nodejs-18.12.1-1.fc37

Read Time:23 Second

FEDORA-2022-1667f7b60a

Packages in this update:

nodejs-18.12.1-1.fc37

Update description:

November 2022 Security Updates

https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

Update to 18.10.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.10.0

September Security Updates for Node.js

Update to 18.9.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.9.0

Read More

nodejs-16.18.1-1.fc36

Read Time:32 Second

FEDORA-2022-52dec6351a

Packages in this update:

nodejs-16.18.1-1.fc36

Update description:

November 2022 Security Updates

https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

September Security Updates for Node.js

Update to Node.js 16.17.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0

Fix dependency typo

Update to 16.15.0

Update to Node.js 16.14.1

Note that we will be skipping 16.14.2 since the only changes were in the bundled copy of OpenSSL, which we do not use. The relevant security patches are handled in Fedora’s openssl package.

Read More

The Conviction of Uber’s Chief Security Officer

Read Time:21 Second

I have been meaning to write about Joe Sullivan, Uber’s former Chief Security Officer. He was convicted of crimes related to covering up a cyberattack against Uber. It’s a complicated case, and I’m not convinced that he deserved a guilty ruling or that it’s a good thing for the industry.

I may still write something, but until then, this essay on the topic is worth reading.

Read More

How Cyberbullying Looks In Australia in 2022

Read Time:6 Minute, 47 Second

There’s no doubt that cyber bullying ranks towards the top of most parents ‘worry list’. As a mum of 4, I can tell you it always came in my top five, usually alongside driving, drugs, cigarettes and alcohol! But when McAfee research in May revealed that Aussie kids experience the 2nd highest rate of cyberbullying out of the 10 countries interviewed, my heart skipped a beat. Clearly cyberbullying is a big problem for Aussie kids. Bigger than I had previously thought. But many of us parents had so many more questions: what can it look like? where does it happen? and could my child be a perpetrator? 

So, as an ally of connected families, McAfee set out to answer these questions so undertook more research through a detailed 10-country online questionnaire to 11,687 parents and their children in June. And the answers were quite revealing… 

What is Cyberbullying? 

Before we get into the results, let’s clarify what cyberbullying means. There is often a lot of confusion because let’s be honest, different kids have different tolerances, standards and cultural lenses for what is and isn’t acceptable behaviour. The definition of cyberbullying used in McAfee’s report was based on the definition by StopBullying.Gov:   

Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behaviour.  

McAfee’s definition was then expanded to include specific acts of cyberbullying, such as: 

flaming – online arguments that can include personal attacks 
outing – disclosing someone’s sexual orientation without their consent  
trolling – intentionally trying to instigate a conflict through antagonistic messages 
doxing – publishing private or identifying information without someone’s consent  

Along with other acts, including:  

name calling  
spreading false rumours  
sending explicit images or messages  
cyberstalking, harassment, and physical threats  
exclusion from group chats and conversation 

What Is The Most Common Form of Cyberbullying for Aussie Kids? 

Even though racially motivated cyberbullying is on the rise, name-calling is the most common form of cyberbullying with 40% of kids globally reporting that they have been on the receiving end of it. Interestingly, in Australia, our kids receive this style of bullying more frequently, with 49% of Aussie kids affected.  

Exclusion from group chats and conversations is the 2nd most commonly reported form of cyberbullying with 36% of kids globally experiencing it. In Australia, this is higher at 42%. 

The spreading of false rumours rounds out the top three forms and was reported by 28% of children globally. Curiously, Aussie kids don’t seem to use this form just as commonly with just 24% affected. Japan stands out as the leader in this reported form of cyberbullying at 44% followed by Germany at 35% and India at 39%. 

1 in 8 Aussie kids reports receiving extreme cyberbullying threats eg stalking, harassment and physical threats online. This is in line with the global average however in India and the US, more young people are affected with 1 in 5 reporting this behaviour. 

Where Is Cyberbullying Taking Place? 

It’s All About Social Media 

It’s no surprise that the bulk of cyberbullying is happening on social media with 32% of kids affected globally. Group chats come in as the 2nd most commonplace with 24% of kids involved followed by online gaming being an issue for 22% of kids surveyed. 21% of kids experienced cyberbullying on websites and forums and 19% identified that they experienced cyberbullying via text messages.  

