LastPass hackers steal source code, no evidence of users’ passwords compromised

LastPass, the popular password manager trusted by millions of people around the world, has announced that it suffered a security breach two weeks ago that saw hackers break into its systems and steal information.

Read more in my article on the Tripwire State of Security blog.

libtar-1.2.20-25.fc35

FEDORA-2022-fe1a4e3cf0

Packages in this update:

libtar-1.2.20-25.fc35

Update description:

fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646)
fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)

libtar-1.2.20-25.fc36

FEDORA-2022-50e8a1b51d

Packages in this update:

libtar-1.2.20-25.fc36

Update description:

fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646)
fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)

libtar-1.2.20-25.fc37

FEDORA-2022-44a20bba43

Packages in this update:

libtar-1.2.20-25.fc37

Update description:

fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646)
fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)

Security and Cheap Complexity

I’ve been saying that complexity is the worst enemy of security for a long time now. (Here’s me in 1999.) And it’s been true for a long time.

In 2018, Thomas Dullien of Google’s Project Zero talked about “cheap complexity.” Andrew Appel summarizes:

The anomaly of cheap complexity. For most of human history, a more complex device was more expensive to build than a simpler device. This is not the case in modern computing. It is often more cost-effective to take a very complicated device, and make it simulate simplicity, than to make a simpler device. This is because of economies of scale: complex general-purpose CPUs are cheap. On the other hand, custom-designed, simpler, application-specific devices, which could in principle be much more secure, are very expensive.

This is driven by two fundamental principles in computing: Universal computation, meaning that any computer can simulate any other; and Moore’s law, predicting that each year the number of transistors on a chip will grow exponentially. ARM Cortex-M0 CPUs cost pennies, though they are more powerful than some supercomputers of the 20th century.

The same is true in the software layers. A (huge and complex) general-purpose operating system is free, but a simpler, custom-designed, perhaps more secure OS would be very expensive to build. Or as Dullien asks, “How did this research code someone wrote in two weeks 20 years ago end up in a billion devices?”

This is correct. Today, it’s easier to build complex systems than it is to build simple ones. As recently as twenty years ago, if you wanted to build a refrigerator you would create custom refrigerator controller hardware and embedded software. Today, you just grab some standard microcontroller off the shelf and write a software application for it. And that microcontroller already comes with an IP stack, a microphone, a video port, Bluetooth, and a whole lot more. And since those features are there, engineers use them.

Cloud Data Management Capabilities (CDMC) framework: the challenges & best practices

This blog was written by an independent guest blogger.

Cloud adoption has gained solid momentum over the past few years. The technology has been helping organizations revolutionize their businesses and optimize their processes for increased productivity, reduced cost, and better scalability. But as organizations pour all of their focus into improving their businesses, they tend to lose control of governance.

One of the many reasons that data governance tends to slip out of control is that organizations increasingly adopt a hybrid or multi-cloud model. This is driven by the explosion of data, which grows every year and forces organizations to turn to data lakes or data warehouses to dump all their data.

Furthermore, the irregular growth of data and the increasing adoption of the cloud model without an effective cloud data management strategy have led organizations to face tremendous challenges. Here, a Cloud Data Management Capabilities (CDMC) framework can enable organizations to streamline their cloud adoption and data management processes effectively.

Common challenges that organizations face in the cloud

Before we dive into the definition of CDMC and learn more about its varying best-practice capabilities, let’s first talk about the myriad challenges organizations face in a single or hyper-cloud environment.

Challenge #1: According to a survey, 80% of employees admit that they use SaaS applications without the approval of their IT team. Similarly, it has also been reported that an average company has over 900 unknown cloud services. The growing number of shadow IT or dark data assets creates security vulnerabilities that may come back to bite the organization in the form of internal abuse, ransomware, or any other cyber breach.

These circumstances may arise when those dark data assets are moved to the cloud during the lift-and-shift process, and there’s no proper catalog of those assets. This also leaves organizations with little to no visibility into the security posture of those assets, especially those that contain sensitive data.

