Security Boulevard
Flare Raises $30M Series B Led by Base 10 Partners to Continue Growth in Security Intelligence and Threat Exposure Management Markets
Today, we at Flare announced our USD $30M Series B Round led by Base10 Partners with participation from Inovia Capital, White Star Capital, and Fonds de solidarité FTQ. We have raised CAD $9.5M to this point, and plan for this fresh round of capital to accelerate our growth. We’ve seen consistent traction with triple digit […]
The post Flare Raises $30M Series B Led by Base 10 Partners to Continue Growth in Security Intelligence and Threat Exposure Management Markets appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.
The post Flare Raises $30M Series B Led by Base 10 Partners to Continue Growth in Security Intelligence and Threat Exposure Management Markets appeared first on Security Boulevard.
Is crypto safe? What to know before investing in digital currencies
The digital currency market is booming, and as security professionals, we must address the crucial question: Is crypto safe? Following the re-election of former President Donald
The post Is crypto safe? What to know before investing in digital currencies appeared first on Security Boulevard.
The Growing Threat of E-Skimming: Why March 2025’s PCI Deadline Matters
by Source Defense The landscape of payment security is at a critical turning point. As we approach the March 31, 2025 PCI compliance deadline for implementing new e-skimming controls, organizations face mounting pressure to address what has become the predominant vector for payment fraud. This isn’t just another compliance checkbox – it represents a fundamental
The post The Growing Threat of E-Skimming: Why March 2025’s PCI Deadline Matters appeared first on Source Defense.
The post The Growing Threat of E-Skimming: Why March 2025’s PCI Deadline Matters appeared first on Security Boulevard.
Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024
Los Angeles, USA, 11th December 2024, CyberNewsWire
The post Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024 appeared first on Security Boulevard.
News alert: DMD Diamond invites developers to participate in open beta for its v4 blockchain
Vienna, Austria, Dec. 11, 2024, CyberNewswire — DMD Diamond, one of the oldest blockchain projects in the space, has announced the start of Open Beta for the DMD Diamond v4 blockchain.
Established in 2013, DMD Diamond is recognized as … (more…)
The post News alert: DMD Diamond invites developers to participate in open beta for its v4 blockchain first appeared on The Last Watchdog.
The post News alert: DMD Diamond invites developers to participate in open beta for its v4 blockchain appeared first on Security Boulevard.
Oasis Security Details MFA Security Flaw Found in Microsoft Cloud Services
Oasis Security today revealed that it worked with Microsoft to fix a flaw in its implementation of multi-factor authentication (MFA) that could have been used by cybercriminals to gain access to every major Microsoft cloud service
The post Oasis Security Details MFA Security Flaw Found in Microsoft Cloud Services appeared first on Security Boulevard.
Auditing the Ruby ecosystem’s central package repository
This is a joint post with the Ruby Central team. The full report, which includes all of the detailed findings from our security audit of RubyGems.org, can be found here. Ruby Central hired Trail of Bits to complete a security assessment and a competitive analysis of RubyGems.org, the official package management system for Ruby applications. […]
The post Auditing the Ruby ecosystem’s central package repository appeared first on Security Boulevard.
DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet
Vienna, Austria, 11th December 2024, CyberNewsWire
The post DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet appeared first on Security Boulevard.
New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers
Recent guidance from CISA and the FBI highlights best practices to monitor and harden network infrastructure. The guidance, published in response to high-profile attacks on telecom infrastructure, is applicable to a wider audience. This blog unpacks important points and explains how Tenable products can help with compliance scans.
In November, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint statement concerning an investigation into cyberattacks on commercial telecommunications infrastructure. The ongoing investigation centers on threat actors believed to be affiliated with the People’s Republic of China (PRC) government. In response to the cyberattacks, U.S. and international government agencies, including CISA and the FBI, authored joint guidance to help network defenders improve network visibility and security. This guidance highlights the importance of monitoring and alerting, but also provides specific ways to strengthen cybersecurity with increased configuration management and strong identity hygiene.
What’s this all about?
