Digital transformation, or DX, is driving enterprises worldwide to adapt their network and security strategies. Two key trends in particular have accelerated due to the pandemic: the adoption of cloud infrastructures, and the growth of a distributed workforce. Together, these trends have forced a restructuring of both networking and security. Now, enterprises need to deploy security services anytime, anywhere, across a diverse set of architectures and endpoints. Further, they need to control and secure the distributed workforce, internal resources and cloud infrastructures.

To read this article in full, please click here

Read More

First cybersecurity book written exclusively by women and non-binary experts published

Read More

Graham Cluley Security News is sponsored this week by the folks at Keeper Security. Thanks to the great team there for their support! The mass migration to distributed work presented IT and DevOps teams with new challenges as they were forced to perform infrastructure monitoring and management remotely. IT and DevOps personnel needed a secure, … Continue reading “Keeper Connection Manager : Privileged access to remote infrastructure with zero-trust and zero-knowledge security”

Read More

Software supply chains have become a tasty target for adversaries fueled by successful, high-profile attacks on companies like Solarwinds and Kaseya and open-source offerings like Log4j. Now a software applications security company seeks to address the problem with what it’s saying is the first attack surface management (ASM) product to address threats across the application full stack of APIs, cloud services, SDKs, and open-source software.

To read this article in full, please click here

Read More

Passwords: we entrust our most important data to these strings of letters, numbers, and special characters. So, we should make sure our passwords are words or phrases that we can easily remember, right? While this might be the most convenient option, there are more secure ways to digitally lock up your most sensitive personally identifiable information (PII). In celebration of World Password Day, we’re diving into how you can practice top-notch password security without compromising convenience.1  

The Nature of the Password 

Over the years, the password has remained a good first line of defense against cyberattacks. However, most of us tend to choose passwords based on memorable things from our lives, like family names or our pets’ birthdays. As it turns out, these details are easy for hackers to find on social media sites like Facebook or LinkedIn. It’s also human nature to opt for convenience, and for many people that means setting easy-to-remember and easy-to-guess passwords. Plus, out of convenience, people often reuse passwords across multiple accounts and services. The downside is that if one account becomes compromised, all accounts become compromised. 

As an alternative to single-word passwords, many security experts advocate for passphrases over passwords. Passphrases are longer strings of words and characters that are easier for you to remember and harder for nefarious software and cybercriminals to guess than random strings of upper and lowercase letters, numbers and symbols. But, according to a study, the average American internet user was projected to have 300 online accounts by 2022.2 Can you imagine memorizing 300 different passphrases? We can all agree that sounds pretty unrealistic, so users tend to look for other solutions.  

Do You Save Your Password in a Browser?  

If the answer is yes, you may want to reconsider, as there are several risks associated with this practice. Although it’s convenient to have your browser save your passwords, they tend to do a lousy job of safeguarding your passwords, credit card numbers and personal details, such as your name and address. 

Let’s take Google Chrome, for example. Unlike most dedicated password managers, Chrome doesn’t use a primary password to encrypt all your credentials. (Note that some browsers do use one, and are therefore more secure, though you’ll still need to trust your browser provider.) This makes your Chrome-stored passwords relatively weak to “local” attacks. For example, if someone gets hold of—or guesses—your Windows password, they can then see all the logins stored in your browser’s password manager. 

Another consideration to note is that the security of all your accounts is tied to your browser account’s security. Let’s say you use the sync option to make your credentials available on all your devices. This means that logins are stored in the cloud and, though encrypted, if someone manages to hack into your browser account, they will gain access to all your logins.  

Keep Your Accounts Secure Without Compromising Convenience 

What can you do to help ensure your online profiles are kept safe without spending hours managing a complex list of passwords? Here are some easy ways to lock down your digital life without sacrificing convenience:  

Use a password manager to store unique, complex passwords for all your accounts 

A password manager is a software application that stores your passwords and other sensitive information. You can install it on computers or mobile devices and store all passwords in an encrypted file (or database). The best option is to use a password manager like McAfee True Key to store and create strong, random passwords for each site you visit. You’ll have one primary password that grants access to the rest of them—ideally, a long and random passphrase that you can remember. Once everything is set up, it should be seamless. As you log in to new sites, the password manager will offer to save your credentials for later use. 

