Christopher Hodson

If you're grappling with the complexities of managing compliance across frameworks like ISO 27001, NIST CSF, SOC 2, DORA, or UK Cyber Essentials, our upcoming webinar is designed just for you. Scheduled for Wednesday, 15 May 2024, at 9 am AEST, "Mastering Security Compliance" will showcase how 6clicks can help streamline your compliance processes through intelligent automation and prepare you confidently for audits. Mark Harris, our Alliance Partner Director, and Ryan Ingle, Senior Solution Delivery Manager for US/EMEA, will provide valuable insights into: ➡️ Overcoming multi-framework compliance challenges, ➡️ Strategies for centralizing control implementation, and ➡️ Utilizing our advanced AI engine, Hailey, for efficient compliance mapping and assessment completion. Register now: https://bit.ly/3WiKS4s #Webinar #AI #GRC #Compliance #Cybersecurity #ISO27001 National Institute of Standards and Technology (NIST) National Cyber Security Centre ISO - International Organization for Standardization

11

1 Comment

👉🏽 Cyber researchers recommend sticking with the best security practices, such as only downloading official apps from official sources, ensuring that Google Play Protect is enabled, being careful with permissions, not clicking on suspicious links delivered to the phone via SMS or emails, among other things. Cybercriminals have been ramping up dangerous attacks since September. No antivirus engines have detected the retooled version of Cerberus. To evade detection, the trojan now includes session-based droppers, native libraries, and encrypted payloads. It employs keylogging, overlay attacks, and VNC (Virtual Network Computing, a remote screen-sharing protocol). The campaign generates domains on the fly using a Domain Generation Algorithm to change command and control (C&C) servers. Cyble researchers first suspected they were looking at a completely new malware variant. A deeper analysis revealed code similarities to Cerberus, which was first identified in 2019. They dubbed the new campaign ErrorFather after the corresponding Telegram Bot ID. “We have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads,” the researchers said. They noted that the attacks are ongoing, and some C&C servers are still active. Attackers rely on users making a mistake – falling for social engineering lures. The malware masquerades as legitimate banking or authentication apps or updates and uses Google Play and Chrome icons. Attackers use phishing sites for malware distribution. #android #cellphone #security #phishing #malware

1

1 Comment

Regulators more active in enforcing cybersecurity than ever before! A recent case highlights the critical need for financial firms to tighten cybersecurity measures. US company Equiniti Trust Company has agreed to pay an $850,000 penalty for violating SEC cyber rules after mishandling two incidents that led to the theft of over $6.6 million. Hackers hijacked email communications and created fake accounts, exploiting vulnerabilities to transfer millions and steal Social Security numbers. In today's digital landscape, financially driven cyber threats like Business Email Compromise (BEC) are increasingly sophisticated and costly. The FBI reported $2.9 billion in losses from BEC fraud in the U.S. in 2023 alone. This incident underscores the importance of robust cybersecurity measures: - Implement multi-factor authentication and regular security audits. - Invest in AI and machine learning for enhanced threat detection. - Conduct regular employee training on cybersecurity best practices. Are your firm's cybersecurity measures up to par in protecting client assets? What steps are you taking to prevent similar incidents?

6

2 Comments

as always, incredibly proud to see watchTowr Labs' research discussed in the wider industry. watchTowr clients have been proactively made aware of vulnerable MOVEit instances in their attack surface over the last few weeks. Despite the absolute hysteria driven by certain vendors throwing random numbers of affected appliances into the proverbial wind - the number of organisations that expose both the SFTP and HTTPS interfaces simultaneously is a subset of Progress MOVEit customers. As I've always said, real Attack Surface Management is proactive - you should not be scrambling each time we see a vendor talk about a new vulnerability, or - in this case the exact opposite - try to embargo information. Please reach out to myself or my team on how we can help your organisation - we do this every day. https://lnkd.in/gie8rcrU

80

1 Comment

Any recommended Youtube | Podcasts | Blogs for latest breach/vuln news? Like something technical, but also something I can grasp and understand the impact of a given breach/vuln in the wild. Comment below.

