Rechercher dans les flux d'actualités



Filtrer par auteur :
   |   
Rechercher un terme :


  Alien Vault - Online reputation management: how to control what‘s out there
Your reputation is one of the most powerful assets you can have as a successful businessperson. Having a reputation for honesty and quality can be the key to locking down major clients or building a standing in a fledgling market. Alternatively, having a poor reputation can be detrimental to the point of completely running you out of business. In this day and age, online reputation management is a critical component to building and growing a successful business. People will analyze how a business is described online just as often (if not more than) as they will in more traditional ways, such as word of mouth. Strong business reviews and a solid online reputation can be a substantial driver for business. Taking steps to manage and promote your personal and business reputation is now an important component to success. Especially when it comes to web domains, management of things such as search results and reviews is a game changer. Below are things to look out for and be aware of as you assess your current reputation management efforts for your business: Personal information For individuals working in the business world, the management of personal information online has the power to influence the types of jobs that will be attainable and the number of doors that will open up. This information can take many forms, including personal files, emails, and social media accounts. Basically anything that can help a stranger identify you could be considered personal information. One problem that many young professionals run into is the oversharing of information or the lack of valuable privacy settings. Mismanagement of these things can lead to an excess of (potentially compromising) personal information being available to job interviewers, managers, or potential clients. Just imagine being a sales manager attempting to lock down a new client when a photo of you overly intoxicated and hugging a friend’s toilet emerges on one of your social media profiles. Even bigger problems can arise if this information is either lost or stolen. For instance, malicious users could trash your reputation and personal credibility by becoming an active participant in unsavory blogs or online discussions. Regardless of whether or not you were actually involved, it could take a great deal of time to clean that up. Business management Many of the same issues have the potential to arise for businesses when managing their online reputation. In addition, things such as numerous negative online reviews or awkward search results can have a profound negative impact on a business. Many potential clients are significantly influenced by their initial review and Google searches of your business. If what they find is bad, your business could be in trouble. Because of this, negative items, such as hubbub about a poor manager with many negative reviews that has since been fired, can come back to haunt businesses over the years. To help combat this, many large companies are hiring online reputation management services. These services can help to promote the positive aspects of your business and redirect internet traffic over time to represent a more balanced and realistic view of the company. Working on monitoring things like incidents that impact IP addresses can help online reputation security professionals track and protect a company’s reputation. Potential risks include things such as malware infections, malicious activities, breaches, compromised websites, or botnet creation on host websites. Most of this monitoring can be completed simply by registering an IP address and list of domains to be monitored. As an aside, don’t forget that protecting your customers’ information is inextricably tied to reputation management; a data breach can mean a severe loss of trust and loyalty in consumers. Ensure that you follow and advocate for strong security practices online. Courtesy is key Regardless of whether you are worried about protecting your personal or business reputations, there are a number of tips and tricks to help combat potential issues. Perhaps the single most powerful one is courtesy and professionalism at all times while online. No matter what is said about you or the company, always respond by taking the higher road — never snap back in anger. One tip is to always think twice about what you are willing to post online. One negative or thoughtless post can have lasting impacts. For instance, responding rudely to a potential customer can lead them to spreads the interaction far and wide. Sometimes, having a coworker read your response before sending it can be a good way to help avoid any potential issues that may arise. In addition to being strictly online, the way you or your company conduct yourself in the presence of potential customers can also have an impact in the form of online reviews. When interacting with customers try to avoid phone use as much as possible. If you must be on a device, try to continue to make as much eye contact as possible, take necessary phone calls outside, and refrain from texting.       

Le 2019-04-04


  Alien Vault - Information on open source vulnerabilities is as distributed as the community
Nothing gets the AppSec / InfoSec community abuzz quite like a good old 0-day vulnerability. I mean, what’s not to love here? These vulnerabilities involve the thrill of adversaries knowing something we don’t, giving them a path to sail through our defenses to break into that sweet data inside. They are the James Bond of the security space — suave, sexy, and deadly. However, once we get past the veneer of the 0-day mystique, we are quickly reminded that the far bigger threat to our software comes more from the known vulnerabilities that are floating around in public available for all to see and exploit. Known security vulnerabilities: hidden in plain sight While there are always going to be those exploits kicking around in the darker corners of the hackerverse and require an effective threat intelligence solution, the vast majority of vulnerabilities for both commercial and open source products end up on security advisories like the National Vulnerability Database (NVD), the popular U.S. government-backed database that analyzes reported software vulnerabilities (CVE’s). For years now, we have been seeing a moderate yet steady climb in the number of software vulnerabilities (CVEs) being reported. However, the count for 2017 more than doubled the previous year’s number, spiking from 6,447 to 14,714 CVEs in the books. Hardly a fluke - 2018 recorded 16,555 vulnerabilities. I have theorized on why we are seeing more of these vulnerabilities coming to light, due in part to bug bounties and corporate sponsorship for research into open source security efforts. Frankly, more money being thrown at the problem is helping to play a positive role in making software safer, but it only tells a part of the story. Where do software security vulnerabilities go once they are discovered? While the NVD is generally considered to be the authoritative listing for vulnerabilities and is where many security folk and developers go to search for known vulnerabilities, their details, and their fixes. Not all, but most known vulnerabilities can be found there, and that’s the good news. The bad news is that the information pertaining to these vulnerabilities is spread out across multiple sources, making the job of keeping track of them considerably more difficult. Not every vulnerability makes its way directly to the NVD through the standard CVE route. Vulnerabilities reach the CVE, another U.S.-government-backed organization run by the non-profit MITRE Corporation, through reports from security researchers, project maintainers, or companies in the case of commercial software. When a vulnerability is discovered by a researcher, the common practice is to notify the vendor or project maintainer and then reach out to the CVE to reserve an identification number. Information about what has been found to be vulnerable and how to exploit it is withheld during a grace period, (typically 60-90 days) which is meant to allow the product/project’s team time to develop a fix for the vulnerability.  Vulnerabilities reported for commercial products like Microsoft’s Windows, Apple’s MacOS and iOS, Cisco products, etc follow the more traditional course of being uncovered by their in-house security team or brought to their attention by a bug bounty hunter. Then there is an update, often delivered with a regularly scheduled update (looking at you Patch Tuesday.) Vulnerabilities discovered in open source components are a different animal. The wild west of open source security vulnerabilities At its core, the difference between open source software and commercial software is the kind of license that it’s rocking. However, when it comes to security issues, you need to turn over more rocks in order to stay on top of open source vulnerabilities, as this space is still very much a Wild West. By now we’re all familiar with Eric S. Raymond’s 1999 essay, The Cathedral and the Bazaar, where he talks about the distributed nature of open source. Truth is that while resources like the above mentioned NVD do a pretty good job of compiling many of the open source vulnerabilities, it is far from complete and comprehensive because of how the community works, eschewing a centralized approach. For starters, a sizable number of the open source vulnerabilities that we see out there are actually being posted and discussed on a wide range of different security advisories and issue trackers. This means that even for relatively popular projects, these red flags may fly beneath the radar. From our experience, you need to be looking where the developers who are working on the projects and using the components are. Issue trackers like Apache’s Jira can be invaluable given their large share of the market as it were. Pivotal security is also a good source for a range of product-specific security advisories. Zooming out a bit, Bugzilla should be at the top of everyone’s list, as well as the Linux security advisory. We should note though that it can sometimes take weeks or more for a vulnerability which has been reported on a project’s issue tracker to make its way to the CVE and then NVD. During that time, a hacker can use the information about what is vulnerable and how to exploit it to target unsuspecting victims who do not know that they are using a risky open source component in their product. The brunt of this challenge usually falls on the shoulders of developers and their managers, who have to ensure that they are using secure and updated versions of open source components. More often than not, developers are not pulling the most recent version of a component, and are unaware of any vulnerabilities which are hidden away in the component or its dependencies. Fiascos like the late discovery of the Heartbleed vulnerability and the Equifax data breach prove that staying abreast of newly discovered open source security vulnerabilities and updating insecure versions are not exactly a welcome task when you’re racing from one sprint to the next. Concepts like the Software Bill of Material have emerged to help with this problem. Open source vulnerabilities management: knowing your code Organizations that are developing software need to actually keep track of all the open source components that they are using, and be able to know when a component that they are using becomes vulnerable if they hope to stay ahead of those who would do them harm. If companies used to skate by on Excel sheets for tracking open source components, the sheer scale of their usage has rendered this method useless. Seeing as how open source components now comprise between 60-80% of the code base in modern applications, the time has come to adopt automated solutions that can track what is being used and monitor the various resources discussed above for when a new vulnerability is publicized.  Knowing what your team is using is the start of a conversation that allows you to empower your developers by not burdening them with the task of manual tracking. Staying on top of the open source components in your development products with automated tools allows them to focus not on whether a license is in line with company policy or if there is a vulnerability that could put your product at risk. Security measures that aren’t easy for developers to include are likely to end up being ignored. Providing developers with an easy way to follow what they are using without taking up their valuable time will make it far easier for them to remediate issues when they do arise, and as we learned from G.I. Joe, knowing is half the battle.       

Le 2019-04-03


  Alien Vault - Things I hearted this week, 29th March 2019
I search long and hard each week to find the best and most interesting security stories. These aren’t just news stories, but also interesting blogs and experiences people share. One thing I’ve felt (I say feel because I don’t have scientific proof to back this up) is that fewer people are blogging regularly. Of those that do regularly blog, many have left their blogs and moved over to Medium - and I have nothing against Medium, I just don’t want my list to end up being just a bunch of Medium articles every week. The second thing is that a lot of people end up sharing their thoughts on a social media platform, such as a long post on LinkedIn or Facebook. Or worse still - they have a Twitter thread. I could link to Twitter threads, but I feel these don’t accurately convey the message in the same way a blog does. For example, Magen Wu has a great Twitter thread on career success. About how she feels she wasted time comparing herself to others and setting goals she wasn’t necessarily aligned to. With some good comments from others. The question I guess I’m asking is that are social media platforms taking away from blogging, and given the short life span of tweets in particular, does it lessen knowledge sharing? Should I start a “Tweet threads I Hearted this week”. All are important questions. While you ponder on that, here’s your regular dose of security things I hearted this week. Creating an Android open source research device on Your PC While this was written last August, I only just saw this article on creating a virtual Android device on a PC to conduct open source research. Creating an Android Open

Le 2019-03-30


  Alien Vault - Do You Know Your Numbers?  No, Your Cyber Health Numbers!
Last year, as in years prior, was a year full of cyber-attacks.  But what was interesting was the trend of small and medium businesses being targeted more often.  Generally, those types of businesses have either rested in the false impression that they’re not a big enough target or didn’t have plentiful valuable information hackers are seeking.  The reality is the opposite and the stakes couldn’t be higher. You’ve probably heard the phrase, “small businesses are the lifeblood of our economy.”  A powerful word like lifeblood is defined as an indispensable factor that gives something its strength and vitality.  That is to say, they are critical to the health of our national economy and prosperity.  And as we’ve all seen on TV, in order to protect our own physical health, it’s important to “know your numbers” as the ad says. Well, this should hold true for small businesses.  We’re not talking about physical health, but something just as important, cyber health.  But how many businesses are currently measuring their cyber health numbers?  A better question to ask is how do you even do it?  And what can you do with it?  Is there a standard out there that’s recognized by industry peers and cyber insurers alike? AT&T, a leader in world-class security solutions, has pondered these same questions and has come up with a solution to answer some of them.  Cybersecurity Rating from AT&T, is exactly what the doctor ordered. This new solution, powered by BitSight, will equip small business owners with actionable data that can help protect data and assets, but also help you maintain a pulse on your own cyber health.  And it’s perfect for business owners who don’t have large IT staffs, or who lack some of the technical expertise necessary to stay ahead of today’s evolving cyber-threat landscape. Cybersecurity Rating helps an organization maintain an effective security posture by providing valuable insight into vulnerabilities with data collected by Bitsight over the last seven years.  Cybersecurity Rating is non-intrusive and does not disrupt your network.  Results are grouped into the following categories of risk vectors:  compromised systems, diligence, user behavior, and data breaches.  It helps a business owner answer the question of just how protected it is against cyber risk.  So, with these numbers in hand, as a business owner, you now have the ability to make data-driven, informed decisions about cyber risk mitigation, or cyber risk transfer through a cyber insurance policy.  The cyber insurance market is rapidly expanding, especially in the small and medium business space, because it’s a relatively new concept, but also referring to the earlier point about perceived permeability.  Cyber rating products like Cybersecurity Rating will become even more important as cyber insurers gather more cyber risk actuary data and develop more effective policies that address the unique threat landscape faced by small and medium businesses. More cybersecurity help is on the horizon to help navigate these menacing cyber-attack waters.  Proposed legislation like HR 1648, cyber-awareness training for employees, and comprehensive risk management products like Cybersecurity Rating can help to facilitate a deeper conversation about uncomfortable topics like cybersecurity, risk of data breaches, and cyber insurance. It’s akin to going to the doctor’s office after the holidays, but since you have all of your data and you know your numbers, you’re really just seeking a recommendation for a good gym.  It should be easy to find one that’s not crowded now since the January rush is over!       

Le 2019-03-29


  Alien Vault - Great find! The ThreatTraq Internet Weather Report
Every week, the AT&T Chief Security Office produces a set of videos with helpful information and news commentary for InfoSec practitioners and researchers.  I really enjoy them, and penned a blog on a segment on the impact the banning of smartphones in some secure federal facilities  a few weeks ago. The Internet Weather Report is a look at what’s happening on the vast network AT&T oversees as evaluated by the AT&T CSO team. So on the 2/21/19 Internet Weather Report, for example, here was the situation overall: Matt Keyser, Principle Technology Security, AT&T typically leads the discussion with a couple of guests for commentary. He covers the most probed ports and the most sources probing, ranking them and comparing them with the previous week. Then he dives into the interesting stories. For example, on the 2/21 episode, Matt drilled into the scans on port 8080, which looks to be exploiting a common bug in a couple of Netgear routers. It’s a great resource for InfoSec practitioners and researchers alike!   John Hogoboom. Lead - Technology Security, Security Platforms,  and Stan Nurilov, Lead Member Of Technical Staff, Security Platforms, also present the Internet Weather in other episodes. To subscribe to watch the Internet Weather Report each week and other features, subscribe to the AT&T Tech Channel.         

Le 2019-03-27


  Alien Vault - Things I hearted this week, 22 March 2019
RSA has come and gone, and things are settling down into a normal routine. I did write a post-RSA blog which covered the highlights and trends I observed. Because of RSA and the subsequent week of getting through the backlog of emails and work, the news list has piled up with over 141 separate news items lined up in my list. But don’t worry, I’ll only share the ones I truly hearted. Device and account security checklist Bob Lord has put together a great resource to help people and companies better secure themselves and their organisations. Even if you’re a security expert, it’s worth checking out and sharing the checklist with friends and family. Device and Account Security Checklist 2.0 | Medium, Bob Lord The Citrix data breach On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network. The firm says in a statement that it has taken action to contain this incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CISO. Citrix breach once again highlights password weaknesses | ComputerWeekly Why The Citrix Breach Matters -- And What To Do Next  | Forbes Related Ad Network Sizmek Probes Account Breach | Krebs on Security New phishing campaigns target real estate agents Actors have been launching phishing campaigns that abuse several brands of well-known real estate franchises with the intent of capturing targeted real estate agents' email credentials. While this type of targeting in the real estate sector is not new, this post highlights the in-depth tactics, techniques, and procedures (TTPs) used. The TTPs and imagery used in the PDF are used to lure people in. Credential harvesting websites can be used for situational awareness to defend against these attacks. Closing on credential theft. New phishing campaigns target real estate agents. | Medium  Pros-for-hire no better at writing secure code than compsci beginners Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all. Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration system didn't do so securely unless asked, and even then didn't always get it right. Freelance devs: Oh, you wanted the app to be secure? The job spec didn't mention that | The Register Do a good deed, get met by lawyers SEDC is an Atlanta-based company that provides back-ends for utility companies; a security researcher discovered that the company stored his password in the clear. The company's products have more than 15,000,000 users, whose logins and passwords are potentially also stored in plaintext. When the researcher alerted the company about this, the company ignored them, then denied that there was any problem, then demanded that the researcher not communicate about this except to SEDC's general counsel. Security researcher warns of power company customers' passwords being stored in the clear, software provider responds with lawyer-letter | BoingBoing Average DDoS attack sizes decrease 85% due to FBI’s shutdown of DDoS-for-hire websites The FBI’s shutdown of the 15 largest distributed denial-of-service (DDoS) for hire vendors (booters) reduced the overall number of attacks worldwide by nearly 11 percent compared to the same period last year. Along with the fewer total attacks, the average size decreased by 85 percent as did the maximum attack size by 24 percent, indicating the FBI crackdown was effective in reducing the global impact of DDoS attacks. Average DDoS attack sizes decrease 85% due to FBI’s shutdown of DDoS-for-hire websites | HelpNetSecurity PewDiePie fans keep making junk ransomware For some misguided reason, PewDiePie fans seem to believe that making and releasing ransomware is a proper and acceptable method of supporting their idol. PewDiePie fans keep making junk ransomware | ZDNet Other stories I hearted The NYPD is using a new pattern recognition system to help solve crimes | The Verge How to Quit Your Job in 837 Easy Steps | Medium, Jessica Powell 7 Things You Need To Stop Doing To Be More Productive, Backed By Science | Medium, CamMi Pham       

Le 2019-03-26


  Alien Vault - Restart BEFORE patching
Most folks who work with servers know the monthly drill: Patches are released by manufacturers -> Patches are tested -> Patches are deployed to Production.  What could possibly go wrong? Anyone who has ever experienced the nail-biting joy of patching, and then awaiting a restart, knows exactly what could go wrong.  Does anyone remember the really good old days when patches had to be manually staged prior to deployment? For those of you who entered the tech world after Windows NT was retired, consider yourself lucky! If you think about it, most organizations that patch on a monthly basis are considered to have an aggressive patching strategy.  As evidenced by the legendary Equifax breach, some organizations take months to apply patches. This is true even when the organization has been forewarned that the patch is a cure for a vulnerability that is being actively exploited, also known as a “Zero-day” vulnerability. Patching is never a flawless operation.  There is always one server that just seems to have problems.  What is the first response when this happens?  Blame the patch, of course!  After all, what else could have changed on the server?  Plenty, actually. Sometimes, removal of the patch doesn’t fix the problem.  I have seen the patch still held responsible for whatever has gone wrong with the server.  I am not blindly defending the patch authors, as there have been too many epic blunders in patching for me to exhibit that kind of optimism and not laugh at myself.  But what can we do to avoid the patch blame game? The simple solution is to restart the servers before deploying patches.  This is definitely an unorthodox approach, but it can certainly reduce troubleshooting time and “patch blame” when something goes wrong.  If you restart a server, and it doesn’t restart properly, that indicates that an underlying problem exists prior to any patching concern. This may seems like a waste of time, however, the alternative is usually more time consuming. If you patch a server, and it fails at restart, the first amount of time you will waste is trying to find the offending patch, and then removing the patch.  Then, upon the subsequent restart, the machine still fails.  Now what? Even if we scale this practice to 1000 servers, the time is still not wasted.  If you are confident that your servers can withstand a simple restart, then restart them all.  The odds are in your favor that most will restart without any problems.   If less than 1% of them fail, then you can address the problems there before falsely chasing the failure as a patch problem. Once all the servers restart normally, then, perform your normal patching, and feel free to blame the patch if the server fails after patching. The same approach could also be applied to workstations in a corporate environment.  Since most organizations do not engage automatic workstation patching on the corporate network, a pre-patch restart can be forced on workstations. Patching has come a long way from the early days when the internet was young and no vulnerabilities existed (insert sardonic smile here).  The rate of exploits and vulnerabilities have accelerated, requiring more immediate action towards protecting your networks.  Since patches are not without flaws, one easy way to rule out patching as the source of a problem is to restart before patching.       