Globally, Facebook is the social media site where cyberbullying is most likely to occur. 53% of children report witnessing it and 50% report experiencing it. This is followed by Instagram (40% witnessing and 30% experiencing), YouTube, TikTok and then Twitter. 

Overall, Aussie kids appear to experience less cyberbullying on social media with just 47% witnessing it on Facebook and 37% experiencing it. Our kids also report lower levels on Instagram as well with 34% witnessing and 30% experiencing.  

Snapchat Is a Cyberbullying Hot Bed for Aussie Kids 

It appears that Snapchat is unfortunately where a lot of undesirable behaviour happens for our Aussie kids with 34% reporting that they have been affected on this platform – a huge 10% above the international average and the highest of any country included in the survey. 

Who’s Doing The Bullying? 

Most Cyberbullying Comes From Someone Known To The Victim 

I’m sure it’s not a surprise to many parents that most cyberbullying comes from someone known to the victim. In fact, 57% of kids worldwide confirmed this with just 45% nominating that the cyberbullying they received had been initiated by a stranger. And Aussie kids’ experiences reflect the global norm with 56% expressing that they also knew the perpetrator but only 36% experienced cyberbullying from a stranger. Interestingly, only India, reported more cyberbullying at the hands of strangers (70%) than by someone the child knows (66%). 

Most Kids Don’t Think They’ve Ever Been Cyberbullied But The Results Show Otherwise 

Globally, 81% of all children surveyed stated that they had never cyberbullied anyone while just 19% admitted that they had. But when questioned further, it became apparent that there may be some disconnect. In fact, when asked about specific cyberbullying behaviours, more than half of children worldwide (53%) admitted to committing one or more types of cyberbullying —perhaps indicating that their definition of cyberbullying differs from the clinically accepted definition. The most common acts that they admitted to included making a joke at someone else’s expense (22%), name-calling (18%) and excluding someone from a chat or conversation (15%).  

Are Aussie Kids and Parents Worried? 

It appears that our kids are calmer about the state of cyberbullying that their peers worldwide. Only 46% of our kids reported they were more concerned about being cyberbullied now than last year, compared to a 59% average worldwide. Aussie children said they are among the least concerned children in the world, alongside Canada at 44%, the U.K. at 43%, and Germany at 38%. 

And Aussie parents also appear calmer than parents from other countries with only 61% nominating they were more concerned about their child being cyberbullied today versus last year, compared to the 72% international average.  Australian parents also showed the least level of worry that their child may be a cyberbully. Only 41% said that they worried this was more likely this year than last, compared to 56% of parents elsewhere. 

Now, this could be because the online learning and tech-heavy phase of the pandemic is, thankfully, over and we are not as focussed on technology-related issues. Or perhaps it’s because we really are a nation of ‘laid-back’ types! The jury is still out… 

What Do We Do About It? 

We all know that it’s impossible to fix a problem if you don’t truly understand it. So, while these statistics might be a little overwhelming, please soak them in. Appreciating the complexities of this problem and digesting how cyberbullying can look and impact our kids is essential. Now, as first-generation digital parents, it may take us a little longer to wrap our heads around it and that’s ok. The most important thing is that we commit to understanding the problem so that we are in the best position possible to support and guide our kids. 

In my next blog post, I will be sharing more detailed strategies that will help you minimise the risk of your child becoming a victim of cyberbullying. I will also include advice on what to do if your child is affected by cyberbullying plus what to do if your child is in fact a cyberbully. 

‘Till next time. 

Stay Safe Online 

Alex  

The post How Cyberbullying Looks In Australia in 2022 appeared first on McAfee Blog.

Read More

10 Cybersecurity predictions for 2023

Read Time:8 Minute, 51 Second

As we head into 2023, we look back at the last year and the focus will continue to be on reducing risk exposure and resilience. Organizations are strengthening their ransomware defense, security, and privacy approach to product development, cyberattack response, supply chain risk management and operational technology (OT) security and based on working with customers across industry sectors, here is a compilation of some trends we predict for 2023.

