Code hosting platform to make 2FA mandatory for all code contributors by the end of 2023
Yearly Archives: 2022
Cybersecurity and resilience: board-level issues
Resilience means more than bouncing back from a fall at a moment of significantly increased threats. When addressing resilience, it’s vital to focus on long-term goals instead of short-term benefits. Resilience in the cybersecurity context should resist, absorb, recover, and adapt to business disruptions.
Cyber resiliency can’t be accomplished overnight. For the longest time, the conversation around getting the cybersecurity message across at the board level has revolved around the business language. Businesses cannot afford to treat cybersecurity as anything but a systemic issue. While the board tends to strategize about managing business risks, cybersecurity professionals tend to concentrate their efforts at the technical, organizational, and operational levels. The languages used to manage the business and manage cybersecurity are different. This might obscure both the understanding of the real risk and the best approach to address the risk. Early on in my career, I was told to think of how to transform geek to CEO speak. That piece of advice still holds true.
Why? The argument for board-level cybersecurity understanding
The reality today is that cybersecurity is a critical business issue that must be a priority for every organization. As business operations become increasingly digitized, data has become one of the most valuable assets of any organization. This has resulted in increased expectations from customers, employees, regulators, and other stakeholders that an organization has developed appropriate resilience measures to protect against the evolving cyber threat landscape. The failure to do so presents substantial risks, including loss of consumer confidence, reputational damage, litigation, and regulatory consequences.
How? Changing the narrative away from the ‘team of no.’
The ‘how’ equation comes in two distinct yet equally important parts. One is levelling-up of the board’s cybersecurity knowledge. The other ensures that security teams get board-level support. The second of these requires those teams to help change the narrative: instead of being the ‘team of no,’ security teams need to be seen as influencers. Enablers and not enforcers, in other words.
It’s time to stop repeating how things can’t be done (on security grounds). Rather, we need to preach from the business transformation book and explain how they can be. We must stop operating out of silos and build out relationships with all business players, embedding ‘scenario thinking’ and responsiveness into organizational cyber functioning. But just as importantly, to address the first part, the board needs to proactively plan and prepare for a cyber-crisis; only by understanding the risks can the business be in the right strategic place to combat them successfully.
Cybersecurity teams should equip the board with the following as a starting point.
A clear articulation of the current cyber risks facing all aspects of the business (not just IT); and
A summary of recent cyber incidents, how they were handled, and lessons learned.
Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
Meaningful metrics that provide supporting essential performance and risk indicators of successful management of top-priority cyber risks that are being managed today
Business and cybersecurity success go hand in hand
As the board’s role in cyber-risk oversight evolves, the importance of having a robust dialogue with the cyber influencers within an organization cannot be overestimated. Without close communication between boards and the cyber/risk team, the organization could be at even greater risk.
If this sounds like a cybersecurity grooming exercise, that’s because it is. Preparing cybersecurity practitioners with business acumen for the board to act as the voice of educated reason isn’t such a bad idea, is it? The best businesses thrive because they have people at the very top who can exert control based on informed decision-making when a crisis looms. Leaving cybersecurity out of this success equation in 2022 is a very risky game.
This World Password Day, Here’s How a Password Manager Can Simplify Your Life
Passwords: we entrust our most important data to these strings of letters, numbers, and special characters. So, we should make sure our passwords are words or phrases that we can easily remember, right? While this might be the most convenient option, there are more secure ways to digitally lock up your most sensitive personally identifiable information (PII). In celebration of World Password Day, we’re diving into how you can practice top-notch password security without compromising convenience.1
The Nature of the Password
Over the years, the password has remained a good first line of defense against cyberattacks. However, most of us tend to choose passwords based on memorable things from our lives, like family names or our pets’ birthdays. As it turns out, these details are easy for hackers to find on social media sites like Facebook or LinkedIn. It’s also human nature to opt for convenience, and for many people that means setting easy-to-remember and easy-to-guess passwords. Plus, out of convenience, people often reuse passwords across multiple accounts and services. The downside is that if one account becomes compromised, all accounts become compromised.
As an alternative to single-word passwords, many security experts advocate for passphrases over passwords. Passphrases are longer strings of words and characters that are easier for you to remember and harder for nefarious software and cybercriminals to guess than random strings of upper and lowercase letters, numbers and symbols. But, according to a study, the average American internet user was projected to have 300 online accounts by 2022.2 Can you imagine memorizing 300 different passphrases? We can all agree that sounds pretty unrealistic, so users tend to look for other solutions.
Do You Save Your Password in a Browser?
If the answer is yes, you may want to reconsider, as there are several risks associated with this practice. Although it’s convenient to have your browser save your passwords, they tend to do a lousy job of safeguarding your passwords, credit card numbers and personal details, such as your name and address.
Let’s take Google Chrome, for example. Unlike most dedicated password managers, Chrome doesn’t use a primary password to encrypt all your credentials. (Note that some browsers do use one, and are therefore more secure, though you’ll still need to trust your browser provider.) This makes your Chrome-stored passwords relatively weak to “local” attacks. For example, if someone gets hold of—or guesses—your Windows password, they can then see all the logins stored in your browser’s password manager.
Another consideration to note is that the security of all your accounts is tied to your browser account’s security. Let’s say you use the sync option to make your credentials available on all your devices. This means that logins are stored in the cloud and, though encrypted, if someone manages to hack into your browser account, they will gain access to all your logins.
