As the month’s end approaches, it is time for another collection of the key updates that have emerged. This cyber security news round-up for Dec 2022 features two reports from The Hacker News. We begin with their article on a new way for attackers to bypass popular web application firewalls. We then turn to a new report from the European Union Agency for Cybersecurity (ENISA). Finally, we look at new safeguards added to Gmail.
New attack method to bypass web application firewalls (WAFs) revealed
The WAFs of certain vendors can now be circumvented via a new attack method which can then be used to infiltrate systems. This means that potential attackers might be able to gain access to sensitive business and customer information. WAFs are a crucial part of cyber security strategies and defences. They can help to filter, monitor, and block HTTP(S) traffic to and from a web application. They can also prevent attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS) and SQL injection (SQLi).
Towards the start of December, The Hacker News shared an update on the new WAF attack method. They revealed that researchers at cyber security solutions specialist Claroty had discovered a generic bypass. According to Claroty’s Noam Moshe, the bypass “involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.” “Most WAFs will easily detect SQLi attacks, but prepending JSON to SQL syntax left the WAF blind to these attacks.”
The moral of the story? Always ensure your IT systems are up-to-date and that your teams receive regular training. Keep an eye out for new developments in the cyber security world, too.
ENISA Releases the 2022 Cyber Europe report
The after-action report of the 2022 edition of Cyber Europe was released this month by ENISA. The report compiled information they had gathered through a cyber security exercise testing the European healthcare sector. The objective was to identify potential challenges and to then suggest recommendations.
Key findings include:
- Regular testing for cyber security teams within healthcare is recommended as a best practice at local level
- Allocating appropriate budgets and resources to cyber security teams is crucial in the health sector
Participants completed a series of tests during cyber crises. These included the EU-level technical and operational co-operation mechanism, plus incident response and resilience plans at a local level. Stakeholders were also able to receive training on technical capabilities throughout the exercises.
Gmail adds client-side encryption
As reported by The Hacker News earlier this month, Google announced that client-side encryption is in beta for Workspace and education customers. This is being done to secure emails sent using the web version of Gmail, and customers can apply to sign up until January 20, 2023.
CRIBB first shared the news via social media in December 2022. Our cyber security experts are always happy when new measures are introduced to increase security and to bolster data protection efforts. The new Gmail safeguards are not the same as end-to-end encryption. However, they will now protect data from unauthorised access – including from the server or the service provider.
That is it for your cyber security news Dec 2022 round-up. Did we miss any stories of note? If you believe this to be the case, then we would appreciate you sharing your thoughts.
This is the final CRIBB article for 2022 and we’d like to thank those of you who have supported us this year. If you are an avid reader, do let us know what you would like to see in the year ahead. We’ll do our best to keep our blog as interesting and informative as possible but your input is always welcome. For now, we wish you all the best for a healthy and successful 2023!