Wednesday, 31 October 2018

McAfee Labs Threats Report, September 2018

The report includes news and statistics gathered by the McAfee® Advanced Threat Research and McAfee® Labs teams during Q2 2018. Unsurprisingly, cybercriminals keep going where the money is, from coin mining to billing-fraud campaigns, evolving and refining their tactics to defraud unsuspecting victims.

Here are some of the latest findings:

  • Coin-miner malware keeps outpacing ransomware: total coin-mining malware nearly doubled (up 86%) in Q2, with more than 2.5 million new samples, compared with 990,000 for ransomware.
  • New Google Play billing-fraud campaign: the McAfee Mobile Research team discovered 15 new apps, including a ringtone of the popular song "Despacito", that contained a fake installer designed to subscribe users to paid premium services without their knowledge.
  • JavaScript malware rebounds in Q2: after a considerable decline over the previous three quarters, JavaScript malware grew 204% in Q2, with more than 7 million new samples.

Wednesday, 17 October 2018

CLARA - Tool for analysing compliance with the Esquema Nacional de Seguridad [CCN-Cert España]

CLARA is a tool for analysing the technical security characteristics defined by Real Decreto 3/2010, which regulates the Esquema Nacional de Seguridad (ENS) for Electronic Administration. The compliance analysis is based on the rules provided through the security templates of the CCN-STIC guides 850A, 850B, 851, 851B, 870A, 870B, 899A and 899B.

It takes into account that the scopes in which such templates are applied vary widely, so the particular features and functions of the services provided by different organisations depend on how the templates are applied. The templates and security rules have therefore been generated by defining general security guidelines that allow the minimums established in the ENS to be met. Nevertheless, organisations must bear in mind that the defined templates may have been modified to adapt them to their operational needs.

The compliance analysis tool runs exclusively on Windows systems, both client and server editions, whether domain members or standalone. The versions supported in this first release are:
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10
  • Windows 10 Anniversary Edition

CLARA ENS v.1.4, 32-bit version [Download] | SHA signature [Download]
CLARA ENS v.1.4, 64-bit version [Download] | SHA signature [Download]
CLARA user and compliance manual [Download]

PGP key: Download
FINGERPRINT B95E E16F B072 82C1 51D2 F92A 7F6A 960A E5C5 AEDA

Source: ccn-cert.cni.es

Friday, 12 October 2018

24 best free security tools (CSO)

Check out these 24 free, standout software tools that will make your daily security work easier. 

Who doesn't love free software? Infosec professionals are fortunate to have many good free tools for a range of tasks. The following list of two dozen tools includes everything from password crackers to vulnerability management systems to network analyzers. Whatever your security role is, you'll find something useful here.


Paterva develops this forensics and open-source intelligence app, designed to deliver a clear threat picture for the user's environment. It will demonstrate the complexity and severity of single points of failure as well as trust relationships that exist within the scope of one's infrastructure. It pulls in information posted all over the Internet, whether it's the current configuration of a router on the edge of the company network or the current whereabouts of your company's vice president. The commercial license does have a price tag, but the community edition is free with some restrictions.

OWASP Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is a user-friendly penetration testing tool that finds vulnerabilities in web apps. It provides automated scanners and a set of tools for those who wish to find vulnerabilities manually. It's designed to be used by practitioners with a wide range of security experience, and is ideal for functional testers who are new to pen testing, or for developers: There’s even an official ZAP plugin for the Jenkins continuous integration and delivery application.

Samurai Web Testing Framework 

The Samurai Web Testing Framework is a virtual machine packed with some of the other items you'll see in this slideshow, and functions as a web pen-testing environment. You can download a ZIP file containing a VMware image with a host of free and open source tools to test and attack websites. 

KALI (BackTrack) 

Kali Linux is the Linux-based pen-testing toolbox previously known as BackTrack. Security professionals use it to perform assessments in a purely native environment dedicated to hacking. Users have easy access to a variety of tools ranging from port scanners to password crackers. You can download ISOs of Kali to install on 32-bit or 64-bit x86 systems, or on ARM processors. It’s also available as a VM image for VMware or Hyper-V. Kali’s tools are grouped into the following categories: information gathering; vulnerability analysis; wireless attacks; web applications; exploitation tools; stress testing; forensics; sniffing and spoofing; password attacks; maintaining access; reverse engineering; reporting, and hardware hacking.

Cain & Abel

If you desperately need to access an old Windows system to which no one can remember the password, or even who set the box up, you might find Cain & Abel useful. It’s a password recovery tool for Microsoft operating systems through Windows XP (remember that?) and hasn’t been updated since 2014. It allows for easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It covers some security weaknesses present in protocol standards, authentication methods and caching mechanisms. Its main purpose is the simplified recovery of passwords and credentials from various sources.

Fierce Domain Scan 

Another venerable tool, Fierce Domain Scan was last updated by developer Robert Hansen (RSnake) back in 2007. As he described on his ha.ckers blog, it "was born out of personal frustration after performing a web application security audit. Fierce pinpoints likely targets inside and outside a corporate network by looking at DNS entries. It is essentially a reconnaissance tool, a Perl script built to scan domains within minutes, using a variety of tactics." Although Hansen has shut down his blog, Fierce lives on in this GitHub repository. Because the underlying principles of DNS haven’t changed in the last decade, Fierce still works.

The Harvester

The Harvester is an open-source intelligence tool (OSINT) used to obtain subdomain names, email addresses and user names relating to a domain, drawing on public sources such as Google and LinkedIn. A favorite among pen testers, it lets the user conduct passive reconnaissance and build target profiles that include a list of user names and email addresses -- or research the exposure of their own domain.

Hping

Hping is a command-line tool that can be used to assemble and analyze custom TCP/IP packets. It can be used for firewall testing, port scanning, network testing using different protocols, OS fingerprinting and as an advanced traceroute. It runs on Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, and Windows. It hasn’t been updated in years but then, neither has TCP/IP.

John the Ripper

John the Ripper is a password cracker available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS -- although you’ll likely have to compile the free version yourself. It's mainly used to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. An enhanced community version includes support for GPUs to accelerate the search.

Nessus

Nessus is one of the world’s most popular vulnerability and configuration assessment tools. It started life as an open-source project, but developer Tenable switched to a proprietary license way back in version 3. As of May 2018 it’s up to version 7.1. Despite that, Nessus is still free for personal use on home networks, where it will scan up to 16 IP addresses. According to the Tenable website, Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration and vulnerability analysis. 

Nmap

Nmap is an open-source tool for network exploration and security auditing, and its developers are still updating it, over 20 years after its launch. It's built to rapidly scan large networks, though it also works against single hosts. According to the Nmap website, the scanner uses raw IP packets to determine what hosts are available on the network, which services those hosts are offering, what operating systems they are running, what types of packet filters/firewalls are in use, and dozens of other characteristics. It’s not just for security audits: it can also be used for network inventory, managing service upgrade schedules or -- if you believe its appearances in various Hollywood films -- for hacking brains and tracking superheroes. A versatile tool indeed.

OpenVPN

OpenVPN is an open source SSL VPN tool that works in a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions. It offers load balancing, failover, and fine-grained access controls. A packaged installer is available for Windows machines, and the code can also run on OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

Ophcrack

Ophcrack is a free tool for cracking Windows passwords using rainbow tables. It runs on multiple platforms and has a graphical user interface showing real-time graphs to analyze the passwords. It can crack passwords using LM (Windows XP) and NTLM (Vista, 7) hashes using the free rainbow tables available on the site. It also has a brute-force module for simple passwords and can even dump and load hashes from an encrypted Security Account Manager (SAM) recovered from a Windows partition.
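As an added illustration (not part of the CSO article or of Ophcrack itself), the Python script below audits a pwdump-style listing of the kind Ophcrack loads from a SAM dump and flags the conditions a defender should fix before a rainbow table finds them: LM hashes still being stored, blank passwords and reused passwords. The line format and the sample entries are assumed and constructed here.

```python
"""Audit a pwdump-style hash listing (the format Ophcrack loads from a SAM
dump) for conditions a defender wants to catch before an attacker does.

Each line is  user:RID:LMHASH:NTHASH:::  (assumed format). Findings raised:
  lm_hash_stored  - LM hash differs from the empty-password constant, so the
                    password is recoverable with LM rainbow tables
                    (enable NoLMHash / require passwords over 14 characters).
  blank_password  - NT hash equals the empty-password NT hash.
  password_reuse  - the same NT hash appears on more than one account.
"""
from collections import defaultdict

# Well-known constants: LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump; the non-empty hashes are made-up hex, not real.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyapp:1001:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
# comment lines and blank lines are ignored
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm_hash, nt_hash) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed pwdump line: {raw!r}")
        user, rid, lm_hash, nt_hash = fields[:4]
        entries.append((user, int(rid), lm_hash.lower(), nt_hash.lower()))
    return entries


def audit_hashes(text):
    """Map each flagged account to a sorted list of finding codes."""
    findings = defaultdict(set)
    by_nt = defaultdict(list)                # NT hash -> accounts using it
    for user, _rid, lm_hash, nt_hash in parse_pwdump(text):
        by_nt[nt_hash].append(user)
        if lm_hash != EMPTY_LM:
            findings[user].add("lm_hash_stored")
        if nt_hash == EMPTY_NT:
            findings[user].add("blank_password")
    for nt_hash, users in by_nt.items():
        if len(users) > 1 and nt_hash != EMPTY_NT:
            for user in users:
                findings[user].add("password_reuse")
    return {user: sorted(codes) for user, codes in findings.items()}


if __name__ == "__main__":
    for user, codes in audit_hashes(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(codes)}")
```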

Python Security

The OWASP Python Security Project set out to create a hardened version of Python allowing developers to build applications for use in high-risk environments, and ended up building the largest collection of information about security in the Python programming language. The team focused on two areas: the functional and structural analysis of python applications and open-source code, and on a black-box analysis of the Python interpreter. The project website has a wiki listing all the security concerns they identified.

Wireshark

Wireshark is a network protocol analyzer that lets users capture and interactively browse traffic running on a computer network. In its more than 20-year development history, it has acquired a long list of features including live capture and offline analysis, and deep inspection of hundreds of protocols, with more being added all the time. It’s multi-platform, running on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD and others. Among its more esoteric features it can analyse VoIP traffic; decrypt SSL/TLS, WEP and WPA/WPA2 traffic; and read traffic carried over USB, Bluetooth and even Frame Relay (remember that?).
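As an added example covering both the Hping and Wireshark entries above (illustrative code, not from either project), this Python script builds one constructed Ethernet II/IPv4/TCP frame and dissects it back into named fields, verifying the IPv4 header checksum the way an analyser does; the MAC and IP addresses and ports are made-up sample values.

```python
"""Dissect one Ethernet II / IPv4 / TCP frame into named fields and verify the
IPv4 header checksum: the first thing a protocol analyser does with a captured
packet, and the inverse of what a packet-crafting tool assembles.
Illustrative code only; the frame is constructed below, not captured."""
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed SYN/ACK from 192.168.1.10:443 to 10.0.0.5:51515 (sample values)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                               bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))   # fill checksum field
    tcp = struct.pack("!HHIIBBHHH", 443, 51515, 1, 0, 0x50, 0x12, 0xFFFF, 0, 0)
    return eth + bytes(ip) + tcp


def dissect(frame: bytes) -> dict:
    """Return the decoded Ethernet, IPv4 and (if present) TCP fields of a frame."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet/IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ihl = (frame[14] & 0x0F) * 4                       # header length in bytes
    ip_hdr = frame[14:14 + ihl]
    (_ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    result = {
        "eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":")},
        "ip": {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
               "ttl": ttl, "proto": proto, "total_length": total_len,
               # a header with a valid checksum sums (incl. the stored value) to 0
               "checksum_ok": ipv4_checksum(ip_hdr) == 0},
    }
    if proto == 6 and len(frame) >= 14 + ihl + 20:
        sport, dport, seq, ack, _off, flags = struct.unpack(
            "!HHIIBB", frame[14 + ihl:14 + ihl + 14])
        result["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                         "flags": [n for i, n in enumerate(TCP_FLAG_NAMES)
                                   if flags & (1 << i)]}
    return result


if __name__ == "__main__":
    print(dissect(build_sample_frame()))
```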

ModSecurity

ModSecurity is a web application monitoring, logging and access control toolkit developed by Trustwave's SpiderLabs Team. It can perform full HTTP transaction logging, capturing complete requests and responses; conduct continuous security assessments; and harden web applications. You can embed it in your Apache 2.x installation or deploy it as a reverse proxy to protect any web server.

ThreadFix

ThreadFix is a software vulnerability aggregation and vulnerability management system from Denim Group. It matches and merges report results from dynamic, static, and interactive application scanners. It can interact with software defect tracking systems to help developers focus on the most serious problems. The community edition is open source; Denim Group also offers a paid version of ThreadFix with enhanced features.

Burp Suite 

Burp Suite is a Web app security testing platform. Its various tools support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Tools within the suite include a proxy server, web spider, intruder and a so-called repeater, with which requests can be automated. Portswigger offers a free edition that’s lacking the web vulnerability scanner and some of the advanced manual tools.

Metasploit

HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open source platform for writing security tools and exploits. In 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. Prior to the acquisition, all development of the framework occurred in the developer's spare time, eating up most weekends and nights. Rapid7 agreed to fund a full-time development team and keep the source code under the three-clause BSD license that is still in use today.

Aircrack-ng

What Wireshark does for Ethernet, Aircrack-ng does for Wi-Fi. In fact, it’s a complete suite of tools for monitoring packets, testing hardware, cracking passwords and launching attacks on Wi-Fi networks. Version 1.2, released in April 2018, brings big improvements in speed and security and extends the range of hardware Aircrack-ng can work with.

TAILS

The Amnesiac Incognito Live System (TAILS for short) is a live Linux operating system that you can run from a DVD or USB stick. It’s amnesiac because it doesn’t keep track of your activities from one session to the next, and incognito because it uses Tor for all internet communications. It’s possible to reveal your identity to someone monitoring your Tor connection if you log in to, say, your social networking account, but if you don’t do anything stupid like that, TAILS can go a long way to keeping your online activity secret.

Qubes OS 

Qubes OS modestly describes itself as “a reasonably secure operating system.” It uses the Xen hypervisor to compartmentalize functions in different virtual machines or “qubes”. This allows different activities to be isolated in different qubes. How far you go with this is up to you. If you’re only slightly worried, you might perform your internet banking in one qube, and all your other online activities in another. If you’re really concerned, you might create a new, disposable qube for every email attachment you open, providing some level of assurance that a malicious attachment can’t take over your whole machine. It’s a free download, but you’ll need a 64-bit Intel or AMD machine with 4GB of RAM and 32GB of disk space.

Signal

Signal is a messaging and voice-and-video-calling app offering end-to-end encryption: That means that even its developers can’t intercept or decrypt your conversations. It’s free for use on Android, iOS or desktop machines running macOS, Linux or Windows. It offers functions such as disappearing messages (that vanish a sender-selectable time after they are read), encrypted group chats, and picture messaging. The Electronic Frontier Foundation suggests using Signal as part of its “Surveillance Self Defense” guide.


Thursday, 11 October 2018

ISO 27001 Global Report 2018

Over the past ten years, the popularity of ISO 27001, the international standard that describes best practice for an ISMS (information security management system), has increased significantly.
As a global expert on ISO 27001, IT Governance has conducted research to explore the challenges and drivers behind the Standard’s increased adoption.
The findings provide useful insights for lead implementers, auditors, consultants and heads of security teams, and justify the continued growth and adoption of the Standard globally.

Download the report now to discover:

  • The relationship between ISO 27001 and the EU GDPR (General Data Protection Regulation), and why an increasing number of organisations are using the Standard to maintain compliance with the Regulation’s information security requirements;
  • The key drivers and benefits for implementing ISO 27001;
  • The main challenges and struggles encountered by organisations when implementing ISO 27001;
  • The average duration and cost of an ISO 27001 implementation project; 
  • How vulnerable organisations feel about coping with cyber attacks in an evolving threat landscape; and 
  • What other popular cyber security control sets are being used in addition to those provided by ISO 27001.

The ISO 27001 Global Report 2018 is based on research carried out between 1st November 2017 and 30th March 2018 and presents the responses from 128 professionals around the world who have implemented, are implementing or intend to implement an ISO 27001-compliant ISMS.

ISO 27001 Global Report 2018: top 3 key takeaways:

1) ISO 27001 aids GDPR compliance

ISO 27001 provides an excellent starting point for meeting the technical and operational requirements of the EU GDPR (General Data Protection Regulation). So, it’s no surprise that nearly half (48%) of respondents cited GDPR compliance as their key motivation for adopting the Standard.
Implementing a documented, ISO 27001-aligned ISMS (information security management system) can help your organisation achieve GDPR compliance, while providing unquestionable evidence that you have taken reasonable measures to address information security risks, which will be looked upon favourably by regulators.

2) Improving information security is the biggest driver for implementing ISO 27001

Respondents acknowledged the ease with which the Standard’s framework enables organisations to manage, monitor and improve their information security in one place, with 70% of respondents saying that improving their information security posture was the biggest driver for implementing ISO 27001.
Other key drivers included gaining a competitive advantage (57%), ensuring legal and regulatory compliance (52%), industry requirements to align with information security best practice (49%) and tendering for new business (46%).

3) Obtaining employee buy-in is a key challenge for organisations

You are only as strong as your weakest link, and an organisation’s biggest security risk is often its own employees. When it comes to improving your ability to guard against cyber threats, the best defensive strategy is creating a strong cyber security culture – from the executive boardroom to the reception desk.
So, it’s concerning that 51% of respondents cited obtaining employee buy-in and raising staff awareness as the “main challenge” when implementing ISO 27001.
The solution? Change your culture to generate tangible and lasting organisation-wide security awareness with a comprehensive staff awareness programme.

Source: www.itgovernance.co.uk