Russian Cyberattack against Ukrainian Power Grid Prevented

Read Time:36 Second

A Russian cyberweapon, similar to the one used in 2016, was detected and removed before it could be used.

Key points:

ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
We assess with high confidence that the APT group Sandworm is responsible for this new attack

Read More

Corporate structure and roles in InfoSec

Read Time:7 Minute, 29 Second

This blog was written by an independent guest blogger.

When assessing the corporate governance of modern companies, one cannot help but note the obvious problems with information security. To solve these problems, it is crucial to carry out initiatives that, on the one hand, are complex, multifaceted, and nonobvious, and on the other, assume the involvement of all employees of the company, including the heads of key departments.

Information security is impossible without help from within the organization

Let us analyze the roles and possible points of interaction of several different management positions (skipping the CISO) responsible for operational resiliency, secure infrastructure, proper resource allocation, reputational risks, incident response, and other aspects of information security.

Chief Executive Officer (CEO)

The company’s management ensures the creation and maintenance of an internal environment that allows employees to participate in achieving strategic goals fully. Information security starts with the CEO and goes down, covering all staff. The CEO is responsible for creating a strong culture of safe behavior. CEOs must personally set an example of the correct attitude towards information security requirements. This attitude and position of the company leader will stimulate the communication between departments allowing them to fight against ransomware and other serious threats more effectively.

Companies today need leaders who combine a high level of technology awareness with an open mind. These leaders must create an open environment in which not only information about success is encouraged but also about information about any negative processes. Creating an atmosphere of transparency is an important task of top management when developing a ransomware protection strategy.

Chief Human ResourcesPeople Officer (CHRO/CPO)

Information security largely depends on the organizational structure and corporate culture of the company, and the role of the HR leader is one of the key ones in ensuring information security.

How is this expressed? First of all, such a leader must take responsibility for all employees hired by the company. These days, many information security incidents happen due to malicious insiders or employee incompetence. Understanding the day-to-day interests and motivations of employees is an important part of the work of the HR department.

Organizations can treat their employees on a “hired and fired” basis. But in this case, you should not expect high levels of personnel loyalty and a good reputation in the labor market. Managing the recruitment and departure of employees, taking into account emerging risks associated with, for example, data breaches, is one of the most important contributions of the HR leader to the security of the company.

Another significant part of HR is the application of advanced information security training programs.

The role of the HR department is also crucial in ensuring the ethics of security measures adopted by the company and in aligning these measures with the tasks and goals of employees. Effective corporate governance cannot rely on employees who are forced to act against their own interests and habits. Monitoring employee actions often raises questions about trust in the staff. HR director should understand the ethical underpinnings of these issues best and can provide advice to the CEO and information security department on whether the adopted security policies will be effective and if they are in line with the corporate culture.

Chief Information Officer (CIO)

It is essential for the CIO that information security increases the stability and reliability of IT systems, affecting the operational resiliency of all business processes.

On the technical side, the company’s top managers are primarily concerned about outages of IT systems or employee dissatisfaction with the use of IT infrastructure.

Throughout the life cycle of company development, it often happens that the information security team comes in and leaves after a short time, while the IT team remains for a long time. This is a consequence of the business’s strategic priorities, which were formed with the development and implementation of IT technologies. Indeed, a mature company has been living with the IT service for about 40 years and is used to following and trusting everything IT people say.

The business has been familiar with information security for the last 10-15 years at best. And it is the information security team that informs the CEO about all the problems of the IT team like the bad habits of employees in terms of using passwords, clicking links, the presence of technical accounts in Active Directory, update management, etc. For instance, employees might be recommended to download VPN services for security reasons whenever they work remotely.

In the fight of the security team with infosec issues, the IT team is formally on the side of information security. Still, in the real world, there is a misunderstanding, rivalry, explicit or hidden actions on the part of IT engineers (IT gurus) who are accustomed to creating certain rules independently. The CIO should make his employees realize the importance of information security for the company’s sustainability.

Chief Risk Officer (CRO)

Continuous development and improvement should be obligatory and constant strategic objectives of any company. Identifying risks in the context of business priorities is one of the company’s key goals in the field of information security. Therefore, the participation of the CRO in ensuring the information security of the company is directly related to his duties.

Risk prioritization is not a technical task. This is the matter of managing the company. The Chief Risk Officer should play an important role in developing the information security program and overseeing how identified risks are documented and eliminated.

At the same time, tech people need to get rid of the illusion that only they are able to understand information security risks. IT and security departments should share more information about various infosec subtleties so that company executives and risk management staff understand them better.

Chief Audit Executive (CAE)

The activities of the internal audit department are vital both for the information security and IT services as well as for the company’s executives. For information security and IT services, this is a third-party view of cybersecurity problems, focused on the most critical areas of the company’s business activities. For top managers, the internal audit department significantly saves time and eliminates routine supervision procedures.

There are, however, some pitfalls in the way the internal audit department works. For this unit, complying with information security requirements may be less of a priority than complying with industry standards and regulations. Top managers should not think that compliance with standards will protect the company from all trouble. It is important here not to neglect other preventive measures proposed by all company stakeholders.

Chief Legal Officer (CLO)

If the specialists of the legal department are well versed in legislation related to the protection of personal data, understand the basics of technology, know reliable legal practices in the field of compliance with information security legislation, then this may indicate that the company has deep legal expertise in security technologies.

