Week in review: CVE + MITRE ATT&CK methodology, new issue of (IN)SECURE Magazine


Here’s an overview of some of last week’s most interesting news, articles and interviews:

(IN)SECURE Magazine issue 70 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 70 has been released today.
It’s a free download, no registration required.

Tens of thousands unpatched GitLab servers under attack via CVE-2021-22205
Attackers are actively exploiting an “old” vulnerability (CVE-2021-22205) to take over on-premise GitLab servers, Rapid7 researcher Jacob Baines warns. The additional bad news is that at least half of the 60,000 internet-facing GitLab installations the company detects are not patched against this issue.

Trojan Source bugs may lead to extensive supply-chain attacks on source code
Cambridge University researchers have detailed a new way targeted vulnerabilities can be introduced into source code while making them invisible to human code reviewers, allowing for extensive supply-chain attacks.

Mapping ATT&CK techniques to CVEs should make risk assessment easier
Vulnerability reporters should start using MITRE ATT&CK technique references to describe what the attacker is trying to achieve by exploiting a given CVE-numbered vulnerability, the MITRE Engenuity team urges.

Rooting malware discovered on Google Play, Samsung Galaxy Store
Researchers have discovered 19 mobile apps carrying rooting malware on official and third-party Android app stores, including Google Play and Samsung Galaxy Store.

The antidote to brand impersonation attacks is awareness
In this interview with Help Net Security, Dirk Jan Koekkoek, VP, DMARC at Mimecast, talks about the growing threat of brand impersonation attacks, their increasing level of sophistication and how security awareness as well as adequate tehcnology can tackle this threat.

Financial services need to prioritize API security to protect their customers
Noname Security and Alissa Knight, Partner at Knight Ink and recovering hacker, announced a research which unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries.

Advice from a young, female CISO: Key lessons learned
In this interview with Help Net Security, Ellen Benaim, the newest CISO at Copenhagen-based SaaS provider Templafy, talks about her take on the CISO role and offers advice for those who aspire to fulfill it one day.

Top ten worldwide IT industry predictions for 2022 and beyond
IDC announced its worldwide IT industry predictions for 2022 and beyond.
While the disruptive forces unleashed by the COVID-19 pandemic continue to shape the global business ecosystem, one important trend remains unchanged: the steady march toward a digital-first world.

Avoiding the costly ESU cycle: Lessons learned from Windows 7 end-of-life
In June 2021, Microsoft announced the end-of-life date for Windows 10: 14 October 2025. From that point on, there will be no new updates or security fixes for the Home or Pro versions.

80% of organizations plan to increase spending on cybersecurity posture management
80% of IT and security professionals plan to increase spending on their cybersecurity posture management over the next 12-18 months, according to a Balbix survey. Organizations will put that money toward cyber-risk quantification tools, cloud security posture management and security asset management.

Cybersecurity can drive business transformation instead of holding it back
Security is often seen as a burden rather than a strategic business enabler. According to a survey by McKinsey, 70 percent of organizations are not embedding security into products, services and processes, and 71 percent of executives say cybersecurity concerns impede innovation at their organization.

40% of organizations suffered a cloud-based data breach in the past 12 months
Despite increasing cyberattacks targeting data in the cloud, 83% of businesses are still failing to encrypt half of the sensitive data they store in the cloud, raising even greater concerns as to the impact cyber criminals can have. 40% of organizations have experienced a cloud-based data breach in the past 12 months, according to a study conducted by 451 Research.

What is wrong with developer security training?
Security professionals love the journey from vulnerability identification to system compromise. Turning a bug into an exploitable remote code execution vulnerability brings joy to those tasked with software security assessment. Unfortunately, what excites a security professional is not exciting for developers because, at the end of the day, a developer needs to build, not to break.

Cybersecurity threat landscape growing in sophistication, complexity and impact
The 9th edition of the ENISA Threat Landscape (ETL) report released by the European Union Agency for Cybersecurity highlights the surge in cybercriminality motivated by monetization using ransomware or cryptojacking. It covers a period of reporting starting from April 2020 up to July 2021.

Active Directory control: How adversaries score even bigger goals via attack paths
Microsoft Active Directory and Azure Active Directory are directory services products used for identity and access management at most major enterprises all over the world. All Active Directory (AD) environments are vulnerable to a type of attack called identity attack paths.

Ransomware attacks increased 148% in Q3 2021, showing no sign of slowing
SonicWall recorded a 148% increase in global ransomware attacks through the third quarter (Q3) of 2021. With 470 million ransomware attacks logged by the company this year to date, 2021 will be the most costly and dangerous year on record.

Proven third-party risk management strategies
As cyber threats continue to plague enterprises and the third-party partners and suppliers they work with, organizations that have prioritized the development of a robust third-party cyber risk management (TPCRM) program are experiencing success.

Top 10 ways attackers are increasing pressure on their ransomware victims to pay
Sophos researchers have detailed how ransomware attackers are implementing a wide range of ruthless pressure tactics to persuade victims to pay the ransom.

A ransomware reality check for CISOs
The rising tide of ransomware attacks targeting critical infrastructure sectors has reached unprecedented heights. Now at the top of many CISOs’ agendas, a confluence of technical, legal, ethical, and regulatory shifting winds is making this scourge on industrial environments increasingly difficult to navigate.

How to ease password pains while maintaining security
As much as any industry, healthcare must deal with a security landscape that is fraught with challenges and tensions. Health delivery organizations (HDOs) operate under constant threat of cyberattacks and ransomware attempts.

Lean security: How small cybersecurity teams perform at Fortune 2000 levels
There’s a widespread misconception that small IT security teams, or “lean sec teams”, cannot protect their organizations as comprehensively as bigger security teams who enjoy rich portfolios of countless security layers, vendors, and tools.

Nessus 10 is out, with Raspberry Pi support
Tenable has released Nessus 10 and extended supported platforms to include Raspberry Pi, allowing penetration testers, consultants, security teams and students to deploy the power of Nessus anywhere.

The ultimate SaaS Security Posture Management (SSPM) checklist
Cloud security is the umbrella that holds within it: IaaS, PaaS and SaaS. Gartner created the SaaS Security Posture Management (SSPM) category for solutions that continuously assess security risk and manage the SaaS applications’ security posture.

Stand up your SOC with Crystal Eye XDR: Lift your security monitoring and incident response maturity
For most companies, the security journey often starts with assessments, policy review and awareness training so staff can deal with attacks on our infrastructure. Then, we might look at our access control and network segmentation, which are all great first steps. But what’s next in our effort to introduce a holistic program that looks to defence-in-depth to protect our organisations?

Infosec products of the month: October 2021
Here’s a look at the most interesting products from October, featuring releases from Abnormal Security, Aqua Security, AT&T, Avast, Datto, Data Theorem, Huntress, Jumio, Pradeo, Qualys, Quest, Reliaquest, SecLytics, SecurID, Semperis, Socure, Splunk, Swimlane, ThreatConnect and ZeroFox.

New infosec products of the week: November 5, 2021
Here’s a look at the most interesting product releases from the past week, featuring releases from Cynamics, Imperva, Linux Foundation, Netscout and Tenable.

More about

Don't miss