Le 2019-03-26


  Alien Vault - The NIST cybersecurity framework (CSF) and what it can do for you
The NIST Cybersecurity Framework (CSF) has only been around for four years and while developed for critical infrastructure, resulting from Executive Order 13636, it has been widely adopted across both private and public sectors and organizational sizes.  It is used inside of the US government, with 20 states using it (at last count). In addition, international organizations such as the Italian government, as well as private sector organizations including technology and education are using the framework.   Why is this?  If there’s one overarching theme of the NIST CSF when it comes to implementation, it’s that there’s no one-size-fits-all solution.  Your risk profile, regulatory requirements, and financial and time constraints are unique, and the NIST CSF allows each organization to take these factors into account when implementing the CSF.  Moreover, implementation is not an all-or-nothing proposition. Without the restrictions of a formal compliance regulation to hold you back, you are free to implement the NIST framework in whatever way best fits your business needs.  Once you establish your unique, current profile and target profile, you can use the gaps between them as a tool to help prioritize improvement actions, based upon your budget and resources.   The NIST CSF allows you to establish or build upon your foundation by identifying what needs to be protected, implementing safeguards, and detecting, responding to, and recovering from events and incidents.  In the simplest terms, NIST CSF defines outcomes based upon your unique threats and risks, as well as how you manage risks within your organization: Know what you have and what you are facing The NIST CSF calls on organizations to identify your data and the devices that store, transmit, and process information.  This means you must have an inventory of data, the devices, the applications, and the underlying infrastructure that process and store that data.   Now that you know what data you have, you can identify threats and vulnerabilities in the environment.   This allows you to focus on protecting the ‘riskiest’ assets or what is most valuable to your organization.  Put protection measures in place Once you know what you need to protect, put measures in place to safeguard that data.  Taking the approach of "We have a firewall. Our data is protected" is long gone.  A layered approach to security is imperative protecting the connectivity layer, the application layer, and the device itself.  Monitor, monitor, monitor There are always changing circumstances, even with the most mature security programs.  That is why you must continually monitor the environment to detect events and potential incidents.  Not only must you monitor but you must improve your monitoring strategy and technologies that you use.  Detection must be efficient and effective - your organization can fall into one of these two buckets:  you have been breached and you know it or you have been breached and you don’t know it.  Continually optimize and tune the technologies and processes you have in place.  You cannot respond to what you can’t detect.  Have a plan Like we all know, it’s not if you get breached, it’s when.  Having a formal, tested response plan that is known by the organization, its stakeholders, and responders is crucial.  Like detection, response must be efficient and effective, so you can get back to business as soon as possible.   Also, like detection, the response plan must be continually improved.  Recover and improve Last, but not least, you must recover when your organization is disrupted by a breach.  While no organization wants to go through this, it is a way to look at where improvements can be made.  You can restore business and IT operations, but not until you take the time to investigate what went wrong and where security controls can be improved.  It allows for real-life lessons learned and reflection on how to improve the overall process.  Not only have you had the opportunity to mature - but next time, the response and recovery  process hopefully will be more efficient. NIST also has a framework for incident response, in case recovery is necessary.       

Le 2019-03-26


  Alien Vault - All about security analytics
With or without a security operations center, and whether your network is on premises, in the cloud, or a hybrid, you need to determine which events and indicators correlate with cyber attacks. Organizations these days face a wider range and greater frequency of cyber threats than ever before. These threats can be from APTs (advanced persistent threats), cyberwarfare, promiscuous attacks through bots and botnets, script kiddies, malware-as-a-service via the Dark Web, or even internal attacks from entities within your organization. Everything from distributed denial of service attacks (DDoS) to cryptojacking, from man-in-the-middle attacks to spear phishing, from ransomware to data breaches hit businesses of all sizes and in all industries constantly and every single day. It’s perfectly normal to find it all to be overwhelming! But implementing the right tools and practices can help you make sense of all of the cacophony. That’s where cybersecurity analytics can be useful. Several years ago, security analytics became something of a buzzword, but it’s as relevant now as ever. Cybersecurity data analytics explained So what is it exactly? It’s actually quite simple. Security analytics isn’t one particular type of tool or system. It is a way of thinking about cybersecurity proactively. It involves analyzing your network’s data from a multitude of sources in order to produce and maintain security measures. It’s all about aggregating data from every possible source and finding the “forests” that all of those “trees” of logs and other recorded details are a part of. Of course, being able to identify the “forests” can make it easier to not only put out “forest fires” of cyber attacks, but also prevent “forest fires” in the future. Security analytics sources and tools Here are some of the different types of data sources which can be used in your cybersecurity analytics practices: Cloud resources User data acquired from endpoints Logs from network security appliances, such as firewalls, IPS, and IDS Network traffic and its patterns Identity and access management logs Threat intelligence Geolocation data Mobile devices and storage mediums connected via WiFi, Ethernet, and USB Antivirus applications Business specific applications There are some types of tools which your network can deploy which pertain to cybersecurity analytics. They include: Code analysis applications to find vulnerabilities in software and scripting File analysis tools to explore files in ways which may go beyond malware detection Log analysis applications for firewalls, IDS, IPS, networked print devices, servers, and endpoints SOC (security operations center) specific applications to organize data in a way which is useful for their functions DLP (data loss prevention) tools Security analytics use cases Properly implemented cybersecurity analytics can not only improve your network’s security posture, but also help your organization with regulatory compliance needs. There are many industry-specific regulations which require log data collection and activity monitoring. HIPAA and PCI-DSS are just a couple of them. It can even help show your organization’s stakeholders and management which security measures and policies are useful and worthy of investment. Using an analytics approach and the right tools have the benefit of being able to look at cyber threat patterns over months or possibly even years, as long as your network data is properly stored and maintained. Often it helps to get a “big picture” view of what may be going on with your network. Security analytics AI and machine learning When AI is usefully deployed for cybersecurity analytics, it can be used to scan your entire IT environment to find patterns and identify anomalies. Well implemented AI can take a lot of the calculation and identification work off of the shoulders of your human security analysts so that they can direct their efforts to areas where human thinking is more effective. People’s brains can tire of repetitive and tedious work, whereas AI can deal with loads of tedious data without mental fatigue. All of the supposedly boring details won’t be missed by properly configured advanced computer systems! Machine learning can be implemented by your AI and monitoring systems to learn from data and results which are accumulated over time. Machine learning can have both supervised and unsupervised applications according to your specific needs. Supervised machine learning can analyze structured data for clear algorithms and rules. Unsupervised machine learning can analyze unstructured data from sources such as SIEM and general scans. Conclusion Well deployed cybersecurity analytics systems and practices can actually augment and complement your SIEM. As Paul Reid wrote: “Leveraging security analytics with SIEM as a data source provides the best of both worlds. The SIEM investment is protected and additional value is unlocked from the rich cyber log data stored there. Security analytics can now watch for those changes in behavior that may be indicative of an attack. These behavior changes create a set of cybersecurity leads that can be followed up on by your cyber hunters. The entities associated with the behavioral change can be examined in the SIEM to see what the underlying activities could have caused the attack. Ultimately, security analytics uniquely augments other existing security tools‒not just your SIEM, but also data loss prevention, identity access and management and other solutions.” The most obvious direct application of using cybersecurity data analytics to augment your SIEM that I can think of is to identify new data and event patterns to make better SIEM correlation rules. Cyber threats are constantly evolving and the threat landscape itself is constantly changing. You shouldn’t just stick with one set of SIEM correlation rules from one year to the next, because some of them might become irrelevant or outdated. Your network security would benefit from both tweaking the rules your SIEM already has, and creating new rules based on the data you acquire from your cybersecurity analytics which reflects how cyber attacks are changing. When used properly, good security analytics can improve every facet of your network’s security and help you keep up with how cyber attacks are evolving.       

Le 2019-03-26


  Alien Vault - RSA 2019 - A Case of the Blues
RSA is arguably the biggest business-focussed cyber security event of the year. As over 40,000 security professionals completely take over the Moscone Centre in San Francisco. Of course, one of the biggest changes this year was a case of the blues - as AlienVault made its transition into AT&T Cybersecurity. There were smiles all around, and the now blue blinky sunglasses remained a favourite across our two booths.  However, it’s not the last we’ll see of our little Alien mascot, who will live on in Alien Labs. There was also a ‘bullet time’ camera setup in the South Booth. I’m sure there’s a technical term for it, but I only know it as bullet time - the technique popularised by the Matrix movies, where multiple cameras are setup and take a photo at the same time, giving attendees the chance to have their photo taken while being beamed up by the UFO above. Kevin @Kevin_Jackson "beaming up to the Alien Lab!" https://t.co/DyTZ49wYT6#RSAC #RSA2019 #ATTInfluencer #ATTCyberInsights @ATTCyber #attcybersecurity @RSAConference pic.twitter.com/8iEV6ZC0xn" — dez.i.am (@dez_blanchfield) March 8, 2019 The Trends RSA is a huge event with thousands of vendors, and hundreds of talks, which naturally bring about some common topics and trends. Stop, Collaborate, and Listen No, Vanilla Ice wasn’t a keynote speaker, but a common thread from the keynote to the show floor was one of collaboration and working better together. I attended a great presentation by Wade Baker and Jay Jacobs if Cyentia Institute entitled “NONE of Us Are as Smart as All of Us” in which they take a scientific approach to proving why many is better than one for learning in the security industry. Don’t call it a comeback There was a lot of discussion around security fundamentals. While there are many new threats and attacks in the wild, they are not worth focussing on if the foundations are shaky. Industry luminaries HD Moore and Jeremiah Grossman are working on asset discovery, and Cybersecurity Asset management firm Axonius won the RSA innovation Sandbox. As Frederick Lee, CISO at Gusto (ex CISO at Square) said in a panel I moderated at RSA, that many companies get compromised not by a zero day, but by a 90 day, 180 day, or even a 360 day. Security is everyone’s job! @square #cso on the #Cybersecurity Is All About the Seams panel. https://t.co/3MnSZaBfKe…#RSAC #RSA2019 #ATTInfluencer #ATTCyberInsights @ATTCyber #attcybersecurity @RSAConference pic.twitter.com/l2VexVsA7B — Evan Kirstel at #EC19 (@evankirstel) March 7, 2019 Similarly, Nick Selby delivered an engaging and insightful talk into the Timehop Breach Response in which 25 million user records were exposed. The talk served as a good example of what incident response actually looks like, and some of the essential components needed to prepare your company. Welcome to the Machine From the vendor side, there was a lot of discussion around machine learning, and some on artificial intelligence. Without delving into the precise definition of these terms, the broad sentiment was the same, that technology and businesses are at the level where humans alone cannot scale effectively. Therefore machine learning, automation, and other similar techniques are becoming integral to many security offerings. With this, comes greater opportunity for orchestration, not just for products, but between people and processes too. This train of thought extended not just to traditional tech, but also spilled over into the Internet of Things (IoT) which are expanding at a rapid pace, and for which security remains a big concern. Shiny Happy People Another angle discussed in several sessions was focussed more around the human side. More specifically there were plenty of discussions around the topic of burnout within the industry, signs, coping mechanisms, and support. It was good to see this in practice as at the end of the day, the industry is made up of people, and having the right people in the right frame of mind is essential. Diversity and inclusion also cropped up and the need for people of all genders and backgrounds to be supported into getting into and moving up in the industry. A few years ago, RSA conference itself found itself in the middle of some controversy when there was a lack of diversity especially amongst keynote speakers. To its credit, RSA has made big strides towards addressing the lack of balance, and serves as a good example of how change is possible. Awards all around Overall, RSA was a great experience for all those involved. AlienVault USM Anywhere won the Best SME Security Solution award at the SC Awards. Additionally, we were recognised as a Market Leader in both the Cloud Security and Threat Intelligence categories for Cyber Defense Magazine. What the future holds RSA always kicks off the next trends and sets the tone for the security year. Sometimes looking back gives you a good indication of what the future holds. AT&T Cybersecurity President Barmak Meftah explains the past, present, and the future of cybersecurity far better than I can in this video interview from RSA. I caught up with Barmak Meftah ( President AT&T Cybersecurity ) in San Francisco at #RSAC 2019. https://t.co/4n0vU6mFxw#attinfluencer #attcybersecurity @attbusiness #attcyber @attcyber #rsac #cybersecurity #cyber #security — dez.i.am (@dez_blanchfield) March 8, 2019         

Le 2019-03-26


  Alien Vault - AT&T Cybersecurity partner of the year 2018
I am very excited to announce the 2018 AT&T Cybersecurity (formerly AlienVault) Partners of the Year! These eight outstanding companies achieved phenomenal business growth during 2018 and truly reflect the types of organizations that believe in ‘customers first’. The AT&T Cybersecurity Partner Program enables leading VARs, system integrators, managed security service providers (MSSPs), managed detection and response providers (MDRs) and corporate resellers to sell and support AT&T Cybersecurity solutions and deliver compelling services powered by AlienVault USM in the global marketplace. With a strong focus on enablement, the program is designed to help solution providers create new opportunities for business growth, expansion and profitability. Our dynamic and rapidly expanding partner community is a critical part of our success as a company, and we are committed to enabling and supporting the growth of our participants based on their individual goals and objectives. Our Partner of the Year awards recognize the success achieved by our partners in the following categories: Global awards: Global Partner of the Year:  BINARY DEFENSE Highest overall sales bookings in 2018 Binary Defense led the AT&T Cybersecurity global partner community by identifying, architecting and delivering managed security services to a record number of customers. These customers ran the spectrum in size, from small business to some very recognizable, household names! They had top honors two years ago and we are very proud to recognize their return to the top spot by delivering more than 100% year-over-year growth. “We are honored to receive such an award. The continued partnership and support between AlienVault and Binary Defense is a testament to the dedication of both organizations to improving cyber security around the world. As a leading MSSP and provider of SOC-as-a-Service, Binary Defense is proud to be aligned with AlienVault’s world class SIEM platform.”  - Mike Valentine, CEO Growth Partner of the Year:  IT LAB Highest growth in 2018 as compared to 2017 sales bookings IT Lab, based in the UK, delivered more than 800% growth year-over-year leading all others in 2018 by a comfortable margin. These growth numbers are challenging to achieve even in the best of times and IT Lab were able to take a great baseline and deliver these amazing results. With an eye firmly on value, it’s no surprise their existing customers renew and new customers flock to their services. “IT Lab are thrilled to have been awarded growth partner of the year. This represents the excellent growth that we have had across IT Lab, both within our cyber security services and beyond. The SOC team have on-boarded some excellent clients in the last 12 months; spanning large FTSE250 businesses to financial and professional services, healthcare organisations and beyond. This award is testament to the fantastic team, and the great people that make up that team, right across our cyber and managed services.” – Michael Bateman New Partner of the Year:  AGIO Highest sales bookings by a solution provider that joined our program in 2018 Agio signed on with us in early 2018 and came to the table with focused goals, a compelling service offering and an amazing technical team. Their desire to be impactful to their customers immediately made recognizing Agio a simple process. When you enter a relationship with all the bases covered, you can’t help but deliver success. “Receiving AlienVault’s Partner of the Year award is a reflection of the strength of our innovative relationship. Agio’s priority is working with technology partners that understand the nuances of those industries and clients we serve, and AlienVault’s promise to clients like us is to adapt and flex with market needs.  Together, it truly feels like we have each other’s backs, and we’re thrilled to continue our mutually beneficial connection. - Kate Wood, Chief Marketing Officer Distributor of the Year:  CMS DISTRIBUTION Highest growth in 2018 as compared to 2017 sales bookings CMS epitomizes the definition of Value Added Distributor. In a time where distributors are scrambling to identify ways to differentiate, CMS carved out their value by delivering ‘white-glove’ service to not only their partners, but their vendors as well. Every engagement with CMS is thoughtful, focused and makes a strong impact on their partners AND their partners’ customers. “CMS are delighted to have been awarded AlienVault’s Distributor of the year 2018! This proves that all the hard work and effort we have put into this brand, by launching in the UK/Ireland, only a few short years ago has truly been recognised. We have a very strong partnership together and will continue to invest in and grow this brand as it evolves through its exciting acquisition by AT&T.”  - Tierna Killick, Group Software Manager Regional awards: These awards recognize the partners that had the highest sales bookings in each of the 4 global regions. North American Partner of the Year:  TERRA VERDE SYSTEMS Terra Verde repeats this achievement for the second consecutive year. Terra Verde has built a robust, diversified practice – reselling AlienVault USM, delivering world-class services and implementation, and leading some of our highest-rated training classes within our ecosystem. The focus on delivering a quality, impactful outcome to their customers is what sets them above others in region. “All of us at Terra Verde are overwhelmed with gratitude on being selected the 2018 North American Partner of the Year, for the second year in a row! Our commitment to our AlienVault and AT&T partnership runs throughout our company and is a core component of our ongoing success. We look forward to supporting our AlienVault/AT&T partnership and our respective customers and partners across the world.” - Mark Dallmeier, CSO/CMO Latin American Partner of the Year:  Cable and Wireless Business Cable & Wireless Business has been delivering value added services to their customers based on the USM platform for the last several years. Their dedication to providing exceptional outcomes drove their bookings and enabled them to lead all other providers in Latin America. EMEA Partner of the Year:  SOFTCAT Softcat, another repeat Partner of the Year winner, continued to lead the EMEA partner community in 2018. Their aggressive commitment to delivering world class security technology to their customers was reflected in both the number of new customers and the bookings they achieved. This year saw the addition of managed security services to their portfolio and the rapid expansion of this practice helped them outpace the growth of others in the ecosystem by a significant percentage. "I was absolutely delighted to receive the AlienVault EMEA partner of the year award.This award is recognition of the strength of our partnership and value the AlienVault platform brings to our client base. I am very positive about the outlook in this journey together and confident it will continue go from strength to strength." - Matthew Helling, Softcat Ltd Networking and Security Manager APAC Partner of the Year:  TRISKELE LABS Triskele Labs led the APAC region in bookings, customer acquisition and customer retention. They continually strive to deliver world-class services to their customers and this attitude, put into action, singled them out among all others in region. With our recent office expansion into Sydney, Australia, Triskele Labs has gone above and beyond in welcoming us to the market by keeping our teams busy co-selling!  "As this award demonstrates Triskele Labs are thrilled to be identified as a leader in our field. We started this journey to be an industry leader, delivering outstanding and unparalleled service at an affordable cost for everyday businesses and this could not have been achieved without the amazing partnership we have developed with AlienVault. The partner of the year award affirms our approach that all organisations, big and small should be able to achieve the same level of Cyber Security protection as the large corporates without the need to spend millions of dollars per year on securing their information." - Nick Morgan, Chief Executive Officer Congratulations to all our winners on an amazing 2018! We are honored to team up with such a stellar group of companies and look forward to supporting your continued growth and achievements in 2019. Interested in becoming a solution provider? You can learn more about the AT&T Cybersecurity Partner Program here.       

Le 2019-03-26


  Alien Vault - Ban on Smartphones in Secure Federal Facilities
The Federal ban on smartphones for some employees in the workspace makes a lot of sense in post-Snowden days. The phone has a camera, microphone, Bluetooth and other capabilities that can be abused, with or without the employee even intending harm. AT&T ThreatTraq did a six-minute video I really enjoyed. ThreatTraq is a production of the AT&T Chief Security Office, and a great resource I've discovered since the acquisition of AlienVault by AT&T. The video included Karen Simon, Director Technology Security, AT&T, Manny Ortiz, Director Technology Security, AT&T and Matt Keyser, Principle Technology Security, AT&T. They referenced a great article in Security Magazine on this topic recently. Here are some key takeaways: Unbridled smartphone capabilities are a righteous threat in highly secure facilities. Cameras can be used to steal classified documents. Microphones can be used to spy. Bluetooth is fraught with valid security issues that could be abused to exfiltrate data and spy. The ban cost about 52 minutes per day of lost productivity. Karen calls it the “backlash on productivity”. Manny found the 52 minute number to be incredible, but then broke it down to employees having to walk out to their car or to a locker to check on their phones multiple times per day – yes it does add up. But is that really true? Would employees have been equally or more unproductive due to using the smartphone for personal reasons on the job? There’s a definite hit on employee morale. I know a few people who wouldn’t take a job that required surrendering their smartphone to go to work. From the article: “The numbers don’t lie: four out of ten millennials refuse to work for an organization that doesn’t allow personal devices in the workplace.” Personal effectiveness can be greatly reduced. Think of all the times getting a quick text to a colleague during a long meeting can save quite a bit of time and reduce wasted work. Work laptops / desktops have similar functionality as smartphones – why does it make sense to ban a smaller version of a laptop? Laptops can’t be taken from employees because they would be unable to do much work without them! As Karen suggested, while security does have an impact – it’s never entirely benign - there needs to be a balance between security and productivity. Perhaps technology to disable the recording and camera functions of smartphones while at work? Definitely check out the video and subscribe to ThreatTraq!       