The U.S. government has been monitoring PRC-sponsored groups such as Volt Typhoon and Salt Typhoon because it suspects they may be preparing for a large-scale disruption of U.S. critical infrastructure. A press release from mobile telecom provider T-Mobile highlights the activity that it has identified, the controls that it had in place to help prevent a greater threat, as well as how it is collaborating with the authorities’ investigation. According to U.S. government officials, at least eight telecommunications companies have been targeted so far, but there may be more.
The new guidance can help prevent these attacks, whose main goal is reportedly to carry out cyber espionage on behalf of the Chinese government by, among other things, stealing customer call-record data. The guidelines pair well with recommendations in Center for Internet Security (CIS) Benchmarks for specific network devices. CIS Benchmarks are written and maintained by industry professionals with the goal of simplifying the implementation of security controls to help mitigate risk. By using CIS Benchmarks, network and security engineers can identify and harden configurations, and establish a more secure posture as suggested by the guidance.
We’ll be taking a closer look at the specific sections in the recent guidance and highlight CIS Benchmark recommendations that align with these objectives.
Strengthening visibility
This section highlights monitoring and alerting best practices. It breaks these guidelines into two sets of tasks: one for network engineers and another for network defenders. However, the common goal is to help them find and trigger alerts on misconfigurations, changes and user account activity. One key recommendation is to use an independent and centralized log-storage environment, and if possible, a security information and event management (SIEM) solution built specifically to analyze the logs and produce alerts.
Alerting should be focused on configuration changes; configurations that don’t meet specific criteria; and open ports or enabled services. In addition, devices that accept traffic from outside of the network (external facing) should be reviewed to ensure that only necessary services are accessible to and from the internet.
Examples of centralized logging criteria can be found in CIS Benchmarks for Cisco, Fortinet, Juniper Networks and Palo Alto Networks devices:
- Cisco: “Ensure Syslog Logging is configured”
- Fortigate: “Centralized Logging and Reporting”
- Juniper: “Ensure logging data is monitored”
- Palo Alto: “Syslog logging should be configured”
This section also focuses on monitoring user- and service-account logins to ensure that anomalous login activity is detected and prevented. Unused accounts should be disabled whenever possible. Some examples of these criteria can be found in CIS Benchmarks for Check Point Software and Palo Alto Networks devices:
- Check Point: “Ensure Deny access to unused accounts is selected”
- Palo Alto: “Ensure that the User-ID service account does not have interactive logon rights”
The guidance’s section on hardening systems and devices aims to help reduce risk by limiting access to the network and network devices; ensuring that communication is encrypted and secure; and providing more direct guidance with regard to Cisco-based devices. This section includes recommendations regarding access control and network segmentation, provides specific protocol guidelines (such as using only SNMPv3 when SNMP is necessary), and details what is considered to be “strong” encryption.
First, network segmentation helps to limit movement across the network and makes it easier to inspect inbound and outbound traffic. It also helps to maintain a DMZ that contains the services which must face externally (towards the internet) and prevents direct access to backend resources and networks. Segmentation also involves creating and using VLANs, and the recommendation is that these VLANs should be used to group together devices of a similar nature, which is common in most networks. In addition to segmenting the network, the authoring agencies also recommend adopting Transport Layer Security (TLS) everywhere, using strong algorithms. These guidelines can help keep threat actors out of corporate networks, as well as ensure that these actors are limited in what they can do and/or see if they manage to penetrate the outermost defenses.