1. Critical Infrastructure and Public Sector will continue to become attractive targets.

As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors will be crucial to synchronize operations and take preventative measures as a unified front to critical infrastructure threats. The public sector has become a favored target for cybercriminals. Armed with automated botnets, hackers rummage through computer systems to locate “soft targets.” In recent years, US state and local government agencies have fallen prey to cyber-attacks.

Legacy security is proving ineffective against the growing legion of diverse, sophisticated, and confrontational cyber threats. Public agencies collect and store sensitive data. Like the private sector, government institutions have gone digital. The addition of cloud, mobile, and SaaS have expanded an organization’s attack surface, and it further illuminates that your cyber security is only as strong as your weakest point.

2. OT attack patterns will become more prevalent.

IT and OT teams must find common ground to eliminate the substantial risk factors of planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that not only provides the visibility, security, and control needed to thwart new cyber threats but also brings these once separate teams together for the common security of every manufacturing, critical infrastructure and industrial organization will need to fulfill its core mission efficiently and securely.

The rising demand for improved connectivity of systems, faster maintenance of equipment, and better insights into the utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs).  With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sector (i.e., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food, and agriculture) are becoming exposed to threats that may be more profound than data breaches. In the coming years, OT attacks will become more prevalent and be used in cyber warfare.

3. Privacy will start getting more attention within the US.

We are going to see more states pass laws with a focus on privacy. Data privacy laws in the United States have been primarily sector-based, with different data privacy laws applying to other sectors of the economy. For example, HIPAA for health care, FERPA for education, GLBA for finance, etc. While this approach has allowed laws to be tailored to specific contexts, it has also resulted in many businesses being exempt from meaningful data privacy regulation.

Recognizing these gaps, these state consumer data privacy laws will seek to establish a comprehensive framework for controlling and processing personal data by many businesses currently exempt from other regulatory schemes. While the state laws vary somewhat, they share a few common principles around establishing standards and responsibilities regarding a business’s collection of personal data from consumers; granting consumers certain individual rights concerning their data, such as the rights to access, correct, delete, and obtain a copy of the personal data a business holds about them; and establishing an enforcement mechanism allows state governments to hold businesses accountable for law violations.

4. Culture of resilience and safety versus compliance and prevention of breaches.

Resilience means more than bouncing back from a fall at a moment of significantly increased threats. When addressing resilience, it’s vital to focus on long-term goals instead of short-term benefits. Resilience in the cybersecurity context should resist, absorb, recover, and adapt to business disruptions. Cyber resiliency can’t be accomplished overnight. For the longest time, the conversation around getting the cybersecurity message across at the board level has revolved around the business language.

Businesses cannot afford to treat cybersecurity as anything but a systemic issue. While the board tends to strategize about managing business risks, cybersecurity professionals tend to concentrate their efforts at the technical, organizational, and operational levels. According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error.

Unfortunately, many businesses still mistakenly believe that cyber-resilience means investing in bleeding-edge technologies while paying scant heed to the human factor. Fixing human vulnerabilities start with culture. Business leaders must reassure staff that it’s okay to develop questioning attitudes and challenge high-risk requests, such as emailing sensitive information or processing payments.

5. Strengthening of fundamentals- Vulnerability and patch management, risk reduction, and Managed Extended Detection and Response (MXDR).

As digital transformation initiatives accelerate, CSOs require a deep and accurate understanding of their organization’s cyber risk. Understanding the details of your risk, what should be prioritized, and how it can be effectively reduced is the best foundation for building a holistic plan for managing threats across the organization—priorities for cyber resilience now and into 2023.

This will be the year for MXDR with a unified platform that automates incident investigation such as enrichment, analysis, classification, and response rather than relying on an overworked security Organizations will look for MXDR to include 24/7 monitoring, critical alerting, root cause analysis and around-the-clock “eyes on glass” support. 

6. Growth of cybersecurity as a service – Security at scale and not a roadblock!

With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cyber as a service provider will continue to become an optimal solution for many companies. Internal security teams can concentrate on their core missions because they can count on their partners to focus on specific vectors. Cyber Security as a Service (CSaaS) allows the services utilized to change over time and be periodically realigned to ensure the customer’s business needs are met.

7. CISO –role change and mindset of the future, the impact of burnout and blame game.

The future is here and now, with digital transformation driving organizations rapidly. Today the role of a Chief Information Security Officer (CISO) within organizations has become transformational. The CISO leads cross-functional teams to match the speed and boldness of digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans.