Le 2019-03-26


  Alien Vault - Announcing the AlienVault Success Center!
We are very excited to announce that our new Success Center has just launched. It is our new “one stop shop” for help for AT&T Cybersecurity commercial USM Anywhere, USM Appliance and USM Central customers, OTX and OSSIM users, and InfoSec practitioners in need of help and support. Why a Success Center? We studied the situation at length before formulating our plan for the Success Center. In interviews with customers and partners, we determined that those wanting our help had to go to too many sites to get what they needed. These sites include the Forum, the Support Portal, the Documentation Center and the blogs. It was hard for folks to know the best place to look for information about a particular topic or question. What Makes the Success Center Different? Now you can log in one time and have access to information from a great many resources. You have the capability to search across all the resources and find helpful information that would otherwise be tricky to find. Searches span across blogs, AlienVault documentation, KB articles, Forum questions and even the customer case history (in the case the user is a customer.) We respect your privacy - company case history is accessible only by designated users of that company. What Happened to the Customer Support Portal? If you were a user of the Support Portal, your existing credentials will allow you access to the Success Center. You will have access to all the things you used to have access to, and much more! What Happened to the AlienVault Forum? The Success Center is a superset of the Forum. If you were a Forum user, you should have received an email near the end of January requesting you set up a new password in for the Success Center. We migrated all the users of the Forum over to the Success Center, as well as the all existing Forum questions and answers. There’s another neat feature about the Success Center – we will be able to get the focus from our technical experts to answer your questions better. In the Forum, questions could go unanswered. With the Success Center we will be alerted if a question has not been answered in a reasonable time. We can then open a ticket to get the right eyes and minds to answer your questions. In addition, duplicate questions will be resolved, and questions we’ve already answered in the past will get answers automatically. Features to Notice in the Success Center Intelligent Search: Searching for an answer is hard enough, but trying to filter through the results for the best answer makes finding your answer a frustrating process. Our new search intelligence can help with that by adding the following features: View filters – additional filters allow you to filter results by result type, product, or source. AI - Search AI will compare your search to previous results and your own history in the community to determine the likelihood of relevance for each result. Result post-filtering - Our new search will analyze the results to rank not just by term relevance, but also age, validation, and reviews. Getting Started Guide Sometimes it is hard to know where to start with a new product. To help ease the process of getting used to our products, we provide a quick Getting Started Guide to help you get off the ground quickly. Common Links In order to simplify finding what you need, we have provided a list of links to commonly requested answers and pages. Browse and Discuss  Sometimes, you may want to just look around for what is out there. The Browse and Discuss section allows you to navigate questions and Knowledge Base/ Known Issue Articles by topic. Trending Articles One thing you learn quickly in support is that issues - whether they be basic configuration questions, threats or known issues – happen in sets. We have added a section to highlight trending articles being viewed by your peers, as well as a view filter to allow you to filter by trending questions. Be sure to check it out! What’s Next? Better Case and view filters – We are improving our view filters to make it easier to review your account data. Account Resources and Tools – Some items, such as resetting your appliance license or getting the status of a product issue related to your appliance, can be tedious to request. We are working to provide access to these items directly from your Success Center. Media Content - We are aware that videos are the way many folks prefer to learn. We are working to create new video content, and will be adding it going forward as it becomes available. Please stay tuned for other new changes on the way.       

Le 2019-03-26


  Alien Vault - 6 Reasons you Should Consider an Annual Penetration Testing Especially in Healthcare
Breaches are widely observed in the healthcare sector and can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops or other devices. Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII). .With instances of identity theft and fraud rising, however, many healthcare organizations are now hosts to valuable patient data such as social security numbers, medical records, and more personal information that can be compromised through cyber-attacks.  If cybersecurity is not a key piece of your healthcare facility’s infrastructure, you may be putting both your organization and your patients at extreme risk. With the current cybersecurity climate in healthcare, it is important to consider some foundational security elements in terms of maintaining cyber hygiene. What it Means for 2019 and Beyond The data from 2018 illustrates that there is a problem with security throughout the healthcare industry. Information security experts warn that healthcare will be the biggest target for cybercriminals over the next five years, as noted in Healthcare IT News. The financial burden on attacked organizations is crippling, but the reputation risk is even greater. A Smarter Approach to Security Healthcare organizations must have an effective security risk management strategy built on the concept of edge-to-edge protection. They need to know what their data security priorities are, have policies that are effectively enforced, and bring an approach to cybersecurity that’s surgical— working from the inside out — to understand every fit and function of their organization. Without proper guidance, healthcare organizations could be throwing money into cybersecurity with little return, strangling their operations rather than supporting them.  So as healthcare organizations work to toward their future security, a key step is consider doing a penetration test. Consider it a self-check-up.  To combat a hacker, you need to think like a hacker. Penetration testing is a form of ethical hacking that simulates attacks on an organization’s network and its systems. This is done to help organizations find exploitable vulnerabilities in their environment that could lead to data breaches. The test is a manual process performed by security experts that dive deeper into your environment than an automated vulnerability scan does. A Penetration Test Does NOT Equal Automated Vulnerability Scans. It exposes your weaknesses before real hackers do It can reveal which areas of security you need to invest in It provides an outsider perspective of your security posture It will simulate a real attacker scenario Help with meeting compliance with industry standards and regulations Help prioritize and tackle risks based on their exploitability and impact       

Le 2019-03-26


  Alien Vault - AT&T Cybersecurity Is Born
Today marks another new milestone and I am proud to unveil our new name….AlienVault has now combined with AT&T Cybersecurity Consulting and AT&T Managed Security Services to form a new standalone division, AT&T Cybersecurity! Digitalization continues to drive rapid changes in business models and network architectures. On the other hand, it also drives changes in how cybercriminals operate, making it easier for them to harvest data and launch automated attacks at scale. The mismatch between changes in cybercrime sophistication and the relative stagnation in cybersecurity approaches is apparent as organizations continue to suffer data breaches. According to a survey presented in AT&T Cybersecurity Insights, 88% of respondents had reported at least one type of security incident or breach in the last year. The root cause? Dispersed networks, an explosion of data, disparate technologies, complex security operations present cybercriminals with gaps or “seams” in organizations’ security postures. Fighting cybercrime requires a coordinated and collaborative approach orchestrating best-of-breed people, process and technology. AT&T started down this path years ago by building a best-of-breed Cybersecurity Consulting practice and Managed Security Services business serving customers of all sizes, across industries, and around the world. Combined with its network visibility across the threat landscape, AT&T has been well-positioned to take a unique role in cybersecurity. With the acquisition of AlienVault, AT&T Cybersecurity will continue to deliver on our joint vision to address these “seams” and uniquely bring together people, process, and technology through a “software defined” unified security management platform. A platform that integrates, automates and orchestrates a wide spectrum of best-of-breed point security products. By abstracting much of the management of individual security products, we are automating deployment and ongoing operations, and operating them as a single unified solution - much in the same way AlienVault had done with the critical capabilities required for threat detection and response.  This platform will use the technical capabilities and reach of AT&T’s Edge-to-Edge intelligence in order to deliver solutions as on-demand digital services optimized to help protect customers through their own digital transformation journey. We will accomplish this through collaboration with AT&T’s industry-leading Chief Security Organization and through the integration and automation of AT&T Alien Labs threat intelligence into the platform.  The combination of Open Threat Exchange now curated by Alien Labs and AT&T’s incredible breadth and depth of threat intelligence will create one of the world’s leading threat intelligence platforms! AT&T Cybersecurity is uniquely positioned to provide security without the seams  through people, process and technology, which will provide UNRIVALED VISIBILITY for our customers! 2019 is off to a great start! Stay tuned for more exciting news from AT&T Cybersecurity that will enable our customers to anticipate and act on threats to help protect their business!       

Le 2019-03-26


  Alien Vault - Things I Hearted This Week, 22 Feb 2019
We have two weeks of news to catch up with because I was travelling last week and wasn’t able to submit to the editor in time. But that just means double the security fun. So let’s just jump right into it. Helping The Smaller Businesses Small and mid-sized businesses have most of the same cybersecurity concerns of larger enterprises. What they don't have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous. GCA cyber security toolkit | GCAtoolkit Mastercard, GCA Create Small Business Cybersecurity Toolkit | Dark Reading Security Isn’t Enough. Silicon Valley Needs ‘Abusability’ Testing It is time for Silicon Valley to take the potential for unintended, malicious use of its products as seriously as it takes their security. From Russian disinformation on Facebook, Twitter, and Instagram to YouTube extremism to drones grounding air traffic, Tech companies need to think not just about protecting their own users but about abusability: the possibility that users could exploit their tech to harm others, or the world. Security isn’t enough. Silicon Valley needs ‘abusability’ testing | Wired Hackers Wipe US Servers of Email Provider VFEmail Email provider VFEmail.net were compromised and disks formatted. Every VM, file server, and backup server was lost. No ransom demand, no notice, just attack and destroy. ZHackers wipe US servers of email provider VFEmail | ZDNet CISO Spotlight: Security Goals and Objectives for 2019 Rick Holland shares his security goals and objectives for 2019, which has some great insights and tips such as hyperfocusing on process / program improvements, establishing a security and risk playbook, avoiding ‘expense in depth’, eating their own BBQ, and investing in the team. CISO Spotlight: Security Goals and Objectives for 2019 | Digital Shadows Court Camera Used to Spy on Juror’s Notebook Some defense attorneys in San Juan County worry that Sheriff Ron Krebs has a finger on the scales of justice after learning he used a courtroom security camera to surreptitiously zoom in on defense documents and a juror’s notebook during a criminal trial last week. The incident has drawn outrage from criminal and civil-rights attorneys and frustration from the county prosecutor, and prompted a rare weekend hearing during which a judge dismissed misdemeanor assault and trespass charges against a Lopez Island man after finding the incident amounted to government misconduct that had violated his right to a fair trial. Sheriff’s use of courtroom camera to view juror’s notebook, lawyer’s notes sparks dismissal of criminal case | Seattle Times We Need to Kill the ‘Security Analyst’ This is a rational and well-grounded piece talking about the skills gap, how it’s perceived and what can be done to address some of the apparent shortages. It’s not so much about trying to find and throw more bodies at the problem, but rather, finding the right kind of people and placing people in the correct roles. We Need to Kill the ‘Security Analyst’ | Mark C, Medium When You Can’t Do Awesome Things, Because of Crushing Bureaucracy The term ‘thought leader’ is thrown about with reckless abandon to the extent that it is viewed as a derogatory term. But Haroon Meer is probably among the few who are worthy of the title, and most of his posts give me something new to think about. This one is no different. When you can’t do awesome things, because of crushing bureaucracy | Thinkst NHS Cybersecurity Needs to be a Qualified Success A freedom of information request which revealed a lack of cyber and information governance training may be something of a red herring. But that doesn’t mean there isn’t valuable work to be done on creating a cyber-qualified NHS IT workforce. NHS cybersecurity needs to be a qualified success | Digital health Cards Used at 137 Restaurants Exposed by Point-of-Sale Breach North Country Business Products point-of-sale and security solutions provider with roughly 6500 customers around the US mdwest has disclosed a data breach which led to the exposure of payment information for clients who used their credit and debit cards at 137 restaurants. According to the company's data breach notification, North Country first observed that suspicious activity was present on some of its clients' networks on January 4 and a joint investigation with a third-party cybersecurity forensic firm established that the cause was malware deployed on its partner restaurants' networks. Cards Used at 137 Restaurants Exposed by Point-of-Sale Breach | Bleeping Computer The RSA Shortlist RSA is just a couple of weeks away - arguably one of the largest business-focused security conferences, and soon the masses shall descend on San Francisco. There’s usually something for everyone there, but how can you find the talks that are best for you? Well, maybe not the best talks for you, but Thom Langford has listed out some of the sessions he’s most interested in. Maybe it can inspire you to shortlist your own sessions: My RSA 2019 itinerary | Thom Langford Not wanting to be outdone my Thom, I came up with my own list of vendors I’d like to meet, or who seem pretty cool and interesting. The RSA 2019 shortlist | J4vv4D Other Things I Hearted How to procrastinate | Stella McKenna, Medium The Importance of Working For A Boss Who Supports You | Forbes Women Helping Women Isn't Just A Rallying Cry. It's Good Business | Refinery29 Why Mark Zuckerberg’s writing style erodes our trust in Facebook | Slab       

Le 2019-02-22


  Alien Vault - Fileless Malware Detection: A Crash Course
Given you’re here, you’re likely new to this topic, so please be aware in that fileless malware, fileless malware attack, and fileless attack are different words for the same thing. With that clear, let’s jump in!  What is Fileless Malware and How Does It Work? There are many definitions of a fileless malware attack. I like the description from the Poneman Institute:  "A fileless attack is really an attack technique - what we're talking about is a technique - that avoids downloading malicious, executable files, usually to disk, at one stage or another by using exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network." What's most confusing about these attacks is that they might not be 100% file-free. Typically, different technique types are termed “fileless”, but that doesn't mean the malware or an entire attack campaign won’t include executables at some stage. For example, a traditional phishing attack could have components of a fileless attack in it. Instead of opening the file, clicking on a link and it downloading something to your hard drive, malware may just run in your computer’s memory. It’s a phishing attack, but one piece is fileless. That scenario is more common than a completely fileless malware attack where everything is running in memory. More commonly, we're going to see traditional attacks: phishing campaigns, spoofs, Man in the Middles (MiTM), where something in the attack vector includes malicious code that runs in memory. The other point is that you might hear “fileless attacks” referred to as non-malware attacks, memory-based attacks, in-memory attacks, zero footprint attacks, and macro attacks. These are all different flavors of attack techniques. The whole premise behind the attack is that it is designed to evade protection by traditional file-based or signature-based tools. So any technique designed to try to circumvent or evade detection by those tools really falls into the fileless attack category. Just to get a picture of some of those techniques, in the picture below on the left there are some example delivery methods we see for fileless types of attacks. As we know, phishing and social engineering remain tactics that work for attackers. This nice diagram from Microsoft that shows a full taxonomy of fileless threats. The diagram shows the breadth of different types of techniques and different types of tools, tactics, and procedures that malicious attackers are using to launch attacks. There has been an increase in these attacks. McAfee puts it at 432% growth year over year in Powershell malware that they've witnessed. And SentinelOne found a 94% increase in just the first half of 2018. We're seeing these attack methods persist because they are effective. Attackers are also looking for ways to infiltrate that don't require some kind of vulnerability exploit, to evade detection. Trusted Admin Tools Leveraged for Fileless Attacks Living off the land is the use of trusted admin tools to conduct malicious activity. It's a way to hide in plain sight. These methods help attackers gain persistence within your environment, elevate privileges, and spread laterally across the network. Commonly, we see these with PowerShell, and WMI. We've also seen some using Visual Basic Scripts and UAC Bypass – where attackers are leveraging trusted tools to perform malicious actions. This is true within Linux and Windows as well. Example of a Fileless Malware Attack: GZipDe Here’s an example of an attack and how, at different stages, we see the use of sanctioned applications or different types of a vector that might not register with a file detection tool. Our AlienVault Labs team wrote about this in a blog post in 2018. The way this attack works is through an email phishing campaign that includes an attachment, such as a normal-looking Word document. Once you open that Word document, there's a malicious macro. Once those macros are enabled, a Visual Basic script executes, which launches a hidden PowerShell task, which then connects to the downloads and runs Metasploit in memory. You see a mix of file and fileless attack throughout the process. At first glance, it looks like a traditional attack. Everyone is familiar with phishing campaigns. Then, as you go through the processes, it runs complete programs or attacks in memory - not writing it to a disk so that an anti-virus can’t see it. It also makes this non-persistent. If an attacker is trying to evade audit and capture at a later point, fileless attacks are great. Have a Suspect Machine? One of the first steps you’ll do to investigate and audit a suspect machine is isolate it and turn it off. Since everything runs in memory in these types of attacks, as soon as you turn a suspect machine off, all evidence of the attack will be gone. There are ways to keep these attacks persistent. You can write cron jobs or tasks to a system from a PowerShell script to attain persistence. However, generally, fileless malware attacks are gone once you reboot the computer. Fileless Malware Detection AlienVault® Open Threat Exchange® (OTX™) is a community of security researchers and practitioners. Individuals contribute information to the community after seeing attacks unfold in their environments, just to help others in the community keep up to date. It’s a great resource for anyone who wants to get an understanding of what’s happening in the wild. I searched OTX™ for a few examples of fileless campaigns that we saw in 2018. This is from a quick search of “fileless”. A perfect example of a fileless campaign is GhostMiner cryptomining. It was first recognized a few hundred days ago in our community. It started out as something you would download to your hard drive. It has morphed over time to using an executable PowerShell evasion framework so that they can execute the program within memory rather than downloading it to your drive. It installs cryptomining software, but in a new way. What does it take to detect and defend and begin to protect yourself against these attacks? They are designed to evade file and signature-based protection tools - traditional anti-virus types of tools. What you need is better visibility on the host and on the endpoint. Some of the ways to detect them include things like looking for processes executing shell commands or suspicious commands executed by listening processes like ElasticSearch. We might see excessive network communications from processes that are somewhat abnormal or anomalous, as well as limited persistence and privilege escalation. We might also see attackers trying to cover their tracks by deleting their bash history or installing malicious Chrome browser extensions. All of these can be indicators that there is some type of fileless malware attack occurring in your environment. You’re going to need to spot anomalous behavior rather than a specific Indicator of Compromise (IoC).  To summarize: Conclusion The growing trend of fileless malware attacks will definitely make your life as a defender more challenging. There are free tools, like OTX, to help you keep up, and other offerings, like USM Anywhere to help quickly detect fileless attacks to prevent damage, even when there aren’t yet signatures or IoCs identified for the morphed version of fileless malware. If you’re curious to explore further, check out the Fileless Attacks webcast by Danielle Russell and Aaron Genereaux where they walk you through actual detection examples.       

Le 2019-02-21


  Alien Vault - Securing People
Cyber security has three pillars of people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security - installing another endpoint agent, or deploying another network monitoring device designed to seek out anomalys behaviour. While all these things are well and good, when you look at user awareness plans, and most companies have a once-a-year activity where they go over a few points and hope people remain educated. And as far as processes go … well, it’s unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses. If we take an unscientific look at some of the trends over the last couple of years, we can see that attacks coming from non-state adversaries has been changing some of its tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data. Which is why many attackers focus on different areas. Three of the most commonly spotted areas are as follows: Employees Going after employees is a tried and tested method. Be that dropping USB drives marked “HR bonus list” in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time. Phishing emails have been used in many ransomware infections, as well as Business Email Compromise (BEC) rely on duping users within a company. At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted and managed to swindle $18.6m. This trend shows no signs of slowing down as Business email compromise (BEC) fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data. Customers Employees aren’t the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers. Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, threatening behaviour such as law enforcement or the tax office, or even pulling at emotions such as love and greed. In fact a Netflix phishing scam was so bad, even the FTC issued a statement warning customers about it. But phishing isn’t the only attack avenue against customers. Credential stuffing has also risen in popularity. This is where scammers take the passwords of users that have been disclosed in breaches, and use those credentials against other systems in the hope that users have reused passwords across different services. Third Parties Another avenue attackers target are third parties. This could be any company in the supply chain, or with whom the target has a business relationship with. The infamous Target breach of 2013 was conducted after attackers broke in via a HVAC company.   In a more recent incident, LocalBitcoins was targeted by attackers who were able to compromise the sites forums and redirect users to a phishing site from where they captured users credentials. Recommendations Cyber security is perhaps the most challenging game of whack-a-mole in existence. Where we plug one hole, the attackers move to another, easier to exploit hole. With this, we should look to continually move forward and proactively try and stop attackers new tactics becoming full-fledged epidemics. To do so, enterprises need to have a consistent approach to not just user awareness, but also increase awareness for their customers, and 3rd party partners. The most important things to consider would be: Password reuse Raise awareness of the dangers and risks associated with password reuse. Also provide tools or methods to help eliminate password reuse such as the use of password managers. Clicking on links & opening attachments While users within enterprises are getting some training on the dangers of clicking links or opening email attachments, this should extend to customers too. Establish good practices by avoiding sending links in emails, and asking users to navigate directly to the website to log onto their accounts. Reporting issues Finally, and perhaps most importantly is to have a simple and accessible way for both employees and customers to report any suspicious activity. Or indeed, report that they may have fallen victim to a scam by clicking on a link, opening an attachment, or sending sensitive information to a scammer.       

