[KIS-2022-01] ImpressCMS <= 1.4.2 (autologin.php) Authentication Bypass Vulnerability

Posted by Egidio Romano on Mar 22

------------------------------------------------------------------------
ImpressCMS <= 1.4.2 (autologin.php) Authentication Bypass Vulnerability
------------------------------------------------------------------------

[-] Software Link:

https://www.impresscms.org

[-] Affected Versions:

Version 1.4.2 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the /plugins/preloads/autologin.php script:

45.   …

5 Industries that need advanced Cybersecurity measures

This blog was written by an independent guest blogger.

Cybersecurity is more important today than ever before, with virtual threats surging to historic highs. Organizations in every industry need to take steps to protect themselves from cybercrime. A few sectors, in particular, should be especially concerned about safety. These industries are at the highest risk of being targeted by cyberattacks, with damages that can cost billions of dollars.

1. E-commerce

Online shopping was steadily becoming more popular throughout the 2000s and 2010s, but the COVID-19 pandemic has sparked an incredible boom in the 2020s. This is great news for businesses since e-commerce can pull in revenue from a larger audience than brick-and-mortar stores.

However, these companies must have top-notch cybersecurity. When online shopping rose in popularity in 2020, cybercrimes also skyrocketed, amounting to $1 trillion in damages. E-commerce businesses can protect their customers from these threats using online checkout security, multifactor authentication, secure data storage and other practices that put client information first.

2. Finance

A shocking 74% of financial institutions reported experiencing a surge in cyber threats connected to the COVID-19 pandemic in 2021. It should come as no surprise that financial institutions are at the top of cybercriminals’ lists. The trend will only continue as more customers turn to online banking.

Organizations in the finance industry have to take extra steps to protect themselves and their customers from digital threats. For example, mobile banking apps should have an option for biometric authentication, which is more difficult to hack than a conventional alphanumeric password. Internally, cybersecurity must be impenetrable, which requires a culture of security among employees and leaders.

3. Healthcare

Hackers noticed when the COVID-19 pandemic channeled massive amounts of attention and money into the health care industry. Providers, institutions and businesses of all types have become targets for cybercrime. Patients’ sensitive data is especially valuable on the dark web and within cybercrime networks, since it enables impersonation and identity theft.

Health care organizations must be extremely careful and focused to protect their patients and customers. Studies have found that misdelivery alone is responsible for 36% of breaches in the medical industry. Telemedicine only increases the danger of individual mistakes and inconsistencies. Every password, device, file and user must be extremely well-fortified. AI cybersecurity software is on the rise for this exact purpose, helping autonomously detect threats and vulnerabilities.

4. Manufacturing

The manufacturing industry may not be a traditional target for cybercrime, but the supply chain crisis has changed that. Cybercriminals know that manufacturers are working against the clock already, making it much easier for certain attacks, like ransomware, to gain leverage. As a result, manufacturers’ security gaps have put the entire supply chain at risk.

More manufacturers are using automation, IoT and other connected technologies to stay ahead of the curve during the supply chain crisis. Protecting these devices is crucial. Additionally, manufacturing facilities’ networks must have strong firewalls and login protections to keep out intruders. Any computers employees use to access business information need to be secured and backed up regularly, as well.

5. Government

Government institutions and the private sector businesses they work with have always been prime targets for cybercrime. Their cybersecurity methods will need to evolve in the years ahead, though. In fact, government organizations and their private sector partners will need to lead the way at the cutting edge of safety practices to stay ahead of the rising tide of cybercrime.

Specific types of attacks are increasing faster than others, which governmental bodies must be aware of. For example, they need to start requiring anti-phishing training to teach federal employees how to recognize and deal with suspicious emails and domains. INTERPOL found that phishing attacks have increased more than any other type of cyberattack in response to the COVID-19 pandemic. They are especially dangerous for governments since they handle sensitive and even classified information regularly.

Cybersecurity in the next digital era

Cybersecurity is a continuous process that must be constantly monitored and improved to stay ahead of criminals. Innovation has exploded in recent years in response to evolving threats. For example, artificial intelligence is becoming a popular tool for outsmarting cybercriminals and preventing attacks altogether. Friendly hacking is also becoming commonplace as organizations seek to test their defenses safely.

Education and training are crucial for digital safety. This is especially important with the rising popularity of remote work, where employees are solely responsible for the security of their devices and connections. A security-first mindset allows organizations in every industry to protect themselves and their customers from the advancing threats of the digital landscape.

6 steps to getting risk acceptance right

Cybersecurity and risk expert David Wilkinson has heard some executives put off discussions about risk acceptance, saying they don’t have any appetite or tolerance for risk.

“But every organization has to have some level of risk acceptance,” says Wilkinson, senior managing partner with The Bellwether Group, a firm providing security and risk services. Otherwise, they’d be unable to function.

Yet there are indicators that many CISOs aren’t having productive conversations around risk acceptance.

According to Gartner research, only 66% of CISOs identified as top performers collaborate with senior business decision-makers to define their organization’s risk appetite. (The number drops to only 37% of CISOs identified by Gartner as “bottom performers.”)

Internet sanctions against Russia pose risks, challenges for businesses

Whether we wish to admit it or not, the way the internet is used is in the midst of a major transformation as a consequence of Russia’s invasion of Ukraine. Russia is moving to cut off internet access to Ukraine and to limit internet access for its own populace. Ukraine is seeking to limit Russia’s disinformation and its ability to conduct commerce. Organizations continue to navigate their way through a world of sanctions and direct government requests to take specific actions.

While the situation may appear to be black and white, it is, in reality, several shades of gray and is happening in the midst of the internet’s transition to multistakeholder governance. On March 10, 2022, the internet community issued a paper titled “Multistakeholder Imposition of Internet Sanctions.” This “conversation document,” signed by a plethora of individuals from companies and organizations, posited seven principles:

Yes, you can measure cybersecurity efficacy

I hate to do this but consider the following thought exercise: Transport yourself back to fall 2020 when literally the entire world was waiting for a COVID vaccine. We knew there were a few candidates (in fact, one mRNA vaccine was formulated in late January) and were just waiting on the proof – the efficacy studies. Most of the world was elated to find out in early December 2020 that efficacy rates were 95%. Of course, some folks needed to know that a typical flu vaccine provides about 60% efficacy.

Now consider how you would have felt if, instead of conducting randomized control trials that tested outcomes from the vaccine, Pfizer and Moderna had asserted that the vaccine would work because the scientists who created it had strong credentials, the lab environment was properly managed, procedures were impeccably followed, and all the paperwork was in order. I’m not sure about you, but I would have been devastated and probably irate.

LAPSUS$ ransomware group claims Okta breach

Ransomware group LAPSUS$ has claimed to have breached the internal systems of cloud-based authentication software provider Okta.

The breach was first flagged on Twitter by Bill Demirkapi, a senior security engineer at video conferencing company Zoom, at 8:15pm Pacific Time on Monday night.

According to the LAPSUS$ screenshots, taken from the secure messaging service Telegram and posted online by Demirkapi and others, the ransomware group said it did not target Okta’s databases, instead focusing on Okta customers. It also showed possible superuser access, and screenshots of Okta’s internal Jira and Slack instances.
