The fun started at the same time as border skirmishes
Updated Security intelligence firm Recorded Future’s Insikt Group has written a paper alleging China was behind attacks on India’s electricity grid.…
TrustRadius recently awarded Veracode with a 2021 Best Application Security Feature Set Award and Best Application Security Customer Support Award. These honors are given to companies that have gone above and beyond to delight their users.
To win the Best Feature Set Award, each nominated organization had to receive 10 TrustRadius reviews in the past year that featured specific mention of their product's feature set. Winners also had to rank in the top three positions of their category in terms of what percentage of positive responses they earned this year. Additional vetting via textual review analysis was also performed by the TrustRadius research team … And Veracode came out on top!
Veracode offers a comprehensive selection of SaaS-based application security (AppSec) analysis methods and supports over 24 programming languages as well as a wide array of frameworks. We also provide visibility into the application status across all common testing types in a single view. By having visibility into the health of your applications, you are able to focus on fixing – not just finding – vulnerabilities.
The Best Application Security Feature Set Award is a great honor and a true testament to our products and services. "At Veracode, we strive to provide our customers with the latest and most innovative tools and technology," said Elana Anderson, CMO of Veracode.
Veracode also won the 2021 Best Application Security Customer Support Award. This award was given to Veracode for its ability to provide efficient and effective support for a wide variety of projects. Since Veracode AppSec is SaaS-based, it needs to be able to support a more robust set of code functionalities than on-premises platforms – and it does so with ease.
"We are committed to providing developers and security teams with a comprehensive SaaS application security platform that integrates into their workflows along with highly responsive customer support. Receiving these awards is a testament to our effort to provide unparalleled software security solutions and support," said Elana Anderson.
By reviewing the recipients of TrustRadius awards and learning more about their products and services, AppSec buyers can make more informed decisions.
As the CEO of TrustRadius, Vinay Bhagat, stated, "We are excited to announce our first-ever 'Best of' Award winners. Let's face it: not all products are created equal, and neither are all technology buyers. That's why at TrustRadius we're always looking for new ways to help buyers make great decisions. By highlighting products that have first-class feature sets, we can help more buyers navigate to products that will meet their unique needs."
To learn more about the winners of the TrustRadius awards, and for more information on Veracode's AppSec feature set and customer support, check out the TrustRadius blog, Best of Security Software 2021.
The United States Department of Justice has charged three North Korean computer programmers with a range of cyber attacks that made headlines around the world. Read more in my article on the Tripwire State of Security blog.
Cybersecurity firm Qualys seems to have suffered a data breach; threat actors allegedly exploited a zero-day flaw in its Accellion FTA server.
Cybersecurity firm Qualys is the latest victim of a cyber attack. The company was likely hacked by threat actors that exploited a zero-day vulnerability in its Accellion FTA server.
A couple of weeks ago, security experts from FireEye linked a series of cyber attacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11.
“Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE.” reported FireEye. “The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell.”
The wave of attacks began in mid-December 2020, when threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to deploy a web shell dubbed DEWMODE on the target networks.
The attackers exfiltrated sensitive data from the target systems and then published it on the CLOP ransomware gang's leak site.
It has been estimated that the group has targeted approximately 100 companies across the world between December and January.
FireEye pointed out that although FIN11 hackers are publishing data from Accellion FTA customers on the Clop ransomware leak site, they did not encrypt systems on the compromised networks.
In response to the wave of attacks, the vendor has released multiple security patches to address the vulnerabilities exploited by the hackers. The company is also going to retire legacy FTA server software by April 30, 2021.
Recently, other organizations were hit with the same technique, including Transport for New South Wales and Bombardier.
Now, Clop ransomware operators claimed to have stolen data from Qualys and shared screenshots of stolen files on its leak site as proof of the hack.
The leaked data includes invoices, purchase orders, tax documents, and scan reports.
According to LegMagIT and BleepingComputer, Qualys was using an Accellion FTA server that was located at fts-na.qualys.com since February 18th, 2021.
The post Clop ransomware gang leaks data allegedly stolen from cybersecurity firm Qualys appeared first on Security Affairs.
We regularly hear chief information security officers (CISOs) lament that they have too many tools and solutions that overlap. Although layered security controls are a desirable way of reducing the risk posed to systems and data, if this is done haphazardly it can result in increased user friction and wasted resources.
Sometimes this is caused by product features that were prioritized in the selection process, but never actually made it into production. Other times, budget holders are sold the utopian promise of a single tool that will work across the diverse range of devices, platforms and systems that are typical of enterprise networks today. All too often, employees discover that the security control does not work as expected in production, or may have taken so long to deploy that its cost is more than the value of the assets it was intended to protect. Organizations spend much of their budget trying to make these tools work but end up needing to buy compensating controls or start from scratch. Yet another new solution is sought to remedy the issue, with vendors presenting more tools, and the cycle starts again.
At the heart of why this cycle occurs is insufficient security control assessment. Such assessments are crucial for demonstrating that an organization has practiced due diligence by thoroughly evaluating the effectiveness of security controls. Failing to conduct rigorous evaluations could expose senior management to liability in the event of a data breach and makes it more difficult to identify gaps in an organization’s security posture. Any assessment of a security control needs to be done in the context of the organization’s existing controls. If the scope of an assessment is too narrow or performed without knowledge of the other controls, the recommendations risk missing efficiencies or underlying issues that a comprehensive review would spot. For example, an evaluation of the security controls protecting an e-commerce system shouldn’t just focus on patching and access control, but also assess any third-party services and whether the controls guard against supply chain attacks, such as if the third party is compromised by web-skimming malware.
Often the task of evaluating the effectiveness of security controls is inadequately split between several security roles:
- Auditors are critical for understanding if a security policy meets legal and regulatory requirements, but they usually don’t focus on the efficiency of the deployed solutions.
- Administrators have the challenging job of keeping existing systems working and have immense insight into how they are used but are usually siloed into work tasks to enforce a separation of duties.
- Security operations center (SOC) personnel stop attacks in motion and report lessons learned after remediating incidents. However, the scope of this feedback is limited to the controls affected by an incident.
- Assessors, such as penetration testers and red teams, are skilled at uncovering flaws in systems and applications, but the scope of their assessments and recommendations are usually narrow.
- Even purple teams, while excellent for coordinating offensive and defensive efforts, may lack the information to identify unnecessary overlaps in an organization’s security posture.
Each of these roles plays an essential part in designing, maintaining and testing an organization's security stance, but they aren't necessarily best placed to optimize it.
So how do we break free from the cycle of tool churn? First, CISOs should recognize the importance of security control assessments and the potential benefits of reduced costs and complexity while maintaining the same level of security. With this in mind, we recommend CISOs establish a distinct role dedicated to security control assessments so that the position isn’t burdened with day-to-day functional security tasks. Where this isn’t possible, consider broadening the scope of the team that currently performs security control assessments beyond measuring security value and cost, for example by considering the impact on user experience and how easy or difficult it is to maintain a control.
Second, give the assessment team access to the organization’s security policies, procedures and incident reports so that their recommendations consider the whole security posture. This should include an inventory of all the deployed security controls, whether technical, administrative or physical. Third, as well as technical security experience, CISOs should use personnel who have experience in risk analysis, user experience and project management.
Above all, the personnel performing the assessments should be encouraged to adopt the mindset of security solution optimizers or cybersecurity inspectors, similar to the role of building inspectors in the physical world.
Figure 1 – Attributes of the Cybersecurity Inspector role.
The cybersecurity inspector looks at the components of a security posture, understands how they are being used, or misused, and then verifies each component is being used to its potential. Just like a real building inspector, they would look at the actual deployment, understand what was intended, and the gaps between the two situations. And just as a building inspector would know if a power panel was no longer in production, and therefore needed to be replaced, a cybersecurity inspector would know that a tool is no longer supported, thus obsolete in their deployment, and therefore must be replaced.
The biggest impact a building inspector can have on a construction project is to find a weakness in a building’s foundation that would deem it structurally unsafe. The strongest walls and roof on a cracked foundation are vulnerable. Similarly, the cybersecurity inspector would be keeping an eye out for warning signs, uncovering foundational issues that could make an entire deployment vulnerable, no matter how many tools are added.
Many IT systems and cybersecurity tools are misconfigured. A 2020 study by Accurics found misconfigurations in 93% of cloud storage deployments, potentially exposing data to the risk of being breached. It’s the job of the cybersecurity inspector to examine a cloud deployment for design and implementation flaws, be able to understand potential security issues to be addressed, and review the billing to optimize the deployment to reduce costs—just as if a building inspector were to find a cracked basement they would suggest options to fix it based on time, cost and effectiveness.
A cybersecurity inspector looks at the existing tools, reviews the expected benefit of each security control, and identifies overlap and redundancy. For example, they would recognize that turning on an existing feature in an already deployed product in the network is much easier and cheaper than trying to add a new product and integrating it into the current security stack. The goal is to streamline a security posture by reducing the number of tools while still protecting assets to an acceptable level of risk. If your new cloud environment has a built-in password reset tool, do you need to maintain your older existing tool, or can you retire it and simplify your operation?
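The two inspector checks described above (spotting a tool that is no longer supported, and finding overlap between an already-deployed feature and a separately purchased product) can be carried out mechanically once the control inventory from the earlier recommendation exists. The following Python is an added example, not code from the article or from HP; the inventory schema, the capability names, the costs, the dates and the assessment date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    """One deployed security control in the inventory (hypothetical schema)."""
    name: str
    available: FrozenSet[str]        # capabilities the product can provide
    enabled: FrozenSet[str]          # capabilities actually switched on in production
    end_of_support: Optional[date]   # vendor end-of-support date, None if still supported
    annual_cost: int                 # licence/maintenance cost per year


# Constructed sample inventory; names, capabilities and costs are illustrative only.
INVENTORY: List[Control] = [
    Control("Cloud IdP", frozenset({"sso", "mfa", "password_reset"}),
            frozenset({"sso", "mfa"}), None, 30_000),
    Control("Legacy password portal", frozenset({"password_reset"}),
            frozenset({"password_reset"}), date(2020, 12, 31), 8_000),
    Control("EDR agent", frozenset({"endpoint_av", "edr"}),
            frozenset({"endpoint_av", "edr"}), None, 50_000),
    Control("Legacy AV", frozenset({"endpoint_av"}),
            frozenset({"endpoint_av"}), None, 12_000),
    Control("Web proxy", frozenset({"url_filtering", "dlp"}),
            frozenset({"url_filtering"}), None, 20_000),
]

# Hypothetical date on which the inspection is performed.
ASSESSMENT_DATE = date(2021, 3, 5)


def overlapping_coverage(controls: List[Control]) -> Dict[str, List[str]]:
    """Capabilities that more than one control is actively providing (redundancy)."""
    providers: Dict[str, List[str]] = {}
    for c in controls:
        for cap in c.enabled:
            providers.setdefault(cap, []).append(c.name)
    return {cap: sorted(names) for cap, names in providers.items() if len(names) > 1}


def dormant_features(controls: List[Control]) -> Dict[str, List[str]]:
    """Capabilities already paid for but never switched on, per control."""
    return {c.name: sorted(c.available - c.enabled)
            for c in controls if c.available - c.enabled}


def unsupported(controls: List[Control], today: date) -> List[str]:
    """Controls whose vendor support has already ended (obsolete, must be replaced)."""
    return sorted(c.name for c in controls
                  if c.end_of_support is not None and c.end_of_support < today)


def retirement_candidates(controls: List[Control], today: date) -> List[Tuple[str, int]]:
    """Controls whose every enabled capability is available in some other supported
    control, so they could be retired by turning on an existing feature instead."""
    supported = [c for c in controls
                 if c.end_of_support is None or c.end_of_support >= today]
    candidates = []
    for c in controls:
        # Union of everything the *other* supported controls could provide.
        elsewhere = frozenset().union(*(o.available for o in supported if o.name != c.name))
        if c.enabled and c.enabled <= elsewhere:
            candidates.append((c.name, c.annual_cost))
    return sorted(candidates)


def inspection_report(controls: List[Control], today: date) -> Dict[str, object]:
    """Bundle the four checks into one report the inspector can hand to the CISO."""
    return {
        "overlap": overlapping_coverage(controls),
        "dormant": dormant_features(controls),
        "unsupported": unsupported(controls, today),
        "retire": retirement_candidates(controls, today),
    }


if __name__ == "__main__":
    for section, findings in inspection_report(INVENTORY, ASSESSMENT_DATE).items():
        print(f"{section}: {findings}")
```

On the sample inventory the report flags `endpoint_av` as covered twice, the Cloud IdP's unused `password_reset` feature, the legacy portal as out of support, and both legacy products as retirement candidates with their annual savings; that last list is exactly the "turn on an existing feature rather than keep a second product" decision the article describes.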
As security professionals, we can all learn from building inspectors by adopting the cybersecurity inspector mindset. Networks continue to grow in complexity, and the process of securing assets is an ever-growing and evolving challenge. Optimizing an organization’s security stance requires a holistic approach—a difficult, but worthy ambition.
This article was contributed by Stuart Phillips, Global Cybersecurity Practice Lead at HP.
The post Security Control Assessments: What Security Professionals Can Learn from Building Inspectors appeared first on Bromium.