Keep Your Accounts Secure Without Compromising Convenience
What can you do to help ensure your online profiles are kept safe without spending hours managing a complex list of passwords? Here are some easy ways to lock down your digital life without sacrificing convenience:
Use a password manager to store unique, complex passwords for all your accounts
A password manager is a software application that stores your passwords and other sensitive information. You can install it on computers or mobile devices and store all passwords in an encrypted file (or database). The best option is to use a password manager like McAfee True Key to store and create strong, random passwords for each site you visit. You’ll have one primary password that grants access to the rest of them—ideally, a long and random passphrase that you can remember. Once everything is set up, it should be seamless. As you log in to new sites, the password manager will offer to save your credentials for later use.
Turn on two-factor authentication for every site that offers it
One of the best ways to protect your accounts against unauthorized access is to turn on two-factor authentication for every site that offers it. Using two-factor authentication means a site will prompt you for a unique security code, in addition to your password, whenever you log in to an account for which you have enabled this feature.
Two-factor authentication adds an extra layer of security by requiring another form of identification after you enter your username and password. Some services send a temporary passcode over text message. Others require the user to approve login attempts from new devices using an app. If someone steals your device or gains access to your account details, they’re out of luck unless they also have access to this second piece of information. Two-factor authentication is available on a wide range of websites and can help keep your accounts safe from would-be hackers, so you should always use it when available.
Use a virtual private network (VPN) when out and about
A VPN, or virtual private network, encrypts your data and masks your online behavior from snooping third parties. When you go to a website, your computer connects to the server where the site is hosted, and that website can see a certain amount of data about you and your computer. With a VPN, you connect to a private server first, which scrambles your data and makes it more difficult for digital eavesdroppers to track what you’re doing online.
VPNs can provide users with greater peace of mind when on the go. Say you’re traveling on a business trip and need to connect to the Wi-Fi network provided by your hotel. Shifty characters often lurk on unprotected, free networks (such as those provided by hotels, coffee shops, airports, etc.) to lift PII from people handling sensitive emails, making banking transactions, or shopping online. McAfee Safe Connect VPN encrypts your online activity with bank-grade encryption to protect your data from prying eyes. With a premium paid plan, you can protect up to five devices at once and enjoy unlimited data protection.
The Best of Both Worlds: Security and Convenience
With your growing number of accounts all requiring passwords—emails, social media profiles, online banking—it’s no wonder that people tend to reuse passwords across multiple sites. This may be convenient, but it creates significant security risks if a suspicious actor manages to obtain one of your passwords and attempts to use it elsewhere. That’s why having strong passwords matters.
Do yourself a favor and opt for a dedicated password manager that will auto-save and store your credentials for you, so you only have one password to remember. Who says security and simplicity can’t coexist?
The post This World Password Day, Here’s How a Password Manager Can Simplify Your Life appeared first on McAfee Blog.
Dell offers data, app recovery support for multicloud assets
Dell is adding data recovery solutions to its APEX portfolio, for data centers and public clouds including Azure and AWS.
Illuminate Data Breach Impacts More School Districts
Colorado now affected by incident that compromised data of 820,000 NYC students
$43 billion stolen through Business Email Compromise since 2016, reports FBI
The FBI’s Internet Crime Complaint Center (IC3) has issued updated statistics on Business Email Compromise (BEC) attacks which use a variety of social engineering and phishing techniques to break into accounts and trick companies into transferring large amounts of money into the hands of criminals.
Read more in my article on the Tripwire State of Security blog.
Latest Cohort Announced for NCSC For Startups
The new cohort was chosen for their innovative approaches to tackling the growing ransomware threat
Chinese APT group Mustang Panda targets European and Russian organizations
A cyberespionage group whose targeting has historically been aligned with China’s geopolitical interests has been targeting European and Russian entities using topical spear-phishing lures connected to the war in Ukraine.
The group, tracked as Mustang Panda, RedDelta, Bronze President or TA416 by different cybersecurity firms, has been active since at least 2012 and over the years has targeted organizations in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic entities, think tanks, non-governmental organizations (NGOs), religious organizations, telecommunication companies, and political activists.
Post Title
Multiple vulnerabilities have been discovered in F5Networks products, the most severe of which could result in arbitrary code execution.
BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.
Traffix SDC is a product that provides load balancing and gateway connectivity.
Big-IQ Centralized Management tracks assets and manages policies for BIG-IP products.
F5 Access for Android is an Android application that allows users to access enterprise networks and applications.
BIG-IP Guided Configuration is a products that provides a way to deploy configurations of BIP-IP APM and Advanced WAF.
The F5OS-A is the operating system software for the F5 rSeries system.
NGINX Service Mesh is a product that allows for traffic control of distributed systems.
BIG-IP APM provides access control and authentication for applications.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
15.3 Million Request-Per-Second DDoS Attack
Cloudflare is reporting a large DDoS attack against an unnamed company “operating a crypto launchpad.”
While this isn’t the largest application-layer attack we’ve seen, it is the largest we’ve seen over HTTPS. HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection. Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.
The attack only lasted 15 seconds. No word on motive. Was this a test? Or was that 15-second delay critical for some other fraud?
News article.