Monthly Archives: May 2017

Minecraft arrives on the Nintendo Switch

It didn’t make the cut as one of the many announcements to emerge from Microsoft’s Build 2017 event this week, but this morning the company unveiled that Minecraft – the game it acquired a few years ago for $2.5 billion – has now made its way to the Nintendo Switch. The new game will include the same features found in console versions, Microsoft says, including the multiplayer mini games, Battle and Tumble.

But it will also take advantage of the Switch’s flexibility, allowing eight players to get together online or play locally if everyone has a Switch; or up to four can play together in a split-screen view on the TV from a single console. Players can also use the device’s kickstand to play in tabletop mode if the TV is unavailable, which will also support up to four players through a split-screen mode. And players can use either Joy-Cons or the Pro Controller, depending on their preferences.

Because the Switch is portable, you can continue to play when you venture out of the home – Microsoft claims the game will run smoothly at 60fps and 720p resolution, no matter if you’re playing on the big screen TV or in the handheld mode.

In this edition of the Minecraft game, Microsoft is also introducing a Super Mario Mash-Up Pack. (The Wii U version has Mario textures and skins, too.)

This includes a Mario-themed world with mushrooms, chomping plants, and the iconic pipes, as well as the Mario music and characters. There are 15 tracks from Super Mario 64 included and 40 characters from Mario games, including Princess Peach, Toad, Yoshi, the Koopalings, Wario, and others.

The Nintendo Switch version of Minecraft adds several extra worlds, too, like Chinese Mythology, Halloween, Festive and Greek Mythology, plus more skin packs including Redstone Specialists, multiple Battle and the Beast skin packs, and two of the Festive packs.

Microsoft says the game is launching today, but will first be available on the Nintendo eShop in North America, before rolling out in Europe and Japan tomorrow. A physical version will arrive in the future.

 

via:  techcrunch

Using WhatsApp as a Private Store for your Documents and Notes

WhatsApp is a perfect messaging app for staying in touch with friends and family. It is super-fast, works on nearly all phones (including desktop computers) and Facebook has no plans to charge WhatsApp users.

You have been using WhatsApp primarily for text messaging and calling but there are a couple of other interesting uses for WhatsApp that will help boost the utility value of this app even further. Other than communicating with the external world, you can also use WhatsApp to:

  1. Capture and save ideas, notes, voice memos, scanned documents and everything else in your own private storage space that is accessible from everywhere.
  2. Quickly transfer web links, documents, screenshots, and other files between your computer and phone without having to sign up for another service.


The idea is simple: you create a new virtual contact inside WhatsApp, and anything you wish to capture privately you simply share with that virtual contact.

It is not possible to send WhatsApp messages to your own number but there’s a simple hack to get around this problem. Create a new WhatsApp group with just a single participant – you. Here’s how:

  1. Open WhatsApp on your phone and create a new group.
  2. Add any contact from your address book to this group. Give your group a name and save.
  3. Now go to the group in WhatsApp, tap the subject to view the list of participants.
  4. Tap and hold the lone participant in this list and remove them from the group.

That’s it. What you now have is a private store in WhatsApp that is visible only to you and accessible from the web (desktop) and your mobile phone.

If you wish to transfer a document from computer to phone, open web.whatsapp.com on the computer, send the file to this group and it will instantly become available on your phone. There’s search built-in so you can easily find messages by keyword later.

 

Thank you Sidin Vadukut (blog, books, twitter) for this useful tip.

 

via:  labnol

New Android malware found every 10 seconds, report says

A report from security company G DATA said that 8,400 new Android malware samples are discovered every day, stemming from the fragmentation issues with the OS.

A new instance of Android malware pops up nearly every 10 seconds, according to a report from security firm G DATA. The information is especially troubling, given that Android commands 81.7% of mobile OS market share worldwide, according to Gartner data.

If new malware every 10 seconds sounds a little too frequent, let’s break the numbers down. G DATA security researchers found over 750,000 new Android malware apps in Q1 2017, which translates to about 8,400 new malware instances every day, the report said. Given that there are 86,400 seconds in a single day, if that number is divided by 8,400 it comes to roughly 10.29 seconds.

According to the G DATA report, some 3.2 million new Android malware files were discovered in 2016. For 2017, G DATA expects that number to hit 3.5 million.

The report claims that Android’s fragmentation is to blame for the growth of the malware, with a paltry 7.1% of Android users running the latest version of the OS, Android 7.0 or 7.1 Nougat. The April 2017 Android developer dashboard from Google shows that 32% of users are running Android 5.0 or 5.1 Lollipop, while 31.2% of users are running Android 6.0 Marshmallow.

The big issue with fragmentation has to do with updates. If a given device is running an older version of Android, it won’t necessarily be protected from emerging threats that are addressed in later versions. Patches and updates often have to go through an OEM partner first, before they are pushed to the phone.

To avoid malware, start with your app store. Don’t download apps from third-party app stores if possible; instead, stick to the Google Play Store. A lot of malware also arrives via phishing, so be careful when opening emails from unfamiliar contacts, especially when they contain a link or attachment.

Removing malware is a little more difficult. Try an antivirus application, or you can reboot your phone into safe mode and try to remove the malware that way.

The 3 big takeaways for TechRepublic readers

  1. A recent report from G DATA said that a new instance of malware is discovered every 20 seconds or so, which will lead to 3.5 million Android malware files this year.
  2. The prevalence of malware is due, in part, to Android fragmentation, as users running older versions of the software are easier to target.
  3. Be careful when downloading applications and opening emails from unknown senders to help avoid malware infection.

via:  techrepublic

What Size Companies Do Hackers Target?

Cybercriminals are after any size company that has access to people’s information.

Over the last few years, we have seen a great deal of news about data stolen from large enterprises and agencies such as Yahoo, LinkedIn, the CIA, and Google. However, these are not the real victims of cyber-attacks. According to the recently released 2016 State of SMB Cybersecurity Report, there have been more than 14 million breaches in small and medium businesses in the US alone. To put this into perspective, that is roughly 50% of all the small and medium-sized companies registered in the United States.

As an owner of a small or medium sized business, you have to wear many hats.

Sometimes you need to tackle a shipping problem, or maybe an accounting error, an HR misunderstanding, or an IT issue. Very often budgets for IT security are overlooked for the sake of something that is considered “more important,” or that will bring a visible ROI. The fact that 50% of all US businesses have had a data breach in the last 12 months confirms that small and medium-sized companies are facing a real problem that will only grow bigger if it is not addressed soon.

Sometimes the reason for not being protected is not a lack of resources or budget but plain ignorance. Business owners overwhelmingly believe that ‘this will not happen to them.’ Every business owner chooses their own path. However, one of the main issues is that by being vulnerable, they expose not only their company secrets but also the data of their customers. Finding an excuse for that one is hard!

The inside guy

More than 50% of the cyber crimes that happen within a company start with a person who is already inside the enterprise. A recent example happened right under our noses in one of the stores of the largest wireless carrier in the US, Verizon Wireless. The stores of big companies operate as small businesses. Some of the store managers were tied to an identity theft ring. Yet another nail in the coffin of the dying mobile carrier. Luckily, the authorities managed to catch them in time, so they could not cause much damage. What is the takeaway? Do not give employees access to more information than they need.

Say NO to the easy passwords

Make sure your employees use strong passwords. We recommend requiring a password change from every employee at least once every three months. It is common practice in big corporations, and it should be the same for small and medium-sized businesses. Stronger passwords are harder to crack, so hackers often get discouraged and move on to another victim.

They do not want to waste their time on many attempts; instead, they can find another business whose systems are easier to crack. So, in short, change your already strong passwords to even stronger ones. Staff can also use a password manager, which lets them avoid reusing the same password everywhere.

Use Cyber Security Software

Last but not least, there are plenty of software companies that provide cyber security solutions for small and medium businesses. Some of them even include cybersecurity insurance in a bundled price. It may sound obvious to most, but you would be surprised by the number of small and medium businesses that have no protection at all.

In this case, having something that does not give you an ROI is as important as something that does bring you profit: antivirus software helps your business grow by keeping it safe and stable. A business without cyber security is similar to a country without a defense budget; one way or another, one day they will regret not investing in their security.

The longer you wait, the bigger the chance of getting hacked, so don’t delay: protect your business and your clients. By doing this you are doing a favor not only to yourself but to the customers who helped you get where you are now.

 

via:   pandasecurity

HP is shipping audio drivers with a built-in keylogger

That fancy new HP EliteBook laptop you just bought? It may be silently recording every keystroke, according to Swiss infosec firm ModZero.

For what it’s worth, it doesn’t look like there’s malice here – just staggering incompetence.

According to ModZero’s blog post, an update to HP’s audio drivers released in 2015 introduced new diagnostic features. One of these is used to detect whether a special key has been pressed or released. Except it seems this was poorly implemented, as the driver ultimately acted like a keylogger, capturing and processing every single keypress.

A later update to the driver was even more troubling, as it introduced behavior that wrote every single keypress to a log file stored locally on the user’s system. This is found at C:\Users\Public\MicTray.log.

Fortunately, this logfile is wiped every time you log out of your system, but as ModZero points out, if you’ve got any kind of incremental backup system in place, you could effectively be creating a permanent record of everything you type, every day.

ModZero recommends that all users of HP computers “… should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.” If so, it recommends the executable be deleted or renamed, in order to prevent it from logging keystrokes, although it notes that if you do this, certain special keys may no longer work.

It also recommends that users delete the MicTray log file, as it may contain sensitive information, like passwords and login credentials.
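The checks ModZero recommends above (is MicTray64.exe or MicTray.exe present, is the log file there, and if so remove it) can be scripted. The following is an added example for this page, not code from ModZero or HP: it reports on the three paths quoted in the article and, only when asked, stops the process, renames the executable (reversible, unlike deletion) and deletes the log. The function name, the .disabled suffix and the process-name wildcard are this example's own choices; it must be run from an elevated PowerShell prompt.

```powershell
# Added example: inspect a Windows host for the HP MicTray keylogger artifacts
# named in the article, and optionally remediate. Not from ModZero or HP.
function Test-MicTrayKeylogger {
    [CmdletBinding()]
    param(
        # Without -Remediate the function only reports; nothing is changed.
        [switch]$Remediate
    )

    # Paths exactly as quoted in the article.
    $executables = @(
        'C:\Windows\System32\MicTray64.exe',
        'C:\Windows\System32\MicTray.exe'
    )
    $logFile = 'C:\Users\Public\MicTray.log'

    $report = [ordered]@{
        ProcessRunning   = $false
        ExecutablesFound = @()
        LogFilePresent   = $false
        LogSizeBytes     = 0
    }

    # Stop the running process first so the executable can be renamed cleanly.
    # The process name is the image name without extension; 'MicTray*' covers both.
    $proc = Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue
    if ($proc) {
        $report.ProcessRunning = $true
        if ($Remediate) { $proc | Stop-Process -Force }
    }

    foreach ($exe in $executables) {
        if (Test-Path -LiteralPath $exe) {
            $report.ExecutablesFound += $exe
            if ($Remediate) {
                # Renaming keeps a copy for HP's eventual fix; ModZero notes that
                # some special keys may stop working once the binary is disabled.
                Rename-Item -LiteralPath $exe -NewName ((Split-Path $exe -Leaf) + '.disabled')
            }
        }
    }

    if (Test-Path -LiteralPath $logFile) {
        $report.LogFilePresent = $true
        $report.LogSizeBytes = (Get-Item -LiteralPath $logFile).Length
        if ($Remediate) {
            # The log may contain typed passwords; delete it rather than inspect it.
            Remove-Item -LiteralPath $logFile -Force
        }
    }

    [pscustomobject]$report
}

# Usage:
#   Test-MicTrayKeylogger              # report only
#   Test-MicTrayKeylogger -Remediate   # stop, rename, delete log
```

Because the article notes that incremental backups can preserve the log indefinitely, the host-side cleanup should be paired with excluding C:\Users\Public\MicTray.log from backup jobs and purging any copies already retained in backup history; how that is done depends on the backup product and is not covered here.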

In the security advisory, the company published a list of computers known to be affected. These are as follows:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

via:  thenextweb

Situational Awareness: Beware of Your Cyber Surroundings

In previous articles on understanding big data, the need for AI, using encryption and tokenization (including the drawbacks of encryption), and the series on human vulnerabilities, we laid down just some of the building blocks necessary to create a robust cybersecurity strategy. Yet there is a larger problem we often experience: losing the trees for the forest. All the tips we have mentioned thus far are great, but only if you are situationally aware of your own challenges.

If you have legal or regulatory compliance obligations, such as the European Union’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), you have no choice but to follow them. However, neither of us is a big fan of standards and certifications, for the simple reason that they rarely meet your specific needs, in addition to being a costly undertaking in both time and money. This is why we are fans of frameworks, such as the NIST Cybersecurity Framework (updated in January 2017), for the exact reason that a framework allows you to meet your own needs.

Humorous (scary?) aside: in our encryption and tokenization article, we mentioned the benefits of HTTPS (which Tripwire uses). Yet the official European Union Law Access Portal (which we link to above for GDPR) does not use HTTPS. C’mon, girls and boys. Time to step up your game, especially since you’re trying to regulate an entire continent and want the world to follow!

Let’s get back to dealing with your own challenges. A necessary requirement for cybersecurity decision-making is something amazingly simple but – in our experience – poorly done: being aware of your surroundings. Without that awareness, during the best of times, you will be literally flying by the seat of your pants at the speed of light and at the worst of times, tripping over falling “logs” hoping not to break your legs.

Let’s get back to basics, and we will do so by asking the following question: what do you pack when you go on vacation? We’re willing to bet a bright shiny penny that you are about to ask: well, it depends… where am I going?

And by asking that simple question, you just took the first step to being situationally aware (with much more on that topic, self-quiz and all, courtesy of US Coast Guard).

Much like you would not pack a winter parka on a summer trip to Florida “just in case” there is some freak cold spell, you really should not be investing heavily in technologies and techniques that you have little likelihood of using. For example, it may look great that you are ABC:12345 certified, but you may have also spent valuable resources on a whole bunch of things you are never going to have any use for, in turn, leaving some of your most critical vulnerabilities unaddressed or underfunded.

Back to the “what to pack” question. There are some things you will almost certainly take on all of your vacations, such as a toothbrush, a piece of ID and local currency. In “cyber-speak,” we could say these “must-have” travel items include encryption, reviewing your privacy/access settings and having backups.

Spoiler alert: chances are you not only use a toothbrush, a piece of ID and local currency on vacation but also in your daily life at home, wherever your home happens to be. So, why aren’t you using encryption, reviewing your privacy/access settings and creating regular backups?

Encryption may be widely used by the generic user when it is implemented for them end-to-end, as in iMessage or WhatsApp, but otherwise only 20% of the US population has encrypted a phone call or e-mail.

Reviewing privacy/access settings should be standard practice for everybody. (C’mon, be honest: you’ve NEVER scrolled down to the bottom of something and clicked “I Accept” in all of your web/computer experiences?). Understandably, most people do not because doing so easily becomes a head-spinning exercise, with privacy policies taking at least 10 minutes to read. But is that really a good enough excuse? Even a step-by-step process on how to make your Facebook profile private is not necessarily an easy or time-efficient task.

And did you know that March 31st is World Backup Day? If you did, that’s impressive. More impressive would be if you actually back up your data! While the results of this 2017 survey are encouraging, namely that 42% of respondents say they back up their data daily and 67% were able to restore virtually all their data after a loss, we still remain skeptical about how widespread data backup is and how well it is practiced.

The survey does note that many backups are unencrypted (oops, forgot my toothbrush!), but a sample size of 1,000 respondents from North America, Europe and Australia with no profiles of the respondents still makes us believe that most people do not make regular backups of their data.

Another red flag for us that came out of this survey is that most backup activity is cloud-based. That is all fine and dandy if you have a plan for when you cannot access your cloud. (Also, would it be untimely to ask if you read your cloud provider’s privacy agreement?)

All these little pieces of information add to your situational awareness, and when applied correctly, they make a world of difference. To prove our point, we have curated just a few small pieces of information with no alteration from the USCG text, but when applied to a cybersecurity environment, they apply just wonderfully:

To ensure a Shared Mental Model of the situation, team members must share their knowledge relative to:

  • The task and team goals.
  • Their individual tasks.
  • Team member roles and responsibilities.

The loss of Situational Awareness usually occurs over a period of time and will leave a trail of clues. Be alert for the following clues that will warn of lost or diminished Situational Awareness:

  • Confusion or gut feeling.
  • No one watching or looking for hazards.
  • Use of improper procedures.
  • Departure from regulations.
  • Failure to meet planned targets.
  • Unresolved discrepancies.
  • Ambiguity.
  • Fixation or preoccupation.

Maintenance of situational awareness occurs through effective communications and a combination of the following actions.

  • Recognize and make others aware when the team deviates from standard procedures.
  • Monitor the performance of other team members.
  • Provide information in advance.
  • Identify potential or existing problems (i.e. equipment-related or operational).
  • Demonstrate awareness of task performance.
  • Communicate a course of action to follow as needed.
  • Demonstrate ongoing awareness of mission status.
  • Continually assess and reassess the situation in relation to the mission goal(s).
  • Clarifying expectations of all team members eliminates doubt.

Chains of human error are normal and should be expected. There are three levels of human error.

  • Slips.
  • Mistakes.
  • Errors.

Did anything seem familiar to you or perhaps ring a bell? Did the first series of points look like something you would look at during a vulnerability assessment? Did the second series look like a bunch of compensating controls? They sure looked like that to us and tie in very nicely with the NIST Cybersecurity Framework. One of the main reasons we are supporters of the framework is because it is adaptable to your situation.

Imagine how well your cybersecurity strategy would work if you are situationally aware. Imagine how well your cybersecurity strategy would work if all the members of your team are situationally aware! Every single point listed above applies to a cybersecurity environment, and we challenge anybody to prove otherwise.

So, for all the solutions out there, make sure you are packing the right material for you because you only have a finite amount of resources. This is what it means to be situationally aware. And this exercise also helps you prioritize what data you value most.

Industry-changing technologies will be developed and will hopefully make widespread adoption of cybersecurity techniques more prevalent. Some will almost certainly change the cybersecurity business forever, such as AI and machine learning. But until these technologies are fully deployed, we still need to make do with what we have at our disposal, like encryption, tokenization, two-factor authentication, and educating yourself and your staff. Also, take advantage of knowledge bases that help prepare you for things that may impact you, like GDPR, and employ quick (and easy) tips that help jump start your efforts on the cheap.

And just as we said in our earlier articles, the cybersecurity problem is really a combination of problems making up one issue: network security + information security = data security. If you are situationally aware of what is happening on your network and what is going on with your information, you’ll be ahead of all others.

 

via:  tripwire

What to Do When You’re Getting Phished but Have No Idea Because It Looks Totally Authentic

A “huge, startlingly fast-moving, and perplexing” phishing attack made its way to an estimated one million-plus Gmail users on Wednesday.

The scam, which spread via legitimate-looking invites that came from a trusted contact asking the potential victim to view a Google Docs file, quickly became the talk of the cyber world after it appeared to first target media organizations and then spread like wildfire soon after.

“[W]hen you click on the [invite] link to open the file, you are directed to grant access to an app that looks like Google Docs but is actually a program that sends spam emails to everyone you’ve emailed,” according to a Recode story, which cited a thread on Reddit.

Zeynep Tufekci (@zeynep), 3 May 2017: “Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON’T CLICK.” pic.twitter.com/fSZcS7ljhu

Zach Latta (@zachlatta), 2:52 PM – 3 May 2017: “@zeynep Just got this as well. Super sophisticated.” pic.twitter.com/l6c1ljSFIX

Google quickly fixed the issue, which did not relate to a vulnerability on its end, by removing the bogus pages and applications involved in the attack. Adding to the intrigue is that an ethical hacking student at U.K.-based Coventry University is now claiming the whole incident was an accident and was merely meant as a test for a final project he was working on – although there is rightful skepticism abound.

Google on Wednesday night suggested fewer than 0.1 percent of its Gmail user base was affected, although our own (admittedly unscientific and short-sampled) Twitter poll found that 39 percent of respondents received or know someone who received the phishing message. Did you? Please vote.

But beyond the attack itself, it is worth reminding you that phishing messages only seem to be getting savvier and more authentic-looking, fooling even seasoned experts. Gone are the days when obvious misspellings and grammatical errors provide a dead giveaway that shenanigans are at play.

I asked Trustwave VP of Security Research Ziv Mador whether organizations should just wave the white flag of surrender – or if there are still steps they can take to keep phishing at bay.

“Some attacks are so well crafted that while we can provide some tips, they are so slight that you really can’t blame the victim anymore for doing something unreasonable,” Ziv told me. “The Grand Mars operation is another good example.”

(That op, by the way, uses phone calls to add legitimacy).

Nobody wants to go through life thinking everyone is out to get them, but practicing extreme cautiousness on the web these days still can pay dividends. Ziv suggested that you:

1) Think Before You Click

“Don’t rush to click links even if they seem legit and sent by someone you know. If you did not expect them, check with your contact first to see if they intended to send it. Remember, once your machine is infected, the malware may send emails on your behalf.”

2) Dig Deeper

“If you have doubts about an email or invite – such as the tactic used with Google Docs – first check the developer information or any other information about the application or website involved. If the information there doesn’t seem right, don’t continue (e.g. do not grant permissions).”

3) Turn to Technology and Teaching

“For businesses especially, deploy a secure web gateway, which leverages sophisticated logic to detect web-based attacks. Also, continually educate your employees on how to identify phishing attacks, especially the ones that are so good, you just can’t believe they are malicious.”

 

via:  trustwave

Kazuar’s API Access Lets Trojan Run Commands on Compromised Systems

A backdoor espionage trojan known as Kazuar has API access that it can leverage to run commands on the systems it compromises.

The malware, which is written in Microsoft’s .NET Framework and uses the ConfuserEX open source packer, initializes by gathering system and malware information and using those items to generate a mutex. It then creates a series of folder groups, including “sys” for storing configuration settings and “plg” for plugins that extend the trojan’s functionality. Throughout this setup process, it logs debugging messages to its “log” folder.

Once initialization is complete, Kazuar follows one of four execution paths. Its main entry point instructs the malware to install itself as a service, to inject itself into the explorer.exe process if it detects that it is running on Windows, or to run the method containing its functional code if it detects a Unix or Mac environment. From there, it attempts to establish persistent access on the machine, contacts its command and control (C&C) server, and upon successful connection transmits an action identifier to its C&C that corresponds with one of a series of commands.

The response parser listens for new tasks to be received from the command and control server. (Source: Palo Alto Networks)

Some of these instructions allow the malware to capture screenshots or take an image from an active webcam. Others allow it to gather system information or copy files. But one command in particular stands out.

Brandon Levene, Robert Falcone, and Tyler Halfpop of Palo Alto Networks’ Unit 42 threat research team identify that feature in a blog post:

“While many backdoor Trojans have extensive command handlers and plugin frameworks, Kazuar’s ‘remote’ command provides a functionality that is rarely seen in backdoors used in espionage campaigns. This command instructs the Trojan to start a thread to listen for inbound HTTP requests, which effectively turns Kazuar into a webserver. This functionality provides an API for the Trojan to run commands on the compromised system.”

HTTP method handler used by Kazuar to provide threat actors with API access. (Source: Palo Alto Networks)

The “remote” command essentially flips Kazuar’s relationship with its C&C in that the latter begins sending requests directly to the former. Such functionality helps the malware avoid detection if the compromised asset is a remotely accessible server that might raise red flags when initiating outbound requests. Threat actors could also leverage the API access to create one accessible server as a location for exfiltrating an infected machine’s data.
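The “remote” behaviour described above gives defenders a concrete host-level signal: the article says Kazuar injects into explorer.exe on Windows and, on that command, binds a listening socket to accept inbound HTTP. explorer.exe has no legitimate reason to accept inbound TCP connections, so a listening socket owned by it is worth an alert. The script below is an added example for this page, not code from Unit 42 or the Kazuar report: it parses `netstat -ano` output (live, or captured text for offline review), maps each listening socket to its process image, and flags images from an “unexpected listener” list. The function name, the default list (just explorer.exe), the ExposedToNet heuristic and the constructed netstat sample are all this example's assumptions.

```powershell
# Added example: flag processes that should never accept inbound connections
# but hold a LISTENING TCP socket. Not from Unit 42 or the Kazuar report.
function Find-UnexpectedListener {
    [CmdletBinding()]
    param(
        # Lines of `netstat -ano`; live output by default, captured text for offline use.
        [string[]]$NetstatLines = (& netstat -ano),
        # PID -> image name; built from Get-Process when not supplied.
        [hashtable]$ProcessMap,
        # Images that normally never bind a listening port (assumption: explorer.exe).
        [string[]]$UnexpectedImages = @('explorer.exe')
    )

    if (-not $ProcessMap) {
        $ProcessMap = @{}
        Get-Process | ForEach-Object { $ProcessMap[$_.Id] = "$($_.ProcessName).exe" }
    }

    foreach ($line in $NetstatLines) {
        $fields = $line.Trim() -split '\s+'
        # TCP rows have five columns: Proto, Local, Foreign, State, PID.
        # UDP rows have no State column, and the header has more than five; both are skipped.
        if ($fields.Count -ne 5 -or $fields[0] -ne 'TCP' -or $fields[3] -ne 'LISTENING') { continue }

        $procId = [int]$fields[4]
        $image  = $ProcessMap[$procId]
        if (-not $image) { $image = 'unknown' }
        if ($UnexpectedImages -notcontains $image) { continue }

        # A socket bound to all interfaces is reachable from the network, which is what
        # a C&C-driven listener needs; a loopback-only bind is less alarming.
        $local   = $fields[1]
        $exposed = $local -match '^(0\.0\.0\.0|\[::\]):'

        [pscustomobject]@{
            Image        = $image
            ProcessId    = $procId
            LocalAddress = $local
            ExposedToNet = $exposed
        }
    }
}

# Dry run on constructed data (not a real capture). Only the explorer.exe row
# with a LISTENING state should come back; the ESTABLISHED and UDP rows do not.
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912',
    '  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3456',
    '  TCP    10.0.0.5:49712         52.1.2.3:443           ESTABLISHED     3456',
    '  TCP    127.0.0.1:49713        0.0.0.0:0              LISTENING       2204',
    '  UDP    0.0.0.0:5353           *:*                                    1400'
)
$sampleProcesses = @{ 912 = 'svchost.exe'; 3456 = 'explorer.exe'; 2204 = 'chrome.exe'; 1400 = 'svchost.exe' }

Find-UnexpectedListener -NetstatLines $sampleNetstat -ProcessMap $sampleProcesses | Format-Table -AutoSize
```

Run without parameters on a live host it inspects the current socket table. The image list is deliberately short: extend it with other interactive applications that never act as servers in your environment, and treat an ExposedToNet hit as higher priority than a loopback bind, since the article's point is that the C&C connects inbound to the implant.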

As of this writing, Unit 42 is investigating ties between Kazuar and the Turla threat actor group. Some evidence suggests the attackers began using the malware as a replacement for another tool of theirs named Carbon. But researchers have yet to confirm whether Kazuar is indeed Turla’s new second-stage backdoor.

 

via: tripwire

Why Cyber Attacks Will Continue until Prevention Becomes a Priority

Organizations must rethink their security measures. Focus on training, getting rid of old tech, and overcoming apathy.

Some learn best through observation, others only after making a costly mistake. Unfortunately, many businesses have failed to heed the cybersecurity lessons learned from the litany of major attacks over the past few years.

Modern cybersecurity threats have evolved far beyond the days where keyloggers and suspicious emails were considered sophisticated threats. They’ve grown to incorporate new attack vectors such as connected devices, as used in the 2016 Dyn distributed denial-of-service attack that disrupted many popular websites. Businesses must also contend with leaked exploits discovered by government intelligence agencies, such as the Vault 7 Wikileaks revelations around security flaws in virtually every major operating system and application.

It’s time for organizations to rethink their approach to security. Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.

Cut Ties with Outdated Tech

Cybersecurity is often described as an arms race between security professionals and skilled attackers, as both parties rush to gain the upper hand. While even cutting-edge defenses are inevitably thwarted by determined attackers, cybersecurity professionals are able to quickly react and nullify attacks.

But many businesses don’t keep tabs on the front lines of cybersecurity development, leaving them several generations behind with regard to best practices and current threats. For example, while multifactor authentication has been recommended for more than a decade, many organizations are only now adopting the technology across their applications and platforms.

Making matters worse, many organizations fail to follow best practices for maintaining and protecting their current environments, creating countless avenues of attack for even inexperienced attackers. More than 9% of devices are still running Windows XP, three years after Microsoft discontinued support, giving malicious actors ample time to attack millions of vulnerable yet critical systems.

Business leaders need to listen to their IT departments and devote more time and resources to security best practices such as regular updates, security audits, and penetration testing, resisting the urge to focus solely on revenue-driving activities at the expense of loss prevention.

Invest in Security Training & Skills

Most organizations understand the importance of regular security training for employees, but IT professionals within the company are often overlooked. While your resident system administrator or network engineer is unlikely to fall for a phishing attempt, what about the rest of your employees? A single oversight is all it takes to undermine many other precautions. Regular, top-to-bottom training is crucial for any organization that wants to avoid becoming the victim of the next major attack.

Overcoming Security Apathy
Many businesses suffer from the delusion that they are immune to cybersecurity threats until it’s too late. Whether relying on security through obscurity or simply disregarding consistent warnings as hyperbolic nonsense, organizations have shown that they’re willing to risk massive losses and reputation damage rather than overhaul their approach to security. Although some organizations have taken note, many will have to learn the hard way; attacks will escalate until businesses understand the costs of neglecting security.


via: darkreading

What are the most important security testing basics?

Knowing how to test for security flaws is vital, but it’s a complicated and changing field.

Welcome to the exciting field of software security. There are so many opportunities with testing Web applications, mobile apps and even traditional client-server software and not enough people to fill positions — a core element behind why we still struggle with software security testing basics. The more we hear about how important it is to integrate security into the software development lifecycle, the more security incidents and breaches we hear about.

The first order of business is to understand the different types of software security testing basics so you’ll know which area you’d like to focus on. I’m partial to vulnerability assessments and penetration testing, since that’s what I focus on in my work. Vulnerability assessments look at the application environment and determine the weaknesses that can be exploited by criminal hackers and trusted users alike. Penetration testing takes security testing a bit further — it’s the active process of simulating a threat exploiting the vulnerability to demonstrate what can happen in a real-world situation.

I think we get too caught up in the verbiage around the different types of security testing basics. I like to refer to this exercise as “security assessments” whereby all aspects of the application are tested. It’s not just vulnerability scans, and it’s not just a capture the flag-type scenario with penetration testing. In most cases, the ultimate business goal of such an assessment is to find — and fix — security weaknesses. You can do this type of work in an IT or security role. You can also do it from a development or QA perspective. Whether you work for someone else or for yourself, it doesn’t matter. What’s important is to get as much hands-on experience as you can.

If I’ve learned anything, it’s to have an open mind. This means considering alternatives to mainstream theories on what it takes to truly fix security flaws. It also means committing to learning new things — staying on top of the latest software exploits, tools and testing techniques (both manual and automated). If you ignore these important areas, you’ll struggle to build the credibility and the buy-in you need to be successful in the field long term. If you focus on what’s important, keeping the business goals in mind, it’s easy to stand out from the noise in this field.

You’ll find that as you build your career in software security testing, there’s always something new and exciting. For instance, I have been doing a lot of testing of mobile apps and Internet of Things (IoT) devices lately. IoT systems are unique in that they tend to be very specialized, and design and development teams often cut corners in order to minimize the system’s footprint. As with Web applications, IoT devices are most interesting because each system tends to present its own unique challenges, especially as it relates to balancing security, usability and convenience. It’s this very thing that makes software resiliency both a blessing and a curse. The more software security flaws we find and make public, the better our software can become. However, public knowledge of security flaws can create immense levels of risk on the part of the business and stress on the part of those responsible for developing applications and testing software security. In the end, it’s in the best interest of the business, and that’s what counts.

It’s also important to remember the basics of security. Protecting the business against all the newest threats won’t mean much if decades-old gotchas involving weak passwords, improper encryption, insecure data storage and the like can still find a foothold. If you are going to contribute to a solid information security program, you have to walk before you can run. That said, we would be remiss not to recommend compensating controls such as TLS, identity management and advanced malware protection to improve the security of any given application environment. As you develop your career in software security, you’ll want to share your knowledge with others, so make sure you have processes in place to train users and developers about the importance of security.

For now, create your own lab environment using Kali Linux and related tools to get your hands dirty. The OWASP website has a ton of resources for those wanting to learn more about software security testing basics. The most important thing is to never stop learning. The core security principles that we work with really haven’t changed all that much; however, the technologies we use have changed and that’s what makes for some great opportunities in and around this field.


via: techtarget