Le 2019-02-20


  Alien Vault - Security Have and Have-Nots
Security Have and Have-Nots Way back in around the 2010 / 2011 timeframe Wendy Nather coined the phrase "The Security Poverty Line" in which she hypothesised that organisations, for one reason or another (usually lack of funds), can't afford to reach an effective level of information security. Nearly a decade on, and while the term has sunk into frequent usage within the information security community, are we any better at solving the issue now that we've identified it? I asked Wendy on her thoughts, to which she said, “I don’t think we’ve even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform.” It’s a morbid thought, and can leave one with a feeling of helplessness. So, I thought I’d try to scratch beneath the surface to see what we can understand about the security poverty line. Technical Debt The term technical debt has become more prevalent within information security over the years. Whereby a company will accrue technical debt, or information security risk over time due to decisions they've made. For example, if a service is launched before undertaking a full penetration test or code review, it adds to the debt of fixing any subsequent issues in a live environment. Exponential Losses One of the challenges with technical debt is that it doesn’t occur in a linear manner, rather the debt, or fall below the poverty line, occurs at an exponential rate. Speaking to people who run small businesses, things become a bit clearer as to some of the challenges they face. Cybersecurity needs investment in different areas, initially that is to hire expertise, or invest in technologies. Neither of which are necessarily the smallest of investments. But then there are ongoing costs - the cost to maintain security, to undertake ongoing testing. Then, when wanting to do business with larger companies, the smaller company is usually subject to a 3rd party assurance process where they need to demonstrate they meet all the cybersecurity requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business, or even legal action from partners, regulatory fines, as well as the cost of incident recovery and PR management. How Much Information Security is Enough? With such a seemingly endless laundry list of things to consider in the security world, the question on the minds of most businesses is, ‘how much is enough’? Unfortunately, if you’re looking for a hard number, you’ll be disappointed. Because the threats and challenges present in the cyber world represent a moving target. But this doesn’t mean all effort is futile, it’s more a case of looking at the world differently. One way to look at this could be through the lens of finite and infinite games, as coined by James Carse in his 1986 book of the same name. The idea is that there are two kinds of games, finite, and infinite games. Finite games are those which have rules such as number of participants, boundaries, time duration, and so forth. After a certain period of time, a winner is declared in accordance with the agreed upon rules. If you try to look at cyber security as a finite game, you will inevitably pull your hair out in frustration and turn into precisely how urban dictionary describes Infosec. Cyber Security is more of an infinite game - one where there is no set rules or boundaries or even a winner or loser as defined in the classical sense. Rather the purpose of an infinite game is to always be in a position to continue the game. Continuing The Game Asking companies to continue the game when resources are scarce and they’re living on the security poverty line. But once you understand the game, the players, the pieces, and the moves, it becomes easier to plan your strategy. For that, it’s useful to consider the following points. 1. People Having the right people can be the difference between making it or not. It doesn’t necessarily mean hiring an entire security department. Sometimes, all it needs is a consultant to help provide guidance and steer towards best security practices to ensure security is built right from the beginning. 2. Technology IT security technologies have come a long way in the last decade. While the constant news cycle may feel like things are getting worse, we actually see more attacks that focus on attacking humans through phishing, or compromises through third parties. Therefore, it makes sense to invest broadly in technologies that offer a broader set of capabilities. These can be more affordable, not just to buy, but to maintain on an ongoing basis. 3. Outsourcing In today’s age of the cloud and service providers, in many cases it doesn’t make sense to keep everything in-house. Securing the services of a reputable MSSP can take away the need to run your own security operation centre. Or having a PR agency on a retainer can help smooth over any incidents that need reporting. 4. Insurance Finally, where risk can’t be mitigated or accepted, consider transferring it to an insurance provider. Not only can insurance help alleviate the financial cost of a breach, but it can a long way in demonstrating to customers, shareholders, or partners that insurance was part of a broad cyber security plan to keep data secure.       

Le 2019-02-08


  Alien Vault - SIEM: What Is It, and Why Does Your Business Need It?
Security information and event management (SIEM) technology is transforming the way IT teams identify cyber threats, collect and analyze threat data and respond to security incidents. But what does that all mean? To better understand SIEM, let's take a look at SIEM technology, how it works and its benefits. What Is SIEM? SIEM technology is a combination of security event management (SEM) and security information management (SIM) technologies. IT teams use SEM technology to review log and event data from a business' networks, systems and other IT environments, understand cyber threats and prepare accordingly. Comparatively, IT teams use SIM technology to retrieve and report on log data. How Does SIEM Work? IT teams use SIEM technology to collect log data across a business' infrastructure; this data comes from applications, networks, security devices and other sources. IT teams can then use this data to detect, categorize and analyze security incidents. Finally, with security insights in hand, IT teams can alert business leaders about security issues, produce compliance reports and discover the best ways to safeguard a business against cyber threats.  What Are the Benefits of SIEM? SIEM technology frequently helps businesses reduce security breaches and improve threat detection. The AlienVault Infographic and "2019 SIEM Survey Report" revealed 76 percent of cyber security professionals reported their organization's use of SIEM tools resulted in a reduction in security breaches. Additionally, 46 percent of survey respondents said their organization's SIEM platform detects at least half of all security incidents. Also, SIEM tools typically provide compliance reporting – something that is exceedingly valuable for businesses that must comply with the European Union (EU) General Data Protection Regulation (GDPR) and other data security mandates. SIEM tools often come equipped with compliance reporting capabilities, ensuring IT teams can use these tools to quickly identify and address security issues before they lead to compliance violations. SIEM tools help speed up incident response and remediation, too. A cyber security talent shortage plagues businesses worldwide, but SIEM tools help IT teams overcome this shortage. SIEM tools are generally simple to deploy, and they often can be used in combination with a business' third-party security tools. As such, SIEM tools sometimes reduce the need to hire additional cyber security professionals. Is SIEM Right for My Business? SIEM technology is designed for businesses of all sizes and across all industries. If a mid-sized retailer wants to protect its critical data against insider threats, for example, SIEM technology can help this business do just that. Or, if a globally recognized bank requires a user-friendly compliance management tool, it can deploy SIEM technology as part of its efforts to meet industry mandates. SIEM tools can even help businesses protect their Internet of Things (IoT) devices against cyber attacks, proactively seek out cyber threats and much more. How Can I Select the Right SIEM Tool for My Business? The right SIEM tool varies based on a business' security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities: Compliance reporting Database and server access monitoring Incident response and forensics Internal and external threat identification Intrusion detection and prevention system, firewall, event application log and other application and system integrations Real-time threat monitoring, correlation and analysis across multiple systems and applications Threat intelligence User activity monitoring Lastly, as you search for the right SIEM tool for your business, it often helps to partner with a proven SIEM technology provider. If you have the right SIEM technology provider at your side, your business can seamlessly integrate an SIEM tool into its day-to-day operations. As a result, your IT team can use SIEM technology to streamline its security management.       

Le 2019-02-08


  Alien Vault - Things I Hearted This Week, 1st Feb 2019
Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do. Enough reminiscing - let’s get down to it. The Big Five There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them. But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever. WIth detailed write ups and slick videos showcasing how she cut out the big five of Amazon, Facebook, Google, Microsoft, and Apple from her life, one week at a time. Life without the tech giants | Gizmondo Week 1, Amazon | Gizmondo Week 2, Facebook | Gizmondo Week 3, Google | Gizmondo Considerations for When Your Apartment Goes “Smart” Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks depending on how you look at it). Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position. Security Things to Consider When Your Apartment Goes ‘Smart’ | tisiphone Abusing Exchange: One API Call Away From Domain Admin An attacker with just the credentials of a single lowly Exchange mailbox user can gain Domain Admin privileges by using a simple tool. Very good writeup here. Abusing Exchange: One API call away from Domain Admin | dirkjanm.io Sending Love Letters The "Love Letter" malspam campaign has now changed its focus to Japanese targets and almost doubled the volume of malicious attachments it delivers. Love Letter Malspam Serves Cocktail of Malware, Heavily Targets Japan | Bleeping Computer While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vulnerable devices. The survey is part of an effort to strengthen Japan's network of Internet of Things devices ahead of the 2020 Tokyo Olympic games. I like the intent behind this initiative, but the execution leaves me a little worried. Scanning for devices is one thing, actively logging into a device is another. Will be interesting to see how this pans out. Japan Authorizes IoT Hacking | Dark Reading South Korean Delivery Apps Accidentally Leaks 26M Documents The Korean Android Apps Zcall Delivery Agent and Zcall Delivery Account Manager, which are used to schedule and report package pickups and deliveries, have accidentally leaked personal information about their users. The leaked data includes not only names, addresses, phone numbers, and delivery times, but also plaintext passwords for shop and staff logins, as well as what appears to be plaintext banking information. A statement on the company’s website acknowledges the leak and assured customers that the outflow route has been blocked, but blames the incident to the Korea Internet Promotion Agency, rather than a hacking intrusion on their servers. South Korean Delivery Apps Accidentally Leaks 26m Documents | The Daily Swig Judge Rejects Yahoo’s Data Breach Settlement Proposal Yahoo’s proposed a $50 million pay-out, plus two years of free credit monitoring for about 200 million people in the United States and Israel was rebuffed by U.S. District Judge Lucy Koh, who said she couldn’t declare the settlement “fundamentally fair, adequate and reasonable” because it did not say how much victims could expect to recover, according to court documents. In 2016, the massive data breach compromised the information of more than one billion Yahoo users affecting email addresses and other personal information marking the largest data breach in history. Judge rejects Yahoo’s data breach settlement proposal | SC Magazine Inside the UAE’s Secret Hacking Team of American Mercenaries Presented without comment - it’s a long article worth reading and drawing your own conclusions. Inside the UAE’s secret hacking team of American Mercenaries | Reuters Other Things I Hearted This Week Work Is Not Your Family, As The Fyre Festival Doc Reminds Us | Huffington Post 2019 Tech M&A Outlook | 451 Research Looking for fraud | Antisocial engineer       

Le 2019-02-08


  Alien Vault - APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs
Threat Actors That Don’t Discriminate  When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch. Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX). The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet. The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs due to the fact a that credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”: The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain. As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures. How Can APT10 Group Impact You? If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants on critical systems (such as PlugX and Redleaves). Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to existing your monitoring tools. Voila! They’ve gone from first date to a home run! Wired Magazine reported the following on APT10 in a December 2018 article: In the case of the MSP intrusions, that malware appears to have mostly made up of customized variants of PlugX, RedLeaves—which have previously been linked to Chinese actors—and QuasarRAT, an open source remote access trojan. The malware posed as legitimate on a victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign. What Can You Do About APT10 Group? For sophisticated, long-standing, and non-discriminating campaigns such as this, the NCCIC suggests there is no single or set of defensive techniques or programs that will completely avert all malicious activities — because new variants are constantly being created. Instead, security pros should be using a defense-in-depth approach (multiple layers of security) to provide a complex barrier to entry and increase the likelihood of detection. Among the key recommendations are the following (which can be easily managed via the AlienVault Unified Security Management (USM) platform). Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities. Implement an Intrusion Detection System (IDS) to: conduct continuous monitoring; send alerts to a SIEM tool; monitor internal activity. AlienVault Labs has identified more than 660 Indicators of Compromise (IOCs) associated with this campaign, which are shared in OTX.  You can use USM Anywhere or OSSIM to directly check for these IOCs throughout your attack surface. The Labs team has also released IDS signatures and correlation rule updates to the USM Anywhere Platform so customers can identify suspicious activity that could be related to this campaign. For further investigation, visit the Open Threat Exchange (OTX) to see what research members of the community have shared: https://otx.alienvault.com/pulse/59096495b8eeba365246b24d/ Also, check out US-CERT Alert (TA17-117a), Last revised December 20, 2018.       

Le 2019-02-08


  Alien Vault - Top 7 Tips for Improving Cyber Risk Management in 2019
With the constant barrage of headlines regarding breaches in the last few years, it seems that society in general has become numb to losing personal data. This year’s overarching cybersecurity theme is clear: We’re all in this together because we simply can’t do it alone. Effective defense demands a team effort where employees, enterprises, and end users alike recognize their shared role in reducing cybersecurity risks. To borrow a phrase, “If not us, then who? If not now, then when? by John Lewis.  Here are  tips for improving your cyber risk management this year. Tip #1: Balance risk versus reward. The key is to balance risks against rewards by making informed risk management decisions that are aligned with your organization’s objectives — including your business objectives. This process requires you to: Assign risk management responsibilities; Establish your organization’s risk appetite and tolerance; Adopt a standard methodology for assessing risk and responding to risk levels; and Monitor risk on an ongoing basis. Tip #2: Use your investments wisely. When determining the best strategy for future cyber investments, it’s vital that you review your organization’s current security posture and existing security controls, including technology, people and processes. Before making new investments, perform an architectural and program review to understand how the existing controls can be utilized to address your identified risks.  There are almost always ways to optimize, reduce cost, or minimize upcoming investments. Tip # 3: Be nimble; make sure your strategy can quickly adapt. Business is not static and neither are the solutions that enable and protect it. To grow, compete, and own its place in the market, a business must adopt new models and technologies to stay relevant and competitive. As the business evolves, so too must the operations and security solutions that protect it. Today, a cybersecurity strategy needs to be nimble to match the pace and dynamic modeling of the business it is protecting. Tip #4: Don’t lose sight of the data — are you asking the right questions? Before analyzing your security controls, take a step back to understand what data is needed to support the business, who that data must be shared with, and where that data is stored.  Look at your operations, the flow of data into, throughout, and outside of your organization, and the risks associated with your business model. This will give you an understanding of the exposures that the data faces, enabling you to address and prioritize security measures. The three questions most organizations should be asking are: How secure are we? Are we going to be secure based on our current and future business plans? Are we investing the right amount of time and resources to minimize risk and ensure security — especially people, technology and process? Tip # 5:  Re-imagine your security approach; don’t go looking for the silver bullet. The cybersecurity market is flooded with solutions, leaving many organizations struggling to select the right protection for their business and get the best value from their investments. Most cybersecurity solutions, however, are point solutions, which don’t adequately address today’s threats. Tip # 6:  Make security awareness stick. More than 90 percent of security breaches involve human error. These acts are not always malicious, but often careless and preventable. To change security behavior effectively, employees must know what to do, care enough to improve, and then do what’s right when it matters. An effective security awareness program can help change organizational behavior and lower risk. Look for best practices for implementing a successful security awareness training program to change employee behavior and help make your organization more secure.  Consider the answers to the following questions.: Does the program assess your users’ ability to spot real-world phishing attacks? How is the training delivered to help employees identify phishing and other social engineering tactics? Is there flexibility for planning, scheduling, and running the program? Tip #7: Think beyond compliance. Achieving Compliance is not the ultimate goal, it is about sustaining compliance. Security and Compliance are not equal. Compliance management is not a project that you start and finish, but rather an ongoing program that needs to be continuously maintained. To make the journey easier, follow an integrated compliance and risk management framework that addresses security, privacy, risk, and compliance, such as the National Institute of Standards of Technology (NIST) framework. This ensures a more manageable program and allows you to report compliance posture more efficiently.       

Le 2019-02-08


  Alien Vault - Ways to Respond to a Breach
Breaches aren’t easy to deal with, especially if you are of the opinion that companies are people too. Having seen, been part of, and lent a shoulder to many a breach, here are nine of the common ways companies respond to breaches. Delayed response A delayed response is when a breach has occurred and the company is informed a long time after the fact, usually when the data appears on a dark web sharing site. The company sometimes informed by law enforcement, or by reading about it on Brian Krebs’ blog. Complicated response (traumatic or prolonged) A complicated breach becomes severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well not anymore. Did you have European citizen data? Well say hello to my little GDPR friend. Disenfranchised response Disenfranchised breaches are where the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt by the company, but elicits little, if any sympathy from customers. Cumulative response A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT devices accounts while records are being exfiltrated out of the mainframe during a DDoS attack. A cumulative breach can be particularly stressful because a company doesn’t have time to properly respond to one incident stating how they ‘take security seriously’ before experiencing the next. Distorted response Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third party company. On occasion the finger of blame is pointed towards an employee or contractor for not patching a system. Or, in some cases, the company will want to set an example and unceremoniously fire the CISO. Inhibited response Also known as “keep this between us” is a conscious decision by a company to keep details of a breach limited to a very small group. Problems can occur if customers or regulators get wind of it, and can cause bigger issues down the road. By then, the only viable option for companies is to shred the documents, wipe the hard drives, and research countries with non-extradition treaties. Collective response Collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic in bringing all people on the same side and put their differences aside. When everyone is forced to change their passwords after a breach, it gives common ground for them to share the pain. Absent response A favourite of social media giants, absent response is when a company doesn’t acknowledge or show signs of any response. This can be as a result of shock, denial, or simply passing everything onto business as usual. It’s important to note that in some instances, just because you can’t see the signs of a response, it doesn’t necessarily mean that a company isn’t taking responsive actions. Or it could just mean they don’t care, it can be hard to tell. Anticipatory response Remember all those posters telling you ‘it’s not a matter of if, but when’ - well, that can have a positive affect as companies can go into anticipatory mode, expecting a breach and preparing accordingly. It doesn’t lessen the sting of a breach, but does allow you to have plans in place to respond and recover.       

