Week in review: How to avoid lateral phishing, what’s the right time to red team?

Here’s an overview of some of last week’s most interesting news and articles:

Your supplier’s BEC problem is your BEC problem
BEC scammers don’t care what business the potential targets are in: all they care about is that the targets have money that can be stolen – preferably lots of it – and vulnerabilities the scammers can exploit to pull off the heist.

PayPal becomes phisher’s favorite brand, Office 365 phishing techniques evolve
PayPal has overtaken Microsoft to claim the number one ranking for phisher’s favorites for the first time. Netflix was not far behind as the streaming giant moved up to the third spot with a 14.1 percent QoQ and 73.7 percent YoY growth in unique phishing URLs, according to Vade Secure.

Automated systems: Flag smarter, not everything
Cybersecurity professionals constantly receive a large number of security alerts from automated systems, most of which are near-useless information. Rather than flagging potential incidents in the network, these systems raise an alert every time they encounter anything – any anomaly, any intrusion attempt, any suspicious code, any unusual data movement.

Intel releases updates to plug TPM-FAIL flaws, foil ZombieLoad v2 attacks
Intel’s Patch Tuesday releases are rarely so salient as those pushed out this month: the semiconductor chip manufacturer has patched a slew of high-profile vulnerabilities in their chips and drivers.

Speeding MTTR when a third-party cloud service is attacked
We all know you can’t stop every malicious attack. Even more troublesome is when an externally sourced element in the cloud – engaged as part of your infrastructure – is hit and it impacts customers using your digital service.

Enterprise cybersecurity in the Asia-Pacific region
Almost one in five business organizations in the Asia-Pacific (APAC) region experienced more than six security breaches in the past two years, a new ESET enterprise cybersecurity survey has revealed.

Whitepaper: Cybersecurity is improving, but is it enough?
Digital transformation initiatives are pushing many organizations into unfamiliar territory that they are not equipped to protect.

Attack tools and techniques used by major ransomware families
Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report.

GitHub Security Lab aims to make open source software more secure
“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub.

Believe the hype, but control the threat: Reducing the risk of ransomware
Ransomware is becoming an epidemic for any collection or repository of data. Each day the attacks seem to be getting larger and more lucrative for cybercriminals. According to Europol’s annual report, the Internet Organised Crime Threat Assessment (IOCTA), file-encrypting malware attacks could become far more destructive as cybercriminals change their tactics.

When is the right time to red team?
Red teaming has become increasingly popular in recent years as firms become more aware of the threats they are facing. However, because it is often thought of as an extension of pen testing, we often find that businesses are keen to jump straight into red teaming before they are ready for it.

Product showcase: SpyCloud Active Directory Guardian
SpyCloud Active Directory is a browser-based application that runs locally and easily installs in minutes. It can be custom-configured to scan automatically or on-demand.

The password reuse problem is a ticking time bomb
Passwords, like email, seem future proof; but they are also the source of many cybersecurity problems. Key drivers of these issues are human behavior and the desire for convenience, which results in password reuse across multiple accounts.

The FBI multi-factor authentication notification that should have never been
While reviewing the recent Private Industry Notification from the FBI about using social engineering and technical attacks to circumvent multi-factor authentication, I was floored at how each of these account takeover scenarios seemed completely preventable.

Fraud rates increasing as criminals become more sophisticated
Fraud rates have been skyrocketing, with 90 voice channel attacks occurring every minute in the U.S., Pindrop reveals.

Lateral phishing makes for dangerous waters, here’s how you can avoid getting caught in the net
As companies and consumers have become more aware of phishing, hackers have refined their techniques and are now launching a more advanced form of attack known as lateral phishing. This technique is highly convincing and, consequently, highly effective.

Attackers continue to leverage greater levels of social engineering and sophistication
Despite a nearly four-month absence, the return of Emotet within the last two weeks of September accounted for nearly 12 percent of all malicious email samples in Q3, delivering millions of messages with malicious URLs or attachments, Proofpoint found.

November 2019 Patch Tuesday: Actively exploited IE zero-day fixed
November 2019 Patch Tuesday comes with patches for an IE zero-day exploited by attackers in the wild and four Hyper-V escapes.

Download: Internal compliance assessment templates
The Comprehensive Security Guide provides security executives with a single document that gathers standardized and easy to use templates of all main compliance frameworks: PCI-DSS, HIPAA, NIST Cyber Security Framework and GDPR.

5,183 breaches from the first nine months of 2019 exposed 7.9 billion records
According to Risk Based Security’s Q3 2019 Data Breach QuickView Report, the total number of breaches was up 33.3% compared to Q3 2018, with 5,183 breaches reported in the first nine months of 2019.

New infosec products of the week: November 15, 2019
A rundown of infosec products released last week.