1

11 Comments

Did you know that ISO27001 doesn't require you to do annual pentesting? 👀 The compliance people amongst you are probably thinking "of course it doesn't, it just requires you to consider the control" but in fact it doesn't even do that... To my knowledge 27001 makes no mention at all of pentesting... All it says is that "Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken" - ISO 27001:2022 Annex A objective 8.8 Of course we can discuss what ISO27002 says or what a framework really is… But the point I'm trying to make here is that you are probably free to be a lot more creative and sophisticated with your security testing approach than you might realise.

55

53 Comments

"50% of organizations have experienced an increase in attacks in the past 12 months" Aside from being an unsupported claim from a random website, what does that bland assertion even mean? Allegedly, half of organisations saw 'an increase in attacks' in the year to date, whereas (by inference) half didn't. 50% is a suspiciously round number. I'm already on guard. What is 'an increase in attacks'? Does that mean they had more than the year before, more than ever, at least one more attack than a year ago, at least one more 'significant' or 'successful' attack, or what? Did the other half experience the same number or a reduced number or significance of attacks, relative to an unstated prior period? Why? What are the differences between the halves? What are 'attacks' anyway? And who are the 'organisations' supposedly reporting their attacks? Most are understandably reluctant to disclose anything so embarrassing ... so does the 50% figure include an 'adjustment' for the suspected under reporting? Without any basis except my personal experience and understanding (clearly acknowledged), I assert that the vast majority of 'attacks' go unnoticed because they are trivial/inconsequential and/or are not even recognised as 'attacks'. A further substantial tranche are more significant but don't lead to any obvious signs of compromise, mostly because nobody's looking but some more insidiously because they are not looking hard enough, in the right places, at the right times, and an unknown number are actively and successfully evading detection. As an infosec pro, those are the ones that keep me up at night. This post is more than just a rant. It's a comment on critical thinking, on digging beneath the marketing fluff all around us and challenging the very basis for our emotional reactions. Imagine you've just read that quoted statement above, but haven't yet considered this post: how would you react? Would you swallow the hook, choke on it or spit it out?

8

13 Comments

Following the ICO's initial finding that software provider OneAdvanced failed to implement adequate measures to protect personal data leading to a ransomware attack, they published a provisional decision to impose a £6m fine in August. This is notable for two key reasons: 1/ It is the first potential fine by the ICO on a data processor under UK GDPR and highlights the risks posed to data subjects where sensitive personal data is processed on behalf of multiple controllers. 2/ It serves as an important reminder that every organization should implement MFA as part of their technical and organizational security measures. This is not hard and not expensive and the NCSC has useful guidelines on when MFA is appropriate. The ICO is increasingly clear they will take a dim view of organizations that don't get the basics right, including (1) checking for vulnerabilities, (2) implementing MFA and (3) keeping security patches up to date.

4

1 Comment

Excellent summary by Marc Krisjanous of the new smart contract controls in version 9 of the CCSS.

6

**Sensitive Data Exposure:** Moving on from our last discussion on the OWASP Top 10, let’s dive into **Sensitive Data Exposure**, a critical vulnerability in web applications. This issue arises when applications fail to protect sensitive information—like personal identifiers, financial records, or health data—due to weak encryption, poor cryptographic practices, or insufficient access controls. When sensitive data is exposed, the consequences can be severe, leading to identity theft, financial loss, and significant reputational damage. **Exploitation:** Attackers can intercept unencrypted data during transmission or exploit improperly secured databases to access sensitive information. This exposure opens doors to identity theft, financial fraud, and large-scale data breaches. **Mitigation:** - Encrypt data both in transit (using TLS) and at rest. - Use strong, up-to-date cryptographic algorithms. - Implement proper access controls to ensure only authorized users can access sensitive data. Protecting sensitive data isn't just a technical requirement; it’s essential to maintaining trust and compliance in today’s digital world. Until next week, when we talk about **XML External Entities (XXE)**, remember: **"Security is not a product, but a process."** Stay vigilant and keep your data safe! #OWASP #Cybersecurity #Network #Infosec #Data #Dataprotection.