Le 2019-02-08


  Alien Vault - Things I Hearted this Week, 25th January 2019
And in what feels like a blink of an eye, January 2019 is almost over. Time sure does fly when you’re having fun. But we’re not here to have fun, this is a serious weekly roundup of all the security news and views, with a few cynical observations thrown in for good measure. Tables Turn on Journalists Colorado journalists on the crime beat are increasingly in the dark. More than two-dozen law enforcement agencies statewide have encrypted all of their radio communications, not just those related to surveillance or a special or sensitive operation. That means journalists and others can’t listen in using a scanner or smartphone app to learn about routine police calls. Law enforcement officials say that’s basically the point. Scanner technology has become more accessible through smartphone apps, and encryption has become easier and less expensive. Officials say that encrypting all radio communications is good for police safety and effectiveness, because suspects sometimes use scanners to evade or target officers, and good for the privacy of crime victims, whose personal information and location can go out over the radio. How long before journalists start touting, “If you’re innocent you have nothing to fear.” What would really be ironic is if journalists ask that police put backdoors into their comms so that journalists could listen in. Encryption efforts in Colorado challenge crime reporters, transparency | Columbia Journalism Review Would a Detection by Any Other Name Detect as Well? One detection category is not necessarily “better” than other categories. While detection categories and descriptions might lead one to think that certain categories are better, the category alone is not enough to give a complete picture of the detection. It’s important to look at the technique under test, the detection details, and what’s considered normal behavior in your organization’s environment to help you understand what detections are most useful to you. Part 1:Would a Detection by Any Other Name Detect as Well? | Frank Duff, Medium Breach of the Week Over 24 million financial and banking documents were found online by researcher Bob Diachenko as one does I suppose. The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life. Millions of bank loan and mortgage documents have leaked online | TechCrunch Voicemail Phishing Campaign Tricks You Into Verifying Password A new phishing campaign is underway that utilizes EML attachments that pretend to be a received voicemail and prompts you to login to retrieve it. This campaign also uses a clever tactic of tricking you into entering your password twice in order to confirm that you are providing the correct account credentials. Voicemail Phishing Campaign Tricks You Into Verifying Password | Bleeping Computer 265 Researchers Take Down 100,000 Malware Distribution Websites In a showcase of the good that can happen when the right people come together, security researchers across the globe united in a project dedicated to sharing URLs used in malicious campaigns managed to take down close to 100,000 websites actively engaged in malware distribution. Called URLhaus, the project was initiated by abuse.ch, a non-profit cybersecurity organization in Switzerland. It started at the end of March 2018 and recorded a daily average of 300 submissions from 265 security researchers. 265 Researchers Take Down 100,000 Malware Distribution Websites | Bleeping computer VC Funding of Cybersecurity Companies Hits Record $5.3B in 2018 According to new data out by Strategic Cyber Ventures, a cybersecurity-focused investment firm with a portfolio of four cybersecurity companies, more than $5.3 billion was funneled into companies focused on protecting networks, systems and data across the world, despite fewer deals done during the year. That’s up from 20 percent — $4.4 billion — from 2017, and up from close to double on 2016. This isn’t Sparta, this really is madness! VC funding of cybersecurity companies hits record $5.3B in 2018 | TechCrunch Other Things I Hearted This Week U.S. CEOs Are More Worried About Cybersecurity Than a Possible Recession | Fortune How to make it big in tech and still keep the demons at bay | Guardian How Dr. Jessica Barker brought positivity into cybersecurity | The Cyber Woman How Much Time Americans Spend In Front Of Screens Will Terrify You | Forbes       

Le 2019-02-08


  Alien Vault - The Changing Face Of Cybersecurity In The 21st Century
67% of small and micro businesses have experienced a cyber attack, while 58% have experienced a data breach within the last 12 months, according to a study conducted by the Ponemon Institute. Cybersecurity has become one of the major questions that plague the 21st century, with numerous businesses reporting significant losses resulting from loss of private customer data, denial of service (DoS) attacks that cripple operations and internal employee threats that pose a growing data security challenge for both small and large companies. When you consider the effects of the cyber attack in Alaska and the astounding number of businesses it crippled, it's clear that businesses owners need to understand the threats they face today. The Question of Cybersecurity A few decades ago, the thought of cyber warfare would have seemed far-fetched to say the least. But today, it has become as likely as it is terrifying, especially when you consider how many of our gadgets are connected to the internet - mobile phones, smart TVs, PCs, and IoT devices. The technical advancements in data-hacking have led to the parallel development of data-protection. While downloading an antivirus software may previously have been sufficient protection, this is now only a preliminary measure, and must be coupled with stronger controls like 2-factor authentication, access control, and raising threat awareness. The cyber-security industry grows steadily each day, and it is now possible to find adequate protection for all your gadgets: from your phone to your tablet and yes, even your new television set. Artificial Intelligence Shaping Cybersecurity If you have a basic interest in the tech world, you will have undoubtedly come across Sophia. Sophia is a humanoid robot and may be termed by many as the perfect illustration of how far AI has come. It is for this reason that AI is leading the cybersecurity field. This is through the application of the concept of synthesizing data. Basically, what this means is that two independent chunks of information can be combined to arrive at a single conclusion. In layman's terms, AI is expected to improve cybersecurity by speeding up incident response when malicious activity is detected, thwarting ransomware and automating practices. This way, companies will be able to remain a step ahead of potential cyber threats.   The Future of Cybersecurity Innovation Conventionally, data transfer has been achieved through electrical signals. However, this may change if we enter the era of data exchange through light signals. This works through the use of photons as carriers of quantum information in cyberspace. Photons are light particles which are generated simultaneously in pairs. With timing controls, this would mean that data transfer would only be possible if twin-photon particles existed for the sender and recipient. Ultimately, the only way to hack the data would be to upend the laws of physics. More innovations like deep learning, cloud technology, and hardware will revolutionalize the future of cybersecurity, making it easier for companies to prevent cyber attacks. The field of cybersecurity is shifting and improving daily to match the changing needs of today’s cyberspace. It is essential that everyone, including businesses, become familiar with the means with which to protect their data. Understanding the changing face of cybersecurity is a key step to achieving that goal.       

Le 2019-02-08


  Alien Vault - Things I Hearted This Week, 8th February 2019
What a wild week it’s been. There have been assaults on researchers (ok, just one that I know of), there’s a great look into changing company cultures, and RDP has a flaw. All this and more, in this week’s action-packed edition of things I hearted this week. Assaulting Researchers The short version is that researchers found a significant vulnerability in a vendor's Casino app, they reported it, and for their troubles, were assaulted by the COO. Probably not the bounty any researcher wants in return for trying to do the right thing. It reads out as a mixture between a good novel, and something you’d imagine playing out on Jerry Springer. There’s not enough popcorn for this. Researcher Assaulted By A Vendor After Disclosing A Vulnerability | Secjuice Analyzing the 2019 RSA Innovation Sandbox Finalists With RSA fast approaching, Kelly Shortridge dons her analyst hat and gets to work. This time examining the innovation sandbox finalists and their finding status. Analyzing the 2019 RSA Innovation Sandbox Finalists | Medium, Kelly Shortridge Related, Kelly’s 2018 BlackHat USA 2018 business hall analysis Analyzing the Black Hat USA 2018 Business Hall | Medium, Kelly Shortridge And while it’s a couple of years old now, I can’t talk about analysing RSA without Cyentia Institute’s brilliant analysis of 15,000 RSAC CFP submissions to uncover trends and evolution. These cybersecurity words are golden - and so are their insights | RSA How Hackers and Scammers Break Into iCloud-Locked iPhones In a novel melding of physical and cybercrime, hackers, thieves, and even independent repair companies are finding ways to "unlock iCloud" from iPhones. How Hackers and Scammers Break into iCloud-Locked iPhones | Motherboard Changing Cultures These days in infosec, we hear a lot about culture change, in particular how it relates to security awareness and training. But one has to sometimes look far and wide for examples of where a culture has been successfully changed that has benefited the people as much as the company. This is a fantastic and insightful article into how Satya Nadella tackled the culture challenge within Microsoft. How do you turn around the culture of a 130,000-person company? Ask Satya Nadella | Quartz Accidental Personal Info Disclosure Hit Australians 260,000 Times Last Quarter The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed around 269,621 separate cases of individuals having their personal information impacted as a result of a human error. The report [PDF] says that during the period covering October 1, through to December 31, 2018, 262 notifications of data breaches were received by the Office of the Australian Information Commissioner (OAIC), with 85 being put down to human error. Accidental personal info disclosure hit Australians 260,000 times last quarter | ZDNet WhatsApp 'Deleting 2m Accounts a Month' to Stop Fake News WhatsApp says it is deleting 2m accounts per month as part of an effort to blunt the use of the world’s most popular messaging app to spread fake news and misinformation. The Facebook-owned service published the data as part of a white paper on “stopping abuse” that was launched on Wednesday in India, the biggest market for the company with more than 200m users. WhatsApp 'deleting 2m accounts a month' to stop fake news | Guardian The Nightmare on Service Desk Street Many “ITIL aligned” service desk tools have flawed incident management. The reason is that incidents are logged with a time association and some related fields to type in some gobbledygook. The expanded incident life cycle is not enforced and as a result trending and problem management is not possible. The nightmare on service desk street | Medium, Ronald Bartels Remote Desktop Protocol Flaws Could Be Exploited to Attack RDP Clients A research firm has disclosed multiple vulnerabilities in the Remote Desktop Protocol that, if left unpatched, could allow compromised or infected machines to attack the RDP clients that remotely connect to them. In a blog post, Check Point Software Technologies researcher Eyal Itkin refers to this scenario as a reverse RDP attack because the RDP servers installed on the compromised machines essentially reverse the normal direction of RDP communication in order to control and execute code on the client device. Reserve RDP attack | Checkpoint Remote Desktop Protocol flaws could be exploited to attack RDP clients | SC Magazine Google's New Chrome Extension Warns You If Your Passwords Have Been Exposed Google has rolled out two new tools to help the password-challenged beef up their security game. The first is a Chrome extension called Password Checkup that can identify if you’re using a password that’s been exposed in a third-party data breach. The second is a feature called Cross Account Protection, which helps protect apps you’ve signed into with your Google account. Google's New Chrome Extension Warns You If Your Passwords Have Been Exposed | Gizmondo Other Stories I Hearted This Week Apps you've never heard of that your teen is already using | CNN When Bad Behavior Goes Viral | Medium, James Rush       

Le 2019-02-08


  Alien Vault - How Malware Sandboxes and SIEMs Work in Tandem to Effectively Detect Malware
Rohan Viegas of VMRay explains some of the key factors IT security teams should consider when evaluating a malware analysis sandbox and whether it’s a good fit for their existing SIEM environment. He then outlines how VMRay Analyzer complements and enhances the capabilities of AlienVault’s flagship platform, USM Anywhere. For IT security organizations, malware threats and attacks continue to play a prominent role in the threat landscape. According to Verizon’s 2018 Data Breach Investigations Report: Of the 2,216 data breaches that were studied by participating security vendors, 30% involved malware. Six types of malware (ransomware, C2, RAM scraper, backdoor, etc.) were among the top 20 varieties of action used in the data breaches covered in the study. Ransomware, used primarily to commit financial crimes, is now involved in more than 40% of malware attacks. Malware attacks can be completed in minutes. However, due primarily to poor detection, an intrusion may not be discovered for weeks or months, potentially causing damage all the while. “Full-featured SIEM, Looking for the Right Malware Sandbox” When selecting an automated malware analysis sandbox to address these challenges, IT security teams should not only compare the side-by-side capabilities of different vendor products. They should also weigh how a particular sandbox will interact with their existing SIEM platform and the extent to which a product’s strengths (or its weaknesses) are utilized across the managed security ecosystem. Below are some key points to consider. The sandbox’s detection efficacy. Malware today is designed to recognize when it is running inside an analysis environment and to stall or exit in the sandbox, thereby evading detection altogether or inhibiting the analysis by not fully revealing its behavior. This leaves blind spots in the analysis results, which can then be carried over to the SIEM. A key quality to look for in a sandbox is its ability to reliably conceal itself from the samples being analyzed so the malware can fully execute, giving you comprehensive visibility into the threat. The quality of Threat Intelligence that can be shared. Another consideration is what types of threat information can be ingested by your SIEM and made available across your security environment. Important IOCs include severity scores, suspicious behaviors, network activity, dropped files etc. You also need to consider how complete that information is. Full visibility into malware behavior is essential for generating quality threat intelligence. For instance, if you discover a malicious file, the analysis results should detail all the places it tried to reach out to, all the bad files it tried to create, and all the registry keys it tried to touch or modify. How can the Threat Intelligence be used once your analysis results are handed off to your SIEM? Can the data be easily monitored? Correlated with other data sources? What actions can you take with this information? To build on the prior example, if your sandbox identifies a new malicious file that has reached out to an unfamiliar and presumably bad IP address, can you search your entire infrastructure for systems that have also accessed that address? Rising to the Challenge For organizations that have USM Anywhere or another comprehensive SIEM platform in place, adding VMRay Analyzer to the managed security environment addresses these core challenges, strengthening the ability to detect and respond to malware threats, attacks and vulnerabilities more quickly and effectively. Unlike traditional malware sandbox solutions, VMRay Analyzer runs solely in the hypervisor layer and does not modify a single bit in the analysis environment. The sandbox remains completely invisible to the malware sample and can transparently monitor all aspects of the malware’s behavior, without triggering the evasion techniques that thwart detection and analysis in other sandboxes. In turn, analysis results provide complete and detailed visibility VMRay Analyzer’s Intelligent Monitoring engine, for example works much like an auto-zoom lens on a camera, adjusting to find the optimal level of monitoring. This allows analysts to distinguish between legitimate operations performed by the OS and trusted applications and unusual or malicious activities performed by the monitored sample. The result is to ensure security teams don’t miss any critical information while also delivering results that are precise and noise-free, with minimal false positives. Once VMRay malware analysis results are ingested by the SIEM, using VMRay’s REST API interface, that information gains wider use and greater value. It can be monitored, searched, correlated with other data sources, and shared with security devices, such as firewalls and endpoint protection system. It can also be investigated and acted upon. In addition, VMRay also has an out-of-the-box SIEM integration by publishing analysis alerts in Syslog/CEF format. These customizable syslog messages are generated when critical events occur. Here are some of the ways VMRay Analyzer makes SIEM environments, such as USM Anywhere, more efficient, useful and comprehensive. Ensures timely analysis and detection of zero day and polymorphic threats—as well as known threats—and translates that information into actionable intelligence. Automatically propagates analysis results (including sample details, severity scores, IOCs, network activity and YARA rule matches) to the SIEM’s centralized environment. Improves the productivity and effectiveness of analysts and incident responders by providing all the information they need and only the information they need to analyze and respond to malware threats, vulnerabilities and attacks. Eliminates the productivity-killing noise and false positives that many sandboxes generate, while also ensuring irrelevant information is not pumped into the SIEM environment. Continually adds to the malware-related threat intelligence that is made available to the SIEM. Sandboxes and SIEMs work in tandem to effectively detect malware or respond to a security breach. Choosing an evasion-resistant sandbox that generates precise, actionable Threat Intelligence ensures that you will have a good fit with your existing SIEM environment.       

Le 2018-12-27


  Alien Vault - The Dangers of Free VPNs
If you use a free VPN, then you have to wonder how your provider earns money to cover their own costs. The answer often involves advertising, but it can also be through far more sinister means. Running a VPN service costs a significant amount of money. There are setup costs, infrastructure costs, labor and other running costs. The companies behind these services generally want to make a profit as well. Why are free VPNs a problem? It really depends on your use case, but in general, VPNs are used to enhance both the online privacy and security of those who use one. Privacy and security tend to involve trust, which becomes especially important when we consider VPNs. To understand this properly, we have to take a step back and examine how VPNs protect their users. The most common analogy is that a VPN provides an encrypted tunnel between the VPN client on a user’s device and the VPN server. This tunnel essentially means that no other party can see the connections and data you are transferring between your device and the exit server. Your ISP, the government and other snoopers will be able to see that you are sending encrypted data through a VPN, but they won’t be able to see what it is. If someone is examining the traffic between the exit server and the website you are visiting, they will be able to see that someone from the VPN’s server is connecting to the site, but they won’t know where the connection originates from. In this way, a VPN’s encrypted tunnel protects users and their information from outside parties like hackers and governments, and also allows users to get around geo-restrictions by making it seem like their connection is coming from another place. The point is that the VPN provider is the one that keeps you safe by letting you use their encrypted tunnel. Since all of your data goes through the provider, you need to find one that you can trust. If you can’t trust your provider, how can you know that your data is being kept secure and private? What can a VPN provider see? Technically, VPN providers have the capacity to see everything you do while connected. If it really wanted to, a VPN company could see what videos you watched, read emails you send, or monitor your search history. Thankfully, reputable providers don’t do this. A good provider shouldn’t take any logs of your activity, which means that although they could theoretically access your data, they discard it instead. These “no-log” companies don’t keep copies of your data, so even if they get subpoenaed by a government agency, they have no data that they can hand over. VPN providers may take different types of logs, so you need to be careful when reading the fine print of any potential provider. These logs can include your traffic, DNS requests, timestamps, bandwidth and IP address. It will depend on your use case, but if you want your VPN to provide the highest level of privacy, then you will want to choose one that records no logs at all. How do you know if a VPN provider keep logs? Most VPN providers will state on their websites whether or not they take logs, and if so, what kind. If the privacy policy doesn’t state the logging policy, or they make their logging process unclear, it’s best to assume the worst. No-log policies can be a huge selling point of many VPNs, so if a company doesn’t make their practice clear, it’s best to assume that they do keep logs in some form. How can you trust a VPN provider’s claims? At the end of the day, you can never really be 100 percent sure. The closest we can get is if a VPN provider was served a warrant or subpoena and was unable to give any data because they simply don’t have it. Even so, a provider may change their practices after a the court order has been carried out. While this may seem disheartening, the reality is that we don’t really need 100 percent confidence. For most situations, 99.99 percent is more than enough. You just need to find a VPN provider that you can trust enough for the activities that you intend to conduct over their service. There are a range of things that you will need to consider when evaluating whether a VPN provider is trustworthy enough for your intended uses. First, you will want to see that their website looks reputable. If everything checks out, you will want to go through their privacy policy and legal statements to ensure that everything is legitimate. Then you will want to do some background research to see if the company has been involved in any dodgy practices, and whether its users are generally happy with the service. NordVPN recently became the first provider to undergo a voluntary third-party audit of its zero-logs policy. Other providers like ExpressVPN have had their servers seized by police, but the servers contained no information of use thanks to no-logs policies. If you do a thorough search and it doesn’t bring up any red flags, then you can probably trust the VPN provider’s claims. This is because most established providers aren’t willing to sacrifice their long term revenue by doing something unscrupulous. They have a vested interest in keeping their users around and attracting more in the future, because keeping the business reputable will be worth more in the long run. Can you trust free VPNs? Paid VPNs can be dodgy, but free VPNs are even more of a minefield. From loading malware onto your computer to selling your data to third parties, there are countless dangers. This list narrows some of the offerings down a bit, but there are still many complications to consider. When it comes to free VPNs, the relationship between the provider and the user is different to that of a paid VPN. The user isn’t paying the provider any money, so the provider doesn’t have to do much to keep the user happy. How bad a service will be tends to depend on the VPN provider’s business model: Advertising Some free VPN companies make their money through advertising. This can range from showing banner ads to users, such as Psiphon, to those like Hotspot shield, which the Center for Democracy and Technology alleged tracks users and hijacks web requests. Many free VPNs insert advertisements into your web browser, and these ads can place tracking cookies on your device to monitor your browsing. If a VPN provider places ads in their app, it’s far from ideal, but it’s also hard to criticize a service for trying to monetize itself in some way. If a provider is actively tracking its users, this spells much bigger problems, particularly for those with privacy and security concerns. Although Hotspot Shield claims that it doesn’t collect “information that allows us to trace Internet usage on Hotspot Shield back to individual users”, VPN users are better off avoiding services that track them. Malware distribution Some free applications may look like they are offering an excellent service, when they are actually an underhanded way for hackers to install malware. It can be hard to know for sure whether an app does this, so it’s always best to be prudent when downloading software. In an academic study, numerous VPNs were run through a host of different virus scanners. Some free VPN apps such as Betternet and OKVPN tested positive for malicious activity in many of these tests. Those looking for a new VPN should err on the safe side and stay away from any free VPN that looks like it might be used to infect their devices. Botnets One of the most alarming VPN controversies of the last few years was when the popular service Hola was taken advantage of to form a botnet. Due to how the service operates, the bandwidth of Hola users was leveraged in an attack on 8chan. Obviously, no one wants their devices to be part of a botnet that attacks other individuals or organizations. This is just another instance shows how users need to be careful when dealing with free VPNs. As a free offering to attract users to a premium VPN service Some VPN providers offer a free service as a way to draw new users toward their paid services. These vary in quality, but they can often be more legitimate than the free VPNs that rely on other business models. Free tier services like Hide.me and Windscribe aren’t necessarily bad, but they are much more limited than paid VPNs. Research VPN Gate is operated by the University of Tsukuba using volunteer resources. The university runs it as an experiment, but anyone can use it or operate a node to contribute to the network. As an experiment, its service is pretty restricted, but it’s also less likely that a university would be using the network for any illicit activity. If a VPN’s free, it’s probably not fast Trust issues aren’t the only problems that come with free VPNs. They also tend to be slow and have other service limitations. It’s an old cliche, but with VPNs, you really get what you pay for. On free plans, the providers are hardly rolling out the red carpet, so users will have to put up with subpar service. Free VPNs often have fewer servers, which can force users to connect to those in less-than-ideal locations. This can make the speed much slower. In addition, some free VPN servers have heavy congestion, which can make connections stall to a near standstill. Other providers may force free users to wait in queues so that they don’t clog up the network. A lot of VPNs also have bandwidth limits that restrict the speeds that free users can access. Many have data caps as well, which tend to be between 512MB and 2GB. This amount of data won’t get most people too far. A few hours of heavy browsing could easily eat up the cap and watching videos will drain it much faster. What can you use free VPNs for? Now that you understand a little bit about how free VPNs work and their various business models, we can talk about their limitations. As we have just discussed, free VPNs tend to operate in ways that really restrict their use. These range from those that simply can’t be trusted and should be avoided at all costs, to those which have very low data caps or bandwidth limits. If you absolutely require privacy and performance, you will need to go with a paid provider that is well-regarded. In saying that, there can be circumstances where a free VPN will help you without putting you in serious danger. These include if you need to spoof your location temporarily, or if you need to get around internet restrictions. Again, you need to make sure that you aren’t engaging in risky or illegal behavior if you are using a free VPN. Most of them are simply far too unreliable. If you are going to use a free VPN, please make sure that you do your research and find a reliable provider that suits your needs. Using an untrustworthy provider can give you far more trouble than accessing the internet without one. What shouldn’t you use free VPNs for? In an ideal world, you wouldn’t use a free VPN at all, because the services are far too limited. Despite this, there are a lot of people who simply don’t have the money or don’t want to pay a few dollars each month for a reliable service. Anyone who does use a free VPN needs to be aware of their issues and be incredibly careful with how they use it. They absolutely must not engage in any illegal behavior, nor anything that requires a high degree of security or anonymity. As we discussed earlier, a VPN provider has the capacity to access all of the data that goes through their service. When the service is being provided to you for free, the provider doesn’t have much of an incentive to provide you with a reputable service. If you can’t trust the provider to give you a high-level of service, then you can’t trust them to be responsible for your privacy and security. Everything on the internet should be free One of the key issues isn’t with VPN technology itself, but with our attitudes to technology services in general. Many people have grown up in the internet age and become accustomed to free content, products and services. This is generally supported by advertising and other means. These funding models have provided opportunities for the poor to access all kinds of media and technology that traditional payment models would have locked them out of. It’s hard to deny that this has been a good thing in many ways, but it has also had some unfortunate results. The overwhelming amount of free stuff in our lives has left many of us unwilling to pay for things which we would have in the past. With many products and services, such an attitude doesn’t cause problems. With VPNs, it can be a big issue. If you really care about your privacy and security, your best course of action is to stay far away from free VPNs, because they simply don’t provide a service you can trust.       

