fueling a spike in business email compromise (BEC) attacks.

The Log4j vulnerability is driving a surge in threat activity.

Fraudulent crypto apps have netted cybercrooks almost $43 million stolen from 244 victims, the FBI warned.

Incidents

Cisco was hit by an attack against its corporate IT infrastructure. More information is available from Cisco’s Talos team, as well as from CSO Magazine and Dark Reading.

It may take weeks for a partner of the U.K.’s National Health Service to fully recover from a recent ransomware attack that disrupted various NHS services.

Twilio got breached via a social engineering attack.

News

CISA has released an elections-protection toolkit for state and local government officials, election officials and vendors.

A “quantum computing resistant” algorithm chosen recently as a finalist in a U.S. government competition barely put up a fight against a single-core CPU.

Check out guidance about the Zeppelin ransomware from the FBI and CISA.

(Tenable Senior Research Engineer Claire Tills contributed to this blog.)


Five things security pros want from CNAPP


According to new research from ESG and the Information Systems Security Association (ISSA), 58% of organizations are consolidating or considering consolidating the number of security vendors they do business with.

Security technology consolidation is bigger than simply winnowing down vendor count. Organizations are shifting from traditional best-of-breed security technologies to tightly integrated security technology platforms. The research illustrates this point: While 24% of respondents say their organization tends to continue to purchase best-of-breed security technologies, 38% say they purchase integrated security technology platforms, while 15% are transitioning purchases from best-of-breed products to security technology platforms (note: the remainder responded “don’t know”).


A Parent’s Guide To The Metaverse – Part Two


Welcome back to part 2 of my Metaverse series. If you are after tips and strategies to help your kids navigate the Metaverse safely then you’re in the right place. In this post I’ll share with you how your kids are likely already accessing the Metaverse, the benefits plus how to ensure they have a safe and positive experience. Now, if you’d like a refresher on exactly what the Metaverse is before we get underway, then check out part one here. 

How Many Kids Are Using The Metaverse? 

If your kids have played Roblox, Fortnite or Minecraft then they have already taken the step into this new virtual frontier. Yes, it’s that easy! But how many kids are playing on these platforms?  

Last year, Roblox reported that its online community grew from 30 to 50 million daily users across 180 countries with just under half of the community reportedly under the age of 13. 
Fortnite has more than 350 million registered players and as of August 2022, has between 2.5 and 4 million people playing at any one time. Around ¼ of the players are under 18, with the bulk of players (62%) between 18 and 24 years old. 
53% of Aussie kids aged 6 to 8 and 68% of 9 to 12 year olds are actively playing Minecraft once a week, according to Australian research. 

So, if you’ve got a couple of kids, tweens or teens in your house, then chances are they have probably already had a Metaverse experience! Or, if not yet, then it won’t be long… 

Is There Any Difference Between Video Games And The Metaverse? 

There are actually a lot of similarities between online video games and the Metaverse, including the use of avatars and the availability of items to purchase, e.g. a horse in a game or an NFT (non-fungible token) in the Metaverse. However, the biggest difference is that the Metaverse is not just about gaming – it is so much more. In the Metaverse, there are no limitations to the number of participants nor on the type of activity – you can attend meetings, concerts, socialise without the gaming aspect, even undertake study!

What Are The Benefits Of The Metaverse For Our Kids? 

There are so many good things about the Metaverse for our kids, particularly from an educational perspective. As a mum of 4, I am really excited at the possibilities the Metaverse will offer our kids. Imagine being able to experience a country in virtual reality – walk around, see the sights, its geographical features. I have no doubt that would enthuse even the most reluctant learners. And a recent US study confirmed this. It found that taking students on a Virtual Reality field trip to Greenland to learn about climate change resulted in higher interest, enjoyment and retention than students who simply watched a traditional 2-D video. How good! 

Taking care of my family’s mental health has always been a huge focus of my parenting approach and I am really excited at the great options the Metaverse can offer in the area. As a family, we’ve spent multiple hours using apps like Calm and Headspace to help us meditate and practice mindfulness. But the thought of being able to don a VR headset and be transported to the actual rainforest or the roaring fire that I often listen to, is even more appealing! One of the best parts of the VR experience is that it completely blocks out the ‘real world’ which would make it easier to stay in the flow. Very appealing! 

