A Parent’s Guide To The Metaverse – Part One


We’ve all heard about the Metaverse. And there’s no doubt it has certainly captured the attention of the world’s biggest companies: Facebook has changed its name to Meta, Hyundai has partnered up with Roblox to offer virtual test drives, Nike has bought a virtual shoe company and Coca-Cola is selling NFTs (Non-Fungible Tokens – think digital assets) there too.

But if you are confused about exactly what this all means and most importantly, what the metaverse actually is, then you are not alone. I’m putting together a 2-part series for parents that will help us get a handle on exactly what this new digital frontier promises and what we need to know to keep our kids safe. It will also ensure we don’t feel like dinosaurs! So, let’s get started. 

What is this Metaverse? 

I think the best way of describing the Metaverse is that it’s a network of online 3D virtual worlds that mimic the real world. Once users have chosen their digital avatar, they can meet people, play games, do business, design fashion items, buy real estate, attend events, earn money, rear a pet – in fact, almost anything they can do in the ‘real’ world! And of course, all transactions are via cryptocurrencies. 

If you are an avid Science Fiction reader, then you may have already come across the term in the 1992 novel ‘Snow Crash’ by Neal Stephenson. In the book, Stephenson envisions a virtual reality-based evolution of the internet in which his characters use digital avatars of themselves to explore the online world. Sounds eerily familiar, doesn’t it?  

Still confused? Check out either the book or Steven Spielberg’s movie adaptation of Ernest Cline’s Ready Player One. Set in 2045, the book tells the story of people living in a war-ravaged world on the brink of collapse who turn to OASIS, a massively multiplayer online simulation game that has its own virtual world and currency. In the OASIS, they engage with each other, shop, play games and are transported to different locations.

How Do You Access The Metaverse? 

The best and most immersive way to access the metaverse is using a Virtual Reality (VR) headset and your internet connection, of course. VR headsets completely take over users’ vision and replace the outside world with a virtual one. Now, this may be a game or a movie, but VR headsets have their own set of apps which, once downloaded, allow users to meditate, learn piano, work out at the gym or even attend a live concert in the metaverse!

Now, access to the Metaverse is not just limited to those who own expensive headsets. Anyone with a computer or a smartphone (that is internet connected) can also have a metaverse experience. Of course, it won’t be as intense or immersive as the VR headset experience, but it’s still a commonly used route to access the metaverse. Some of these ‘worlds’ suggest users can access their world using smartphones; however, experienced users don’t think this is a good idea, as phones don’t have the necessary computational power to explore the metaverse properly.

As some of the most popular metaverse worlds can be accessed using your computer, why not check out Decentraland, The Sandbox, Somnium or even Second Life. In most of these worlds, users don’t have to create an account or spend money to start exploring; however, if you want the full experience then you’ll need to do so.

How Much Does It Cost? 

Entering the metaverse doesn’t cost anything, just like going on the internet doesn’t cost anything – apart from your internet connection and hardware, of course! And don’t forget that if you want a truly immersive 3D experience, then you might want to consider investing in a VR headset. 

But, if you do want to access some of the features of the metaverse and invest in some virtual real estate or perhaps buy yourself a Gucci handbag, then you will need to put your hand into your virtual pocket and spend some of your virtual dollars. But the currency you will need depends entirely on the metaverse you are in. 

Decentraland’s currency MANA is considered to be the most commonly used currency in the metaverse and also one of the best to invest in, according to some experts. MANA can be used to buy land, purchase avatars, names, wearables, and other items in the Decentraland marketplace. 

The Sandbox has a different currency, SAND, which is also used to buy items from The Sandbox marketplace. This is the second most popular currency; however, be prepared to buy the currency of the world you choose to spend your time in.

Now, I totally appreciate that the whole concept of the Metaverse is a lot to get your head around. But if you have a tribe of kids, then chances are they are going to want to be part of it so don’t put it in the too-hard basket. Take some time to get your head around it: do some more reading, talk to your friends about it and check out some of the metaverses that you can access from your PC. Nothing beats experiencing it for yourself! 

In Part 2, I will be sharing my top tips and strategies to help us parents successfully guide our kids through the challenges and risks of the metaverse. So watch out for that.

Till next time – keep researching!

Alex x 

The post A Parent’s Guide To The Metaverse – Part One appeared first on McAfee Blog.


Google updates Chronicle with enhanced threat detection


Google Cloud on Wednesday announced the general availability of what it calls “curated detection” for its Chronicle security analysis platform. The new detection feature leverages the threat intelligence that Google gains from protecting its own user base into an automated detection service that covers everything from ransomware, infostealers and data theft to simple misconfigured systems and remote access tools.

The new product will integrate authoritative data sources like MITRE ATT&CK to help organizations contextualize and better understand potential threats, as well as provide constantly updated threat information from Google’s own security team.

Google updates Chronicle to climb on managed detection and response train


Google Cloud on Wednesday announced the general availability of what it calls “curated detection” for its Chronicle security analysis platform, placing the company into the ranks of the contenders in the fast-growing managed detection and response (MDR) market.

Chronicle’s new curated detection feature leverages the threat intelligence that Google gains from protecting its own user base into an automated detection service that covers everything from ransomware, infostealers and data theft to simple misconfigured systems and remote access tools.


Zoom Exploit on MacOS


This vulnerability was reported to Zoom last December:

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test—so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

It seems that it’s not entirely fixed:

Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December of last year. To his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.
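The defect class described above, an updater that trusts a signer name instead of verifying a signature, can be shown side by side with the cryptographic check it should have performed. This is an added illustration in Go, not Zoom's code or the researcher's; the package layout, the signer name and the Ed25519 key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// UpdatePackage is a constructed model of what an updater sees: the signer
// name the package claims, the package bytes, and a detached signature.
type UpdatePackage struct {
	ClaimedSigner string
	Payload       []byte
	Signature     []byte
}

// Placeholder for the vendor's certificate name; not a real certificate.
const trustedSigner = "Example Vendor Signing Certificate"

// weakCheck reproduces the class of defect described in the article: it
// accepts any package whose claimed signer name matches, without ever
// verifying a signature.
func weakCheck(pkg UpdatePackage) bool {
	return pkg.ClaimedSigner == trustedSigner
}

// strongCheck accepts only packages whose payload carries a valid signature
// under the vendor public key pinned inside the updater. The name is still
// compared, but it is never sufficient on its own.
func strongCheck(pkg UpdatePackage, vendorPub ed25519.PublicKey) bool {
	return pkg.ClaimedSigner == trustedSigner &&
		ed25519.Verify(vendorPub, pkg.Payload, pkg.Signature)
}

// Scenario builds one genuine update and one look-alike that only copies the
// signer name, and returns what each check decides for each package.
func Scenario() (genuineWeak, genuineStrong, fakeWeak, fakeStrong bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := UpdatePackage{ClaimedSigner: trustedSigner, Payload: []byte("vendor build 5.x")}
	genuine.Signature = ed25519.Sign(priv, genuine.Payload)

	// Look-alike: the right name, but no signature from the vendor key.
	fake := UpdatePackage{ClaimedSigner: trustedSigner, Payload: []byte("unsigned build")}
	fake.Signature = make([]byte, ed25519.SignatureSize)

	return weakCheck(genuine), strongCheck(genuine, pub), weakCheck(fake), strongCheck(fake, pub)
}

func main() {
	gw, gs, fw, fs := Scenario()
	fmt.Printf("genuine update:  name-only=%v signature=%v\n", gw, gs)
	fmt.Printf("look-alike:      name-only=%v signature=%v\n", fw, fs)
}
```

The name-only check accepts both packages; the signature check accepts only the one actually signed with the pinned key, which is the property a privileged updater has to enforce.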


A pragmatic approach to risk management & resilience 


Cybersecurity starts with the ability to recognize your cyber risk. We will explore several topics related to taking a practical approach to managing risk and achieving cyber resilience. This is a blog series with collective thoughts from Bindu Sundaresan, Director, AT&T Cybersecurity, and Nick Simmons, AVP, Cybersecurity.

Cybercrime has become increasingly frequent, complex, and costly, posing a risk to all businesses regardless of size. How do you plan to respond when falling victim to a breach? Would you know who to call, how to react, or what to tell your employees, customers, and media? Could your organization absorb the potential financial and reputational impact of a lawsuit?

The answer cannot be, “we store everything in the cloud, so we are good.” Who owns the risk? Could your brand’s image survive? What is acceptable, and how do you know your current plan will suffice? What more could your company do to understand better and manage the risk? These questions are all top of mind and need to be addressed from an overall business perspective. This blog summarizes the fundamental steps and offers suggestions to understand, manage, and respond to risk.

Beyond technology, focus on risk and resilience

It can be easy to deploy security technology and think you’ve mitigated risk to your business. Unfortunately, technology investment is no guarantee of protection against the latest threats. It is critical to take a risk-based approach to security, meaning leaders must identify and focus on specific elements of cyber risk to decrease enterprise risk.

Specifically, the many components of cyber risk must be understood and prioritized for enterprise cybersecurity efforts. Organizations are increasingly aiming to shift from cybersecurity to cyber resilience, and the following recommendations can help forge this path: 

Understand the threats
Measure the potential financial impact of cyber exposures compared to the company’s risk appetite level; and
Proactively manage cyber risks with clear action plans based on their capabilities and capacities to protect against cybercrime

Risk-based approach

Cyber resiliency requires a risk-based approach, accomplishing two critical things at once. First, it designates risk reduction as the primary goal, enabling the organization to prioritize investment, including implementation-related problem solving based squarely on a cyber program’s effectiveness at reducing risk. Second, the program distills top management’s risk-reduction targets into pragmatic implementation programs with precise alignment from senior executives to the front line. 

Following the risk-based approach, a company will no longer “build the control everywhere”; rather, the focus will be on building the appropriate controls for the worst vulnerabilities to defeat the most significant threats that target the business’s most critical areas. The risk-based approach to cybersecurity is thus ultimately interactive and a dynamic tool to support strategic decision-making.

Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implementation. The power of the risk-based approach to optimize risk reduction at any level of investment is enhanced by its flexibility, adjusting to an evolving risk-appetite strategy as needed.

A risk-based approach recognizes that there are no perfect security solutions. Still, those that strategically balance security, scalability, access, usability, and cost can ultimately provide the best long-term protection against an evolving adversary.

Fundamentally, risk transformation changes security strategy from an outside-in perspective, where external threats and regulations drive strategy, to an inside-out perspective, where organization-specific business risk dictates security strategy and spending. 

Identify your top five risks based on priority

Can you describe the actual loss impact in business terms for each of your top five risks?
How are these cyber risk impacts aligned to your risk appetite?
Are you reporting on cyber risks, or is it compliance-driven with reporting on control effectiveness? 
Have you considered how you plan to deal with the current and emerging risks and treat these risks on an ongoing basis?

A common business edict is: “if we can measure it, we can manage it.” GRC (Governance, Risk, and Compliance) is expected in security, but a compliance focus has driven most organizations, and spending has been primarily compliance driven. Along the way, too many risk assessments have been conducted with a checklist approach. As you plan for the 2023 cybersecurity budget, it is critical to follow a strategic approach by understanding cyber risk management frameworks.

To borrow a phrase from John Lewis: “If not us, then who? If not now, then when?”

Balance risk versus reward

The key is to balance risks against rewards by making informed risk management decisions aligned with your organization’s objectives — including your business objectives. This process requires you to:

Assign risk management responsibilities
Establish your organization’s risk appetite and tolerance
Adopt a standard methodology for assessing risk and responding to risk levels; and
Monitor risk on an ongoing basis

Understanding cyber risk management frameworks

Cyber risk management frameworks present a standardized and well-documented methodology for:

Conducting risk assessments that evaluate business priorities and identify gaps in cybersecurity controls
Performing risk analysis on existing control gaps
Prioritizing future cybersecurity investment based on risk analysis
Executing on those strategies by implementing a range of security controls and best practices
Measuring and scoring cybersecurity program maturity along the way

What is a Risk Assessment?

Cyber risk assessments are defined by NIST as risk assessments used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. The primary purpose of a cyber risk assessment is to keep stakeholders informed and support proper responses to identified risks. They also provide an executive summary to help executives and directors make informed decisions about security. 

Tailored approach 

Despite their apparent importance, many organizations choose not to conduct cyber risk assessments due to the perceived complexity and minimal value. Instead, many will implement standard security controls in response to the risks they read or hear about. This typically leaves businesses exposed to an unbalanced security program focused on the wrong priorities. 

Although the voluminous cyber risk assessment standards and frameworks can be dizzying, they’re beneficial as guidelines to form a simple starting point. Organizations can create a feasible approach, basing the approach on their structure, culture, and risk profile. For example, NIST 800-30 includes simple risk assessment templates in the appendices. Four general steps are consistent throughout any risk assessment, irrespective of the framework adopted: preparation, assessment, communication, and maintenance.

The following tactical activities are recommended as a focus for risk management and resilience:

Asset inventory

First, we must understand what we are protecting. Unless you know your IT assets and how important each is to your organization, making strategic decisions about IT security and incident response is almost impossible. You can’t protect what you don’t know you have. Perhaps that seems obvious, but if you do not have an asset inventory or your asset inventory is not managed and updated, you risk not knowing what is connected to your network.

The ability to track and audit your inventory is a baseline requirement for most security standards, including the CIS Top 20, HIPAA, and PCI. All these standards have an element of risk assessment required of organizations. And if you perform a documented risk assessment, you’ll need to understand your threats, vulnerabilities, and assets.

Information security policy

It is okay to start by writing down what you have implemented in your IT environment. Take the implemented policies, and then write them into a document. If, when compared against a target standard, the practice does not meet the standard, it can be modified in both the written and the implemented policy.

To be effective, an information security policy should: 

Focus on the business goals and strategy
Cover end-to-end security processes across the organization
Include continuous updates and monitoring; and
Promote accountability and enforcement 

Prioritize vulnerability remediation

Companies won’t be able to fix all vulnerabilities, for various reasons: resources are limited, for example, and patching is not always possible. Therefore, discerning critical vulnerabilities from non-critical ones becomes imperative. Information security teams must be able to delimit and make pragmatic decisions to make vulnerability management more manageable. In this regard, companies must use internal and external intelligence sources to prioritize vulnerabilities. These should be correlated with internal sources, such as business importance, security posture, risk registers, change management systems, CMDBs, and pentest data.

The risk associated with the patch management discipline has significantly increased over the last three years. The number of critical vulnerabilities in our operating systems, applications, and network appliances in the previous twelve months has shown that patch management will continue to haunt organizations due to the sheer scale of systems and the number of patches required every month. Automated patch management solutions can reduce the effort needed, but they must be managed to ensure no interruption of critical services.

Incident response plan

An incident response plan must identify those individuals responsible for invoking the plan and leading the response to any data security incident. It should identify one person (or a cohort of people, such as a security incident response team) who is accountable for leading the response and clearly defined roles and responsibilities for all other response team members. Once a plan is crafted, tabletop exercises can crystalize team members’ respective roles, hone the necessary skills to navigate an incident, and facilitate teamwork in the wake of an incident.

Be sure to create rigorous backup and disaster recovery plans that are tested and refreshed regularly; this will be key for survival, given the heightened threat of ransomware attacks.

The goal of incident management is to identify and respond to any unanticipated, disruptive event and limit its impact on your business. These events can be technical — network attacks such as denial of service (DoS), malware, or system intrusion, for example — or they may result from an accident, a mistake, or a system or process failure. Today, a robust Incident Response Plan is more important than ever. The difference between a mere inconvenience and a total catastrophe for your organization may come from your ability to detect and assess the event, identify its source and causes, and have readily available solutions.

Cybersecurity insurance

Transferring a portion of the risk is critical to any cybersecurity risk strategy. As the threat landscape evolves, obtaining new insurance and renewing existing policies has become increasingly difficult. The rise in ransomware attacks and cybersecurity claim payouts are major contributors. Organizations must prove due diligence in today’s environment by implementing proper controls, plans, and measurements of security controls commensurate with risk.

Key controls include the following:

Endpoint detection & response
Email filtering & web security 
Secured, encrypted & tested backups
Vulnerability & patch management
Privileged access management & access control
Infrastructure & Segmentation
Continuous monitoring
Penetration testing
Incident response planning & testing
Employee awareness training, phishing, & social engineering

Cyber insurance has become popular as a cyber-risk mitigation measure. Although insurance is an attractive option to cover cyber risks, businesses must understand that insurance premiums are directly proportional to their cyber security preparedness. Organizations need to review their policy to confirm specific coverage for ransomware, as many providers have separated this from the standard language.

Take the necessary steps to prevent, detect, and respond, with insurance being the final step to reduce overall risk to an acceptable level. Cyber insurance can complement an organization’s active security measures by providing insurance coverage. However, cyber insurance cannot offer you coverage for a reputation risk to your brand. 

Conclusion

Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. The current level of security and privacy controls that effectively reduce cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize.

It is a truism that different types of risk require different defensive strategies. The more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring. The key is to balance risk and reward.

Risk management is at a fascinating point in its evolution. It is recognized as fundamental to an organization’s financial stability and regulatory compliance and an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and risk tolerance. All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap to help them reduce risk as their business expands. 