Legal specialists play a key role in determining the company’s policy on exchanging information with government agencies. They participate in court proceedings. A significant part from the point of view of information security is played by the legal department when responding to data breaches.

Chief Security Officer (CSO)

In modern companies, the organization of physical security is usually outsourced, and the security department primarily deals with internal, strategic, operational, financial, and reputational risks. When investigating incidents, the security service traditionally comes to the fore. The information security team provides all evidence like logs or emails, and the security department brings the investigation to its logical conclusion.

Conclusion

The above-mentioned business divisions and their leaders often look at information security issues differently. Still, under the strong leadership of the CEO, they may come to a mutual understanding of arising problems and effectively determine the cybersecurity strategy.

One of the key conditions for a large number of participants to cooperate successfully is to recognize the roles that each group should play in the company. Top managers play the leading roles in these processes. They have the authority to determine what is vital to the company and what is not.

There are peculiarities and differences in how each department ensures the strong cybersecurity posture of the company. But there is one area where all efforts converge. It is the cybersecurity incident response. Developing and implementing sound, consistent incident response plans is a formidable task that is absolutely essential to a company’s success in dealing with negative events. Developing such plans is a multidisciplinary project in which each of the key leaders must play a role.

The solution to many information security problems is impossible without finding a compromise between the participants. Top managers are not used to acting on someone else’s orders. Rules introduced by technology leaders who have unexpectedly appeared (CISO) in the company often limit their freedom and infringe upon their pride. Today’s business leaders should understand the hidden technological risks and rely on a wide range of opinions in the company when developing a security strategy.

Read More

Who is your biggest insider threat?

Read Time:39 Second

Penetration testing has shown cybersecurity manager David Murphy just how problematic people can be.

In his career, he has seen people pick up and use dropped thumb drives, give up passwords over the phone and, yes, even click on simulated phishing links.

He has also seen the real-world consequences of such actions.

[ Learn 8 pitfalls that undermine security program success and 12 tips for effectively presenting cybersecurity to the board. | Sign up for CSO newsletters. ]

Murphy, manager of cybersecurity at Schneider Downs, a certified public accounting and business advisory firm, says he once investigated the root cause of a ransomware attack at a company and traced the incident back to a worker who had clicked on an invoice for pickles.

To read this article in full, please click here

Read More

Post Title

Read Time:20 Second

Multiple vulnerabilities have been discovered in Citrix SD-WAN. Citrix SD-WAN is a software defined Wide Area Network (WAN) which can allow for easier management of multiple networks. The most severe of these vulnerabilities contains hard-coded credentials. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Read More

USN-5377-1: Linux kernel (BlueField) vulnerabilities

Read Time:2 Minute, 47 Second

It was discovered that the network traffic control implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-1055)

Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the
Linux kernel did not properly restrict access to the cgroups v1
release_agent feature. A local attacker could use this to gain
administrative privileges. (CVE-2022-0492)

Jürgen Groß discovered that the Xen subsystem within the Linux kernel did
not adequately limit the number of events driver domains (unprivileged PV
backends) could send to other guest VMs. An attacker in a driver domain
could use this to cause a denial of service in other guest VMs.
(CVE-2021-28711, CVE-2021-28712, CVE-2021-28713)

Jürgen Groß discovered that the Xen network backend driver in the Linux
kernel did not adequately limit the amount of queued packets when a guest
did not process them. An attacker in a guest VM can use this to cause a
denial of service (excessive kernel memory consumption) in the network
backend domain. (CVE-2021-28714, CVE-2021-28715)

It was discovered that the simulated networking device driver for the Linux
kernel did not properly initialize memory in certain situations. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2021-4135)

Brendan Dolan-Gavitt discovered that the Marvell WiFi-Ex USB device driver
in the Linux kernel did not properly handle some error conditions. A
physically proximate attacker could use this to cause a denial of service
(system crash). (CVE-2021-43976)

It was discovered that the ARM Trusted Execution Environment (TEE)
subsystem in the Linux kernel contained a race condition leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service or possibly execute arbitrary code. (CVE-2021-44733)

It was discovered that the Phone Network protocol (PhoNet) implementation
in the Linux kernel did not properly perform reference counting in some
error conditions. A local attacker could possibly use this to cause a
denial of service (memory exhaustion). (CVE-2021-45095)

Wenqing Liu discovered that the f2fs file system in the Linux kernel did
not properly validate the last xattr entry in an inode. An attacker could
use this to construct a malicious f2fs image that, when mounted and
operated on, could cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-45469)

It was discovered that the Reliable Datagram Sockets (RDS) protocol
implementation in the Linux kernel did not properly deallocate memory in
some error conditions. A local attacker could possibly use this to cause a
denial of service (memory exhaustion). (CVE-2021-45480)

Samuel Page discovered that the Transparent Inter-Process Communication
(TIPC) protocol implementation in the Linux kernel contained a stack-based
buffer overflow. A remote attacker could use this to cause a denial of
service (system crash) for systems that have a TIPC bearer configured.
(CVE-2022-0435)

It was discovered that the IPsec implementation in the Linux kernel did not
properly allocate enough memory when performing ESP transformations,
leading to a heap-based buffer overflow. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-27666)

Read More