Robin’s Newsletter #192

20 February 2022. Volume 5, Issue 8
DDoS attacks on Ukraine MoD and banks. French signal jamming. New version of 27002 security control framework.

Fancy a new job? I’m hiring for two roles at Cydea! Both are UK-based remote positions, with some occasional domestic travel. More info on the roles and benefits at the links below:

If you like the idea of positive security and want to work for an innovative, growing cyber consultancy, I’d love to receive your application!

And if you know anyone who you think would be a good fit please send them over to our careers page for more info on the roles and what it’s like to work for Cydea :-)

This week

New version of ISO 27002 security controls

Perhaps not the most exciting news, but hopefully useful for you…

The ISO 27002 standard provides a reference “for determining and implementing controls for information security risk treatment”. Many organisations use it as part of risk management processes to identify and report on security controls present within their environments.

The main changes are in the structure and taxonomy of controls under four main categories:

  • people, if they concern individual people
  • physical, if they concern physical objects
  • technological, if they concern technology
  • organisational, for everything else

Controls also have five attributes that will make cross-reference much easier:

  • Type (Preventive, Detective and Corrective)
  • Properties (Confidentiality, Integrity and Availability)
  • Concepts (Identify, Protect, Detect, Respond and Recover — i.e. the NIST Cybersecurity Framework functions)
  • Operational capabilities (15 ‘practitioners’ perspectives’ of infosec capabilities)
  • Security domains (Governance_and_Ecosystem, Protection, Defence and Resilience)

The controls themselves have also been updated: some have been merged or deleted, and new ones added to reflect the greater focus on response, resilience and cloud in 2022, compared with the previous version published almost a decade ago in 2013.

My initial reaction is that it will make the standard much more useful for users. The attributes, in particular, will help practitioners to quickly check whether they have a balance of controls, or an over-reliance on any one type (for example preventive controls rather than detective ones).

The first parts of the document, and its headings, are available on the ISO website, though you’ll have to fork out CHF 198 to licence the full thing.

PS, if you’re looking to map between the old and new versions, Annex B at the back of the document has a ‘correspondence table’ mapping the old 2013 identifiers to new 2022 ones.

iso.org
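To make the taxonomy above concrete, here is an added example (my own illustration, not code from ISO or from the standard) that models controls carrying the four categories and the attribute vocabularies listed above, runs the kind of balance check described (are we over-reliant on one control type, or missing a type entirely?), and looks identifiers up in a stand-in for the Annex B correspondence table. The control identifiers, names and the old-to-new mappings are constructed placeholders, and the 60% over-reliance threshold is an assumed cut-off, not something the standard defines.

```python
from collections import Counter
from dataclasses import dataclass

# Attribute vocabularies as summarised above for ISO 27002:2022.
CATEGORIES = {"people", "physical", "technological", "organisational"}
TYPES = {"Preventive", "Detective", "Corrective"}
PROPERTIES = {"Confidentiality", "Integrity", "Availability"}
CONCEPTS = {"Identify", "Protect", "Detect", "Respond", "Recover"}
DOMAINS = {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"}
CIA = {"Confidentiality", "Integrity", "Availability"}


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    category: str
    types: frozenset
    properties: frozenset
    concepts: frozenset
    domains: frozenset

    def __post_init__(self):
        # Reject any attribute value outside the standard's vocabularies, so a
        # mistyped tag cannot silently skew the balance check.
        checks = [({self.category}, CATEGORIES), (self.types, TYPES),
                  (self.properties, PROPERTIES), (self.concepts, CONCEPTS),
                  (self.domains, DOMAINS)]
        for values, allowed in checks:
            bad = set(values) - allowed
            if bad:
                raise ValueError(f"{self.ident}: unknown attribute value(s) {sorted(bad)}")


def ctl(ident, name, category, types, props, concepts, domains):
    return Control(ident, name, category, frozenset(types), frozenset(props),
                   frozenset(concepts), frozenset(domains))


# CONSTRUCTED sample catalogue: identifiers and names are placeholders, not
# ISO's actual control numbering or text.
CATALOGUE = [
    ctl("ORG-1", "Access control policy", "organisational", {"Preventive"}, CIA, {"Protect"}, {"Protection"}),
    ctl("ORG-2", "Incident response planning", "organisational", {"Corrective"}, CIA, {"Respond", "Recover"}, {"Defence", "Resilience"}),
    ctl("PPL-1", "Security awareness training", "people", {"Preventive"}, CIA, {"Protect"}, {"Governance_and_Ecosystem"}),
    ctl("PHY-1", "Physical entry controls", "physical", {"Preventive"}, CIA, {"Protect"}, {"Protection"}),
    ctl("TEC-1", "Malware protection", "technological", {"Preventive", "Detective", "Corrective"}, CIA, {"Protect", "Detect"}, {"Protection", "Defence"}),
    ctl("TEC-2", "Logging and monitoring", "technological", {"Detective"}, CIA, {"Detect"}, {"Defence"}),
    ctl("TEC-3", "Information backup", "technological", {"Corrective"}, {"Integrity", "Availability"}, {"Recover"}, {"Resilience"}),
]

# CONSTRUCTED stand-in for the Annex B correspondence table (2013 id -> 2022 id).
# Old ids absent from the table stand for controls that were deleted or merged.
CORRESPONDENCE_2013_TO_2022 = {
    "old-A": "ORG-1", "old-B": "PPL-1", "old-C": "TEC-1", "old-D": "TEC-2", "old-E": "TEC-3",
}


def profile(controls, attribute):
    """Count how many controls carry each value of one attribute (e.g. 'types').
    A control tagged with several values counts once under each of them."""
    counts = Counter()
    for c in controls:
        values = getattr(c, attribute)
        for v in (values if isinstance(values, frozenset) else {values}):
            counts[v] += 1
    return counts


def balance_report(controls, max_share=0.6):
    """Flag a control set that has no controls of some type, or that leans on a
    single type for more than max_share of all type tags (assumed threshold)."""
    by_type = profile(controls, "types")
    total = sum(by_type.values())
    warnings = []
    for t in sorted(TYPES):
        if by_type[t] == 0:
            warnings.append(f"no {t} controls")
        elif total and by_type[t] / total > max_share:
            warnings.append(f"over-reliance on {t} controls ({by_type[t]}/{total})")
    return {"by_type": dict(by_type), "warnings": warnings}


def translate_2013_ids(old_ids):
    """Map 2013 identifiers to 2022 ones via the correspondence table, returning
    (mapped, unmapped) so deleted or merged controls are not lost silently."""
    mapped = {o: CORRESPONDENCE_2013_TO_2022[o] for o in old_ids if o in CORRESPONDENCE_2013_TO_2022}
    unmapped = sorted(set(old_ids) - set(mapped))
    return mapped, unmapped


def controls_by_id(idents):
    wanted = set(idents)
    return [c for c in CATALOGUE if c.ident in wanted]


if __name__ == "__main__":
    # An organisation that has implemented mostly preventive controls.
    implemented = controls_by_id({"ORG-1", "PPL-1", "PHY-1", "TEC-1"})
    print(balance_report(implemented))
    print(translate_2013_ids(["old-A", "old-C", "old-Z"]))
```

Tagging each control once under every attribute value it carries is what lets the same catalogue be sliced by type, by CIA property, by NIST function or by domain with a single `profile()` call; the balance check is just one such slice with a threshold applied.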

Interesting stats

130% growth in the price of cyber insurance cover in the US, and 92% growth in the UK, in the fourth quarter of 2021, according to Marsh ft.com

$4,600 average asking price by Initial Access Brokers (IAB) for unauthorised access to company networks, according to KELA zdnet.com

1,483 companies are active in the UK providing cyber security services (+21% over 2020 figures), with 46,683 ‘full time equivalents’ (FTEs) being employed by these companies, and generating £8.9 billion estimated revenue in 2021, up 7% on 2020, according to UK government figures gov.uk (PDF)

Other newsy bits 

Ukraine’s Ministry of Defense and two banks were taken offline by DDoS attacks

The website of Ukraine’s defence ministry was taken offline by a significant distributed denial of service (DDoS) attack on Thursday. Two banks were also knocked offline, with some ATM services being unavailable and a website being defaced to say ‘WAF is watching you’.

DDoS attacks are often used as cover and a diversionary tactic, drawing attention away from more covert attempts to compromise systems and gain access to networks. The Kremlin has denied it was behind the attacks, which Ukraine’s deputy prime minister said were ‘the largest’ seen by the country.

As the number of attacks in the region increases, concerns remain about fallout and collateral damage, with former NCSC chief Ciaran Martin reminding The Guardian that NotPetya is widely attributed to a previous Russian cyberattack on Ukraine that spiralled out of control.

“If Russia escalates against Ukraine, there’s the risk of another NotPetya-style accident. After all, NotPetya, perhaps the most economically damaging cyber-attack of all time, was the accidental fallout against the west of the Russians hacking Ukraine.” — Ciaran Martin

They serve as an example of ‘hybrid warfare’ tactics, where such attacks and disruption can just be part of broader efforts to destabilise and distract. Damage doesn’t have to be physical, as Esther Naylor from Chatham House points out: “[The goal of these attacks] is to cause panic, and to make people think what might come next.”

theregister.com, therecord.media, theguardian.com

“Fraud is the new dope”

Thomas Brewster has a write up on Forbes about the shift of street gangs in Miami away from the ‘risky’ narcotics business to identity theft and fraud to support lavish lifestyles.

“How many ounces of cocaine would you have to sell, bought at a wholesale price and then sold at retail, to make that profit, when you can put a [fake] business together and the government is going to send you $3 million to $4 million?” — Dan Lipskey, Kroll

forbes.com

In brief

Threat intel

  • Proofpoint says a group, dubbed TA2541, has been relentlessly targeting employees in the aviation, aerospace and transportation sectors with phishing emails leading to remote access trojans therecord.media
  • Google’s Threat Horizons report says Google Cloud is continuing to see 400,000 scans a day for Log4j systems vulnerable to Log4Shell google.com (PDF)
  • US CISA advisory on preventing Russian state-sponsored attacks against defence contractors recommends enabling multi-factor authentication, in addition to strong passwords, and enabling Microsoft 365 ‘Unified Audit Logs’ and rolling out an EDR solution cisa.gov
  • The FBI says business email compromise (BEC) scammers are increasingly using video call and virtual meeting platforms to impersonate CEOs and CFOs, as part of their attacks, to direct employees to transfer funds therecord.media, in the same vein…
  • MS Teams accounts are being compromised and used to distribute trojan documents to compromise organisations bleepingcomputer.com

Vulnerabilities

  • WordPress force-updated millions of websites running the UpdraftPlus plugin this week to address a vulnerability in the plugin wired.com

Cyber defence

  • Kali Linux 2022.1 released kali.org
  • CISA has released a list of free cyber security services and tools to help critical infrastructure providers protect their organisations. This is a really useful, consolidated list cisa.gov

Security engineering

  • AWS’ CodeGuru code scanner now has detectors for Log4Shell vulnerabilities in Java and Python code zdnet.com
  • Microsoft has a blog post on ‘ice phishing’ on the blockchain, and what can be done to improve Web3 smart contracts microsoft.com

Internet of Things

  • The US National Institute of Standards and Technology (NIST) is considering what ‘security labels’ for Internet of Things (IoT) devices might need to look like zdnet.com

Privacy

  • California to introduce ‘age-appropriate design code’ to restrict the data big tech companies can collect on children and regulate the use of behavioural nudges to get them to weaken privacy safeguards arstechnica.com
  • Clearview AI is seeking $50 million funding to collect 100 billion images by the end of the year and lobby for ‘favourable regulation’, which it says will be enough to identify almost anyone on the planet arstechnica.com

Public policy

  • India to issue outsourcing guidelines to its financial services sector after concerns that this “[exposes] them to significant financial, operational and reputational risks” theregister.com
  • US Open App Markets Act presents an opportunity to introduce choice, while also requiring app stores to implement appropriate security and vetting processes techcrunch.com

Regulatory

  • The European Data Protection Supervisor (EDPS) has called for a “ban on the development and deployment of spyware with the capability of [NSO Group’s] Pegasus in the EU” techcrunch.com

Law enforcement

  • In a victory for common sense, the journalist who reported a flaw exposing teachers’ social security numbers in the source code of a Missouri state website (vol. 4, iss. 42) will not face charges, though Governor Mike Parson’s office insists that the law was broken arstechnica.com
  • The FBI is launching the Virtual Asset Exploitation Team (VAXU) that will be dedicated to tracking cryptocurrency crimes and ransomware profits techcrunch.com

Mergers, acquisitions and investments

Probably more threat intel, but seeing as the criminal ecosystem is maturing, perhaps this is M&A news?

  • Conti ransomware gang has ‘acquired’ the team behind TrickBot malware and is focusing development on a new, stealthier alternative, BazarBackdoor, to provide a stream of compromised organisations to exploit, according to AdvIntel bleepingcomputer.com

And finally

Messanges jammed

A father in the southwestern French town of Messanges faces up to six months in jail and a fine of up to €30,000 for using a signal jammer to keep his teenage children from accessing the internet.

His solution was a little too effective, with him inadvertently blocking mobile phone signals to the rest of the town between midnight and 3:00 am every day, leading to an investigation by Agence Nationale des Fréquences (ANFR).

bleepingcomputer.com

Robin
