More stories

  • Codenotary: Notarize and verify your software bill of materials

    The SolarWinds software supply chain attack is the one everyone knows about. But supply chain attacks are becoming commonplace, and that’s bad news. There are efforts afoot, such as the Linux Foundation’s Software Package Data Exchange® (SPDX) project, which provides a standard format for a software bill of materials (SBOM) and so improves transparency and compliance. But we need SBOMs now. As President Joseph Biden’s Executive Order on Improving the Nation’s Cybersecurity says, vendors must provide “a purchaser with an SBOM for each application.” Codenotary’s Community Attestation Service wants to help you with that.


    The Community Attestation Service is a free, open-source notarization and verification service. Its parent company, Codenotary, says it lets businesses easily create an SBOM that attests to the provenance and integrity of their code, and that it provides end-to-end protection for software development and workloads. Codenotary also claims the service scales to millions of transactions per second, which would make it suitable for continuous integration/continuous delivery (CI/CD) pipelines.

    It gives developers a way to attach a tamper-evident SBOM to development artifacts, including source code, builds, repositories, and Docker container images. These SBOMs are built without uploading the artifacts themselves to the service. Instead, the service notarizes each artifact by computing a cryptographically strong identity (a hash of its content) that uniquely identifies it, and records that identity in Codenotary’s immutable database, immudb, a fast, cryptographically verifiable ledger database. Verification later means recomputing the artifact’s hash and checking it against the ledger, so any change to the bytes shows up as a mismatch.

    Note what this does and does not give you. It makes no guarantee about the safety of the components in your program; an SBOM is an inventory, not a vulnerability assessment. What it does do is assure your customers that the programs, code, libraries, container images, and so on truly are the ones you’ve promised them. That is no small thing.

    “More and more software companies are being asked by their customers to provide a software bill of materials and to give guarantees about its veracity,” said Dennis Zimmer, Codenotary’s co-founder and CTO. “We’re providing an easy way for developers to build an SBOM and let their customers and users know the provenance of their software is cryptographically and very easily verifiable, effectively enabling true Zero Trust application delivery.”
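    The notarize, verify and revoke flow described above, reduced to its essentials, as an added example. This is illustration code written for this page, not Codenotary’s code or the Community Attestation Service or immudb API: each artifact’s identity is its SHA-256 digest; notarizations and revocations are appended (never edited) to a ledger whose entries are signed and chained by hash; and a consumer verifies an artifact by recomputing its digest and looking up the latest status. An HMAC-SHA256 key stands in for the notary’s signing key, the ledger lives in memory, and the sample artifacts are constructed inline; all of those are assumptions of the example.

```python
"""Notarize-and-verify flow for build artifacts over a hash-chained ledger.

Added illustration, not Codenotary's code or the CAS/immudb API. Assumptions:
HMAC-SHA256 stands in for the notary's signing key, the ledger is an in-memory
list, and the artifacts used in the demo are constructed bytes.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # back-link of the first entry


def artifact_id(data: bytes) -> str:
    """The artifact's identity: SHA-256 of its bytes, independent of its filename."""
    return hashlib.sha256(data).hexdigest()


def _canon(payload: dict) -> bytes:
    """Deterministic serialisation so signatures and hashes are reproducible."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Ledger:
    key: bytes                       # notary signing key (assumed HMAC secret)
    entries: list = field(default_factory=list)

    def _sign(self, payload: dict) -> str:
        return hmac.new(self.key, _canon(payload), hashlib.sha256).hexdigest()

    def _append(self, **payload) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        payload.update(index=len(self.entries), prev=prev)
        sig = self._sign(payload)
        entry_hash = hashlib.sha256(_canon(payload) + sig.encode()).hexdigest()
        entry = {**payload, "sig": sig, "entry_hash": entry_hash}
        self.entries.append(entry)
        return entry

    def notarize(self, name: str, data: bytes, signer: str) -> dict:
        return self._append(kind="notarize", name=name, id=artifact_id(data),
                            signer=signer, status="trusted")

    def revoke(self, data: bytes, signer: str, reason: str) -> dict:
        # Revocation is a new entry, not an edit: the history stays intact.
        return self._append(kind="revoke", id=artifact_id(data),
                            signer=signer, status="untrusted", reason=reason)

    def root(self) -> str:
        """Hash of the newest entry. A consumer pins this out of band; otherwise
        an attacker who simply drops the last entries (say, a revocation) is
        left with a shorter ledger that still validates."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def audit(self) -> bool:
        """Recheck every signature and back-link; False if anything was altered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("sig", "entry_hash")}
            if payload["index"] != i or payload["prev"] != prev:
                return False
            if not hmac.compare_digest(self._sign(payload), e["sig"]):
                return False
            expected = hashlib.sha256(_canon(payload) + e["sig"].encode()).hexdigest()
            if expected != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify(self, data: bytes, expected_root: str = None) -> str:
        """Latest status for this exact content ('trusted', 'untrusted',
        'unknown'), or 'ledger-tampered' when the chain no longer validates or
        does not end at the pinned root."""
        if not self.audit():
            return "ledger-tampered"
        if expected_root is not None and self.root() != expected_root:
            return "ledger-tampered"
        digest, status = artifact_id(data), "unknown"
        for e in self.entries:
            if e["id"] == digest:
                status = e["status"]     # later entries override earlier ones
        return status


if __name__ == "__main__":
    ledger = Ledger(key=b"notary-demo-key")         # constructed demo key
    release = b"\x7fELF... build of myapp 1.0"      # constructed artifact bytes
    ledger.notarize("myapp-1.0", release, "ci@example.org")
    print(ledger.verify(release))                   # trusted
    print(ledger.verify(release + b"\x00"))         # unknown: one byte differs
    ledger.revoke(release, "security@example.org", "build host compromised")
    print(ledger.verify(release))                   # untrusted
```

    The point of the `root()` pin is the one a practitioner would check for: a chained ledger detects edits to existing entries, but a truncated copy is still a valid chain, so the consumer has to know the latest root from somewhere other than the ledger it is handed.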

    This is more than just a promise. Home Assistant, an open-source home automation project with hundreds of thousands of users, is using Codenotary’s Community Attestation Service to ensure that only its approved code runs in the homes using its Internet-of-Things (IoT) software. “The open-source nature of Community Attestation Service, the easy integration and real-time revocation is a real game-changer,” said Home Assistant core developer Pascal Vizeli. “That is how software trust and integrity should look and feel.”

    Home Assistant isn’t the only one that has bought into Codenotary’s approach. Jack Aboutboul, community manager of the CentOS replacement Linux distro AlmaLinux, said, “AlmaLinux is working on integration with the Community Attestation Service to provide a secure Software Bill of Materials for the AlmaLinux OS distribution and to guarantee the provenance of our builds.”

    Sound interesting? Head over to Community Attestation Service and start creating your own tamper-evident SBOMs.

  • Learn skills to kick off a lucrative cybersecurity career for only $20

    StackCommerce

    If you’re an entry-level IT professional looking to get your foot in the door of a cybersecurity career, the inexpensive Palo Alto Networks Cybersecurity Fundamentals (PCCSA) E-Course can help by training you in firewall deployment and maintenance. In 27 lectures across almost seven hours of content, you will build a foundation in cybersecurity concepts. You start with the basics of networking, systems, and security solutions, including the basic concepts of cloud security, and then move on to the skills needed to deploy firewalls, including allowing traffic based on user identity, application identity (App-ID), content, and policy. You will learn how to identify the most common cybersecurity threats and attack techniques. As your skills develop, you can progress toward the level required for the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification.


    The entry-level PCCSA certification was created to verify that you have the knowledge required to configure, install, maintain, and troubleshoot Palo Alto Networks next-generation firewalls and the rest of its security operating platform. The course is provided, authored, and presented by ITProTV on the iCollege platform. ITProTV is known for the entertaining and effective talk-show format it uses for IT training. Former students have given this course an average rating of 4.4 out of 5 stars. You get lifetime access to the content, 24/7, on both desktop and mobile devices, so you can train at your own pace without taking time off from your current job, even if you are working full-time. If you’re an entry-level IT professional, don’t miss this chance; grab the Palo Alto Networks Cybersecurity Fundamentals (PCCSA) course now.


  • Ransomware: It's a 'golden era' for cyber criminals – and it could get worse before it gets better

    Ransomware is the most significant cybersecurity threat facing organisations today, as increasingly professional and sophisticated cyber criminals follow the money to maximise the profit from illicit campaigns. ENISA, the European Union Agency for Cybersecurity, has released the latest edition of the ENISA Threat Landscape (ETL) report, which analyses cyber criminal activity between April 2020 and July 2021. It warns of a surge in cyber criminality, much of it driven by the monetisation of ransomware attacks.

    Although the report warns that many different cybersecurity threats are on the rise, ransomware represents the ‘prime threat’ faced by organisations today, with a 150 percent rise in ransomware attacks during the reporting period. And despite ransomware now attracting the attention of world leaders, there are fears that the problem will get worse before it gets better. “We are observing the golden era of ransomware — it has become a national security priority — and some argue that it has not yet reached the peak of its impact,” the paper warns.

    Cyber criminals begin a ransomware attack by quietly compromising a network, often via phishing, compromised cloud services or exploited vulnerabilities, and then deploy file-encrypting malware across as many systems as possible. Victims are locked out of files and servers, and the criminals demand a ransom, paid in cryptocurrency, in exchange for the decryption key. In many cases, the victim pays up.

    One of the key drivers behind the increased threat is the amount of money that can be made: cyber criminals can walk away with millions of dollars from a single attack. The success of these campaigns is likely to encourage more bad actors to get involved, particularly in hands-on operations that can cripple an entire network.

    “Our assessment is that more cyber criminals will very likely be attracted to shifting their targeting to focus on targeted ransomware operations and replicate these successes,” said the ENISA paper.

    Incidents like the DarkSide ransomware attack against Colonial Pipeline demonstrated how disruptive a ransomware attack can be, to the extent that it affects everyday lives. The incident led to fuel shortages in the northeastern United States and prompted panic buying. In the end, Colonial paid the criminals almost $5 million for the decryption key. While events like this receive a lot of attention, many more ransomware attacks are believed to end with the victim quietly paying the ransom without any publicity. “The incidents that are publicly disclosed or that receive media attention are only the tip of the iceberg,” ENISA warns.

    However, the report also notes that action is being taken, with governments having “stepped up their game”, recognising the threat and mounting multinational efforts to deal with it. It also details several arrests over the last year for involvement in ransomware gangs, a sign that, for some cyber criminals at least, their actions have consequences. “Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks,” said ENISA executive director Juhan Lepassaar. “Such an approach can only rally around the necessity now emphasised by the European Council conclusions to reinforce the fight against cyber crime and ransomware more specifically.”

    Organisations are encouraged to develop a mitigation strategy built on secure backups that are kept offline or otherwise out of reach of the production network, so that in the event of a ransomware attack the network can be restored without giving in to the ransom demand. Operating systems and software should also be kept updated with the latest security patches so that criminals can’t exploit known vulnerabilities to enter or move around the network, and multi-factor authentication on accounts helps prevent the intrusions that lead to ransomware attacks in the first place.

  • HTTPS threats grow more than 314% through 2021: Report

    Cybersecurity firm Zscaler has released its latest State of Encrypted Attacks Report, highlighting the growth in threats delivered over HTTPS since January, as well as other attacks facing tech companies and retailers.

    The report found that HTTPS-borne threats have increased by more than 314% since January, while attacks on tech companies grew by 2,300% and retail companies saw an 800% increase. According to the report, the tech industry accounted for 50% of all attacks tracked. Malware was up 212% and phishing rose by 90%.

    The report draws on more than 20 billion threats blocked over HTTPS and analysis of about 190 billion daily transactions through the company’s Zero Trust Exchange between January and September; the Zscaler ThreatLabz research team then compiles the report from that data. Deepen Desai, CISO at Zscaler, said most enterprise IT and security teams struggle to implement SSL/TLS inspection policies because of a lack of compute resources and/or privacy concerns. Inspection means the proxy terminates each TLS session and re-signs it with an enterprise CA that every managed endpoint must trust, which is where both the compute cost and the privacy questions come from. “As a result, encrypted channels create a significant blind spot in their security postures. Zscaler’s new report on the state of encrypted attacks demonstrates that the most effective way to prevent encrypted attacks is with a scalable, cloud-based proxy architecture to inspect all encrypted traffic, which is essential to a holistic zero trust security strategy,” Desai said.

    The researchers found that cryptomining is becoming less prevalent as cybercriminals move toward more lucrative options like ransomware. Zscaler noted that attacks on retailers are likely to increase during the holiday season as more companies offer digital purchase options and promote e-commerce solutions. The company predicts a wave of malware and ransomware attacks targeting e-commerce platforms and digital payment systems between Black Friday and Christmas. “Additionally, as the world begins its return to normal, and as businesses and public events are opening up around the globe, many employees are still working in relatively insecure environments. Getting access to critical point-of-sale systems is extremely attractive to cybercriminals as it opens the door to huge profits,” the report noted. 
    Healthcare and government organizations saw a decrease in attacks, but overall seven industries saw attack rates rise from threats carried in SSL and TLS traffic. Desai attributed the decrease to increased law enforcement scrutiny following the attacks on Colonial Pipeline and other critical industries. He noted that healthcare and government were the most frequently targeted sectors in 2020, prompting many organizations in both industries to stiffen their security posture.

    The UK, US, India, Australia and France were the top five targets of encrypted attacks. Broken down by region, Zscaler ThreatLabz found that Europe saw the most attacks at more than 7.2 billion, followed by the Asia Pacific region at almost 5 billion and North America at about 2.8 billion. The UK led Europe with 5.4 billion encrypted attacks, followed by the US and India, which each saw more than 2 billion.

  • NRA responds to reports of Grief ransomware attack

    The National Rifle Association (NRA) has released a statement after a ransomware gang claimed to have attacked the organization. The Grief ransomware gang, which has ties to the prolific Russian cybercrime group Evil Corp, posted about the NRA on its leak site, setting off hours of headlines and concern among the group’s members. By Wednesday afternoon, NRA Public Affairs managing director Andrew Arulanandam took to Twitter to say the group is doing what it can to protect the data of its members. “NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so,” Arulanandam said.

    Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly taken from the NRA’s databases. Analysis of the released documents shows they include minutes from a recent NRA board meeting as well as documents related to grants. The gang threatened to leak more files if the NRA did not pay an undisclosed ransom.
    The NRA faces a difficult decision, because Evil Corp was sanctioned by the US Treasury Department in 2019, meaning the gun rights group would need Treasury’s permission before paying any ransom. Those rules came to the fore after an attack on Garmin, a wearables company, by the WastedLocker ransomware, another strain with purported links to Evil Corp. Evil Corp was also implicated in a wide-ranging ransomware attack last week on Sinclair Broadcast Group, which controls hundreds of news stations in the US.

    Grief has spent much of 2021 attacking school districts and local governments across the US, including ones in New York, Alabama, Mississippi, Indiana, Washington and Texas, according to Comparitech. Paul Bischoff, privacy advocate at Comparitech, said NRA members should take steps to protect themselves from any repercussions of the breach. “A gun won’t help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data,” Bischoff said. “The inclusion of tax forms is particularly concerning because cybercriminals can use them to perpetrate tax fraud. Be sure to file taxes early and make sure no one else files in your name. Grief has led several attacks in the US against targets in government, healthcare, and education.”

  • Microsoft is adding another way to update Windows 11 with Online Service Experience Packs

    Microsoft released a new Windows 11 Insider build on October 27, Windows 11 Build 22489. In the release notes for this Dev Channel build, Microsoft officials disclosed there’s going to be yet another way to update Windows outside of major OS updates, called “Online Service Experience Packs.” The mention came in the context of the “Your Microsoft Account” settings page, which Microsoft is now testing for some future Windows 11 update. A subset of Dev Channel Insiders is getting the new page as part of Build 22489. It will display information related to the user’s Microsoft Account, such as Microsoft 365 subscriptions, links to order history, payment details and Microsoft Rewards, so users can reach their Microsoft Account directly from Settings in Windows 11.

    Details about what Online Service Experience Packs are and what, exactly, they’ll update are sparse right now. Microsoft officials said in today’s blog post about the new build: “Over time, we plan to improve the Your Microsoft account settings page based on your feedback from Feedback Hub via Online Service Experience Packs. These Online Service Experience Packs work in a similar way as the Windows Feature Experience Packs do, allowing us to make updates to Windows outside of major OS updates. The difference between the two is that the Windows Feature Experience Packs can deliver broad improvements across multiple areas of Windows, whereas the Online Service Experience Packs are focused on delivering improvements for a specific experience such as the new Your Microsoft account settings page.” Under Windows Update, users ultimately will see “Online Service Experience Pack – Windows.Settings.Account” with a version number. Microsoft execs have said fairly little about Windows Feature Experience Packs.
    These packs, introduced with Windows 10, have included the updated Snipping Tool, text input panel, and shell-suggestion UI.

    In addition to the new Your Microsoft Account settings page, today’s test build adds support for “Discovery of Designated Resolvers” (DDR). This feature, which builds on DNS over HTTPS, lets Windows discover a resolver’s encrypted DNS configuration when it knows that resolver only by its IP address, typically the one handed out by DHCP: the client asks the resolver which encrypted endpoint it designates and, before trusting the answer, checks that the endpoint’s TLS certificate is valid for that original IP address. Microsoft is also renaming the “Connect” app to “Wireless Display,” and splitting Apps & Features in Settings into two pages under Apps: Installed Apps and Advanced App Settings. The rest of Microsoft’s post about today’s build lists fixes and known issues.

    Earlier this month, Microsoft introduced another Windows-updating-related feature to Insiders. That mechanism, called Update Stack Packages, is designed to “deliver update improvements outside of major OS updates, such as new builds.” Officials declined to say more about what exactly these Update Stack Packages are at this point.
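    What a DDR client actually does with that discovery step, as an added example. This is illustration code written for this page, not Microsoft’s implementation: it parses the SVCB answer a resolver returns for the special name `_dns.resolver.arpa` (wire format per RFC 9460, with the `dohpath` parameter from RFC 9461), turns it into encrypted-resolver candidates (DoH or DoT), and applies the verification rule that makes the discovery safe, namely that the designated resolver’s certificate must carry the IP address the client already used over plain DNS in its subjectAltName. The SVCB records and the certificate SAN lists below are constructed for the example, and the resolver address 192.0.2.53 and host names are placeholders.

```python
"""Discovery of Designated Resolvers (DDR), the client side.

Added example, not Microsoft's code. The two SVCB RDATA blobs and the
certificate subjectAltName lists used in the demo are constructed inline.
"""
import ipaddress
import struct

SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint", 7: "dohpath"}


def _read_name(buf: bytes, off: int):
    """Uncompressed wire-format domain name -> ('doh.example.net.', new offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_svcb(rdata: bytes) -> dict:
    """SVCB RDATA: SvcPriority(2) TargetName SvcParams(key(2) len(2) value)*."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:                      # RFC 9460: strictly increasing, no repeats
            raise ValueError("SvcParamKeys must be strictly increasing")
        last_key = key
        val = rdata[off:off + ln]
        off += ln
        if len(val) != ln:
            raise ValueError("truncated SvcParamValue")
        name = SVCPARAM_KEYS.get(key, f"key{key}")
        if key == 1:                             # alpn: 1-byte length-prefixed ids
            ids, p = [], 0
            while p < len(val):
                n = val[p]
                ids.append(val[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            params[name] = ids
        elif key == 3:
            params[name] = struct.unpack("!H", val)[0]
        elif key == 4:
            params[name] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == 6:
            params[name] = [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
        elif key == 7:
            params[name] = val.decode("utf-8")
        else:
            params[name] = val                   # raw; not needed for DDR
    return {"priority": priority, "target": target, "params": params}


def designated_endpoints(record: dict) -> list:
    """Encrypted-resolver candidates advertised by one parsed SVCB record."""
    p, host = record["params"], record["target"].rstrip(".")
    port, out = p.get("port"), []
    for alpn in p.get("alpn", []):
        if alpn in ("h2", "h3"):                 # DoH needs a dohpath template with {?dns}
            tmpl = p.get("dohpath", "")
            if "{?dns}" not in tmpl:
                continue
            authority = host if port is None else f"{host}:{port}"
            out.append({"proto": "doh", "alpn": alpn, "url": f"https://{authority}{tmpl}"})
        elif alpn == "dot":
            out.append({"proto": "dot", "host": host, "port": port or 853})
    return out


def verified_discovery_ok(unencrypted_ip: str, cert_sans: list) -> bool:
    """DDR's check before trusting a discovered resolver: its TLS certificate's
    subjectAltName must contain the IP the client already used over plain DNS.
    cert_sans has the shape of ssl.getpeercert()['subjectAltName']."""
    want = ipaddress.ip_address(unencrypted_ip)
    return any(kind == "IP Address" and ipaddress.ip_address(v) == want
               for kind, v in cert_sans)


# Constructed answers to "SVCB _dns.resolver.arpa" as the resolver at 192.0.2.53 might send.
DOH_RDATA = (b"\x00\x01"                                     # SvcPriority 1
             + b"\x03doh\x07example\x03net\x00"              # TargetName doh.example.net.
             + b"\x00\x01\x00\x03\x02h2"                     # alpn=h2
             + b"\x00\x04\x00\x04" + bytes([192, 0, 2, 53])  # ipv4hint=192.0.2.53
             + b"\x00\x07\x00\x10" + b"/dns-query{?dns}")    # dohpath
DOT_RDATA = (b"\x00\x02"                                     # SvcPriority 2
             + b"\x03dot\x07example\x03net\x00"              # TargetName dot.example.net.
             + b"\x00\x01\x00\x04\x03dot"                    # alpn=dot
             + b"\x00\x03\x00\x02\x03\x55")                  # port=853

if __name__ == "__main__":
    for rdata in (DOH_RDATA, DOT_RDATA):
        print(designated_endpoints(parse_svcb(rdata)))
    # Certificate presented by doh.example.net (constructed): valid for the resolver IP.
    print(verified_discovery_ok("192.0.2.53", [("DNS", "doh.example.net"), ("IP Address", "192.0.2.53")]))
```

    The certificate check is the part that matters for security: without it, anyone who can answer the client’s plaintext query (the position a hostile network already has) could designate a resolver of their choosing, and the client would upgrade to encryption with the attacker rather than past them.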

  • Salesforce and Google create cybersecurity baseline for companies checking vendors

    Google and Salesforce have announced the creation of a vendor-neutral security baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to “raise the bar for security while simplifying the vetting process.” MVSP was also developed and backed by Okta, Slack and others. Google vice president of security Royal Hansen said it was “designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines.”

    “With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals, and reduce the onboarding and sales cycle by weeks or even months,” Hansen said. “MVSP is a collaborative baseline focused on developing a set of minimum security requirements for business-to-business software and business process outsourcing suppliers. Designed with simplicity in mind, it contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture. MVSP is presented in the form of a minimum baseline checklist that can be used to verify the security posture of a solution.”

    Companies have long had to write their own security baselines for their vendors, which is laborious for the organization and leaves complying vendors facing a byzantine maze of overlapping baselines. Hansen explained that MVSP will create an industry-wide baseline, backed by practitioners, that clearly communicates a set of minimum requirements. The requirements can also help organizations understand the gaps in their own processes and identify areas where they need to be tougher on vendors.

    “MVSP provides a single set of security-relevant questions that are publicly available and industry-backed. Aligning on a single set of baselines allows clearer understanding from vendors, resulting in a quicker and more accurate response,” Hansen said. “MVSP ensures expectations regarding minimum security controls are understood up front, reducing discussions of controls at the contract negotiation stage. Referencing an external baseline helps to simplify contract language and increases familiarity with the requirements.” Hansen added that the companies were interested in feedback from the security community and from others who may want to contribute.

    Salesforce said outsourcing operations to third-party vendors is a double-edged sword: it saves money but also creates new attack vectors by granting external parties access to critical systems and customer data, a Salesforce official said. A recent study showed 59% of companies have experienced a data breach caused by one of their vendors.

    The MVSP checklist includes questions about whether a vendor performs annual comprehensive penetration testing on its systems and whether it complies with local laws and regulations such as GDPR. Questions also cover whether vendors have implemented single sign-on using modern, industry-standard protocols and apply security patches promptly. Does a vendor maintain a list of sensitive data types the application is expected to process? Does it keep an up-to-date data flow diagram showing how sensitive data reaches its systems and where it ends up being stored? These are all questions posed by the MVSP checklist, which also covers the physical security of facilities, such as whether vendors have layered perimeter controls and entry and exit logs.

  • Google, Twitter back #ShareTheMicInCyber campaign to expand cybersecurity industry

    The #ShareTheMicInCyber campaign that took over the Twitter accounts of the country’s cybersecurity leaders last week is being formalized through a partnership between the movement’s founders and a think tank. Camille Stewart, co-founder of #ShareTheMicInCyber, said the campaign will be working with New America on a diversity initiative funded by Google, Twitter, and Craig Newmark Philanthropies. “We are excited to expand the impact of #ShareTheMicInCyber by creating a fellowship that will allow for sustained and deeper impact,” Stewart said. The fellowship will be centered on researching diversity and inclusion in the cybersecurity industry, nurturing a stable of mentors and organizing professional development activities.

    “In an environment where there are so many cyber positions unfilled and we are facing cyber threats that are increasing in complexity and scale we must capitalize on the innovation and understanding of people that diversity brings to get ahead of threats and fill staffing gaps,” Stewart, who works as global head of product security strategy at Google, told ZDNet. “Intentional investment in changing the face of the industry, elevate and invest in diverse talent, promote diverse talent, change hiring and retention practices to allow for nontraditional backgrounds and experiences, and create inclusive empathy-driven cultures where everyone can thrive and differences are celebrated.”

    Google vice president of security Royal Hansen said in a blog post that the company was funding the first year of the fellowship and has pledged a total of five years of funding.

    “As modern cybersecurity threats evolve into new and more dangerous attacks — and as the industry seeks skilled workers — we need an arsenal of different ideas that represent all backgrounds. The #ShareTheMicinCyber Fellowship will amplify diverse talent and bring new voices and ideas to the industry and ultimately make us all safer and more secure,” Hansen said.

    Stewart said she was inspired to start the campaign in the national security and cybersecurity industry after seeing a Share The Mic Now movement for another industry on Instagram. She tweeted about it and was eventually contacted by Harvard Kennedy School’s Lauren Zabierek, who joined the effort and helped Stewart host a similar campaign through her organization NextGen NatSec in celebration of Juneteenth 2020. “At the same time Lauren and I worked to create #ShareTheMicInCyber. The first campaign happened June 26, 2020 and built off the learnings from the campaign I hosted the week prior,” Stewart explained.

    On the heels of that, Stewart and Zabierek began extending invitations to anyone they had connections to, eventually getting the attention of a member of the NSA Cyber communications team through a tweet. Stewart also contacted CISA Director Jen Easterly, who responded immediately and urged her team at CISA to make it happen. The Institute for Security and Technology (IST) contacted them in the hopes of joining the campaign. On Friday, CISA strategist Ayan Islam took over Easterly’s account, Google security engineer Talya Parker tweeted from the account of NSA cybersecurity director Rob Joyce, and IST CEO Philip Reiner handed his accounts over to Hope Goins, staff director for the US House of Representatives Committee on Homeland Security. The women spoke about their experiences in the tech industry, the barriers they have faced as Black women, and ways other women of color can break into the industry.

    “The initiative is going well and continues to grow in reach and impact. Not only is the campaign reaching more people each time — sparking a much needed conversation about systemic racism in cyber, broadening networks, and engaging cyber employers — we have partnerships that allow us to address the impacts of systemic racism,” Stewart said. “Our partnership with WISP to create a scholarship for participants is helping to break down financial barriers. Cyberbase, which is launching in partnership with the R Street Institute, is combating the notion that diverse practitioners aren’t already in the industry by giving companies access to a database of Black cyber talent.”

    Stewart added that the partnership with New America would make what was discussed on Friday a reality, allowing the movement to evolve into actionable opportunities for cybersecurity professionals of color. The fellowship will give someone the opportunity to “conduct policy research and analysis, explore critical cyber security issues, and explore questions of diversity and the human side of cybersecurity.”

    “Our focus on amplifying and investing in middle career talent is designed to be a beacon for newcomers and a pipeline for future leaders,” Stewart said. “The industry investment in this initiative is a recognition that investment in a diverse workforce at all levels will better equip us to meet the ever-evolving and increasingly complex security challenges we face as a society.”

    Peter Singer, senior fellow at New America and co-coordinator of the #ShareTheMicInCyber partnership, said the need to build greater diversity in cybersecurity brings together national security, industry, community, and equity needs. “It is the literal definition of a win for all,” Singer said. “We couldn’t be more excited and proud to join in taking #ShareTheMicInCyber to the next needed level.”

    Stewart and Zabierek said the latest partnership is only the beginning of the conversations that need to be had about diversity, racism and equity in the cybersecurity industry. They urged other companies to get involved in the campaign and find a way to support the initiative. “The outcomes that we’ve seen from the four #ShareTheMicInCyber campaigns — to include strengthening and expanding networks, deepening inclusion, and connecting people with more job and professional opportunities in cybersecurity — show us that this movement must be rooted and fully resourced so that we can grow its impact,” Zabierek said.
