Japan Government Websites Hit By Cyber-Attacks, Killnet Suspected

The websites could not be accessed on Tuesday evening, but they were restored hours later

[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.21.0: Patch SC-202209.1

Arnie Cabral
Wed, 09/07/2022 – 10:46

Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components (moment.js) was found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of these issues. Tenable.sc Patch SC-202209.1 updates moment.js to version 2.29.4 to address the identified vulnerabilities.

The Lockbit Ransomware Gang is Surprisingly Professional

This article makes Lockbit sound like a legitimate organization:

The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom.

LockBitSupp said that the ransomware operator is now looking to add DDoS as an extortion tactic on top of encrypting data and leaking it.

“I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp wrote in a post on a hacker forum.

The gang also promised to share over torrent 300GB of data stolen from Entrust so “the whole world will know your secrets.”

LockBit’s spokesperson said that they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent.

They’re expanding: locking people out of their data, publishing it if the victim doesn’t pay, and DDoSing their network as an additional incentive.

Strong Password Ideas to Keep Your Information Safe

Password protection is one of the most common security protocols available. By creating a unique password, you are both proving your identity and keeping your personal information safer. However, when every account you have requires a separate password, it can be an overwhelming task. While you should be concerned about the safety of your data, you also want to avoid the frustration of forgetting your password and being blocked from the information you need. However, the benefits of using strong, unique passwords outweigh the occasional inconvenience.

Benefits of Strong Passwords

The main benefit of a strong password is security. Hackers work quickly when they are trying to access accounts. They want to steal as much information as they can in as short a time as possible. This makes an account with a strong password less inviting because cracking the code is much more involved.

A strong password also limits the damage that hackers can do to your personal accounts. A common strategy involves cracking the passwords of less secure sites with limited personal information. The hackers hope that they can use the password from your gym membership app to access information in your online banking account. Strong password protection prevents this situation.

Common Poor Password Practices

When someone is registering an online account, it can be tempting to blaze through the password process. In order to move quickly, there are several poor password practices that people employ.

Simple passwords: Password-cracking programs start by entering obvious combinations. These are passwords where the user puts no thought into the code such as “password” or “1234567”.
Repeated passwords: You may think you have such an unbreakable password that you want to use it for all of your accounts. However, this means that if hackers compromise one of your accounts, all of your other accounts are vulnerable.
Personal information: The number combinations that you are apt to remember easily are the ones that hackers can find. You may have put your birthday or graduation year on public display in a social media account. Your dog’s name may be unusual, but if you share information about your canine friend with the world, its name is a weak password.

The Meaning of a Strong Password

A password is considered strong when it is difficult for a hacker to crack it quickly. Sophisticated algorithms can run through many password combinations in a short time. A password that is long, complex and unique will discourage attempts to break into your accounts.

Long: The combinations that protect your accounts should be long enough that it would be difficult for a computer program to run through all the possible configurations. The four-digit PIN on a bank card has 10,000 possible combinations. This might take some time for a human being to crack, but a computer program with unlimited tries could break it in a few seconds. If you were only using numbers, every additional character in your password would multiply the possible combinations by 10. To stump the algorithms, you want a password that is a minimum of 12 characters long.
Complex: To increase the challenge of your password, it should have a combination of uppercase letters, lowercase letters, symbols and numbers. Hacking algorithms look for word and number patterns. By mixing the types of characters, you will break the pattern and keep your information safe.
Unique: If you have been reusing your passwords, it is time for you to start the work of changing them. Every one of your accounts should have its own password. At the very least, make certain that you have not reused passwords for your financial institutions, social media accounts and any work-related accounts.

Creating a Layered Password

If you want a password that is memorable but strong, you can easily turn a phrase into a layered, complex password. In this process, it is important to note that you should not use personal information that is available online as part of your phrase.

Pick a phrase that is memorable for you: It should not be a phrase you commonly use on social media accounts. If you are an avid runner you might choose a phrase like, “Running 26.2 Rocks!”
Replace letters with numbers and symbols: Remove the spaces. Then, you can put symbols and numbers in the place of some of the letters: Runn1ng26.2R0ck$!
Include a mix of letter cases: Finally, you want both lower and uppercase letters that are not in a clear pattern. Algorithms know how to look for common patterns like camelCase or PascalCase. The result: Runn1NG26.2R0cK$!

Now, you have a password that you can remember while challenging the algorithms hackers use.
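The long, complex and unique criteria above, together with the "simple passwords" practice to avoid, can be checked mechanically. The following is an added example, not code from the original post; the function names, the short COMMON list and the sample inputs are constructed for illustration.

```python
import math
import string

# Constructed sample of obvious passwords; a real check would use a large
# breached-password list instead of these few entries.
COMMON = {"password", "1234567", "qwerty", "letmein"}
MIN_LENGTH = 12  # minimum length given in the article

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def search_space_bits(password):
    """log2(pool_size ** length) for the character classes actually used.

    This is an upper bound that only holds for randomly chosen characters;
    a password derived from a phrase with predictable substitutions falls
    below it.
    """
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(password, used_elsewhere=()):
    """Return the list of the article's criteria that the password fails."""
    failures = []
    if password.lower() in COMMON:
        failures.append("simple")
    if len(password) < MIN_LENGTH:
        failures.append("long")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        failures.append("complex (missing: " + ", ".join(missing) + ")")
    if password in used_elsewhere:
        failures.append("unique")
    return failures

if __name__ == "__main__":
    for pw in ("password", "1234", "Runn1NG26.2R0cK$!"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, fails: {audit(pw) or 'nothing'}")
```

The four-digit case reproduces the 10,000 combinations mentioned above, and passing a list of passwords already in use as used_elsewhere flags reuse.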

Employing a Password Manager

When you consider the number of accounts you need to protect, coming up with a properly layered password is a time-consuming task. Even if you are able to decide on a memorable phrase, there are just too many accounts that need passwords. A password manager is a helpful tool to keep you safe while you are online. It acts as a database for all of your passwords. Each time you create a new code, it stores it so that you can automatically enter it later. You only need to remember a single password to access the tools of your manager.

Most managers can also do the work of creating complex, layered passwords for your accounts. These will be a string of random numbers, letters and characters. They will not be memorable, but you are relying on the manager to do the memorizing. These machine-generated passwords are especially helpful for accounts you rarely access or that do not hold significant information.

Maintaining an Offline Password List

For critical accounts like your bank account or a work-related account, it can be helpful to keep an offline list of your passwords. Complex passwords are meant to be difficult to remember. You may recall the phrase but not all the detailed changes that make it layered. Keeping a document on a zip drive or even in a physical paper file or journal will allow you to access your information if your hardware fails or you are switching to a new system.

Keeping the Whole System Safe

Cracking passwords is just one of the strategies hackers use to steal information. In addition to using strong passwords, it is important to employ comprehensive security software. Strong passwords will help protect your online accounts. Strong overall security will keep your hardware and network safe from danger.

The post Strong Password Ideas to Keep Your Information Safe appeared first on McAfee Blog.

Full IT Visibility Requires Business Risk Context

Having a full, continuously updated and detailed understanding of all IT assets is one of the holy grails for security teams. To achieve it, we must first understand what “visibility” truly entails, how it’s more than just identifying what’s out there and knowing which challenges must be addressed.

If we looked at the starting point of any Information Security framework or best practice over the last 20 or so years, we’d find the initial phase to be “discovery” or “identify” or “understand” or some variation thereof. Collectively, what they’re all saying is that we can’t protect what we don’t know we have. Or more pointedly, we can’t start to make good decisions about how and where to protect our environments if we don’t know what we have. Having broad visibility into what assets are part of our overall infrastructure is the key, fundamental piece of any successful security program.

Despite this being widely accepted and acknowledged, most security practitioners will tell you that getting to that state of complete visibility is still painfully difficult. Security teams implement a wide array of tools, spend a great deal of time integrating data sets from asset management systems and other potential sources of truth, and yet, few will say they feel confident that they truly understand their environment. Why is that? For the most part, it boils down to two key considerations that aren’t being addressed when organizations try to understand their environments:

Are you actually looking for and identifying all of your assets, or just the ones you think you know about?
Do you understand the context of assets as it pertains to security findings, risk and impact to your organization?

First and foremost, reaching total visibility means identifying and assessing all of the technical assets in your environment, and not just the “easy” ones that are familiar to most IT and security teams. While starting with servers, workstations, network infrastructure equipment and other traditional IT devices is an excellent practice, it’s an all too common situation that other assets are overlooked or completely missed. What else is there? Ask yourself if your team is identifying the following assets:

Databases
Web applications
OT / ICS / SCADA / Industrial IoT devices
Cloud infrastructure
Virtualization platforms
Containers
Cloud orchestration services
Infrastructure as Code (IaC) configurations
Active Directory / Credentials / Groups
Public-facing hosts / hostnames / records

The list can go on. While it may be viewed as being too difficult to identify these kinds of assets, they are still critically important to most businesses, are at risk from cyberattacks, and if compromised, will impact the financial and reputational well-being of the organization. If security teams are to take a meaningful first step toward better visibility and having a more complete understanding of our environment, then we have to get our arms around all of these assets as well as the more traditional ones we’re all familiar with. 

It’s for this very reason that Tenable has continuously broadened the tools available on our platform to be able to safely and properly identify assets like these and pull that data back to a single place. Identifying vulnerabilities and other security risks starts with being able to identify and understand the target. With that level of visibility, organizations are better positioned to understand where the greatest risks are within their environment and start taking the necessary steps to mitigate risk where it matters most.

Now, some organizations may have progressed to the point where they’ve become really good at gathering asset inventory data and have a good understanding of what their environment looks like. But, this is yet another place where it starts to fall apart. Having a lot of disparate data, usually spread out between several different repositories, means that security teams have to do a lot of transformation to not only get the information together into one place for better analysis, but they also need to figure out ways to normalize the information they’ve collected. After all, not every asset has an IP address or a host name. Code repositories won’t have the same identifiers as a container instance. Web applications might be identified by domain name or URL, but an industrial Programmable Logic Controller (PLC) may not even be attached to a known network. 

And it’s not just the base asset identifiers that are varied and complicated. Any type of vulnerability or security finding is going to be just as different and disparate, depending on the asset itself. A server may have an easily identifiable vulnerability that has an assigned CVE number, but an IaC misconfiguration won’t have any standard identifier at all. Web application vulnerabilities like SQL Injection and Cross-Site Scripting are more techniques than specific, consistently identifiable OS vulnerabilities. And in the world of Active Directory, underlying security problems stem from compromises to how AD functions and validates credentials across an entire enterprise, which are not things that are fixed by applying a missing patch. 

If your security team has been tasked with trying to understand the risks within the environment and make the decisions about where and what to mitigate first, where would you even begin when you’re not looking at things in an “apples-to-apples” sort of way? In reality, this type of disparate data isn’t even “apples-to-oranges”, and in fact, is much more like “apples-to-starships-to-penguins-to-adjectives”. Understanding the context behind assets and their security findings is key. We first must pull together all this information and normalize it in a way where there is a consistent and measurable way to understand the risk posed to the business by each of these findings. Then we can start to relate the various risk factors against each other and make the best decision we can about where the organization is most at risk, how much risk it presents, and what we need to do to mitigate it. Gathering data is difficult enough as it is, but even if you manage that part, you won’t get far if you can’t focus on what’s truly important. You’ll be left with a lot of spreadsheets and databases to manage while still asking the same questions about where to begin.
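A minimal sketch of the normalization step described above, as an added example that is not Tenable's code or data model: findings from four kinds of source, each with its own asset identifier and severity vocabulary, are mapped onto one record shape and ranked with a business-criticality weight. The record fields, the 0-10 mapping, the weights and the CVE placeholder are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample records, one per source tool, each in that tool's own shape.
RAW = [
    {"source": "vuln_scan", "ip": "10.0.4.17", "cve": "CVE-0000-00000", "cvss": 9.8},
    {"source": "iac_scan", "repo": "infra/terraform", "file": "s3.tf",
     "rule": "bucket-public-read", "level": "high"},
    {"source": "web_scan", "url": "https://shop.example.com/cart",
     "issue": "SQL Injection", "risk": "critical"},
    {"source": "ad_audit", "domain": "corp.example.com",
     "check": "unconstrained-delegation", "score": 70},
]

# Hypothetical business weights (1 = lab system, 5 = revenue or identity critical).
CRITICALITY = {"10.0.4.17": 1, "https://shop.example.com/cart": 5, "corp.example.com": 5}

LEVELS = {"low": 2.5, "medium": 5.0, "high": 7.5, "critical": 10.0}

@dataclass
class Finding:
    asset_type: str
    asset_id: str    # IP, URL, repo path or domain, whichever the asset has
    finding_id: str  # CVE where one exists, otherwise the tool's rule or check name
    severity: float  # common 0-10 scale

def normalize(rec):
    """Map one tool-specific record onto the common Finding shape."""
    src = rec["source"]
    if src == "vuln_scan":
        return Finding("host", rec["ip"], rec["cve"], rec["cvss"])
    if src == "iac_scan":
        return Finding("iac", f'{rec["repo"]}:{rec["file"]}', rec["rule"], LEVELS[rec["level"]])
    if src == "web_scan":
        return Finding("webapp", rec["url"], rec["issue"], LEVELS[rec["risk"]])
    if src == "ad_audit":
        return Finding("directory", rec["domain"], rec["check"], rec["score"] / 10)
    raise ValueError(f"unknown source: {src}")

def rank(raw, criticality, default=3):
    """Score = severity x business weight; highest risk first."""
    scored = [(f.severity * criticality.get(f.asset_id, default), f)
              for f in map(normalize, raw)]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)

if __name__ == "__main__":
    for score, f in rank(RAW, CRITICALITY):
        print(f"{score:5.1f}  {f.asset_type:9}  {f.asset_id}  {f.finding_id}")
```

With these constructed weights the host finding, which has the highest raw severity of the four, ranks last, while the web application and directory findings on business-critical assets rise to the top.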

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year’s threat landscape that security professionals can use to improve their security right now.