And while we’re talking benefits, let’s not gloss over the potential role the Metaverse can play in fostering empathy and promoting understanding between communities. There is a growing group of digital creators who are designing Metaverse experiences to do this using Virtual Reality. Homeless Realities is a project from the University of Southern California (USC) where students use virtual reality to tell stories, usually of marginalized communities that have been overlooked by traditional journalism. So powerful! 

How Do We Keep Our Kids Safe? 

As parents, it’s essential that we add the Metaverse to our list of things to get our head around so we can keep our kids safe. Here are my top tips: 

1. Commit To Understanding How It All Works 

While I very much appreciate you reading this post, it’s important that you take action and get involved – particularly if your kids are already. If your kids are using Minecraft, Fortnite or Roblox – sign up and understand yourself how it all works. If your kids have a VR headset and you’re not sure how it works – ask them for a turn and a lesson. Only by experiencing it for yourself, will you truly understand the attraction but also the pitfalls and risks.   

2. Direct Your Kids To Age Appropriate Platforms 

As the Metaverse is still evolving and very much a work in progress, there are very minimal protections in place for users. However, the 3 platforms that tend to attract younger players (Roblox, Minecraft and Fortnite) all have parental control features. So, please direct them here – if you can – as you’ll be able to have more control over their online safety. 

Minecraft and Fortnite allow parents to disable chat functions which means your kids can’t communicate with people they don’t know. Roblox will automatically apply certain safety settings depending on the age group of their account. But regardless of what their platform of choice is, always protect your credit card details!! I know Fortnite will only allow kids to make ‘in game’ purchases if they supply credit card details in the checkout.

3. Make Online Safety Part Of Your Family’s Dialogue 

If your kids are older, it’s likely you’ll have far less say over where they spend their time in the Metaverse so that’s when your kids will need to rely on their cyber safety skills to help them make safe decisions. Now, don’t assume that your child’s school has ticked the cyber safety box and it’s all been taken care of. Cybersafety needs to be woven into your family’s dialogue and spoken about regularly. Even from the age of 5, your kids should know that they shouldn’t talk to strangers online or offline, that if they see something that makes them upset online then they need to talk to a parent asap, and that they should never share their name or anything that could identify them online.

The goal of this is to make safe online behaviour part of their routine so that when they are faced with a challenging situation anywhere online, they automatically know how to respond. And of course, as kids get older, the advice becomes appropriate to their age. 

4. Don’t Forget About Physical Safety Too 

Most kids are busting to get access to a VR headset but please take some time to do your research to work out which headsets are more suitable for your kids and your lounge room! There are 2 basic types: some that require a ‘tethered’ connection to a PC or standalone models with built-in computing power. The tethered headsets have traditionally delivered a more immersive user experience due to the extra computational power the PC provides; however, experts predict it won’t be long before standalone headsets are just as good. The biggest selling VR headset, Oculus Quest 2, can in fact connect wirelessly to your PC with the option to connect via a cable in case the game or experience needs extra oomph!

Regardless of which type you choose, it’s important that there is a safe play area in which to use the headset. VR headsets completely remove any visual of the real world so please remove special vases and keepsakes and ensure the dog isn’t roaming around.

‘Cybersickness’ aka motion sickness can be a real issue for some VR users. When you don the headset and are immersed in a different time and space, your body can get very confused. If your brain thinks you are moving (based on what you are seeing through the headset) but in fact you’re standing still, it creates a disconnect that causes enough confusion to make you feel nauseous. If this happens to your kids, consider reducing the time they spend with the headset, having fewer but smaller sessions to get your ‘VR legs’ and checking the VR headset is being worn correctly. 

So, it’s over to you now parents: it’s time to get involved and understand this Metaverse once and for all. Always start with the games and experiences your kids spend their time on but when you’re ready, make sure you check out some of the more adult places such as Decentraland or The Sandbox. Who knows, you might just become a virtual real estate tycoon or set up a business that becomes quite the side hustle! The sky is the limit in the Metaverse! 

Till next time! 

Alex  

The post A Parent’s Guide To The Metaverse – Part Two appeared first on McAfee Blog.