Turn on two-factor authentication for every site that offers it 

One of the best ways to protect your accounts against unauthorized access is to turn on two-factor authentication for every site that offers it. Using two-factor authentication means a site will prompt you for a unique security code, in addition to your password, whenever you log in to an account for which you have enabled this feature.  

Two-factor authentication adds an extra layer of security by requiring another form of identification after you enter your username and password. Some services send a temporary passcode over a text message. Others require the user to approve login attempts from new devices using an app. If someone steals your device or gains access to your account details, they’re out of luck unless they also have access to this second piece of information. Two-factor authentication is available on a wide range of websites and can help keep your accounts safe from would-be hackers, so you should always use it when available.  

Use a virtual private network (VPN) when out and about 

A VPN, or virtual private network, encrypts your data and masks your online behavior from snooping third parties. When you go to a website, your computer connects to the server where the site is hosted, and that website can see a certain amount of data about you and your computer. With a VPN, you connect to a private server first, which scrambles your data and makes it more difficult for digital eavesdroppers to track what you’re doing online. 

VPNs can provide users with greater peace of mind when on the go. Say you’re traveling on a business trip and need to connect to the Wi-Fi network provided by your hotel. Shifty characters often lurk on unprotected, free networks (such as those provided by hotels, coffee shops, airports, etc.) to lift PII from people handling sensitive emails, making banking transactions, or shopping online.  encrypts your online activity with bank-grade encryption to protect your data from prying eyes. With a premium paid plan, you can protect up to five devices at once and enjoy unlimited data protection.  

The Best of Both Worlds: Security and Convenience 

With your growing number of accounts all requiring passwords—emails, social media profiles, online banking—it’s no wonder that people tend to reuse passwords across multiple sites. This may be convenient, but it creates significant security risks if a suspicious actor manages to obtain one of your passwords and attempts to use it elsewhere. That’s why having strong passwords matters. 

Do yourself a favor and opt for a dedicated password manager that will auto-save and store your credentials for you, so you only have one password to remember. Who says security and simplicity can’t coexist?  

The post This World Password Day, Here’s How a Password Manager Can Simplify Your Life appeared first on McAfee Blog.

Read More

Concerns raised over South Africa’s proposal to tie people’s biometric data to their SIM cards

Read More

Imagine – your favorite brand on Instagram just announced a giveaway. You’ll receive a free gift! All you have to do is provide your credit card information. Sounds easy, right? This is a brand you’ve followed and trusted for a while now. You’ve engaged with them and even purchased some of their items. The link comes directly from their official page, so you don’t think to question it. 

This is the same mindset that led to several Bored Ape Yacht Club (BAYC) NFTs being stolen by a cybercriminal who had hacked into the company’s official Instagram account. Let’s dive into the details of this scam.  

Sneaking Into the Bored Ape Yacht Club 

Bored Ape Yacht Club, the NFT collection, disclosed through Twitter that their Instagram account had been hacked, and advised users not to click on any links or link their crypto wallets to anything. The hacker managed to log into the account and post a phishing link promoting an “airdrop,” or a free token giveaway, to users who connected their MetaMask wallets. Those who linked their wallets before BAYC’s warning lost a combined amount of over $1 million in NFTs. 

Despite the large price tag attached to NFTs, they are often held in smartphone wallets rather than more secure alternatives. MetaMask, the crypto wallet application, only allows NFT display through mobile devices and encourages users to use the smartphone app to manage them. While it may be a good method for display purposes, this limitation provides hackers with a new and effective way to easily steal from users’ mobile wallets. 

BAYC does not yet know how the hacker was able to gain access to their Instagram account, but they are following security best practices and actively working to contact the users affected. 

N.F.T. – Not For Taking 

This scam was conducted through the official BAYC account, making it appear legitimate to BAYC’s followers. It is incredibly important to stay vigilant and know how to protect yourself and your assets from scams like these. Follow the tips below to steer clear of phishing scams and keep your digital assets safe:  

Ensure wallet security 

A seed phrase is the “open sesame” to your cryptocurrency wallet. The string of words is what grants you access to all your wallet’s assets. Ensuring that your seed phrase is stored away safely and not easily accessible by anyone but yourself is the first step to making sure your wallet is secure. 

