Week in review: Kali Linux 2020.2, sensor-based ransomware detection, 10 most exploited vulns

Here’s an overview of some of last week’s most interesting news, articles and podcasts:

Have you patched these top 10 routinely exploited vulnerabilities?
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.

Kali Linux 2020.2: New look, new packages, new installer options
Offensive Security has released Kali Linux 2020.2, the latest iteration of the popular open source penetration testing platform. Kali's mobile pentesting platform, Kali NetHunter, got support for additional devices.

May 2020 Patch Tuesday: Microsoft fixes 111 flaws, Adobe 36
For the May 2020 Patch Tuesday, Microsoft has fixed 111 CVE-numbered flaws (including PrintDemon) and Adobe 36, but none are under active attack.

Leveraging automation to maximize security budgets
With the economic impact of COVID-19 increasingly looking like an imminent recession and the way we do work altered perhaps forever, CIOs and CISOs will most likely be managing reduced budgets and a vastly different threat landscape. With the average cost of a breach continuing to skyrocket, the already slim margin for error will shrink even further.

COVID-19 has contributed to record breaking cybercriminal activity
There has been an exponential growth in phishing and website scams in Q1 2020, according to a Bolster analysis of over 1 billion websites. 854,441 confirmed phishing and counterfeit pages and 4M suspicious pages were detected.

Why a single online name and social cards will be the new norm
Over the last decade, the rise of social media giants sparked one of the most relevant conversations about privacy. The truth is that not much has changed in how platforms collect and handle our information. As users realize data is a commodity, they will start taking much more control of the usage, ownership, and value of their information than ever before.

Debunking myths related to client-side security and Magecart attacks
Many companies assume their current security stack protects them against these seemingly basic attacks, but in reality the attacks open a can of worms, and you may not even know you've been attacked.

New software enables existing sensors to detect ransomware
Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage.

Have you updated SaltStack Salt? Attacks are underway!
Even though F-Secure researchers declined to publish PoC exploit code for two critical Salt flaws they recently discovered and privately disclosed, it didn’t take long for others to do it and for attackers to try to exploit them.

vBulletin fixes critical vulnerability, patch immediately!
If you’re using vBulletin to power your online forum(s), you should implement the newest security patches offered by the developers as soon as possible.

How to implement least privilege in the cloud
According to a recent survey of 241 industry experts conducted by the Cloud Security Alliance (CSA), misconfiguration of cloud resources is a leading cause of data breaches.

Open source algorithms for network graph analysis help discover patterns in data
StellarGraph has launched a series of new algorithms for network graph analysis to help discover patterns in data, work with larger data sets and speed up performance while reducing memory usage.

Are you sure you would never fall for a phishing scam?
We believe we are less likely than others are to fall for phishing scams, thereby underestimating our own exposure to risk, a cybersecurity study has found. The research also reports that this occurs, in part, because we overlook data, or “base rate information,” that could help us recognize risk when assessing our own behavior yet use it to predict that of others.

Home workplaces introduce new risks, poor password hygiene
Entrust Datacard released the findings of its survey, based on responses from 1,000 US full-time professionals, which highlights the critical need to address data security challenges for employees working from home as a result of the pandemic.

Is remote work here to stay?
In a study conducted by OpenVPN, 30% of employees polled say their company recently implemented remote work capabilities for the first time. 61% already had remote work rules in place.

(ISC)² CISSP certification recognized as equal to a Master's by UK NARIC
(ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – announced that the Certified Information Systems Security Professional (CISSP) certification has been found comparable to Level 7 of the Regulated Qualifications Framework (RQF) in the UK, denoting that the certification is comparable to Master's degree standard.

New third-party healthcare data rules: Increased access alongside privacy considerations
It would be an understatement to say that 2020 is a monumental year for healthcare. The COVID-19 pandemic brought many aspects of care to the forefront – from technology and its ability to connect us, to the necessity for records to be quickly disseminated to patients and their providers, and patients’ rights to exercise informed control over their treatment.

Ransomware on the rise, companies prioritizing disaster recovery
The rampant rise of ransomware persists, with 100% of respondents – who include ITOps, backup, disaster recovery and storage admins, application and workload owners in the U.S. – reporting that their company experienced a ransomware attack in the last 12 months, Datrium reveals.

5 easy steps to immediately bolster cybersecurity during the pandemic
The new remote work environment ushers in an entirely new security landscape, and in record time. Long-term solutions can be found in zero trust models and cloud security adoption, but time is of the essence. Organizations should act now.

Criminals boost their schemes with COVID-19 themed phishing templates
The crooks have put a lot of effort into creating convincing phishing page templates to impersonate these organizations and to make it easier to quickly set up new pages once current ones get blacklisted.

Modern crypto standards pave the way to stronger security
What’s being done to bolster information security as cyberattacks continue to happen? The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, has been at the forefront of guiding cryptographic security programs and standards for more than 20 years.

Eye-opening statistics about open source security, license compliance, and code quality risk
99% of commercial codebases contain at least one open source component, with open source comprising 70% of the code overall, according to Synopsys.

(ISC)² Professional Development Institute: Timely and continuing education opportunities
In this Help Net Security podcast, Mirtha Collin, Director of Education for (ISC)², talks about the Professional Development Institute (PDI), a valuable resource for continuing education opportunities to help keep your skills sharp and curiosity piqued.