Another component of segmentation is initializing a default-deny access-control list (ACL), which can be done at the firewall level. This is important for all traffic types, but especially so when isolating management traffic for network devices. Most physical network devices, such as routers and switches, have dedicated ports for management traffic that can be attached to a physically segmented network in order to limit administrative access. Further controls on lateral movement are also recommended for the management network, and it is advisable not to manage devices directly from the internet. Some examples of segmentation and ACL firewall configurations can be found in CIS Benchmarks for Cisco, Juniper Networks, and Palo Alto Networks products:
- Cisco: “Restrict Access to VTY Sessions” and “Ensure explicit deny in access lists is configured correctly”
- Juniper: “Ensure firewall filters contain explicit deny and log term”
- Palo Alto: “Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone”
The guidance further identifies numerous insecure protocols and services and notes that they should be disabled. These include FTP, TFTP, SSHv1, HTTP, and SNMP v1/v2. Additionally, any network protocols or services in use should require authentication when available, including routing protocols. Where SNMP is needed, use SNMP Version 3 with encryption and authentication. Having centralized authentication, authorization, and accounting (AAA) logging is emphasized here, in addition to the earlier mention of syslog configuration. Examples of identifying and disabling protocols can be found in several CIS Benchmarks for Cisco, Fortinet, Juniper Networks, and Palo Alto Networks products:
- Cisco: “Set version 2 for 'ip ssh version'”
- Fortigate: “Disable all management related services on WAN port” and “Ensure only SNMPv3 is enabled”
- Juniper: “Ensure Web-Management is not Set to HTTP”
- Palo Alto: “Ensure HTTP and Telnet options are disabled for the management interface”
The guidance’s Cisco-specific section highlights criteria for Cisco devices. Disabling the Smart Install and Guest Shell features is recommended, as is disabling Telnet in favor of SSH. Specific commands are also provided to disable HTTP-only access so that device management is performed over HTTPS instead. If web UI access is not necessary, the HTTPS service should be disabled as well. The specific password type recommended is type-8 when possible, with type-6 encryption for securing the Terminal Access Controller Access-Control System Plus (TACACS+) key. The document also links to the hardening guide for Cisco IOS XE and a guide for securing NX-OS devices.
Secure by design
The secure-by-design concept helps introduce the security conversation earlier in the development lifecycle. This approach helps ensure that security considerations are addressed at the beginning of the product lifecycle. Customers should make sure that products they plan to buy adhere to this principle. CISA has more information on its “Secure by Design” site. Tenable has committed to a secure-by-design approach, as can be seen in a recent initiative reported on here and here.
How Tenable can help
This overview is meant to give network and security engineers a summary of the best practices, as well as provide insight on how CIS Benchmarks cover many of the guidance’s topics. Still, engineers should read the guidance to ensure they fully understand the material and how it relates to their own networks. It’s equally important to map out the network and understand what devices exist and where they are placed. However, this is only a first step in securing the network.
Tenable has several products, such as Tenable Vulnerability Management, Tenable Security Center, and Nessus, that support auditing a wide array of devices and operating systems using CIS Benchmarks. These products can help with maintaining control over risk factors that threat actors often attempt to exploit. Tenable audits are written to test for the criteria of each automated recommendation in CIS Benchmarks. After an evaluation is run against the target, a result is provided along with remediation text from the CIS Benchmark so that engineers can remediate and harden the device or operating system.
Tenable provides audit files for the following CIS Benchmarks to help organizations assess device configurations:
- CIS Check Point Firewall Benchmark v1.1.0 - Level 1, Level 2
- CIS Cisco ASA 9.x Firewall Benchmark v1.1.0 - Level 1, Level 2
- CIS Cisco Firewall v8.x Benchmark v4.2.0 - Level 1
- CIS Cisco IOS XE 16.x Benchmark v2.1.0 - Level 1, Level 2
- CIS Cisco IOS XE 17.x Benchmark v2.1.1 - Level 1, Level 2
- CIS Cisco IOS XR 7.x v1.0.0 - Level 1, Level 2
- CIS Cisco NX-OS Benchmark v1.1.0 - Level 1, Level 2
- CIS Fortigate 7.0.x Benchmark v1.3.0 - Level 1, Level 2
- CIS Juniper OS Benchmark v2.1.0 - Level 1, Level 2
