Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Salesforce Passwords At Risk From Dyre
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/10/2014 | 12:20:50 PM
Re: More user awareness about phishing and social engineering
I do not mean to hammer on CIOs, but what about the CIOs who believe that "all things IT" should belong to them, including security? Do they not realize the inherent conflict of interest in that line of thinking? Unless those CIOs are credentialed or experienced security professionals, they do not possess enough security knowledge or expertise to manage security. Most of them are really engaged in empire building, so that they alone control resources for "all things IT". I believe this is how Target was structured when they were breached, and in spite of that incident, continue to be structured in that way; dare I say, "the old fashioned way". IMHO, this shows a lack of vision by sticking to a strategy that is no longer relevant or effective in today's threat landscape. This very topic was discussed in a Dark Reading Radio discussion a short time back and clearly, the participants were mostly against that strategy (I actually do not recall that anyone was for it).
SgS125
50%
50%
SgS125,
User Rank: Ninja
9/10/2014 | 11:31:37 AM
I bet you meant "now"
"For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre."

 

I'll bet you meant to say customers should check to see if the malware is caught by their anti-virus solution.  At least that is what the email said to us.

I find it refreshing that Salesforce took the time to contact it's customers even though the attack has nothing to do with their infrastructure.

We need more proactive measures like this to help us combat the ever more co-ordinated attacks we face in todays world.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 11:26:38 AM
Re: More user awareness about phishing and social engineering
Keep fighting the good fight aws0513! I find this one the most remarkable:
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
aws0513
50%
50%
aws0513,
User Rank: Ninja
9/10/2014 | 10:50:01 AM
Re: More user awareness about phishing and social engineering
End user awareness of risk associated with IT systems is likely the largest weakness in the war against cybercrime.

The following list hopefully illustrates my point.  It is based upon the incidents I have had to remediate within the last 6 months.  Not in any order.
  • Users that click on any url link thrown at them on any web page or email.
  • Users that open attachments because they look interesting (shiny!!).
  • Users that are managers that feel that security funding is optional.
  • Users that are project managers that fail to integrate security into the project plan.
  • Users that believe that hacking only happens to the other guy.
  • Users that use the same password on all their accounts.
  • Users that use "Passw0rd" as their password...  or similar situation.
  • Users that accept a phone call and believe the caller is a technician from vendor X that is calling to help them with a problem they have detected on the users workstation.
  • Users that decide that playing online games at work is ok.
  • Users that feel they need to be able to install any software whenever they feel it is useful or necessary.
  • Users that consider corporate network web filtering a form of "big brother".
  • Users that believe they have a right to listen to music on their office workstation.
  • Users that believe they have a right to have a CD/DVD drive on their workstation.
  • Users that decide to send regulatory data to anyone that emails them for information.
  • Users that feel they need administrative control of the servers they use for work because they are the system owner (not the system administrative role).
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
  • Users that think vendor platform X is more secure that vendor platform Y because [insert unsubstantiated reason here].
  • Users that believe they know everything about IT security.  (I'm a IT security pro with 15+ years experience and even I cannot honestly make that claim).

I'm sure some of you out there could add a few more items.

I like to joke that end users are my #1 reason for my job security. 
But I am honestly and forever disenchanted by the fact that a large number of end users are just not on the right track when it comes to IT security.  I fully understand there is a lot to know.  Every day I need to review and revisit concepts to make sure I am on top of the latest developments.  But I believe everyone needs to become more cautious and aware of what bad-ness is out there.

With all security, it only takes one weakness to allow for a compromise.

I will keep fighting the good fight, with the simple hope that somewhere I am helping make a difference.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 8:11:05 AM
More user awareness about phishing and social engineering
Interesting (and not surprising) that experts recommend increased user awareness training about phishing attacks. That conforms to our current poll on social engineering where we ask Dark Reading community members what is the most dangerous social engineering threat to organizations. Results so far: "Employees aren't  aware of it (56% of respondents) and phishing emails (26%). If you haven't yet weighed in on the poll, you can scroll to the right column on your computer screen, or go to http://www.darkreading.com/editorial-poll/hacking-humans/d/d-id/1307012.


Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
CVE-2020-12525
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVE-2020-12511
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.