Challenge #2: According to a cloud security report, 56% of organizations cite security as the primary concern behind slow cloud adoption. Security threats may also arise when an organization has sensitive data in its assets, and there are little to no security measures set to protect that data.

When it comes to data protection, especially sensitive data, it is imperative for organizations to have adequate security controls. These are necessary to prevent data leakage, insider threats, or any other cyber threats. A clear inventory of cataloged metadata of sensitive data can best enable organizations to prioritize security and establish appropriate controls.

Challenge #3: Global privacy regulations are gaining momentum gradually. Countries are improving their privacy laws to enhance consumers’ right to privacy and freedom. As part of the compliance, it is necessary for businesses to have clear visibility into where the sensitive data resides, who has access to it, and what they can do with that level of access. In case of non-compliance, organizations may face not only hefty penalties from regulatory authorities but may also have to experience other chaotic consequences, such as loss of customer trust or business partnerships.

Traditional data management frameworks are not engineered around the complications and challenges that are exclusive to the cloud. Therefore, organizations need a framework that takes the exclusivities of the cloud into account. Here, the CDMC framework by the EDM Council comes into the picture.

What is a CDMC framework?

The Cloud Data Management Capabilities (CDMC) framework outlines the best practices and capabilities that help organizations ensure seamless cloud migration, effective data protection, and robust data management in the cloud.

The CDMC framework was designed through the contributions of the world’s top-rated internet services along with top-rated data governance, intelligence, and data privacy services. Securiti, for example, is also one of the major contributors to the CDMC framework. The joint effort was headed by the EDM Council, an international association that advocates for the development and implementation of data standards and best practices.

Best practices under the CDMC framework

The CDMC framework v1.1 outlines 6 different components, containing 14 capabilities and 37 sub-capabilities. These capabilities provide us with the much-needed guidance on how to securely manage data in the cloud, stay compliant with global privacy laws, and enable automation for enhanced data management and governance. The 14 best practices and capabilities outlined under the CDMC framework are as follows:

A data control compliance metric must be established for all of an organization’s data assets that contain sensitive data. The metric is derived from all the key controls of the CDMC framework.
The ownership field in a data catalog must be properly populated for all the sensitive data.
A catalog of metadata, such as authoritative sources and authorized distributors, for all the data assets, must be populated, especially for the assets that contain sensitive data.
An auditable and controlled record of cross-border movements and data sovereignty must be kept in accordance with a defined policy.
A catalog of all personal and sensitive data needs to be created at the point of data creation or ingestion.
A real-time automated data classification must be established for all data at the point of creation or ingestion.
The framework must be capable of tracking ownership, entitlement, and access to all sensitive data.
The data consumption purpose must be provided.
Appropriate security controls must be established around sensitive data, and a record should be maintained for audit trail and for checking any anomalies.
Automated data privacy impact assessment should be set up for all sensitive data according to its jurisdictions.
Data quality measurement should be enabled.
Manage data retention and streamline purging and archiving of data.
A clear view of data lineage for all sensitive data.
An understanding of the cost associated with the usage, storage, and movement of data.

Why do organizations need CDMC capabilities?

The CDMC framework’s best practices and capabilities are highly critical for organizations that deal with sensitive data or regulate that sensitive data in hybrid, multi-cloud, or dynamic cloud environments. Organizations that collect, store, process, share or sell the following data must pay attention to the key controls defined under the CDMC. Such data include:

Personally identifiable information.
Healthcare information.
Financial information.
Business information.
Sensitive personal information.
Confidential information.
Non-public information.

Cybersecurity Snapshot: 6 Things That Matter Right Now

Topics that are top of mind for the week ending Aug. 26 | The “platformization” of hybrid cloud security. Budgeting guidance for CISOs. Tackling IT/OT cybersecurity challenges. Tips for complying with HIPAA’s cybersecurity rule. A roundup of patches, trends and incidents to keep an eye on. And much more!