- CIS Palo Alto Firewall 10 Benchmark v1.2.0 - Level 1, Level 2
- CIS Palo Alto Firewall 11 Benchmark v1.1.0 - Level 1, Level 2
These CIS Benchmarks align with the intent of the CISA hardening guidance. The example below highlights the CIS Cisco IOS XE 17.x v2.1.1 CIS Benchmark, and how it relates to the CISA hardening guidance:
Section 1.1 - Authentication, Authorization and Accounting (AAA) configuration
- Strengthening visibility as AAA logging supports user account login monitoring, and tracking changes
- Hardening systems and devices by providing identity management and policy enforcement
Section 1.2 - Access Rules for device administration
- Hardening systems and devices by restricting device management, and ensuring sessions are limited
Section 1.3 - Banner Rules to communicate legal rights to users
- Strengthening visibility by informing users they are subject to monitoring, and the event logs can support prosecution
Section 1.4 - Password Rules to enforce secure credentials and password lifecycle
- Hardening systems and devices by ensuring strong passwords are utilized, and passwords are securely stored
Section 1.5 - SNMP Rules provides guidance for secure configuration parameters
- Hardening systems and devices by ensuring SNMP is disabled, or is configured with secure parameters
Section 2.1 - Global Service Rules to reduce attack surface and disable unnecessary services
- Hardening systems and devices by disabling unnecessary, unused, exploitable, or plaintext services and protocols
Section 2.2 - Logging Rules configures log collection and forwarding
- Strengthening visibility by collecting event logs, and forwarding to a central log collection source
- Hardening systems and devices by forwarding logs to a central log collection source
Section 2.3 - NTP Rules ensures system time is provided by a single, consistent source
- Strengthening visibility by ensuring a consistent time source for event logs
- Hardening systems and devices by requiring that NTP is authenticated
Section 2.4 - Loopback Rules for configuring device-initiated connections to supporting services such as AAA, SYSLOG, or NTP
- Hardening systems and devices by ensuring that traffic is initiated from a specific source, which can be used to set ACLs/filtering
Section 3.1 - Routing Rules to disable unneeded services
- Hardening systems and devices by disabling unneeded services such as source routing
Section 3.2 - Border Router Filtering defines filtering between internal and external networks
- Hardening systems and devices by implementing a strategy to control inbound and egress traffic
Section 3.3 - Neighbor Authentication configures routing protocol authentication
- Hardening systems and devices by requiring routing protocols are authenticated
- Tenable Nessus
- Tenable Security Center
- Tenable Vulnerability Management
- Tenable Research audits
- Who is CIS?
- "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" joint publication from various U.S. and international government agencies
The post New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers appeared first on Security Boulevard.
AMD Chip VM Memory Protections Broken by BadRAM
Researchers in Europe unveil a vulnerability dubbed "BadRAM" that hackers can easily exploit using $10 hardware to bypass protections in AMD's Epyc server processors used in cloud environments and expose sensitive data stored in memory.
The post AMD Chip VM Memory Protections Broken by BadRAM appeared first on Security Boulevard.
Top 10 Web Design Security Best Practices to Follow in 2025
This blog explores ten essential web design security practices every developer and business should adopt to stay ahead of potential attacks.
The post Top 10 Web Design Security Best Practices to Follow in 2025 appeared first on Security Boulevard.
Cybersecurity Products or Platforms – Which is More Effective?
Understanding the nuances between cybersecurity products and platforms is crucial for enhancing business protections and supporting businesses anywhere.
The post Cybersecurity Products or Platforms – Which is More Effective? appeared first on Security Boulevard.
Leveraging Crypto Agility to Meet DORA Requirements in Financial Services by January 2025
One of the most significant regulatory mandates on the horizon is the European Union’s Digital Operational Resilience Act (DORA).
The post Leveraging Crypto Agility to Meet DORA Requirements in Financial Services by January 2025 appeared first on Security Boulevard.
SOC 2 Policies: What They Should Include and Why They Matter
Learn how SOC 2 policies safeguard data, ensure compliance, and simplify the audit process for your business.
The post SOC 2 Policies: What They Should Include and Why They Matter appeared first on Scytale.
The post SOC 2 Policies: What They Should Include and Why They Matter appeared first on Security Boulevard.