Le 2018-12-24


  Alien Vault - Let‘s Chat: Healthcare Threats and Who‘s Attacking
Healthcare is under fire and there’s no sign of the burn slowing. Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more. Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself. So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subjects of two FBI Alerts in 2018. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.   SamSam attackers are known to: Gain remote access through traditional attacks, such as JBoss exploits Deploy web-shells Connect to RDP over HTTP tunnels such as ReGeorg Run batch scripts to deploy the ransomware over machines SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading it off in the AlienVault Open Threat Exchange (OTX), our community of 100,000 users who contribute information on threat intelligence which is also curated by AlienVault Labs.   You can also get more details from the AlienVault blog post “SamSam Ransomware Targeted Attacks Continue.”  And, you can find detailed recommendations for preparing for SamSam and other, related attacks from HHS, FBI and US-CERT. Wait! There’s More. Here’s an overview of the trending threats AlienVault Labs has identified for 2018.   What We’re Seeing How to Learn More Other, opportunistic ransomware threats for criminal gain  . . . The most commonly seen threat to the healthcare in 2018 remains opportunistic. This is typically ransomware that targets anyone who happens to be vulnerable. And, it continues to cause an outsized amount of damage to the industry. Some examples of the most damaging will likely trigger your memory: WannaCry Indicators, GrandCrab Ransomware, VSSDestroy Ransomware   Defray ransomware Off-the-shelf ransomware used to target the healthcare sector GandCrab ransomware puts the pinch on victims VSSDestroy ransomware WannaCry indicators Fallout exploit kit releases the Kraken ransomware on Its victims   Targeted threats for criminal gain . . . There are a number of organized criminals who have moved to targeting healthcare providers with  targeted ransomware due to the criticality of continued operation. One example is the SamSam ransomware.   SamSam ransomware campaigns SamSam — the evolution continues netting over $325,000 in 4 weeks SamSam ransomware SamSam: the doctor will see you, after he Pays the ransom   Targeted threats for espionage that are led by organized crime . . . Threat actors are committing  corporate espionage for criminal gain — for example, by gaining insight into drug trials to inform investment decisions. Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia Powerful threat actor Wild Neutron returns for economic espionage FIN4 group is hacking the street More information from the FIN4 group attacking public companies Parasite HTTP RAT cooks up a stew of stealthy tricks   Targeted threats for espionage, let by nation states . . . Whilst rare, there are some threat actors that commit espionage against the healthcare sector to provide assistance to state-owned companies or to retrieve the healthcare data of high-profile individuals. Network health: advanced cyber threats to the medical & life sciences industries Tropic Troopers new strategy Intrusions affecting multiple victims across multiple sectors Wekby attacks use DNS for C2 Indian organizations targeted in Suckfly attacks Black Vine: Formidable cyberespionage group   Want more information?  There are a number of organizations, such as Healthcare-ISAC, that can provide additional information on threats seen within the healthcare sector. For any queries regarding this report, please contact labs@alienvault.com.       

Le 2018-12-20


  Alien Vault - Network Penetration Testing
What is Penetration Testing? Penetration testing, often called “pen testing” is one of several techniques used to verify cybersecurity posture and provide a level of assurance to the organization that its cyber defenses are functional. It’s a way of testing defenses against an adversary who mimics a cyber-criminal actor. First Rule of Network Penetration Testing: Make sure you have a signed contract to perform the services of a pen tester, including a statement of work, and a detailed scope for the engagement. Failure to follow this advice could result in civil and/or criminal legal action being taken against you. It should be noted that many compliance and regulatory requirements, including the General Data Protection Regulation (GDPR) require an organization to undertake regular testing to evaluate the effectiveness of organizational security controls. It stands to reason that the further an adversary can penetrate into your organization and retrieve sensitive and/or confidential information, the more evident the business case for improving your cyber security posture becomes. The technique of cyber security pen testing is not without controversy. Detractors of pen testing as a cybersecurity test identify the techniques used by professional pen testers as generally reserved for sophisticated cyber criminals or nation state actors. The argument then is pen testing does not mimic the “every day” cybersecurity threat faced by the organization based upon the level of risk tolerance. Although that argument runs right up against the evolution of and increasing sophistication of cyber-criminal attacks, an organization may not have the financial or IT resources to deal with the outcomes or recommendations of the pen test. In fact, a pen test can be a demoralizing experience for the organization’s already stressed IT resources and potentially document risks the organization would rather not have illuminated. Simply put, a pen test requires a basic level of cyber hygiene and organizational readiness – there has to be organizational will to mitigate the “findings” of the pen test. If the organization has not instituted basic cyber security controls as prescribed by UK Cyber Security Essentials or the CIS top five security controls, then money invested in a pen test may be quite wasteful. In short, If the organization has not: 1.     Secured the internet connection with a firewall 2.     Secured organizational devices and software 3.     Controlled access to organizational data and services 4.     Protected organizational endpoints from viruses and other malware 5.     Made sure organizational devices and software are up to date Then the pen test will not go well for your organization and an adversary will have a field day. Penetration Testing Tools There is a myriad of pen testing tools available with the majority being open source. The profession of Pen Tester is linked to professional certifications such as Certified Ethical Hacker, CompTIA Pen Test+ and Offensive Security Certified Professional (OSCP), and an extensive SANS curriculum all built around pen testing and use of popular tools is available. Here is a list of common pen testing tools (OK, my favorite tools!) pen testers will unleash on an organization. Many folks in the business of professional pen testing have their own preferences and/or professional software is also available. Common Network Penetration Testing Tools Nmap – Free! Network scanner and enumerator, supported by a massive community and extensible with a great deal of scripting capability. The Metasploit Framework available on Kali Linux – Free! Many special purpose pen testing tools, password crackers as well as wireless security tools. I would say this is an accepted industry standard. Zap – Free! An older attack proxy framework used to evaluate website and web application security. I like it and find it easy to use as I am not skilled enough to use something like Burp Suite against a website. Nessus – Not free. This software does require professional licensing to use as a professional pen tester, but it is an excellent vulnerability scanner. (Another one I recommend is Outpost 24.) Maltego Community Edition – Free! This does not do any pen testing but it is my go-to-documentation tool for network mapping and domain enumeration. Mostly a cyber threat intel platform but to make the pretty pictures it’s a lot more automated than Microsoft Visio. As a professional pen-tester you are only as good as your Google-Fu. Depending on the nature of your engagement, websites like Shodan, ExploitDB, or even searching for “Default Password for <insert make> <model number> device” will yield sources of information which may provide useful. It’s also surprising how frequently reverse IP lookups and domain name registration information is necessary to conduct the pen test. Website Penetration Testing This is really a subset of network penetration testing and is firmly (at least in my opinion) in the realm of software developer meets adversary. Websites are complex layers of software which usually connect to a “back-end” database. The database is potentially filled with customer or employee information which a cyber-criminal would like to steal & sell and/or destroy with ransomware. Thousands of hours of developer time may have gone into the creation of customer facing websites and they may even have access to credit card payment information. No matter what the database contains it needs to be defended and it is through any number of techniques a cyber-criminal can gain unauthorized access. Although a scanner like Burp Suit or ZAP can detect many of the OWASP 10 common vulnerabilities, a skilled web application pen tester can target the website’s API(s) to perhaps coax information from the site which should not be revealed. Because websites are intensely linked to the organization’s online brand and may be a primary source of revenue, many organizations insist on a web application pen test before a site goes live. Penetration Testing Report In most cases this is called the “dread” pen testing report. For most organizations who thought they had a decent security posture, this report usually suggests a lot more can or needs to be done. What makes for a good report is a list of the most impactful, readily achievable, and least expensive to implement solutions to the discovered shortcomings. The best pen test report also identifies items which the organization is doing well in addition to items the organization needs to improve upon to allow for some solace as the mountain of work to do is revealed. One of the most powerful metrics and a significant boost to organizational compliance is to use the pen test report as a road map for key IT projects, process or technology implementations in the next year. The first pen test the organization receives sets the need for future improvement. The second pen test report should have measurable improvements. If there has been no improvement between the two it may be time to consider a radical course of improvement before your organization is targeted by a real cyber-criminal adversary.       

Le 2018-12-19


  Alien Vault - AlienVault Monthly Product Roundup October / November 2018
At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Let’s take a look at the highlights from our October and November releases: Mac OS Support for the AlienVault Agent In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements. In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts. AlienVault Agent Queries as Response Actions USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.) To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule. Launch AlienVault Agent Queries from Agents Page In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed. Asset Group Enhancements for the AlienVault Agent Asset Groups help USM Anywhere users group similar assets for specific purposes. For example, you might want to assign assets to the PCI DSS  asset group to keep track of the assets in scope of your CDE. We’ve added a new “Assets with Agents” dynamic asset group containing all assets that have the AlienVault Agent deployed. We’ve also expanded asset group functionality by adding the ability to assign AlienVault Agent profiles to asset groups. You can do this by selecting the “Assign Agent Profile” option from the Actions menu for a specific asset group. Improved Ability to View Suppressed Alarms We’ve improved the filtering options available on the Alarms page to support the display of only suppressed alarms. This change has no effect the default Alarms view, which does not include suppressed alarms. Certificate Upload for TLS-Encrypted Syslog In addition to the digital certificate provided through USM Anywhere, customers can now upload their own server certificate and CA certificate to enable the SSL connection for TLS-encrypted syslog transport. Certificates can be uploaded from a new Settings tab in the Syslog App configuration page located at Data

Le 2018-12-17


  Alien Vault - Things I Hearted this Year 2018
It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began. I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week. Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories. In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget) Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year. January 12th Edition Toy Firm VTech Fined Over Data Breach VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children. Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest. Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security. FTC fines VTech toy firm over data breach | SC Magazine FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | Techcrunch March 9th Edition SAML, SSO Many Vulnerabilities SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password. Sounds like a lot of fun. Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO March 30th Edition Investigating Lateral Movement Paths with ATA Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user. Investigating lateral movement paths with ATA | Microsoft May 18th Edition Hacking the Hackers A hacker has breached Securus, the company that helps cops track phones across the US. You'd think that if you were a company that collected all sorts of phone data, and location tracking, and work with law enforcement, you'd be a bit more careful in how you store the data. Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement official’s phones, according to court records. Hacker breaches securus, the company that helps cops track phones across the US | Motherboard Service meant to monitor inmates' calls could track you, too. | NYTimes June 1st Edition Your Data Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private. "The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?" Why Is Your Location Data No Longer Private? | Krebs On Security But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data. This Guy Is Selling All His Facebook Data on eBay | Motherboard July 6th Edition 10 Things To Know Before Getting Into Cybersecurity You may know Kevin Beaumont as @GossiTheDog on twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he's a man of more talents than just twits, he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.   10 things to know before getting into cyber security| Double Pulsar Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based). Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog August 31st Edition Probably The Best Tech Keynote in the World I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University. I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving out 50 minutes out of your day to watch his keynote entitled, Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models October 5th Edition Bupa Fined £175k International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web. The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account. The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year. Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk | The Register November 30th Edition The $1M SIM Swap A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency. SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet       

Le 2018-12-14


  Alien Vault - The REAL 2019 Cyber Security Predictions
It’s December, which means it’s time to get those 2019 cyber predictions going. While there are many well-informed, and some not-so-well informed opinions out there, I’ve dug through the cyber underground, I’ve climbed data mountains, and delved to the depths of the dark web to seek out what is really happening. Having spilt coffee, redbull, and tears, I am proud to present the soft underbelly of the cyber security industry, and what the future will hold. You’re welcome. Jayson Street will be exposed as a secret agent charged with obtaining DNA samples of as many hackers as possible. Close inspection will reveal Jayson stealing a strand of hair every time he offers an “awkward hug”. Having been outed, he will go on to start a podcast called, “The word on the Street” HaveIBeenPwned will be purchased by FireEye. Troy Hunt will take the money and move to New Zealand where he’ll setup another website called “YesYouArePwned” with Kim dot com. Bug Bounty and vulnerability disclosure pioneer Katie Moussouris will have no less than 10 instances a month of bug bounties being mansplained to her. At least 2 a month will try to prove her wrong by citing papers, without realising she authored them. Richard Bejtlich will tell the world how it’s actually Papua New Guinea that is responsible for the majority of APT’s. He’ll admit that China was initially blamed as an internal joke that went a bit too far. Jeff Moss will look in disgust at what he has created. In a fit of rage he’ll punch the ground, pull his hair yelling, “I’ve created a monster!” and cancel DEF CON. This will create a domino effect as all other conferences will come collapsing, leaving no security conferences active by the end of the year. SwiftOnSecurity is unmasked as being The Grugq who would have gotten away with it, if it weren’t for those meddling kids. Stuck in traffic YouTuber Wolf Goerlich will finally take a different route into work and realise traffic ain’t all that bad. As a result YouTube suspends his account, declaring the title misleading. Which is a polite way of saying ‘fake news’. Investigative journalist Brian Krebs may unofficially be many companies' IDS, but in 2019 he’ll take it to new heights while launching his own subscription-only service called B-KIDS (Brian Krebs IDS)  which companies can use to get the heads up if they’re going to be outed. Reunions will become common, as professionals grow bored of corporate life. L0pht Hacking Industries will furiously lobby the US government, while over in Europe the Eurotrash Security podcast will regroup and take the show on the road once again. Marcus Hutchins reveals he was never really arrested by the FBI. Claims he just wanted a bit of “me time” and thought this would be the best way. (ISC)2 will cease offering the CISSP certification, stating that there is now a global surplus of security professionals and the number needs to be reduced. Independent analyst Kelly Shortridge reveals the magic that goes into magic quadrants, waves and other analyst firms methodologies. Confidence in analyst firms will take a dip as a result. Kelly will then sell the rights to the movie, The Big Short(ridge) Award-winning blogger and podcaster Graham Cluley will go through the whole of 2019 without winning a single award. Mega breaches will have reached the tipping point and GDPR will have been found ineffective. In a last ditch effort, companies that offer affected customers a year's credit monitoring will no longer be deemed sufficient. Rather companies will be forced to create whole new identities for affected individuals, complete with backstories, like witness protection programs do. Finally, world governments will see the error of their ways and stop trying to backdoor crypto. Have a happy 2019 folks!       

Le 2018-12-13


  Alien Vault - New AlienVault and AT&T Cybersecurity Consulting Solution for Cyber Risk and Compliance Management
Let’s face it, managing cyber risk and compliance is hard. Many organizations struggle to gain the visibility needed to truly understand their overall cyber risks. They also struggle to maintain that visibility as they take on digital business transformation and new cloud computing initiatives. It’s no easy task for organizations to continually align their security priorities to changes in the regulatory landscape, their IT environment, and an always-shifting threat landscape, especially for organizations with limited IT resources. That’s why we are excited to announce a new solution to help organizations of any size to help reduce their cyber risks and simplify their journey to work toward compliance. Together, AT&T Cybersecurity Consulting and AlienVault, an AT&T Company, are bringing together the people, process, and technology in one unified solution to help organizations improve cyber risk and compliance management. In doing so, we’re making it simple and fast for organizations to consolidate their requirements and to accelerate their security and compliance goals. Download the solution brief to learn more. “Managing cyber risk and compliance requires an ongoing review of your IT assets and data, security practices, and personnel — and no single security tool provides that holistic visibility,” said Russell Spitler, SVP of Product for AlienVault, an AT&T company, “With a unified solution from AT&T Cybersecurity Consulting and AlienVault, we can help organizations to reduce the complexity and cost of having to juggle multiple products and vendors.” This solution addresses many of the most challenging aspects of meaningful risk reduction (i.e. you are actually making progress in reducing risks, not simply “managing risks,”) and maintaining continuous compliance. The solution includes: risk assessment, scanning and remediation vulnerability assessment, employee cybersecurity awareness training,  continuous network monitoring for the latest threats, and reporting for compliance as well as for internal policy. It is ideal for organizations that are getting started with or want to accelerate their efforts for PCI DSS or HIPAA, but also for non-compliance organizations that are looking to evaluate and improve their cyber risk posture quickly and efficiently. Unlike other solutions for cyber risk and compliance that are often oversized and do not adapt to an organization’s existing security model, AlienVault and AT&T Cybersecurity Consulting offer flexible options that allow any organization to tailor-fit a solution to their unique environment, business goals, and budget. The solutions include: Risk-based Cyber Posture Assessment led by AT&T Cybersecurity Consultants ASV-provided External Vulnerability Scanning Services from AT&T Consulting Services AlienVault USM Anywhere - a unified platform for threat detection and response AT&T Cybersecurity IQ Training - cybersecurity user training and assessments For more details on the products and services included in this solution, read the solution brief here > Following AT&T Business’ acquisition of AlienVault in August, this offering is the first to combine the phenomenal threat detection and incident response capabilities of AlienVault USM Anywhere and AlienVault Labs Threat Intelligence with the world-class expertise of AT&T Cybersecurity Consulting. “It’s no secret that cybercrime has become its own industry, giving criminals access to a battery of tools for targeting victims,” said Marcus Bragg, Chief Operating Officer of AlienVault. “For the IT and security professionals who are defending against this, point solutions are no longer enough. They need all the support they can get, and that means people, process, and technology — access to security experts who can share their knowledge and experience, recommendations for best practices, and a unified platform that ties everything together, including the most up-to-date threat intelligence for threat detection and response. That’s what the future looks like in our fight against cybercrime.”   This solution is available from AlienVault and AT&T Business, so new and current customers can easily purchase the solution that works for them. To learn more about this and other cybersecurity solutions from AlienVault and AT&T, contact us to get started. To learn more about the offering, download the solution brief.       

