Web Security – HCG Injections Webs (http://hcginjectionswebs.com/)

SEC and CISA reports on cyberattacks
https://hcginjectionswebs.com/sec-and-cisa-reports-on-cyberattacks/
Tue, 09 Aug 2022 23:25:55 +0000

Hello and welcome to Protocol Enterprise! Today: The SEC and CISA impose new rules for reporting cyberattacks, Micron’s revenue warning is a bad sign for the chip industry, and VMware releases its latest incident report.

The Easterly effect

Two federal agencies are simultaneously pursuing new rules for reporting major cyberattacks, but the difference in their approaches couldn’t be more stark.

An SEC proposal that would cover publicly traded companies has come under heavy criticism from industry. The separate rules CISA is drawing up for critical infrastructure operators seem to be on a less divisive path.

  • CISA is focused on “not overburdening the private sector” when it comes to incident reporting, agency director Jen Easterly said during a panel at the RSA conference in June.
  • Easterly has received praise from many in the cybersecurity community for her engagement efforts.
  • Cybersecurity officials said the launch of the Joint Cyber Defense Collaborative, for example, has been instrumental in improving relations between the public and private sectors.
  • Easterly has also done an “incredible” job of expanding information sharing between government and the private sector, said William MacMillan, senior vice president of Salesforce and former CIA CISO.

While CISA’s regulatory work has just begun, the SEC has been receiving comments on its proposal for months.

  • While the opposition is not unanimous, “I have seen a lot of calls for [the SEC’s] whole proposal to just be burned down and never discussed again,” said Harley Geiger, senior director of public policy at Rapid7.
  • By requiring public disclosure of major cyber incidents within four business days, the SEC’s proposed rules would force companies to “make very important decisions with very little information,” Juniper Networks CISO Drew Simonis told me.
  • Ultimately, the SEC’s proposed regulations “will likely help attackers more than investors,” the Internet Security Alliance asserted in its comments.

It is not yet clear what the fate of the two regulatory proposals will be.

  • And even with public-private partnership in cybersecurity seemingly at an all-time high in the United States, CISA “will have to take a hard line” as the agency transitions from being a partner of the private sector to being its regulator, said Ben Miller, vice president of services at Dragos.
  • The agency will still have to address industry concerns, and “the only way to get there is with an extended rule-making period where both sides sit down and talk,” said Marc Rogers, executive director of cybersecurity at Okta. The proposed rules are not due until March 2024, with final regulations expected in September 2025.
  • Yet while the government has said for years that it wants to work more closely with industry on security, “CISA seems to be able to bring that spirit of collaboration to life in a way that other agencies haven’t quite accomplished,” Simonis said.


—Kyle Alspach (E-mail | Twitter)


Chip boom shows signs of weakening

Until this week, the server chip sector was doing quite well. Booming, in fact. But back-to-back revenue warnings from graphics processor designer Nvidia and memory producer Micron suggest things aren’t as rosy as everyone thought.

On Tuesday, Micron warned Wall Street that it was likely to generate significantly less revenue than executives had expected in late June, due to a weaker market in most of its businesses, including memory for the cloud. At an investor conference, CFO Mark Murphy delivered his own unflattering assessment: cloud customers are watching the economy and, worried, pulling back their orders.

“We are also seeing isolated supply chain disruptions affecting the cloud, but these are mostly macroeconomic and market conditions, inventory adjustment,” Murphy said, according to a Sentieo transcript. The weakness extended across Micron’s business, which includes chips in smartphones, PCs and memory for vehicles and industrial uses.

Micron-made memory has long been the most prone to the ups and downs that have defined the chip industry for decades, and that doesn’t bode well for the industry at large.

Nvidia’s warning on Monday is another strong data point that follows what Micron said. Sales of its graphics chips for video games are expected to fall by about a third. Nvidia noted that its data center chip sales fell short of expectations, but blamed supply chain disruptions.

“The significant charges incurred during the quarter reflect previous long-term purchase commitments we made during a period of severe component shortages and our current expectations of continued macroeconomic uncertainty,” said Nvidia’s chief financial officer, Colette Kress, in a statement.

— Max A. Cherney (E-mail | Twitter)

Zero days waste more days

Disclosure of a previously unknown zero-day vulnerability is never a fun time for cybersecurity and IT teams. Unfortunately, attackers’ use of zero-days is only getting worse, warn a growing number of security researchers. This week, VMware released a new survey of incident response professionals, which found that 62% had experienced a zero day in the past 12 months, a huge jump from 51% a year ago.

The report follows other similar findings, such as reports from CrowdStrike and Unit 42 (part of Palo Alto Networks) that show attackers are moving faster and faster to exploit new vulnerabilities once they are disclosed. Tom Hegel, senior threat researcher at SentinelOne, recently told me that hackers working for the Chinese government are particularly good at this. They are now looking for zero-day vulnerabilities “the second they appear online,” he said.

The bottom line, as the Unit 42 researchers point out in their report, is that “patch time is getting shorter and shorter.” While organizations may have been used to having more time for patches in the past, they “must now accelerate patch management and orchestration to try to close these known gaps as soon as possible.”

—Kyle Alspach (E-mail | Twitter)

Around the enterprise

President Joe Biden signed the CHIPS Act into law at a White House ceremony attended by a number of semiconductor industry executives.

Cloudflare disclosed that it appears to have been hit by the same phishing attack as Twilio, although the web security provider says it thwarted the attack.

Avaya has “substantial doubt” about its ability to continue operating, after the cloud communications provider took on $600 million in debt and cut its earnings forecast by more than 60%.



United States Provides $2.5 Million in Development Assistance to Ghana Amid Global Food Security Crisis – Ghana
https://hcginjectionswebs.com/united-states-provides-2-5-million-in-development-assistance-to-ghana-amid-global-food-security-crisis-ghana/
Sun, 07 Aug 2022 23:59:43 +0000

Friday, August 5, 2022

The United States is providing $2.5 million in new development assistance, subject to Congressional notification, to Ghana through the United States Agency for International Development (USAID). As an existing partner country of Feed the Future, Ghana will intensify its efforts to directly mitigate the impacts of growing food insecurity, which has been exacerbated by Russia’s unprovoked aggression in Ukraine. A confluence of crises has pushed many Ghanaians into hunger. Food and fertilizer prices, already high due to the COVID-19 pandemic, have soared further due to Russia’s war on Ukraine, putting families at risk.

This additional funding from USAID in Ghana will focus on the development and commercialization of inorganic and organic fertilizer products, and will support importers and fertilizer blenders/manufacturers, including private sector partners, to bring more fertilizer into the country and ensure that it reaches the most vulnerable farmers. Helping vulnerable households and individuals protect their health and livelihoods can strengthen food systems, which in turn helps mitigate the risk that food insecurity erodes a population’s existing capacity to meet its needs.

Feed the Future’s intensified efforts to alleviate this crisis and reduce food insecurity and malnutrition in Ghana are part of the bipartisan emergency supplemental appropriations bill signed by President Biden in May. This includes $2.76 billion in additional U.S. government resources to protect the world’s most vulnerable populations from an escalating global food security crisis exacerbated by Russia’s unprovoked and unwarranted war in Ukraine and the severe drought in the Horn of Africa region.

Stock Market Today: Dow Wavers on Jobs Report, Virgin Galactic Tumbles
https://hcginjectionswebs.com/stock-market-today-dow-wavers-on-jobs-report-virgin-galactic-tumbles/
Fri, 05 Aug 2022 17:20:00 +0000

The pace of monetary policy tightening by the Federal Reserve remains a major concern for markets. (Photo: Saul Loeb/AFP via Getty Images)

Stocks were mixed on Friday as market participants digested a stronger-than-expected July jobs report. In afternoon trading, the Dow Jones Industrial Average reversed earlier declines to rise 17 points, or less […]
Protection monitoring in Peru: Overview (April – June 2022) – Peru
https://hcginjectionswebs.com/protection-monitoring-in-peru-overview-april-june-2022-peru/
Tue, 02 Aug 2022 22:03:57 +0000


This snapshot summarizes key findings from protection monitoring conducted in Lima, Peru, between April and June 2022 as part of the Danish Refugee Council (DRC) and ENCUENTROS SJM’s humanitarian response in the country. This project is implemented with funding from the European Union Civil Protection and Humanitarian Aid (ECHO) and through a consortium named “Alliance for Protection Programming (AFPP)” which includes two international NGOs : the Danish Refugee Council (DRC) and Humanity and Inclusion (HI).


INTRODUCTION

Between April and June 2022, DRC and ENCUENTROS SJM interviewed 172 households representing a total of 590 people. Since the start of the protection monitoring exercise in Peru in October 2020, 1,402 households have been interviewed, reaching a total of 4,906 people.

CONTEXT UPDATE

An approved $3 million in funding from the World Bank and the Government of Canada could strengthen institutional efforts to promote the integration and protection of the human rights of the Venezuelan population in Peru

  • During the reporting period, the World Bank and the Government of Canada announced the release of $3 million in funding, with the governments of Colombia and Peru as the main recipients. This funding aims to help the Government of Peru identify and implement innovative practices and policies with a triple objective: improve the social inclusion and integration of the Venezuelan population through socio-economic initiatives that promote social cohesion; further improve the delivery of quality social services, with a focus on meeting the needs of vulnerable communities; and further strengthen institutional and legal policies that advance existing agendas such as the regularization of legal documentation.

  • One of the biggest obstacles faced by the Venezuelan population is informal employment, which results from the lack of legal documentation. A multisectoral study carried out by Action against Hunger in metropolitan Lima and Callao found that almost 80% of Venezuelan migrants and refugees are forced into informal employment because they lack documentation, which also seriously compromises their access to social programs, educational services and health insurance.

  • The absence of legal documents or authorization for regular stay in Peru means Venezuelan migrants and refugees lack guaranteed access to fundamental rights. Food security remains one of the biggest challenges for affected populations, who have been forced to resort to negative coping mechanisms such as reducing the number of meals per day or cutting adults’ food consumption to prioritize the needs of minors. In May 2022, 70% of surveyed refugees and migrants from Venezuela reported moderate (32.2%) or severe (38.3%) food insecurity, owing to their inability to find employment, either because of a lack of documentation or because of negative and xenophobic perceptions among local communities.

  • In addition to the lack of documents attesting to regular entry into the country, weak legislation on the hiring of foreign workers, discrimination based on nationality and shrinking employment opportunities further hinder access to the Peruvian labor market for migrant and refugee populations from Venezuela, increasing the risks of food insecurity and labor exploitation and harming the general physical and psychological well-being of the affected population.

Integrated migration control has restarted at the borders between Peru and Chile.

Since April 2022, the border authorities of Peru and Chile have restarted migration control at the crossing points of Santa Rosa in Tacna and the Chacalluta complex in Arica. This activity is part of the Integrated Migration Control, which has been agreed and implemented by both countries, with the aim of better monitoring migration and refugee flows between Peru and Chile.

Apple should scan iPhones for child abuse images, says inventor of scanning technology | Apple
https://hcginjectionswebs.com/apple-should-scan-iphones-for-child-abuse-images-says-inventor-of-scanning-technology-apple/
Sun, 31 Jul 2022 16:19:00 +0000

Apple should heed warnings from UK security services and relaunch its controversial plans to scan iPhones for child abuse images, the inventor of the scanning technology has claimed.

Professor Hany Farid, an expert in image analysis at the University of California, Berkeley, is the inventor of PhotoDNA, an “image hashing” technique used by companies across the web to identify and remove illegal images. He said that following an intervention from technical officials at GCHQ and the National Cyber Security Centre backing an extension of the technology to individual phones, Apple should be encouraged to revive its abandoned plans to do just that.

“The pushback came from a relatively small number of privacy groups,” Farid said, speaking to the Internet Watch Foundation (IWF) on the child safety group’s latest podcast. “I would argue that the vast majority of people would have said ‘sure, that sounds perfectly reasonable’, but yet a relatively small but vocal group put enormous pressure on Apple and I think, a bit cowardly, Apple succumbed to this pressure.

“I think they should have stood firm and said, ‘It’s the right thing to do and we’re going to do it.’ And I’m a huge proponent of not just Apple, but Snap, Google, all online services.”

Apple first announced plans to perform “client-side analysis” in August 2021, alongside other child safety proposals that have since come to iPhones. The company intended to update iPhones with software that would allow them to match child abuse images stored in a user’s photo library with identical copies already known to authorities to have been shared on the web, and to report such users to child protection agencies.

After an outcry from privacy groups, the company shelved the proposal in September of that year and hasn’t discussed it publicly since. But in July, UK security officials published a paper detailing their belief that such scanning could be deployed in a way that allays some fears, such as the fear that an oppressive state could hijack the scanning to search for politically controversial images.

“Details matter when talking about this subject,” wrote Ian Levy and Crispin Robinson. “Discussing the subject in generalities, using ambiguous language or hyperbole, will almost certainly lead to a bad outcome.”

Farid argued that now is the time for Apple and other tech companies to act and get ahead of the legislation. “With the Online Safety Bill making its way through the UK Government and with the DSA [Digital Services Act] and DMA [Digital Markets Act] making their way through Brussels, I think now is the time for companies to say: ‘We’re going to do it, we’re going to do it on our terms.’ And, if they don’t, then I think we have to step in with a very heavy hand and insist that they do.

“We regularly scan our devices, our emails, our cloud services for everything including spam, malware, viruses and ransomware, and we do it willingly because it keeps us safe. I don’t think it’s hyperbolic to say that if we’re ready to protect ourselves, we should be ready to protect the most vulnerable among us.

“It’s the same basic core technology, and I reject those who say it’s kind of giving up on something. I would say that’s, in fact, exactly the balance we should have to protect children online and to protect our privacy and rights.”


Speaking about the Levy/Robinson paper, Mike Tunks, head of policy and public affairs at the IWF, said: “Over the last few years the government has said, ‘We want tech companies to do more to address child sexual abuse in end-to-end encrypted environments.’

“As we know, at present, no technology can do this, but this document presents some ways to achieve this.”

Illinois Unemployment Fraud: Scammers Targeting the Illinois State Department of Employment Security; officials say they are better prepared now
https://hcginjectionswebs.com/illinois-unemployment-fraud-scammers-targeting-the-illinois-state-department-of-employment-security-officials-say-they-are-better-prepared-now/
Fri, 29 Jul 2022 17:15:00 +0000

Internet criminals who stole nearly $1.9 billion in federal money earmarked for unemployed Illinois residents during the COVID-19 pandemic are bragging online about how they are still selling stolen personal information and fraudulently obtaining unemployment benefits.

That’s what a Georgia State University professor discovered recently in the dark corners of the Internet, where he monitors criminals who commit unemployment insurance fraud and other scams against government agencies.

Criminology professor David Maimon says he often sees Illinois credit and debit account numbers for sale online, along with fake Illinois driver’s licenses and advertisements for “tuts” – slang for online tutorials on how to commit fraud.

One user bragged about getting $354 weekly unemployment benefits from Illinois in May.


“We see many identities, many bank accounts, many driver’s licenses associated with Illinois residents” for sale on the dark web, Maimon says.

Illinois officials — stung by an audit released in June that found flaws in the state’s administration of two federal pandemic unemployment programs — say that, despite the onslaught, they are now ready for the bad guys.

Since the widespread fraud problems of 2020 and 2021, which the Illinois Department of Employment Security blamed on the rushed rollout of federal pandemic relief programs, the state has beefed up its security systems and joined a multi-state group that shares information about fraudsters applying for benefits in more than one place, says Kristin Richards, director of IDES under Governor JB Pritzker.

“We have multiple layers of security in place,” Richards says of the new system.


Auditor General Frank J. Mautino’s June report found that, from July 2020 to June 2021, the department suffered “unprecedented” fraud under the federal Pandemic Unemployment Assistance program, which offered up to 39 weeks of temporary unemployment benefits to workers including the self-employed and gig workers.

The audit found that about $1.9 billion of the $3.6 billion paid out under the federal program was lost to scammers, mostly through identity theft.

The program, along with another federal program that paid $600 in weekly unemployment benefits to those who qualified, expired last September, turning off a major tap for scammers.

This screenshot of an online ad found by a Georgia State University internet crime researcher offers a “tut,” or tutorial, on how to commit unemployment fraud in Illinois.

Illinois was one of many states where scammers stole money from federal programs. Fraud was easier to commit because scammers could lie and say they were self-employed. Nationally, approximately $163 billion was lost.

Since then, IDES has moved to new login software that includes identity verification, multi-factor authentication and fraud analytics, Richards says. The department also performs additional data analysis using Pondera Solutions, a private data company owned by Thomson Reuters, and works with the National Association of State Workforce Agencies to flag suspicious filers operating in more than one state.

Haywood Talcove, government enterprise managing director of LexisNexis Risk Solutions and a critic of Illinois’ anti-fraud methods, said Illinois could reduce its rate of “improper payments” – which, according to the US Department of Labor, averaged 16.65% from July 1, 2018 to June 30, 2021 – to around 5% if it had even tighter controls.

Talcove says having more data in multiple layers could point to, say, a small ranch house used by a few dozen requesters. Or an applicant who offers a work history that doesn’t make sense because he was in jail in another state at the time.

“They claim it’s fixed, and I’m telling you, it’s not fixed,” Talcove says of the state system.

IDES’ Richards and Adam Ford, director of information security for the Illinois Department of Innovation and Technology, however, say they believe their back-end analytics are strong enough “to weed out all the claims with fraudulent features.”

Ford says the new system takes into account many other data points, such as geographic information, device types, IP addresses, and more.

But he says people should always be wary of giving out their personal details, even seemingly innocuous facts asked by social media quizzes.

“The public generally has no idea how much information is out there,” Ford says.

Richards won’t comment on the online post bragging about stealing Illinois unemployment benefits, except to say it’s possible the image was stolen from elsewhere online and reused by a scammer.

Illinois’ unemployment insurance improper payment rate of 16.65% was better than that of some other states, such as Virginia, with a rate of 38%, Tennessee, with 37%, and Florida, with 35%.

But Illinois lagged behind states like Hawaii and Utah, which have each seen only about 5% of their unemployment money reported as improper payments.

Royal Orthopedic Hospital to roll out new cloud-based PACS
https://hcginjectionswebs.com/royal-orthopedic-hospital-to-roll-out-new-cloud-based-pacs/
Mon, 25 Jul 2022 08:30:27 +0000

The Royal Orthopedic Hospital NHS Foundation Trust will be the first trust in Europe to deploy a new cloud-based PACS (Picture Archiving and Communication System).

Through a partnership between GE Healthcare and Amazon Web Services, the deployment of Edison True PACS will provide the trust’s radiologists with smart productivity tools. These tools will help improve reading speed, reduce errors, improve diagnostic accuracy, and provide greater diagnostic confidence.

It was designed to help hospitals transition from the traditional care delivery model to a more centralized virtual model.

The partnership will enable the delivery of cloud-based imaging solutions, integrated data and clinical operational information for Royal Orthopedic teams.

“We are really proud to be an early adopter of the GE True PACS solution in Europe,” said Liam Maiden, IT Program Manager at the Royal Orthopedic Hospital. “With the ongoing cybersecurity patching and maintenance offered by cloud hosting, we are able to further improve the resilience of our PACS network.

“Not only will this migration help reduce our carbon footprint, but it will also allow us to dynamically scale our environment up and down to meet business needs, making it easier for our colleagues to work and improving our patients’ experience.”

Edison True PACS provides remote access to various tools needed by healthcare professionals, including teleradiology and home reporting. Royal Orthopedic users will also be able to access the ZFP 3D viewer. This tool allows access to information anytime and anywhere with the ability to view 3D images on mobile phones.

David Labajo, VP Digital at GE Healthcare Europe, said: “Radiologists are increasingly looking for tools that help them do their jobs more efficiently using fewer resources.

“But many organizations are demanding easier and faster ways to deploy new imaging platforms for their radiology departments, with fewer internal IT resources, at lower cost, and with maximum levels of security and data protection. Cloud-based tools allow remote and convenient access to the various tools needed, with a reduced footprint and lower long-term cost of ownership.”

GE Healthcare previously signed a deal with Hampshire Hospitals NHS Foundation Trust that will see the company transform the trust’s radiology services.

The State of Software Security Testing Tools in 2022
https://hcginjectionswebs.com/the-state-of-software-security-testing-tools-in-2022/
Fri, 22 Jul 2022 05:22:35 +0000

Supply chain attacks, injection attacks, server-side request forgery attacks – all of these threats, and many more, exploit software vulnerabilities. Vulnerabilities range from misconfigurations to design flaws and software integrity issues. Overall, applications are the most common attack vector, with 35% of attacks exploiting some type of software vulnerability, according to Forrester Research.

The emphasis on software security, along with the proliferation of software security testing tools, has grown over the past few years, in part because of high-profile attacks such as Stuxnet and the SolarWinds supply chain compromise. And as organizations expand their web presence, the risks are greater than ever. Finally, the move toward DevSecOps has encouraged more organizations to include security testing in the software development phase.

Keeping software attacks at bay requires increased testing effort, and not just at the end of development. For those who develop software in-house, it should be tested early and often. This reduces the delays and extra expense that arise when software has to be rewritten late in the release cycle.

In the case of software developed externally, the wisest approach is to test via several methods before putting it into full-scale production.

“It’s always easier to prevent problems than to catch them in production, so integrating security testing early on makes perfect sense,” said Janet Worthington, senior analyst for security and risk at Forrester.

Mountains of software security testing tools

One of the most important testing techniques for catching flaws before they can be exploited is static analysis.

Also called static application security testing (SAST), this type of testing analyzes either an application’s source code or its compiled binaries for security weaknesses, without running the program. It is particularly effective at finding injection flaws. SQL injection is a common example: attacker-controlled input is concatenated into a database query that the application sends, and the resulting query can be used to read, modify or delete sensitive data.
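
The pattern a SAST rule looks for is visible in the code itself: a query string assembled from user input on its way to a database call. The following is an added example, not code from the article or from any vendor’s rule set. It walks a Python AST and flags `execute()`-style calls whose SQL text is built by concatenation, `%`-formatting, `str.format()` or an f-string, while leaving parameterized calls alone; the vulnerable and fixed snippets it scans are constructed for the example, and `injection_demo()` runs them against an in-memory SQLite database to show that the finding is real.

```python
"""Minimal SAST-style rule for SQL built from strings (added example)."""
import ast
import sqlite3
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: find_user() concatenates the caller's input into the
# query text; delete_user() interpolates it with an f-string. Both are
# textbook SQL injection sinks.
VULNERABLE_SOURCE = '''
def find_user(cursor, username):
    query = "SELECT id, role FROM users WHERE name = '" + username + "'"
    return cursor.execute(query).fetchone()

def delete_user(cursor, user_id):
    cursor.execute(f"DELETE FROM users WHERE id = {user_id}")
'''

# Constructed fix: the SQL text is a constant and values travel as bound
# parameters, so the database never parses user input as SQL.
SAFE_SOURCE = '''
def find_user(cursor, username):
    return cursor.execute(
        "SELECT id, role FROM users WHERE name = ?", (username,)
    ).fetchone()

def delete_user(cursor, user_id):
    cursor.execute("DELETE FROM users WHERE id = ?", (user_id,))
'''

QUERY_METHODS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int
    method: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "a" + x, "%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "{}".format(x)
    return False


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per query call whose SQL text is built dynamically."""
    findings: List[Finding] = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        # Pass 1: remember simple `name = <expr>` assignments in the function
        # so that execute(query) can be traced back to how `query` was built.
        assigned: Dict[str, ast.AST] = {}
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
        # Pass 2: inspect the first argument of every cursor-style query call.
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
                continue
            if node.func.attr not in QUERY_METHODS or not node.args:
                continue
            sql_arg = node.args[0]
            if isinstance(sql_arg, ast.Name):
                sql_arg = assigned.get(sql_arg.id, sql_arg)
            if _is_dynamic_string(sql_arg):
                findings.append(Finding(node.lineno, node.func.attr))
    return findings


def injection_demo(source: str) -> bool:
    """Load find_user() from `source`, run it against a constructed in-memory
    database, and return True if the classic tautology payload returns a row
    for a username that does not exist (i.e. the injection worked)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'admin')")
    namespace: dict = {}
    exec(source, namespace)  # only ever used on the constructed snippets above
    row = namespace["find_user"](db.cursor(), "nobody' OR '1'='1")
    return row is not None


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("safe", SAFE_SOURCE)):
        print(label, [(f.line, f.method) for f in scan_source(src)],
              "injection works:", injection_demo(src))
```

The rule is deliberately simple: it has no cross-function taint tracking, so a query built in one function and executed in another escapes it, which is exactly the gap commercial SAST engines close with interprocedural data-flow analysis. The demonstration also shows why the finding matters: against the concatenated query, the payload `nobody' OR '1'='1` returns the admin row; against the parameterized query it returns nothing.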

SAST tools can also help identify server-side request forgery (SSRF) vulnerabilities, in which an attacker induces the server to send HTTP requests to a destination of the attacker’s choosing, typically an internal system the attacker cannot reach directly. Catching the pattern in the code means it can be fixed before it reaches production.
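
The fix a reviewer (or a SAST rule) wants to see in front of any server-side fetch of a user-supplied URL is a validation step like the following. This is an added example, not the article’s code: it allows only http(s), rejects embedded credentials, rejects IP literals in loopback, private, link-local (which includes the 169.254.169.254 cloud metadata address) and IPv4-mapped IPv6 ranges, and finally requires the host to be on an allowlist. The allowlist and the sample URLs are constructed.

```python
"""Outbound URL validation against SSRF (added example)."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Ranges a server-side fetch must never reach, even when the allowlist
# is bypassed or misconfigured.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",   # link-local incl. cloud metadata
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(host: str) -> bool:
    """True if `host` is an IP literal inside one of BLOCKED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname, not an IP literal
    # ::ffff:127.0.0.1 is still loopback; unwrap mapped IPv4 before checking.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only allowed URLs may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"   # allowed.host@evil tricks
    host = parts.hostname                   # lower-cased, brackets stripped
    if not host:
        return False, "no host"
    if is_blocked_address(host):
        return False, "address in blocked range"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.example.com@10.0.0.5/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd",
              "https://evil.example.net/"):
        print(u, check_outbound_url(u))
```

Two caveats a practitioner will want. The allowlisted hostname is resolved later by the HTTP client, so a name that resolves to an internal address (or is rebound between check and connect) still gets through; a production version resolves the name itself, checks the resulting address against the blocked ranges, and connects to that address. And redirects must either be disabled or re-validated at every hop, since an allowlisted host can redirect to an internal one.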

Another critical tool is software composition analysis (SCA). These tools inventory the components of an application, including open source and third-party libraries, and check each one against databases of known vulnerabilities, so that a component with a known flaw is caught before it enters the pipeline. The Log4j vulnerability of late 2021 did much to popularize this type of tool. According to Forrester, 46% of developers now use software composition analysis tools.
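
At its core an SCA tool is a matcher: take the inventory of pinned components, normalize the names, and compare each version against the affected ranges published in advisories. The following is an added example, not the article’s code or any SCA product’s: the lock file and the advisory records are constructed (the EXAMPLE-* identifiers are placeholders, not real CVE numbers), and it handles only dotted-integer versions, whereas a real tool pulls advisories from a vulnerability feed and parses far richer version grammars.

```python
"""Software composition analysis in miniature (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed lock file, as a CI job would read it from the repository.
LOCKFILE = """
# pinned runtime dependencies
requests==2.31.0
urllib3==1.26.4
PyYAML==5.3.1
cryptography==39.0.2
"""

# Constructed advisories; the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "introduced": "1.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "requests", "introduced": "2.3.0", "fixed": "2.31.0"},
]


def normalize_name(name: str) -> str:
    """PEP 503-style normalization so PyYAML, pyyaml and py_yaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted-integer version to a comparable tuple, zero-padded to three
    parts so that '1.26' and '1.26.0' compare equal ('1.26.4' -> (1, 26, 4))."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map normalized package name -> pinned version from 'name==version' lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[normalize_name(name)] = version.strip()
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed; the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(pins: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every match, sorted."""
    hits: List[Tuple[str, str, str]] = []
    for adv in advisories:
        pkg = normalize_name(adv["package"])
        if pkg in pins and is_affected(pins[pkg], adv["introduced"], adv["fixed"]):
            hits.append((pkg, pins[pkg], adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, ver, adv_id in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

Note the boundary case: `requests==2.31.0` is pinned exactly at the advisory’s fixed version and is correctly not reported, while `urllib3` and `PyYAML` fall inside their ranges. Name normalization matters as much as version comparison; without it the `PyYAML` pin would never match an advisory filed under `pyyaml`.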

Other important types of software security testing tools include:

  • Vulnerability scanning: These tools look for known vulnerabilities across the stack, and there are specialized versions for web applications. Web application scanners are particularly useful for finding SQL injection, path traversal, insecure server configuration, command injection and cross-site scripting.
  • Dynamic application security testing (DAST): These tools take a “black box” approach, sending simulated attacks to a running instance of the application and observing how it responds. DAST is typically run during integration or end-to-end automated testing. Forrester found that 44% of development teams plan to use DAST before software releases.
  • API testing: APIs are everywhere today, and they are exposed to the same classes of flaws as the web applications in front of them. Gartner finds that unmanaged and insecure APIs create many vulnerabilities, which call for dedicated API security testing and access control.
  • Interactive application security testing (IAST): This method instruments the running application with agents that observe its behavior while functional tests exercise it. If IAST detects a problem such as SQL injection or cross-site scripting, it raises an alert. As a newer technique, IAST is usually adopted by teams that already do static and dynamic testing. Because it observes actual data flows at runtime, it tends to have lower false positive rates than other types of testing.
  • Penetration testing: Also known as ethical hacking, a pen test has a tester, usually an external party, probe the application for exploitable vulnerabilities the way an attacker would. Penetration testing can reveal many things, from software bugs and misconfigurations to weaknesses in the supply chain.

Depending on the type of threat, the platform and other factors, organizations may choose different types of testing tools, and some applications need tools not listed above. For example, an application that implements its own cryptography (signatures, key handling) will likely need a review of its cryptographic usage that general-purpose scanners do not provide. This is why today, more than ever, it is important to use more than one type of software testing tool.

“If you want to get as in-depth as possible, you’ll want to do SAST testing for full coverage, DAST testing for open source components, and other types of testing for mobile apps [and] web applications, depending on what you’re working on,” said Ray Kelly, a member of Synopsys, which provides software security and testing tools. “It’s really about finding the right tools for your specific situation.”

How to Choose Software Security Testing Tools

There’s no shortage of tools, and sifting through the options can be confusing. Broadly, there are open source tools, best-of-breed commercial tools and proprietary software testing platforms.

Free and open source tools tend to be tactical, focused on one thing. Examples include OWASP ZAP, a free web application security scanner; Snyk’s free code and dependency vulnerability checker; sqlmap and Metasploit for penetration testing; SonarQube for code quality and security; and FOSSA for open source dependency analysis.

There are, of course, many advanced tools available for a fee from various vendors.

And then there are proprietary software testing platforms, like HCL AppScan and Micro Focus Fortify (formerly HP Fortify), and vendor platforms from Veracode, Checkmarx, Synopsys, Palo Alto Networks and Aqua Security.

In most cases, organizations are better off combining different types of tools from different sources, said Aaron Turner, vice president of Vectra AI, a threat detection and response provider. “If you combine a software testing platform with a selection of state-of-the-art testing tools, whether open source or proprietary, you can be sure to achieve all of your goals, because there is no one platform that can do it all.”

If budget is an issue, Worthington recommends starting with the free version of a testing tool, which many vendors now offer. For example, Snyk, best known for its software composition analysis tool, has a free plan. Once the tool has proven useful, the organization can decide to pay for the full version.

Expert advice

Know your team and their capabilities before diving into software security testing, Kelly advised.

“In many cases, software development [or evaluation] teams are overwhelmed with features, product requests, and agile deployment methodologies,” Kelly explained. “Often they ship a new product every week or even every day, and sometimes security takes a back seat. It’s worth taking the time to really analyze what applications are actually running in your environment today, what their risks are and what the threat landscape is. Take the time to do this inventory and get a baseline.”

And before committing to any testing tool or methodology, consider the relative importance of the software in your environment. “If you are a gas pipeline operator and you rely on specific software to keep the pipeline running, you’ll likely spend a lot more time and effort testing that industrial control software than you would testing WordPress, which runs your website,” said Turner.

Finally, it is important to keep up with the evolution of software security. This means not only subscribing to relevant blogs and podcasts, but also following government advisories (for example from the Cybersecurity and Infrastructure Security Agency) and NIST’s National Vulnerability Database.

About the Author

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a wide range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

]]>
The cybercrime and security market is booming with strong growth prospects – Control Risks, Happiest Minds, EY, Mimecast, Lockheed Martin, Sophos, Symantec https://hcginjectionswebs.com/the-cybercrime-and-security-market-is-booming-with-strong-growth-prospects-control-risks-happiest-minds-ey-mimecast-lockheed-martin-sophos-symantec/ Wed, 20 Jul 2022 07:10:55 +0000 https://hcginjectionswebs.com/the-cybercrime-and-security-market-is-booming-with-strong-growth-prospects-control-risks-happiest-minds-ey-mimecast-lockheed-martin-sophos-symantec/ Cybercrime and Security Market This research report is a wide-ranging analysis of the global market, including the impact of COVID-19, with detailed segmentation. It provides a comprehensive analysis of the current global Cybercrime and Security market in terms of […]]]>

Cybercrime and Security Market This research report is a wide-ranging analysis of the global market, including the impact of COVID-19, with detailed segmentation. It provides a comprehensive analysis of the current global Cybercrime and Security market in terms of demand and supply, current price trends and forecasts for the coming years. The main global players are presented with their revenue, market share, profit margin, major product portfolio and SWOT analysis. From an industry perspective, the report analyzes the supply chain, including a process diagram, upstream key raw materials and cost analysis, distributors and downstream buyers. It also includes global and regional market size and forecasts, major product development trends and typical downstream segment scenarios, as part of its analysis of market drivers and inhibitors.

Manufacturer details
DXC Technology Company
Control Risks
Happiest Minds
EY
Mimecast
Lockheed Martin
Sophos
Symantec
Will-Brynn
Clearwater Compliance
IBM Security
Cisco
Raytheon Cyber
BAE Systems
Digital Defense
Rapid7

Product type segmentation
Internet security
Cloud security
Wireless security
Application segmentation
Aerospace
Government
Financial services
Telecommunications
Healthcare

The Cybercrime and Security Market Report provides detailed information, industry knowledge, forecasts and market analysis. The Global Cybercrime and Security Industry Report also covers economic and environmental risks. The report helps industry stakeholders, including investors and policy makers, to make confident capital investments, develop strategies, optimize their business portfolios, innovate successfully and operate safely and sustainably.

Free report data (in the form of an Excel data sheet) will also be provided upon request with a new purchase.

Regional Coverage of Cybercrime and Security Market (Regional Production, Demand & Forecast by Countries etc.):

  • North America (U.S., Canada, Mexico)
  • Europe (Germany, UK, France, Italy, Russia, Spain, etc.)
  • Asia Pacific (China, India, Japan, Southeast Asia, etc.)
  • South America (Brazil, Argentina, etc.)
  • Middle East and Africa (Saudi Arabia, South Africa, etc.)

Key questions answered in the report:

  • What are the strengths and weaknesses of the Cybercrime and Security market?
  • What are the different marketing and distribution channels?
  • What is the current CAGR of the Cybercrime and Security market?
  • What are the Cybercrime and Security market opportunities ahead of the market?
  • Who are the leading competitors in the cybercrime and security market?
  • What are the main results of the SWOT and Porter’s Five Forces analyses?
  • What is the cybercrime and security market size and growth rate during the forecast period?

Contents:

  • Global Cybercrime and Security Market Research Report 2022-2028
  • Chapter 1: Cybercrime and Security Market Overview
  • Chapter 2: Global Economic impact on the industry
  • Chapter 3: Cybercrime and Security Market Competition by Manufacturers
  • Chapter 4: Global cybercrime and security Production, revenue (value) by region
  • Chapter 5: Global Cybercrime & Security Supply (Production), Consumption, Export, Import by Regions
  • Chapter 6: Global Production, Revenue (Value), Price Trend by Type
  • Chapter 7: Global Market Analysis by Application
  • Chapter 8: Manufacturing cost analysis
  • Chapter 9: Industrial Chain, Sourcing Strategy and Downstream Buyers
  • Chapter 10: Marketing Strategy Analysis, Distributors/Traders
  • Chapter 11: Cybercrime and Security Market Effect Factor Analysis
  • Chapter 12: Global Cybercrime and Security Market Forecast

Contact us:
Web: www.qurateresearch.com
E-mail: sales@qurateresearch.com
Telephone: USA – +13393375221, IN – +919881074592

Note – In order to provide more accurate market forecasts, all our reports will be updated prior to delivery considering the impact of COVID-19.

]]>
Hackers steal $718 million from Web 3 attacks in Q2 2022: report https://hcginjectionswebs.com/hackers-steal-718-million-from-web-3-attacks-in-q2-2022-report/ Sun, 17 Jul 2022 17:45:48 +0000 https://hcginjectionswebs.com/hackers-steal-718-million-from-web-3-attacks-in-q2-2022-report/ According to a recent study by web 3 security firm Beosin, over $718 million was lost to web 3 related schemes in the second quarter of 2022. The report says 48 major “attacks” were responsible for the casualties. Each accounted for more than $100 million in losses, with 28 suffering losses of $1 million to […]]]>

According to a recent study by Web3 security firm Beosin, over $718 million was lost to Web3-related attacks and scams in the second quarter of 2022.

The report attributes the losses to 48 major attacks. A small number of these each accounted for more than $100 million in losses, while 28 caused losses of between $1 million and $10 million.

The data shows April was the busiest month for hacking, with 19 major security incidents and over $374 million lost.

Losses fell considerably in May, in parallel with the Bitcoin (BTC/USD) price. Despite the market’s continued decline, however, losses peaked again in June.


DeFi was the top target for Web3 hackers: 79.2% of the quarter’s attacks hit this space, accounting for 63.3% of losses.

According to the data, the most common attack method was exploiting vulnerabilities in smart contract code, which caused $138 million in losses. These accounted for 45.8% of attacks, down from 50% in the first quarter.

Moreover, 52% of the attacked projects had reportedly been audited, and those projects accounted for 76.2% of the stolen funds.

The report also notes that attacks on Ethereum (ETH/USD) accounted for $381.35 million of last quarter’s losses.

]]>