1 – IDC sees shift to “platformization” of hybrid cloud security

Expect cloud workload security offerings to evolve from being siloed products into becoming integrated components of broader security and IT platforms in the next two years. That’s according to IDC’s “Worldwide Cloud Workload Security Forecast, 2022-2026.”

What’s driving this “platformization” shift? A search for simplicity by security teams, as digital transformation extends organizations’ attack surface, complicating the protection of increasingly hybrid and multi-cloud IT environments.

“Separate and disconnected offerings to support applications developers, security practitioners, or cloud operations will give way to comprehensive solutions to address the complexity that customers bring upon themselves,” reads the report.

IDC predicts that the “platform reality” will materialize by 2024 in this market, which it defines as products that protect three software-defined compute environments – virtual machine software, containers and cloud system software.

Meanwhile, organizations will spend $5.1 billion globally on cloud workload security software in 2026, up from $2.2 billion last year, a compound annual growth rate of 18.5%, according to IDC.

(Source: IDC “Worldwide Cloud Workload Security Forecast, 2022-2026: Complexity Drives the Market Up and to the Right”, Doc # US49522022, August 2022.)

More information about cloud security:

Cloud Security Definition (TechTarget)
Top Threats to Cloud Computing Pandemic Eleven (Cloud Security Alliance)
Cloud security in 2022: A business guide to essential tools and best practices (ZDNet)
CNAPP: What Is It and Why Is It Important for Security Leaders? (Tenable)
Cloud Security for Beginners: Part 1 – Starting Off in the Cloud (SANS Institute)

2 – Survey: Cyberattacks are #1 business risk

It wasn’t that long ago that CEOs and board directors viewed cybersecurity as one of many technology areas with a somewhat weak and unclear impact on the business. Not anymore.

The latest proof comes from a PwC survey of 722 U.S. business leaders in which respondents ranked cybersecurity as – wait for it – the top business risk for their organizations.

Specifically, 40% of all respondents listed it as a “serious” risk, while 38% labeled it a “moderate” risk.

Among the different categories of business leaders, board members are the most worried about cybersecurity: 51% of them ranked it as a “serious” risk.

Moreover, 84% of respondents said they’re either acting on or closely monitoring policy areas related to cybersecurity, while 79% are revising or enhancing their cyber risk management.

Recommendations include:

Incorporate cybersecurity into the agendas of the C-suite and the board, and view it as a business issue, not purely a technology one.
Have a security awareness program in place to train employees on cybersecurity practices.
Ensure cybersecurity considerations and plans are part of all business initiatives.
Use data to regularly assess and analyze your cybersecurity risks.

More information:

Manage the business risks behind cybersecurity (Grant Thornton)
Leaders agree that cybersecurity is a business risk, but are they acting on that belief? (TechRepublic)
The SEC Is Serious About Cybersecurity. Is Your Company? (Harvard Business Review)
Cybersecurity Isn’t an IT Risk, It’s a Business Risk (CMSWire)
Creating a technology risk and cyber risk appetite framework (McKinsey & Co.)

3 – Cybersecurity help for healthcare companies

Healthcare organizations looking for guidance on how to comply with the security rule in the U.S. Health Insurance Portability and Accountability Act (HIPAA) now have a new resource, at a time when this industry faces intensifying attacks from cybercriminals.

A new draft publication from the National Institute of Standards and Technology (NIST) goes deep into how to protect patients’ electronic records in accordance with the HIPAA security rule.

Specifically, this document, which revises a NIST guide from 2008, maps the HIPAA security rule to NIST’s Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53) framework.

Readers will find guidance, templates, tools and more, on topics including:

Risk assessment and risk management
Telehealth/telemedicine guidance
Mobile device security
Cloud services
Ransomware and phishing
Education, training and awareness
Medical device and medical Internet of Things (IoT) security

More information:

NIST revises cybersecurity guidelines specifically for HIPAA (FCW)
NIST Updates Guidance for Health Care Cybersecurity (NIST)
NIST Updates Guidance on HIPAA Security Rule Compliance (HIPAA Journal)
NIST revises healthcare guidance to improve HIPAA Security Rule compliance (Healthcare IT News)
Data of Nearly 2M Patients Exposed in Ransomware Attack on Healthcare Debt Collection Firm (DarkReading)

4 – Forrester: Budget guidance for CISOs

Budget planning season is here for many organizations, so what should CISOs and other security and risk management leaders be focusing on for 2023? Forrester has some suggestions for them on how to best allocate their cybersecurity budgets.

