
  • Download in Progress: Addressing the Gender Dimensions of Cyber … – Stimson Center

    When the first “international days for women” were organized in the early 20th century the world looked very different. The digitalization and online interconnectedness that many now take for granted were part of a yet unimagined future. Those early calls for workplace equality, voting rights, and radical social reform resonate more than a century later, however. A range of digital technologies amplify and reinforce discrimination and the stereotypes of the so-called offline world and introduce new forms of harm for women and people of diverse sexual orientations and gender identities. Apart from the existing gender gap there is now a digital gender gap encompassing digital literacy as well as employment and educational concerns. Yet, technology offers powerful new channels to access vital services and information, and to mobilize. Holistic, intersectional, and inclusive solutions are needed as we collectively mark the 2023 International Women’s Day (IWD), for which the United Nations has designated “innovation and technology for gender equality” as a theme.
    Cyber security, technology, and innovation are complex and multi-faceted topics, and the application of a gender lens reveals even more dimensions. An important starting point for any discussion is viewing gender identity as a factor in how and why we use technology, including digital technology.
    For instance, research on the gendered impact of internet shutdowns has shown that in diverse societies and countries the internet is integral for women to pursue education or earn income when family responsibilities or other constraints make it challenging to attend class in-person or work in the formal economy. Many also use it to access information that is not widely available through other means, such as in relation to sexual and reproductive rights. Certain digital technologies like social media and messaging platforms have been shown to provide safe spaces for people of diverse gender identities or sexual orientation in contexts where they may be persecuted.
    Gender differentiated use of cyber and digital technologies means there are gender differentiated impacts of its misuse. Recent research on the economic impact of internet shutdowns in Iran highlights that limitations on access to platforms like Instagram have had a negative economic impact on all Iranians, but women are disproportionately impacted because a high percentage of the Iranian businesses relying on the platform are women-owned. From Latin America to Australia and the United States, data breaches in which sensitive medical or health information was exposed have also been found to pose unique risks for women or gender minorities. And some technologies, like tracking apps, have been specifically devised to constrain the mobility of women.
    Barriers to meaningful access are linked to the digital gender divide. According to the International Telecommunication Union’s (ITU) latest data, the proportion of women using the internet globally stands at 57%, compared to 62% of men. This varies across regions: in least developed countries, only 19% of women used the internet in 2020, compared to 86% in developed countries in 2019. The disparity in meaningful access is also a function of other intersecting factors, such as location, economic power, age, gender, racial or ethnic origin, social and cultural norms, and education, amongst others. In some societies the internet is commonly accessed through mobile devices rather than computers, and it is not uncommon for a family to share a single device, often controlled by a male family member. These factors also play a role in women’s ability to develop digital literacy and to access fields of education which lend themselves to cybersecurity-related careers, in which there is also a well-acknowledged gender gap.
    Women’s political participation was among the priorities of early IWDs. Significant strides have been made globally in this area but the abuse of digital platforms risks undermining that progress. A new report from #ShePersisted notes, “Building on sexist stereotypes and disseminated with malign intent, gendered disinformation campaigns in every context identified have a chilling effect on the women they target, often leading to political violence, hate and the deterring of young women from considering a political career.” The report affirmed that women coming from what are traditionally marginalized sections of society are made even more vulnerable by gendered disinformation and online hate campaigns which have racist and sexist undertones.
    This is not unique to the political sector. Women or gender diverse people working in other public roles such as journalism are routinely targeted. So too are women peacebuilders, working in post-conflict situations or contexts with high levels of armed violence. Here technology has been an enabling factor for women-led civil society to engage in peace talks, or for grassroots organizing, but such groups have also been threatened with offline violence through online tactics and platforms because of their work. When technology-facilitated gender-based violence (GBV) or disinformation “smear campaigns” are conducted by foreign actors seeking to influence political dynamics elsewhere, it is no longer only a human rights issue but also one of international security.
    Some progress is being made towards closing gaps and preventing harm, buoyed along by civil society advocacy and research and growing governmental support. IWD 2023 is an opportunity to increase that momentum and commitment. Frameworks like the Women, Peace and Security Agenda and relevant human rights instruments should be adapted for the digital landscape and to account for broader and intersectional understandings of gender, going beyond women alone. New and more focused tools are also needed to fill legal gaps, underpinned by independent research and involving the technology companies whose products and platforms are failing women. Of key importance will be locking in meaningful participation of women and gender diverse people within cyber security and relevant fields. When women, or any group, are a part of policymaking from the outset, the potential for impactful results grows exponentially. This not only closes gaps and moves us towards equality but will enable gender-responsiveness and awareness within cyber and digital security, and can address issues of gender and other bias.
    Copyright The Henry L. Stimson Center

    source

  • White House cybersecurity strategy likely to face obstacles – Roll Call

    The Biden administration’s new cyber strategy calling for minimum security standards across multiple economic sectors looks likely to face opposition from some lawmakers and businesses as U.S. officials work to implement the blueprint. 
    Top Republicans on the House Homeland Security Committee said in a statement that the administration should be seeking partnerships with the private sector rather than punishment. And at least one private cybersecurity expert warned of potential resistance from sectors that already work under federal regulatory requirements.
    By including software makers among those that will have a role in cybersecurity, the administration could also be testing the willingness of that industry to weed out participants that don’t provide adequate security. And by speculating about the possibility of federal insurance for attacks, the strategy is raising questions about the potential for big changes in private sector behavior.
    The strategy, released last week, said the current practice of allowing sectors including utilities, food and agriculture, health care and others to meet voluntary cybersecurity standards had resulted “in inadequate and inconsistent outcomes,” and it prescribed regulations to “level the playing field.”
    Reps. Mark E. Green, R-Tenn., the chairman of the House Homeland Security Committee, and Andrew Garbarino, R-N.Y., the chairman of its Cybersecurity and Infrastructure Protection Subcommittee, responded with a statement urging the administration to streamline existing regulations and to favor partnerships rather than punishment in the implementation of the strategy. 
    “The key to building trust with our private sector partners is employing harmonization across government, rather than encouraging disparate and competing efforts,” Green and Garbarino said. “We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government.”
    The administration is making the case that mandated security standards in key sectors are needed after high-profile cyberattacks in late 2020 and 2021 showed voluntary standards aren’t working. An attack on Colonial Pipeline in 2021 shut down supplies of gasoline on the East Coast, and several federal agencies were themselves victims when software supplier SolarWinds was hacked in late 2020.
    After the Colonial attack, the administration imposed minimum security standards for operators of pipelines. And similar standards were later extended to airlines and railroads. 
    The Cybersecurity and Infrastructure Security Agency, or CISA, oversees cybersecurity in the 16 critical sectors that may face new standards. But many of the sectors, including financial services and health care, are overseen by other regulatory bodies, some of which address cybersecurity. 
    The financial services sector, for example, is one where several regulatory agencies already prescribe cybersecurity requirements and more regulation stemming from the new cybersecurity strategy could face resistance, said Marcus Fowler, CEO of Darktrace Federal, part of U.K.-based Darktrace, a global cybersecurity company. 
    “I think you’re going to run into business interests and other areas that could erode the bipartisan-ness of cybersecurity when you start to touch on a couple of different sectors,” Fowler said. “I think the one that jumps out to me, which is a critical sector but also one that already has a lot of regulation, is financial services.”
    White House officials developing and implementing the strategy acknowledged the need to streamline regulations for some sectors already meeting several cyber standards even as other sectors face few rules. 
    “We have to raise the bar in some places, we have to harmonize in other places to create a level playing field,” Kemba Walden, acting national cyber director, said last week at an event hosted by the Center for Strategic and International Studies. 
    Rep. Bennie Thompson, D-Miss., ranking member of the House Homeland Security Committee, said requirements are needed. 
    “As cyberattacks increase in frequency and sophistication, smart, well-harmonized, performance-based security requirements for critical infrastructure could help ensure the critical infrastructure we rely on every day is sufficiently resilient to keep operating in the wake of a compromise,”  he said. 
    Sen. Gary Peters, chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement that he would “closely examine this strategy, quickly consider the parts of it that will require Congressional action.” 
    Peters, D-Mich., authored legislation that became law in the last Congress that required operators of critical infrastructure to report a cyber attack to federal agencies. 
    The administration’s cyber strategy also called for shifting liability for insecure software that enables cyberattacks to makers of such software. 
    “Poor software security greatly increases systemic risk across the digital ecosystem and leaves American citizens bearing the ultimate cost,” the strategy said. “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security program cannot prevent all vulnerabilities.” 
    The strategy pointed to software developed by unvetted third parties that is embedded into commonly used programs, potentially allowing hackers to exploit flaws. 
    Well-established software companies that sell to commercial enterprises “do take security seriously and invest heavily in it,” said Henry Young, policy director at BSA-The Software Alliance, a trade group that represents companies including IBM, Microsoft, Salesforce and others. 
    “If there is a path that we think will lead to more secure software, I think we’re totally on board,” Young said. 
    Shifting liability to companies for making software with poor security features may help the industry overall by curbing “fly-by-night operators” who are not interested in long-term market presence, Young said. 
    The administration also is exploring a federal insurance backstop to aid victims of cyberattacks after “catastrophic cyber events,” the strategy said, adding that officials will consult with lawmakers, state regulators, and the insurance industry on how to design such a backstop. 
    Devising and implementing such an insurance program would have to work through several questions and could face hurdles, Fowler said. 
    The questions range from what the threshold would be to trigger a federal insurance response, whether companies would drop their insurance coverage in hopes that the federal government would step in, and whether a separate entity like the Federal Emergency Management Agency would be required, Fowler said. 

    source

  • Cybercrime Marketplace Leaks Over 2.1 Million Payment Cards – SecurityWeek

    Notorious carding marketplace BidenCash last week released information on more than 2.1 million credit and debit cards.
    Carding marketplaces, also referred to as card shops, are cybercrime websites that facilitate the trading and unauthorized use of stolen payment card details.
    Active for less than a year, BidenCash has quickly become one of the top carding marketplaces, making a name for itself by releasing the details of hundreds of thousands of cards in June 2022. In October 2022, it released the details of more than 1.2 million stolen cards, for free.
    The new data dump, the largest associated with the illicit portal so far, is meant to attract new customers, especially since most of the released cards are approaching expiration.
    Roughly 70% of the leaked cards expire in 2023, cyber threat intelligence company Flashpoint has discovered. The firm also notes that half of the cards belong to US-based people or entities.
    According to threat intelligence provider Cyble, the dump contains more than 740,000 credit cards and over 810,000 debit cards, as well as roughly 300 charge cards. Some of the cards expire in 2052, the company says.
    The cards were released on a top-tier Russian-speaking dark web forum and included card numbers and expiration dates, CVV numbers, and bank names.
    In the leak, BidenCash also included the personally identifiable information (PII) of the victims, such as names, addresses, email addresses, and phone numbers.
    While the release of expired or about-to-expire cards might not seem much of a threat, cybercriminals are known to purchase such information as a means of gathering information on their potential victims.
    “The presence of email addresses and full information (commonly referred to as ‘Fullz’ by cybercriminals) will make the victims of this leak vulnerable to other attacks, such as phishing, identity theft, and scams, long past the expiration of their card details,” Cyble notes.

    Ionut Arghire is an international correspondent for SecurityWeek.
    Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

    source

  • Cybersecurity Fundamentals Training as E-Learning – Security Boulevard

    We know that security teams need to focus on confidently and efficiently defending against cyberattacks. While Analyst training is crucial to building a high-performing security team, finding the time to attend hours of training is easier said than done.
    To address these challenges, our LogRhythm Training and Enablement team is thrilled to announce the launch of entirely self-paced versions of the LogRhythm University Fundamentals 301, 302, 304, and 305 courses. As part of our new training pivot, we want to make sure your security teams can complete their training without taking time away from defending your business and your customers.
    Our new e-Learning training options cover 301 Admin Fundamentals, 302 AI Engine, 304 LogRhythm Cloud Admin Fundamentals, and 305 Analyst Fundamentals, with the added flexibility of on-demand access. We created this with our customers in mind, to accommodate our users’ busy schedules and ensure that our training programs are accessible, engaging, and informative.
    With on-demand access, we also wanted to make sure our new training program is as engaging as it is informative. Instructors have recorded all exercises within the 301, 302, and 304 courses, along with student exercise guides, learning guides, and more.
    Amongst these new offerings, our 305 Analyst Fundamentals course has a completely new scenario-driven look. Learners go through the course as a new security operations center (SOC) Analyst in a LogRhythm-deployed shop, learning from a mentor who shows them step-by-step how to use LogRhythm SIEM. Simulated hands-on exercises and immersive learner experiences give learners the opportunity to conceptualize LogRhythm’s application in their own environment and explore the potential of valuable tools, such as the AI Engine. Learning games, video walk-throughs, and activities are just the beginning of what you can expect with the new 305 course. You can access the self-paced 305 Analyst Fundamentals course now on LogRhythm University.
    Upon completion of the 305 Analyst Fundamentals course, participants will be prepared to take the LogRhythm Security Analyst (LRSA) qualifying exam, and those who pass will receive official LRSA certification. We estimate the 305 course will take eight to ten hours to complete, but participants are free to work through the material at their own pace. You can start and stop anywhere within the learning modules, pick up where you left off, revisit previous modules, and more.
    Depending on the training program, we have worked to incorporate many of the training aspects offered in our instructor-led courses into our on-demand self-paced format. For our 301, 302, and 304 courses, our virtual machine lab environment is integrated into the courses where applicable, and everything is built to be fully guided so you can work alongside LogRhythm instructors’ tips and tricks. You can access the self-paced 301 Administration Fundamentals course, the self-paced 302 AI Engine Fundamentals course, and the self-paced 304 LogRhythm Cloud Administration Fundamentals course now on LogRhythm University.
    Hands-on exercises are also included with the self-paced 301, 302, and 304 courses. Included with the purchase of each individual class, learners will have two weeks of virtual machine lab time, starting from the time of registration, to go through the recorded exercises alongside the instructors (along with the aid of the student exercise guide). Learners will have the option to purchase extended lab time if needed.
    For further questions, please contact [email protected] if you are a current customer or [email protected] if you are not a current LogRhythm customer.
    Along with the exciting launch of our self-paced training program, we are also launching a new subscription services-based model for LogRhythm University. The purchase of a one-year subscription allows one seat, or person, to access every course in LogRhythm University as much as needed. If learners need to revisit any course or learning module, they will not incur additional charges within the subscription. As these seats are named, we have also made sure that the seats are transferable upon attrition at no additional cost, so that no unplanned costs are incurred due to changes on your security team.
    While we are no longer selling training tokens, any previously purchased tokens will be honored and you can continue to use these to register for our training programs through to the end of June 2024.
    All e-Learning courses can be accessed through LogRhythm University and are available for existing LogRhythm customers. For help accessing a course, please follow this guide located in LogRhythm Community on registering for LogRhythm University classes. LogRhythm University is currently only available to our existing customers and partners. For additional details on our subscription services, please reach out to your Sales Representative or Account Manager.
    We will still be offering instructor-led training if that is your preference, and you can continue to find all of our training offerings alongside our self-paced options in LogRhythm University.
    *** This is a Security Bloggers Network syndicated blog from LogRhythm authored by Ianni Le. Read the original post at: https://logrhythm.com/blog/cybersecurity-fundamentals-training-as-e-learning/

    source

  • Mumbai: As cybercrime cases surge, cops issue advisory – Free Press Journal

    The Mumbai police’s Crime Branch on Saturday issued an advisory to help citizens guard against the rising number of cyber-related crimes.
    As per the notification, “Recently, fake text messages are going viral, asking to update KYC/PAN details in the name of the bank and sending links to customers stating that their bank account is blocked/ disabled/ suspended due to not updating their KYC/PAN Card.” The notification adds that these types of frauds have increased and have asked citizens to not click on any such links. The advisory was issued by Deputy Commissioner of Police (cybercrime, Crime Branch) Dr Balsing Rajput.
    Don’t click on unknown, unverified links: Police
    Once a customer clicks on the URL or link provided, she/he is routed to a fake website in the name of the bank where the customer will be asked to fill in confidential details like customer ID, user ID, password/PIN and mobile number. Once the details are submitted, fraudsters get a hold of the customer’s confidential banking information, which is used to steal money from bank accounts.
    As per the advisory, the police have suggested that citizens should not click on unknown, unverified links, emails, or SMS and immediately delete them. “Always visit your bank’s official website or service provider for customer care support. Verify the website details, especially if it requires entering financial, confidential credentials,” the advisory said.
    ‘Don’t share personal and financial info’
    It added, “Do not share personal or financial information like card details, PIN, OTP, password, etc, with anyone or over any link. The bank will never ask for your confidential banking details.”
    The advisory also suggested that citizens protect their mobile phones with a strong password or biometric authentication, adding that if citizens experience or witness any such instances, they should report the matter at www.cybercrime.gov.in or by calling 1930, while also reporting it to the respective bank.
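    The advisory’s “verify the website details” step is the part most people get wrong, so here is an added illustration of what that verification can look like in code. This is an example written for this page, not tooling from the Mumbai police or any bank. The official domains (`examplebank.in`, `examplebank.co.in`), the brand token, the two-label public-suffix table and the sample messages are all constructed placeholders; a real deployment would load the bank’s published domains and a full public-suffix list. The checker extracts links from a message and flags the signs the advisory warns about: a link that is not the bank’s own domain, the bank’s name embedded in a lookalike domain, a raw IP address, a hidden real host behind an `@`, punycode labels, and plain `http`.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allowlist: the bank's registrable domains (placeholder names,
# assumption for this example; load the bank's published list in practice).
OFFICIAL_DOMAINS = {"examplebank.in", "examplebank.co.in"}
BRAND_TOKENS = ("examplebank",)
# Minimal public-suffix table so "examplebank.co.in" counts as one registrable
# domain. Assumption: a real checker uses the full public suffix list.
TWO_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk", "com.au"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Verdict:
    url: str
    host: str          # the host the browser would really connect to
    registrable: str   # registrable domain derived from that host
    reasons: list = field(default_factory=list)

    @property
    def trusted(self) -> bool:
        return not self.reasons


def registrable_domain(host: str) -> str:
    """Return the registrable domain (e.g. 'examplebank.co.in' or 'evil.test')."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str) -> Verdict:
    """Evaluate one link against the bank's official domains; empty reasons == trusted."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # e.g. https://examplebank.in@evil.test/ : the bank name is only userinfo
        reasons.append(f"text before '@' is userinfo, real host is {host}")
    try:
        ip_address(host)
        reasons.append("raw IP address instead of a domain")
        registrable = ""
    except ValueError:
        registrable = registrable_domain(host) if host else ""
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    if registrable not in OFFICIAL_DOMAINS:
        reasons.append(f"'{registrable or host}' is not an official bank domain")
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("bank name embedded in a non-bank domain (lookalike)")
    return Verdict(url, host, registrable, reasons)


def triage_message(text: str) -> list:
    """Check every link found in an SMS/e-mail body."""
    return [check_link(u.rstrip(".,)")) for u in URL_RE.findall(text)]


def count_suspicious(messages: list) -> int:
    """Number of messages carrying at least one untrusted link."""
    return sum(1 for m in messages if any(not v.trusted for v in triage_message(m)))


# Constructed sample messages in the style the advisory describes.
SAMPLE_MESSAGES = [
    "Dear customer, your account will be suspended today. Update KYC at "
    "http://examplebank-kyc-update.in/verify",
    "Your PAN is not linked. Click https://examplebank.in@203.0.113.5/pan to continue.",
    "ExampleBank: log in only via https://www.examplebank.in/ for KYC updates.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for verdict in triage_message(msg):
            status = "OK      " if verdict.trusted else "SUSPECT "
            print(status, verdict.url, "; ".join(verdict.reasons))
```

The decisive check is the one on the registrable domain: a legitimate bank link may sit on any subdomain of the bank’s own domain, but a phishing link that merely contains the bank’s name resolves to some other registrable domain, and that is what the comparison against the allowlist catches. The remaining checks are cheap corroborating signals rather than substitutes for it.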

    source