How to Make Your Employees Your First Line of Cyber Defense

May 01, 2024
The Hacker News

There’s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats.

As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has standing guard, you’re only as secure as your weakest link. There’s still one group that can inadvertently open the gates to unwanted threat actors—your own people.

Security must be second nature for your first line of defense

For your organization to thrive, you need capable employees. After all, they’re your source for great ideas, innovation, and ingenuity. However, they’re also human. And humans are fallible. Hackers understand no one is perfect, and that’s precisely what they seek to exploit.

This is why your people must become your first line of defense against cyber threats. But to do so, they need to learn how to defend themselves against the treachery of hackers. That’s where security awareness training (SAT) comes in.

What is Security Awareness Training (SAT)?

The overall objective of an SAT program is to keep your employees and organization secure. The underlying benefit, however, is demonstrating compliance. While content may differ from program to program, most are generally similar, requiring your employees to watch scripted videos, study generic presentations, and take tests on cyber “hygiene.” At their core, SAT programs are designed to help you:

  • Educate your employees on recognizing cybersecurity risks such as phishing and ransomware
  • Minimize your organization’s exposure to cyber threats
  • Maintain regulatory compliance with cyber insurance stipulations

These are all worthwhile goals in helping your organization thrive amidst ever-evolving cyber threats. However, attaining these outcomes can feel like a pipe dream. That’s because of one unfortunate truth about most SAT programs: they don’t work.

Age-Old Challenges of Old-School SATs

Traditional SAT programs have long been scrutinized for their inability to drive meaningful behavioral changes. In fact, 69% of employees admit to “intentionally bypassing” their enterprise’s cybersecurity guidance.

If you oversee cybersecurity for an organization, then you’re likely familiar with the pain that comes with implementing one, managing it, and encouraging its usage. Given their complexities, traditional SAT solutions practically force non-technical employees to become full-on technologists.

Challenges for Administrators
  • Complex, ongoing management is frustrating. Plus, through it all they just find poor results.

Challenges for Employees
  • They’re bored. Unengaging content is detrimental, as it doesn’t lead to knowledge retention. Boring, unengaging content doesn’t help with knowledge retention.

Challenges for Your Organization
  • Most SATs aren’t effective because they’re created by generalists, not real cybersecurity experts.
  • And many are designed with little reporting capabilities, leading to limited visibility into success rates.

Because most SAT programs are complex to manage, they’re usually dismissed as a means to an end. Just check a box for compliance and move on. But when done right, SAT can be a potent tool to help your employees make more intelligent, more instinctive, security-conscious decisions.

Ask the Right Questions Before Choosing Your SAT Solution

When it comes to choosing the right solution for your organization, there are some questions you should first ask yourself. By assessing the following, you’ll be better equipped to select the option that best fits your specific needs.

Learning-Based Questions

  • Are the topics covered in this SAT relevant to my organization’s security and compliance concerns?
  • Are episodes updated regularly to reflect current threats and scenarios?
  • Does this SAT engage users in a unique, meaningful manner?
  • Is this SAT built and supported by cybersecurity practitioners?
  • Is the teaching methodology proven to increase knowledge retention?

Management-Based Questions

  • Can someone outside of my organization manage the SAT for me?
  • Can it be deployed quickly?
  • Does it automatically enroll new users and automate management?
  • Is it smart enough to skip non-human identities so I don’t assign training to, say, our copy machine?
  • Is it simple and intuitive enough for anyone across my organization to use?

Your ideal SAT will allow you to answer a resounding “Yes” to all of the above.

Essential Features of an Effective SAT

A SAT solution that’s easy to deploy, manage, and use can have a substantial positive impact. That’s because a solution that delivers “ease” has considered all of your organization’s cybersecurity needs in advance. In other words, an effective SAT does all the heavy lifting on your behalf, as it features:

Relevant topics
…based on real threats you might encounter.
What to look for:

To avoid canned, outdated training, choose a SAT solution that’s backed by experts. Cybersecurity practitioners should be the ones regularly creating and updating episodes based on the latest trends they see hackers leveraging in the wild. Additionally, every episode should cover a unique cybersecurity topic that reflects the most recent real-world tradecraft.
Full management by real experts
…so you don’t have to waste time creating, managing, and assigning training.
What to look for:

Ideally, you want a SAT solution that can manage all necessary tasks for you. Seek a SAT solution that’s backed by real cybersecurity experts who can create, curate, and deploy your learning programs and phishing scenarios on your behalf.
Memorable episodes
…with fun, story-driven lessons that are relatable and easy to comprehend.
What to look for:

Strive for a SAT solution that features character-based narratives. This indicates the SAT is carefully designed to engage learners of all attention spans. Remember, if the episodes are intentionally entertaining and whimsical, you’re more likely to find your employees conversing about inside jokes, recurring characters, and, of course, what they’ve learned. As a result, these ongoing discussions only serve to fortify your culture of security.
Continual enhancements
…so episodes are updated regularly in response to real-world threats.
What to look for:
Seek out a SAT solution that provides monthly episodes, as this will keep your learners up to date. Regular encounters with simulated cybersecurity scenarios can help enhance their abilities to spot and defend against risks, such as phishing attempts. These simulations should also be dispersed at unpredictable time intervals (i.e. morning, night, weekends, early in the month, later in the month, etc.), keeping learners on their toes and allowing them to put their security knowledge into practice.
Minimal time commitment
…so you don’t have to invest countless hours managing it all.
What to look for:
For your learners, choose a SAT solution that doesn’t feel like an arduous chore. Look for solutions that specialize in engaging episodes that are designed to be completed in shorter periods of time.
For your own administrative needs, select a SAT that can sync regularly with your most popular platforms, such as Microsoft 365, Google, Okta, or Slack. It should also sync your employee directories with ease, so whenever you activate or deactivate users, it’ll automatically update the information. Finally, make sure it’s intelligent enough to distinguish between human and non-human identities, so you’re only charged for accounts linked to real individuals.
Real results
…through episodes that instill meaningful security-focused behaviors and habits.
What to look for:
An impactful SAT should deliver monthly training that’s rooted in science-backed teaching methodologies proven to help your employees internalize and retain lessons better. Your SAT should feature engaging videos, text, and short quizzes that showcase realistic cyber threats you and your employees are likely to encounter in the wild, such as:

  • Phishing
  • Social engineering
  • Physical device security
  • and more

Measurable data
…with easy-to-read reports on usage and success rates.
What to look for:
An impactful SAT program should provide robust reporting. Comprehensible summaries should highlight those learners who haven’t taken their training or those whom a phishing simulation has compromised. Additionally, detailed reports should give you all the data you need to help prove business, insurance, and regulatory compliance.
Easy adoption
…that makes it easy to deploy and easy to scale with your organization.
What to look for:
Choose a SAT solution that’s specially built to accommodate organizations with limited time and resources. A solution that’s easy to implement can be deployed across your organization in a matter of minutes.
Compliance
…with a range of standards and regulations
What to look for:
While compliance is the bare minimum of what a SAT should offer your organization, it shouldn’t be understated. Whether to meet insurance check boxes or critical industry regulations, every business has its own compliance demands. At the very least, your SAT solution should cover the requirements of:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI)
  • Service Organization Control Type 2 (SOC 2)
  • EU General Data Protection Regulation (GDPR)

The Threat Landscape is Changing. Your SAT Should Change With It.

Cybercriminals think they’re smart, maliciously targeting individuals across organizations like yours. That’s why you need to ensure your employees are smarter. If they’re aware of the ever-changing tactics hackers employ, they can stand as your first line of defense. But first, you need to deploy a training solution you can trust, backed by real cybersecurity experts who understand emerging real-world threats.

Huntress Security Awareness Training is an easy, effective, and enjoyable solution that helps:

  • Minimize time-consuming maintenance and management tasks
  • Improve knowledge retention through neuroscience-based learning principles
  • Update you and your employees on the current threat landscape
  • Establish a culture that values cybersecurity
  • Inspire meaningful behavioral habits to improve security awareness
  • Engage you and your employees in a creative, impactful manner
  • Assure regulatory compliance
  • Keep cyber criminals out of your organization

Discover how a fully managed SAT can free up your time and resources, all while empowering your employees with smarter habits that better protect your organization from cyber threats.

Say goodbye to ineffective, outdated training. Say hello to Huntress SAT.

Start your free trial of Huntress SAT today.

This article is a contributed piece from one of our valued partners.

Source :
https://thehackernews.com/2024/05/everyones-expert-how-to-empower-your.html

Empowering Cybersecurity with AI: The Future of Cisco XDR

May 7, 2024
Siddhant Dash

In 2007, there was a study from the University of Maryland proving that internet-connected systems were attacked every 39 seconds on average. Today, that number has grown more than 60%. Cisco sees 64 attempts to connect to ransomware infrastructure every second. The world is becoming digitized, and hybrid, which creates an environment that criminals target with increasing sophistication. It’s too much for human-scale, and so a hybrid world requires a hybrid approach that sits between humans and machines.

Envision an AI Assistant that serves as a reliable partner for incident responders, offering precise, real-time guidance on the subsequent steps to take, tailored to the specific state of the incident at hand and allowing SOC (Security Operations Center) teams to respond faster and do more with less. I am pleased to announce the launch of the AI Assistant in XDR as a part of our Breach Protection Suite.

In our RSAC 2023 announcement, we introduced a vision of our Cisco SOC Assistant, designed to expedite threat detection and response. Today, this vision is realized and available in private preview. It enhances our Breach Protection Suite which is powered by Cisco XDR’s capabilities. It significantly speeds up investigations and responses, enabling security teams to safeguard their environments more efficiently and cost-effectively.

Assist with Information Discovery

In 2024, the global shortfall of 3.5 million security professionals, as reported by ISC2, underscores the importance of retaining and recruiting skilled personnel to counter increasingly sophisticated cyber threats and safeguard enterprises. Moreover, the lack of appropriate tools often leads to ineffective cyber risk management and professional burnout, adversely affecting staff retention and the SOC’s capacity to thwart attacks.

The AI Assistant in XDR acts as a potent enhancer, empowering SOC teams to maximize their efficiency and effectively close the personnel and skill gap. When an incident occurs, the assistant will contextualize events across email, the web, endpoints, and the network to tell the SOC analyst exactly what happened and its impact on their environment. It presents a short description of the incident that quickly answers what, when and how an incident happened. It also provides a long description of the incident which explains the timeline of events that have happened in this active incident.

Figure 1: Short Description of Incident Details generated by the AI Assistant
Figure 2: Long Description of Incident Details and Events Timeline

Moreover, our AI Assistant utilizes XDR’s patented ability to prioritize critical incidents, reducing alert fatigue for the SOC team and enhancing their efficiency in handling active incidents.

Figure 3: Targeted Prioritization of Incidents by AI Assistant that Need Immediate Attention

Augment and Elevate SOC Teams with Best Practice Recommendations

Today’s SOCs often struggle with a fragmented technology stack, making it difficult to respond effectively to cyber threats. Alert fatigue is a major hurdle for modern SOC teams, hindering proactive threat hunting and leading to overlooked alerts and burnout. The Cisco AI Assistant comes to the rescue and jumpstarts the incident response process for a modern SOC team.

Our AI Assistant, powered by Cisco XDR, the platform for Cisco’s Breach Protection Suite, synthesizes data from email, web, processes, endpoints, cloud, and network domains, offering precise action recommendations to effectively contain ongoing cyber-attacks. It works at machine scale to identify patterns and potential attacks that humans might miss because of alert fatigue, because a defender is only looking at one domain in isolation, or while trying to manually correlate data. The AI Assistant is context aware, meaning it tracks the state of the incident in real-time and generates tailored recommendations specific to that incident.

Figure 4: Tailored Recommendations for an Incident by the AI Assistant

Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR) are two primary metrics that SOC teams want to optimize for. Cisco XDR with our AI Assistant enables security teams to reduce these metrics by jumpstarting investigations and incident response by providing tailored recommendations for that specific incident.

Enable Seamless Collaboration Across Security Teams

The Cisco AI Assistant, embedded within XDR, facilitates team collaboration using Webex, Teams, or Slack. This empowers security teams to swiftly assemble the right experts for an active incident, thereby speeding up the MTTR. The AI Assistant unifies the team by setting up WAR rooms, summarizing messages, and logging them in XDR for instant audit-readiness.

Figure 5: AI Assistant creates a Webex WAR Room and brings the right experts together for Incident Response

Automate Workflows to Neutralize Threats Across the Enterprise

Today’s SOCs often lack a cohesive technology stack to respond to cyber threats efficiently and consistently. As the IT environment grows beyond the on-premises data center to cloud, hybrid-cloud and multi-cloud country specific data centers, organizations accumulate point solutions to monitor and protect pieces of the environment. As a result, SOC analysts must do a lot of the heavy lifting required to detect and respond to an attack. This includes logging into different tools to execute workflows that contain an attack.

Our AI Assistant taps into advanced workflows and atomics with Cisco XDR’s 90+ integrations. Our AI assistant enables the execution of workflows at a single click, guided by the AI Assistant’s personalized recommendations that consider the incident’s playbook and current state in real-time.

Figure 6: Execution of Automated Workflows by the AI Assistant to Contain an Incident

Gone are the days when security teams had to juggle multiple isolated products and execute workflows in each to mitigate an attack. With Cisco Breach Protection Suite, billions of security events can be correlated and recommended actions can be generated and executed all in one place. This is the transformative power of the Cisco XDR combined with Cisco’s AI Assistant revolutionizing enterprise security.

Conclusion

By leveraging comprehensive telemetry data from various sources in Cisco XDR and combining that with our AI Assistant, we enable SOC teams to rapidly respond to active incidents and fortify defenses against complex threats. The AI Assistant amplifies the SOC’s existing knowledge, streamlines routine tasks, and empowers analysts to focus on strategic initiatives. This boosts analyst productivity and job satisfaction, leading to improved staff retention and SOC effectiveness, ultimately resulting in precise, consistent, and accurate security outcomes.

Learn how Cisco Breach Protection Suite, Cisco XDR and our AI Assistant can simplify your security operations.



Source :
https://blogs.cisco.com/security/empowering-cybersecurity-with-ai-the-future-of-cisco-xdr

How to Rename an Active Directory Domain

written by Cyril Kardashevsky
February 8, 2024

Changing the name of an Active Directory domain is something few AD administrators have ever done. The domain renaming process itself is fairly straightforward, but needs to be carefully planned so as not to break the entire corporate infrastructure.

The need to change an AD domain name usually arises in the context of a corporate acquisition, rebranding, or M&A consolidation of multiple business units.

Preparation for an AD Domain Rename

Before you proceed to change your domain name, check the basic requirements:

  • AD schema version at least Windows Server 2003;
  • If a Certificate Authority (CA) is deployed in the domain, make sure it is properly prepared (Prepare certification authorities for domain rename);
  • Domains with on-premises Exchange Server (except 2003 versions) are incompatible with domain renaming. Migrating your users, groups, and computers to a new AD forest with Exchange using ADMT is the only solution in this case;
  • There are some other Microsoft and non-Microsoft applications that do not support domain renames (check your application’s documentation);
  • You need to create a primary DNS zone for the new domain name in your AD;
  • If DFS namespaces, redirected folders, roaming user profiles, etc. are implemented in your infrastructure, gather all the relevant information for them and schedule a migration immediately after the domain name change.

In this post, we will rename an existing contoso.com domain with AD controllers running Windows Server 2019 to theitbros.com.

Note. Be sure to back up your AD before you start renaming your domain.

The first step is to create a primary DNS zone for the new domain on your DNS server:

  1. Connect to DC and open the DNS Manager console (dnsmgmt.msc);
  2. Expand the Forward Lookup Zones node;
  3. Select New zone;
  4. Create a new primary AD-integrated zone called theitbros.com with the Allow only secure dynamic updates option enabled. Wait for the new zone to replicate to all the DNS servers in the forest.

Renaming AD Domain Using RenDom Tool

In order to change the AD domain name, you must use the rendom console tool, which is available on any domain controller. The C:\Windows\System32\rendom.exe command allows you to perform all the necessary actions for a domain renaming operation.

Sign in to the DC and open the command prompt as an administrator.

Run the following command to generate an XML file containing your domain configuration:

rendom /list

Open the Domainlist.xml with notepad:

notepad Domainlist.xml

Use the Edit > Replace option to find the old domain name in the file and replace it with the new one. Manually change the value in the NetBiosName field.

Save the changes to the Domainlist.xml file.

Verify the new configuration (command makes no changes yet):

rendom /showforest

Upload a new configuration file to the DC running the Domain Naming Operations Master FSMO role:

rendom /upload

Wait for the file containing the domain renaming instructions to be replicated to all other domain controllers in the forest. You can force the synchronization of changes made on the Domain Naming Master to all DCs:

repadmin.exe /syncall /d /e /P /q DomainNamingMaster_DC_HostName

The rendom /upload command creates a DClist.xml file that is used to track the progress and status of each domain controller in the forest for the domain rename operation. At this point, Rendom freezes your Active Directory forest against any changes to its configuration (such as adding/removing DCs, configuring domain trusts, etc.).

Check if the domain is ready to accept changes (checks the availability of all DCs):

rendom /prepare

If this command returns no errors, you can run the rename operation:

rendom /execute

This command automatically reboots all domain controllers.

All the domain-joined workstations and member servers must be rebooted twice for the changes to take effect. The first reboot allows the domain member to detect the domain change and change the full computer name. The second is used to register the new computer name in the new DNS zone.

Note. If there are any remote computers that connect to your domain via VPN, you will need to unjoin them from the old domain and rejoin the new domain.

Now your users can log on to computers using their old usernames and passwords.

After that, you need to manually rename all domain controllers (they won’t automatically change their names to reflect the new domain).

Use the following command to rename each DC:

netdom computername DC01.contoso.com /add:DC01.theitbros.com

netdom computername DC01.contoso.com /makeprimary:DC01.theitbros.com

Reboot the domain controller to apply the changes.

Now you need to rebind the Group Policy Objects to the new domain name:

gpfixup /olddns:contoso.com /newdns:theitbros.com

Then run the command to fix the NetBIOS name of the domain in the GPOs:

gpfixup /oldnb:CONTOSO /newnb:THEITBROS

Remove links to the old domain:

rendom /clean

You can now complete the domain rename and unfreeze the AD forest:

rendom /end

Make sure that the rename was successful. Check that all Active Directory domain controllers can be contacted and that users can sign in to the new domain; check that applications work correctly, and check AD replication and errors on DCs.

Now change paths in DFS namespaces, roaming profiles, redirected folders, etc. if used.
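
A pre-upload check for the edited Domainlist.xml, as an added example that is not part of the original article: Edit > Replace on the DNS name does not touch the NetBiosName field, so the function below reports entries that still carry the old names. The function name, the GUIDs and the sample XML are constructed here, and the element layout is assumed to match what rendom /list writes.

```powershell
# Added example, not from the original article. Function name and sample data are illustrative.
# Assumed layout (as written by "rendom /list"): <Forest>/<Domain> entries with <DNSname>
# and <NetBiosName> children; application partitions have an empty NetBiosName.
function Test-DomainListEdit {
    param(
        [Parameter(Mandatory)][xml]$DomainList,
        [Parameter(Mandatory)][string]$OldDns,
        [Parameter(Mandatory)][string]$NewDns,
        [Parameter(Mandatory)][string]$OldNetBios,
        [Parameter(Mandatory)][string]$NewNetBios
    )
    $problems   = New-Object System.Collections.Generic.List[string]
    $sawNewRoot = $false

    # NetBIOS domain names are limited to 15 characters.
    if ($NewNetBios.Length -gt 15) {
        $problems.Add("NetBIOS name '$NewNetBios' is longer than 15 characters")
    }

    foreach ($entry in $DomainList.SelectNodes('/Forest/Domain')) {
        $dnsNode = $entry.SelectSingleNode('DNSname')
        $nbNode  = $entry.SelectSingleNode('NetBiosName')
        if ($null -eq $dnsNode -or $null -eq $nbNode) {
            $problems.Add('A Domain entry is missing DNSname or NetBiosName')
            continue
        }
        $dns     = $dnsNode.InnerText.Trim()
        $netbios = $nbNode.InnerText.Trim()

        # Test the new name first, so a rename to a child of the old name
        # (for example corp.contoso.com) is not reported as a leftover.
        $isNew = ($dns -eq $NewDns) -or ($dns -like "*.$NewDns")
        $isOld = ($dns -eq $OldDns) -or ($dns -like "*.$OldDns")
        if ($isOld -and -not $isNew) {
            $problems.Add("DNSname '$dns' still uses the old domain name")
        }

        if ($dns -eq $NewDns) {
            # This is the domain partition itself: its NetBIOS name must be the new one.
            $sawNewRoot = $true
            if ($netbios -ne $NewNetBios) {
                $problems.Add("NetBiosName for '$dns' is '$netbios', expected '$NewNetBios'")
            }
        } elseif ($netbios -eq $OldNetBios) {
            $problems.Add("NetBiosName for '$dns' is still '$netbios'")
        }
    }

    if (-not $sawNewRoot) {
        $problems.Add("No Domain entry has DNSname '$NewDns'")
    }
    return $problems.ToArray()
}

# Constructed sample: the DNS name was replaced in two entries, one application
# partition was missed, and the NetBiosName field was never edited.
[xml]$sample = @'
<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000001</Guid>
    <DNSname>DomainDnsZones.theitbros.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>00000000-0000-0000-0000-000000000002</Guid>
    <DNSname>ForestDnsZones.contoso.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <Guid>00000000-0000-0000-0000-000000000003</Guid>
    <DNSname>theitbros.com</DNSname>
    <NetBiosName>CONTOSO</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>
'@

# For the real file: [xml]$sample = Get-Content .\Domainlist.xml -Raw
$issues = @(Test-DomainListEdit -DomainList $sample -OldDns 'contoso.com' -NewDns 'theitbros.com' `
                                -OldNetBios 'CONTOSO' -NewNetBios 'THEITBROS')
if ($issues.Count -eq 0) {
    'Domainlist.xml is consistent; continue with rendom /showforest'
} else {
    $issues | ForEach-Object { "PROBLEM: $_" }
}
```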

Source :
https://theitbros.com/how-to-rename-active-directory-domain/

How to Sync Client Time with Domain Controller on Windows

written by Cyril Kardashevsky
January 18, 2024

In order for Windows computers to function properly in Active Directory, they must have their time in sync with the domain. In the AD environment, domain controllers act as the time source for client devices. Kerberos AD authentication will fail if the clock offset between the client and the domain controller (KDC) is greater than 5 minutes.

Understanding the Time Hierarchy in the Active Directory Domain

There is a strict hierarchy to time synchronization in an Active Directory domain:

  1. The domain controller with the PDC emulator FSMO role is the main source of time in the domain. This DC synchronizes the time with an external time source or NTP server;
  2. Other domain controllers synchronize their time with the PDC domain controller;
  3. The domain workstations and the Windows member servers synchronize their time with the domain controller that is closest to them (in accordance with AD sites and subnets configuration);

Hint. Learn more about time syncing in an Active Directory domain using the GPO.

Sync Time with DC on the Domain-Joined Machine

The AD domain controller should be used as the time source on the workstation after you have joined it to the domain. On Windows 10 or 11, go to Settings > Time and Language and make sure your DC is used as the last time sync source.

You can also get the NTP source on your computer by using the command:

w32tm /query /source

The command should return the name of one of the domain controllers in your AD domain.

List details of the status of time synchronization on the client device:

w32tm /query /status

The command returns the following useful information:

  • Leap Indicator (time sync status)
  • Last Successful Sync Time
  • Source (your DC)
  • Poll Interval (1024 seconds by default)

Get a list of the AD domain controllers which can be used to synchronize time:

w32tm /monitor

In this example, there are three domain controllers available for the client to synchronize time with.

To re-enable time synchronization with a DC for computers in an Active Directory domain, use the following commands:

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

If the domain computer is configured to synchronize its time according to the AD DS time hierarchy, the value of the Type parameter in the HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key should be NT5DS.

If the Windows client fails to synchronize time with the AD domain controller, you must reset the Windows Time service configuration. To do this, open a command prompt as an administrator and run the following commands:

  • The first command unregisters the w32time service and removes the settings from the registry: w32tm /unregister
  • Then register w32tm service and restore the default time settings: w32tm /register
  • Set AD as the time sync source for the client (by changing the Type registry parameter to NT5DS): REG add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /d NT5DS
  • Restart the service: net stop w32time && net start w32time
  • Update settings: w32tm /config /update
  • Synchronize the time: w32tm /resync
  • Check your current sync settings: w32tm /query /status

The screenshot below shows that Windows is now synchronizing with DC (Source).
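
A health check built from the fields listed earlier (Leap Indicator, Last Successful Sync Time, Source, Poll Interval) and the Type registry value, as an added example that is not from the original article. The function name, the "three poll intervals" staleness threshold and both sample outputs are assumptions constructed here.

```powershell
# Added example, not from the original article. Both status samples are constructed.
function Test-DomainTimeSync {
    param(
        [Parameter(Mandatory)][string[]]$StatusLines,  # lines printed by: w32tm /query /status
        [Parameter(Mandatory)][string]$SyncType,       # "Type" value under ...\W32Time\Parameters
        [Parameter(Mandatory)][string]$DomainDns,      # AD DNS domain the source DC belongs to
        [datetime]$Now = (Get-Date),
        [cultureinfo]$Culture = [cultureinfo]::CurrentCulture  # locale of the w32tm output
    )
    # Turn "Name: value" lines into a lookup table.
    $s = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $s[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $findings = New-Object System.Collections.Generic.List[string]

    if ($SyncType -ne 'NT5DS') {
        $findings.Add("Type is '$SyncType'; following the domain hierarchy requires NT5DS")
    }
    if ($s['Leap Indicator'] -like '3*') {
        $findings.Add('Leap Indicator is 3: the clock is not synchronized')
    }

    # Manually configured peers carry a ",0x.." flag suffix; keep the host part only.
    $source = ([string]$s['Source'] -split ',')[0].Trim()
    if ($source -in 'Local CMOS Clock', 'Free-running System Clock') {
        $findings.Add("Source is '$source': no time is being taken from a DC")
    } elseif ($source -notlike "*.$DomainDns") {
        $findings.Add("Source '$source' is not a host in $DomainDns")
    }

    # Assumed threshold: a sync older than three poll intervals counts as stale.
    $last   = [datetime]::MinValue
    $text   = [string]$s['Last Successful Sync Time']
    $styles = [System.Globalization.DateTimeStyles]::None
    if (-not [datetime]::TryParse($text, $Culture, $styles, [ref]$last)) {
        $findings.Add("Last Successful Sync Time is '$text' (never synced or not parseable)")
    } else {
        $poll = 1024                                     # default from the list above
        if ($s['Poll Interval'] -match '\((\d+)s\)') { $poll = [int]$Matches[1] }
        $age = [int]($Now - $last).TotalSeconds
        if ($age -gt 3 * $poll) {
            $findings.Add("Last sync was $age s ago, more than three poll intervals of $poll s")
        }
    }
    return $findings.ToArray()
}

# Constructed sample 1: a client that follows the domain hierarchy.
$healthy = @(
    'Leap Indicator: 0(no warning)'
    'Stratum: 4 (secondary reference - syncd by (S)NTP)'
    'Last Successful Sync Time: 1/18/2024 10:15:32 AM'
    'Source: DC01.theitbros.com'
    'Poll Interval: 10 (1024s)'
)
# Constructed sample 2: a client that never synchronized and is not set to NT5DS.
$broken = @(
    'Leap Indicator: 3(not synchronized)'
    'Stratum: 0 (unspecified)'
    'Last Successful Sync Time: unspecified'
    'Source: Local CMOS Clock'
    'Poll Interval: 10 (1024s)'
)

$now = [datetime]'2024-01-18T10:30:00'
$ok  = @(Test-DomainTimeSync -StatusLines $healthy -SyncType 'NT5DS' -DomainDns 'theitbros.com' `
                             -Now $now -Culture 'en-US')
$bad = @(Test-DomainTimeSync -StatusLines $broken -SyncType 'NTP' -DomainDns 'theitbros.com' `
                             -Now $now -Culture 'en-US')
"healthy client: $($ok.Count) finding(s)"
"broken client:  $($bad.Count) finding(s)"
$bad | ForEach-Object { "  - $_" }

# On a live client the inputs would be collected with:
#   $lines = w32tm /query /status
#   $type  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
```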

Time Sync Issues on Windows Domain Joined Computers

The Windows Time Service (W32Time) is responsible for time synchronization. First, ensure that this service is running on a Windows client computer:

Get-Service W32Time | Select-Object name,status

UDP port 123 is used for time synchronization on Windows. If this port is not available on the DC, the client computer won’t be able to synchronize the time.

You may get an error when you try to synchronize the time with the w32tm /resync command:

Sending resync command to local computer
The computer did not resync because no time data was available.

Check that the w32time service is running on the DC and listening on UDP port 123:

netstat -an | find "UDP" | find ":123"

Then check that the UDP inbound rule named Active Directory Domain Controller – W32Time (NTP-UDP-In) is enabled in Windows Defender Firewall (Control Panel > Windows Firewall > Advanced settings > Inbound rules).

You can check Windows Defender Firewall rule status with PowerShell:

Get-NetFirewallrule -DisplayName 'Active Directory Domain Controller - W32Time (NTP-UDP-In)'|select Enabled

If the rule is disabled, you must enable it:

Get-NetFirewallrule -DisplayName 'Active Directory Domain Controller - W32Time (NTP-UDP-In)'|Enable-NetFirewallrule

It is also possible to force a client to manually synchronize its time with another domain controller.

net time \\ny-dc01 /set /y

Configuring the NTP Client Time Sync on Windows Using GPO

In most cases, time sync with a domain on Windows client doesn’t require administrator intervention. However, if you find that time synchronization is not working properly on clients in your domain, you can centrally configure client NTP settings on Windows devices using Group Policy.

  1. Use the gpedit.msc console if you want to change Group Policy settings on a single computer (this is the best solution if you need to solve synchronization problems on a single computer or test new NTP client settings). To set up a GPO for multiple domain computers, use the Group Policy Management Console (gpmc.msc);
  2. Expand the following node in GPO editor: Computer Configuration > Administrative Templates > System > Windows Time Service;
  3. Enable the Enable Windows NTP Client policy;
  4. Then enable the Configure NTP Client policy and set the following settings in the Options panel:
    NTPServer: your domain name (preferred) or FQDN name of the domain controller with the PDC Emulator role (you can find it with the command: netdom.exe query fsmo)
    Type: NT5DS
    CrossSiteSyncFlags: 2
    ResolvePeerBackoffMinutes: 15
    ResolvePeerBackoffMaxTimes: 7
    SpecialPollInterval: 64
    EventLogFlags: 0
  5. Restart your computer to apply the new GPO client time settings.

Source :
https://theitbros.com/sync-client-time-with-domain-controller/

NIST Launches Cybersecurity Framework (CSF) 2.0

By: Shannon Murphy, Greg Young
March 20, 2024

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the official 2.0 version of the Cyber Security Framework (CSF).

What is the NIST CSF?

The NIST CSF is a series of guidelines and best practices to reduce cyber risk and improve security posture. The framework is divided into pillars or “functions” and each function is subdivided into “categories” which outline specific outcomes.

As titled, it is a framework. Although it was published by a standards body, it is not a technical standard.

https://www.nist.gov/cyberframework

What Is the CSF Really Used For?

Unlike some very prescriptive NIST standards (for example, crypto standards like FIPS-140-2), the CSF framework is similar to the ISO 27001 certification guidance. It aims to set out general requirements to inventory security risk, design and implement compensating controls, and adopt an overarching process to ensure continuous improvement to meet shifting security needs.

It’s a high-level map for security leaders to identify categories of protection that are not being serviced well. Think of the CSF as a series of buckets with labels. You metaphorically put all the actions, technology deployments, and processes you do in cybersecurity into these buckets, and then look for buckets that have too little activity in them, or that have too much activity (or repetitive activity) and not enough of other requirements in them.

The CSF hierarchy is that Functions contain many Categories — or in other words, there are big buckets that contain smaller buckets.

What Is New in CSF 2.0?

The most noteworthy change is the introduction of Governance as a sixth pillar in the CSF. This shift gives governance significantly more importance: from just a mention within the previous five Categories, it is now its own separate Function.

According to NIST, the Govern function refers to how an organization’s “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.” This is a positive and needed evolution, as when governance is weak, it often isn’t restricted to a single function (e.g. IAM) and can be systemic.

Governance aligns to a broader paradigm shift where we see cybersecurity becoming highly relevant within the business context as an operational risk. The Govern expectation is that cybersecurity is integrated into the broader enterprise risk management strategy and that it requires dedicated accountability and oversight.

There are some other reassignments and minor changes in the remaining five Categories. CSF version 1.0 was published in 2014, and 1.1 in 2018. A lot has changed in security since then. The 2.0 update acknowledges that a review has been conducted.

As a framework, the CISO domain has not radically changed. Yes, the technology has radically evolved, but the greatest evolution in the CISO role really has been around governance: greater interaction with C-suite and board, while some activities have been handed off to operations.

So How Will This Impact Me in the Short Term?

The update to the NIST CSF provides a fresh opportunity for security leaders to start or reopen conversations with business leaders on evolving needs.

  • The greatest impact will be to auditors and consultants who will need to make formatting changes to their templates and work products to align with version 2.0.
  • CISOs and security leaders will have to make some similar changes to how they track and report compliance.
  • But overall, the greatest impact (aside from some extra billable cybersecurity consulting fees) will be a boost of relevance to the CSF that could attract new adherents both through security leaders choosing to look at themselves through the CSF lens and management asking the same of CISOs.

Source :
https://www.trendmicro.com/it_it/research/24/c/nist-cybersecurity-framework-2024.html

Windows 11 KB5034765 won’t install, taskbar issues, and explorer.exe crashes

By Mayank Parmar - February 19, 2024

You’re not alone if you have issues with the Windows 11 KB5034765 update. The February 2024 security update for Windows 11 causes File Explorer to crash when rebooting the system, and some have found it’s causing the taskbar to disappear. Additionally, many users are having problems installing the Windows 11 February 2024 update.

Microsoft sources have confirmed to Windows Latest that the company is aware of an issue that causes the taskbar to crash or disappear briefly after installing KB5034765. I’m told the company has already rolled out a fix. This means some of you should be able to see the taskbar again after reinstalling the patch (remove and install it again).

But that’s not all. The February 2024 update has other problems, too. In our tests, we observed that the Windows 11 KB5034765 update repeatedly fails to install with 0x800f0922, 0x800f0982, and 0x80070002.

Multiple users told me that when they tried to install the security patch, everything seemed fine at first. The update downloads and asks for a restart. But during the installation, Windows Update stopped and confirmed there was a problem. It tries a few more times and then goes back to the desktop without updating.

KB5034765 is not installing, but there’s a fix

Our device also attempted the “rollback” after successfully downloading the February 2024 cumulative update, but the process was stuck on the following screen for ten minutes:

  • Something didn’t go as planned. No need to worry—undoing changes. Please keep your computer on.

I tried a few things to fix it. For example, I removed programs that didn’t come with Windows, cleared the Windows Update cache and used the Windows Update troubleshooter. None of these solutions have worked.

However, there’s some good news. It looks like we can successfully install KB5034765 by deleting a hidden folder named $WinREAgent. There are multiple ways to locate and delete this folder from a Windows 11 installation, and you can choose your preferred one:

  • Method 1: Run Disk Cleanup as an administrator, select the system drive, and check the boxes for “Temporary files” and other relevant options. Finally, click “OK” to remove the system files, including Windows Update files. This will delete unnecessary files within $WinREAgent.
  • Method 2: Open File Explorer and open the system drive, but make sure you’ve turned on view hidden items from folder settings. Locate $WinREAgent and remove it from the system.
  • Method 3: Open Command Prompt as Administrator, and run the following command: rmdir /S /Q C:\$WinREAgent

Windows Update causes File Explorer to crash on reboot

Some PC owners are also running into another problem that causes the File Explorer to crash when rebooting or shutting down the system.

This issue was previously observed in Windows 11’s January 2024 optional update, and it seems to have slipped into the mandatory security patch.

The error message indicates an application error with explorer.exe, mentioning a specific memory address and stating, “The memory could not be written”.

“The instruction at 0x00007FFB20563ACa referenced memory at 0x0000000000000024. The memory could not be written. Click on OK to terminate the program,” the error message titled “explorer.exe – Application Error” reads.

This issue seems to persist regardless of various troubleshooting efforts. Users have tried numerous fixes, including running the System File Checker tool (sfc /scannow), testing their RAM with Windows’ built-in tool and memtest86+, and even performing a clean installation of the latest Windows 11 version.

Despite these efforts, the error remains.

Interestingly, a common factor among affected users is the presence of a controller accessory, such as an Xbox 360 controller for Windows, connected to the PC. This connection has been observed, but it’s unclear if it directly contributes to the problem.

Microsoft’s release notes for the KB5034765 update mentioned a fix for an issue where explorer.exe could stop responding when a PC with a controller accessory attached is restarted or shut down.

However, despite this so-called official fix, users report that the problem still occurs, and it’s not possible to manually fix it.

Windows 11 taskbar crashes or disappears after the patch

As mentioned at the outset, the Windows 11 KB5034765 update causes the taskbar to disappear or crash when you reboot or turn on the device.

According to my sources, Microsoft has already patched the issue via server-side update, but if your taskbar or quick settings like Wi-Fi still disappear, try the following steps:

  1. Open Settings, go to the Windows Update section and click Update History. On the Windows Update history page, click Uninstall updates, locate KB5034765 and click Uninstall.
  2. Confirm your decision, click Uninstall again, and reboot the system.
  3. Go to Settings > Windows Update and check for updates to reinstall the security patch.

The above steps are unnecessary, as the server-side update will automatically apply to your device.

Source :
https://www.windowslatest.com/2024/02/19/windows-11-kb5034765-wont-install-and-causes-other-issues-but-theres-a-fix/

Enhancing RFC-compliance for message header from addresses

06/02/2024

Hornetsecurity is implementing an update to enhance email security by enforcing checks on the “Header-From” value in emails, as per RFC 5322 standards.
This initiative is driven by several key reasons:

  1. Preventing Email Delivery Issues: Historically, not enforcing the validity of the originator email address has led to emails being accepted by our system but ultimately rejected by the final destination, especially with most customers now using cloud email service providers that enforce stricter validation.
  2. Enhanced Protection Against Spoofed Emails: By strictly validating the “Header-From” value, we aim to significantly reduce the risk of email spoofing.
  3. Enhance Email Authentication for DKIM/DMARC Alignment: By enforcing RFC 5322 compliance in the “Header-From” field, we can ensure better alignment with DKIM and DMARC standards, thereby significantly improving the security and authenticity of email communications.

The cause of malformed “From” headers often stems from incorrect email server configurations by the sender or from bugs in scripts or other applications. Our new protocol aims to rectify these issues, ensuring that all emails passing through our system are fully compliant with established standards, thus improving the overall security and reliability of email communications.

Implementation Timeline

  • Stage 1 (Starting 4 March 2024): 1-5% of invalid emails will be rejected.
  • Stage 2 (Second week): 30% rejection rate.
  • Stage 3 (Third week): 60% rejection rate.
  • Final Stage (By the end of the fourth week): 100% rejection rate.

Impact Assessment

Extensive testing over the past six months indicates that the impact on legitimate email delivery is expected to be minimal. However, email administrators should be prepared for potential queries from users experiencing email rejections.

Handling Rejections

When an email is rejected due to a malformed “Header-From”, the sender will receive a bounce-back message with the error “510 5.1.7 malformed Header-From according to RFC 5322”. This message indicates that the email did not meet the necessary header standards.

Identifying Affected Emails

Email administrators can identify affected emails in the Hornetsecurity Control Panel (https://cp.hornetsecurity.com) using the following steps:

  1. Navigate to ELT in the Hornetsecurity Control Panel.
  2. Select your tenant in the top right field.
  3. Choose a date range for your search. A shorter range will yield quicker results.
  4. Click in the “Search” text box, select the “Msg ID” parameter, and type in “hfromfailed” (exact string).
  5. Press ENTER to perform the search.

When email administrators identify emails affected by the “Header-From” checks in the Email Live Tracking (ELT) system, immediate and appropriate actions are necessary to verify if the email application or server settings are correctly configured to comply with RFC 5322 standards. This will help maintain email flow integrity.


Defining Exceptions

In implementing the new “Header-From” checks, Hornetsecurity recognizes the need for flexibility in certain cases. Therefore, we have provisioned for the definition of exceptions to these checks.

This section details how to set up these exceptions and the timeline for their deprecation:

Configuring Exceptions

  1. Accessing the Control Panel: Log in to the Hornetsecurity Control Panel at https://cp.hornetsecurity.com.
  2. Navigating to the Compliance Filter.
  3. Creating Exception Rules: Within the Compliance Filter, you can create rules that define exceptions to the “Header-From” checks. These should be based on the envelope sender address.
  4. Applying the Exceptions: Once defined, these exceptions will allow certain emails to bypass the strict “Header-From” checks.

Timeline for Deprecation of Exceptions applied to the new Header-From checks

  • Initial Implementation: The ability to define exceptions is available as part of the initial rollout of the “Header-From” checks.
  • Deprecation Date: These exception provisions are set to be deprecated by the end of June 2024.

The provision for exceptions is intended as a temporary measure to facilitate a smoother transition to the new protocol. By June 2024, it is expected that all email senders would have had sufficient time to align their email systems with RFC 5322 standards. Deprecating the exceptions is a step towards ensuring full compliance and maximizing the security benefits of the “Header-From” checks.

Conclusion

The enhancement of our RFC-compliance is a significant step toward securing email communications. Adherence to these standards will collectively reduce risks associated with email. For further assistance or clarification, please reach out to our support team at support@hornetsecurity.com.

Invalid “Header From” Examples:

| Header From | Reason |
| --- | --- |
| From: <> | Blank addresses are problematic as they cause issues in scenarios requiring a valid email address, such as allow and deny lists. |
| From: John Doe john.doe@hornetsecurity.com | Non-compliant with RFC standards. The email address must be enclosed in angle brackets (< and >) when accompanied by a display name. |
| From: "John Doe" <john.doe@hornetsecurity.com> (Peter's cousin) | While technically RFC-compliant, such formats are often rejected by M365 unless explicit exceptions are configured. We do accept certain email addresses with comments. |
| From: John, Doe <john.doe@hornetsecurity.com> | Non-compliant with RFC standards. A display name containing a comma must be enclosed in double quotes. |
| From: "John Doe <john.doe@hornetsecurity.com>" | Non-compliant with RFC standards. The entire ‘From’ value is incorrectly enclosed in double quotation marks, which is not allowed. |
| From: "John Doe <john.doe@hornetsecurity.com>" john.doe@hornetsecurity.com | Non-compliant with RFC standards. The display name is present, but the email address is not correctly enclosed in angle brackets. |
| From: "John Doe"<john.doe@hornetsecurity.com> | Non-compliant with RFC standards due to the absence of white-space between the display name and the email address. |
| From: "Nested Brackets" <<info@hornetsecurity.com> | Nested angle brackets are not allowed in the “addr-spec” part of the email address. |
| From: Peter Martin <e14011> | Non-compliant with RFC standards. The domain part of the email address (“addr-spec”) is missing. |
| From: "News" <news.@hornetsecurity.com> | Non-compliant with RFC standards. The local part of the email address must not end with a dot. |
| Missing “From” header altogether | A “From” header is mandatory in emails. The absence of this header is a clear violation of RFC standards. |

Valid “Header From” Examples:

| Header From | Reason |
| --- | --- |
| From: john.doe@hornetsecurity.com | RFC-compliant |
| From: <john.doe@hornetsecurity.com> | RFC-compliant |
| From: "Doe, John" <john.doe@hornetsecurity.com> | RFC-compliant |
| From: "John Doe" <john.doe@hornetsecurity.com> | RFC-compliant |
| From: < john.doe@hornetsecurity.com > | RFC-compliant but not recommended because of the spaces between the email address and angle brackets |
| From: John Doe <john.doe@hornetsecurity.com> | Acceptable, although it is recommended that the display name is enclosed in double quotes if it contains any white-space. |
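
Senders can test their own “From” values against the two tables above before mail reaches the filter. The following Python check is an added example, not Hornetsecurity's filter: check_header_from, Verdict and the reason strings are hypothetical names. It assumes a single mailbox with a dot-atom local part and domain, and it rejects every comment, although the notice says certain addresses with comments are accepted.

```python
import re
from typing import NamedTuple, Optional

# RFC 5322 "atext": characters allowed in an unquoted word.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
ATOM = re.compile(rf"{ATEXT}+")
DOT_ATOM = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*")
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')              # one quoted-string
NAME_ADDR = re.compile(r"([^<>]*)<([^<>]*)>([^<>]*)")  # display <addr> trailer
Q = "\x00"  # placeholder standing in for a quoted-string


class Verdict(NamedTuple):
    ok: bool
    reason: str


def check_addr_spec(addr: str) -> Verdict:
    """Validate local-part@domain, both restricted to dot-atom form."""
    if not addr:
        return Verdict(False, "blank address")
    if "@" not in addr:
        return Verdict(False, "domain part missing")
    local, domain = addr.rsplit("@", 1)
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return Verdict(False, "misplaced dot in local part")
    if not DOT_ATOM.fullmatch(local) or not DOT_ATOM.fullmatch(domain):
        return Verdict(False, "addr-spec is not dot-atom@dot-atom")
    return Verdict(True, "RFC-compliant")


def check_header_from(value: Optional[str]) -> Verdict:
    """Classify the text after 'From:'; None means the header is absent."""
    if value is None:
        return Verdict(False, "From header missing")
    if Q in value:
        return Verdict(False, "control character in header")
    # Hide quoted-strings so their contents cannot be mistaken for syntax.
    skeleton = QUOTED.sub(Q, value.strip())
    if '"' in skeleton:
        return Verdict(False, "unbalanced double quote")
    if "(" in skeleton or ")" in skeleton:
        return Verdict(False, "comment present")
    if "<" not in skeleton and ">" not in skeleton:
        if skeleton == Q:
            return Verdict(False, "entire value enclosed in double quotes")
        if Q in skeleton or re.search(r"\s", skeleton):
            return Verdict(False, "address not in angle brackets")
        return check_addr_spec(skeleton)
    match = NAME_ADDR.fullmatch(skeleton)
    if match is None:
        return Verdict(False, "nested or unbalanced angle brackets")
    display, addr, trailing = match.groups()
    if trailing.strip():
        return Verdict(False, "text after closing angle bracket")
    if display.strip():
        if not display[-1].isspace():
            return Verdict(False, "no white-space between display name and address")
        for word in display.split():
            if word != Q and not ATOM.fullmatch(word):
                return Verdict(False, "display name needs double quotes")
    verdict = check_addr_spec(addr.strip())
    if verdict.ok and addr != addr.strip():
        return Verdict(True, "accepted; spaces inside angle brackets not recommended")
    return verdict


# Constructed sample values, taken from the tables in the notice.
SAMPLES = [
    'John Doe <john.doe@hornetsecurity.com>',
    '"Doe, John" <john.doe@hornetsecurity.com>',
    'John, Doe <john.doe@hornetsecurity.com>',
    '"John Doe"<john.doe@hornetsecurity.com>',
    'Peter Martin <e14011>',
]


def rejected(samples):
    """Return (value, reason) for every sample the check would refuse."""
    results = [(s, check_header_from(s)) for s in samples]
    return [(s, v.reason) for s, v in results if not v.ok]


if __name__ == "__main__":
    for value, reason in rejected(SAMPLES):
        print(f"{value!r}: {reason}")
```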

Source :
https://support.hornetsecurity.com/hc/en-us/articles/22036971529617-Enhancing-RFC-compliance-for-message-header-from-addresses

How to Set Up Google Postmaster Tools

Updated: Jan 31, 2024, 13:03 PM
By Claire Broadley, Content Manager
Reviewed by Jared Atchison, Co-owner

Do you want to set up Postmaster Tools… but you’re not sure where to start?

Postmaster Tools lets you monitor your spam complaints and domain reputation. That’s super important now that Gmail is blocking emails more aggressively.

Thankfully, Postmaster Tools is free and easy to configure. If you’ve already used a Google service like Analytics, it’ll take just a couple of minutes to set up.

Who Needs Postmaster Tools?

You should set up Postmaster Tools if you meet any of the following criteria:

1. You Regularly Send Emails to Gmail Recipients

Postmaster Tools is a tool that Google provides to monitor emails to Gmail users.

Realistically, most of your email lists are likely to include a large number of Gmail mailboxes unless you’re sending to a very specific group of people, like an internal company mailing list. (According to Techjury, Gmail had a 75.8% share of the email market in 2023.)

Keep in mind that Gmail recipients aren’t always using Gmail email addresses. The people who use custom domains or Google Workspace are ‘hidden’, so it’s not always clear who’s using Gmail and who isn’t. To be on the safe side, it’s best to use it (it’s free).

2. You Send Marketing Emails (or Have a Large Website)

Postmaster Tools works best for bulk email senders, which Google defines as a domain that sends more than 5,000 emails a day.

If you’re sending email newsletters on a regular basis, having Postmaster Tools is going to help.

Likewise, if you use WooCommerce or a similar platform, you likely send a high number of transactional emails: password reset emails, receipts, and so on.

If you don’t send a large number of emails right now, you can still set up Postmaster Tools so you’re prepared for the time you might.

Just note that you may see the following message:

No data to display at present. Please come back later.
Postmaster Tools requires your domain to satisfy certain conditions before data is visible for this chart.

This usually means you’re not sending enough emails for Google to be able to calculate meaningful statistics.

It’s up to you if you want to set it up anyway, or skip it until your business grows a little more.

How to Add a Domain to Postmaster Tools

Adding a domain to Postmaster Tools is simple and should take less than 10 minutes.

To get started, head to the Postmaster Tools site and log in. If you’re already using Google Analytics, sign in using the email address you use for your Analytics account.

The welcome popup will already be open. Click on Get Started to begin.

Next, enter the domain name that your emails come from.

This should be the domain you use as the sender, or the ‘from email’, when you’re sending emails from your domain. It will normally be your main website.

If your domain name is already verified for another Google service, that’s all you need to do! You’ll see confirmation that your domain is set up.

If you haven’t used this domain with Google services before, you’ll need to verify it. Google will ask you to add a TXT record to your DNS.

To complete this, head to the control panel for the company you bought your domain from. It’ll likely be your domain name registrar or your web host. If you’re using a service like Cloudflare, you’ll want to open up your DNS records there instead.

Locate the part of the control panel that handles your DNS (which might be called a DNS Zone) and add a new TXT record. Copy the record provided into the fields.

Note: Most providers will ask you to enter a Name, which isn’t shown in Google’s instructions. If your provider doesn’t fill this out by default, you can safely enter @ in the Name field.

Now save your record and wait a few minutes. Changes in Cloudflare can be near-instant, but other registrars or hosts may take longer.

After waiting for your change to take effect, switch back to Postmaster Tools and hit Verify to continue.

And that’s it! Now your domain has been added to Postmaster Tools.

How to Read the Charts in Google Postmaster Tools

Google is now tracking various aspects of your email deliverability. It’ll display the data in a series of charts in your account.

Here’s a quick overview of what you can see.

As I mentioned, keep in mind that the data here is only counted from Gmail accounts. It’s not a domain-wide measurement of everything you send.

Spam Rate

Your spam rate is the number of emails sent vs the number of spam complaints received each day. You should aim to keep this below 0.1%.

You can do that by making it easy for people to unsubscribe from marketing emails and using double opt-ins rather than single opt-ins.

It’s normal for spam complaint rates to spike occasionally because Google measures each day in isolation.

If you’re seeing a spam rate that is consistently above 0.3%, it’s worth looking into why that’s happening. You might be sending emails to people who don’t want to receive them.

IP Reputation

IP reputation is the trustworthiness of the IP address your emails come from. Google may mark emails as spam if your IP reputation is poor.

Keep in mind that IP reputation is tied to your email marketing provider. It’s a measure of their IP as well as yours.

If you see a downward trend, check in with the platform you’re using to ask if they’re seeing the same thing.

Domain Reputation

Domain reputation is the trustworthiness of the domain name you’ve verified in Postmaster Tools. This can be factored into Google’s spam scoring, along with other measurements.

The ideal scenario is a consistent rating of High, as shown in our screenshot above.

Wait: What is IP Reputation vs Domain Reputation?

You’ll now see that Google has separate options for IP reputation and domain reputation. Here’s the difference:

  • IP reputation measures the reputation of the server that actually sends your emails out. This might be a service like Constant Contact, ConvertKit, or Drip. Other people who use the service will share the same IP, so you’re a little more vulnerable to the impact of other users’ actions.
  • Domain reputation is a measure of the emails that are sent from your domain name as a whole.

Feedback Loop

High-volume or bulk senders can activate this feature to track spam complaints in more detail. You’ll need a special email header called Feedback-ID if you want to use this. Most likely, you won’t need to look at this report.

Authentication

This chart shows you how many emails cleared security checks.

In more technical terms, it shows how many emails attempted to authenticate using DMARC, SPF, and DKIM vs. how many actually did.

Encryption

This chart looks very similar to the domain reputation chart we already showed. It should sit at 100%.

If you’re seeing a lower percentage, you may be using outdated connection details for your email provider.

Check the websites or platforms that are sending emails from your domain and update them from an SSL connection to a TLS connection.

Delivery Errors

Last but not least, the final chart is the most useful. The Delivery Errors report will show you whether emails were rejected or temporarily delayed. A temporary delay is labeled as a TempFail in this report.

This chart is going to tell you whether Gmail is blocking your emails, and if so, why.

If you see any jumps, click on the point in the chart and the reason for the failures will be displayed below it.

Small jumps here and there are not a huge cause for concern. However, very large error rates are a definite red flag. You may have received a 550 error or a 421 error that gives you more clues as to why they’re happening.

Here are the 3 most important error messages related to blocked emails in Gmail:

421-4.7.0 unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.

550-5.7.1 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.

550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for example.com did not pass with ip: 192.186.0.1.

If you’re seeing these errors, check that your domain name has the correct DNS records for authenticating email. It’s also a good idea to examine your emails to ensure you have the right unsubscribe links in them.

Note: WP Mail SMTP preserves the list-unsubscribe headers that your email provider adds. That means that your emails will have a one-click unsubscribe option at the top.

If you’re using a different SMTP plugin, make sure it’s preserving that crucial list-unsubscribe header. If it’s not there, you may want to consider switching to WP Mail SMTP for the best possible protection against spam complaints and failed emails.

Source :
https://wpmailsmtp.com/how-to-set-up-google-postmaster-tools/

Local File Inclusion Vulnerability Patched in Shield Security WordPress Plugin

István Márton
February 5, 2024

On December 18, 2023, right before the end of Holiday Bug Extravaganza, we received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000 active installations. It’s important to note that this vulnerability is limited to the inclusion of PHP files. However, it could be leveraged by an attacker who has the ability to upload PHP files but cannot directly access those files to execute them.

Props to hir0ot who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.

We contacted the Shield Security Team on December 21, 2023, and received a response on December 23, 2023. After providing full disclosure details, the developer released a patch on December 23, 2023. We would like to commend the Shield Security Team for their prompt response and timely patch, which was released on the same day.

We urge users to update their sites with the latest patched version of Shield Security, which is version 18.5.10, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion
Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
Plugin Slug: wp-simple-firewall
Affected Versions: <= 18.5.9
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: hir0ot
Fully Patched Version: 18.5.10
Bounty Awarded: $938.00

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Technical Analysis

Shield Security is a WordPress website security plugin that offers several features to stop attackers and to protect and monitor the website, including a firewall, a malware scanner, and activity logging.

The plugin includes a template management system that renders .twig.php or .html files. Unfortunately, the insecure implementation of the plugin’s template inclusion and rendering functionality allows for arbitrary file inclusion in vulnerable versions. The template path is set with the setTemplate() function.

```php
public function setTemplate( $templatePath ) {
    // The supplied path is stored as given, without validation.
    $this->template = $templatePath;
    if ( property_exists( $this, 'sTemplate' ) ) {
        $this->sTemplate = $templatePath;
    }
    return $this;
}
```

The renderPhp() function in the Render class uses the path_join() function to join the template file. It then checks that the template file is an existing file and includes it.

```php
private function renderPhp() :string {
    if ( \count( $this->getRenderVars() ) > 0 ) {
        \extract( $this->getRenderVars() );
    }
    // The joined path is only tested for existence, then included.
    $template = path_join( $this->getTemplateRoot(), $this->getTemplate() );
    if ( Services::WpFs()->isFile( $template ) ) {
        \ob_start();
        include( $template );
        $contents = \ob_get_clean();
    }
    else {
        $contents = 'Error: Template file not found: '.$template;
    }
    return (string)$contents;
}
```

Examining the code reveals that there is no file path sanitization anywhere in these functions. This makes it possible to include arbitrary PHP files from the server.

In this vulnerability, file inclusion is limited to PHP files. This means that threat actors cannot exploit one of the most popular remote code execution methods, a log file poisoning attack. Since the plugin also uses the isFile() function to check the file, the other popular remote code execution method, a wrappers attack, is also not possible. Nevertheless, an attacker has several options to include a malicious PHP file and execute it on the server. This can be achieved by chaining the attack with vulnerabilities in other plugins. However, it’s worth mentioning that the attack possibilities are limited. This would likely be leveraged in an instance where an attacker has access to upload a PHP file, but does not have direct access to the file to execute it.
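
The missing path check described above, modelled in Python as an added example: this is not the plugin's PHP and not the fix shipped in 18.5.10, which this post does not show. naive_template_path mirrors the join-then-isFile lookup, the hypothetical safe_template_path adds a containment test against the template root, and the directory tree and file names are constructed.

```python
import os
import tempfile


def naive_template_path(root: str, requested: str) -> str:
    """Model of the vulnerable lookup: join the name onto the root, nothing more."""
    # Like WordPress path_join(): an absolute second argument replaces the root.
    if os.path.isabs(requested):
        return requested
    return root.rstrip("/") + "/" + requested


def safe_template_path(root: str, requested: str,
                       suffixes=(".twig.php", ".html")) -> str:
    """Return the resolved template path, or raise ValueError."""
    if "\x00" in requested or os.path.isabs(requested):
        raise ValueError("absolute or malformed template name")
    if not requested.endswith(suffixes):
        raise ValueError("unexpected template extension")
    # Resolve symlinks and ".." on both sides before comparing.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("template resolves outside the template root")
    if not os.path.isfile(candidate):
        raise ValueError("template not found")
    return candidate


def demo() -> dict:
    """Compare both lookups on a constructed tree; returns label -> (naive_hit, safe_result)."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "templates")
        uploads = os.path.join(base, "uploads")
        os.makedirs(os.path.join(root, "pages"))
        os.makedirs(uploads)
        inside = os.path.join(root, "pages", "dashboard.twig.php")
        outside = os.path.join(uploads, "report.twig.php")
        for path in (inside, outside):
            with open(path, "w") as handle:
                handle.write("constructed sample file\n")
        cases = {
            "legit": "pages/dashboard.twig.php",
            "traversal": "../uploads/report.twig.php",
            "absolute": outside,
        }
        results = {}
        for label, name in cases.items():
            # The naive lookup accepts anything that exists on disk.
            naive_hit = os.path.isfile(naive_template_path(root, name))
            try:
                safe_template_path(root, name)
                outcome = "ok"
            except ValueError as exc:
                outcome = str(exc)
            results[label] = (naive_hit, outcome)
        return results


if __name__ == "__main__":
    for label, (naive_hit, outcome) in demo().items():
        print(f"{label}: naive accepts={naive_hit}, contained lookup={outcome}")
```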

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious file path and blocks the request.

Disclosure Timeline

December 18, 2023 – We receive the submission of the Local File Inclusion vulnerability in Shield Security via the Wordfence Bug Bounty Program.
December 20, 2023 – We validate the report and confirm the proof-of-concept exploit.
December 21, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
December 23, 2023 – The vendor confirms the inbox for handling the discussion.
December 23, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
December 23, 2023 – The fully patched version of the plugin, 18.5.10, is released.

Conclusion

In this blog post, we detailed a Local File Inclusion vulnerability within the Shield Security plugin affecting versions 18.5.9 and earlier. This vulnerability allows unauthenticated threat actors to include and execute PHP files on the server, allowing the execution of any PHP code in those files, which can be used for complete site compromise. The vulnerability has been fully addressed in version 18.5.10 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Shield Security.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.


Source :
https://www.wordfence.com/blog/2024/02/local-file-inclusion-vulnerability-patched-in-shield-security-wordpress-plugin/

Reflecting on the GDPR to celebrate Privacy Day 2024

26/01/2024
Emily Hancock


Just in time for Data Privacy Day 2024 on January 28, the EU Commission is calling for evidence to understand how the EU’s General Data Protection Regulation (GDPR) has been functioning now that we’re nearing the 6th anniversary of the regulation coming into force.

We’re so glad they asked, because we have some thoughts. And what better way to celebrate privacy day than by discussing whether the application of the GDPR has actually done anything to improve people’s privacy?

The answer is, mostly yes, but in a couple of significant ways – no.

Overall, the GDPR is rightly seen as the global gold standard for privacy protection. It has served as a model for what data protection practices should look like globally, it enshrines data subject rights that have been copied across jurisdictions, and when it took effect, it created a standard for the kinds of privacy protections people worldwide should be able to expect and demand from the entities that handle their personal data. On balance, the GDPR has definitely moved the needle in the right direction for giving people more control over their personal data and in protecting their privacy.

In a couple of key areas, however, we believe the way the GDPR has been applied to data flowing across the Internet has done nothing for privacy and in fact may even jeopardize the protection of personal data. The first area where we see this is with respect to cross-border data transfers. Location has become a proxy for privacy in the minds of many EU data protection regulators, and we think that is the wrong result. The second area is an overly broad interpretation of what constitutes “personal data” by some regulators with respect to Internet Protocol or “IP” addresses. We contend that IP addresses should not always count as personal data, especially when the entities handling IP addresses have no ability on their own to tie those IP addresses to individuals. This is important because the ability to implement a number of industry-leading cybersecurity measures relies on the ability to do threat intelligence on Internet traffic metadata, including IP addresses.  

Location should not be a proxy for privacy

Fundamentally, good data security and privacy practices should be able to protect personal data regardless of where that processing or storage occurs. Nevertheless, the GDPR is based on the idea that legal protections should attach to personal data based on the location of the data – where it is generated, processed, or stored. Articles 44 to 49 establish the conditions that must be in place in order for data to be transferred to a jurisdiction outside the EU, with the idea that even if the data is in a different location, the privacy protections established by the GDPR should follow the data. No doubt this approach was influenced by political developments around government surveillance practices, such as the revelations in 2013 of secret documents describing the relationship between the US NSA (and its Five Eyes partners) and large Internet companies, and that intelligence agencies were scooping up data from choke points on the Internet. And once the GDPR took effect, many data regulators in the EU were of the view that as a result of the GDPR’s restrictions on cross-border data transfers, European personal data simply could not be processed in the United States in a way that would be consistent with the GDPR.

This issue came to a head in July 2020, when the European Court of Justice (CJEU), in its “Schrems II” decision [1], invalidated the EU-US Privacy Shield adequacy standard and questioned the suitability of the EU standard contractual clauses (a mechanism entities can use to ensure that GDPR protections are applied to EU personal data even if it is processed outside the EU). The ruling in some respects left data protection regulators with little room to maneuver on questions of transatlantic data flows. But while some regulators were able to view the Schrems II ruling in a way that would still allow for EU personal data to be processed in the United States, other data protection regulators saw the decision as an opportunity to double down on their view that EU personal data cannot be processed in the US consistent with the GDPR, therefore promoting the misconception that data localization should be a proxy for data protection.

In fact, we would argue that the opposite is the case. From our own experience and according to recent research [2], we know that data localization threatens an organization’s ability to achieve integrated management of cybersecurity risk and limits an entity’s ability to employ state-of-the-art cybersecurity measures that rely on cross-border data transfers to make them as effective as possible. For example, Cloudflare’s Bot Management product only increases in accuracy with continued use on the global network: it detects and blocks traffic coming from likely bots before feeding back learnings to the models backing the product. A diversity of signal and scale of data on a global platform is critical to help us continue to evolve our bot detection tools. If the Internet were fragmented – preventing data from one jurisdiction being used in another – more and more signals would be missed. We wouldn’t be able to apply learnings from bot trends in Asia to bot mitigation efforts in Europe, for example. And if the ability to identify bot traffic is hampered, so is the ability to block those harmful bots from services that process personal data.

The need for industry-leading cybersecurity measures is self-evident, and it is not as if data protection authorities don’t realize this. If you look at any enforcement action brought against an entity that suffered a data breach, you see data protection regulators insisting that the impacted entities implement ever more robust cybersecurity measures in line with the obligation GDPR Article 32 places on data controllers and processors to “develop appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, “taking into account the state of the art”. In addition, data localization undermines information sharing within industry and with government agencies for cybersecurity purposes, which is generally recognized as vital to effective cybersecurity.

In this way, while the GDPR itself lays out a solid framework for securing personal data to ensure its privacy, the application of the GDPR’s cross-border data transfer provisions has twisted and contorted the purpose of the GDPR. It’s a classic example of not being able to see the forest for the trees. If the GDPR is applied in such a way as to elevate the priority of data localization over the priority of keeping data private and secure, then the protection of ordinary people’s data suffers.

Applying data transfer rules to IP addresses could lead to balkanization of the Internet

The other key way in which the application of the GDPR has been detrimental to the actual privacy of personal data is related to the way the term “personal data” has been defined in the Internet context – specifically with respect to Internet Protocol or “IP” addresses. A world where IP addresses are always treated as personal data and therefore subject to the GDPR’s data transfer rules is a world that could come perilously close to requiring a walled-off European Internet. And as noted above, this could have serious consequences for data privacy, not to mention that it likely would cut the EU off from any number of global marketplaces, information exchanges, and social media platforms.

This is a bit of a complicated argument, so let’s break it down. As most of us know, IP addresses are the addressing system for the Internet. When you send a request to a website, send an email, or communicate online in any way, IP addresses connect your request to the destination you’re trying to access. These IP addresses are the key to making sure Internet traffic gets delivered to where it needs to go. As the Internet is a global network, this means it’s entirely possible that Internet traffic – which necessarily contains IP addresses – will cross national borders. Indeed, the destination you are trying to access may well be located in a different jurisdiction altogether. That’s just the way the global Internet works. So far, so good.

But if IP addresses are considered personal data, then they are subject to data transfer restrictions under the GDPR. And with the way those provisions have been applied in recent years, some data regulators were getting perilously close to saying that IP addresses cannot transit jurisdictional boundaries if it meant the data might go to the US. The EU’s recent approval of the EU-US Data Privacy Framework established adequacy for US entities that certify to the framework, so these cross-border data transfers are not currently an issue. But if the Data Privacy Framework were to be invalidated as the EU-US Privacy Shield was in the Schrems II decision, then we could find ourselves in a place where the GDPR is applied to mean that IP addresses ostensibly linked to EU residents can’t be processed in the US, or potentially not even leave the EU.

If this were the case, then providers would have to start developing Europe-only networks to ensure IP addresses never cross jurisdictional boundaries. But how would people in the EU and US communicate if EU IP addresses can’t go to the US? Would EU citizens be restricted from accessing content stored in the US? It’s an application of the GDPR that would lead to an absurd result – one surely not intended by its drafters. And yet, in light of the Schrems II case and the way the GDPR has been applied, here we are.

A possible solution would be to consider that IP addresses are not always “personal data” subject to the GDPR. In 2016 – even before the GDPR took effect – the Court of Justice of the European Union (CJEU) established the view in Breyer v. Bundesrepublik Deutschland that even dynamic IP addresses, which change with every new connection to the Internet, constituted personal data if an entity processing the IP address could link the IP addresses to an individual. While the court’s decision did not say that dynamic IP addresses are always personal data under European data protection law, that’s exactly what EU data regulators took from the decision, without considering whether an entity actually has a way to tie the IP address to a real person [3].

The question of when an identifier qualifies as “personal data” is again before the CJEU: In April 2023, the lower EU General Court ruled in SRB v EDPS [4] that transmitted data can be considered anonymised and therefore not personal data if the data recipient does not have any additional information reasonably likely to allow it to re-identify the data subjects and has no legal means available to access such information. The appellant – the European Data Protection Supervisor (EDPS) – disagrees. The EDPS, who mainly oversees the privacy compliance of EU institutions and bodies, is appealing the decision and arguing that a unique identifier should qualify as personal data if that identifier could ever be linked to an individual, regardless of whether the entity holding the identifier actually had the means to make such a link.

If the lower court’s common-sense ruling holds, one could argue that IP addresses are not personal data when those IP addresses are processed by entities like Cloudflare, which have no means of connecting an IP address to an individual. If IP addresses are then not always personal data, then IP addresses will not always be subject to the GDPR’s rules on cross-border data transfers.

Although it may seem counterintuitive, having a standard whereby an IP address is not necessarily “personal data” would actually be a positive development for privacy. If IP addresses can flow freely across the Internet, then entities in the EU can use non-EU cybersecurity providers to help them secure their personal data. Advanced Machine Learning/predictive AI techniques that look at IP addresses to protect against DDoS attacks, prevent bots, or otherwise guard against personal data breaches will be able to draw on attack patterns and threat intelligence from around the world to the benefit of EU entities and residents. But none of these benefits can be realized in a world where IP addresses are always personal data under the GDPR and where the GDPR’s data transfer rules are interpreted to mean IP addresses linked to EU residents can never flow to the United States.

Keeping privacy in focus

On this Data Privacy Day, we urge EU policy makers to look closely at how the GDPR is working in practice, and to take note of the instances where the GDPR is applied in ways that place privacy protections above all other considerations – even appropriate security measures mandated by the GDPR’s Article 32 that take into account the state of the art of technology. When this happens, it can actually be detrimental to privacy. If taken to the extreme, this formulaic approach would not only negatively impact cybersecurity and data protection, but even put into question the functioning of the global Internet infrastructure as a whole, which depends on cross-border data flows. So what can be done to avert this?

First, we believe EU policymakers could adopt guidelines (if not legal clarification) for regulators that IP addresses should not be considered personal data when they cannot be linked by an entity to a real person. Second, policymakers should clarify that the GDPR’s application should be considered with the cybersecurity benefits of data processing in mind. Building on the GDPR’s existing recital 49, which rightly recognizes cybersecurity as a legitimate interest for processing, personal data that needs to be processed outside the EU for cybersecurity purposes should be exempted from GDPR restrictions to international data transfers. This would avoid some of the worst effects of the mindset that currently views data localization as a proxy for data privacy. Such a shift would be a truly pro-privacy application of the GDPR.

[1] Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.
[2] Swire, Peter and Kennedy-Mayo, DeBrae and Bagley, Andrew and Modak, Avani and Krasser, Sven and Bausewein, Christoph, Risks to Cybersecurity from Data Localization, Organized by Techniques, Tactics, and Procedures (2023).
[3] Different decisions by the European data protection authorities, namely the Austrian DSB (December 2021), the French CNIL (February 2022) and the Italian Garante (June 2022), while analyzing the use of Google Analytics, have rejected the relative approach used by the Breyer case and considered that an IP address should always be considered as personal data. Only the decision issued by the Spanish AEPD (December 2022) followed the same interpretation of the Breyer case. In addition, see paragraphs 109 and 136 in Guidelines by Supervisory Authorities for Tele-Media Providers, DSK (2021).
[4] Single Resolution Board v EDPS, Court of Justice of the European Union, April 2023.


Source :
https://blog.cloudflare.com/reflecting-on-the-gdpr-to-celebrate-privacy-day-2024/