4

When it comes to Cyber Risk, did you know Kroll is the world’s #1 incident response provider? Follow our Kroll Cyber Risk showcase page for: 💡 Insights 💼 Case studies 📈 Latest trends 🗓 Upcoming events ⚠ High-severity vulnerabilities ✅ Solutions and much more!

48

Huge SBOM Update! We've revamped the SBOM Labs in the latest revision for the SANS SEC547 Defending Product Supply Chains course, and will be releasing this new content at SANSFIRE in July! In this update we've added over 20 new tools to the course virtual machine, a purpose-built Linux OS designed for supply chain security work. And many of these tools feature in 3 completely new labs that will show you how to: ✅ Generate SBOM from open source, binaries, firmware and containers ✅ How to request SBOM from suppliers and validate what they provided ✅ Analyzing SBOMs for vulnerabilities and other risks and managing them at scale ✅ Working with multiple vulnerability databases ✅ Verifying SBOM quality and enriching content such as software provenance and pedigree ✅ Comparing tool output to evaluate your SBOM tool providers ✅ Supply Chain Incident Response ✅ And much more! This is a full lifecycle process that can take you from just getting started, to achieving meaningful value from your SBOM initiative. We cover a lot more than just SBOM across vendor risk, geopolitical and supply chain threats, hardware and HBOM, and supply chain attestations, so check out the course and register below. I can't wait to have you in class this July! https://lnkd.in/eNYNBY7R #sbom #cybersecurity #supplychainsecurity #scrm #softwaretransparency

39

2 Comments

Transparency in our digital infrastructure is crucial. Just as we insist on knowing the ingredients in our food, we must demand detailed 'receipts' for the complex software and hardware systems in our enterprise stack—including laptops, servers, networking devices, IoT, OT, GenAI and more.

10

1 Comment

🚀 Unlocking Compliance Success with P J Networks 🌐 Have you ever faced the daunting task of navigating the complex world of industry security standards? You're not alone. Many businesses struggle with this challenge, but that's where P J Networks steps in to make a difference. 1. Overview of Security Standards In today's digital landscape, maintaining regulatory compliance is more crucial than ever. Every industry has its own set of mandates and security standards that businesses must adhere to, ranging from GDPR and HIPAA to PCI DSS. Failing to comply can lead to hefty fines and reputational damage. 2. P J Networks' Role So, how does P J Networks assist with these critical compliance needs? Let me break it down for you: - Customized Solutions: We tailor our approach to meet each client's unique requirements, ensuring seamless alignment with relevant standards. - Expert Support: Our team of seasoned professionals provides hands-on guidance, from initial assessments to full implementation and beyond. - Data Protection: We place a strong emphasis on safeguarding sensitive data, employing advanced technologies and strategies to keep your information secure. 3. Client Success Stories Consider a small healthcare provider, overwhelmed by HIPAA regulations. With P J Networks' assistance, they not only achieved compliance but also enhanced their data protection practices, leading to greater patient trust and operational efficiency. 4. Conclusion Staying compliant doesn't have to be intimidating. Whether you're a global enterprise or a local startup, P J Networks is here to help you navigate the complexities of industry security standards. We are committed to your success, offering robust compliance services tailored to your needs. Curious about how your business can achieve compliance confidence? Let's connect and explore how P J Networks can support you. What are your biggest compliance challenges, and how are you tackling them? Share your thoughts and experiences below. Let's start a conversation. 👇 ComplianceAssistance PJNetworks SecurityStandards

1