Hello and welcome to the sixth episode of The Secret CISO newsletter! We are thrilled to announce that we have reached 500 followers in just five episodes. It's all thanks to our dedicated readers who have been sharing this newsletter with their colleagues and friends. Our new goal is to reach 1000 subscribers in the next two episodes, so we're counting on your help to get us there.
Please share this newsletter with others using this Twitter sharing link. And here we go!
1. Data Breaches
TOR under DDoS, Scandinavian airline hacked, and Atlassian blames a third-party app for its recent data breach
Scandinavian Airline SAS Hit by Hackers, Says App Was Compromised
We posted about the US Airlines stop list leak a few weeks ago. And here is the second airline cybersecurity incident in a month. Scandinavian airline SAS suffered a cyber attack that hit its website and compromised its app. The hack is believed to have leaked customer information from the app. Customers who tried to log into the app were logged into the wrong accounts and had access to the personal details of other people. SAS urged customers to refrain from using the app and said the entire website was down for a while on Tuesday. The airline has now fixed the problem, but the attack raises questions about the security of customer data in the aviation sector. Various Swedish companies and organisations have recently been hit by cyber attacks, and SAS is the latest victim.
This incident is a reminder for CISOs in the aviation industry to take cybersecurity seriously and to ensure that they have robust systems in place to protect customer data from potential hackers. It also highlights the importance of having a plan in place for handling cyber attacks and responding quickly to minimise the damage.
Tor Hit By a Series of Ongoing DDoS Attacks
Tor, which is often associated with hacking tools, has become the target of DDoS attacks itself. The Tor Project recently revealed that its network has been suffering from several different types of ongoing DDoS attacks for at least seven months. Many Tor browser users have experienced connectivity and performance issues, with some unable to load pages or access onion services. The Tor Project's Executive Director, Isabela Dias Fernandes, said that they have been working hard to mitigate the impacts and defend the network from these attacks. The Tor team is continually tweaking and improving the network defences to counter the ongoing issue, and two new members will be added to the team to focus on .onion service development. However, the Tor team has not yet discovered the goal of these attacks or the identity of the attackers behind them. Slow Tor browser connections can also be caused by a variety of other factors, including which onion services are being used or which relays get picked when building a circuit through Tor.
The ongoing DDoS attacks on the Tor network are a reminder for CISOs to remain vigilant and to ensure that their organisations have robust systems in place to prevent cyber attacks. It is also essential to have a well-planned response strategy to minimise the impact of such attacks.
Atlassian: Leaked Data Stolen via Third-Party App
We all know Jira, right? Some of us even claim that Atlassian products are perfectly secure. Recently, Atlassian has suffered a breach of employee and operations information allegedly stolen by a threat group called SiegedSec. The company has assured its customers that their data is secure, saying that a third-party app was breached. The app was used to coordinate in-office resources, compromising employee data including names, emails, departments, and floor plans of segments of Atlassian offices located in San Francisco and Sydney. According to Envoy, which provided the app, the breach likely occurred due to the threat actor gaining access to employee credentials. An Envoy spokesperson confirmed that their systems were not compromised or breached and no other customer's data was accessed. There is an ongoing investigation into the breach.
This event is a reminder for CISOs to ensure that their third-party vendors are adequately secured and to review the security of their third-party apps. CISOs must be vigilant in ensuring that third-party vendors have stringent security protocols in place and monitor their security posture continuously.
2. Hacking Apple to get Bounty, Killing EDR, and Securing Nuclear Power Plants
Two Researchers Hacked Apple and Admire Their Bug Bounty Program
Breaking into Apple may sound like an impossible feat, but for this blogger, it was a walk in the park. The catch? They did it through Apple's bug bounty program. In this post, the blogger shares their experience hacking Apple twice in one day and participating in the company's bug bounty program. They go on to detail how they found vulnerabilities in Apple's systems and what it was like working with Apple's security team. The blogger started by using Shodan to identify Apple assets and eventually found an asset with ports 443 and 4786 open. Through a flaw in the Cisco Smart Install protocol, they were able to remotely execute code and modify the configuration file.
They reported the findings to Apple and received a fair and transparent compensation package. They then moved onto the next target and were able to identify another Remote Command Execution vulnerability. The communication process was seamless, and the response from Apple was prompt and highly professional. However, the blogger criticizes Apple's bug bounty program for the lack of collaboration on submissions. Overall, their experience with Apple was exceptional, and the compensation policy was fair and reflected the level of severity and impact of the reported vulnerabilities.
How to bypass Microsoft's Tamper Protection?
A simple answer: Kill the EDR. How to do that when most organizations use Tamper Protection? According to Microsoft, Tamper Protection locks Microsoft Defender Antivirus to its secure default values and prevents security settings from being changed. Thus, disabling the service or modifying the configuration won't work. Even deleting the Defender executable won't work as we can't own or modify it due to TrustedInstaller, a built-in service account in the Windows operating system that manages system files and critical system updates.
TrustedInstaller assigns ownership of system files, and even an administrator cannot make changes to these files without first taking ownership of them. The only way to modify these files is to become TrustedInstaller, but stealing a token from the TrustedInstaller process is impossible due to the limited access. The other approach is to create a new process with TrustedInstaller.exe as the parent, which inherits its privileges. To do this, we need SeDebugPrivilege, which gives us full access to the process, including the right to create child processes. Once we have our malicious process, we can delete the Defender Directory without receiving an "Access Denied" message.
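From the defender's side, the technique described above leaves two observable traces: a process whose parent is TrustedInstaller.exe but which is not a normal servicing binary, and file deletions under the Defender program directory. As an added illustration that is not code from the newsletter or the referenced post, the snippet below runs both checks over constructed Sysmon-style events; the expected-children allowlist, the Defender path and the sample events are assumptions to be baselined against your own telemetry.

```python
"""Two detections for unexpected TrustedInstaller children and Defender
directory deletions, run over constructed Sysmon-style event records."""
from typing import Iterable, List

# Assumed baseline: TrustedInstaller normally only spawns TiWorker.exe.
# Tune this allowlist against your own servicing telemetry before deploying.
EXPECTED_TI_CHILD_SUFFIXES = (r"\tiworker.exe",)
# Assumed default Defender install location.
DEFENDER_DIR = r"c:\program files\windows defender"


def _norm(path: str) -> str:
    return path.strip().lower()


def unexpected_trustedinstaller_child(ev: dict) -> bool:
    """Sysmon Event ID 1: parent is TrustedInstaller.exe, child not expected."""
    if ev.get("EventID") != 1:
        return False
    parent = _norm(ev.get("ParentImage", ""))
    child = _norm(ev.get("Image", ""))
    if not parent.endswith(r"\trustedinstaller.exe"):
        return False
    return not child.endswith(EXPECTED_TI_CHILD_SUFFIXES)


def defender_file_deleted(ev: dict) -> bool:
    """Sysmon Event ID 23 (FileDelete): target lives under the Defender dir."""
    if ev.get("EventID") != 23:
        return False
    return _norm(ev.get("TargetFilename", "")).startswith(DEFENDER_DIR)


def triage(events: Iterable[dict]) -> List[str]:
    """Return one alert string per matching event, in input order."""
    alerts = []
    for ev in events:
        if unexpected_trustedinstaller_child(ev):
            alerts.append(f"unexpected TrustedInstaller child: {ev['Image']}")
        if defender_file_deleted(ev):
            alerts.append(f"Defender file deleted: {ev['TargetFilename']}")
    return alerts


# Constructed sample events (not real telemetry): benign servicing, a shell
# spawned under TrustedInstaller, a normal user shell, and a Defender deletion.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\WinSxS\x\TiWorker.exe",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Both rules are high-signal on their own because TrustedInstaller rarely has children and Defender binaries are rarely deleted outside updates, so correlate them within a short window rather than tuning each down.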
Cyber Security Controls in Nuclear Power Plants
In the current technology era, industrial control systems are growing rapidly in number and in how interconnected their environments are. Hence, cyber-attacks on these systems have also increased. Nuclear power plants (NPPs) are among the targets for cyber-attacks that can cause not only economic losses but also human casualties. Therefore, it is necessary to apply cyber-security controls to minimize the security threats to NPPs. This paper discusses the application of differential security controls based on NEI 13-10 and technical assessment methodology (TAM) for mitigating the risks. The authors compare the results derived from applying security controls and assessing risks using both NEI 13-10 and TAM for the plant protection system of the nuclear power reactor APR1400. TAM is a methodology that generates a quantitative score by assessing the effects of potential cyber-attacks on an asset and the relevant security controls.
This methodology allows for the application of differential security control based on the score to identify whether the security controls have actually mitigated the risks. The results indicate that there are limitations to mitigating all the risks when only NEI 13-10 is applied. However, when it is applied along with TAM, all the threats, including those that could not be detected in the past, could be mitigated by utilizing the five significant advantages of TAM.
3. Managing breaches, learning the vCISO approach, and training C-level communications
A CISO's Perspective on Managing a Breach
If you think that managing a data breach is all about incident response, then think again! In this episode of The Defender's Advantage Podcast, Fred Thiele, CISO at Interactive, gives an inside look at his personal experiences handling data breaches.
From working with regulators, insurance carriers, and crisis communications, Fred reveals the long and unexpected tail of a breach. He shares the depth and complexity of breaches, including surprises that he has encountered.
If you want to learn from the experiences of a seasoned CISO and know more about what really goes on behind the scenes of a breach, then this is the podcast for you!
What the heck is a vCISO?
Do you ever wonder what a virtual CISO (vCISO) is and how it can help your business? In this DtSR podcast, cybersecurity expert Jim Tiller explains what a vCISO is and how companies can use one as a part-time resource. As it becomes harder and harder to find and afford good CISOs and security leaders in the current market, it is essential to know how a vCISO can work for your company. Jim answers questions on the best ways to utilize a vCISO, questions to ask, and things to look out for. He is a business leader, cybersecurity author, and patent holder who has experience as a Global Chief Information Security Officer. Tune in to the podcast to learn more about how a vCISO can help you with your business cybersecurity.
Great Execution Requires Clear and Consistent Communication - CISO talk
CISOs must be able to communicate effectively with both executives and cybersecurity professionals to bridge the communication gap and make smarter security decisions. In the latest episode of CISO Talk, host Mitch Ashley is joined by Jennifer Leggio and Mike Rothman to discuss the importance of clear and consistent communication for successful execution in business. They also highlight the best ways to keep key stakeholders informed about threats, risk, and security programs. The trio emphasizes the need for CISOs to translate the proper understanding of IT systems, security strategies, potential risks, and the necessary investment required for cybersecurity maturity. Without proper communication, inaccurate information can get passed around, putting the entire organization at risk. Proactive communication is an essential part of high-performing teams and the foundation of a solid security strategy.
4. CISO Job Postings
The City of Baltimore's Office of Information and Technology is on the hunt for a Deputy Chief Information Security Officer
The successful candidate will work with and report to the CISO to lead the agency's cybersecurity program and provide security oversight for the organization's IT investments. Duties include leading a team of cybersecurity professionals, developing policies for agency-wide programs, overseeing security monitoring and response, creating comprehensive cybersecurity standards, conducting internal security audits, and managing a risk-based, repeatable system security strategy. Applicants must possess comprehensive knowledge of cybersecurity, the ability to lead city-wide initiatives and collaborate across organizational boundaries, and effective communication skills with senior leaders and external stakeholders. If you want to be a part of the team that protects Baltimore's IT infrastructure, submit your application today!
Portland General Electric is currently seeking a CISO of Cyber Security
The chosen candidate will lead a team that focuses on protecting the company's technology assets and information from damage, unauthorized use, modification, or exploitation. This involves evaluating, testing, developing, coordinating, monitoring, and maintaining the company's cyber security policies, procedures, and systems. Additionally, the CISO of Cyber Security will implement policies and take measures against intrusion, fraud, attacks, or leaks. The ideal candidate for this role is a director-level individual who can develop a comprehensive Cyber Security strategy and drive horizontal integration and collaboration with business partners. They will be accountable for the performance and results of multiple teams and will provide leadership, mentorship, and direction to managers. The CISO of Cyber Security will lead analysis of the IT environment and market trends to determine the potential impact on the company's security and efficiency. They will also advise on best practices to overcome challenges and deliver expected business outcomes.
CISO position at Beazer Homes
The CISO will define data and network security policies, manage security operations, conduct cyber-risk and cyber intelligence assessments, and ensure compliance with IT security regulations. Additionally, the CISO will be responsible for designing and implementing an IT and network strategy for the company, managing the maintenance of the IT network, and sourcing necessary hardware and software. The CISO will present regular feedback reports on IT network security to the IT Steering Committee, advise and communicate cyber metrics to the Board of Directors, and provide consultancy services and security insight to support major projects. The ideal candidate will have a BS degree in Information Systems, Information Security, or a related field, with 12 years of security-related experience, and be familiar with relevant industry standards, including NIST. The position requires strong knowledge of network and IS security components, as well as excellent organizational skills and attention to detail. Beazer Homes is an equal opportunity employer committed to employee wellbeing and life-work balance, offering development opportunities, a flexible time-off program, and an industry-leading parental leave policy.
Thank you for reading!
Please share across your network
Thank you for reading the 6th edition of The Secret CISO newsletter! It's been amazing to see our followers grow to 500, and we're now setting our sights on reaching 1000 subscribers in just two more episodes.
We couldn't have done it without your support, so we ask that you continue to share this newsletter with your colleagues and peers. To show our appreciation, we've prepared this digital eagle gift for you to enjoy after reading this edition.
Don't forget to share this newsletter with your network and help us reach our goal of 1000 subscribers. Here's the Twitter link to share.
Stay safe and secure, and see you in the next edition of The Secret CISO!