In 2018, 93% of breaches began through a phishing or pretexting campaign (Verizon DBIR 2018). All it takes is one user falling for a campaign to potentially put your company at risk. This is why it’s extremely important to make sure the fundamental technical controls are in place, so that you can work on educating your users knowing that the appropriate controls are in place.
Three key controls have been created to help combat phishing and spam — while there may be similarities in a few of these, there are enough differences it is important to implement all three — SPF, DMARC, and DKIM.Medium - Vulnerability Chains: Learning from Pedro Riberio’s IBM Data Risk Manager Zero-Day Disclosure -
Quite often, during security audits, a low severity vulnerability are overlooked, as its impact is not immediately perceived as dangerous. What is missed in this type of scenario is what happens when vulnerabilities of varying severity are combined and could lead to a step by step escalating type of exploit. This process of identifying individual vulnerabilities and links between them is often called chaining vulnerabilities
Researchers have proposed a variety of graph-based algorithms to generate attack trees (or graphs). Either structure represents all possible sequences of exploits, where any given exploit can take advantage of the penetration achieved by prior exploits in its chain, and the final exploit in the chain achieves the attacker’s goal.
...
The big aha that I hope the industry will takeaway from this incident is that sophisticated attackers think in terms of chaining their exploit steps together. In network security, we might call this peeling the onion. Like network security, in AppSec we need to start thinking about vulnerabilities as nodes. It’s not just what data the node contains, but what it also what it has access to. This is how we need to evaluate vulnerabilities. It’s not just the severity of vulnerability but how can it be used to launch the next step in the exploit chain.Cyberscoop - Internal EU report on coronavirus disinformation was harsher on China than public release -
The internal assessment from the European External Action Service (EEAS), the EU’s diplomatic service, was more direct in describing Chinese efforts to manipulate public perceptions of the pandemic. The document, which also covers Russian and Iranian disinformation efforts, singled out “official Chinese sources” for making a “continued and coordinated push” to deflect blame for the virus’s spread. It pointed to reports that China was running “a global disinformation campaign” to both shield itself from criticism and “improve its international image.”
But the public report that the EEAS posted online Friday was less direct in its criticism of Beijing, and said that “other actors,” in addition to China, were deflecting blame.SF Examiner - SF vs. Uber Eats: Service stops food delivery to Treasure Island citing fee cap -
Uber Eats has ended all food deliveries to Treasure Island, citing Mayor London Breed’s cap on delivery fees.
But one city leader has already called the move discriminatory against a community mostly populated by low-income people of color.
...
Supervisor Matt Haney is calling Uber’s explanation out as nonsense. Haney, who represents Treasure Island, among other neighborhoods on the San Francisco Board of Supervisors, said Uber is engaging in discrimination.Fifth Domain - Watchdog finds White House and DHS lack adequate plans for cybersecurity workforce -
According to an April 23 report from the Government Accountability Office, the Department of Homeland Security and White House’s Office of Management and Budget haven’t decided which agency is in charge of several tasks relating to a reform effort of the federal cybersecurity workforce.
DHS and OMB are working on several efforts to bolster the federal cybersecurity workforce, an area where there’s a shortage of qualified candidates. Reform efforts from the White House focus on standardizing cybersecurity training for employees, increasing the mobility of cybersecurity positions, planning a cybersecurity reservist program in case of emergency, and rationalizing the size and scope of cybersecurity education efforts, among other reforms.
...
“Our prior work has shown that establishing a strong and stable team that will be responsible for the transformation’s day-to-day management is important to ensuring that it receives the resources and attention needed to be successful,” the GAO wrote. “A dedicated leadership team responsible for overseeing and implementing the reform can also help ensure that various change initiatives are sequenced and implemented in a coherent and integrated way.”
NCC Group - The Extended AWS Security Ramp-Up Guide -
On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is “to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow your career.” The Ramp-Up is an excellent document, that describes a logical progression in first-party training resources, from the official Overview of Amazon Web Services through the AWS Certified Specialty – Security exam, and beyond.
Even vendors who run their own cloud will typically augment their private clouds with one of the above vendors. The increased demand from COVID-19 has created a “make or break” time for the public clouds themselves as they are now being tested like never before.
...
COVID-19 is a moment of reckoning for the public cloud providers. Time to put up or shut up. The extra loads will show any weakness anywhere and while no cloud provider is perfect, AWS seems to have the early lead, followed by GCP and Azure bringing up the rear. Let’s see if it stays that way.CNBC - Amazon’s top watchdog in Congress says its witness ‘may have lied’ -
Amazon’s witness at a hearing last year “may have lied to Congress” about how the company uses data from its third-party sellers to come up with its private-label products, House Antitrust Subcommittee Chairman David Cicilline said Thursday.
...
At best, Amazon’s witness appears to have misrepresented key aspects of Amazon’s business practices while omitting important details in response to pointed questioning,” Cicilline said in a statement on the report. “At worst, the witness Amazon sent to speak on its behalf may have lied to Congress.”
Cicilline is leading an investigation into Amazon and its tech peers that will culminate in a report about the health of competition in digital markets.Endgadget - US blames China for hacks allegedly targeting COVID-19 research -
It probably won’t surprise you to hear that state-backed hacking is still going on during the COVID-19 pandemic, but the US is reportedly convinced that one country is mounting a large campaign. Officials speaking to CNN claim they’ve seen a surge of cyberattacks against American government agencies and pharmaceutical firms, and they’re pinning the campaign on China. The country is believed to be trying to steal COVID-19 research to aid development of treatments or vaccines.
No comments:
Post a Comment