Infosec Island Latest Articles

'DarkGate' Campaign Targets Europeans with Multiple Payloads
Fri, 16 Nov 2018 07:28:14 -0600

A newly discovered malware campaign is targeting users in Europe with various payloads, has a reactive command and control (C&C) system and can remotely control infected machines, enSilo security researchers warn.

Spreading through torrent files, the DarkGate malware can avoid detection by several anti-virus products and is also capable of delivering multiple payloads to the infected machines, for crypto-currency mining, stealing crypto-coins, and encrypting victims' files (ransomware).

The campaign operators use a C&C infrastructure cloaked in legitimate DNS records from services such as Akamai CDN and AWS, which lets them avoid reputation-based detection. Their malware can bypass User Account Control (UAC) and can also prevent several known recovery tools from removing its critical files.

Mainly focused on targets in Spain and France, the campaign uses a reactive C&C infrastructure, where human operators react to notifications from infected machines. As soon as the malware reports back activity of interest on an infected machine, such as the presence of crypto wallets, the operators install a custom remote access tool for further operations.

The malware author invested a lot of time into ensuring the threat can evade detection by anti-virus products and continues to improve their creation. The operation appears financially motivated, but, given the threat’s ability to install remote access tools, the author might have other motives as well.

The security researchers were able to link DarkGate with the Golroted password stealer, as both use the Nt* API calls for process hollowing and a SilentCleanup scheduled task for UAC bypass. Moreover, there are significant code overlaps between the two malware variants.

Distributed via torrent files, the DarkGate malware has a multi-stage unpacking process that starts with an obfuscated VBScript file functioning as a dropper for several files (saved to a hidden folder “C:\{username}”).

The malware uses process hollowing to inject and execute malicious code but, if Kaspersky anti-virus is detected, the code is loaded as part of the shellcode instead. The final binary copies all files from “C:\{computer_name}” to a new folder under “C:\Program data” and also adds a registry key to achieve persistence.

As part of the initial connection made to the C&C server, the malware gets the file necessary to start the cryptocurrency mining process. The malware can also search for and steal credentials for a variety of crypto wallets.

The threat contains six hard coded domains that it attempts to connect to upon infection. It also uses DNS records that are similar to legitimate DNS records from Akamai or Amazon, which allows it to avoid unwanted attention.

The malware also includes various anti-VM and user validation techniques, and checks the infected system for a series of anti-virus products (reporting their presence to the server, with the exception of Kaspersky, Trend Micro and IOBIt) and known recovery tools.

DarkGate, the researchers reveal, uses two distinct UAC bypass techniques in an attempt to elevate its privileges. One abuses a scheduled task for DiskCleanup (cleanmgr.exe), while the other one leverages Event Viewer (eventvwr.exe).

The threat can log keystrokes, and attempts to steal passwords from various programs, using the following applications: Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView.

DarkGate can delete all restore points on the system, and also appears capable of installing an RDP connection tool, giving operators unfettered access to the infected machine. The server can request a range of information about the machine, such as locale, username, computer name, processor type, RAM, OS type and version, epoch time, and installed AV type, among others.

Related: NSA Leak Fuels Rise in Hacking for Crypto Mining: Report

Copyright 2010 Respective Author at Infosec Island
Facebook Patches Bug that Exposed Private Information
Thu, 15 Nov 2018 12:46:00 -0600

Facebook recently addressed a vulnerability that could have allowed anyone to access private information about users and their contacts.

The vulnerability, Imperva security researcher Ron Masas explains, was found in Facebook’s online search function. He discovered that the HTML code for every search result contained an iframe element that could be exploited maliciously.

The issue is that the endpoint, which expects a GET request with a number of search parameters, is not cross-site request forgery (CSRF) protected. This allows users to share the search results page via a URL; on its own that is a non-issue, since the user must still take an action.

When it comes to the Facebook online search, however, the problem is that the CSRF bug can be combined with the fact that iframes are exposed in part to cross-origin documents.

An attacker looking to abuse the vulnerability would need to trick a user into opening their malicious website and clicking anywhere on it. The malicious site would only need to be running JavaScript.

The user interaction triggers a popup or a new tab to the Facebook search page, and the attacker forces the user to execute any search query they want.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property. By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,” Masas explains.

The security researcher, who published a proof-of-concept video, notes that he was able to extract a variety of private user data by exploiting the issue.

Such information included details on whether the user had friends from Israel or friends named “Ron,” whether the user had taken photos in certain locations/countries, if they had Islamic friends or Islamic friends living in the UK, and even if the user or their friends wrote a post containing a specific text.

The process, the researcher explains, can be repeated without the need for a new popup or tab, as the attacker has control over the location property of the Facebook window through running a specific snippet of code.

“This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site,” the security researcher says.

The attacker doesn’t even need a Facebook account to extract said information, Imperva told SecurityWeek in an email. The security firm also said that Facebook, which was alerted to the bug in May, issued two bounties (mobile and desktop) totaling $8,000.
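As an added example (Python, not Facebook's or Imperva's code), a search handler in the vulnerable shape beside a hardened one with the two server-side controls that close this class of leak: the GET request must carry a token bound to the caller's session, and the response sets Cross-Origin-Opener-Policy: same-origin so the opening page's reference to the popup is severed and frames.length can no longer be read cross-origin. FRIENDS, the parameter names and the handler functions are constructed for the illustration; COOP is a browser control that postdates the 2018 fix and is shown as a general mitigation, not as what Facebook deployed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for one user's private social graph; the real data
# lives behind Facebook's graph search.
FRIENDS = [
    {"name": "Ron", "country": "IL"},
    {"name": "Dana", "country": "IL"},
    {"name": "Ron", "country": "UK"},
    {"name": "Li", "country": "CN"},
]

# Constructed for this run; a real deployment loads a managed secret.
SERVER_SECRET = secrets.token_bytes(32)

# Tells the browser to put this page in its own browsing context group, so an
# opener on another origin loses its window reference (frames.length reads 0).
COOP_HEADER = {"Cross-Origin-Opener-Policy": "same-origin"}


def make_search_token(session_id: str) -> str:
    """Token the legitimate UI embeds in the search URL; bound to the session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _search(params: dict) -> list:
    """Filter the graph by the supported query parameters (hypothetical API)."""
    hits = FRIENDS
    for key in ("name", "country"):
        if key in params:
            hits = [f for f in hits if f[key] == params[key][0]]
    return hits


def handle_search_unprotected(url: str, session_id: str) -> dict:
    """The vulnerable shape: any GET carrying search parameters is honoured,
    so a cross-origin page can drive queries through a popup and count the
    result iframes. session_id is accepted only for a symmetric signature."""
    params = parse_qs(urlparse(url).query)
    return {"status": 200, "headers": {}, "results": _search(params)}


def handle_search(url: str, session_id: str) -> dict:
    """The hardened shape: the request must carry the session-bound token, and
    the response severs the opener relationship with COOP."""
    params = parse_qs(urlparse(url).query)
    supplied = params.get("csrf_token", [""])[0]
    expected = make_search_token(session_id)
    # Constant-time compare on bytes; a str compare would raise on non-ASCII.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return {"status": 403, "headers": dict(COOP_HEADER), "results": []}
    return {"status": 200, "headers": dict(COOP_HEADER), "results": _search(params)}
```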

Related: Facebook Says 50M User Accounts Affected by Security Breach

Related: Facebook Asks Big Banks to Share Customer Details

A Human-Centered Approach to Building a Smart, Satisfied Information Security Team
Thu, 15 Nov 2018 07:27:45 -0600

With limited personnel available to manage rising risk, the difficulty of attracting, recruiting and retaining an appropriately skilled workforce has itself become a significant risk.

Shortfalls in skills and capabilities are manifesting as major security incidents that damage organizational performance and reputation. Building tomorrow’s security workforce is essential to address this challenge and deliver robust and long-term security for organizations in the digital age. Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, clearly calls for new tactics and fresh ideas.

Consider, for example, that new research by Cybersecurity Ventures finds that only 20% of the global cybersecurity workforce is comprised of women. On its face, this statistic proves that there are large, untapped pools of talent. Looking deeper, there are lessons to be learned about what organizations must do differently to attract bright prospects from a wider spectrum of education, experience, and expertise. And of course, it goes way beyond gender diversity — organizations must figure out how to recruit effectively from younger and older age groups, underprivileged districts, liberal arts colleges, and other atypical populations.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures (e.g. security software platforms, patching and configuration practices, analytics, and machine learning) become more complex.

The Evolution of the Security Workforce

The security workforce, typically defined as the personnel responsible for an organization’s information security activities, has evolved rapidly since its inception. The information security function often exists only as part of another associated business function, such as risk, technical IT operations, legal and/or audit. It can be identified as information, cyber, assurance, or operational security. It can also report into various business units, including finance, risk, governance, or IT.

Over the course of its evolution, the lack of a consensus definition of the information security function has allowed numerous, disparate components to form an organization’s security workforce. For example, employees working within threat intelligence, business continuity, and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.

Supply and Demand

Closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture. It is evident that individuals with the required skills, qualifications and experience are either unavailable or demanding compensation that cannot be met with existing budgets. Because they are in high demand, talented security staff regularly move to new employers as they seek out better salaries and projects at more prestigious companies.

But is this inevitable? Are hiring managers so inflexible in requiring candidates to have specific skills, qualifications, and years of experience that they end up hindering their security teams? Are uninformed and unimaginative recruitment practices contributing significantly to the perceived shortage? As salaries escalate, organizations are urgently seeking a solution to the perceived crisis around hiring information security professionals.

To address the growing demand, organizations should broaden their approach, and work purposefully to recruit security professionals from a diversity of backgrounds, disciplines and skill sets. Focus on the aptitude and attitude of candidates rather than insisting on a host of specific skills, experience and qualifications that would eliminate a large portion of current and prospective information security professionals.

Human-Centric Security

As vendors and tools saturate the market of security solutions, potential employees have come to perceive information security as deeply technical, leaving recruiters struggling to identify and appeal to candidates with a less traditional mix of education and experience. Organizations are swiftly recognizing that bright, diligent, inquisitive individuals are among the most valuable security assets an enterprise can leverage. A human-centric approach to information security will foster a workforce that is capable of meeting the challenges presented by digital risk.

To help achieve a human-centric approach, the information security function should collaborate with HR and take advantage of well-established HR practices to build a diverse workforce of capable individuals. A human-centric approach supported by HR provides the structure for a strong workplace culture characterized by proficient and satisfied information security professionals.

Building a Sustainable Security Workforce

Increasing reliance on digital systems, coupled with a dynamic threat landscape, has made the security workforce core to an organization’s survival. But for many enterprises, developing a sustainable security workforce is only an aspiration: attracting and retaining experienced, certified security experts is a constant battle.

Organizations need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained HR efforts, organizations can formalize the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organization’s security objectives.

As the security workforce matures and finds innovative ways to embrace the vast resources of untapped talent, the exaggerated myth of a looming crisis in the global security workforce. A robust and diverse security workforce will empower organizations to face future workforce challenges, such as automation, role and function amalgamation, and increased outsourcing. ISF Members are already demonstrating success at cultivating teams with the necessary skills and expertise in progressive and engaging environments.

A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing cyber risk and security burden.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Addressing the CISO’s Key Challenges in 2018 and Beyond with Endpoint Detection and Response
Mon, 12 Nov 2018 09:17:00 -0600

IT security leaders face more hurdles today than ever. From the growing threat landscape to the increasing regulation of the digital economy, information security officers have their work cut out for them.

Research indicates that CISO responsibilities are growing faster than their ability to address security issues. Some of their biggest troubles include evolving threats, tight budgets, lack of skilled staff, complex environments to protect, and even more complex solutions that do little to ease the IT department’s load. Coupled with the increasing compliance burdens of GDPR and other regulations like it, CISOs need to meet their responsibilities by working smarter, not harder. One such smart approach is leveraging effective Endpoint Detection and Response (EDR).

While there is no shortage of EDR solutions, an evaluation of efficacy among top providers shows that they vary widely. Why? Most EDR solutions are too complex and noisy, trigger too many false alarms (alert fatigue), offer little to no visibility into the detection and remediation process, and/or lack the analytics to automate core processes.

An effective EDR solution should reduce alert fatigue by limiting the number of incidents requiring human analysis, enabling IT departments to focus security resources on real threats, and should never overburden staff or infrastructure resources.

Moreover, IT departments need a security solution that is operationally effective. Instead of piling on disparate solutions from different vendors and achieving inferior results, organizations today have access to technologies that give them the option to deploy a single-agent, single-console solution that greatly reduces the effort to install and manage endpoint security.

An integrated, full-spectrum solution

Combating modern threats requires modern weapons. Traditional security solutions are no longer enough—they only display a warning that a threat was blocked, end of story. They offer no visibility into what happened before, during, and after the attack. This lack of insight does little to prepare security teams for similar attacks in the future.

What IT departments need is integrated EDR and EPP (endpoint protection platform), which offers both protection and visibility across all malicious/suspicious activities throughout the infrastructure, as well as alert triage to let them focus on real threats. This integrated solution also offers effective incident response workflows that help reduce resource requirements.

A proper EDR implementation augments protection, detection and response by working together with the security solution in order to provide a complete picture of how threats target organizations, while also allowing IT and security teams to focus on relevant security incidents. At the same time, a successful EDR/EPP implementation eliminates the need for multiple agents, as everything is delivered under a single solution, manageable from a single centralized console. This simplifies deployment and operations across all enterprise endpoints and operating systems, in complex infrastructures both physical and virtual, and across data centers and public cloud environments.

Furthermore, integrated EDR and EPP provides stack and on-execution detection capabilities, which prevents and stops advanced threats from being executed on enterprise infrastructure, while also helping IT and security teams with forensics and investigations into potential security incidents.

The Best of Both Worlds – Security, Visibility

The evolution of cyberattacks has made anomaly detection an imperative and integral part of EDR. Leveraging machine learning, EDR solutions can offer suspicious activity detection that helps with investigation and response by performing fast security alert triage and focusing on truly relevant security events, usually those associated with potential breaches and cyberattacks. Once a potential threat is detected, automatic response kicks in, enabled by the integrated EPP solution: blocking lateral movement, killing suspicious or malicious processes, and automatically remediating any malicious changes performed by the threat. Finally, pre- and post-compromise forensics, offered by EDR capabilities, provide visibility into past actions covering the entire lifecycle of the attack and build a full picture of the attacker’s objective.

Keeping imminent cyber threats at bay may sound complicated, but it really boils down to just a few key aspects: reducing the attack surface, automating detection and response, gaining insight to mitigate future threats, and avoiding loss of business by rapidly containing and remediating an attack.

Today more than ever, incident response teams need to be given the tools to analyze and investigate suspicious activities, and adequately respond to evolving threats.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Fight Fileless Malware on All Fronts
Tue, 06 Nov 2018 08:44:00 -0600

Take a unified approach: patch and protect all elements of your ecosystem to prevent new attacks.

The Ponemon Institute estimates that more than half of all attacks against businesses in 2017 were fileless. Cyber criminals continue to find new, creative ways to disrupt organizations, and a new favorite that gained traction last year is fileless malware. No doubt the 2018 statistics, when compiled, will show fileless malware among the most prevalent attacks, as cyber attackers exploit capabilities in Microsoft’s PowerShell, Windows Management Instrumentation (WMI) and the macOS shell.

Cyber Criminals Love Fileless

The recent trend of fileless malware is part of a larger cybercrime story, that of attackers using a variety of scripts to introduce malware or command and control capabilities into an enterprise. PowerShell, for example, is mainly used to automate administration tasks, including managing configurations of systems and servers. It has been exploited by scripting malware families like W97/Downloader, Kovter fileless malware, Nemucod and other JavaScript downloaders.

One of the latest examples of fileless malware and script attacks was the heist of close to $1 million from a Russian bank. The cyber criminal group, known as MoneyTaker, is believed to have conducted more than 20 successful attacks on financial institutions and legal firms in Russia, the UK and the U.S. Researchers estimate a total figure of $14 million, from 16 U.S. targets, five Russian banks and one hack of a UK banking-software firm. As reported, the group used widely available tools including PowerShell, Visual Basic and the Metasploit exploit framework, plus their own custom-made fileless malware, to hack into these networks.

Why Fileless Works so Well

Fileless malware has become the darling of cyber criminals because, quite simply, it’s a no-brainer. Rather than wait for some human to open a phishing email or an inadequately encrypted application, fileless malware works with what is already in your network, i.e., the day-to-day scripting tools enterprises use, like PowerShell, VBScript or JavaScript. It is easier to conduct an exploit and harder to detect. The malware can be executed entirely from the command line and, with capabilities such as executing commands written in base64 encoding, it may be very difficult to see the malware running. Fileless malware typically does not require downloading additional malicious files; the hacker simply executes a command with arguments on the command line. These commands, however, are capable of stealing data and credentials, spying on IT environments, and leaving back doors open to further exploits. Another tactic is to exploit in-memory access and running applications, such as web browsers and Office applications, to conduct malicious behavior.

A fileless infection could be malicious code or data that exists only in memory. It isn’t installed to the target computer’s hard drive. Written directly to RAM, the code is injected into a running process where it can be used for the exploit. And, since it doesn’t exist as a true file, it can often go undetected by antivirus software and intrusion prevention systems. This “zero footprint” intrusion leverages legitimate programs and data to perform desired tasks, while remaining nearly undetectable using traditional detection methods. The infection can remain live until the system is rebooted and the fileless malware is purged from the infected system’s memory, enabling attackers to steal data or download more persistent malware to use in future attacks.

Fighting Back against Fileless

Fileless malware is particularly insidious since traditional antivirus solutions simply aren’t enough of a defense. It has prompted security teams to take a multi-faceted approach to detecting threats and preventing new attacks. ‘Threat hunting’ includes actions such as log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry or system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users; and understanding baseline endpoint activity of applications and users to detect suspicious activity.

How can fileless malware be avoided? Really, the short answer is, in light of the increasing popularity of these attacks, you need to do it all – to take a unified approach, looking across your enterprise and executing threat-prevention practices wherever possible.

Here are recommended practices for a unified IT approach to fighting back against fileless malware:

  1. Patch Management is critical to preventing attacks of all kinds. Make sure your endpoints and servers are included in the patch cycle to optimize threat protection, and apply those Microsoft patches in a timely fashion! For example, the Microsoft August patch list contained two zero-day vulnerabilities: CVE-2018-8373 [Internet Explorer] and CVE-2018-8414 [Windows Shell]. Given that there are known exploits, you should give these fixes top priority.
  2. Advanced Application Control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
  3. Disable Macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
  4. Advanced Antivirus Technology gives you the most powerful means of addressing the threat at the kernel level.
  5. Privilege Management is essential to limiting threats by giving users the exact level of rights they need to get their job done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cyber criminals access to OS tools that will introduce a fileless infection.
  6. Isolation Policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
  7. Insight Tools can afford a better view into your most vulnerable systems, using techniques such as Web Application Firewalls (WAFs) to protect potentially exposed systems.
  8. Enforce Policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.

What’s Next?

“The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds. They don’t need much time to extract valuable data—they usually have much more than they need as it typically takes organizations weeks or months to discover a breach.” That cautionary note comes from Verizon’s 2018 Data Breach Investigations Report. Verizon reported that 68% of the breaches took months or longer to discover, and, to add to the deficit, many breaches are discovered by customers, damaging a company’s brand reputation.

The MoneyTaker group was reported to have spent months investigating a target’s network, in order to elevate system privileges to those of a domain administrator, then to remain active inside the network following the heist.

The message here is that taking a unified approach, enforcing every possible security policy to prevent these attacks and exercising constant vigilance, is the only way to fight back against fileless malware!

About the author: Phil Richards is the Chief Information Security Officer (CISO) for Ivanti. Prior to Ivanti he has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

How to Protect SMBs Against Phishing Attacks via Social Engineering
Tue, 06 Nov 2018 07:23:00 -0600

Social engineering and artificial intelligence (AI) are bringing about a new golden age of hacking for criminals. They are capitalizing on common online habits of everyday people to tempt them to click on or install harmful applications – in the guise of browser extensions, clickbait and more – each specifically targeted to the individual user’s online habits using AI.

Most breaches occur when employees make common, seemingly harmless mistakes. Now, this goes beyond forgetting to install updates or using overly simple passwords. In fact, due in part to the rise of social engineering, employee mistakes account for the vast majority of breaches. Hackers are catching on fast, capitalizing on human nature and using AI and social engineering to target unsuspecting employees. Clickbait isn’t just about articles and pageviews – it’s about getting a backdoor into your network through unsuspecting employees.

These increasingly sophisticated attacks might look like a harmless browser extension or an article in a social media feed. Employees will likely assume they are legitimate (haven’t we all downloaded a music app or other favorite tool?). Unfortunately, behind many of these commonly installed applications lurks a more sinister motive: a hidden phishing device.

Varying Risk Factors

While training may be effective, it is unlikely to stop all employees from putting themselves unwittingly at risk (particularly on their mobile devices over work networks). Small to medium businesses are especially vulnerable when it comes to these highly sophisticated attacks, so what do they need to know to safeguard against these threats?

First, organizations need to understand the types of phishing attacks. Spear phishing, for example, is a phishing attack targeted at specific individuals and can present a substantial risk to organizations. Spear phishing attacks pinpoint persons in the company with access to sensitive and/or valuable data. This could be anyone from a sales executive to an engineer on a specific project to the chief financial officer. While most phishing attacks broadly target employees with the hopes of catching just one, spear phishing is intended to focus on extracting data or credentials from specific individuals. We are seeing this increasingly as hackers become more aware of the value of specific targets and go after them.

Next, organizations need to understand basic prevention techniques. Phishing requires constant training, since humans are the targets, rather than computer systems. Phishing works because someone takes an action to provide access to cybercriminals, unlike other types of attacks. This element of social engineering requires organizations to train employees not once, but on a recurring basis. Many organizations are seeking hands-on training through simulations after finding that prior measures weren’t effective. Training employees how to inspect email header information and identify malicious “spoof” websites can help safeguard organizations against many common threats.

Mobile Devices in the Workplace

Mobile devices are increasingly becoming the vector through which hackers target employee networks. According to a recent report, the rate at which users are falling for attacks on mobile devices has increased 85 percent each year since 2011. Mobile devices are growing in popularity for attacks because they often lack endpoint security and have access to a wide variety of mobile applications and messaging services. This provides more opportunities for hackers to target employees, who may assume their personal device isn’t a threat to their employer’s network. New attacks use popular apps such as WhatsApp and Facebook to lure victims to download malware, which can expose data stored on these devices.

Having a bring-your-own-device (BYOD) policy is not without risks. For example, the device may be taken offsite for personal use, where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or have any number of personal applications on it. Additionally, devices, especially mobile phones and tablets, can easily be lost. If the device contains sensitive business information, or can connect to a corporate network to access such data, these behaviors seriously increase the risk of compromising company data.

Training Isn’t Always Enough

When the best training isn’t enough, SMBs should put technology in place to back up these efforts. People are human, and as such, they will often make judgement calls that may put them at risk despite the best intentions and training. To supplement training, technology that can identify threats where people might not even think to look is critical. A layered security approach that combines the use of technology, policy and training will be the most effective. Solutions like next-generation firewalls, endpoint protection, behavioral heuristics and more should all be explored when architecting the right strategy for your organization.

Ultimately, phishing attacks rely on social engineering, with the goal of putting something in front of an employee that will entice them to click (or download) without thinking about the consequences.

Attackers are constantly changing tactics, so ensuring that you are armed against the latest threats is critical. Look for solutions that automatically update in addition to training your employees at regular intervals to understand the latest threats. Creating a culture of security awareness is an important first step for any organization. 

About the author: Timur Kovalev serves as the CTO at Untangle and is responsible for driving technology innovation and integration of gateway, endpoint, and cloud technologies. Timur brings over 20 years of experience across various technology stacks and applications.

Copyright 2010 Respective Author at Infosec Island
DDoS Disruption: Election Attacks
Mon, 05 Nov 2018 10:08:00 -0600

In an increasingly politically and economically volatile landscape, cybercrime has become a geopolitical tool. Attacks on political websites and critical national infrastructure services are ever more frequent, not only because the tools to mount them are simpler, cheaper and more widely available, but also because attackers want, and are able, to influence real-world events such as elections while remaining undiscovered. Not surprisingly, a third of respondents to NETSCOUT’s latest Worldwide Infrastructure Security Report cited political or ideological disputes as a motivation for DDoS attacks.

As such, we are reminded that cyberattacks against elections are a major concern for the US—recall the recent DDoS attack that crashed a Tennessee county's website on election night in May. The Department of Homeland Security has warned against voting machine hacks and targeted attacks against campaigns. The agency said that in 2016, hackers targeted election systems in 21 states.

Election officials are on high alert for future DDoS attacks because of the risk they pose to the availability of systems and, more importantly, to confidence in the whole process, which hangs in the balance as the integrity and validity of election results are weighed. DDoS attacks on election night also threaten the availability of information: imagine the AP suffering an outage due to a DDoS attack while results are coming in.

The Risk of Volumetric Attack

The sudden emergence of memcached as an amplification vector earlier this year brings the possibility of a massive DDoS attack into focus for election officials. While 2018 has ushered in an era of terabit-scale DDoS attacks, with the largest clocking in at 1.7 Tbps, we have also seen evidence that it will be a year of application-layer attacks.

Unlike volumetric attacks, which overwhelm networks quickly by consuming bandwidth, application-layer attacks are more subtle and much harder to detect and block. An application-layer attack, sometimes called a Layer 7 attack, targets the top layer of the OSI model, which supports application and end-user processes. Attackers pose as legitimate application users and aim repeated, well-formed requests at specific resources and services, gradually increasing the volume until the resource can no longer respond. Often described as the most dangerous kind of DDoS attack and frequently fueled by botnets such as Mirai and its many successors, application-layer attacks inflict significant damage with far less traffic than a typical volumetric attack, which is why they are hard to detect and mitigate proactively with traditional ISP or cloud-based monitoring. They have a singular goal: take out a website, application or online service. While service providers can detect and block volumetric attacks and the larger application-layer attacks, smaller application attacks slip past detection in a large ISP backbone while still being big enough to cripple an enterprise network or data center.

DNS servers, which translate domain names into the IP addresses that traffic is sent to, are the most common targets; HTTP and HTTPS services are also frequently targeted, rendering them unavailable to legitimate requests. Many business-critical applications are built on HTTP or HTTPS, so they are exposed to this form of attack even though they may not look like traditional public web applications.
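To make the difference between volumetric and application-layer detection concrete, here is an added Python example, not code from the original article or from NETSCOUT, that runs two simple application-layer checks over constructed access-log lines: a per-client sliding-window request rate, which catches a single source hammering one page with well-formed requests, and a throughput check that catches slow-read clients dribbling a large download to tie up server resources. The log format, the trailing request-duration field, the IP addresses and the thresholds are all assumptions made for illustration; real thresholds have to be tuned per application.

```python
"""Two application-layer DDoS checks over web-server access logs.

Added example on constructed data. Log lines are combined-log style with one
trailing field, the request duration in seconds (as NGINX's $request_time
would give); that field, the addresses and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<secs>[\d.]+)$')

WINDOW = timedelta(seconds=10)  # sliding window for the per-client rate check
RATE_LIMIT = 30                 # requests per WINDOW from one client before it is flagged
SLOW_MIN_SECS = 30.0            # responses that take at least this long ...
SLOW_MAX_BPS = 1024.0           # ... at less than this throughput look like slow-read clients


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["secs"] = float(rec["secs"])
    return rec


def detect(lines):
    """Return clients exceeding the request rate ('flood') and clients whose long,
    low-throughput responses suggest a slow-read attack ('slow').
    Assumes each client's lines appear in chronological order."""
    flood, slow = set(), set()
    recent = defaultdict(deque)  # client ip -> request timestamps inside WINDOW
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            flood.add(rec["ip"])
        if rec["secs"] >= SLOW_MIN_SECS and rec["bytes"] / rec["secs"] < SLOW_MAX_BPS:
            slow.add(rec["ip"])
    return {"flood": sorted(flood), "slow": sorted(slow)}


def sample_log():
    """Constructed election-night log: normal visitors, one large but healthy
    download, one slow-read client, and one source hammering the results page."""
    tz = timezone(timedelta(hours=-6))
    t0 = datetime(2018, 11, 6, 20, 0, 0, tzinfo=tz)

    def entry(ip, offset, path, status, nbytes, secs):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {nbytes} {secs:.3f}'

    lines = [entry("203.0.113.7", i * 12, "/results", 200, 5120, 0.012) for i in range(5)]
    lines.append(entry("203.0.113.8", 3, "/reports/county.pdf", 200, 52428800, 40.0))   # 1.3 MB/s, fine
    lines.append(entry("192.0.2.44", 4, "/reports/county.pdf", 200, 8192, 120.5))       # 68 B/s over 2 min
    lines += [entry("198.51.100.9", 10 + i * 0.2, "/results", 200, 5120, 0.4) for i in range(40)]
    return lines
```

Both checks are deliberately cheap enough to run continuously on the server’s own logs, which is where a small application-layer attack is visible long before it registers on an upstream provider’s bandwidth graphs. A request that is large but fast (the healthy download above) passes the slow-read check because the test is on throughput, not on bytes or duration alone.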

Best Practice DDoS Defense

To effectively detect and mitigate this type of attack in real time, what’s needed is an inline, always-on solution deployed on-premise as part of a best-practice, hybrid DDoS defense strategy combining cloud-based and on-premise mitigation. An intelligent on-premise system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, and early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defenses through cloud signaling. Deploying any widely available on-premise component of a hybrid DDoS defense solution, including those from NETSCOUT, can mitigate the vast majority of application-layer attacks before they can do damage. For organizations facing budget and resource constraints, managed DDoS service options provide them with a means to save money, amplify in-house resources and reduce risk. Outsourced or in-house, a hybrid DDoS defense ensures detection and mitigation across the full spectrum of DDoS risks while protecting availability.

About the author: Hardik Modi is Senior Director, Threat Intelligence at NETSCOUT|Arbor. He is responsible for the Threat Research and Collections teams, ASERT and ATLAS, respectively. In this role, he drives the creation of security content for NETSCOUT’s products, enabling best-in-class protection for users, as well as the continuous delivery and publication of impactful research across the DDoS and intrusion landscapes.

Buy, Rent, or Uber Your Security Operations Center
Mon, 05 Nov 2018 04:08:00 -0600

We all know that data breaches cost a lot: an average of $3.6M per organization.

For cyber criminals, everyone’s a target—and perfect prevention isn’t practical. We must assume that, at some point, every organization’s IT infrastructure will be breached. That’s why we need to continuously monitor, investigate and respond to cyber threats 24/365 if we are to avoid costly breaches and the potential impact to reputation, revenue and customer confidence.

What better way to provide continuous monitoring and analysis than through a security operations center (SOC)? With the people, processes and platform to continuously look across the entire organization’s networks, servers, endpoints, applications and databases, a SOC applies expert knowledge to detect and dig into potential threats. One of the key benefits of a SOC is preventing the devastating impact of a breach by reducing the dwell time (the time between when an attacker compromises a network—minutes—and when the organization discovers the threat—typically months!)

Cost and complexity are roadblocks

Any way you look at it, a SOC is complex and expensive. It requires a lot of specialized hardware and software to generate events and alerts, which must be examined by highly skilled security analysts who can determine which ones represent real threats.

The platform is costly.

You need a well-tuned SIEM (security information and event management) to provide the visibility foundation, along with firewalls, IPS/IDS, vulnerability assessment tools, endpoint monitoring solutions and more. All of this must be fed by threat intelligence that is specific to your organization’s goals and risk tolerance, and the results need to be augmented by machine learning and fine-tuned by human experts.

Processes are costly as well.

Detailed organization-specific playbooks need to be written, spelling out what should happen when ransomware, malware infections, distributed denial of service attacks or other threats are seen. They specify how to investigate, what evidence to gather and when and how to escalate.

Perhaps the most expensive component is people.

It’s difficult enough to hire a team of highly skilled security analysts with the bandwidth and expertise to perform continuous monitoring, while we are experiencing a worldwide shortage. It’s even harder to retain them in the face of stiff competition for scarce talent.

The Complete SOC: Platform. People. Process.


Finding the best route

Reaching the goal of continuous coverage is not a simple make/buy decision; it is more of a buy/rent/co-manage decision: should you build your own SOC, outsource your SIEM (or SOC) platform, or use a co-managed SOC solution?

1. Building your own SOC is akin to buying a car to get from Point A to Point B.

You incur all the platform, process and people costs – but you are in total control over where you are going and how to get there (i.e. what your organization sees as risks, threats, and responses). Of course, the cost and complexity could be prohibitive.

2. Outsourcing your SIEM or SOC platform is like renting a car.

You don’t have to make the capital outlay for hardware, but you still need to carry out all the processes, and you must hire, train and retain your own SOC team. It’s less expensive than building your own SOC, but still quite pricey.

3. Leveraging a co-managed SOC solution is like using Uber to get to your destination.

You augment your own internal team with seasoned security experts with mature processes driving a powerful SIEM platform, yet you remain in control of the ultimate destination. A co-managed SOC ensures that the collective team is operating in concert to reach your organization-specific goals.

Uber your way to a SOC

The goal is to get from Point A (your organization’s current security and compliance posture) to Point B (stronger security posture, compliance confidence and incident readiness). Clearly, the most cost-effective way to reach that goal is via a co-managed SOC – the Uber approach. You get the best of both worlds: the best people, processes and platform, at the lowest cost. Not only do you avoid the people and process costs, you retain control over the aspects that are specific to your organization: your risk tolerance, your market realities and your definition of what’s most important to you.

About the author: A. N. Ananth is a co-founder and CEO of EventTracker, and was one of the architects of the EventTracker SIEM solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes.

What You Need to Know about the Recent Apache Struts Vulnerability
Mon, 05 Nov 2018 03:55:09 -0600

Researchers recently disclosed a vulnerability in Apache Struts, a widely used Java web application framework. Active exploitation attempts were not far behind.

The Equifax breach of 2017 exploited an earlier Apache Struts vulnerability, CVE-2017-5638. Equifax was aware of the vulnerability but took time to patch it, and in that gap the company was breached and the data of millions of people was stolen.

To avoid a similar fate, businesses and their IT service providers need to understand the recently disclosed CVE-2018-11776 (Struts advisory S2-057) and how to guard against it. It is an OGNL expression injection in the Apache Struts framework: on a vulnerable version with a specific vulnerable configuration, an attacker can achieve remote code execution and take over the web application. The fix shipped in Struts 2.3.35 and 2.5.17.

The specific vulnerability is exploitable when:

  • An action is configured to use no namespace or a wildcard namespace
  • The “struts.mapper.alwaysSelectFullNamespace” setting is “true” (note that the Struts Convention plugin turns this setting on by default, so an application can be exposed without struts.xml ever mentioning it)

Struts uses OGNL (Object-Graph Navigation Language), an expression language, for data transfer and type conversion. When an action or result has no namespace of its own and alwaysSelectFullNamespace is on, Struts takes the namespace from the request URL without validating it and, when building the result (a redirect, for example), evaluates it as an OGNL expression. An attacker therefore only has to place an OGNL expression in the path segment ahead of the action name to have it evaluated on the server.

An attacker can use this vulnerability to execute arbitrary commands on the compromised server with the privileges of the application server process. They could steal live payment information, install cryptominers or other software, hold the server to ransom, use it as a foothold for attacks on the rest of the network, or simply delete all the data on it.
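Two checks that follow directly from the conditions above, as an added Python example written for this page (not code from the original article, from Barracuda, or from the Struts project): an audit of a struts.xml for the S2-057 preconditions, shown against a constructed vulnerable configuration and a constructed hardened one, and a scan of constructed access-log lines for OGNL expression openers in the namespace part of the request path. The file contents, log lines and addresses are all made up; the `convention_plugin` flag is there because that plugin enables alwaysSelectFullNamespace on its own, and the audit assumes the constant is not overridden elsewhere (for instance in struts.properties).

```python
"""Audit a Struts 2 configuration for the CVE-2018-11776 (S2-057) preconditions
and scan access logs for OGNL probes injected into the URL namespace.
Added example; every input below is a constructed sample."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def audit_struts_config(xml_text, convention_plugin=False):
    """Return findings for packages whose actions are reachable under an
    attacker-chosen namespace while alwaysSelectFullNamespace is in effect.

    convention_plugin: True if the Convention plugin is on the classpath; it turns
    the constant on unless struts.xml sets it explicitly. Assumption: the last
    <constant> in struts.xml wins and nothing else (struts.properties) overrides it."""
    root = ET.fromstring(xml_text)
    explicit = [(c.get("value") or "").strip().lower()
                for c in root.iter("constant") if c.get("name") == FULL_NS_CONSTANT]
    full_ns = explicit[-1] == "true" if explicit else convention_plugin
    findings = []
    if not full_ns:
        return findings
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        actions = [a.get("name") for a in pkg.iter("action")]
        if not actions:
            continue
        if not ns:
            why = "no namespace"
        elif "*" in ns:
            why = f"wildcard namespace {ns!r}"
        else:
            continue  # explicit, literal namespace: the request cannot supply one
        findings.append(f"package {pkg.get('name')!r}: {why}; actions {actions}")
    return findings


REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<path>\S+)')
OGNL_OPENER = re.compile(r"[$%]\{")  # OGNL is introduced by ${ ... } or %{ ... }


def find_ognl_probes(log_lines):
    """Return (client, decoded path) for requests whose namespace part (every path
    segment before the action name) contains an OGNL opener. The query string is
    ignored on purpose: S2-057 needs the expression in the namespace."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m is None:
            continue
        path = unquote(m.group("path").split("?", 1)[0])
        namespace = path.rsplit("/", 1)[0]
        if OGNL_OPENER.search(namespace):
            hits.append((m.group("ip"), path))
    return hits


# Constructed: the setting is on and both packages let the request choose the namespace
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="redirectAction">home</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result>/WEB-INF/login.jsp</result>
    </action>
  </package>
</struts>"""

# Constructed: setting off, literal namespace, and the redirect names its namespace
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed access-log lines: one normal request, two scanner-style arithmetic
# probes in the namespace segment, and one opener that is only in the query string
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [05/Nov/2018:03:55:10 -0600] "GET /app/index.action HTTP/1.1" 200 1834',
    '198.51.100.23 - - [05/Nov/2018:03:55:11 -0600] "GET /%24%7B%28111%2A111%29%7D/index.action HTTP/1.1" 302 0',
    '198.51.100.23 - - [05/Nov/2018:03:55:12 -0600] "GET /%25%7B1%2B1%7D/login.action HTTP/1.1" 302 0',
    '203.0.113.9 - - [05/Nov/2018:03:55:13 -0600] "GET /app/search.action?q=%24%7Bfoo%7D HTTP/1.1" 200 512',
]
```

The configuration audit is a triage aid, not a substitute for upgrading: a namespaced package still runs the vulnerable code, it just denies the request a way to supply the namespace. The log scan decodes the path once before looking for `${` or `%{`, which is enough for the ordinary single-encoded probes above; a WAF in front of an unpatched server should apply the same decode-then-inspect order.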

Sharp Increase in Exploitation Attempts

Web application attacks are extremely common today — and they are increasingly weaponized using automated bots. Our honeypots detected a surge in exploitation attempts of the older Apache vulnerability immediately after the current vulnerability was announced. Since then, we’ve seen the level of activity remain high.

News has come out that the Mirai botnet has been repurposed to perform these exploitation attempts at a massive scale using infected IoT devices. It has been found that some versions of Mirai are attempting to exploit multiple different vulnerabilities to gain access to and control web servers.

When it comes to web application attacks, much more than the web application is at risk. Attackers can use the application as a staging area to gain further access to the network and reach other critical resources. This means that every web application, no matter how small, should be patched and kept up to date. Patching can take time, however: between testing the patch to ensure that it does not break core functionality, finding sysadmin resources, and getting approval for any required downtime, an application can remain unpatched for weeks or months. A well-configured web application firewall reduces exposure during that window by blocking known attack patterns and, with behavioural rules, some not-yet-catalogued ones. This buys you time while you get ready to fix the vulnerability on your web servers.

How a WAF Can Protect Against Other Attacks

A WAF should provide complete application protection, including against attacks most people don’t consider — like application distributed denial of service (DDoS), brute force attacks, and web scraping.

Application DDoS attacks are the subtle siblings of volumetric DDoS attacks. They fly under the radar by performing low-and-slow attacks against a web server, tying up its resources and bringing down an application. A typical example is multiple concurrent downloads of a large file, each read very slowly. A WAF can detect and block many kinds of application DDoS attack.

Other common automated attacks are brute-force attacks, where attackers try to brute-force logins to applications, and web scraping. Web scraping is a large problem today: bots masquerading as valid users attempt to steal content and competitive information from web applications for profit. A good WAF should have a capable bot-mitigation engine to detect and block such bots.

Multiple Layers of Protection for the Win

Organizations need to implement a multi-layered approach to ensure complete defense of their network. Defense in depth requires these layers to work in unison to defeat the various attacks against a network. This includes Advanced DDoS Protection to block volumetric attacks, cloud-generation firewalls to secure your network perimeter, and a WAF that combines web and API security along with secure application delivery in a single platform. All these layers work together to protect your applications and provide you with valuable air cover against today’s evolving threat landscape.

About the author: Tushar Richabadas is product manager for the Barracuda CloudGen WAF product line. His specific areas of focus are application security in the cloud, automation, and bot mitigation.

Crypto-Mining Malware Attacks on iPhones Up 400%: Report
Tue, 16 Oct 2018 06:47:45 -0500

Crypto-mining malware attacks against iPhones rose 400% in the last two weeks of September, security firm Check Point notes in a new report.

Crypto-mining attacks have intensified over the past couple of years, fueled by a massive surge in the price of crypto-currencies. Threats range from botnets to fileless malware and malicious programs that abuse NSA-linked exploits for propagation. Industrial systems are frequently hit as well.

Mobile users are being targeted as well, either with Trojans that can steal crypto-currencies or with various types of miners.

While most of these attacks target Android, iPhone users weren’t spared either, as Check Point reveals. Amid a four-fold increase in crypto-mining malware assaults on iPhones, attacks on Safari users also intensified, the security firm reveals.

The attacks used the Coinhive mining malware, which emerged as the leading threat in December 2017 and has remained the top malware ever since. At the moment, Coinhive impacts 19% of organizations worldwide.

“Crypto-mining continues to be the dominant threat facing organizations across the world. The attacks on Apple devices are not using any new functionalities. The reason behind the increase is not yet known, but serves to remind us that mobile devices are an often-overlooked element of an organization’s attack surface,” Check Point says.

While the Coinhive mining code was at the top of the most active malware list, it wasn’t the only crypto-currency related malware there. Cryptoloot (Coinhive competitor), with Jsecoin (JavaScript miner), and XMRig (open-source CPU mining software) are also present on the list, on the third, fifth and eighth position, respectively.

Other malware families present on the list are Dorkbot, a worm that supports remote code execution, the Andromeda bot, Roughted malvertising campaign, Ramnit banking Trojan, Conficker worm, and the Emotet Trojan.

The top three most exploited vulnerabilities in September were in Microsoft IIS WebDAV, OpenSSL, and phpMyAdmin.

“CVE-2017-7269 is the most popular exploited vulnerability for the 7th consecutive [month] with global impact of 48% of organizations. In second place [is] CVE-2016-6309 with a global impact of 43%, closely followed by Web servers PHPMyAdmin Misconfiguration Code Injection impacting 42% of organizations,” Check Point notes.

Most SMBs Fold after Cyber Attacks: Here’s How to Protect Yours
Fri, 12 Oct 2018 05:53:00 -0500

Many small-to-medium businesses (SMBs) think they’re flying under the radar of cyber-attackers. In reality, attackers specifically target smaller businesses because of their lack of security expertise and fragile infrastructure, and because they often provide an easy entry point into the larger companies they work with. More alarming still, more than 60 percent of SMBs go out of business within six months of a devastating attack such as ransomware or distributed denial of service (DDoS).

In this digital era, where cyber-attacks happen around the clock all over the world, SMBs are often the hardest hit, even though their breaches rarely make headline news. According to a report by Verizon, 61 percent of data breach victims were small businesses. And as Hiscox’s Cyber Preparedness Report 2017 notes, small businesses lose an average of $41,000 per cybersecurity incident.

The challenge is that SMBs typically have a shoestring IT and security budget and very limited expertise with cutting-edge tools. A local mom-and-pop store, for instance, typically has a firewall and anti-virus and nothing more. So DDoS attacks, point-of-sale malware and phishing scams can very easily lead to a large payout for attackers. Moreover, it is not always easy for business owners to understand what to protect, and how, against constantly evolving cyber threats.

How MSSPs can help SMBs affordably protect themselves

Small businesses today tend to focus on doing the basics to protect endpoints and servers, which includes staying current on anti-virus updates and security patches for systems and applications. In these organizations, there may be just one person working part-time handling IT. Security is secondary and perhaps an afterthought.

Security breaches can be devastating to a small business that has significant resource constraints. The goal, therefore, is to deliver more data protection at less cost, based on thoughtful risk assessments and business-specific needs. A smart, affordable way for SMBs to protect themselves is by aligning with Managed Security Service Providers (MSSPs), who offer key services such as:

  • Outsourced, advanced-level 24x7 monitoring of security events and management. This is a cost-effective alternative to having dedicated in-house staff managing security events.
  • Deep threat intelligence covering a wide security landscape, such as device management, breach monitoring, data loss prevention, insider threat detection, phishing attacks, web exploits, and more.
  • Incident response to contain and eliminate cyber threats in near real-time and keep your business running.
  • Flexibility of deployment. The MSSP’s services should be available over the internet, via on-premise systems that are managed remotely, or through a hybrid model. SMBs may choose to implement some security capabilities in-house alongside other services from their trusted MSSP.
  • Consulting on industry-specific requirements and know-how pertaining to your business. This helps the MSSP implement best-practice processes and the right technologies for you.

MSSPs are an increasingly popular choice for SMBs that need a simple, cost-effective solution for cyber threat protection that leverages the latest innovations and provides 24x7 access to security experts. According to Market Research Engine, global managed security services market revenues could surpass $45 billion by 2022, expanding at a compound annual growth rate (CAGR) of 14.5 percent between 2016 and 2022.

MSSPs are a great resource for either supplementing your existing security team or starting your security practice. However, not all managed security services are created equal. Each provider has different strengths and levels of support for incident management and response, and for engagement with your business.

How to choose the best MSSP for your business

Many SMBs have a tendency to pick a security bundle from the managed service provider (MSP) who manages their systems, backups, software upgrades, and routine operations. However, this may not suffice. Not all MSPs have the right cybersecurity service offerings and businesses can’t afford to gamble on using providers that may end up delivering inadequate coverage and cause them to incur excess costs.

Five criteria to look for when choosing an MSSP:

  1. Employs state of the art tools, technologies, well-documented processes and workflows, and clearly articulates the level of interaction they’ll have with your business.
  2. Provides complete visibility of your sensitive data and transparency into the data movements within their environment.
  3. Understands specific issues and requirements pertaining to your industry. Different industries, such as finance, healthcare, and retail, have their own security concerns and benefit from an MSSP that has extensive experience in their area.
  4. Demonstrates compliance with your business’ and partners’ requirements.
  5. Helps you stay ahead of advanced threats by bringing collective knowledge from other customers and sources, such as threat intelligence, government alerts, etc., to educate your team on the latest security issues. This is critical as many data breaches result from employees opening phishing emails, and lost or stolen credentials.

Empirical data shows SMBs have high security-related risks that can be extremely detrimental, compared to larger organizations. Given resource constraints and skills limitations, it is best to align yourselves with MSSPs that can provide superior 24x7 protection and support at affordable prices, freeing you to safely focus on your core competency.

About the author: Arun Gandhi has more than 17 years of experience with startups and global brands in the service provider and enterprise segments. He is currently Director of Product Management and Marketing at Seceon, responsible for driving strategic go-to-market initiatives, positioning, customer use cases, and executive engagements with customers & partners.

How Can Businesses Protect against Phishing Attacks on Employee Smartphones?
Thu, 11 Oct 2018 07:41:00 -0500

Smartphones have become synonymous with everyday business operations, enabling employees to store important contact details, browse the web and reply to emails while on the move. However, the ubiquity of such devices has led scammers to increasingly target them with a variety of phishing attacks – all designed to convince individuals to part with sensitive personal and corporate information.

With banking details, phone numbers and email addresses all commonly stored on them, a successful attack on an employee’s smartphone could have devastating consequences, both for that individual and for your organisation. This threat is even more daunting considering that the click rate for suspicious URLs on mobile has increased 85% year-over-year since 2011.

With this in mind, it is vital that business leaders educate themselves on the types of attacks that today’s scammers are using, and advise employees on how best to protect themselves.

A new school of phish

Almost everyone has seen a dubious email hit their inbox at one time or another, seemingly from a legitimate source such as PayPal or Apple. At a cursory glance, these emails can look like the real thing, but tell-tale signs like frequent spelling errors and obviously false email addresses can help users identify a disguised phishing attack. 

Unfortunately, these signs can be far less obvious on a mobile device, where mail clients often hide full email headers and the true destination of links. As such, it’s worth encouraging employees to expand and double-check the sender’s details, take note of impersonal greetings, and avoid tapping on any suspicious links.

But some more sophisticated scams can be even less obvious and, again, can be extremely damaging when targeting a mobile device. For example, spear-phishing attacks occur when a scammer creates an email that perfectly imitates genuine correspondence, often from senior members of staff within the same organisation. 

In these cases, the scammer researches company websites and social media channels to build a detailed profile of an employee, then usually targets junior members of teams, requesting confidential information or encouraging them to click links that download malware. This is particularly damaging on Android phones, where apps can more readily be installed from outside the official store than on iPhones. Always advise staff to check with your IT department or managed service provider before acting on correspondence like this.

However, it’s not just email that modern attackers are using. Social media has become the go-to platform for phishers who want to extract company information from unsuspecting staff. For an attacker, social media is a great place to start building a picture of exactly who you are in preparation for a phishing attack, and some have resorted to sending suspicious links via messenger platforms. Reviewing the privacy settings on such sites (and ensuring they are consistent across mobile, apps and desktop) is a worthwhile exercise.

Mobile apps that facilitate remote working, such as Google Docs and Dropbox, have also been impersonated in phishing scams. In May 2017 a large-scale attack affecting around a million Gmail users sent an “open in Docs” invitation that led to a genuine Google sign-in page and asked the victim to grant a third-party app, misleadingly named “Google Docs”, access to their mail and contacts; no password was stolen, the victim simply authorised the attacker’s app. Two-factor authentication adds a valuable layer against password phishing, but it does not stop a consent-based attack like this one, so organisations should also review and restrict which third-party apps are allowed access to corporate accounts.

Preventing mobile phishing

Education is extremely important when considering ways to combat phishing attempts, as learning to spot the warning signs can prevent your own or your company’s data from falling into the wrong hands, and this is all the more pressing on mobile devices.

A strong enterprise mobility management strategy can help organisations to manage their apps and social media accounts that have access to your data, and secure personal information on employees’ smartphones. They should complement this by ensuring that their file transfer procedures are completely secure. 

Mobile devices are only going to become a more central component of our working lives in the future, so ensuring that the safeguards are in place to protect your vital information now will go a long way to preventing potential phishing scams in the future.

About the author: Matt joined Intercity Technology in 2015 from Imerja Limited, as one of the company’s founders. He worked there for 12 years as technical director and previously operations & services director. With over 25 years’ business and technical experience in providing IT solutions, Matt’s expertise covers the design, implementation, support and management of complex communications networks.

Lessons from Cyber Essentials – Going Back to the Basics
Thu, 11 Oct 2018 07:32:00 -0500

Whether it’s phishing attacks or zero-day exploits, businesses are facing an increasing number of cyber threats every day. And when these attacks are successful, businesses can face both reputational and monetary consequences. In fact, a 2018 report from Ponemon found that businesses have to fork out an average of $3.9 million when hit by a data breach. However, there are some simple steps that organisations can follow to achieve cyber resilience, and understanding the UK Government’s Cyber Essentials scheme is a great start.

Launched in 2014, the scheme sets out five simple and effective cyber security measures that businesses of all sizes can implement to reinforce their defences against malicious attacks. Four years on, these measures are just as relevant as ever.

Configure and monitor firewalls to secure your internet connections

Any device that protects the network edge of your organisation, such as a router or firewall, needs to be configured and kept up to date. As key points of access to the wider network, these can be easy targets for hackers if their settings are not adjusted from their factory defaults. Having a trained member of IT staff that can approve and document inbound traffic allowed by network rules, and remove any that are no longer needed, is a simple way to better secure your internet connections. 

Ensure security for your devices and prevent automatic software installation

Most Windows-based devices and operating systems will have a minimum level of basic security measures built in as standard. However, as these default settings are altered or third-party software is installed, the risk of these devices being targeted by hackers increases as the potential attack surface broadens. Again, this can be prevented by implementing simple best practices across an organisation. 

This includes the disabling of guest accounts, removal of unnecessary admin rights, and ensuring that all accounts are secured by robust passwords. It’s also important to disable the Autoplay function on Windows Operating Systems to ensure that software on removable media isn’t authorised to be installed automatically. 

Adobe Flash, Acrobat Reader and Java are some of the most prolific third-party software packages that pose a threat to Windows devices. Wherever possible, Java should be removed and it’s essential that Adobe applications are updated with the latest releases. One way to minimise the risk that third-party applications pose is to implement application control to prevent users from installing potentially damaging third-party software. 

Finally, many Windows PCs connect to public WiFis or untrusted networks, outside of the protection of a corporate system. As such, an endpoint firewall should be enabled on each device, adhering to the same rules as those applied to network-edge security devices. 

Control who has access to data and services 

Of the five goals set out by Cyber Essentials, ensuring that administrative accounts are not used on devices with internet access can be the hardest to achieve. This is because admin rights are often required to perform certain tasks when running legacy applications. 

Businesses can circumvent this difficulty by using a third-party privilege solution which can remove administrative privileges without affecting a user’s experience. This can help ensure that logged-in users retain standard user privileges while affording necessary additional rights to applications and processes. 

The Cyber Essentials scheme also advises creating a uniquely named account for each user, limiting administrative accounts to a small number of trusted employees, and forbidding the sharing of administrative logins. New user accounts should also be approved and documented with a business case.

Following these guidelines can provide your organisation with the high levels of security needed to protect your most valuable data and applications, and help meet the requirements of the Cyber Essentials scheme.

Guarding against malware

To protect against malware strikes, it’s important to have several layers of security in place – the most important measure being whitelisting. This is simply a method of preventing users from installing and running applications that may be compromised with malware. 

To implement whitelisting, an administrator is first required to create a list of applications trusted to run and operate on a corporate device. Any application that tries to run that is not approved will instantly be prevented from doing so. 

This is a particularly strong prevention technique as it can still work even if the malware avoids detection. Application whitelisting is relatively easy and quick for any organisation to implement and maintain – all the while ensuring that they are protected.

However, it is important to remember that application whitelisting, along with firewalls, can be rendered ineffective if antivirus software is misconfigured. Therefore, it’s essential that any device connected to a wider corporate network is reinforced through malware protection software.

Keep your software patched

It may seem simple, but it’s worth remembering that updating devices whenever a manufacturer or developer releases a new patch or update will go a long way towards safeguarding your business and its important data. To make this easier, operating systems, programmes, devices and apps should be set to update automatically. Again, Cyber Essentials provides clear guidance on this, requiring that operating systems and third-party software are updated within thirty days of a patch being released. In the case of security patches, these must be installed within a fortnight of their release.
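As an added illustration (not from the article or the Cyber Essentials scheme itself), the check below applies the two timescales just quoted, fourteen days for security patches and thirty days for everything else, to a constructed patch inventory and reports which hosts are currently outside the window. Host names, patch names and dates are all made up.

```python
# Added example, not from the article: checks a constructed patch inventory
# against the Cyber Essentials timescales quoted above (security patches within
# 14 days of release, other updates within 30 days).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SECURITY_WINDOW = timedelta(days=14)  # "within a fortnight"
GENERAL_WINDOW = timedelta(days=30)   # "within thirty days"


@dataclass
class Patch:
    host: str
    name: str
    released: date
    security: bool
    installed: Optional[date] = None  # None means not yet installed


def deadline(p: Patch) -> date:
    """Last day on which installing the patch still meets the scheme."""
    return p.released + (SECURITY_WINDOW if p.security else GENERAL_WINDOW)


def status(p: Patch, today: date) -> str:
    """'ok': installed within the window; 'late': installed after the deadline;
    'overdue': missing and past the deadline; 'due': missing but still inside it."""
    d = deadline(p)
    if p.installed is not None:
        return "ok" if p.installed <= d else "late"
    return "overdue" if today > d else "due"


def report(patches: List[Patch], today: date) -> Dict[str, dict]:
    """Per-host counts of each status. A host is compliant today when nothing is
    overdue; 'late' installs stay visible because they show the process slipped."""
    out: Dict[str, dict] = {}
    for p in patches:
        row = out.setdefault(p.host, {"ok": 0, "late": 0, "overdue": 0, "due": 0})
        row[status(p, today)] += 1
    for row in out.values():
        row["compliant"] = row["overdue"] == 0
    return out


def noncompliant_hosts(patches: List[Patch], today: date) -> List[str]:
    """Hosts with at least one patch past its deadline, sorted by name."""
    return sorted(h for h, row in report(patches, today).items() if not row["compliant"])


# Constructed sample inventory (host names, patch names and dates are made up).
TODAY = date(2018, 10, 11)
INVENTORY = [
    Patch("ws-01", "security-update-A", date(2018, 9, 20), True, date(2018, 9, 28)),
    Patch("ws-01", "app-B-2.3", date(2018, 9, 1), False, date(2018, 10, 5)),
    Patch("srv-02", "security-update-C", date(2018, 9, 25), True),
    Patch("srv-02", "driver-D", date(2018, 9, 30), False),
    Patch("srv-03", "security-update-E", date(2018, 10, 5), True),
]

if __name__ == "__main__":
    for host, row in report(INVENTORY, TODAY).items():
        print(host, row)
    print("non-compliant:", noncompliant_hosts(INVENTORY, TODAY))
```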

The Cyber Essentials scheme provides some of the easiest ways to achieve cyber resilience. IT leaders across all organisations should be working to weave these steps into the fabric of their businesses, to ensure that their company can evolve and face an ever-growing pool of threats with confidence.

About the author: Andrew has been a fundamental part of the Avecto story since its inception in 2008. As COO, Andrew is responsible for Avecto's end-to-end customer journey, leading the global consultancy divisions of pre-sales, post sales and training, as well as customer success, support and IT.

Security Gets Messy: Emerging Challenges from Biometrics, New Regulations, Insiders
Thu, 11 Oct 2018 06:32:29 -0500

Over the coming years, the very foundations of today’s digital world will shake – violently. Innovative and determined attackers, along with seismic changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments. Only those with robust preparations will stand tall.

Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organizations that have a good record of securing information will be at risk of complacency, judging that the way they have always done things will continue to work in the future – a dangerous attitude to take.

Biometrics Offer a False Sense of Security

Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and promising added security for corporate information. But organizations will sleepwalk towards a degradation of access controls as this sense of security turns out to be false: biometrics will frequently be compromised by attackers who learn to find increasingly sophisticated ways to overcome them.

Demands for convenience and usability will drive organizations to move to using biometric authentication methods as the default for all forms of computing and communication devices, replacing today’s multi-factor approach. However, any misplaced trust in the efficacy of one or more biometrics will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

The problem will be compounded by the wide and confusing array of proprietary technologies produced by different vendors. As there are no common global security standards for biometrics, it is inevitable that some technologies will be vastly inferior to others. The question then becomes: which are secure today? And will that continue to hold true tomorrow… and the day after?

Existing security policies will fall well short of addressing the issues as new devices infiltrate organizations, from the boardroom down. Failure to plan and prepare for this major change will leave some organizations sleepwalking into a situation where critical or sensitive information is protected by a single biometric factor which proves vulnerable.

New Regulations Increase the Risk and Compliance Burden

Organizations will wrestle with an incredibly burdensome risk environment, with complex, conflicting and confusing regulatory demands overwhelming existing compliance mechanisms. Demands for transparency will lead to information being stored in multiple locations and with third parties, increasing the likelihood of a data breach occurring. At the same time, new data privacy regulations will greatly increase the financial impact of a breach by levying materially significant fines.

By 2020, we expect the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever swelling ‘attack surface’ which must be protected fully while attackers continually scan, probe and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information – including customer details and business plans – that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties who will transmit, process and store it in multiple locations. Most organizations will see penalties for non-compliance reach material levels.

Balancing potentially conflicting demands, while coping with the sheer volume of regulatory obligations, may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Points

Increasing pressure on trusted professionals will lead some to divulge their organization’s weak points.  Those entrusted with protecting information will be targeted or tempted to abuse their position of trust. Financial temptation, coercion and simple trickery will combine with reduced employee loyalty – taking the insider threat to a new dimension.

The relentless hunt for profits and never-ending change in the workforce will create a constant atmosphere of uncertainty and insecurity that has the effect of reducing loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from ‘cashing-in’ corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognize that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now – or in the future – face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, it is not only the organizational crown jewels that are under threat. The establishment of bug bounty and ethical disclosure programs, together with demand from cybercriminals and hackers, puts a very high value on the most secret of secrets – the penetration test results and vulnerability reports that comprise the ‘keys to the kingdom’. Organizations reliant on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find those mechanisms inadequate.

Preparation Must Begin Now

Information security professionals are facing increasingly complex threats: some new, others familiar but evolving. Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The threats listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Could a Credit-Like Security Score Save the Cyber Insurance Industry?
Thu, 11 Oct 2018 06:14:00 -0500

In the evolving world of cybersecurity, enterprises need access to cyber insurance that accurately reflects their current security posture and that covers both direct and indirect expenses. The same challenge, of course, applies to the insurers issuing the policies. Unfortunately, the evolving threat landscape and rising incidents of attacks has created difficulty in matching packages with premiums, and as one chief information security officer has stated, the current state of risk modeling is like “trying to use the count of arrests for a crime to figure out the dollar losses from theft.”

Cyber insurance is an industry that could grow to nearly $17B in just five years. However, coverage today is still at less than 50 percent and varies widely by industry. And the state of coverage is even lower across the mid-market, a sector that is subject to 62 percent of all cyberattacks but does not always have the budget or expertise to deploy market-leading solutions. The result? It’s a proverbial accident waiting to happen, as enterprises are increasingly valued on their intangible assets – assets that can be compromised and even destroyed in a matter of minutes. In fact, between 1975 and 2015, the value of these assets, mostly uninsured, climbed from 17 percent to 84 percent.

What’s the Problem?

A major issue affecting insurance agencies is that cyber insurance coverage is not as universal as one would expect, especially amongst smaller enterprises. To understand an applicant enterprise’s technology risk, insurers rely on a questionnaire completed by the applicant (not always accurate) and lean heavily on third-party external ratings of the applicant, which give an outside-in view only (excluding cloud security, which is increasingly important) and may or may not be accurate.

Smart enterprises and their security service providers are masking their environments from these external third-party rating firms to generate artificially higher scores. This is done by implementing firewall rules that drop all outbound traffic to the rating firms’ honeypots and also filter inbound scanning from those firms. These underwriting processes do not consider the true internal state of the enterprise and are at best limited point-in-time views. What insurers fail to consider in an ever-changing threat level is that they may lose millions on policies underwritten over time against this constantly changing technology risk paradigm if they continue to rely on outdated approaches.

In the public accounting industry, a financial audit of a firm (which includes technology reviews) never relies only on management’s answers to questions; there is a strong verification process to confirm that the numbers are accurate and the controls are in place. Insurers need to incorporate internal verification processes into their underwriting and ongoing premium coverage process moving forward.

What Next?

To move beyond this current, less-than-optimal state, insurers need to add more automation to their underwriting, streamline the process, better balance premiums against risk, and make available policies that better cover the full range of assets potentially impacted by cyber peril. In addition, insurers need to consider moving from point-in-time assessment to continuous assessment of their potential policy holders, as the risk changes daily based on human factors and the threat landscape. The individuals completing a large questionnaire (100 to 200 questions) are not 100% sure that their answers are correct, nor that the processes are consistently in place or enforced. In addition, the third-party external ratings that insurers use are like driving while looking in the rear-view mirror. All the data shown are past views that reflect how things were done in the past. If the company had poor technology (CIO) and security (CISO) management that has since been replaced, the external ratings do not reflect the expected future operation.

External ratings scoring logic assumes that technology management will not change. In addition, external ratings do not look at cloud security directly today, as they have no visibility into those environments unless there is a public-facing website.

Introducing a Credit-Like Score for Security

One way to develop this is through the use of a ‘CyberPosture’ score, a security equivalent of a credit score: an easy-to-understand score of one’s current hybrid infrastructure security posture.

Insurers now have the opportunity to provide the potential policy holder (customer) with an easy-to-deploy assessment technology (deployment and assessment within hours) that covers on-premises servers, cloud servers and cloud accounts, and containers, gives a detailed understanding of their inside-out security level against benchmarks, and produces a CyberPosture score. It is in insurers’ best interest to implement this solution during the underwriting process and, over time, develop enhanced (more profitable) policies that change premiums and/or reduce coverage as the CyberPosture score changes during the coverage period. The secondary benefit is that the CyberPosture score would be available to the policy holder’s executive management team and board members, giving them an independent view of the organization’s cyber risks. Today, a majority of credit card providers offer continuous free credit score reporting to their members; this follows the same logic.

In conclusion, enterprises and their security service providers have learned how to game the external third-party risk ratings. Those ratings do not account for future enterprise risk, since their models consider neither technology/security leadership changes nor internal security risks (and/or cloud security risks), which in many enterprises represent the larger risks and the potential control failures that generate cyber insurance claims. It is in the best interest of insurers to quickly adopt proactive underwriting and continuous monitoring solutions that provide a true representation of the applicant enterprise, to minimize risk and maximize profit on new policies underwritten moving forward, and the CyberPosture score provides one of those paths forward.

About the author: Joseph (Joe) Kucic is Cavirin’s Chief Security Officer, bringing to Cavirin over 20 years of enterprise and security experience. At Cavirin he is responsible for hybrid cloud infrastructure security strategies with CSOs, CIOs and CISOs and their teams across both enterprises and managed service providers / global system integrators.

Preview: SecurityWeek's 2018 ICS Cyber Security Conference (Oct. 22-25)
Tue, 09 Oct 2018 09:59:36 -0500

Hundreds of professionals from around the world will meet in Atlanta, Ga., on October 22-25, for SecurityWeek's 2018 ICS Cyber Security Conference, the largest and longest-running conference dedicated to industrial and critical infrastructure cybersecurity.

The ICS Cyber Security Conference brings together industrial control systems users and vendors, security solutions providers, and government representatives to discuss critical issues facing operators of industrial networks.

Throughout the four day conference, presentations, training sessions and workshops will help participants improve their knowledge on how to efficiently protect SCADA systems, programmable logic controllers (PLCs), distributed control systems (DCS), engineering workstations, and field devices.

The exchange of technical information, details about actual incidents, insights, and best practices will help representatives of energy, manufacturing, transportation, water, utilities, and other industrial and critical infrastructure organizations address the issues they currently face.

The ICS Cyber Security Conference, set to take place at the InterContinental Buckhead Atlanta, will kick off on Monday, October 22, with a day dedicated to extended workshops and breakout sessions focusing on technology and strategy. The workshops include Red Team/Blue Team training, and a hands-on workshop by Palo Alto Networks and CyberX on defending ICS and SCADA networks.

The other sessions of day one will focus on risk assessments, vulnerability research, enhancing security using the ATT&CK Framework, patching of critical systems, zero trust networking applied in ICS, the risk posed by physical access controls, defense strategies for robotic systems, and securing applications using a local certificate authority.

The second day begins with representatives from Rockwell Automation, Schneider Electric and Siemens discussing the current state of cybersecurity in the ICS Manufacturer's Panel.

Next, Robert M. Lee and Marc Seitz of Dragos will present their research on Xenotime, the group that created the Triton/Trisis ICS malware. Participants will also learn from ARC Advisory Group's Larry O'Brien about the best approach for selecting cybersecurity vendors for operation technology (OT) environments.

On Wednesday, Andrea Carcano of Nozomi Networks will share details of research into the Triton attack, and Dr. Alex Tarter of Thales will discuss how the British Ministry of Defence protects critical infrastructure through a methodology called ‘Cyber Vulnerability Investigations’. On the same day, representatives from Sony's security team will discuss security in manufacturing environments, and Edna Conway, CSO for Cisco's Global Value Chain, will have a fireside chat with Microsoft Cybersecurity Field CTO Diana Kelley on supply chain security.

On the last day of the conference, Colonel Mark Gelhardt, Former CIO for President Clinton, will talk about his time at the White House and the lessons learned. Attendees will also learn about the actual meaning of “anomaly detection” and “machine learning” in the context of ICS threat monitoring, and they will find out how security researchers and automation vendors can work together on reporting and patching vulnerabilities. Another interesting presentation comes from the Department of Homeland Security, whose representatives will talk about Russian cyber activity on US critical infrastructure.

Each day of the conference also features various case studies, technical sessions, and strategy sessions, including on insider threats, side-channel attacks on ICS, preventing attacks on the power grid, cybersecurity programs at nuclear plants, best practices, threat detection, and the threat posed by IT malware.

In addition to amazing content, there will be several receptions and parties to give delegates the chance to network and discuss in a relaxed environment.

Check out the complete agenda for the 2018 ICS Cyber Security Conference