The operational leader and master tacticians are tech-savvy and business-savvy CISOs. They can deliver consistent system performance, with security and privacy throughout the organization and its ecosystem amid constant and changing threats. It’s time to stop repeating how things can’t be done (on security grounds). Instead, we need to preach from the business transformation book and explain how they can be.

We must stop operating out of silos and build relationships with all business players, embedding ‘scenario thinking’ and responsiveness into organizational cyber functioning. But just as importantly, to address the first part, the board needs to plan and prepare for a cyber-crisis proactively; only by understanding the risks can the business be in the right strategic place to combat them successfully.

8. Security mesh, Zero Trust and SASE- Consolidation and optimization.

As 2023 planning kicks off, it would be interesting to look at how many Zero Trust initiatives have surfaced during budget discussions, how many product investments are tied to this initiative, and, more importantly, which are real Zero Trust or ones just seeking a budget home?  Organizations in the early strategy stages for Zero Trust need to think of this as a multi-year plan which is probably starting to take shape, but it’s not the playbook you need to make today’s priority calls.  Many teams will struggle to move an emerging Zero Trust strategy to practical implementation. The need will arise further for approaches that can help with practical implementation and accelerate Zero Trust data initiatives.

9. Board with more cyber knowledge and investment.

Business and cybersecurity success go hand in hand. As the board’s role in cyber-risk oversight evolves, the importance of robust dialogue with the cyber influencers within an organization cannot be overestimated. Without close communication between boards and the cyber/risk team, the organization could be at even greater risk. If this sounds like a cybersecurity grooming exercise, that’s because it is. Preparing cybersecurity practitioners with business acumen for the board to act as the voice of educated reason isn’t such a bad idea.

The best businesses thrive because they have people at the very top who can exert control based on informed decision-making when a crisis looms. Leaving cybersecurity out of this success equation in 2023 is a risky game. Cybersecurity teams should equip the board with the following as a starting point. 

A clear articulation of the current cyber risks facing all aspects of the business (not just IT); and
A summary of recent cyber incidents, how they were handled, and lessons learned.
Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
Meaningful metrics that provide supporting essential performance and risk indicators of successful management of top-priority cyber risks that are being managed

10. Skills shortages and product silos exacerbate the situation.

There’s no question that cybersecurity should be a number one focus for businesses that want to keep growing. But improving and scaling cybersecurity efforts in a constantly changing environment is challenging, with new threats and technologies continually being developed. To make things worse, the cybersecurity labor crisis is going to intensify.

A saturation of cybersecurity products with umpteen features is a desperate cry for consolidation, and the future is about cyber platforms and not siloed feature sets. The focus should not just be on finding issues but instead on remediation. There is going to be a need to demonstrate speed to value. We need technology that shows immediate value with simple implementation. Everyone talks about tech spending but forgets to include all the labor to roll out and maintain the technology platforms and the reason to consider cyber as a service.

Our current global landscape is testing resiliency. As organizations continue to digitally transform it has created new and heightened cyber risk concerns. Protecting these digital connections needs to stay top of mind for leaders looking to help their organizations adapt to these changes while continuing to innovate. 

Read More

How to prepare for a SOC 2 audit – it’s a big deal, so you’d better get ready

Read Time:51 Second

Organizations that want to prove to others – and to themselves – that they have a solid cybersecurity and data privacy program will undergo a SOC 2 audit. As such, a SOC 2 audit is a big deal, and it’s demanding, and it requires some serious preparation.

SOC audits were created by the American Institute of CPAs (AICPA) under several evaluation and reporting frameworks comprising the System and Organization Controls headers SOC 1, SOC 2, and SOC 3.Although each of those holds value, many organizations ask their vendors and business partners – and are themselves asked – specifically to provide the results of a SOC 2 Type 2 audit. For that type, auditors evaluate organizations against the SOC 2 framework and the AICPA’s five Trust Service Criteria – security, availability, processing integrity, confidentiality, and privacy. Organizations use SOC 2 audit reports as a trusted standard that informs others in detail about how well they’re protecting data in each of those five areas.

To read this article in full, please click here

Read More