Protect your privacy 

With all transactional and wallet data publicly available, scammers can pick and choose their targets based on who appears to own valuable assets. To protect your privacy and avoid being targeted, refrain from sharing your personal information on social media sites or using your NFT as a social media avatar. 

Look out for phishing scams 

Phishing scams targeting NFT collectors are becoming increasingly common. Be wary of any airdrops offering free tokens in exchange for your information or other “collectors” doing the same. 

Phishing scams tend to get more sophisticated over time, especially in cases like the Bored Ape Yacht Club where the malicious links are coming straight from the official account. It is always best to remain skeptical and cautious, but when in doubt, here are some extra tips to spot phishing scams: 

Is it written properly? A few spelling or grammar mistakes can be common, but many phishing messages will contain glaring errors that professional accounts or companies wouldn’t make. If you receive an error-filled message or promotion that requires giving your personal information, run in the other direction. 
Does the logo look right? Scammers will often steal the logo of whatever brand or company they’re impersonating to make the whole shtick look more legitimate. However, rarely do the logos look exactly how they’re supposed to. Pay close attention to any logo added in a message or link. Is the quality low? Is it crooked or off-center? Is it almost too small to completely make out? If yes, it’s most likely not the real deal. 

Is the URL legit? In any phishing scam, there will always be a link involved. To check if a link is actually legitimate, copy and paste the URL into a word processor where you can examine it for any odd spelling or grammatical errors. If you receive a strange link via email, hover over it with your mouse to see the link preview. If it looks suspicious, ignore and delete it. Even on mobile devices, you can press and hold the link with your finger to check out the legitimacy of the URL. 

As crypto and NFTs continue to take the world by storm, hackers and scammers are constantly on the prowl for ways to steal and deceive. No matter the source or how trustworthy it may seem at first glance, always exercise caution to keep yourself and your assets safe! 

The post Instagram Hack Results in $1 Million Loss in NFTs appeared first on McAfee Blog.

Read More

Cloud breaches are on the upswing due to preventable misconfigurations. Here’s how you can lower your risk with a new integration between Tenable.cs and Terraform Cloud.

Today’s cloud environments are highly dynamic with new updates continuously released into production and workloads scaling up and down based on customer demand. Within minutes cloud engineers can spin up and fully deploy resources to the cloud. But with increased speed many times comes increased risk. System vulnerabilities caused by misconfigurations are often overlooked and may remain undetected for months. As a result, cloud breaches are increasing in scale and velocity. Over 30 billion records were exposed in 200 breaches between 2018 and 2020 due to cloud infrastructure misconfigurations alone.

How can you reduce your chances of suffering breaches caused by cloud misconfigurations? In this post, we explain how Tenable and HashiCorp can help with this issue via a new integration between Tenable.cs and Terraform Cloud Run Tasks. 

Introduction to cloud provisioning and Terraform

Cloud resource provisioning is a key aspect of deploying cloud workloads. Although most cloud providers have their own provisioning utilities, best-of-breed tools like Hashicorp Terraform offer benefits that go beyond what cloud providers offer. Using Terraform, an open-source Infrastructure as Code (IaC) tool, to provision infrastructure provides many benefits to the management and operations of your environment. HashiCorp Configuration Language (HCL) provides the ability to standardize reusable modules of infrastructure that can be used across projects and environments. When standing up infrastructure, Terraform reads the current state of your environment and determines any changes needed to configure the environment to the state defined in your IaC. This simplifies the process of managing complex architectures which can be fragile if manually maintained. IaC allows for the code to be version controlled and provides better visibility into how the infrastructure has been provisioned and configured.

Terraform key security considerations 

Terraform also offers security benefits. The workflow around infrastructure provisioning can be used to protect your environment from security issues. When enforcing the use of IaC for any changes in your environment, code can be assessed to ensure that any security defects are detected and mitigated before infrastructure is provisioned. Security or operational guardrails can be codified and enforced through CI/CD pipelines, gates, or other automated means to ensure that your environment is compliant with your policies. 

