Cybersecurity 🔐 And Much More Newsletter 📪 — Week 15 (2022)
Welcome to my weekly newsletter. If you are not yet subscribed, please do. It covers books, articles, tech, tips, and of course interesting things about cybersecurity.
🚨 It’s Patch Tuesday 🗓 Week, and The list is long!
Microsoft published fixes for 140 vulnerabilities across its product line this month, 10 of them rated [Critical]. Here is a quick look at some of the critical ones:
- 02 x [Critical] RCE (Remote Code Execution) vulnerabilities in Windows NFS (exploitable only on hosts where the NFS server role is enabled). See CVE-2022-24491 and CVE-2022-24497.
- 01 x [Critical] RCE vulnerability in Windows SMB, exploitable by convincing a user to connect to a malicious SMB server; blocking outbound TCP 445 at the network perimeter limits the exposure. See CVE-2022-24500.
- 01 x [Critical] RCE vulnerability in Windows LDAP that allows an attacker to execute arbitrary code on the victim's machine. See CVE-2022-26919. Microsoft notes it is only exploitable when the MaxReceiveBuffer LDAP policy has been raised above its default value, so check that policy when prioritising the patch.
📰 CISA Adds Nine Known Exploited Vulnerabilities to Catalog
CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.
👾 New Google Chrome Zero-Day Vulnerability
🩹 Google Chrome's updates for Windows, Mac, and Linux will roll out over the coming days and weeks. You can force the update now by opening chrome://settings/help and relaunching the browser.
👾 VMware Releases Security Updates for a Critical RCE
A remote code execution vulnerability (CVE-2022-22966) in VMware Cloud Director was privately reported to VMware, and updates are available to remediate it in the affected products. An authenticated, highly privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit it to gain access to the server.
👾 Juniper Networks Resolved Multiple Critical Vulnerabilities in Contrail Networking
Multiple vulnerabilities (10 in total) in third-party software used in Juniper Networks Contrail Networking have been resolved in release 2011.L4. These issues affect Contrail Networking versions prior to 2011.L4 and were discovered during external security research.
👋 Tips — 🔐 Security — Did You Know that You Can Check Your Security Vendor’s Effectiveness against Threat Actors?
Sounds amazing, yes I know. MITRE Engenuity published the fourth round of the MITRE ATT&CK Evaluations, in which 30 participating security vendors were tested on their ability to defend against the tactics, techniques, and procedures (TTPs) used by two very relevant and sophisticated threat groups, Wizard Spider and Sandworm. The goal is not only to show whether a product can detect and block, but, most notably, whether it explains the reasons (Why?), the impact (What?), and the execution (How?). Link
📝 Note — 🔐 Security — Attack Tactics and Techniques — Holistic View of the Different Tactics used by Threat Actors
Before we get into the techniques, here is an overview of the MITRE ATT&CK framework. It is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, used as a foundation for developing specific threat models and methodologies. Below are the different tactics used by threat actors:
- Reconnaissance — Trying to gather information that can be used to plan future operations.
- Resource Development — Trying to establish resources that can be used to support operations.
- Initial Access — Trying to get into the network.
- Execution — Trying to run malicious code.
- Persistence — Trying to maintain a foothold.
- Privilege Escalation — Trying to gain higher-level permissions.
- Defense Evasion — Trying to avoid being detected.
- Credential Access — Trying to steal account names and passwords.
- Discovery — Trying to figure out the environment.
- Lateral Movement — Trying to move through the environment.
- Collection — Trying to gather data of interest.
- Command and Control — Trying to communicate with compromised systems to control them.
- Exfiltration — Trying to steal data.
- Impact — Trying to manipulate, interrupt, or destroy systems and data.
Next, we will go into detail about each of the tactics.
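Where the tactics earn their keep in practice is as a common vocabulary for detections: every alert gets a technique ID and a tactic, and the tactic sequence on a host reads like the kill chain. The PowerShell below is an added example to show that, not code from the newsletter or from MITRE. The event records and the detection regexes are constructed for illustration; only the technique and tactic IDs are taken from the ATT&CK Enterprise matrix.

```powershell
# Added example (not from the newsletter or from MITRE): tag process-creation
# events with ATT&CK technique and tactic IDs and summarise which tactics each
# host has touched. Event records and detection regexes are constructed for
# illustration; only the technique/tactic IDs come from the ATT&CK Enterprise matrix.

# Rule set: regex over the command line -> technique, name, primary tactic.
# A technique can sit under several tactics (T1053.005 is also Execution and
# Privilege Escalation); one is recorded here to keep the summary readable.
$Rules = @(
    @{ Pattern = 'powershell(\.exe)?\s.*\s-(enc|encodedcommand)\s'; Technique = 'T1059.001'; Name = 'PowerShell';              Tactic = 'TA0002 Execution' }
    @{ Pattern = 'schtasks(\.exe)?\s+/create';                       Technique = 'T1053.005'; Name = 'Scheduled Task';          Tactic = 'TA0003 Persistence' }
    @{ Pattern = 'reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run';      Technique = 'T1547.001'; Name = 'Registry Run Keys';       Tactic = 'TA0003 Persistence' }
    @{ Pattern = 'procdump.*\s-ma\s+lsass';                          Technique = 'T1003.001'; Name = 'LSASS Memory';            Tactic = 'TA0006 Credential Access' }
    @{ Pattern = '^net(\.exe)?\s+(group|user)\s.*/domain';           Technique = 'T1087.002'; Name = 'Domain Account';          Tactic = 'TA0007 Discovery' }
    @{ Pattern = 'psexec|wmic(\.exe)?\s+/node:';                     Technique = 'T1021';     Name = 'Remote Services';         Tactic = 'TA0008 Lateral Movement' }
    @{ Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows';              Technique = 'T1490';     Name = 'Inhibit System Recovery'; Tactic = 'TA0040 Impact' }
)

# Constructed sample events, shaped like Security 4688 / Sysmon Event 1 after parsing.
$Events = @(
    [pscustomobject]@{ Time = '2022-04-12T09:14:02Z'; Computer = 'WS-0042'; User = 'CORP\jdoe';           CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Time = '2022-04-12T09:14:40Z'; Computer = 'WS-0042'; User = 'CORP\jdoe';           CommandLine = 'net group "Domain Admins" /domain' }
    [pscustomobject]@{ Time = '2022-04-12T09:16:11Z'; Computer = 'WS-0042'; User = 'CORP\jdoe';           CommandLine = 'schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon' }
    [pscustomobject]@{ Time = '2022-04-12T09:21:37Z'; Computer = 'WS-0042'; User = 'NT AUTHORITY\SYSTEM'; CommandLine = 'procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp' }
    [pscustomobject]@{ Time = '2022-04-12T09:30:05Z'; Computer = 'WS-0042'; User = 'CORP\svc_backup';     CommandLine = 'wmic.exe /node:FS01 process call create "cmd /c whoami"' }
    [pscustomobject]@{ Time = '2022-04-12T09:31:50Z'; Computer = 'FS01';    User = 'CORP\svc_backup';     CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = '2022-04-12T09:32:10Z'; Computer = 'FS01';    User = 'CORP\svc_backup';     CommandLine = 'notepad.exe C:\Users\svc_backup\notes.txt' }
)

# Return the first matching rule for a command line, or nothing if it is benign.
function Get-AttackTag {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($rule in $Rules) {
        if ($CommandLine -match $rule.Pattern) {   # -match is case-insensitive by default
            return [pscustomobject]@{ Technique = $rule.Technique; Name = $rule.Name; Tactic = $rule.Tactic }
        }
    }
}

# Join each suspicious event with its technique/tactic; untagged events drop out.
$Tagged = foreach ($e in $Events) {
    $tag = Get-AttackTag -CommandLine $e.CommandLine
    if ($tag) {
        [pscustomobject]@{
            Time = $e.Time; Computer = $e.Computer; User = $e.User
            Technique = $tag.Technique; TechniqueName = $tag.Name; Tactic = $tag.Tactic
            CommandLine = $e.CommandLine
        }
    }
}

$Tagged | Sort-Object Time | Format-Table Time, Computer, User, Tactic, Technique, TechniqueName -AutoSize | Out-Host

# Kill-chain view: the sequence of distinct tactics observed on each host, in time order.
foreach ($group in ($Tagged | Group-Object Computer)) {
    $chain = ($group.Group | Sort-Object Time | Select-Object -ExpandProperty Tactic -Unique) -join ' -> '
    Write-Host ("{0}: {1}" -f $group.Name, $chain)
}
```

The per-host chain line is what makes the tactics useful as a model rather than a list: on the workstation it shows Execution leading into Discovery, Persistence, Credential Access and Lateral Movement, and on the file server the Impact step that follows, while the benign notepad launch never appears. In a real pipeline the `$Events` array would come from Get-WinEvent or a SIEM export and the rule set from your detection repository.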
📝 Note — 🔐 Security — Data Protection — What to Consider when Discovering Data?
As I mentioned in some past articles, discovering your data is the first step when planning to protect it, because you cannot protect what you do not know about.
For that, you will need to discover all the data stored on-premises and in the cloud, structured or unstructured (learn more about it here), including the data in your databases, on servers and endpoints, in shared storage, and in archives.
The goal of discovering your data is to identify, catalog, and classify business-critical and sensitive information, then to define or refine the data lifecycle and protect the data according to its criticality and use.
Why might you have to conduct data discovery?
- As an audit requirement.
- Data subjects may request access to their data or ask you to delete it.
- Risk mitigation as part of your data protection program.
- Data migration to the cloud or from one data center to another.
But what are the ways to discover data at rest?
You can run scripts to discover the data you hold or to pull basic information about it, for example using PowerShell to enumerate SMB hosts and shares on the network and to find share folders that are wide open to everyone. This approach is limited in function and scalability, but it is a cheap first pass.
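As an added example of that scripted approach (not from the newsletter or from any vendor), here is a PowerShell sweep that enumerates the shares on a list of hosts, flags share-level and NTFS permissions granted to broad groups, and samples the readable text files for sensitive-data patterns. The host names, output path, file-type list and regexes are assumptions for illustration; it needs WinRM/CIM and SMB access to the targets from the account that runs it.

```powershell
# Added example (not from the newsletter or any vendor): discover SMB shares on a
# set of hosts, flag shares open to broad groups, and grep readable shares for
# sensitive-data patterns. Host list, output path, file types and patterns are
# assumptions. Requires WinRM/CIM (Get-CimInstance, Get-SmbShareAccess) and SMB
# access to the targets from the running account.

$Targets     = @('FS01', 'FS02', 'HR-APP01')          # assumed host list; in practice feed it from AD
$ReportPath  = "$env:TEMP\share-discovery.csv"       # assumed output location
$BroadGroups = 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users'
$TextTypes   = '*.txt', '*.csv', '*.log', '*.xml', '*.json', '*.config', '*.ini', '*.ps1'

# Illustrative patterns: US SSN, 16-digit Visa/Mastercard-style PAN, credentials in config files.
$SensitivePatterns = @{
    'SSN'      = '\b\d{3}-\d{2}-\d{4}\b'
    'PAN'      = '\b(?:4\d{3}|5[1-5]\d{2})[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b'
    'Password' = '\b(password|passwd|pwd)\s*[=:]\s*\S+'
}

function Get-OpenShareReport {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # Type 0 = ordinary disk share; hidden admin shares (C$, ADMIN$, IPC$) have other type values.
            $shares = Get-CimInstance -ClassName Win32_Share -ComputerName $computer -ErrorAction Stop |
                      Where-Object { $_.Type -eq 0 }
        } catch {
            Write-Warning "$computer : cannot enumerate shares ($($_.Exception.Message))"
            continue
        }

        foreach ($share in $shares) {
            $unc      = "\\$computer\$($share.Name)"
            $readable = Test-Path -LiteralPath $unc      # False also when the running account lacks access

            # Share-level permissions granted to broad groups (Full or Change).
            $broadShareAccess = @()
            try {
                $broadShareAccess = Get-SmbShareAccess -CimSession $computer -Name $share.Name -ErrorAction Stop |
                    Where-Object { $_.AccountName -match $BroadGroups -and $_.AccessRight -match '^(Full|Change)$' } |
                    ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }
            } catch { }

            # NTFS permissions on the share root granted to broad groups with write-class rights.
            $broadNtfsAccess = @()
            if ($readable) {
                try {
                    $broadNtfsAccess = (Get-Acl -LiteralPath $unc).Access |
                        Where-Object { $_.IdentityReference -match $BroadGroups -and
                                       $_.FileSystemRights -match 'FullControl|Modify|Write' } |
                        ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }
                } catch { }
            }

            # Sample readable text files for sensitive content; capped so large shares stay tractable.
            $hits = @()
            if ($readable) {
                $files = @(Get-ChildItem -Path $unc -Recurse -Depth 3 -File -Include $TextTypes -ErrorAction SilentlyContinue |
                           Select-Object -First 500)
                foreach ($label in $SensitivePatterns.Keys) {
                    $hits += @($files | Select-String -Pattern $SensitivePatterns[$label] -List -ErrorAction SilentlyContinue |
                               ForEach-Object { "$label=$($_.Path)" })
                }
            }

            [pscustomobject]@{
                Computer         = $computer
                Share            = $share.Name
                Path             = $share.Path
                Readable         = $readable
                BroadShareAccess = ($broadShareAccess -join '; ')
                BroadNtfsAccess  = ($broadNtfsAccess -join '; ')
                SensitiveHits    = $hits.Count
                SampleHits       = (($hits | Select-Object -First 5) -join '; ')
            }
        }
    }
}

$report = Get-OpenShareReport -ComputerName $Targets
$report | Sort-Object SensitiveHits -Descending |
    Format-Table Computer, Share, Readable, BroadShareAccess, BroadNtfsAccess, SensitiveHits -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it as the account whose view you care about: a standard domain user surfaces exactly the "open to everyone" shares that an administrator's sweep would miss, because the admin can read everything anyway. Keep the file-sampling cap small on large shares, expect the pattern matches to need tuning (the PAN regex will flag some order numbers), and treat the resulting CSV as sensitive in its own right, since it points straight at the riskiest data.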
For the commercial tools, you can POC some of the leaders like Varonis, SailPoint, Informatica, or use Proofpoint Data Discover or Microsoft AIP if you have an E3/E5 licensing already.
But the most important thing to remember is people, processes, and technology. It is not about getting the latest and greatest tool; it is about making discovery a continuous process, integrating it into your data lifecycle, and actually mitigating the risk: classifying the data, controlling access to it, archiving or destroying what is no longer needed, and protecting the rest according to its sensitivity.
📝 Note — 📡 Telco/IoT Security — How bad was 1G security?
1G, the first generation of cellular networks, the one that first let us make voice calls from mobile devices, was not designed with security in mind.
In fact, it had critical flaws that led to major threats. 1G carried analogue voice in the clear, with no encryption and no authentication of the handset: anyone with a radio scanner could eavesdrop on calls, and because the identifiers a phone transmitted to the network were also sent in the clear, they could be captured and programmed into another handset to clone it using little more than a phone and a computer. Later on, a PIN code was added to mitigate the risk of cloning.
I remember when I was just a kid 👦🏻 and got my first walkie-talkie 🗣. I was shocked that I could hear strangers talking on the phone while I was just sitting on the floor of my grandma's backyard, using my new toy to discover a new world, a world of frequencies 📡.
☣️ Biotech firm announces results from first US trial of genetically modified mosquitoes
Researchers have completed the first open-air study of genetically engineered mosquitoes in the United States. The results, according to the biotechnology firm running the experiment, are positive. But larger tests are still needed to determine whether the insects can achieve the ultimate goal of suppressing a wild population of potentially virus-carrying mosquitoes.
📚 🤔 Books I’m Currently Reading
Title: Suggestible You: The Science of the Brain’s Ability to Deceive, Transform, and Heal.
Author: Erik Vance
National Geographic’s riveting narrative explores the world of placebos, hypnosis, false memories, and neurology to reveal the groundbreaking science of our suggestible minds. Could the secrets to personal health lie within our own brains? Journalist Erik Vance explores the surprising ways our expectations and beliefs influence our bodily responses to pain, disease, and everyday events. Drawing on centuries of research and interviews with leading experts in the field, Vance takes us on a fascinating adventure from Harvard’s research labs to a witch doctor’s office in Catemaco, Mexico, to an alternative medicine school near Beijing (often called “China’s Hogwarts”). Vance’s firsthand dispatches will change the way you think — and feel.
Expectations, beliefs, and self-deception can actively change our bodies and minds. Vance builds a case for our “internal pharmacy” — the very real chemical reactions our brains produce when we think we are experiencing pain or healing, actual or perceived. Supporting this idea are centuries of placebo research in a range of forms, from sugar pills to shock waves; studies of alternative medicine techniques heralded and condemned in different parts of the world (think crystals and chakras); and most recently, major advances in brain mapping technology. Thanks to this technology, we’re learning how we might leverage our suggestibility (or lack thereof) for personalized medicine, and Vance brings us to the front lines of such a study.
📚 🤩 Books I Recommend Reading
Title: Urgent: Strategies to Control Urgency, Reduce Stress and Increase Productivity.
Author: Dermot Crowley
Urgency, that frantic feeling that we need to be doing more, and faster is a destructive force in today’s workplace. Unnecessary urgency can be toxic, causing stress and burnout. But not all urgency is bad, and sometimes we really do need to get things done quickly. Too little urgency can lead to inaction and lost productivity. So how do we find the right balance where we can use urgency as a meaningful tool to keep productivity up, without generating burnout? Urgent! is a guide to using urgency for good to help achieve your goals, to drive success, and minimize stress for yourself, your teams, and your business.
This book will teach you to moderate urgency for yourself and those you lead. In our age of fast-paced technology, it is easy to swing between extremes, working reactively one minute and being inactive the next. The middle ground described in this book lets us work in the "Active Zone", where we maximize proactivity and productivity. By following the practical strategies outlined in the book, readers will learn to understand urgency, become proactive rather than reactive, and lead teams to their fullest potential.
- Eliminate stress and burnout for yourself, your teams, and your businesses
- Learn how to dial urgency up or down, depending on the situation
- Keep teams working in the optimal productive zone by moderating the urgency
- Stay focused on what’s important and learn prioritization skills to avoid burnout
If you feel that you and your team are caught up in busywork, stressed to the max by competing demands, leaving no room to focus on what really matters, Urgent! will show you a new way of thinking, leading, and responding. Learn the skills to reduce overload, get more done, and achieve better performance each day.
🎙 Podcast — Have you heard about the Pegasus Spyware?
The NSO Group makes spyware called Pegasus, which gives its operator access to the data on a mobile phone. It sells this spyware to government agencies around the world. How is it used, and what kind of company is the NSO Group? That was the subject of Darknet Diaries Episode #100 Special, in case you missed it.
🎥 Videos — The Great Hack
This documentary film is about the rise and fall of Cambridge Analytica, a London-based political consulting firm that worked for the Trump campaign and harvested and used the personal data of nearly 50 million Facebook users without their consent. The firm specialized in psychographic profiling, a methodology that studies users based on psychological characteristics and then influences voter behavior through targeted advertising.
Quote of the Week
“If I have seen further it is by standing on the shoulders of Giants.” ― Isaac Newton, The Correspondence Of Isaac Newton