British Airways Fined £183 Million Under GDPR Over 2018 Data Breach

Britain’s Information Commissioner’s Office (ICO) today hit British Airways with a record fine of £183 million for failing to protect the personal information of around half a million of its customers during last year’s security breach.

British Airways, which describes itself as “The World’s Favourite Airline,” disclosed a breach last year that exposed the personal details and payment-card numbers of up to 380,000 customers; the compromise lasted for more than two weeks.

At the time, the company confirmed that customers who booked flights on its official website (ba.com) and British Airways mobile app between August 21 and September 5 had had their details stolen by attackers.

The cyberattack was later attributed to the infamous Magecart threat actor, one of the most notorious groups specialising in stealing card details from poorly secured websites, especially online e-commerce platforms.

Magecart groups are known for digital card skimmers: they quietly insert a few lines of malicious JavaScript into the checkout page of a compromised website (either a modified first-party script or a script pulled from an attacker-controlled host), capture the payment details customers type into the form, and send them to a remote server.
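The practical check that follows from this is to know exactly which scripts a checkout page loads and to pin the ones you can. The script below is an added example, not code from the article or from any of the companies named: it parses a page, lists every `<script>`, flags sources outside an allow-list and external scripts that carry no Subresource Integrity (SRI) hash, and computes the SRI value you would pin for a script you control. The sample page, the hostnames and the allow-list are constructed for the example.

```python
"""Audit the <script> tags on a checkout page for Magecart-style injections.

Added example, not from the original article. A skimmer is normally either a
modified first-party script or a script fetched from an attacker host, so the
audit lists every script source, flags hosts outside an allow-list, flags
external scripts without an SRI integrity attribute, and computes the SRI value
to pin for a script body you control. Hostnames and the sample page below are
constructed for the example.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect src, integrity and inline body for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None  # attributes of the <script> currently being parsed

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._open = {"src": None, "integrity": None, "body": ""}
            for name, value in attrs:
                if name in ("src", "integrity"):
                    self._open[name] = value

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def sri_hash(script_body: bytes, algo: str = "sha384") -> str:
    """Return the value to put in integrity="...", e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def audit_scripts(html: str, allowed_hosts: set) -> list:
    """Return (location, finding) pairs for every script that deserves a look."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src is None:
            findings.append(("inline", "inline script: review it or move it to a pinned file"))
            continue
        host = urlparse(src).hostname  # None for a relative (first-party) path
        if host is not None and host not in allowed_hosts:
            findings.append((src, f"script loaded from unlisted host {host}"))
        if script["integrity"] is None:
            findings.append((src, "script without an SRI integrity attribute"))
    return findings


# Constructed checkout page: one allow-listed CDN script with SRI, one first-party
# script, one script from a look-alike host with no SRI (the skimmer pattern),
# and one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://cdn.example.com/modernizr.js"
        integrity="sha384-AAAA"></script>
<script src="/static/checkout.js"></script>
<script src="https://examp1e-cdn.net/m.js"></script>
<script>window.__cfg = {"currency": "GBP"};</script>
</body></html>
"""
ALLOWED_HOSTS = {"cdn.example.com"}

if __name__ == "__main__":
    for location, finding in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS):
        print(f"{location}: {finding}")
    print("pin:", sri_hash(b"console.log('checkout');"))
```

Run it against the HTML your server actually returns for the checkout page (and repeat from the production edge, not a staging copy); a script source you cannot explain, or a first-party file whose SRI no longer matches, is the signal this kind of breach gives before card data leaves the browser.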

Besides British Airways, Magecart groups have also been responsible for card breaches on sites belonging to high-profile companies such as Ticketmaster and Newegg, as well as on the sites of many smaller online merchants.

In a statement released today, the ICO said its extensive investigation found that a variety of information relating to British Airways’ customers was compromised by “poor security arrangements” at the company, including names and addresses, log-ins, payment card data, and travel booking details.

“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience,” Information Commissioner Elizabeth Denham said.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

However, the ICO also said that British Airways has cooperated with its investigation and has improved its security arrangements since last year’s breach came to light.

Since the breach happened after the EU’s General Data Protection Regulation (GDPR) took effect in May 2018, the ICO was able to impose a fine of £183.39 million on British Airways. That is equivalent to 1.5% of the company’s worldwide turnover for its 2017 financial year, still below the possible maximum of 4%.

In response to the ICO announcement, British Airways, owned by IAG, said it was “surprised and disappointed” by the penalty.

“British Airways responded quickly to a criminal act to steal customers’ data,” said British Airways chairman and chief executive Alex Cruz.

“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”

The company has 28 days to appeal the penalty.

Until now, the largest penalty issued by the UK’s data protection watchdog was £500,000, imposed on Facebook last year for allowing the political consultancy Cambridge Analytica to improperly gather and misuse the data of 87 million users.

The same £500,000 penalty was imposed on credit reporting agency Equifax last year for its massive 2017 data breach, which exposed the personal and financial information of roughly 147 million people.

Since both the Facebook and Equifax incidents occurred before GDPR took effect, £500,000 was the maximum penalty the ICO could impose under the UK’s old Data Protection Act.

Read the Full Article here: >The Hacker News [ THN ]

OWASP ZAP’s new version of its ZAP Project now includes a Heads Up Display

OWASP ZAP (the Open Web Application Security Project’s Zed Attack Proxy) has released a new version of the ZAP tool that includes a Heads Up Display (HUD), bringing security information and functionality directly into the browser.

Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.

ZAP is a free, easy to use integrated penetration testing tool. With the addition of the Heads Up Display, ZAP can be used by security professionals and developers of all skill levels to quickly and more easily find security vulnerabilities in their applications.

Given the unique and integrated design of the Heads Up Display, developers and functional testers who might be new to security testing will find ZAP an indispensable tool to build secure software.

In addition to being one of the most popular free and open-source security tools available, ZAP is also one of the most active, with hundreds of volunteers around the globe continually improving and enhancing its features.

ZAP provides automated scanners as well as a set of tools that allows new users and security professionals to manually identify security vulnerabilities. ZAP has also been translated into over 25 languages including French, Italian, Dutch, Turkish and Chinese.

Simon Bennetts, OWASP ZAP Project Leader, commented: “This is a really important release for the project team and developers who want to build great and secure applications. The HUD is a completely new interface for ZAP, and one that is unique in the industry. It shows that open source projects continue to create high-quality, new and exciting tools that deliver real value to the market – and at no cost to users.”

“ZAP is the Foundation’s most popular software tool,” said Mike McCamon, interim executive director of the OWASP Foundation. McCamon continued, “For nearly two decades OWASP continues to be a great destination for innovators to host, develop, and release software that will secure the web. Simon and the entire ZAP community deserve great recognition for their continued devotion to open source excellence.”

Read the Full Article here: >Help Net Security – News

D-Link Agrees to 10 Years of Security Audits to Settle FTC Charges

Taiwanese networking equipment manufacturer D-Link has agreed to implement a “comprehensive software security program” in order to settle a Federal Trade Commission (FTC) lawsuit alleging that the company didn’t take adequate steps to protect its consumers from hackers.

Your wireless router is the first line of defense against potential threats on the Internet.

Sadly, however, many widely used routers fail to offer basic security features and have repeatedly been found to contain serious flaws, allowing remote attackers to gain unauthorised access to the network and compromise the other devices connected to it.

In recent years, the security of wireless networks has become a hot topic because of cyber attacks and because of the critical vulnerabilities—authentication bypass, remote code execution, hard-coded login credentials, and information disclosure—discovered in routers from a range of brands.

In 2017, the US Federal Trade Commission (FTC) filed a lawsuit against D-Link, one of the more popular router manufacturers, over the poor security of its wireless routers, IP cameras, and other Internet-connected devices.

According to the FTC complaint, D-Link allegedly misrepresented the security of its products to its customers, didn’t adequately test its products for well-known and easy-to-fix security flaws, and also failed to secure devices when security vulnerabilities were reported by independent security researchers.

“Defendants D-Link repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well known and easily preventable software security flaws,” the FTC complaint says. “In truth and in fact, Defendants did not take reasonable steps to secure their products from unauthorized access.”

In 2015, D-Link also accidentally published its private code-signing keys on the Internet, which could have allowed attackers to sign their malware with a trusted key and evade detection.

On Tuesday, the FTC published [PDF] an “amicable” settlement which requires D-Link to carry out proper security planning, threat modeling, vulnerability testing, and remediation before its routers and IP cameras hit the market.

The deal also makes it mandatory for the company to monitor its products for security flaws, automatically update firmware, and set up a system to accept vulnerability reports from security researchers.

D-Link has also agreed to have its software security program audited every other year for the next 10 years by an independent third-party assessor approved by the FTC.

In a press release, D-Link claims the FTC has not found the company liable for any of the alleged violations; nonetheless, as described above, it has reached an amicable resolution with the FTC that binds it to the security program.

The FTC settled similar charges with ASUS over the security of its routers in 2016, when that company agreed to undergo independent security audits every two years for the next 20 years.

Read the Full Article here: >The Hacker News [ THN ]

China’s Border Guards Secretly Installing Spyware App on Tourists’ Phones

Chinese authorities are secretly installing surveillance apps on the smartphones of foreigners entering the Xinjiang region from neighbouring Kyrgyzstan at border crossings, an international investigation has revealed.

Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people.

The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets.

According to a joint investigation by the New York Times, the Guardian, Süddeutsche Zeitung and others, the surveillance app is designed to extract emails, texts, calendar entries, call records and contacts immediately, and to upload them, without encryption, to a local server set up at the checkpoint itself.

This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, in the majority of cases, the report says the surveillance app is uninstalled before the phone is returned to its owner.

The spyware, called Feng Cai (蜂采) or BXAQ, also scans the Android device it is installed on for more than 73,000 pre-defined files related to Islamic extremist groups, including ISIS recruitment fliers, bomb-making instructions, and images of executions.

Besides this, it also looks for segments from the Quran, portions of an Arabic dictionary and information on the Dalai Lama, and for some bizarre reason, the list also includes a song from a Japanese grindcore band called Unholy Grace.

The app can directly be installed on Android phones, but for tourists, journalists, and other foreigners, using Apple devices, the border guards reportedly connect their phones to a hardware-based device that is believed to install similar spyware.

According to researchers at the German cybersecurity firm Cure53, who analysed [PDF] a sample of the surveillance app, names that appear in the Feng Cai source code suggest the app was developed by a unit of FiberHome, a Chinese telecom manufacturer that is partly owned by the government.

“The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall,” the researchers said.

However, it remains unclear how long the collected information on travelers is stored on the Chinese server, or how the government uses it.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a China researcher at Human Rights Watch, told the NY Times. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”

This is not the first time Chinese authorities have been caught using spyware to keep tabs on people in Xinjiang, where intensive surveillance is routine. It is, however, the first time tourists are believed to have been the primary target.

In 2017, Chinese authorities also forced Xinjiang residents to install a similar spyware app, called Jingwang, on their mobile devices, ostensibly to prevent them from accessing terrorist content.

Read the Full Article here: >The Hacker News [ THN ]

The art and science of password hashing

The recent Flipboard breach again shines a spotlight on password security and the need for organisations to be more vigilant. Password storage is a critical area where companies must take steps to ensure they don’t leave themselves and their customers’ data vulnerable.

Storing passwords in plaintext is recognised as a major security blunder. Despite this, many companies, including Facebook and Google, have committed this faux pas. When attackers gain access to a plaintext password database they have access to every account in that system and, because people reuse passwords, the breach can cascade into other organisations’ systems as well.

Why password hashing is essential

Password hashing, where companies run each password through a one-way mathematical function rather than storing it, has long been touted as the answer to this problem. A hash is a one-way cryptographic transformation of the password into another fixed-length string, called the hashed password.

When a user chooses a new password, the password is passed through a chosen hash algorithm that performs a mathematical transformation on it, creating a hash value. This hash value is typically represented in hexadecimal format.

This hash is the only thing that is stored for the user’s password. Since the hash algorithm only works in one direction, it’s infeasible to back out the original password using just the hash value (there are other ways to deduce the original password from the hash, but more on that in a minute).

The general idea is that storing hashes rather than plaintext passwords significantly reduces the chance that an attacker can recover all of the passwords in the system, even after gaining access to the database.

Later when the user logs in and we must verify that the user entered the correct password, the same process is performed again: the entered password is hashed using the same algorithm and the hash is compared to the stored one. If they match, the user is allowed access.

It is critical to understand the different approaches to password hashing, as not all hashing algorithms are created equal.

Hashing 101

Hashing algorithms take an input of any length and return an output of fixed length. The output looks nothing like the original password. While it may seem as if the algorithm is producing a random number, it is a deterministic process: the same input always yields the same output. Attackers cannot directly turn a hash back into the password, but they can recover it by hashing candidate passwords until one produces a matching hash. This is referred to as a brute-force attack, and its speed is bounded only by how fast the hash function runs on the attacker’s hardware.

Because the process is deterministic, an attacker does not even have to compute the hashes at attack time: the hashes of common passwords such as “Password1” or “qwerty” can be computed once and stored in a lookup or rainbow table. Without any additional protection, every user who chose “qwerty” has the same stored hash, so one table entry cracks all of them at once. This is where salting comes in.

To protect passwords further, a random value called a salt, unique to each user, is combined with the password before hashing and stored alongside the hash. Identical passwords then produce completely different hashes, and a precomputed table is useless because it would have to be rebuilt for every salt.

Hashing algorithms

SHA-256 hash – With cryptographic hashing algorithms, similar inputs produce vastly different outputs; changing a single character of the input to SHA-256 produces an entirely different hash. This makes it infeasible to work backwards from the output to the input, and it is why SHA-256 is a sound general-purpose hash (it is, for example, the hash used by Bitcoin). It is not, on its own, a good password hash: it is designed to be fast, which is exactly what an attacker running a brute-force search wants.

MD5 (Message-Digest Algorithm 5) – MD5 is a cryptographic hash that always produces a 128-bit output (typically written as a 32-digit hexadecimal number) regardless of the length of the input. It was one of the most widely used hashing algorithms but is no longer recommended. MD5 is not collision resistant, meaning it is practical to produce the same hash from two different inputs, which makes it a poor cryptographic hash function.

MD5’s downfall as a password hash was that it is too fast and too popular. Commodity GPUs compute billions of MD5 hashes per second, so brute-force and dictionary attacks are very likely to succeed, and the function’s popularity means ready-made cracking tables exist for it. Today you can often find the input to an unsalted MD5 hash in seconds by searching for it online. Businesses that already use MD5 have taken to salting it, producing a salted MD5 output; that defeats precomputed tables but does nothing about the speed problem, so salted MD5 is still a weak choice.

MD5Crypt – MD5Crypt added salting and iteration on top of MD5 to make it more resistant to brute force attacks. However, in 2012 its author, Poul-Henning Kamp, declared it insecure because of the speed of modern hardware.

SHA-1 – SHA-1 suffers from many of the same problems as MD5: it is very fast, practical collision attacks exist, and it is now considered unsafe. Faster computation means faster brute force attacks, making SHA-1 inherently unsuitable for storing passwords.

BCrypt – Unlike SHA-1 and MD5, bcrypt is intentionally slow, which is a good thing for password security because it limits how many guesses an attacker can test per second. Its cost (work factor) is configurable, so it can be raised as hardware gets faster. A key aspect of a password hash is that it must be one-way: easy to go from input to output, infeasible to find the input from the output. Deliberately slowing the function makes cracking the hashes far more expensive in time and computing power, while a single legitimate login remains cheap.
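The following is an added example, not code from the article, showing the two ends of the spectrum the article describes: an unsalted MD5 that a precomputed table cracks instantly, and a salted, deliberately slow hash with a constant-time verification step. The slow function here is scrypt from Python’s standard library, standing in for bcrypt (which is not in the standard library); the work-factor idea is the same. The stored-record layout `scrypt$n$r$p$salt$hash`, the cost parameters and the sample passwords are this example’s own choices.

```python
"""Password storage: the article's advice in code (added example, not from the article).

Contrasts an unsalted fast hash (MD5, which the article warns against) with a
salted, deliberately slow key-derivation function. scrypt from hashlib stands in
for bcrypt here because bcrypt is not in the standard library; both are tunable
slow hashes. The record format "scrypt$n$r$p$salt$hash" is this example's own.
"""
import base64
import hashlib
import hmac
import os


def md5_unsalted(password: str) -> str:
    """Same password -> same hash, every time, on every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# A tiny precomputed table: hash common passwords once, reuse the table forever.
COMMON_PASSWORDS = ["Password1", "qwerty", "123456"]
PRECOMPUTED = {md5_unsalted(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_md5: str):
    """Recover the password behind an unsalted MD5 if it is in the table, else None."""
    return PRECOMPUTED.get(stored_md5)


# Salted and slow: a fresh random salt per user, cost parameters stored with the hash
# so they can be raised later without invalidating old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # example cost; raise N as hardware allows
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record; `salt` is only overridable for testing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # compare_digest avoids a timing side channel on the comparison itself.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users who both picked "qwerty": identical under MD5, distinct under scrypt.
    print("md5 user A:", md5_unsalted("qwerty"))
    print("md5 user B:", md5_unsalted("qwerty"))
    print("table hit :", lookup_unsalted(md5_unsalted("qwerty")))
    rec_a, rec_b = hash_password("qwerty"), hash_password("qwerty")
    print("scrypt A  :", rec_a)
    print("scrypt B  :", rec_b)
    print("verify    :", verify_password("qwerty", rec_a), verify_password("qwertz", rec_a))
```

Storing the parameters in the record is what lets you migrate: when you raise the cost, old records still verify, and you can re-hash each user’s password at their next successful login. Do the same when moving off MD5: verify against the legacy hash once, then replace it with a scrypt (or bcrypt) record.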

Companies must remain vigilant so that their customer data is not vulnerable. With hashing, there are many different options available; however, it’s vital to recognize that not all hashing algorithms are equal. Some can be cracked with very little time and effort, others require a lot more energy and time to crack.

Hashing is a critical component of password security, but it requires a nuanced approach to protect customer data. Organizations must ensure that their password hashing strategy utilizes robust, modern algorithms that make it almost impossible for hackers to reverse the hashing and read passwords in plain text. By taking a proactive approach companies can reduce the risk of breaches and hackers gaining access to valuable customer data.

Read the Full Article here: >Help Net Security – News

AppTrana — Website Security Solution That Actually Works

Data loss and theft continue to rise, and hardly a day goes by without a significant data breach hitting the headlines.

In January 2019 alone, 1.76 billion records were leaked, and according to IBM’s Data Breach study, the average cost of each lost or stolen record has reached about $148.

Most of these data leaks result from malicious attacks, and exploitation of web application vulnerabilities is one of the most common attack vectors.

An application security breach is a problem facing one and all, and no matter what’s the size of your company, your web applications are prone to cyber attacks.

Hackers breach sites for a variety of reasons—some do it for fame, some to get competitive information, whereas some do it just for financial gains. No matter what the reason is, the cost of a security breach is always higher than the cost of protection, leading to loss of data, substantial financial losses, and most importantly, loss of customers’ trust.

If you are a small or mid-size company beginning to make your mark, such data breaches can be fatal.

What is more worrisome is that both the cost and the extent of breaches are growing year on year, which suggests that existing solutions are ineffective.

When it comes to application security—WAF (Web Application Firewall) is one of the best-known defences.

Most existing solutions fail to protect organisations from such attacks because they take a “one size fits all” approach: a WAF generally ships with standard out-of-the-box rules that know nothing about the specific application in front of it.

Perils of such an approach are:

  • There is very little understanding of the application context and vulnerabilities specific to the application that hackers can exploit are left unprotected. As the saying goes, security is as good as the weakest link.
  • Most scanners are ineffective when it comes to single page JavaScript-based heavy sites. Moreover, gaps in business logic vulnerabilities can only be found through pen-testing. Results imported from such scanners are at first inadequate, and most often, protection posture is not accurately identified by WAF.
  • Out of box rules are good in an ideal scenario. But as in life, applications in the real world are far from ideal, leading to a lot of false positives and false negatives, making the solution ineffective.
  • Proper implementation of WAF requires tuning of standard rules to meet application-specific needs, but unfortunately, this needs a lot of expertise and time, which are not easy to find.

All this leads to poorly implemented website security: the vulnerabilities that matter go undetected, and the WAF is often left in monitor mode for fear of false positives.

AppTrana is Indusface’s revolutionary solution that has been built specifically to address such shortcomings in existing cloud security solutions.

AppTrana provides a fully managed, highly reliable, affordable SaaS solution for securing web applications.

With AppTrana, organizations can get:

  • Protection within minutes with zero downtime during the entire transition,
  • Access to highly scalable, PCI-compliant infrastructure for their web application security that scales seamlessly to terabytes of data with no configuration required on the customer side,
  • Ability to detect vulnerabilities, protect them instantly through virtual patches created by experts and get round the clock visibility to risk posture through integrated AppTrana portal,
  • Get round-the-clock, experts monitored protection for the site against sophisticated DDOS attacks, and
  • Integrated CDN ensures that customers are not forced to choose between speed and security.

Using AppTrana, organizations can concentrate on business without worrying about security, speed, and availability of their website.

The Approach

Indusface approaches the problem of application security differently from traditional vendors.

With AppTrana, organizations can identify the vulnerabilities in the application through its automated and premium (manual penetration testing done by experts) scans. This guarantees that an organization understands the risk posture of their application upfront.

AppTrana’s advanced scanner works with JavaScript-heavy single-page sites and was built from the ground up with WAF integration in mind: it learns from WAF traffic insights and feeds vulnerability status back to the WAF for protection.

AppTrana enables organizations to provide immediate website protection through virtual patching with its WAF module.

For this, AppTrana provides:

  • Advance Rules – Rules written by security experts that come with a zero false-positive guarantee.
  • Premium Rules – Complex rules for enhanced protection, which may generate some false positives depending on a particular application’s design and behaviour. These are applied in log mode, then monitored and tuned until they produce no false positives for the application before being switched to block mode.
  • Custom Rules – Application-specific rules written by security experts on customer request, also with a zero false-positive guarantee.

With this approach, AppTrana ensures that security is tuned to meet specific application needs guaranteeing zero false positives.

Also, AppTrana provides around the clock monitoring and expert support to mitigate sophisticated application DDOS attacks, ensuring the availability of your site.

A typical customer journey is illustrated in a diagram in the original article (not reproduced here); the steps are described below under The Journey.

With the tightly integrated WAF and Scanner modules, AppTrana ensures that there is constant learning, which is shared across both, improving the efficacy of detection and protection.

For example, deep learning in WAF allows AppTrana to provide a context of application to the scanner that ensures better crawling and detection.

Such integration provides AppTrana unfair advantage that allows Indusface to provide superior protection to its customers.

Plans

You can choose any of the below-listed plans to start the AppTrana Journey.

  • Basic Plan – Free for life. Get started by Identifying Risk Posture of your site through AppTrana’s automated scanner.
  • Advance Plan – At $99/month with 14 days free trial. Get started with immediate protection to the vulnerabilities detected.
  • Premium Plan – At $399/month get complete AppTrana Protection. It comes with one premium scan for every 12 months and unlimited custom rules.

Getting Started

If your organization is interested, you can sign up for AppTrana protection at any point at apptrana.com, and entire onboarding can be done with zero downtime.

You will be requested to provide the domain you would like to protect and then would be asked to verify the configuration; you can choose to enable CDN now or can do the same from settings page later.

Next, you will be asked to provide your SSL certificate and private key, which AppTrana needs to decrypt and inspect HTTPS traffic for attacks. Indusface states that the certificate is encrypted, stored securely, and that no one in the company has direct access to customer certificates. As with any reverse-proxy WAF, this means the provider terminates TLS for your domain and holds a key that can impersonate it, which should be weighed as part of the decision.

Alternatively, your organisation can choose a free Let’s Encrypt certificate, in which case AppTrana generates the certificate for the domain itself and you need not hand over an existing one.

Your organization can also choose to buy an Entrust certificate from Indusface.

That’s it, now you will be asked to make CNAME change to have traffic diverted to AppTrana infrastructure and onboarding will be completed, and protection will start immediately.

The Journey

Customers journey starts from the point they make their DNS change. Once the protection starts, a few things happen:

  • The site gets immediate protection with Advance Rules, which are fine-tuned to avoid false positives. DDoS protection is also enabled.
  • A request is sent to Indusface’s Managed service team to monitor traffic.
  • Automated Scan of the site starts that helps AppTrana identify the risk posture of the website. Scan generally takes a few hours to complete depending on the complexity of the site. If the customer wants to do an authenticated scan, then they could provide it from the settings page.
  • Once the scan is complete, customers receive a risk profile mail telling them how many vulnerabilities that matter were found. Customers can view further details by logging in to the portal.
  • This page provides all the vulnerabilities that have been detected and their protection status, based on which customers can take further action like requesting custom rule, where the request goes to Indusface managed service team and would create specific rules for the site.
  • Customers can also request a manual penetration test from the Detect page. Indusface’s security experts then reach out to understand the customer’s needs and carry out a manual audit to find vulnerabilities that automated scanners cannot. It generally takes 3–4 weeks to complete the audit and publish the report. Once the report is published, the vulnerabilities found appear on the Detect page, and the customer can request custom rules as needed.
  • Meanwhile, the company’s managed service team will monitor the traffic for 14 days and move the site to Premium rules after making necessary adjustments.

Once the site has been moved to the Premium rules, manual penetration testing has been done, and all identified vulnerabilities are protected, the onboarding journey is complete.

As you can see, the entire journey is managed by the Indusface team, and very little is expected of customers beyond requesting particular actions based on their needs.

Continuous Monitoring

Now, the site moves to a continuous monitoring state. Rules are fine-tuned by Indusface’s Managed Service team continuously based on need. Additional rules are added continuously by Indusface team without any action required from the customers.

Customers are encouraged to start automated scans at least once a month to be up to date on their Risk profile.

Even if the site has not changed, new signatures are added to the scanner continuously, so there is a reasonable chance that new vulnerabilities will be found. Customers can monitor the effectiveness of rules from the Protect page.

Being a fully managed solution, the Indusface team is on standby 24x7 to help customers thwart sophisticated Layer 7 DDoS attacks as the need arises.

Conclusion

If you are an SME or MSE and are looking for an application security solution that works, then you need not look further.

With tightly integrated scanner, WAF, and CDN modules, AppTrana is one of the more effective solutions in the industry for comprehensive protection.

The features explained here are just the tip of the iceberg. We would strongly urge you to sign up for a free trial and explore AppTrana’s capabilities firsthand.

Start with the AppTrana free trial now, and for additional information, check out the whitepaper section.

Read the Full Article here: >The Hacker News [ THN ]

Google Releases Basic Homomorphic Encryption Tool

Google has released an open-source cryptographic tool: Private Join and Compute. From a Wired article:

Private Join and Compute uses a 1970s methodology known as "commutative encryption" to allow data in the data sets to be encrypted with multiple keys, without it mattering which order the keys are used in. This is helpful for multiparty computation, where you need to apply and later peel away multiple layers of encryption without affecting the computations performed on the encrypted data. Crucially, Private Join and Compute also uses methods first developed in the ’90s that enable a system to combine two encrypted data sets, determine what they have in common, and then perform mathematical computations directly on this encrypted, unreadable data through a technique called homomorphic encryption.

True homomorphic encryption isn’t possible, and my guess is that it will never be feasible for most applications. But limited application tricks like this have been around for decades, and sometimes they’re useful.
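To make the “commutative encryption” step concrete, here is an added example, not Google’s code: the same Diffie-Hellman-style flow in which each party raises a hashed identifier to a secret exponent modulo a prime. Because (h^a)^b equals (h^b)^a, each side can double-encrypt the other’s values and the matching ones line up without either party learning the other’s exponent or raw identifiers. The modulus (the Mersenne prime 2^127 - 1), the hash-to-group mapping, the sample e-mail addresses and the `Party` class are this example’s own choices; the prime is deliberately small and not a safe choice for real use, and the real system works in an elliptic-curve group and then sums Paillier-encrypted values over the matches rather than revealing which items matched.

```python
"""Commutative encryption and private set intersection (added example, not Google's code).

Each party blinds an item as H(item)^key mod P. Exponentiation commutes, so
(H^ka)^kb == (H^kb)^ka, and the doubly-blinded values can be compared directly.
P here is the Mersenne prime 2^127 - 1, chosen for readability, NOT for security;
a deployment would use a proper prime-order group or an elliptic curve.
"""
import hashlib
import secrets

P = (1 << 127) - 1  # toy modulus (this example's choice)


def hash_to_group(item: str) -> int:
    """Map an identifier to a non-trivial element; this mapping is the example's own."""
    h = int.from_bytes(hashlib.sha256(item.encode("utf-8")).digest(), "big") % P
    return h if h > 1 else 2


def new_key() -> int:
    """Secret exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def encrypt(value: int, key: int) -> int:
    """One layer of commutative 'encryption': modular exponentiation."""
    return pow(value, key, P)


class Party:
    def __init__(self, items):
        self.items = list(items)
        self.key = new_key()

    def blind_own(self):
        """Step 1: H(item)^key for each own item (a real system also shuffles)."""
        return [encrypt(hash_to_group(x), self.key) for x in self.items]

    def blind_peer(self, blinded):
        """Step 2: apply our key on top of the peer's already-blinded values."""
        return [encrypt(v, self.key) for v in blinded]


def private_set_intersection(alice: Party, bob: Party):
    """Return Alice's items that Bob also holds; raw items never cross the wire."""
    a_once = alice.blind_own()            # Alice -> Bob   : H(a)^ka
    a_twice = bob.blind_peer(a_once)      # Bob -> Alice   : H(a)^(ka*kb)
    b_once = bob.blind_own()              # Bob -> Alice   : H(b)^kb
    b_twice = alice.blind_peer(b_once)    # Alice computes : H(b)^(kb*ka)
    common = set(b_twice)
    return sorted(item for item, v in zip(alice.items, a_twice) if v in common)


if __name__ == "__main__":
    # Constructed sample sets: two overlapping customer lists.
    alice = Party(["u1@example.com", "u2@example.com", "u3@example.com"])
    bob = Party(["u2@example.com", "u3@example.com", "u9@example.com"])
    h = hash_to_group("demo")
    print("commutes:", encrypt(encrypt(h, alice.key), bob.key) == encrypt(encrypt(h, bob.key), alice.key))
    print("intersection:", private_set_intersection(alice, bob))
```

The ordering of `a_twice` is what lets Alice map matches back to her own items; in Private Join and Compute that mapping is deliberately destroyed by shuffling, so the output is only an aggregate over the intersection rather than the intersection itself.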

Boing Boing article.

Read the Full Article here: >Schneier on Security: Cybercrime Paper

Offensive Security launches OffSec Flex, a new cybersecurity training program for enterprises

Offensive Security, the leading provider of hands-on cybersecurity training and certification, announced OffSec Flex, a new program for enterprises designed to simplify the cybersecurity training process and allow organizations to invest more in cybersecurity skills development.

Organizations can now use OffSec Flex to purchase blocks of Offensive Security’s industry-leading practical, hands-on training, certification and virtual lab offerings, allowing them to proactively increase and enhance the level of cybersecurity talent available within their organizations.

With Offensive Security’s hands-on courses, labs and exams readily available, organizations are able to offer educational opportunities to new hires and non-security team members alike, improving their security posture and equipping their employees with the adversarial mindset necessary to protect modern enterprises from today’s threats.

“Cybersecurity training is not just for security professionals anymore,” said Kerry Ancheta, VP of Worldwide Sales, Offensive Security.

“Increasingly we see organizations recommend pentest training courses for their software development or application security teams in order to improve their understanding of how their systems and applications are attacked.

“With the OffSec Flex program, it will now be easier for organizations to access more training options, offering cyber skills growth opportunities to more employees to better defend IT systems from sophisticated attackers outside of their companies.”

Cybersecurity spending reached new heights in 2019. Gartner estimates that it will reach $124 billion by the end of the year [1]. Yet, while organizations are increasingly willing to spend on cybersecurity solutions, security incidents continue at an alarming rate.

Over 1.9 billion records were exposed during the first quarter of 2019, an increase of almost 30 percent [2]. Despite increasing their cyber spend, most organizations are unable to close the cybersecurity skills gap due to a lack of available training options.

With the launch of OffSec Flex, Offensive Security simplifies the allocation and use of training budgets, making it significantly easier for organizations to invest in cybersecurity skills.

Once an organization sets its training budget, it can pre-purchase a block of Offensive Security training from across its range of offerings. It is then able to utilize that training time as needed throughout the year while extending its budget through Flex Bonus Funds, contributed by Offensive Security.

Offensive Security provides some of the industry’s most sought-after training courses and certifications, including the Penetration Testing with Kali Linux (PWK) course and the Offensive Security Certified Professional (OSCP) certification, along with the Advanced Web Attacks and Exploitation (AWAE) course and the Offensive Security Web Expert (OSWE) certification.

The company’s rigorous training programs force students to develop adversarial mindsets and persistent work habits, demanding that they think like attackers and try harder to earn the industry’s most sought-after certifications.

Read the Full Article here: >Help Net Security – News

How to Audit Microsoft Exchange 2013 and 2016 with CIS and DISA Guidance

Tenable Research Release Highlights are posted for significant new releases or updates to existing plugins or audit files that are important for early customer notification. Here, we discuss new audit guidance for Microsoft Exchange.

Tenable Research Release Highlights

Microsoft Exchange remains one of the most widely adopted email and calendar solutions. Establishing a secure baseline configuration for Exchange, based on industry leading guidance, is essential but the complexity in deployments can present a challenge. The Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) have issued guidance on hardening and auditing these deployments. Tenable released plugin enhancements and audits to help customers implement this guidance on July 1. 

CIS Benchmarks for Microsoft Exchange

DISA STIGs for Microsoft Exchange

Usage Overview

Tenable customers can audit an MS Exchange server with all of the same check types as in our Windows Compliance Plugin, as well as with a new check type, AUDIT_EXCHANGE. This new check type leverages the Exchange-specific cmdlets suggested for use in the audit steps of DISA and CIS recommendations.

The following is an example check using AUDIT_EXCHANGE:

[Figure: Adding CIS Benchmark and DISA STIG - Audits for MS Exchange 2013 and 2016]

The powershell_args tag contains the core of the audit functionality, with the plugin itself connecting to the server and exposing the Exchange-specific cmdlets. As a result, the EMS/Exchange cmdlet import is seamless to the user, who can instead focus on writing good PowerShell.

How to get started

A byproduct of the session setup and cmdlet import is that we need to work with PowerShell credential objects. To avoid unintended disclosure of credential information via PowerShell logs, the Exchange Auditing scan setup requires users to supply a pregenerated encrypted password string for each target of the audit.

Password/Secure String Generation

To generate an encrypted password for use with our Exchange audits, run the following PowerShell while logged in on the target with the account that will be used for scanning:

Read-Host -AsSecureString | ConvertFrom-SecureString

While logged into the account you’ll be using to scan, type in the password for the account. The output will look like this:

01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ad58de852cc4646b0d9dfa96c67f2100000000002000000000003660000c000000010000000d8b09ba7e13918c19d776cc7dfcac82a0000000004800000a0000000100000003654a47ae8a4da017657d57f0706989e180000004acd2fe7990e1243ed84c380e5d0e8a95a01f12f5662574714000000e5b4783976f1ad76065cf6f91a3b1bebbcf4b169

Reminder: An encrypted password is required for each target being scanned. 

After creating the string from the instructions, make sure to select the audit under the Windows category and populate the secure string variable (separating multiple targets with commas). The plugin will determine which string to use on which target. Add your usual credential information on the credential tab and save the policy.

Once the configuration is saved, run the scan and review the results. 

Example Scan output

Below is a closer view of one of the results. This page shows:

  • Pass/fail status
  • Remediation steps, if necessary
  • Individual results from the systems scanned

Summary

Auditing an Exchange environment with Tenable.io and Nessus requires a little extra setup but provides a secure and automated method for evaluating your organization’s compliance. Exposing Exchange-specific cmdlets allows for much more accurate auditing of the environment, with a direct correlation to industry guidance. At Tenable, we regularly update our policy compliance audits to match the newest CIS and DISA versions so that our customers are able to keep pace with the latest best practices.

Follow Tenable Research Release Highlights on the Tenable Community.

Read the Full Article here: >Tenable Network Security

What is and what is not working for security operations teams in securing cloud data

Security professionals continue to face a number of major challenges as more organizations move legacy IT operations to cloud infrastructure and applications, and traditional security tools often fall short, according to Delta Risk.

The research, produced by Cybersecurity Insiders, clearly shows that organizations must assess their cloud security posture and strategies on a regular basis and have a well-developed incident response plan that includes cloud applications and infrastructure.

Among the findings:

  • The top cloud security concern is data loss and leakage (64 percent).
  • Unauthorized access through misuse of employee credentials and improper access controls (42 percent) takes the number one spot in this year’s survey as the single biggest perceived vulnerability to cloud security, tied with insecure interfaces and APIs (42 percent). This is followed by cloud misconfigurations (40 percent).
  • Most respondents (54 percent) say cloud environments are at higher risk of security breaches than traditional on-premises environments – a 5 percent increase from last year.

“The 2019 Cloud Security Report highlights the fact that IT and security professionals have to take the lead in securing their cloud data, systems, and services under the shared responsibility model,” said Holger Schulze, CEO and Founder of Cybersecurity Insiders.

“The 2019 research supports what we hear from organizations about their challenges with effectively monitoring cloud applications and infrastructure,” said Tempy Wright, Vice President of Marketing at Delta Risk. “High-profile data breaches in the past year have driven increased concerns about the security of cloud environments, and we see this reflected in the survey results.”

Read the Full Article here: >Help Net Security – News