TL;DR don't place any trust in anyone else securing the open source components of your software stack. This is your opportunity to contribute back to the OSS community by actively looking for and fixing vulnerabilities...: [...] According to the report, 929 next generation software supply chain attacks were recorded from July 2019 through May 2020. By comparison 216 such attacks were recorded in the four years between February 2015 and June 2019. The difference between “
We carry out fire drills on a regular basis, and make everyone leave the building, so why don't businesses take cyber incident practice seriously?...: Only 2% of organizations have run incident response scenarios related to the pandemic response. According to research by Immersive Labs of 402 organizations, nearly 40% are not fully confident in their teams' training to handle a data breach if one occurred, and 65% of exercises consist of reviewing PowerPoint slides. In an
Would you be able to spot if someone was forwarding mail outside of your domain?...: [...] SANS Institute confirmed to Infosecurity that the exposed data belonged to individuals that had registered for one of its virtual summits and "was intended for community outreach purposes." That means no customer or instructor records were compromised. In total, 513 emails were forwarded to the external address, exposing nearly 30,000 records of PII. A malicious Office 365 add-on wa
I'm more interested in Zoom's ability to patch and roll out updates than in the vulnerabilities existing...: [...] In a write-up, Ahmed explained the flaws he found and how Zoom responded. One of the flaws was in the Zoom Launcher implementation. Attackers could exploit Zoom Launcher for Linux to run their own software, which he says "breaks all of the protection of application whitelisting" and could let malware run as a subprocess of Zoom. Attackers would need to compro
Who has access to PowerShell in your organisation? Do you allow local admin accounts? Maybe it's time to run a validation tool to check what policies are actually running on your endpoints and servers...: [...] In total, the analysis of anonymized data from incident response (IR) cases showed that 18 various legitimate tools were abused by attackers for malicious purposes. The most widely used one was PowerShell (25% of cases). This powerful administration tool can be used f
An example of the message given out to US users of TikTok. I note there is no comparison to the data gathered by the US-based giants...: [...] Cybersecurity experts said the moment you download the app and agree to the terms of service, you just gave the company the ‘OK’ to harvest your data and track your history. “There is increased concern not because of all the data that’s being collected by TikTok, but also because of who has access to the data, where it’s being stor...
I rarely open any document attached to an email. But I'm on the more paranoid wing of internet users...: [...] According to the report, email phishing exploits were the second most common type after web-based exploits, compared to Q1 where email was third. The reason for this change may be the easing of global Covid-19 related restrictions, which have seen businesses re-opening and employees returning to work, Checkpoint says. Making up nearly a quarter (24%) of all ph
I've seen several ways to come at security controls for cloud services. Firstly: use your threat modelling process (you have one of those, right?) to identify the controls that are needed. Some platform tools like Threatmodeller even let you compare the recommended controls to what's actually implemented. Secondly: use asset management tools (generally seen as unsexy, but necessary) to report on what's actually in place, then compare that with recommended best practice. Thirdly: in
I too have experience of changing roles. For one startup I'm the DPO, focused on data privacy issues and spending most of my time on working with customers and suppliers on compliance and audit issues. For other contracts I'm the 'security guy' who has to design and implement the controls that protect data. But the most challenging role change is as CTO where the priority is to get to market quickly...: Security engineering and software engineering teams have much to learn...