While using tools such as Terraform simplify managing infrastructure, it’s still common for critical misconfigurations of cloud infrastructure to happen. Key areas of concerns for vulnerability management for Terraform environments include:

Secrets Management: Terraform requires credentials in order to authorize any API actions necessary to provision the infrastructure specified in your code. Since these credentials provide privileged access to create, manage, and destroy your environment, care should be taken to ensure that they are not exposed to unauthorized people or processes.
System State Management: Terraform uses a state file to track the state of provisioned infrastructure resources. By default, the state file is stored on the local file system of the system where Terraform is executed. Persisting state files with your source code is a bad idea as these could contain secrets or other sensitive information.
Dependency Management: Terraform uses plugins called “providers” to interact with remote APIs for the resources defined in your code. These are downloaded to the system where Terraform is executed when performing the “terraform init” command. As providers manage powerful operations in your infrastructure, it is important to download these from trusted sources and confirm that they have not been tampered with prior to using them.
Drift Management: In any complex enterprise environment, manual changes can occur in runtime through “break the glass” mechanisms or other means. These changes cause a deviation, referred to as “drift,” between your runtime environment and what has been defined in your Terraform code. If not corrected in the source code, build teams will continue to use the old version and/or systems will no longer meet security requirements. 

For more on Terraform security key considerations read the whitepaper “DevOps Guide to Terraform Security”. 

Preventing Terraform vulnerabilities with Tenable.cs

Tenable.cs is a developer-friendly, Cloud-Native Application Security Platform (CNASP) that enables your organization to secure cloud resources, container images and cloud assets, providing end-to-end security from code to cloud to workload. To enforce best practices, you can evaluate your code using a static code analysis tool such as Terrascan. Terrascan is an open source project that was created by Tenable and is the underpinning scanning engine for Tenable.cs. Terrascan includes hundreds of policies across multiple providers written in the Rego language, and assesses for misconfigurations using the Open Policy Agent (OPA) engine. These policies can be extended to include any standards specific to your environment. To enforce these as part of your workflow, you can include a job as part of your CI/CD pipeline that uses Terrascan to scan any changes to your HCL files for security issues. If any issues are detected, the job will fail with an error message indicating that a security issue has been found that needs to be addressed. 

Tenable.cs enables cloud operations and security teams to assess Terraform templates for policy violations. You can integrate cloud infrastructure security into the DevOps pipeline to prevent security issues from reaching production. You can also quickly remediate IaC misconfigurations directly in development tools to enforce policies in both build-time and runtime.
 

Failing Tenable.cs Policy for a Terraform template (Storage encryption not enabled on RDS instance)

Tenable.cs recommended remediation action to resolve failing policy. (Enable storage encryption in Terraform Template)

New! Enhanced automated remediation support with HashiCorp Terraform Cloud Run Tasks

Now Tenable is boosting its capabilities for securing Terraform with support for HashiCorp’s new Terraform Cloud Run Tasks. Terraform Cloud provides a hosted solution to build and deploy Terraform Templates. Using the new Terraform Cloud Run Tasks, you can leverage Tenable.cs to scan your Terraform Templates during the Terraform cloud deploy step. The integration allows Terraform Cloud customers to detect any security issues within their IaC using Tenable.cs as part of the planning phase of the Terraform execution. By adding this support for Terraform Cloud Run Tasks in Tenable.cs, we’re helping developers detect and fix compliance and security risks in their IaC so they can mitigate issues before cloud infrastructure is provisioned. 

Additionally, knowing the exact remediation steps can be time intensive and challenging. That’s why remediation recommendations are provided as part of the integration, in the form of a pull request to the source code repository associated with the Terraform workspace, to help with fixing issues found in Terraform templates before they are provisioned. Customers can leverage over 1,500 policies in the Tenable.cs commercial offering to perform deep scans in Terraform Cloud. Users interested in viewing the setup guide on how to connect Tenable.cs with Terraform Cloud Workspace can find detailed documentation here.

To learn more about Tenable.cs view the data sheet or access the on-demand webinar “Introducing Tenable.cs: Secure Every Step From Code to Cloud”.

Read More

Office of Inspector General slams department’s security program four years running

Read More

GitHub has announced its largest-ever push toward two-factor authentication (2FA). The world’s leading development platform said it will require all code-contributing users to enroll in 2FA by the end of 2023 to enhance the security of developer accounts and bolster security within the software supply chain. Given the number of developers and enterprises on the platform, GitHub’s move is significant with the risks surrounding software supply chains continuing to threaten and expose organizations more than a year after the infamous SolarWinds Sunburst attack.

To read this article in full, please click here

Read More