Le 2018-12-12


  Alien Vault - A HIPAA Compliance Checklist
Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack. For example, 2018 threat intelligence research by AlienVault Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started. Certification and Ongoing HIPAA Compliance HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information. Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Step 1: Start with a comprehensive risk assessment and gap analysis Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with the necessary expertise will ensure you don’t miss or misunderstand the required regulations, and it will save you time as they will likely have a HIPAA checklist to reference.  Your consultant can perform an initial evaluation of your entire security program to determine its adherence to HIPAA regulations and the level of readiness to proceed with the “certification” process. It’s worth noting that the OCR does not actually “certify” HIPAA compliance (see side bar), however there are organizations outside of the OCR that do provide “certification” services, and many organizations take advantage of these certification services to prove compliance. As a result of the evaluation, your consultant should provide a comprehensive report that may include such things as: Your organization’s current security and compliance posture compared to the requirements established by the OCR Audit Protocol (including the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule). Prioritized recommendations for risk remediation. A road map outlining the steps and initiatives to achieve compliance and “certification”. According to the OCR, organizations that have aligned their security programs to the National Institute for Standards and Technology (NIST) Cybersecurity Framework may find it helpful as a starting place to identify potential gaps in their compliance with the HIPAA Security Rule. Addressing these gaps can bolster compliance with the Security Rule and improve the organization’s ability to secure ePHI and other critical information and business processes. Read how NIST “maps” to the HIPAA Security Rule in the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. Step 2: Remediate identified risks and address compliance gaps Once you’ve identified your organization’s risks, take immediate steps to address the gaps within your security program. Again, a consultant who has practical experience in healthcare security will be very useful in providing strategic guidance, as well as advice on risk mitigation. Many organizations use the same consultant who performed their initial risk assessment. Your consultant may develop specific programs, policies, standards, and procedures, as well as support or help implement key security practices and controls. For example, they may assist in prioritizing vulnerabilities and make recommendations for remediation in your EHR environment. Or, they may provide pre-packaged employee security awareness training that meets HIPAA guidelines, such as educating employees on security risks and running them through attack scenarios. Make use of security technology to help you more quickly address the gaps in your compliance program — and consider platforms versus point solutions, giving you the ability to address multiple issues at once. Also, look for solutions that address both on-premises and multi-cloud environments as HIPAA regulations apply to both (see Guidance on HIPAA & Cloud Computing).  For example, look for such use cases as the automation of asset discovery and the ability to categorize those assets into HIPAA groups for easy management and reporting. Those same solutions may also perform vulnerability assessments, automate the prioritization of vulnerabilities for mitigation, and integrate with ticketing solutions to ensure the most critical are being remediated while overall risks are mitigated. Step 3: Take advantage of automated compliance reporting The evaluation standard of HIPAA requires covered entities to perform and document ongoing technical and non-technical evaluations to establish the extent to which their security policies and procedures meet the security requirements. Simplify and speed this process by taking advantage of automated compliance reporting. Look for solutions with predefined report templates for HIPAA, as well as other key regulations such as PCI DSS, NIST CSF, and ISO 27001. Consider ease-of-use, such as being able to define groups of assets — for example, a HIPAA group that includes sensitive assets connected to patient data or protected data. How easy it is to view, export, and customize the reports? What percentage of regulation coverage is included in predefined reporting? Most solutions do not cover all the requirements defined by the HIPAA Audit Protocol, but they will give you a jump on your HIPAA checklist. Many security management platforms also include additional predefined event reports, such as reports by data source and data source type, helping to make daily compliance monitoring and reporting activities more efficient. Also, look for an intuitive and flexible interface that allows you to quickly search and analyze your security data, as well as the ability to create and save custom views and export them as executive-ready reports. Finally, solutions that provide centralized visibility of your cloud and on-premises assets, vulnerabilities, threats, and log data from firewalls and other security tools are key to giving you the most complete and contextual data set for maintaining and documenting continuous compliance. Step 4: Implement Monitoring and Breach Notification Protocols The Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and business associates to provide notifications if they experience a breach that involves unsecured protected health information. Security management platforms can help to simplify and automate monitoring for breaches on your network, ensuring you are able to more quickly detect and contain a breach, as well as provide the required notifications. As more organizations in healthcare are migrating data and applications to the cloud, make sure the technology you’re choosing offers advanced threat detection across both on-premises and multi-cloud environments. Simplify compliance management by choosing a solution that combines an array of essential security capabilities in one platform. These may include, but are not limited to: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, file integrity monitoring (FIM), and log management. By combining these use cases in a single dashboard, you are better able to quickly identify, analyze, and respond to emerging threats that target your EHR environment. Intelligence it key to threat detection and incident response, so consider vendors who have in-house research teams as well as access to external threat intelligence communities and other sources that can provide insight into the latest global threats and vulnerabilities — and in particular, those that are specific to healthcare. However, intelligence without context will create lot of distracting “noise” for your team. So, check that the solution goes beyond just providing intelligence to incorporating it directly into your dashboard, including providing recommendations on how to respond to identified threats. With this intelligence and guidance at your fingertips, you can react quickly to the latest tactics, techniques, and procedures used by threat actors. And, you are assured of an always-up-to-date and optimally performing security monitoring solution. Need more info on how to respond to a breach? See the HHS Quick Response Checklist. Step 5: Continuously evaluate and manage risk Whether you are managing ongoing HIPAA compliance internally or are using an external organization, avoid last-minute scrambling for annual evaluations and audits by employing a year-round risk management program. Such a program requires having real-time visibility of your environment, including system component installations, changes in network topology, firewall information, and product upgrades. Use a unified platform to gain this visibility and enable monitoring in a central location (opposed to various point solutions). Here are a few examples of where a platform would be helpful for continuous risk and compliance management: Manage assets and risks Examples: Use automated asset discovery for on-premises and cloud environments and then create asset groups such as business critical assets or HIPAA assets for ongoing monitoring, management and reporting. Identify systems with known vulnerabilities and use correlation rules to detect threats. Monitor access control; data security; information protection, processes and procedures; and protective technology Examples: Monitor for successful and failed logon events to assets. Monitor for communications with known malicious IP addresses or use file integrity monitoring (FIM) to detect, assess and report on changes to system binaries, and content locations. Schedule vulnerability scans, automate assessments, and plan for mitigation. Review events and detected incidents. Detect anomalies and events; and ensure continuous security monitoring and detection processes Examples: Aggregate events from across on-premises and multi-cloud environments. Classify threats based on their risk level. Monitor for stolen credentials, malware-based compromises such as communication to a known command and control (C&C) server, anomalous user and admin activities, file integrity, and vulnerabilities. Automate event and incident analysis; mitigation Example: Automate forensics tasks to be executed in response to a detected threat and simplify forensics investigations with filters, search and reporting capabilities for event and log data. Automate actions to contain threats, such as isolating systems from the network. Automated reporting Use out-of-the box reporting to document that you’ve made an accurate assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI — and to quickly show the status of technical controls that align to HIPAA or other regulations. Maintaining adherence to HIPAA is no small feat considering the dozens of criteria that are considered in the HIPAA Audit Checklist. Attempting to manage your compliance program manually and without the help of expert healthcare security consultants will not only take up massive amounts of time, it could result in your team missing an essential component of the regulation, or worse yet, enduring a breach that compromises patient data or takes down the network. However, with the right mix of people, processes and technology, it’s not an impossible to stay on top of compliance management while ensuring your network is secure and patient data protected year-round. HIPAA Regulations HIPAA Privacy Rule: This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and health care providers who conduct the standard healthcare transactions electronically.  HIPAA Security Rule: This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164 (e-PHI). HIPAA Breach and Notification Rule: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.       

Le 2018-12-11


  Alien Vault - Who Would You Hire in Your SOC?
I got curious about what kind of people are most desired in a Security Operations Center (SOC). I wondered how accepting InfoSec blue teamers would be to having a team member with a great attitude and system administration or network management skills, versus someone with deep InfoSec knowledge and skills. So I did a poll on Twitter to learn more.  After reviewing the Twitter poll results and the very insightful comments, I was even more curious about how SOC hiring decisions are made. Luckily, one of my Twitter pals reached out via DM and indicated he is a SOC hiring manager! And he’d be happy to have a call with me to give me the scoop on what he looks for when hiring for his SOC as long as he remained anonymous!  While I can’t name him, I can tell you he has 20+ years of experience in the InfoSec industry and is in the process of building his second SOC. The first team he built had about 25 people, was focused on infrastructure rather than cloud, and encompassed both SOC and GRC. The team he is building out now is focused on outsourcing (MSSP), which is a different story entirely. Here are his insights: Age is a Number He made the excellent point that the terms "junior" and "senior"  SOC analysts relate more to experience in a SOC vs the person's age. Older folks doing a career transformation might well be considered “junior" and someone in their 20’s who has had a home lab and network might have years of useful experience and be considered “senior”. A Balanced SOC Team The best team mixes some senior folks with junior people. A lot of SOC work is a *grind* with eyes always on the glass. Whereas junior folks can be quite happy to do that for a few years, some more senior folks may want to get into other roles than the front line of defense. In addition, your first job in InfoSec may be a stepping stone to where you want to get. You might want to be a malware researcher, but starting as a blue team defender is an excellent way to learn more about malware. Mainly Cloudy Times are changing – whereas deep skills on particular hardware, like a specific firewall, may have been important in the past, now SOC hiring managers tend to me more cloud oriented. They’re looking for a blend of skills, including DevOps, SecOps, scripting, cloud instrumentation and understanding of cloud infrastructure. Hiring managers are looking for nimble applicants with a flexible skill set. For example, to be good in a SOC job today, you will likely need to know how to monitor application logs as well as traditional security controls. Advice for Students Don’t be afraid to get your hands on tech. Classes are one thing – but also build yourself a home lab. Show some enthusiasm and initiative. Be flexible – avoid just knowing a few specific tech tools. Network! (More to come on that). Advice for Curmudgeons If you’ve “seen it all” – you might appear grumpy. Grumpiness is OK, as long as you work with and support the junior folks. The SOC team isn’t a great place for a grump who wants to just be left alone. Toxic people are not welcome on a SOC team, no matter what skills they may have. Important Tech Checklist for SOC Coding / scripting Understanding of network stack and knowing things like how routing, VLANs and ACLs work Machine Learning / Automation (at least take some free courses for awareness) Core security controls Cloud technology infrastructure Can a Red Teamer Be Good in a SOC? Sure, if they want to be on the Blue Team. They typically have the right skill set. However, Red Teamers live to find and exploit weaknesses. Red Teamers don’t always have to follow rules. Blue Team is defense in depth. Blue Teamers have to follow rules. Career Networking On social, Twitter is great. LinkedIn can be useful too. There are local meetup groups all over that are free to attend. You can hear talks and meet other people in the industry without having to travel to attend an expensive conference. Here's the Poll and Some Excellent Comments and Observations:  In a SOC, would you rather hire a person new to infosec w good attitude & great sys admin / network mgt skills or a curmudeon with badass infosec knowledge & proven track record in SOC. Comments on rationale appreciated. — Kate Brew (@securitybrew) November 25, 2018 The best part was the comments! Here are a few excerpts to demonstrate the common threads.  A Good Attitude Is Clearly Appreciated Good attitude every time. Much easier to train technical skills than people skills. — Chris (@church_of_chris) November 25, 2018 Aren't we seeing this play out now? There r 2 many opptys in the market for ppl to stay and be treated like crap. People will leave. We are seeing burnout up the wazzoo, ppl leaving, ppl afraid of making a mistake, let alone a suggestion. Hire the noob Train, train, train them — javascript jesus is watching you! (@ravici) November 25, 2018 Hard to say without knowing what the responsibilities would be, but generally I'd take the good attitude. People who are hungry and driven can learn the skills they lack, but it's harder to get someone to unlearn being jaded and negative, and spreading that vibe to everyone else. — ��l̶u̶0̷ (@blu0x30) November 25, 2018 In Defense of Curmudgeons   Dark humour is not the same as a bad attitude and burnout can heal — Heidi ������ (@winter_heidi) November 25, 2018 I feel like in tech (not sure about infosec) curmudgeon is a euphemism for "straight-up jerk". But I'd easily take someone competent over someone who's not, provided they're *just* a little grumpy. — Vanessa McHale (@vamchale) November 25, 2018  No Love for Toxic People! A SOC has to work closely together. A curmudgeon stops the communication flow. — Nasty Woman Voter (@sforslev) November 25, 2018 Yet if a curmudgeon doesn’t have the soft-skills necessary to navigate conflict, challenges etc & instead they utilize FUD (fear, uncertainty & doubt) as their professional strategy - no matter how badass their infosec knowledge is - they kill the positive vibe of the SOC & org — Kyle F. Kennedy (@Kyle_F_Kennedy) November 25, 2018 years ago we hired the most brilliant system admin I've ever worked with, but he had 0 people skills and started to make it a toxic work env he was so bad working with others people were on the verge of quitting to not have to deal with him, i'd lean towards good attitude. — Space Force Panda (@TrashPandaFTW) November 25, 2018 I’d rather invest time in developing potential than repairing damage from a curmudgeon. That said, it depends on the mission and cultural context. Theoretically, the mission (and culture) might force acceptance of the trade-offs that come with a highly-capable curmudgeon. — <script›alert('chrᎥs cɑlνert');‹/script› (@securedaemon) November 26, 2018 SOC Needs a Team / Balance I'm the curmudgeon, and I balance the 5 neophytes. It's a good ratio - for a Red Team. I suspect the ratio would work differently on the blue side, coming from there. Company culture also plays a role in quantifying these ratios, I think. — Abe Snowman - Yeti Vigilante ☃️ (@AbeSnowman) November 26, 2018 I’d hire either. It would also depend on the current makeup of the team. If you have a bunch of info sec people with out sys/net admin chops then the new blood will be good. If it’s the other way then the curmudgeon would be good. Cross pollination is good. — Michael Fourdraine (@mfourdraine) November 25, 2018 One curmudgeon to five enthusiasts - and a good manager over them all. — John (@JohnDCosby) November 25, 2018 Regardless if they are in a SOC or not. Challenging concepts & ideas is healthy. Conflict can be good for orgs as it encourages open-mindedness & helps avoid the tendency toward group thinking (which could become bully thinking) that many organizations fall prey to. — Kyle F. Kennedy (@Kyle_F_Kennedy) November 25, 2018 Conclusion I really appreciated the insights I got from the Twitter poll and speaking with my Twitter pal who is a SOC hiring manager. I hope this info is helpful to folks looking to move into Blue Team. Here’s another blog with career and networking advice.         

Le 2018-12-10


  Alien Vault - Things I Hearted This Week, 7th December 2018
It’s December, so you’re either on holiday, wishing you were on holiday, or hoping the next security article you read isn’t related to predictions. Well, I can’t help you with the holidays, but I can promise there will be no predictions here. It’s just good old-fashioned news of the juiciest news that made my heart flutter US Postal Service Ah, the good old USPS was running a weakness that allowed anyone who has an account to view details of around 60 million users, and in some cases modify the account details on their behalf. Luckily, a security researcher spotted the error about a year ago and notified USPS. Unluckily, the USPS didn’t respond to the researcher or fix the issue. Luckily, the researcher reached out to little known cyber-reporter by the name of Brian Krebs who contacted USPS and lo-behold a miracle happened and the issue was fixed in 48 hours! USPS Site Exposed Data on 60 Million Users | Krebs on Security This raises the question as to is there anything lesser-known researchers who don’t have the public profile of Brian Krebs can do to help companies fix issues outside of a formally defined bug bounty program? Back in September, Troy Hunt posted on the very topic on the effectiveness of publicly shaming bad security. And not to say I agree with shaming companies, but when you look at instances like USPS, you do wonder if there is a better way. The Effectiveness of Publicly Shaming Bad Security | Troy Hunt GCHQ Reveals it Doesn't Always Tell Firms if Their Software is Vulnerable to Cyber Attacks In other words, spy agency keeps secrets. There are four reasons given as to why GCHQ may not disclose flaws, being: There is no way to fix it The product is no longer supported The product is so poorly designed it can never be secure There is an overriding intelligence requirement that cannot be fulfilled in any other way I particularly like number 4 as the catch-all clause. You could say there’s an overriding intelligence requirement to almost anything, and refuse to release any details under secrecy laws. I’m not necessarily bashing GCHQ, governments have been known for stockpiling exploits. They have a particular mission and objective, and this is how they go about fulfilling it. However, it does mean companies should not rely solely on GCHQ or other government agencies for their threat intelligence. Rather, building its own capabilities and threat sharing channels remain necessary. GCHQ reveals it doesn't always tell firms if their software is vulnerable to cyber attacks. | Sky News Scamming the Scammers I don’t think there are many stories more satisfying than when scammers get taken for a ride. This time courtesy of Hacker Fantastic who got contacted by the famous singer Rhianna out of the blue to help her get some money. Scamming the scammers | Medium, Hacker Fantastic ENISA Releases Online NIS Directive Tool ENISA released an interactive tool showing the relevant national laws and regulations, and per sector and subsector the national authorities supervising the NIS Directive. It’s pretty cool. NIS Directive Tool | ENISA Open