Patch Tuesday Update – December 2024
In this Patch Tuesday edition, Microsoft addressed 72 CVEs, including 1 Zero-Day, 16 Criticals, 54 Important and 1 Moderate—the one Zero-Day was found to be actively exploited in the wild. From an Impact perspective, Escalation of Privilege (EoP) vulnerabilities accounted for 23%, followed by Remote Code Execution (RCE) at 38% and Denial of Service (DoS) …
The post Patch Tuesday Update – December 2024 appeared first on Security Boulevard.
Staying Ahead: The Role of NHIDR in Modern Cybersecurity
Why is NHIDR Crucial in Modern Cybersecurity? For organizations to stay ahead in this dynamic cybersecurity landscape, it’s imperative to embrace innovative and comprehensive security methodologies. One such methodology is Non-Human Identity and Access Management (NHIDR). NHIDR is a revolutionary approach that addresses the increasingly complex security challenges associated with cloud environments. But, what makes […]
The post Staying Ahead: The Role of NHIDR in Modern Cybersecurity appeared first on Entro.
The post Staying Ahead: The Role of NHIDR in Modern Cybersecurity appeared first on Security Boulevard.
Microsoft Patch Tuesday 2024 Year in Review
Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.
Background
Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.
Analysis
In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVEs patched and in 2022, 917 CVEs were patched. While Microsoft has yet to break its 2020 record of 1,245 CVEs patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVEs in a year.
Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.
In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVEs patched per month.
Patch Tuesday 2024 by severity
Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.
Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.
Patch Tuesday 2024 by impact
In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.
Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.
Patch Tuesday 2024 zero-day vulnerabilities
According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks; however, exploitation of these flaws can vary in depth and breadth.
In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.
While these zero-days made up a small portion of the overall CVEs addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below lists these CVEs with some details around their exploitation activity.
- CVE-2024-21338 (Windows Kernel Elevation of Privilege Vulnerability): Exploited by the Lazarus APT Group to deploy the FudModule rootkit
- CVE-2024-21412 (Internet Shortcut Files Security Feature Bypass Vulnerability): Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT)
- CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege Vulnerability): Used to deploy QakBot malware
- CVE-2024-30088 (Windows Kernel Elevation of Privilege Vulnerability): Exploited by APT34 (aka OilRig)
- CVE-2024-38112 (Windows MSHTML Platform Spoofing Vulnerability): Exploited by APT group Void Banshee to deploy the malware known as Atlantida stealer
- CVE-2024-38178 (Scripting Engine Memory Corruption Vulnerability): Exploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt)
- CVE-2024-38193 (Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability): Exploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkit
- CVE-2024-38213 (Windows Mark of the Web Security Feature Bypass Vulnerability): Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. The vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI)
- CVE-2024-43451 (NTLM Hash Disclosure Spoofing Vulnerability): Exploited by the APT known as UAC-0194 to deploy Spark RAT malware
- CVE-2024-43461 (Windows MSHTML Platform Spoofing Vulnerability): Exploited by APT group Void Banshee in an attack chain with CVE-2024-38112
- CVE-2024-49039 (Windows Task Scheduler Elevation of Privilege Vulnerability): Exploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware
Conclusion
As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year-over-year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend.
In June, Microsoft announced that CVEs would be issued for vulnerabilities in cloud-based products, even when no end-user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.
The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.
Get more information
- Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post Microsoft Patch Tuesday 2024 Year in Review appeared first on Security Boulevard.
Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity
Quantum computing was long considered to be part of a distant future. However, it is quickly becoming a reality. Google’s recent announcement of its Willow quantum computing chip is a breakthrough generating significant media attention and questions about the implications for cybersecurity. Google’s Willow advancements are significant because of two major breakthroughs critical to the […]
The post Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity first appeared on Accutive Security.
The post Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity appeared first on Security Boulevard.
Why software composition analysis is essential for open source security
Open source software security and dependency management have never been more critical, as organizations strive to protect their software supply chains while navigating increasing complexity and risks.
The post Why software composition analysis is essential for open source security appeared first on Security Boulevard.
