Archive for October 4, 2023

Supply chain attacks triple while known vulnerabilities are downloaded

Posted in Commentary with tags on October 4, 2023 by itnerd

In the 9th Annual State of the Software Supply Chain Report, security experts at Sonatype report that, as of September 2023, they had caught over 245,000 malicious software supply chain attacks, twice as many as were found in all previous years combined.

The report also highlighted that, in 2023, 96% of open-source downloads with known vulnerabilities could have been avoided because a fixed version was available. For example, despite a fix being released almost 2 years ago, 23% of Log4j downloads are still of the critically vulnerable versions.

67% of respondents to a Sonatype poll said they were confident their applications do not rely on known vulnerable libraries, but almost 10% also claimed they had experienced security breaches due to open-source vulnerabilities in the past year.   

“Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers to become better decision-makers, and giving them access to the right tools,” said Brian Fox, CTO at Sonatype.

Dave Ratner, CEO, HYAS had this comment:
 
   “Developers need to become better decision makers, but the best resiliency and security hygiene will come from pairing these approaches with solutions that can detect the telltale signs of infection, such as Protective DNS solutions.  By seeing the beaconing activity to command-and-control, they provide a security-in-depth strategy for resiliency and serve as the early-warning sign that something anomalous has snuck into the stack and needs to be addressed.”

There need to be improvements when it comes to how vulnerabilities are dealt with. Otherwise we’ll be trapped in this mess.

UPDATE: Craig Harber, Security Evangelist, Open Systems had this comment:

   “From my perspective the findings in this report are not surprising, but frankly, they are extremely frustrating. The lack of mature vulnerability management and patch management processes has been the Achilles’ heel of most agencies and organizations for as long as I can remember. Real leadership is needed to bring forward a change. And it’s got to be more than drafting regulations and guidance. Investments are needed in automation and AI-driven decision support tools to enable IT teams to do their jobs effectively. System owners and stakeholders need to be held accountable if they fail to provide the IT teams the necessary direction and tools to be successful.”

Over 3 million customers’ records were exposed globally by a CRM Provider

Posted in Commentary with tags on October 4, 2023 by itnerd

Over 3 million records belonging to Really Simple Systems, a global B2B CRM provider, were exposed, according to cybersecurity researcher Jeremiah Fowler, putting companies and their customers at risk of a range of online threats.

Highlights:

  • Over 3 million records exposed
  • Several businesses affected, located in the USA, UK, Australia, multiple EU countries, and more
  • Medical records, identification documents, credit reports, legal documents and tax documents, among others, exposed

If you want to know more about Jeremiah’s findings, you will find all the details here: https://www.vpnmentor.com/news/report-reallysimplesystems-breach/

Trend Micro Redesigns Partner Program to support Channel and Partner Engagement

Posted in Commentary with tags on October 4, 2023 by itnerd

Trend Micro Incorporated has announced a complete redesign of the company’s worldwide partner program. The redesign is intended to accelerate business growth for partners and allow them to deliver more value to end customers.

The program is built around the Trend Vision One™ platform, creating opportunities for partners to deliver services and assessments for both enterprise and SMB-focused partners.

Customers are facing increased risks as threat actors derive greater monetary value from criminal activities. As cybersecurity demand grows, the need for in-house skills to protect data, companies, brands, industries and governments grows as well. Partners can close this gap by delivering crucial services: MSSP, MSP, SOCaaS, XDR, Incident Response, and much more. To address this need, Trend is improving partners’ ability to offer assessments to customers, including Cyber Risk Assessments and the newly added External Attack Surface, Cloud Posture and Azure AD Assessments. Over 800 partners have already leveraged Cyber Risk Assessment Services to complete 1,400+ customer assessments—and more new services are on the way.

As Trend and its partners have evolved together, so has another critical component: artificial intelligence, which enables partner analysts to understand the next threat alert, and the next opportunity for growth within customer accounts, further deepening a partner’s value to their end customers. 

The Trend Partner Program will enable channel partners to:

  • Embrace AI with Trend Vision One generative AI capabilities, empowering SOC teams to accelerate daily workflows, enhancing their performance and productivity
  • Increase profitability with stacked benefits: capabilities, deal participation and co-selling, marketplace competitive private offers, and recognition of partners’ influenced revenue in services and consulting
  • Expand services with new competencies for partners to earn their technical and service validations in cloud security, professional services, managed security services, SOC, IR, and more
  • Co-sell and generate more leads with multiple lead gen tools and customer workshops, including co-branded risk assessments, cloud security for AWS and Azure workshops, online demo environments, marketplace incentive campaigns, and numerous co-sell and co-branded sales tools
  • Experience immersive learning with Trend Campus, which supports hybrid learning across three progressive tracks as well as in-depth 1:1 consultation for competency partners
  • Leverage an integrated digital experience across partner locator, partner portal, mobile app, leads dashboard and cloud marketplaces

The Trend Partner Program is built on the foundation of a thriving channel business comprising 147,000 profiled partners, more than half of whom took broader cybersecurity training in the past year. Deal registration has seen a significant increase, especially by co-selling partners, with 42% YoY growth in AWS CPPO partners and a 46% YoY increase in MSP partners selling XDR.

Trend continues to evolve and grow alongside partners, ensuring that joint customers remain protected while remaining profitable and extending partner opportunities.

To read more about the new partner program, visit https://www.trendmicro.com/partner

Learn more about Trend partner success stories at https://www.trendmicro.com/en_us/partners/partner-stories.html

ForAllSecure Announces First Dynamic Software Bill of Materials for Application Security

Posted in Commentary with tags on October 4, 2023 by itnerd

ForAllSecure, the world’s most advanced application security testing company, today announced the debut of a runtime dynamic Software Bill of Materials (SBOM) solution for its Mayhem Security product. It shows organizations which components are actually present at runtime, prioritizes each in order of risk, and speeds remediation of open source and other third-party software vulnerabilities in code, saving organizations valuable remediation time and resources.

Mayhem now generates a runtime-aware SBOM of components on the application attack surface, and uses this intelligence to prioritize and filter results from Software Composition Analysis (SCA), Static Application Security Testing (SAST), and similar tools. This eliminates AppSec noise and overhead for developers, allowing them to focus on remediating real security issues. 
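The paragraph above describes the mechanism: a runtime-aware SBOM is used to filter and rank the findings a static SCA pass produces, so that vulnerable components that are never loaded stop competing for developer attention. The following is an added illustration of that idea, and of the Sonatype finding in the first post on this page that a fixed version usually already exists; it is not Mayhem’s code or ForAllSecure’s algorithm. Every component name, version, advisory id (`ADV-000n`) and CVSS score in it is constructed for the example, and versions are assumed to be plain dotted integers.

```python
"""Runtime-aware SBOM filtering of SCA findings (added illustration).

All data here is constructed: the component names, versions, advisory ids
and CVSS scores are placeholders, not real packages or real vulnerabilities.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)
    cvss: float


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    version: str
    fixed: str         # the fix that was available at download time
    cvss: float
    loaded_at_runtime: bool


# Constructed static SBOM: everything the build declares, loaded or not.
SBOM = [
    Component("acme-logging", "2.14.1"),
    Component("acme-json", "1.3.0"),
    Component("acme-imaging", "0.9.2"),
    Component("acme-http", "4.2.0"),
]

# Constructed advisory feed with the first fixed version for each issue.
ADVISORIES = [
    Advisory("ADV-0001", "acme-logging", "2.0.0", "2.17.0", 9.8),
    Advisory("ADV-0002", "acme-imaging", "0.1.0", "1.0.0", 7.5),
    Advisory("ADV-0003", "acme-json", "1.0.0", "1.2.0", 6.1),
    Advisory("ADV-0004", "acme-http", "4.0.0", "4.3.0", 5.3),
]

# Constructed runtime observation: components actually loaded while the
# application ran (the "dynamic SBOM" the post describes).
RUNTIME_LOADED = {"acme-logging", "acme-http"}


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically,
    not lexically ('2.9' must sort below '2.14')."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def sca_findings(sbom, advisories):
    """Static SCA pass: match every declared component against the feed."""
    found = []
    for comp in sbom:
        for adv in advisories:
            if adv.component == comp.name and is_affected(comp.version, adv):
                found.append(Finding(adv.advisory_id, comp.name, comp.version,
                                     adv.fixed, adv.cvss, False))
    return found


def prioritize(findings, runtime_loaded):
    """Mark findings on components seen at runtime, then order them so that
    loaded components come first and, within each group, highest CVSS first."""
    marked = [replace(f, loaded_at_runtime=f.component in runtime_loaded)
              for f in findings]
    return sorted(marked, key=lambda f: (not f.loaded_at_runtime, -f.cvss))


def runtime_only(findings):
    """The filtered view a developer would start with: only what is loaded."""
    return [f for f in findings if f.loaded_at_runtime]


if __name__ == "__main__":
    for f in prioritize(sca_findings(SBOM, ADVISORIES), RUNTIME_LOADED):
        tag = "LOADED " if f.loaded_at_runtime else "dormant"
        print(f"{tag} {f.advisory_id} {f.component} {f.version} "
              f"-> fix available: {f.fixed} (CVSS {f.cvss})")
```

Two design choices worth noting: the runtime information is used to rank, not to discard, so a dormant vulnerable component is still visible for the next build where it might be loaded; and every finding carries the first fixed version, which is the figure the Sonatype report says was already available for 96% of vulnerable downloads.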

Managing software supply chain risks is crucial in today’s security threat landscape. Open source software (OSS) saves developers time by letting them access, modify, and distribute prewritten source code. However, attackers can also target open-source software for supply chain attacks. Threats like SolarWinds and Kaseya use lower-level vulnerabilities to pivot into large organizations. Latent, unpatched vulnerabilities are common within popular OSS and can have significant consequences in today’s software-dependent world.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that all software provide an inventory of open-source components and other code dependencies. 

Following ForAllSecure’s release of estimated CVSS scores for each defect found during analysis, which help prioritize remediation, the new dynamic SBOM solution further validates and prioritizes the results provided by Mayhem.

To see Mayhem’s dynamic SBOM in action, request a demo at https://www.mayhem.security/contact.

Cybersecurity spending ‘insufficient’ as growth sinks by 65%

Posted in Commentary with tags on October 4, 2023 by itnerd

The 2023 Security Budget Benchmark Summary Report, published last week by IANS Research and Artico Search, found that growth in cybersecurity spending fell 65% during the 2022-23 budget cycle: spending in the US and Canada increased by an average of 6%, down from 17%.

Of the more than 550 CISOs surveyed, 37% reported flat budgets or budget decreases during the 2022-23 cycle, up from 21%. Technology firms, which saw a 30% growth in security spending last cycle, saw the greatest decline with just a 5% increase on average this cycle.  
 
Of the 63% who reported budget increases this year, 17% said it was due to increased risk, while 15% said it was the result of a digital transformation at their organization, such as after a major industry disruption like a high-profile breach. On average, organizations adjusting spending in response to a major incident boost their budgets by 27%.

“The incremental growth in cybersecurity budgets is insufficient relative to the increases in scope facing security teams. In the latter part of Q4 2022 and throughout 2023, many CISOs reported difficulty getting the resources they need, with some indicating outright budget freezes,” said Nick Kakolowski, senior research director of IANS, in an accompanying press release.

Kelly Robertson, Principal Security Practitioner, Horizon3.ai had this to say:

   “The key to this information is that GROWTH is slower, but the title can be interpreted as a 65% drop in other ways. Cyber spending is increasing still, just not at 17%. “spending in the United States and Canada increased by just 6% on average in 2022-23, down nearly two-thirds from the 17% growth” That could have been better titled for clarity.”

Perhaps that is true. But I think we all can agree on the fact that it is a good thing that organizations are spending on cybersecurity needs. But at the same time, I am hoping that spending isn’t about to drop at a time when more, not less, spending on cybersecurity is required.

EU’s Cyber Resilience Act would require a ONE day breach notice

Posted in Commentary with tags on October 4, 2023 by itnerd

A group of leading tech companies and security researchers have written an open letter about how the vulnerability disclosure requirements proposed for the EU’s Cyber Resilience Act don’t make sense and are flat out dangerous.

Basically, the requirements would ask vendors to disclose that they know about a vulnerability within ONE day. The industry argues that’s not enough time and would open the door to hackers jumping on the vulnerabilities before everyone has had enough time to actually apply the patches. “Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.”

George McGregor, VP, Approov Mobile Security had this comment:

“These vulnerability requirements, if enforced, will be of critical importance to US companies which operate in the EU.  The EU Cyber Resilience Act makes no distinction about where vulnerabilities are discovered so the obligation will be worldwide in scope.

“This is clearly understood by the number of US based individuals who have signed the request to modify the CRA in order to remove the requirement to report unpatched vulnerabilities within 24 hours.

“The letter also requests that vulnerabilities uncovered during testing should not be included in the reporting requirement.

“With this level of industry reaction, the CRA requirements should certainly be relaxed.”

I am completely in favour of this as it makes vendors completely accountable for the quality of their products. But it has to be done in a way that makes sense and is sustainable. This doesn’t meet that standard. A rethink is absolutely in order.

HP Introduces The HP Chromebook Plus 15.6-inch

Posted in Commentary with tags on October 4, 2023 by itnerd

HP Canada introduces a new Chromebook Plus laptop to HP’s existing Chromebook portfolio: the HP Chromebook Plus 15.6-inch. HP Chromebook Plus devices are designed for unrestrained productivity and creativity to provide a more powerful HP Chromebook experience.

Today’s consumers expect their devices to do it all. Gen Zers, in particular, are seeking technology that is flexible, adaptable, and delivers powerfully immersive experiences while keeping the planet in mind with sustainable materials. Key features and capabilities for HP Chromebook Plus devices include:

  • Unrestrained productivity – users can get work done from anywhere with up to a 12th Gen Intel® Core™ i5 processor, speedy memory up to LPDDR5, ample storage, and up to 13 hours on the HP Chromebook Plus 15.6-inch. To stay productive, built-in Google Docs, Sheets, and Slides are available online and offline.
  • Look and sound your best – AI-powered video conferencing tools, including noise cancellation, lighting improvement, blurred backgrounds, and live caption tools.
  • Unleash your inner creator – advanced photo and video editing tools offer a premium creator experience, including Google Photos’ AI-powered Magic Eraser, which easily removes distractions from a photo background or enhances brightness and contrast with an HDR effect, as well as Adobe Photoshop and Adobe Express. Those purchasing an HP Chromebook Plus device can get Photoshop web and Adobe Express Premium for 3 months at no cost.
  • Immersive entertainment – smooth streaming and cloud gaming are made easy with up to Wi-Fi 6E technology and up to a 144Hz refresh rate FHD IPS panel on the HP Chromebook Plus 15.6-inch.
  • Working safely from everywhere – HP Chromebook Plus laptops are designed with smart security features to keep data secure. Privacy is top of mind with an easy-to-access microphone mute button and a webcam switch that turns off your camera when not in use.
  • Built with the planet in mind – designed with recycled materials like post-consumer recycled plastic and ocean-bound plastic. Packaging is 100% sustainably sourced and recyclable.

The sleek and durable HP Chromebook Plus 15.6-inch comes equipped with a 15.6-inch diagonal FHD IPS screen, providing reduced lag and a crisp viewing experience from any angle.

Pricing & Availability:

The HP Chromebook Plus 15.6-inch will be available at both hp.com on October 8 and at Staples and Costco on November 15 for $499.99 USD.