For example, among the key cybersecurity areas Forrester recommends prioritizing are:

API security
Cloud workload security
Multifactor authentication
Security analytics
Zero Trust network access
Crisis simulation exercises

It also suggests evaluating and experimenting with emerging technologies such as extended detection and response, attack surface management and privacy-preserving technology.

For more details, check out the blog “New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities” and the full report “Planning Guide 2023: Security & Risk,” which is available to Forrester subscribers and for purchase.

More information about cybersecurity budgeting:

5 key considerations for your 2023 cybersecurity budget planning (CSO)
Cybersecurity budget breakdown and best practices (TechTarget)
Cybersecurity Budget Process (video by Steve Murphy)

5 – Good news and bad news about IT/OT convergence

The draft report about the cybersecurity issues of IT and OT convergence from the U.S. National Security Telecommunications Advisory Committee (NSTAC) is out. Good news or bad news first?

Ok, the bad news: There’s plenty to do to properly protect the converged IT/OT systems of critical infrastructure facilities. The good news? The U.S. has the technology and the knowledge to fix the problems. All that’s missing is a sense of urgency.

Key findings from the report:

IT/OT convergence cybersecurity challenges aren’t new. But this would be new: Prioritizing the allocation of required resources to implement solutions.

Organizations are confused about what cybersecurity protections they need. Why?

The government hasn’t provided clear guidance.
They lack visibility into their OT environments.
Some lack enough staff and money, especially smaller ones.

There’s essential legacy OT equipment that wasn’t designed to be connected to the internet.

IT and OT teams are often siloed. They must be brought together to better secure converged IT/OT environments.

The government and the private sector rarely include cybersecurity capabilities among the requirements of OT products they’re shopping around for.

There’s not enough cybersecurity education and training available to the staff of critical infrastructure providers.

So what can be done? Recommendations include:

The Cybersecurity and Infrastructure Security Agency (CISA) should require U.S. government agencies to maintain a real-time, continuous inventory of all OT assets.

CISA should ensure that agencies include cybersecurity provisions in their OT procurement requirements.

CISA and the National Security Council should develop and implement “interoperable, technology-neutral and vendor-agnostic” mechanisms for sharing sensitive information.

For more information:

President’s NSTAC advisory committee proposes real-time monitoring of operational technology across federal agencies (FedScoop)
Smart factories unprepared for cyberattacks (CSO)
Proactive OT Cyber Maintenance Practices (S4 Events)
Why ICS/OT Infrastructure is Insecure (International Society of Automation)
How Can We Strengthen the Cybersecurity of Critical Infrastructure? (Tenable)

6 – Quick takes

And finally, a roundup of vulnerabilities, trends, news and incidents you might be interested in.

Vulnerabilities in Mozilla Firefox and Mozilla Thunderbird could open the door for arbitrary code execution by attackers.

Common configuration errors are at the root of more than 80% of ransomware attacks, according to Microsoft.

Cybercriminals are leveraging legitimate red teaming tool Brute Ratel for attacks.

The BlackByte ransomware group has added a tiered payment system to its data leak site.

A ransomware attack hobbled a French hospital to such an extent it had to transfer patients and cancel scheduled surgeries due to the impact to its operations.

Beware that DDoS alert: It could be an attempt to infect you with RAT malware.

Google said it blocked the largest HTTPS DDoS attack on record. Launched in June, it reportedly peaked at 46 million requests per second.

Twitter’s former head of security is alleging that the company is plagued by significant cybersecurity problems. Twitter brushed off the allegations, saying they’re inconsistent and inaccurate.

A researcher is warning about possible keylogging by TikTok.
