• Building a Career in Cybersecurity: Entry-Level Roles Guide

    The cybersecurity industry continues to experience rapid growth, driven by the increasing frequency and sophistication of cyber threats. For those looking to start a career in this field, there are numerous entry-level opportunities that offer a solid foundation and promising career trajectory. This guide provides an overview of some common entry-level cybersecurity roles, highlighting key responsibilities, essential skills, and educational requirements.


    Information Cybersecurity Analyst

    An Information Cybersecurity Analyst plays a critical role in safeguarding an organization’s computer networks and systems. They are responsible for monitoring, detecting, and responding to cyber threats. Their tasks include implementing security measures, conducting risk assessments, and educating staff on security protocols. This role is essential in defending against cyber attacks and maintaining the integrity of an organization’s data.

    Key Responsibilities:

    • Monitoring network traffic for security incidents.
    • Implementing and updating security measures and controls.
    • Conducting vulnerability assessments and penetration testing.
    • Responding to and mitigating cyber threats and incidents.

    Essential Skills:

    • Proficiency in using security platforms and tools.
    • Strong understanding of network security principles.
    • Ability to analyze and interpret security logs and alerts.
    • Knowledge of regulatory standards and compliance requirements.

    Educational Requirements:

    • Bachelor’s degree in Computer Science, Information Technology, or a related field.
    • Certifications such as CompTIA Security+ or Certified Ethical Hacker (CEH) are beneficial.

    System Administrator

    System Administrators are responsible for the day-to-day operation of an organization’s computer systems and networks. They ensure that systems are running efficiently and securely. Their duties include installing and configuring hardware and software, managing user accounts, and troubleshooting technical issues.

    Key Responsibilities:

    • Maintaining and updating system software and hardware.
    • Ensuring system security and data integrity.
    • Performing regular backups and recovery operations.
    • Monitoring system performance and troubleshooting issues.

    Essential Skills:

    • Proficiency with various operating systems (Windows, Linux, macOS).
    • Understanding of networking concepts and protocols.
    • Ability to automate tasks using scripting languages like PowerShell or Python.
    • Strong problem-solving and analytical skills.

    Educational Requirements:

    • Bachelor’s degree in Information Technology, Computer Science, or a related field.
    • Certifications like Red Hat Certified Engineer (RHCE) or Cisco Certified Network Associate (CCNA) are advantageous.

    IT Support Specialist

    An IT Support Specialist provides technical support and assistance to users within an organization. They help troubleshoot and resolve hardware and software issues, ensuring that users can effectively utilize technology in their daily tasks.

    Key Responsibilities:

    • Providing technical support to end-users.
    • Installing and configuring computer systems and applications.
    • Troubleshooting and resolving hardware and software issues.
    • Maintaining system documentation and IT asset inventory.

    Essential Skills:

    • Strong technical knowledge of computer systems and software.
    • Excellent problem-solving and communication skills.
    • Ability to work under pressure and handle multiple tasks simultaneously.
    • Familiarity with remote support tools and helpdesk software.

    Educational Requirements:

    • Associate’s or bachelor’s degree in Information Technology or a related field.
    • Entry-level certifications such as CompTIA A+ or Network+ are helpful.

    Junior Forensic Analyst

    A Junior Forensic Analyst assists in investigating cybercrimes by analyzing digital evidence. They work under the supervision of senior analysts to uncover and interpret electronic data that can be used in legal proceedings.

    Key Responsibilities:

    • Collecting and preserving digital evidence from electronic devices.
    • Analyzing data to identify signs of cybercrime or security breaches.
    • Documenting findings and preparing reports for legal proceedings.
    • Assisting in the recovery of deleted or encrypted data.

    Essential Skills:

    • Knowledge of digital forensics tools and techniques.
    • Understanding of file systems and storage technologies.
    • Attention to detail and strong analytical skills.
    • Ability to follow established forensic procedures and protocols.

    Educational Requirements:

    • Bachelor’s degree in Cybersecurity, Computer Forensics, or a related field.
    • Certifications such as GIAC Certified Forensic Analyst (GCFA) or IACIS Certified Forensic Computer Examiner (CFCE) are beneficial.

    Junior Penetration Tester

    A Junior Penetration Tester, or ethical hacker, tests the security of an organization’s systems by attempting to exploit vulnerabilities. They help identify and fix security weaknesses before malicious actors can take advantage of them.

    Key Responsibilities:

    • Conducting penetration tests on networks, applications, and systems.
    • Identifying and documenting security vulnerabilities.
    • Collaborating with development and IT teams to remediate findings.
    • Staying updated on the latest security threats and testing techniques.

    Essential Skills:

    • Proficiency with penetration testing tools such as Metasploit, Nmap, and Burp Suite.
    • Strong understanding of network protocols and security mechanisms.
    • Ability to think like an attacker and creatively find security flaws.
    • Excellent report-writing and communication skills.

    Educational Requirements:

    • Bachelor’s degree in Cybersecurity, Information Technology, or a related field.
    • Certifications like Offensive Security Certified Professional (OSCP) or Certified Penetration Tester (CPENT) are highly recommended.

    Source Code Auditor

    A Source Code Auditor examines software source code to identify security vulnerabilities and ensure compliance with coding standards. They play a crucial role in preventing security breaches by ensuring that software is secure and reliable.

    Key Responsibilities:

    • Reviewing source code for security vulnerabilities and coding errors.
    • Ensuring compliance with industry standards and best practices.
    • Collaborating with development teams to fix identified issues.
    • Conducting static and dynamic code analysis.

    Essential Skills:

    • Proficiency in multiple programming languages (e.g., Python, Java, C++).
    • Strong understanding of secure coding principles.
    • Attention to detail and ability to identify subtle code issues.
    • Knowledge of automated code analysis tools.

    Educational Requirements:

    • Bachelor’s degree in Computer Science, Software Engineering, or a related field.
    • Experience in software development and familiarity with code review processes.

    Security Auditor

    A Security Auditor evaluates an organization’s information systems to ensure they comply with security policies and standards. They identify vulnerabilities and provide recommendations to improve security posture.

    Key Responsibilities:

    • Conducting security assessments and audits.
    • Evaluating compliance with security policies and regulations.
    • Identifying and documenting security risks and vulnerabilities.
    • Providing recommendations for improving security controls.

    Essential Skills:

    • Strong understanding of information security frameworks and standards.
    • Experience with audit tools and methodologies.
    • Ability to analyze and interpret audit results.
    • Excellent communication and report-writing skills.

    Educational Requirements:

    • Bachelor’s degree in Information Security, Computer Science, or a related field.
    • Certifications such as Certified Information Systems Auditor (CISA) are highly beneficial.

    Junior Security Analyst

    A Junior Security Analyst assists in protecting an organization’s computer networks and systems. They monitor for security breaches, analyze threats, and help implement protective measures.

    Key Responsibilities:

    • Monitoring security alerts and responding to incidents.
    • Assisting in risk assessments and vulnerability management.
    • Supporting the implementation of security measures and controls.
    • Documenting security incidents and maintaining logs.

    Essential Skills:

    • Proficiency in using security information and event management (SIEM) tools.
    • Understanding of cybersecurity principles and best practices.
    • Strong analytical and problem-solving skills.
    • Ability to work collaboratively in a team environment.

    Educational Requirements:

    • Bachelor’s degree in Cybersecurity, Information Technology, or a related field.
    • Certifications such as CompTIA Cybersecurity Analyst (CySA+) are recommended.

    Conclusion

    Entering the field of cybersecurity offers a rewarding career path with numerous opportunities for growth. By acquiring the necessary skills and certifications, gaining hands-on experience, and staying updated with the latest industry trends, aspiring professionals can build a strong foundation and excel in various entry-level cybersecurity roles. Continuous learning and adaptability are key to succeeding in this dynamic and ever-evolving field.


    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. It provides advanced solutions to protect critical IT infrastructure, such as its popular “CISO-as-a-Service” offering, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • NGFW vs Traditional Firewalls: What’s the Difference?

    Firewalls play a crucial role in safeguarding data and preventing unauthorized access. As cyber threats have evolved, so too have firewall technologies, resulting in the development of Next Generation Firewalls (NGFWs). This analysis examines the distinctions between traditional firewalls and NGFWs, highlighting their features and respective contributions to modern cybersecurity.


    Traditional Firewalls

    Traditional firewalls serve as a fundamental component of network security, primarily offering stateful inspection of network traffic. These devices monitor and control data flow based on state, port, and protocol, providing essential protection at the network’s entry and exit points. Additionally, traditional firewalls typically include Virtual Private Network (VPN) capabilities. However, they are increasingly inadequate in countering the varied cyber threats encountered today.


    Next Generation Firewalls (NGFWs)

    Next Generation Firewalls (NGFWs) represent an advanced evolution in firewall technology. Beyond the stateful inspection capabilities of traditional firewalls, NGFWs incorporate a multitude of features designed to address contemporary cybersecurity challenges comprehensively, offering enhanced security through a combination of advanced technologies and integrated solutions.


    Key Features of NGFWs

    NGFWs distinguish themselves with several advanced capabilities:

    • Application Awareness and Control: Ability to identify, monitor, and manage applications.
    • Integrated Intrusion Prevention System (IPS): Combines firewall functions with intrusion prevention for real-time threat mitigation.
    • Deep Packet Inspection (DPI): Analyzes the content of data packets beyond just the header information.
    • Cloud-Delivered Threat Intelligence: Utilizes real-time threat data from cloud-based sources for enhanced protection.
    • SSL and SSH Inspection: Decrypts and inspects encrypted traffic to detect hidden threats.
    • Sandboxing: Employs isolated environments to safely execute and analyze potentially malicious code.
    • Performance Efficiency: Maintains robust security without compromising network performance.
    • Advanced Threat Protection: Defends against complex threats, including zero-day exploits.
    • Web Filtering: Controls and restricts access to potentially harmful websites.
    • Integrated Antivirus, Antispam, and Antimalware: Offers comprehensive protection against a range of malware.

    What is the Difference Between an NGFW and a Traditional Firewall?

    Traditional Firewall vs. Next Generation Firewall:

    • Inspection: a traditional firewall primarily provides stateful inspection of network traffic; an NGFW combines stateful inspection with advanced security features.
    • Generation: a traditional firewall represents an older generation of firewall technology; an NGFW embodies advanced, modern firewall technology.
    • Application visibility: a traditional firewall offers limited application visibility and control; an NGFW provides comprehensive application visibility and control.
    • OSI layers: a traditional firewall operates at OSI layers 2 to 4; an NGFW extends functionality across OSI layers 2 to 7.
    • Application awareness: a traditional firewall lacks application-level awareness; an NGFW supports detailed application-level awareness.
    • Reputation and identity: a traditional firewall does not include reputation and identity services; an NGFW integrates reputation and identity services.
    • Management cost: with a traditional firewall it is expensive to manage separate security tools; an NGFW simplifies management with integrated security tools, reducing costs.
    • Security package: a traditional firewall does not offer a complete security package; an NGFW provides a full suite of security technologies.
    • SSL inspection: a traditional firewall cannot decrypt and inspect SSL traffic; an NGFW is capable of decrypting and inspecting SSL traffic in both directions.
    • NAT, PAT, and VPN: a traditional firewall supports basic NAT, PAT, and VPN functionality; an NGFW enhances NAT, PAT, and VPN with advanced threat management features like sandboxing.
    • IPS and IDS: with a traditional firewall, IPS and IDS are separate components; an NGFW fully integrates IPS and IDS for streamlined security management.
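    The following Python sketch is an added illustration of the layer 2-4 versus layer 2-7 distinction above; it is not code from the original article or from any firewall vendor. It contrasts a stateful filter, whose verdict depends only on protocol, port and connection state, with an application-aware filter that additionally classifies the first data bytes of a flow. The addresses, ports, payload bytes and the three-signature application matcher are all constructed assumptions for the demonstration.

```python
"""Toy contrast between a layer 3/4 stateful filter and a layer 7
application-aware filter. Added illustration only; not code from the article
or from any firewall vendor. Addresses, ports, payload bytes and the tiny
signature matcher below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed "trusted" side
INSIDE_HOST = "10.0.0.5"                           # constructed inside client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False        # bare SYN: a new connection attempt
    payload: bytes = b""     # first application bytes of the flow, if any


def identify_app(payload: bytes) -> str:
    """Crude application identification from the first bytes of a flow.
    Real NGFW app-ID engines are far richer; these constructed signatures
    are just enough to show that a port number is not an application."""
    if payload.startswith(b"\x16\x03"):             # TLS record header
        return "tls"
    if payload.startswith(b"SSH-"):                 # SSH version banner
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"                               # cleartext HTTP request line
    return "unknown"


class StatefulFirewall:
    """Traditional model: verdicts depend only on protocol, port and state."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_ports = set(allowed_outbound_ports)
        self.sessions = set()          # 5-tuples of flows admitted so far

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.sessions or reply in self.sessions:
            return "allow"             # belongs to an established session
        outbound = ipaddress.ip_address(pkt.src) in INSIDE_NET
        if outbound and pkt.syn and pkt.proto == "tcp" and pkt.dport in self.allowed_ports:
            self.sessions.add(key)     # inside-initiated session on a permitted port
            return "allow"
        return "deny"                  # unsolicited or off-policy


class AppAwareFirewall(StatefulFirewall):
    """NGFW-style model: the stateful checks first, then the application
    carried in the payload must also be on the allow list for that flow."""

    def __init__(self, allowed_outbound_ports, allowed_apps):
        super().__init__(allowed_outbound_ports)
        self.allowed_apps = set(allowed_apps)

    def decide(self, pkt: Packet) -> str:
        verdict = super().decide(pkt)
        if verdict != "allow" or not pkt.payload:
            return verdict             # nothing at layer 7 to judge yet
        app = identify_app(pkt.payload)
        if app not in self.allowed_apps:
            # Tear the session down so the rest of the flow is denied as well.
            self.sessions.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return f"deny ({app} on port {pkt.dport})"
        return "allow"


def make_flow(dst: str, dport: int, first_bytes: bytes):
    """Constructed two-packet outbound flow: the SYN, then the first data segment."""
    return [
        Packet(INSIDE_HOST, 51000, dst, dport, syn=True),
        Packet(INSIDE_HOST, 51000, dst, dport, payload=first_bytes),
    ]


FLOWS = {
    # A genuine TLS handshake on 443: both models admit it.
    "https_to_web": make_flow("203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # SSH carried over 443: a port-only rule cannot tell it from HTTPS.
    "ssh_on_443": make_flow("203.0.113.20", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Cleartext HTTP on 443: also not the application the port implies.
    "http_on_443": make_flow("203.0.113.30", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Unsolicited inbound SYN: neither model has a session for it.
    "inbound_ssh": [Packet("198.51.100.7", 40000, INSIDE_HOST, 22, syn=True)],
}


def run(fw: StatefulFirewall, packets) -> list:
    return [fw.decide(p) for p in packets]


def compare() -> dict:
    """Push every constructed flow through a fresh instance of each model and
    return {flow: {"traditional": [verdicts], "ngfw": [verdicts]}}."""
    results = {}
    for name, pkts in FLOWS.items():
        results[name] = {
            "traditional": run(StatefulFirewall({443}), pkts),
            "ngfw": run(AppAwareFirewall({443}, {"tls"}), pkts),
        }
    return results


if __name__ == "__main__":
    for flow, verdicts in compare().items():
        print(f"{flow:14s} traditional={verdicts['traditional']}  ngfw={verdicts['ngfw']}")
```

    Both models reject the unsolicited inbound SYN, which is what stateful inspection alone buys you. The difference shows on the three outbound flows to port 443: the stateful model admits all of them because the port is permitted, while the application-aware model keeps the TLS session and drops the SSH and HTTP sessions that merely borrow the port. That is the practical meaning of "operates at layers 2 to 4" versus "extends across layers 2 to 7" in the comparison above.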

    Conclusion

    While traditional firewalls continue to play a vital role in network security, they fall short in addressing the sophisticated threats of the modern digital landscape. Next Generation Firewalls (NGFWs) offer a comprehensive and advanced security solution, integrating features such as application awareness, deep packet inspection, and SSL inspection. These capabilities make NGFWs indispensable for robust and effective network protection. Selecting the appropriate firewall technology depends on an organization’s specific security needs and risk profile, with NGFWs providing a superior option for comprehensive threat defense.


  • Analyzing the Autonomy of GPT-4 in Exploiting One-Day and Zero-Day Vulnerabilities

    With the surge in popularity and capability of large language models such as ChatGPT in recent years, cybersecurity professionals are increasingly concerned about the potential misuse of these advanced tools. The question on everyone’s mind: Can these models autonomously launch effective cyberattacks? Recent studies by cybersecurity researchers provide sobering answers. Their conclusion: LLMs, particularly GPT-4, are alarmingly proficient at exploiting both one-day and zero-day vulnerabilities.


    Understanding One-Day and Zero-Day Vulnerabilities

    One-day vulnerabilities, the name given to former zero-day vulnerabilities once they have been publicly disclosed but before a patch is available, represent a critical window of opportunity for attackers. These vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database and are known to be exploitable until a patch is issued and deployed. In a recent effort, cybersecurity researchers focused on 15 real-world one-day vulnerabilities affecting various platforms, including websites, container management software, and Python packages.

    Zero-day vulnerabilities, on the other hand, are those that are not yet known to the hacker community at large. These vulnerabilities are particularly dangerous because there is no patch available, and their existence is unknown to defenders.


    The Study’s Setup and Key Findings

    One-Day Vulnerabilities

    The researchers equipped the GPT-4 model with several capabilities to simulate a real-world hacking scenario:

    • Web Browsing Elements: To retrieve HTML content and interact with web elements.
    • Terminal Access: For executing commands directly on the system.
    • Search Results: To gather information dynamically from the web.
    • File Creation and Editing: To manipulate files necessary for exploitation.
    • Code Interpreter: To understand and execute code.

    A detailed prompt of 1,056 tokens (tokens being the units of text a model such as GPT-4 consumes), containing 91 lines of code, including debugging and logging statements, was provided to guide the GPT-4 model. Notably, this prompt did not include sub-agents or a separate planning module, ensuring that the model’s actions were a direct result of the prompt and its integrated capabilities.

    The results were startling. GPT-4 successfully exploited 87% of the one-day vulnerabilities presented, far outperforming other tested methods, including GPT-3.5 and open-source vulnerability scanners. The other models and tools failed to exploit any vulnerabilities, underscoring the advanced capabilities of GPT-4.

    Zero-Day Vulnerabilities and HPTSA Method

    A separate team of researchers at the University of Illinois Urbana-Champaign expanded their study to include zero-day vulnerabilities, using a novel approach called hierarchical planning with task-specific agents (HPTSA). This method assigns tasks to multiple agents, monitors their progress, and reallocates resources as needed. It mirrors project management methodologies used by humans and significantly boosts the efficiency of finding vulnerabilities.

    Using this approach, multiple instances of a modified version of GPT-4 acted as agents. When benchmarked against real-world applications, the HPTSA method proved to be 550% more efficient in finding vulnerabilities compared to traditional methods.

    Implications for the Threat Landscape

    The findings from these studies have significant implications for the cybersecurity threat landscape. The ability of GPT-4 to autonomously exploit both one-day and zero-day vulnerabilities highlights the increasing sophistication and potential danger of AI-driven cyberattacks. Several key impacts are anticipated:

    • Increased Attack Automation: The high success rate of GPT-4 in exploiting vulnerabilities suggests that future cyberattacks could be more automated and efficient, leading to a higher frequency of attacks.
    • Rapid Exploitation of New Vulnerabilities: With LLMs like GPT-4 capable of quickly exploiting vulnerabilities once they are disclosed, the window of opportunity for defenders to patch systems before they are attacked is drastically reduced.
    • Enhanced Targeting and Precision: The ability of GPT-4 to perform complex, multi-step attacks means that cybercriminals could carry out more targeted and precise attacks, potentially breaching high-value targets more effectively.
    • Greater Accessibility of Hacking Tools: As LLMs become more integrated into hacking tools, the barrier to entry for conducting sophisticated cyberattacks lowers, potentially enabling less skilled hackers to execute complex attacks.
    • Challenges in Detection and Response: AI-driven attacks may be harder to detect and mitigate due to their adaptive and evolving nature. Traditional security measures might struggle to keep up with the speed and variability of AI-powered exploits.

    Ethical Considerations and Defensive Measures

    Given the study’s findings, it’s crucial for the cybersecurity community to take proactive measures. This includes:

    • Developing Defensive LLMs: Utilizing LLMs to bolster defensive measures and quickly identify and patch vulnerabilities.
    • Regulating LLM Deployment: Implementing stricter controls and guidelines for the deployment of highly capable LLMs to prevent misuse.
    • Enhancing Vulnerability Management: Improving the speed and efficiency of patch deployment to minimize the window of vulnerability.

    Is the Use of LLMs in Cybersecurity Good or Bad?

    Is the ability of GPT-4 to autonomously exploit vulnerabilities a boon or a bane for cybersecurity? On one hand, the efficiency and precision of AI-driven vulnerability exploitation highlight the potential for these tools to significantly aid in defensive measures. They could be used to identify and patch vulnerabilities faster than ever before, potentially reducing the window of exposure and improving overall security resilience. On the other hand, the same capabilities could be wielded by malicious actors, automating and scaling cyberattacks to an unprecedented level. This duality poses a profound ethical dilemma: while the advancements in AI offer promising tools for improving cybersecurity, they also present new challenges and risks that must be carefully managed. The path forward requires a balanced approach, leveraging AI for defense while implementing stringent controls to prevent its misuse.


  • Microsoft August 2024 Patch Tuesday: 89 Vulnerabilities, 6 Actively Exploited Zero-Days

    Today marks Microsoft’s August 2024 Patch Tuesday, addressing a total of 89 security flaws, including six actively exploited zero-day vulnerabilities and three publicly disclosed zero-days. Among these, one critical zero-day vulnerability remains unfixed, though Microsoft is actively working on a resolution.


    Summary of Critical Updates

    This Patch Tuesday resolves eight critical vulnerabilities across various categories, such as elevation of privileges, remote code execution, and information disclosure. Below is the distribution of the vulnerabilities by category:

    • 36 Elevation of Privilege Vulnerabilities
    • 4 Security Feature Bypass Vulnerabilities
    • 28 Remote Code Execution Vulnerabilities
    • 8 Information Disclosure Vulnerabilities
    • 6 Denial of Service Vulnerabilities
    • 7 Spoofing Vulnerabilities

    It is important to note that these counts do not include vulnerabilities in Microsoft Edge that were disclosed earlier this month.


    Zero-Day Vulnerabilities: An Overview

    Among the vulnerabilities patched today, six are classified as zero-day flaws, meaning they were exploited in the wild before a fix was available. Notably, half of these zero-days pertain to local privilege escalation, which allows attackers to gain higher-level privileges on a compromised system.

    • CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 are three such local privilege escalation vulnerabilities. They enable attackers to achieve SYSTEM-level privileges on vulnerable machines, though they affect different components of the Windows operating system. The details provided by Microsoft are sparse, particularly for the last two flaws, but they are recognized as being exploited actively.
    • CVE-2024-38106 resides in the Windows Kernel and is currently being exploited, with Microsoft noting its high attack complexity. This complexity stems from the need for attackers to win a race condition, a situation that can vary in difficulty. Trend Micro’s Zero Day Initiative (ZDI) emphasizes that despite the high complexity rating, the presence of real-world exploitation suggests that the vulnerability is readily actionable by attackers.
    • CVE-2024-38178 is a remote code execution vulnerability found in the Internet Explorer Mode of the Microsoft Edge browser. This mode, while not enabled by default, is used for legacy websites and applications. The active exploitation of this flaw indicates that attackers are targeting environments where this mode is in use.
    • CVE-2024-38213 allows malware to bypass the “Mark of the Web” security feature, which is responsible for alerting users about files downloaded from the internet. Although this vulnerability is not directly exploitable on its own, it is often part of a larger exploit chain. It may be used to alter malicious documents or executable files to evade detection before distribution.
    • CVE-2024-38189 is a remote code execution flaw affecting Microsoft Project. This vulnerability is only exploitable in environments where notifications about the risks of running VBA Macros are disabled. Given the history of malware hiding within Office Macros, this flaw poses a significant risk to affected users.

    Adobe’s Security Updates

    In addition to Microsoft’s updates, Adobe has released 11 security bulletins addressing at least 71 vulnerabilities across its products, including Illustrator, Photoshop, InDesign, and Acrobat. Adobe has indicated that there is no current evidence of active exploitation of these vulnerabilities.


    Best Practices for Users

    Given the critical nature of these updates, it is crucial for users to stay up-to-date with the latest security patches from Microsoft and Adobe. While it’s recommended to install these updates promptly, waiting a day or two can be prudent. This approach allows time for any immediate issues with the updates to be addressed. Furthermore, backing up data or imaging the Windows drive before applying new updates can prevent data loss in case of problems during the update process.

    For a detailed breakdown of the vulnerabilities addressed, refer to the SANS Internet Storm Center’s list. Administrators managing large Windows environments should also keep an eye on Askwoody.com for insights into any issues specific updates may cause.


  • Netizen: Monday Security Brief (8/12/2024)

    Today’s Topics:

    • Nearly 3 Billion Individuals’ PII Leaked from National Public Data Breach
    • Inside the Polymorphic Trojan: How Browser Extensions are Exploited for Cyber Attacks
    • How can Netizen help?

    Nearly 3 Billion Individuals’ PII Leaked from National Public Data Breach

    In a recent cybersecurity breach involving National Public Data, a background checking company, approximately 2.7 billion records containing sensitive personal information of U.S. citizens were leaked on a hacking forum, leading to a significant class-action lawsuit. The breach has exposed names, Social Security numbers, physical addresses, and possible aliases of individuals across the United States. None of this information was encrypted in any fashion.

    The lawsuit, filed by the plaintiff against National Public Data, centers on the company’s failure to safeguard the personally identifiable information (PII) of its users. According to the complaint, National Public Data had a legal duty to protect the plaintiff’s PII and an ethical duty to protect class members, a duty arising from several sources: the Federal Trade Commission (FTC) Act, contractual obligations, industry standards, and representations made to customers. The complaint argues that National Public Data did not adopt reasonable measures to protect the PII from unauthorized access and disclosure.

    The plaintiff claims that National Public Data derived substantial economic benefits from collecting and using its customers’ PII, and that without the submission of this sensitive information the company could not have provided its services. By obtaining, collecting, and using the PII it needed in order to operate, National Public Data assumed legal and fair duties, yet it failed to protect this information from disclosure.

    The exact details of how and when the breach occurred are not fully disclosed. The lawsuit provides information suggesting that a cybercriminal group known as “USDoD” gained access to National Public Data’s network before April 2024. The cybercriminals were able to exfiltrate billions of unencrypted PII records stored on the company’s network.

    On April 8, 2024, USDoD posted a database titled “National Public Data” on the Dark Web hacker forum “Breached.” They claimed that the database contained 2.9 billion records of U.S. citizens and offered it for sale at $3.5 million. According to reports from VX-Underground, a malware repository, the database contained extensive details about individuals who had not used data opt-out services. These details included:

    • First and last names
    • Current and historical addresses spanning over three decades
    • Social Security numbers
    • Information about family members, including parents, deceased relatives, and siblings

    Malware repository VX-Underground confirmed the authenticity of the data after reviewing the 277.1 GB uncompressed file. The report highlighted that individuals who had used data opt-out services were not present in the database. Those who had not opted out were immediately found.

    Following the first sale attempt by USDoD, portions of the stolen data were released by other threat actors. On August 6, 2024, a hacker named “Fenice” leaked the most complete version of the stolen records. The records were posted for free on the Breached forum. Fenice clarified that the breach was actually carried out by another hacker named “SXUL.”

    The leaked data consisted of two text files totaling 277GB and containing approximately 2.7 billion plaintext records. While it is unknown whether the leak included data for every individual in the U.S., many individuals have verified that their and their family members’ information was included, even for deceased relatives.

    The breach has led to multiple class-action lawsuits against Jerico Pictures, the entity believed to be operating as National Public Data, for failing to protect people’s information adequately.

    Questions You Might Have

    • 1. What legal obligations did National Public Data have to protect my information?
      The lawsuit argues that National Public Data had obligations under the FTC Act, contractual agreements, industry standards, and representations made to customers. These obligations required the company to keep your PII confidential and protect it from unauthorized access.
    • 2. How does the lawsuit claim National Public Data benefited from my information?
      The lawsuit alleges that National Public Data derived substantial economic benefits from collecting and using your PII. The company could not provide its services without requiring customers to submit this sensitive information.
    • 3. What should I do if I suspect my information was part of the breach?
      If you believe your information was compromised in this breach, it is crucial to monitor your credit report for fraudulent activity. You should also be vigilant against phishing attempts and scams that may try to exploit your compromised data.

    This data breach has exposed the personal information of millions of people, leading to serious legal and security concerns. As the aforementioned lawsuit progresses, it will likely provide more insights into the breach’s causes and the potential consequences for National Public Data and those affected.


    Inside the Polymorphic Trojan: How Browser Extensions are Exploited for Cyber Attacks

    Web browser extensions have evolved from niche tools into essential components of the Internet ecosystem, enabling a wide range of functionality and enhancements for users. Many users rely on extensions that are central to their browsing experience, such as uBlock Origin for ad blocking or Honey for discounts. Naturally, with this rise in utility comes increased risk, as bad actors exploit these tools as a new vector for malware distribution. The ReasonLabs Research Team has recently identified a large-scale polymorphic malware campaign that targets web browsers by forcefully installing malicious extensions. These extensions range from simple adware to complex scripts designed to steal sensitive information and execute unauthorized commands.

    The malware, active since 2021, proliferates through imitation download websites, particularly those part of online games and video streaming. These sites deceive users into downloading seemingly legitimate software while actually delivering a trojan that installs harmful extensions. This campaign has affected at least 300,000 users across Google Chrome and Microsoft Edge. Unfortunately, most antivirus engines have yet to detect the installer and the extensions, leaving countless users vulnerable.

    The initial phase of the attack begins with imitation websites that promise popular software such as Roblox FPS Unlocker, YouTube, VLC, or KeePass. Users who download software from these lookalike sites unwittingly receive a trojan instead. The trojan typically registers a scheduled task under a name that mimics legitimate system processes, such as Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2. These tasks are configured to run PowerShell scripts stored in critical system directories, such as C:/Windows/System32/NvWinSearchOptimizer.ps1. The script then downloads additional malicious payloads from a remote server and executes them on the affected machine.

    The malicious PowerShell script contains several functions, each critical to the success of the malware:

    1. Registry Manipulation: The script adds specific registry keys to force the installation of the malicious extensions on Chrome and Edge. These keys ensure the extensions remain active, hijacking search queries and redirecting them to adversary-controlled search engines. Moreover, these extensions cannot be disabled by the user, even with Developer Mode enabled. This manipulation results in the browser displaying the message, “Your browser is managed by your organization,” further complicating detection.
    2. Tampering with Browser Shortcuts: The script modifies browser shortcut files (.lnk) to include parameters that load the local extension dropped by the malware. This local extension focuses on stealing search queries and communicating with a command-and-control (C2) server, making it difficult for users to detect or remove.
    3. Communication with C2 Servers: The script frequently contacts a C2 server to report the malware’s status and receive instructions for further actions. These instructions often involve tampering with browser DLL files, such as msedge.dll, to override default settings like the search engine. The C2 domain used for these communications is relatively new, and few security systems currently recognize it as malicious.

    The PowerShell script used in this campaign is detailed and purpose-built, carrying out each stage of the attack in turn. Below is a breakdown of the script’s key components:

    1. addRegKeys Function: This function is responsible for adding necessary registry paths to ensure the extensions are force-installed. It checks if the relevant registry keys exist and creates them if they do not. The script then uses these keys to install the malicious extensions on Chrome and Edge.
    2. addRegVal Function: After establishing the registry paths, the script contacts the C2 server to receive specific instructions, including which extensions to install. The C2 response contains variables that dictate the installation parameters, such as the extension IDs and registry paths. The script then applies these values, ensuring the extensions are installed and active.
    3. removeUpdates Function: To maintain persistence, the script disables all updates for Chrome and Edge. Browser updates often reset settings to their default state, which would disrupt the malware’s activities. By disabling updates, the script ensures that its modifications remain intact.
    4. Main Function: The final stage of the script involves modifying browser shortcuts and downloading additional files from the C2 server. The script checks the current version of the extension installed and, if necessary, downloads and installs the latest version from the C2. It then traverses all .lnk files on the system, injecting parameters to load the malicious extension. These parameters include disabling Chrome’s outdated build detector and removing protections for Chrome’s sensitive pages.
    5. Command Execution: The script also has a mechanism for executing more commands received from the C2 server. These commands often involve downloading and executing new scripts, ensuring the malware can adapt and evolve over time.
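    The script stages above leave three host artifacts a defender can inventory: scheduled tasks that launch a PowerShell script from System32, force-install policy entries for Chrome and Edge, and browser shortcuts carrying a load-extension switch. The following triage routine is an added example (not ReasonLabs’ or Netizen’s code) that runs those checks over a constructed inventory export; the task names and script path are the ones quoted above, the ExtensionInstallForcelist policy keys and the --load-extension switch are real Chromium names, and the extension IDs, update URLs and the second task are constructed placeholders.

```python
import re

# Policy keys Chromium-based browsers read for force-installed extensions
# (real key names; the description above says the malware writes entries here).
FORCELIST_KEYS = {
    r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    r"HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist",
}
# Extensions the organization deploys on purpose (constructed placeholder ID).
APPROVED_EXTENSIONS = {"a" * 32}
# Scheduled-task names the write-up reports the trojan using.
KNOWN_TASK_NAMES = {
    "Updater_PrivacyBlocker_PR1",
    "MicrosoftWindowsOptimizerUpdateTask_PR1",
    "NvOptimizerTaskUpdater_V2",
}
# A .ps1 under C:\Windows\System32 (either slash style), as in the article.
SYSTEM32_PS1 = re.compile(r"c:[\\/]windows[\\/]system32[\\/][^\s\"']+\.ps1", re.I)
# Chromium's switch for loading an unpacked extension from a directory.
LOAD_EXT = re.compile(r"--load-extension(?:=|\s+)(\"[^\"]+\"|\S+)", re.I)
EXT_ID = re.compile(r"^[a-p]{32}$")  # store extension IDs are 32 chars of a-p


def check_task(rec):
    """Flag known trojan task names and PowerShell scripts run from System32."""
    findings = []
    if rec["name"] in KNOWN_TASK_NAMES:
        findings.append("known trojan task name")
    action = rec.get("action", "")
    if "powershell" in action.lower() and SYSTEM32_PS1.search(action):
        findings.append("PowerShell script launched from System32")
    return findings


def check_forcelist(rec):
    """Flag force-install entries ("<id>;<update_url>") outside the allowlist."""
    if rec["key"] not in FORCELIST_KEYS:
        return []
    ext_id = rec["data"].split(";", 1)[0].strip().lower()
    if not EXT_ID.match(ext_id):
        return ["malformed force-install entry"]
    if ext_id not in APPROVED_EXTENSIONS:
        return [f"unapproved force-installed extension {ext_id}"]
    return []


def check_shortcut(rec):
    """Flag browser shortcuts whose arguments load an unpacked extension."""
    match = LOAD_EXT.search(rec.get("arguments", ""))
    if not match:
        return []
    path = match.group(1).strip('"')
    return [f"shortcut loads unpacked extension from {path}"]


CHECKS = {"task": check_task, "registry": check_forcelist, "shortcut": check_shortcut}


def triage(records):
    """Run the check matching each record's kind; return (kind, label, finding) hits."""
    hits = []
    for rec in records:
        label = rec.get("name") or rec.get("key") or rec.get("path")
        for finding in CHECKS.get(rec["kind"], lambda r: [])(rec):
            hits.append((rec["kind"], label, finding))
    return hits


# Constructed inventory export: one infected-looking host next to clean entries.
SAMPLE_RECORDS = [
    {"kind": "task", "name": "NvOptimizerTaskUpdater_V2",
     "action": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\System32\NvWinSearchOptimizer.ps1"},
    {"kind": "task", "name": "ExampleVendorUpdateTask",
     "action": r"C:\Program Files\ExampleVendor\update.exe /silent"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
     "data": "a" * 32 + ";https://clients2.google.com/service/update2/crx"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist",
     "data": "bcdefghijklmnopabcdefghijklmnopa;http://updates.example.invalid/update.xml"},
    {"kind": "shortcut", "path": r"C:\Users\Public\Desktop\Google Chrome.lnk",
     "arguments": r'--load-extension="C:\ProgramData\ext\local" --no-first-run'},
    {"kind": "shortcut", "path": r"C:\Users\Public\Desktop\Microsoft Edge.lnk",
     "arguments": ""},
]

if __name__ == "__main__":
    for kind, label, finding in triage(SAMPLE_RECORDS):
        print(f"[{kind}] {label}: {finding}")
```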

    The widespread nature of this malware campaign highlights the significant threat posed by malicious browser extensions. By leveraging PowerShell scripts and C2 communication, the attackers have created a highly persistent and adaptable form of malware. The impact on affected users is severe: stolen search queries, unauthorized command execution, and the potential for further data exfiltration.

    To mitigate this threat, it is crucial to stay vigilant when downloading software, especially from unverified sources. Users should also regularly review their browser extensions and system processes for any signs of unusual activity. Organizations should consider implementing additional security measures, such as endpoint protection solutions, to detect and block such attacks.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Case Study: 2024 KnowBe4 North Korean Insider Threat

    Overview

    KnowBe4, a cybersecurity firm based in Florida that specializes in phishing training simulations, recently faced a security incident involving an insider threat. The situation unfolded in mid-July, when KnowBe4 hired an employee who was later discovered to have used a stolen identity to gain access to their systems. This individual, initially hired as a Principal Software Engineer, had posed as a candidate with the help of an AI-generated photo and a stolen U.S.-based identity.

    On July 15th, 2024, KnowBe4 sent the employee a Mac workstation. As soon as the workstation was received and powered on, it began installing malware, which triggered alerts from KnowBe4’s endpoint detection and response software. The Security Operations Center (SOC) team observed suspicious activity originating from the employee’s account at 9:55 pm EST and contacted the new hire to investigate the anomalies. The individual initially attributed the issues to troubleshooting actions on their router; however, further scrutiny revealed attempts to alter session history files, transfer files, and run software. It was also discovered that the perpetrator used a Raspberry Pi device to facilitate the download of malware.

    Initially cooperative with SOC inquiries, the new hire later stopped responding. By 10:20 pm EST, the SOC had secured the device and halted any further activity. Subsequent inquiries, in cooperation with Mandiant and the FBI, revealed that the person involved was a North Korean agent who had assumed a false identity. The deployment of malware was deliberate and formed part of a plan that also included using VPNs to gain remote access from North Korea.


    Impact

    This incident raised significant concerns; however, it’s worth noting that KnowBe4’s systems remained secure, with no data compromised (or malware executed). Once the suspicious activity was detected, KnowBe4’s SOC acted swiftly to contain the threat. The hacker had access only to basic communication tools—such as email, Slack, and Zoom—with no permissions to enter sensitive systems, customer data, or the company’s internal networks. The workstation provided to the hacker was also highly restricted, containing no preloaded data and equipped solely with endpoint security and management tools. Quick detection and isolation prevented any unauthorized data access or malware execution.

    What the incident did do, however, was reveal weaknesses in KnowBe4’s hiring and vetting processes, especially concerning remote employees. Consequently, the company has tightened these procedures; this includes implementing more stringent steps for shipping workstations and verifying the identities of new hires.

    Although there were no direct financial losses or legal consequences, the company did incur various costs related to investigating the breach, reinforcing security, and updating hiring practices. These measures are essential for maintaining the organization’s ongoing integrity and security.

    The impact and overview provided here are based on public statements and FAQs from KnowBe4 regarding the incident. While Netizen did not directly assist KnowBe4 in this case, the tactics used in this attack are similar to those observed in other social engineering incidents handled by Netizen for various clients.


    What Can Be Learned From This?

    In addressing insider threats similar to the North Korean hacker case reported by KnowBe4, organizations can implement several preventive measures to strengthen their security posture and thereby mitigate the effects of such threats.

    One of the most effective strategies for preventing insider threats is comprehensive end-user awareness and training. Insiders, whether malicious or inadvertently negligent, often contribute to security breaches through a lack of knowledge or improper behavior. Regular training sessions—ideally conducted on a quarterly basis—should focus on educating employees about the dangers of insider threats, recognizing suspicious activity, and adhering to best practices for data protection. Training should cover topics such as maintaining strong passwords, recognizing phishing attempts, and understanding the importance of reporting unusual behavior. For example, employees should be instructed on how to handle confidential information and the importance of verifying unusual requests or communications.

    User and Entity Behavior Analytics (UEBA) tools are essential for identifying potential insider threats. UEBA tools analyze user behavior patterns to detect anomalies that may indicate malicious activity. A notable example is Splunk UBA, which helps establish baselines for normal user activities and flags deviations. Data loss prevention solutions also play an important role in monitoring and controlling the movement of sensitive data. Symantec Data Loss Prevention is a widely used DLP tool that can help organizations prevent unauthorized access and data transfers.

    Multifactor Authentication (MFA) is another very important component of a layered security approach designed to ward off insider threats. While MFA is often associated with mitigating external threats, it has also proven effective in preventing unauthorized access by insiders. MFA requires users to provide multiple forms of verification before gaining access to critical systems or data, including verification methods like one-time passcodes, biometric verification, or hardware tokens. By implementing MFA, organizations add an additional layer of security—reducing the risk of unauthorized access, even if credentials are compromised.

    Implementing network segmentation and strict access controls helps to contain and limit the potential impact of insider threats. By segmenting the network into distinct areas and applying access controls based on job roles and responsibilities, organizations can ensure that sensitive data and systems are accessible only to authorized personnel. For instance, a finance department should have separate network segments from other departments, with restricted access controls in place. This approach not only prevents unauthorized access but also limits the spread of malicious activity within the network.

    Effective monitoring and incident response are essential for managing insider threats. Continuous monitoring of user activities and network traffic can help identify unusual behavior that may indicate a potential threat. SIEM tools like Wazuh provide scalable and flexible log and event monitoring—enabling organizations to track user actions and detect anomalies. Coupled with a well-defined incident response plan, organizations can ensure that any suspicious activities are promptly investigated and addressed. This includes having clear procedures for handling and mitigating security incidents.

    Policy and procedure documentation is vital for managing insider threats. Organizations should develop and maintain detailed policies that outline procedures for reporting suspicious behavior, handling data breaches, and conducting regular security audits. Clear documentation helps ensure that all employees are aware of their responsibilities and the steps to take if they suspect malicious activity. Well-defined policies and procedures contribute to a structured and effective response to insider threats—minimizing confusion and improving overall security posture.

    By adopting these preventive measures, organizations can better safeguard against insider threats and reduce the impact of any potential incidents. Effective training, detection tools, access controls, and monitoring systems are key components of defense strategies—helping to protect sensitive information and maintain organizational security.



  • Understanding Policy Enforcement Points (PEP)

    A Policy Enforcement Point (PEP) is a critical component within the Attribute-Based Access Control (ABAC) architecture, ensuring the protection of enterprise data by enforcing access control. ABAC, also known as policy-based access control for Identity and Access Management (IAM), determines a subject’s authorization to perform specific operations by evaluating attributes associated with the subject, object, requested operations, and environmental factors.

    ABAC Architecture Overview

    ABAC comprises several key components:

    • Policy Enforcement Point (PEP): PEPs are responsible for protecting applications and data. They inspect requests and generate authorization requests, which are then sent to the Policy Decision Point (PDP).
    • Policy Decision Point (PDP): PDPs evaluate incoming requests against configured policies, returning a Permit/Deny decision. They may also use Policy Information Points (PIPs) to retrieve missing metadata.
    • Policy Information Point (PIP): PIPs connect the PDP to external attribute sources, such as LDAP or databases.
    • Policy Administration Point (PAP): PAPs manage policies, providing a centralized repository for policy administration.

    How Does a Policy Enforcement Point Work?

    In the ABAC architecture, a PEP functions by intercepting a user’s request to access a resource. It forms an authorization request based on the user’s attributes, the resource in question, the intended action, and other relevant details. This request is then sent to the PDP, which evaluates it against existing policies and decides whether access should be granted. The decision is communicated back to the PEP, which either allows or denies access based on the PDP’s evaluation.

    Importance of Policy Enforcement Points

    PEPs play a crucial role in maintaining security within an application by ensuring access control is enforced consistently and independently at multiple points. They work closely with PDPs to interpret policies and control access, without requiring complex authorization logic. This decentralized approach is particularly effective in SaaS applications, APIs, microservices, or any part of the application requiring stringent access control.

    PEP Implementation

    Implementing a PEP involves determining where access control enforcement should occur within an application. It is recommended to integrate PEPs at API endpoints to serve as logical checkpoints between different application functions. In monolithic applications, PEPs may be embedded within the application’s logic.

    The PEP requests an authorization decision from the PDP, typically by sending a request to a RESTful API exposed by the PDP. The PDP returns the decision in JSON format, which the PEP then evaluates to determine whether access should be granted. For more complex scenarios, PEPs may need to interpret more detailed JSON responses. Packaging PEP code as a reusable library or artifact in the preferred programming language can streamline integration across the application.
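    The request flow just described, as an added example rather than any product’s code: a PEP at an API endpoint forms the authorization request, a PDP evaluates it against policies (pulling a missing attribute from a PIP), and the decision travels back as JSON. The directory, policies, attribute names and the in-process `decide` callable (standing in for the HTTP call to the PDP’s REST API) are all constructed for this example; the one design point worth copying is that the PEP treats anything other than an explicit Permit, including a malformed response, as Deny.

```python
import json

# ---- PIP: bridges the PDP to an external attribute source. A constructed
# in-memory directory stands in for LDAP or a database here.
DIRECTORY = {
    "alice": {"department": "finance", "clearance": 2},
    "bob": {"department": "engineering", "clearance": 1},
}


def pip_lookup(subject_id, attribute):
    """Return one subject attribute from the directory, or None if unknown."""
    return DIRECTORY.get(subject_id, {}).get(attribute)


# ---- PAP: the policy repository. Each policy is a predicate over the four
# attribute categories ABAC evaluates: subject, object (resource), action
# and environment. Both policies are constructed for this example.
def finance_can_read_ledgers(req):
    return (req["action"] == "read"
            and req["resource"]["type"] == "ledger"
            and req["subject"].get("department") == "finance")


def cleared_staff_write_in_business_hours(req):
    return (req["action"] == "write"
            and req["resource"]["type"] == "ledger"
            and req["subject"].get("clearance", 0) >= 2
            and 8 <= req["environment"]["hour"] < 18)


POLICIES = [finance_can_read_ledgers, cleared_staff_write_in_business_hours]


# ---- PDP: evaluates a JSON authorization request and answers with JSON.
def pdp_decide(request_json):
    req = json.loads(request_json)
    # Fetch attributes the PEP did not supply through the PIP.
    for attr in ("department", "clearance"):
        if attr not in req["subject"]:
            value = pip_lookup(req["subject"]["id"], attr)
            if value is not None:
                req["subject"][attr] = value
    decision = "Permit" if any(policy(req) for policy in POLICIES) else "Deny"
    return json.dumps({"decision": decision})


# ---- PEP: intercepts the request at the API endpoint, forms the
# authorization request, and enforces the PDP's answer.
class AccessDenied(Exception):
    pass


def pep_decision(subject_id, action, resource, environment, decide=pdp_decide):
    """Return True only on an explicit Permit. A malformed, missing or
    unexpected PDP response counts as Deny, so the PEP fails closed."""
    request = {
        "subject": {"id": subject_id},
        "action": action,
        "resource": resource,
        "environment": environment,
    }
    try:
        response = json.loads(decide(json.dumps(request)))
        return response.get("decision") == "Permit"
    except (ValueError, TypeError, AttributeError):
        return False


def pep_enforce(subject_id, action, resource, environment, decide=pdp_decide):
    if not pep_decision(subject_id, action, resource, environment, decide):
        raise AccessDenied(f"{subject_id} may not {action} {resource['id']}")


def handle_ledger_read(subject_id, ledger_id, hour=10):
    """A protected application function guarded by the PEP checkpoint."""
    pep_enforce(subject_id, "read", {"type": "ledger", "id": ledger_id},
                {"hour": hour})
    return f"ledger {ledger_id} contents"


if __name__ == "__main__":
    print(handle_ledger_read("alice", "L-1"))
    try:
        handle_ledger_read("bob", "L-1")
    except AccessDenied as exc:
        print("denied:", exc)
```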

    Conclusion

    Policy Enforcement Points (PEPs) are essential for robust access control in modern applications. They ensure that access policies are enforced consistently, adapt to changing security requirements, and provide logging and monitoring capabilities for compliance and post-incident analysis. By effectively implementing PEPs, organizations can enhance their security posture, reduce the risk of unauthorized access, and ensure compliance with security policies.

  • ESXi Hypervisor Critical Vulnerability (CVE-2024-37085) and Ransomware Exploitation

    Microsoft researchers identified a critical vulnerability in ESXi hypervisors that ransomware operators could exploit to gain full administrative permissions over a domain-joined hypervisor. ESXi is a bare-metal hypervisor that gives direct control over the underlying hardware and hosts virtual machines, often important ones within a network. In a ransomware attack, full administrative access to an ESXi hypervisor lets threat actors encrypt its file system, disrupting every hosted server. It also gives them access to all hosted VMs, enabling data exfiltration or lateral movement within the network.

    The vulnerability, identified as CVE-2024-37085, stems from a default domain group to which ESXi hypervisors grant full administrative access without proper validation. Microsoft disclosed this finding to VMware through Coordinated Vulnerability Disclosure via Microsoft Security Vulnerability Research, and VMware released a security update in response. Microsoft recommends that ESXi server administrators apply these updates and follow the mitigation and protection guidelines therein.


    Vulnerability Analysis and Exploitation Techniques

    Microsoft security researchers observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest exploiting this vulnerability. In many cases, these attacks led to deployments of Akira and Black Basta ransomware. The exploitation technique involves running commands to create a group named “ESX Admins” in the domain and adding a user to it:

    net group "ESX Admins" /domain /add
    net group "ESX Admins" username /domain /add

    This method leverages the vulnerability in domain-joined ESXi hypervisors, allowing attackers to elevate privileges to full administrative access. The vulnerability arises because ESXi hypervisors consider any member of a group named “ESX Admins” to have full administrative access by default, even if the group did not originally exist. This group is not a built-in group in Active Directory and does not exist by default, and the membership is determined by name rather than security identifier (SID).

    Researchers identified three exploitation methods:

    1. Creating the “ESX Admins” Group: This method, actively exploited in the wild, involves creating the “ESX Admins” group and adding a user to it. Any domain user with the ability to create a group can escalate privileges by creating such a group and adding themselves or other users to it.
    2. Renaming a Group: This method involves renaming any group in the domain to “ESX Admins” and adding a user or using an existing member to escalate privileges. This method has not been observed in the wild by Microsoft.
    3. Privileges Refresh: Even if the network administrator assigns another group to manage the ESXi hypervisor, the full administrative privileges of the “ESX Admins” group are not immediately removed, allowing threat actors to abuse it. This method also has not been observed in the wild by Microsoft.

    Ransomware Operators Targeting ESXi Hypervisors

    Over the past year, ransomware actors have increasingly targeted ESXi hypervisors. They are popular in corporate networks and are often targeted because many security products offer limited visibility into and protection for them. Encrypting an ESXi hypervisor’s file system enables one-click mass encryption of the hosted VMs, and the resulting disruption gives threat actors more time and opportunity for lateral movement and credential theft.

    Microsoft has observed various ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, supporting or selling ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper. The number of Microsoft Incident Response engagements involving ESXi hypervisor attacks has more than doubled in the last three years.


    Black Basta Ransomware Deployment by Storm-0506

    This critical hypervisor vulnerability has been exploited in the wild, and to great effect. Earlier this year, an engineering firm in North America was hit by a Black Basta ransomware deployment by Storm-0506. The attack exploited the CVE-2024-37085 vulnerability to gain elevated privileges on ESXi hypervisors. The threat actor initially accessed the organization via a Qakbot infection, followed by exploiting a Windows CLFS vulnerability (CVE-2023-28252) to elevate privileges on affected devices. They used Cobalt Strike and Pypykatz to steal domain administrator credentials and move laterally to domain controllers.

    On the compromised domain controllers, the attacker installed persistence mechanisms using custom tools and a SystemBC implant. They attempted to brute force RDP connections and installed Cobalt Strike and SystemBC on multiple devices. The attacker then created the “ESX Admins” group, added a new user, and used this access to encrypt the ESXi file system, affecting the hosted VMs. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint stopped encryption attempts on devices with the unified agent installed.


    Mitigation and Protection Guidance

    Microsoft advises organizations using domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. Additional recommendations include:

    • Install Software Updates: Ensure the latest security updates from VMware are installed on all domain-joined ESXi hypervisors. If updates cannot be installed immediately, validate the “ESX Admins” group exists in the domain and is hardened. Manually deny access to this group in the ESXi hypervisor settings, change the admin group, and add custom detections in XDR/SIEM for new group names.
    • Credential Hygiene: Protect highly privileged accounts by enforcing multifactor authentication (MFA), enabling passwordless authentication methods, and isolating privileged accounts from productivity accounts.
    • Improve Critical Assets Posture: Identify and protect critical assets such as ESXi hypervisors and vCenters with the latest security updates, proper monitoring procedures, and backup and recovery plans.
    • Identify Vulnerable Assets: Deploy authenticated scans of network devices using SNMP via the Microsoft Defender portal to identify vulnerabilities in network devices like ESXi.

    Detection and Threat Intelligence

    Microsoft Defender for Endpoint and Microsoft Defender for Identity provide alerts that can indicate associated threat activity, such as suspicious modifications to the “ESX Admins” group, suspicious Windows account manipulation, and compromised accounts conducting hands-on-keyboard attacks. Microsoft customers can use reports in Microsoft Defender Threat Intelligence to get up-to-date information about threat actors and techniques. Hunting queries are available for Microsoft Defender XDR and Microsoft Sentinel to detect related activities.
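    The three exploitation methods above (creating the group, renaming a group to it, and adding members) each leave a Windows Security event on the domain controller: 4727 (security-enabled global group created), 4728 (member added to such a group), and 4781 (account name changed). The following hunt is an added example, not Microsoft’s hunting query or Netizen’s tooling; the event records are constructed to mirror those events’ fields, the group name is compared after case and whitespace normalization because ESXi matches by name rather than SID, and the severity ladder follows the create-then-add sequence seen in the Storm-0506 intrusion.

```python
from datetime import datetime, timedelta

# Normalized form of the group name ESXi treats as administrators. ESXi
# matches by name, not SID, so the comparison ignores case and extra spaces.
TARGET_GROUP = "esx admins"


def norm(name):
    return " ".join(name.split()).lower()


def classify(event):
    """Describe an event that creates, renames or adds to the watched group.
    Returns None for events that do not touch it."""
    eid = event["EventID"]
    who = event["SubjectUserName"]
    if eid == 4727 and norm(event["TargetUserName"]) == TARGET_GROUP:
        return f"group '{event['TargetUserName']}' created by {who}"
    if eid == 4728 and norm(event["TargetUserName"]) == TARGET_GROUP:
        return f"{event['MemberName']} added to '{event['TargetUserName']}' by {who}"
    if eid == 4781 and norm(event["NewTargetUserName"]) == TARGET_GROUP:
        return (f"'{event['OldTargetUserName']}' renamed to "
                f"'{event['NewTargetUserName']}' by {who}")
    return None


def hunt(events, approved_members=frozenset(), window=timedelta(hours=1)):
    """Return (severity, description) pairs. Creation and rename are always
    high: per the guidance above the group should already exist and be
    hardened. A member add is low for approved members (lower-cased names),
    high otherwise, and critical when it follows a creation or rename
    within `window`."""
    findings = []
    last_change = None  # time of the most recent creation or rename
    for ev in sorted(events, key=lambda e: e["Time"]):
        description = classify(ev)
        if description is None:
            continue
        if ev["EventID"] in (4727, 4781):
            severity = "high"
            last_change = ev["Time"]
        else:
            member = ev["MemberName"].lower()
            severity = "low" if member in approved_members else "high"
            if last_change is not None and ev["Time"] - last_change <= window:
                severity = "critical"
        findings.append((severity, description))
    return findings


T0 = datetime(2024, 7, 1, 9, 0)  # constructed timestamp
# Constructed records mirroring the fields of Security events 4727, 4728 and
# 4781. MemberName is simplified; real 4728 events carry a distinguished name.
SAMPLE_EVENTS = [
    {"Time": T0, "EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins"},
    {"Time": T0 + timedelta(minutes=5), "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "MemberName": "CORP\\jdoe"},
    {"Time": T0 + timedelta(hours=2), "EventID": 4728, "SubjectUserName": "hradmin",
     "TargetUserName": "Domain Users", "MemberName": "CORP\\newhire"},
    {"Time": T0 + timedelta(days=1), "EventID": 4781, "SubjectUserName": "svc-hr",
     "OldTargetUserName": "HR-Staff", "NewTargetUserName": "esx  ADMINS"},
]

if __name__ == "__main__":
    for severity, description in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {description}")
```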



  • Open Source Adoption: Switzerland Leads the Way with EMBAG Legislation

    Switzerland has recently enacted the “Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks” (EMBAG), a landmark legislation that mandates the use of open-source software (OSS) in the public sector. This law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This initiative, driven by the “public money, public code” principle, aims to enhance transparency, security, and efficiency in government operations.


    Background

    The journey towards EMBAG began in 2011 with the Swiss Federal Supreme Court’s release of Open Justitia, a court application published under an OSS license. This move faced opposition from proprietary software vendors and sparked a decade-long political and legal battle. Finally, in 2023, EMBAG was passed, marking a significant shift towards open-source adoption in Switzerland.

    Key Provisions of EMBAG

    The EMBAG law mandates several key actions:

    • Open Source Requirement: Public bodies must disclose the source code of developed software unless restricted by third-party rights or security concerns.
    • Open Government Data: Non-personal and non-security-sensitive government data must be released as Open Government Data (OGD).

    The Thought Process Behind Switzerland’s Decision

    Professor Dr. Matthias Stürmer, a leading advocate for the law, emphasized its potential benefits for the government, the IT industry, and society. Open-source software reduces vendor lock-in, encourages digital business expansion, and potentially lowers IT costs while improving services for taxpayers. Implementing EMBAG aims to promote digital sovereignty and encourage innovation and collaboration within the public sector. The Swiss Federal Statistical Office (BFS) is leading the law’s implementation, although organizational and financial aspects of OSS releases still need to be clarified.


    Comparison with the US

    Despite the clear advantages seen in Switzerland, the United States has been more reluctant to fully embrace open-source software. The US government’s approach to OSS is characterized by cautious and incremental adoption rather than sweeping mandates. The US Federal Source Code Policy requires federal agencies to release at least 20% of new custom-developed code as OSS but does not mandate its use across all government software. Similarly, the General Services Administration (GSA) promotes an “open first” approach but stops short of a full commitment to open-source software.

    One major reason for the US’s hesitant stance is security. The US government prioritizes secure software development and the protection of the open-source ecosystem. The Biden-Harris Administration’s National Cybersecurity Strategy (NCS) emphasizes the need for secure software, including investments in memory-safe languages and secure software development techniques. Efforts to enhance OSS security are ongoing, with initiatives led by agencies like CISA.


    OSS and The CrowdStrike Incident

    The reluctance to adopt open-source software in the US was highlighted by the CrowdStrike incident, where a significant security breach exposed sensitive information. If CrowdStrike’s software had been open source, the security community could have identified and patched vulnerabilities much more quickly. Because CrowdStrike’s software is closed source, IT teams around the world struggled far more than necessary to resolve the mass BSODs during the incident. Open-source software allows more eyes on the code, increasing the likelihood that security flaws are identified before they can be exploited.


    Advantages of Open Source as a Whole

    Open-source software offers numerous advantages over closed-source alternatives. It promotes transparency, allowing users to inspect the code and understand how their data is being handled. This transparency can build trust and ensure that software behaves as expected without hidden functionalities. Open-source software also fosters innovation by allowing developers to build upon existing code, accelerating the development of new features and technologies. Moreover, it can lead to cost savings by reducing the need for expensive proprietary licenses and allowing for community-driven support and development. As Switzerland has demonstrated, embracing open-source software can lead to more secure, efficient, and transparent government operations, providing a model for other countries to follow.


    Conclusion

    Switzerland’s decisive move towards open-source software sets a compelling example of transparency, security, and efficiency in government operations. While the US recognizes the importance of OSS, its approach remains cautious, prioritizing security and coordinated strategies over broad mandates. As global digital infrastructure continues to evolve, the US may need to reassess its stance on open-source adoption to fully leverage the benefits seen in European counterparts. By understanding these dynamics, security professionals and policymakers can better advocate for more secure and transparent digital governance.



  • Netizen: Monday Security Brief (8/5/2024)

    Today’s Topics:

    • DDoS Attack Triggers Microsoft Global Outage
    • State-Sponsored Chinese Hackers Target Japanese Organizations with LODEINFO Malware
    • How can Netizen help?

    DDoS Attack Triggers Microsoft Global Outage

    On July 30, 2024, a Distributed Denial-of-Service (DDoS) attack caused a global outage of Microsoft services. The tech giant revealed that an error in its DDoS protection measures worsened the situation instead of mitigating it.

    The outage lasted for about 10 hours, from 11:45 UTC to 19:43 UTC, affecting various Microsoft platforms, including Outlook, Azure, and Minecraft. Microsoft cloud services like Intune and Entra were also impacted. Multiple organizations, such as banks, courts, and utility services, reported issues.

    Microsoft described an “unexpected usage spike” that led to Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, causing errors, timeouts, and latency spikes. Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, noted that although the outage was short and affected only a subset of services, its impact was significant for many users.

    In response, Microsoft made networking configuration changes to support its DDoS protection efforts and performed failovers to alternate networking paths. These actions mitigated most of the issues by 14:10 UTC, with normal service levels resuming globally by 19:43 UTC. The incident was declared mitigated at 20:48 UTC.

    Microsoft apologized to customers via its X account and promised to publish a Preliminary Post Incident Review (PIR) within 72 hours to provide more details on the event and its response.

    The outage’s ripple effects were felt across various sectors. Cambridge Water, the HM Courts and Tribunals Service, and NatWest were among the organizations impacted. Customers around the world experienced difficulties accessing websites and services dependent on Microsoft’s platforms. Microsoft’s quick response and fix brought improvement, and the situation was monitored to ensure full recovery.

    This incident occurred just days after a major outage caused by a flawed software update from cybersecurity firm CrowdStrike, which affected millions of computers worldwide and resulted in substantial financial losses and lawsuits.

    The outage coincided with Microsoft’s financial update, where the company reported weaker-than-expected growth in its April-June period, causing shares to drop by 2.7% in after-hours trading. Despite these challenges, revenue in the “intelligent cloud” unit rose 21% year-on-year, contributing to an overall revenue increase of 15% to $64.7 billion, with profit rising 11% to $22 billion.


    State-Sponsored Chinese Hackers Target Japanese Organizations with LODEINFO Malware

    A Chinese state-sponsored hacking group known as Stone Panda (APT10) has been exploiting antivirus software to deploy a new version of the LODEINFO malware against high-value targets in Japan. These targets include media groups, diplomatic agencies, government organizations, public sector entities, and think tanks.

    The LODEINFO backdoor malware includes several advanced capabilities. It can download and upload files to and from Command and Control (C2) servers, inject shellcode into memory, kill processes using process IDs, change directories, send malware and system information, take screenshots, encrypt files using an AES key, and execute commands via Windows Management Instrumentation (WMI). Additionally, it has configuration capabilities, although the implementation is incomplete.

    First discovered in 2019, LODEINFO has been continuously updated and improved to enhance its sophistication as a cyber-espionage tool. The malware and its infection methods have evolved to evade security products and complicate analysis by security researchers. Recent versions, such as v0.6.6 and v0.6.7, include support for Intel 64-bit architecture, reflecting the attackers’ focus on expanding their target environments.

    Improvements in LODEINFO include the implementation of the Vigenère cipher, a complex infection flow with fileless malware, partial XOR encryption, C2 communication packets with unique data structures and variable lengths, and the use of password-protected documents. These updates indicate a concentrated effort by APT10 to make detection, analysis, and investigation more challenging.

    The updated TTPs and enhancements in LODEINFO highlight the persistent threat posed by APT10 and their focus on sophisticated cyber-espionage operations. The attackers’ ability to continuously improve their malware to evade detection underscores the need for robust cybersecurity measures.

    Maintaining a secure infrastructure with the latest antivirus software tools and constant vigilance is critical to defending against sophisticated malware like LODEINFO. Organizations are advised to stay updated on the latest threat intelligence and ensure their security measures are robust and up-to-date.

