Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Pinpointing web application weaknesses
The latest annual list of the top 10 web software vulnerabilities is now available in draft form for peer review. Published by the Open Web Application Security Project (OWASP), it lists the most common weaknesses that organisations should focus on. As The Register noted, the leading flaw is broken access control. The second most common occurrence was weak cryptography, followed by code injection. (Dis)honourable mentions also for security misconfigurations, outdated libraries, and failure to monitor servers and logs.
A new category for this edition is ‘insecure design’. It aims to support the industry’s ambition to embed security at an earlier stage of the software development process. This way, it hopes to catch risks and threats before coding begins. After the feedback stage, OWASP plans to release the definitive 2021 list later this year.
Easy as RDP: attacks mount as ransomware gangs seek out easy access
Worried about ransomware? Who isn’t these days? Better check your Remote Desktop Protocol (RDP) endpoints are secure, as attacks against them have more than doubled since June. RDP is one of the main attack vectors that ransomware gangs are using to infiltrate organisations. ESET’s latest threat report (PDF) tracked a 103.9 per cent rise since the previous edition mere months ago.
The company publishes three times a year and it’s already warning that the situation could get worse over the next few months. Fortunately, there is a guide from Microsoft about securing RDP for anyone who hasn’t done so. We also cover this attack vector in our comprehensive white paper on ransomware. And to end on a positive note, there’s also been some good news recently with arrests and takedowns of ransomware operators.
A pledge to prevent harassment of infosec professionals
BH Consulting has signed up to Respect in Security, an industry initiative taking a stand against all forms of harassment. Respect in Security was formed this year by prominent industry professionals to support victims of harassment and coordinate efforts to prevent it. The group created a pledge for companies to support workplaces and the community free from harassment, abuse, and fear. Harassment, either persistent or isolated, is any unwanted physical, verbal, or non-verbal conduct that has the purpose or effect of either violating someone’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for them.
Research from Respect in Security found that 35 per cent of cybersecurity professionals have experienced harassment in person at industry events, in the workplace, or at work social occasions. Some 31 per cent experienced online abuse through Twitter or email. Lisa Forte, co-founder of the group, said retaliation isn’t always the most appropriate way to deal with abusive behaviour. “We would instead like the industry to come together to eradicate harassment and make the perpetrators accountable for their actions through official channels,” she said. By signing up to the pledge, BH Consulting commits to creating a workplace and community free from harassment and fear. Signatories commit not to tolerate, condone or ignore any form of harassment no matter where it happens or the personnel involved. The pledge logo is visible on every page of the BH Consulting website and the commitment is detailed in full on our blog. More information about the campaign is at Respectinsecurity.org.
Links we liked
Why soft skills are just as important as technical expertise in security roles.
Educational videos that teach how to hack? You won’t find them on TikTok.
What wedding party planning can teach us about online security.
Consumers beware: VPN industry consolidation might not be good news.
It’s been a record-breaking year for zero-day attacks.
Who scams the scammers? Giving online fraudsters a taste of their own medicine.
Ransomware’s got so bad, a 30-nation army (ok, coalition) wants to stop it.
Getting ready for Windows 11? Here’s the security book.
A public database of supply chain compromises going back to 2003.
How to choose a VPN and deploy it securely, from the US NSA and CISA.