Le 2018-12-07


  Alien Vault - Password Stealers Aren‘t Letting up Any Time Soon
Password security has always been a challenge. Brute force attacks are constantly getting more powerful, but they aren’t the only threat you have to worry about. A range of password stealing malware continues to grow in popularity. One example, Agent Tesla, has seen its detection rate grow 100% in just three months, according to data from LastLine. Despite this rapid growth, Agent Tesla is far from the most popular. That title goes to Pony, which represents 39% of the total password stealer detections, according to Blueliv’s 2018 report, The Credential Theft Ecosystem. LokiPWS and KeyBase trailed Pony at 28% and 16%, respectively. These password stealers are each capable of stealing credentials and other information from a wide variety of programs. Each is unique with its own techniques for delivery and a range of features that hackers can use to mount attacks. Despite the differences, each of these programs can have severe impacts on their victims. The negative impacts can range from having all of the money stolen from an individual’s accounts, to the theft of a company’s intellectual property. The key features of some of the most common password stealers are listed below: Agent Tesla Like most password stealers, Agent Tesla can access a wide variety of your information, ranging from your credentials to your keystrokes. It can even take screenshots and videos from your device’s camera. Agent Tesla targets a number of major programs, including web browsers, email clients, FTP applications and other commonly used software. Once Agent Tesla has been installed on a target’s computer, it can also be used to download other malware. This feature allows threat actors to intensify their attacks and make them even more devastating. Its pricing shows that the malware industry hasn’t been left behind in the X-as-a-service boom, because it is available as part of a plan that starts from $15 per month. This price includes all the 24/7 support someone might need to assist them in their criminal endeavors. Of course, payments are made in Bitcoin. Despite running what must have been an incredibly profitable business, Agent Tesla’s creators have recently posted an update stating it will crack down on illegal use of the program. Under its terms of service, it declares that the software must only be used within the law, but features such as anti-antivirus throw these intentions into question. Due to the recent media attention that Agent Tesla has received, the developers will strip some of its more questionable features, such as anti-antivirus and webcam capture. They also claim to be banning those who are using the program maliciously. Only time will tell whether the creators are sincere, or if this is merely an attempt to keep the authorities from knocking down their doors. Pony Pony is currently the most popular password stealer, but it’s certainly not new. In the past, it has been used to control a number of enormous botnets, which by 2013 had already stolen more than two million credential sets. In 2014, it involved into a series of attacks that stole $200,000 worth of cryptocurrencies, as well as 700,000 sets of credentials. In recent years, Pony has seen prominence as a loader alongside other malware, such as CryptoWall and Angler. These programs, a type of ransomware and an exploit kit, respectively, help attackers launch even more devastating assaults. LokiPWS As the second most commonly encountered password stealer, LokiPWS has been involved in a significant number of attacks. It can be purchased from a range of illicit marketplaces for between $200 and $400, depending on the desired functionality. LokiPWS is comprised of a loader, a password stealer and a wallet stealer, which makes it useful in a variety of attacks. TrickBot TrickBot was originally a banking trojan, but has since been updated to steal other credentials as well. This malware is modular and continues to have new features added by its developers. The coding for the newest components isn’t as clean as the earlier parts, but if it continues to be refined, we could see TrickBot used in a greater number of password stealing scams. Common Attack Vectors   Attackers can load password stealers to their target’s systems in the same ways as most malware. These include social engineering, fake Adobe flash and other program updates, drive-by downloads, and through “free” online software. The following are some of the most common techniques that we see associated with password stealers: Social Engineering Social engineering (a.k.a. phishing) is one of the most prominent methods that hackers use to load password stealers onto their victims’ computers. They commonly use convincing emails to trick the recipients into downloading an attachment. The level of sophistication in the email will depend on the attacker’s game plan. Some may send highly-tailored emails to a select group of people in the hopes of convincing a large percentage to download the attachment. Others may put less effort into each email, but send them to a much greater number of people. The rate of success won’t be anywhere near as high, but this technique allows them to attempt to manipulate a much larger group of people. The attachments can take many forms, including RTF files, PDF files, PUB files, DOC and DOCX files, XLS files, EXE files, images and more. It is common for the malware to be disguised as seemingly legitimate invoices and other important documentation. These tricks can easily fool users into unwittingly granting access to the password stealer. A recent campaign has been taking advantage of vulnerabilities to spread both LokiPWS and Agent Tesla. The target is tricked into downloading a DOCX file, which in turn downloads an RTF file. This technique takes advantage of both a Microsoft Office remote code execution flaw, as well as a memory handling bug, in order to help slip the malware past antivirus software.        TrickBot is often hidden in Excel files. In these attacks, the user is told that the document was created with an older version of the program, and that they need to “enable content” in order to access the file. Clicking this button runs the macros, which kicks off the malicious code and begins the TrickBot download. Agent Tesla even has a customizable “Fake Message” option. This allows an attacker to tailor a pop-up that convinces the target to install the malware. This feature makes it simple to create a legitimate-looking dialogue box that might say something like “This program needs to be updated before it can launch. Update now?” Users will often click to run the update without even thinking about it. Something so simple can end up having dramatic effects, because of course, the program isn’t actually being updated. What’s really going on is that Agent Tesla is tricking the user into letting it install itself.          Attacks Launched from USBs Malware like Agent Tesla can also be preconfigured to run from a USB stick. This gives attackers more imaginative ways to upload their malware onto a target’s computers. One example involves threat actors leaving a bunch of malware-riddled USBs in an employee car park in the hope that some curious workers will pick them up and plug them into their office computers. When the USB is plugged in, Agent Tesla loads to the computer and can begin logging everything that the user does. Getting Past Your Computer’s Defenses Computers and networks have a range of defenses that help keep the bulk of malware at bay. These aren’t perfect, because the landscape of cyber threats is constantly evolving. This makes it much more challenging to prevent cutting-edge attacks. Agent Tesla has a wide variety of configuration options that enable threat actors to customize how they launch their attack to bypass defenses. With just a few clicks in an easy-to-use settings menu, an attacker can choose whether to disable the target’s Task Manager, how it will get past anti-analysis tools, whether it will launch automatically after rebooting, and much more. The Agent Tesla website used to feature support that gave tips on getting around defenses, including advice on how to hide the malware in other files, and how to trick security tools. The website may have claimed that the software was only designed for monitoring personal computers, but all of this auxiliary information hints at other intentions. How Do Password Stealers Take Your Credentials? Once a password stealer has made its way onto the target’s systems, it starts getting to work. There is some variance in how each of these programs function, but many of the core elements and features are the same. Keyloggers Keyloggers are some of the most commonly used tools for stealing credentials and other information that may be useful to attackers. They can be set up to record every keystroke that the target makes, sending the data back to the attacker. Of course, whenever the target types their usernames and passwords, this information goes straight into the attacker’s hands. Clipboard access Many password stealers can also access the data that is being stored in your clipboard. Clipboards aren’t a secure part of your computer, and the information that is stored in them can be accessed by all active processes, which means that malware can also take this information. This is somewhat worrying for those whose password manager uses the clipboard, but the majority of these programs tend to erase the data straight away. If you ever have to manually copy a password, it’s probably best to clear the clipboard after you have finished pasting. Screenshots It’s also common for password stealers to take screenshots of their target’s activity. This helps attackers keep track of what their victims are doing and enables them to log even more of their information. Videos Some password stealers can hijack a device’s camera and take pictures or video. This allows threat actors to build up an even greater profile of information on their victims. Which Programs Do Password Stealers Target? Most of the common password stealers can take credentials and other information from a wide variety of applications. These include common web browsers like Chrome, Safari, Microsoft Edge and Opera, FTP programs like FileZilla and WinSCP, email clients like Outlook, and many more. Some of these password stealers are set up to access data from more than one hundred commonly used programs. How Does This Information Get Sent Back to the Threat Actor? Once password stealers get their hands on your valuable data, they send it back to the attacker. The information is surreptitiously sent to a server, and then either to the attacker’s email or a dashboard. These dashboards vary in complexity, but some provide an impressive array of organization that makes it easy for threat actors to keep track of a large number of victims. As an example, Agent Tesla’s dashboard shows the progress of attacks against each of its targets. Menus clearly show the keystrokes, screenshots, passwords and other data that has been collected. Once an attacker has this data, they can either sell it in bulk, use it to steal from you, or use it to mount further attacks and penetrate your systems more deeply. How Can Password Stealers Impact Organizations and Individuals? Passwords are one of the most important systems that we have for controlling access to our data. Now that we conduct significant parts of our work and personal lives online, this makes them gateways to incredible amounts of our information. Password stealers can easily grant access to many aspects of our lives and businesses, and the impacts can be disastrous and wide-reaching. At a personal level, password stealers can enable threat actors to withdraw money from your bank account, hijack your social media or even commit complete identity theft. Organizations also face significant threats, because password stealers have the potential to give a threat actor complete access. Once an attacker is inside a company’s systems, they can copy its intellectual property, steal its data, lock up its information with ransomware, or even attempt extortion. The results can be as broad as an attacker’s imagination. Staying Safe from Password Stealers As you can see, password stealers represent a significant threat. Unfortunately, there is no surefire way to completely guard yourself and your organization. Despite this, following security best practices will reduce the risks to an acceptable level, especially if adequate staff training is part of the process. Individuals and employees need to be aware of the risks and only open attachments if they are certain that they are legitimate. It’s important to encourage a workplace culture where employees feel comfortable to check with IT whenever they are unsure of a potential security issue. Implementing two-factor authentication is another crucial mitigator. If an authentication process requires a token, biometric input, an authenticator app or an SMS code in addition to the user password, it can make it significantly more difficult to break into the systems. Password stealers can grant absolute access to our online worlds, so it’s important to be vigilant against them. While there are some programs that claim to be able to remove them, like all things in cybersecurity, it is much less costly to focus on prevention.       

Le 2018-12-06


  Alien Vault - Protecting the Wrong Things
Businesses rely on technology more today than they ever have in the past. In fact, many business models are built entirely around a technology which, if disrupted, could spell ruin. A traditional business with a brick and mortar presence is probably better-placed to withstand an extensive online disruption or outage. For example, if a bank’s online system or mobile app is unavailable, it has other options to fall back on – even if it does involve customers physically having to walk into branches to deposit cheques. But those examples are rare, and even the most traditional of businesses are embracing the digital revolution at a rapid pace, vaporizing physical assets in the process. One only has to look at their smartphone and see how many physical items it has replaced, from maps, to flashlights, to cameras. So, it’s important that the digital infrastructure that underpins the modern world is resilient. The ‘A’ in the security CIA of ‘Confidentiality, Integrity and Availability’ helped professionals focus on business continuity planning, and disaster recovery. But have we been focusing on the wrong things? Earthquake Resilient Buildings Recently a building surveyor was explaining to me the concept of earthquake-resilient buildings. He highlighted an important point that in most countries, building code objectives are mapped to collapse resilience, not to damage. The analogy is akin to a car which has designated crumple zones to absorb the brunt of the force during an accident. In other words, resilience in buildings and vehicles is all about saving lives - not the building or the vehicle. Which makes me wonder whether businesses have focused on building resilience into the wrong parts. Is the industry focused more on saving the building or the vehicle at the expense of lives? Broadly speaking, while lives are not literally at risk, (although with IoT making its way into every facet of life including medical devices, the risk does increase), there is a lot of personal information that companies are in possession of which slips through the radar of most planning sessions. The response often summed up as, “let’s offer free credit monitoring for a year for our affected customers.” In the building analogy, it’s the equivalent of, “Sorry your building collapsed and everyone died during the earthquake. Here’s a year’s coupon to stay in a local hotel.” Crown Jewels Companies are pretty good at protecting their own crown jewels. But they’re often limited in what they do for their customers. One of the reasons is that the emphasis is put on the wrong type of information. PCI DSS is a well-meaning standard, but forced companies to focus on protecting payment card data. The problem with this approach is that card data is pretty much a commodity. It naturally ages, and new cards need to be issued as a matter of course. A breach simply accelerates the process. The point being that payment cards have natural resilience built into them. That’s not to say that when cards are breached there isn’t a cost associated. It’s to avoid bearing the burden of these costs that card issuers rallied to have PCI DSS implemented, with the threats of big penalties to any company that was beached. This in turn forced companies to disproportionately invest into protecting card numbers over actual customer information. Protecting the buildings at the expense of its inhabitants. Regulations like GDPR are a step in the right direction with its focus on protecting the privacy of individuals. However, it too wields a big stick with the threat of massive fines. So, companies will do what they can to protect their businesses. Retrofitting protection The evolution of many companies mean that protection is often retrofitted under the guise of compliance. But there is a significant difference between retrofitting to prevent business damage, and retrofitting to prevent the entire business collapsing. We need to shift the way we think of information and the controls we put in place that can not only withstand the metaphoric cyber earthquake, but also protect its customers. The first part of this is for businesses to understand what aspects of its digital infrastructure are   commodities or standard offerings that can be swapped out or replaced relatively easily, versus custom-designed and individual data that is irreplaceable. For this, the best place to start is the beginning. Design decisions need to be thought out better and not rely on decisions made from years gone by, when the digital landscape was a different place. Haroon Meer probably said it best when he described customer data as being toxic. It has its benefits, but companies should be prepared to wear hazmat suits when dealing with it. This includes not using personal information for trivial functions. For example, does every online registration require a user’s personal information such as date of birth? If not, then why capture it? Similarly, should the user’s email ID be used as their userID? As email has become more important for users, so has the risk of it being targeted. Maybe the data can be captured, but alternative methods used to protect it. Similar to how many companies choose to tokenize card data? Maybe your favourite pizza shop doesn’t need to store your address in all its databases, a tokenized version can suffice. So, if it does get breached, not only are the customer details protected, but business can continue with minimal disruption - allowing true resilience against such events. After all, what’s the point in protecting all your buildings if there’s no-one left to inhabit them?       

Le 2018-12-05


  Alien Vault - Is Cybersecurity Insurance on Your Holiday Shopping List?
Three simple steps to protecting your small business Continued news reports of large-scale data breaches and the steady increase of cyber fraud like spam calls, identity fraud and unauthorized account access should be enough to scare anyone. So-called nation-state hackers attempting to infiltrate government entities and universities, massive data breaches, and new Ransomware threats are constantly in the headlines. So why doesn’t this encourage more small business owners to take cybersecurity more seriously? Many small businesses are currently going digital and moving data, applications and services to the cloud. In fact, the most innovative small businesses have embraced digital transformation as an integral part of their growth plans. This evolution makes their business more vulnerable to a lurking hacker. And perhaps too trustingly, many small business owners think that because of their size, they are not a target. Hackers don’t discriminate. Malware doesn’t discriminate.  Everyone is a target, and in fact, hackers see the data that small businesses have as a gateway to attacking larger businesses. And Malware essentially looks for open doors (i.e. unpatched machines) to infect. As we look to the start of a new year, there is no better time to assess your business’s cybersecurity posture – or in some cases start from scratch – to ensure you are prepared and can respond to cyberattacks. Here are a few affordable and simple recommendations that can improve your cybersecurity posture and help protect your business from the inevitability of a cyberattack in 2019: Stay Aware: The simplest thing you can do is to stay current on trends and threats affecting small businesses. We’ve seen unprecedented levels of attacks on small business in 2018, especially with Ransomware (where your device is essentially taken hostage for a fee). It’s essential to understand the types of attacks that could put your business at risk as well as the current cybersecurity landscape. Visit AT&T Cyber Aware for the latest news, information to report fraud associated with your AT&T Business account. Hire a consultant: A consultant can take a holistic look at your business, identify the gaps and help you understand how to improve your cybersecurity posture. While some see consultants as an added expense, their role is essential for small businesses that don’t have an IT or cybersecurity expert on staff. A consultant can help you develop and implement a plan for monitoring for threats, incident response and remediation that’s within your budget. Buy Cyber Insurance:  Cybersecurity insurance isn’t new. Large enterprises have had a cybersecurity insurance policy in place for decades now. However, 2019 is going to be the first year that it’s accessible and affordable to businesses of all sizes. For AT&T Business customers, this is made possible through policies, underwritten by CNA, with Lockton Affinity serving as the insurance broker.   A recent Ponemon Institute Report found that in 2017, cyberattacks cost small and medium-sized businesses an average of $2,235,000. That’s a staggering number that will only continue to increase as hackers become more sophisticated and continue to target the most vulnerable. My advice to small business owners – as you’re thinking about your holiday shopping list, add cyber insurance to that list to give yourself peace of mind. We know small businesses are focused on what they do best, and cybersecurity isn’t always top of mind. Let’s bring it to the top of the list for next year. Anne Chow, President – National Business, AT&T Business       

Le 2018-12-04


  Alien Vault - Award-winning Quarter Caps a Phenomenal Year
We’ve had a lot to celebrate this year. AlienVault, now an AT&T company, has received many awards, including three this quarter. In October, USM Anywhere was named the 2018 Cloud Security Solution of the Year after receiving the most votes in the industry. This recognition validates our SaaS-driven deployment model that integrates critical security capabilities into a unified platform enabling faster threat detection and response across cloud and on-premises environments. Here’s a photo of Sophia Anastasi, AlienVault UK Partner Account Manager, accepting the award at Computing Security’s awards ceremony. Our channel team is also receiving industry accolades. Last Thursday night at the Channelnomics Innovation Awards ceremony in New York City, Mike LaPeters, Vice President of Global Channels, accepted the award for Security Partner Program of the Year in North America. In October, Mike was selected as a winner of the 2018 Channel Futures Circle of Excellence Awards for his vision, innovation and advocacy of the indirect channel in helping AlienVault solution providers create business value for their customers. On AlienVault receiving these awards, Mike said, “Both of these awards are a testament to our focus on enablement. We help participants in the AlienVault Partner Program to create new opportunities for business growth, expansion and profitability powered by AlienVault USM.” With 2018 coming to close, we are excited to see what the new year brings as we continue to deliver phenomenal security products to our customers and solution providers.       

Le 2018-12-03


  Alien Vault - Things I Hearted this Week - 30th Nov 2018
Last week I was off attending IRISSCON in Dublin and so there was no update, and this week I’ve been at the SAN EU security awareness summit - so while I have been hearting things for the last two weeks, I’ve not had a chance to put them down. I don’t want to miss two weeks in a row - so I’ll give you a quick download and hopefully normal service will resume next week! Chat app Knuddels fined €20k under GDPR regulation The chat platform violated GDPR regulation by storing passwords in clear text and for this reason, the regulator imposed its first penalty under the privacy regulation. Chat app Knuddels fined €20k under GDPR regulation | Security Affairs IOC Origins Richard Bejtlich gives a historical view into the origins of IoC’s The Origin of the Term Indicators of Compromise (IOCs) | TaoSecurity The spread of low-credibility content by social bots The massive spread of digital misinformation has been identified as a major threat to democracies. Communication, cognitive, social, and computer scientists are studying the complex causes for the viral diffusion of misinformation, while online platforms are beginning to deploy countermeasures. Little systematic, data-based evidence has been published to guide these efforts. Here we analyze 14 million messages spreading 400 thousand articles on Twitter during ten months in 2016 and 2017. We find evidence that social bots played a disproportionate role in spreading articles from low-credibility sources. The spread of low-credibility content by social bots | Nature.com The $1M SIM Swap A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency. SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet A day in the life of a trickbot hunter Nice writeup! Day in the life of a researcher: Finding a wave of Trickbot malspam | SANS Crypto hacking If you maintain any software libraries that deal with cryptocurrency wallet private key, there's a huge incentive for hackers to compromise your library's dependencies, and dependencies of dependencies. That's what happened with this npm package I don’t know what to say | GitHub Get SaaSy The NCSC's new SaaS security collection provides a lightweight approach for determining the security of any SaaS application. The collection also includes security reviews of the 12 most asked-about SaaS services used across UK government. SaaS security - surely it's simple? | NCSC Today's Deep Learning "AI" Is Machine Learning Not Magic Well, if AI isn’t magic, I should update my Uncybered browser plugin! Today's Deep Learning "AI" Is Machine Learning Not Magic | Forbes Chinese Ramp up AI When I read stories like this, my worry that machines will take over human jobs subsides. In this story, Chinese cities have rolled out AI-powered facial recognition technology to identify jaywalkers (because I’m sure they’ve solved every other crime out there). The results… well, can you say dystopian? AI Mistakes Bus-Side Ad for Famous CEO, Charges Her With Jaywalking | CX Live I hope to be this petty some day Zuckerberg told Facebook execs to stop using iPhone after Tim Cook privacy comments | Apple Insider Although, is it as petty as 50 Cent? 50 Cent buys 200 tickets to Ja Rule concert to keep seats empty in ongoing feud | CBS news Other stories of interest I still miss my headphone jack, and I want it back | Fast Company AWS has released some free training | AWS Regular Exercise May Keep Your Body 30 Years ‘Younger’ | NY Times The Next Data Mine Is Your Bedroom | The Atlantic The Wartime Spies Who Used Knitting as an Espionage Tool | Atlas Obscura       

Le 2018-11-30


  Alien Vault - IAM and Common Abuses in AWS
This is the first of a 4 part blog series on security issues and monitoring in AWS. Identity and Access Management (IAM) in AWS is basically a roles and permissions management platform. You can create users and associate policies with those users. And once those users are established you get set of keys (access key and a secret key), which allow you to then interact with an AWS account. So, it's kind of like having a card key into the data center, and if you get into the data center, you have physical access to assets and you can do a bunch of things - in the AWS world there is no physical access to a data center therefore you can create keys and an API and you can interact with the API to do the same things that you would do in a physical environment, like physically racking servers in a data center. Common IAM risks are associated with folks getting a hold of, for example, a set of keys that have some policy associated with them that enables an attacker to get into the environment and do some potentially risky stuff. Following are a couple examples: EC2 instance creation or deletion. This is fairly common and relatively easy to do compared with the other examples. If somebody gets a hold of a set of keys  that allows them to create EC2 instances in your AWS account, that’s the first thing they're going do. There are a lot of bots out there looking for this access, and if a bot finds a set of keys that allows it to start interfacing with EC2, it's going to spin up a bunch of instances - likely to start mining cryptocurrency. This actually happened to Tesla, a pretty good sized company with quite a few resources to allocate to securing their infrastructure. There are many examples in the news about keys getting published to GitHub inadvertently, and there are bots out there scraping GitHub looking for access keys and the second they find them they’re in your AWS account seeing what they can do. Another scenario is roles that do automated things, like take RDS snapshots or EBS snapshots. The attacker might abuse the automated process to back up various resources like EBS or an RDS database. If an attacker gets access to that role or the keys associated with it and takes snapshots of these resources, they can deploy a new RDS database based on the snapshot. And when they do that they get to reset the passwords associated with the database. So now they've got access to all of your data without actually having to have the passwords required on the RDS instance. It's the same thing with the EBS (Elastic Block Store) snapshot. If somebody is able to take a snapshot, basically of a hard drive in AWS, they can launch a new instance connected to that block store and do some interesting things with it. For example, assuming they’re able to create an SSH key pair in your account, they could launch a new instance from the snapshot and assign their key pair to the instance, giving them full access to the data of the original instance. If they can’t create SSH keys in your account, they might try to mount the snapshot to an existing instance they can already access. Basically this is a crafty way to work around credential control and access control. This is a technique that's been used to actually exfiltrate data out of AWS, just by taking snapshots.   The last example is account hijacking. One story that got some headlines a while back involved attackers getting full control of an AWS account through a set of keys. The account was compromised so thoroughly that trust in the service was eroded to the point that the company went out of business – an extreme scenario, but if someone gets that level of access in your AWS account, you can pretty well expect that they're going to hold it for ransom. There are other risks, like S3 bucket exposure risks, that are much easier to take advantage of. The good news is that Amazon has recently added 4 new options that allow the account owner to set a default access setting for all of an account's S3 buckets. The new settings override existing or newly created bucket-level ACLs (access control lists) and policies. We’re not highlighting S3 bucket exposure risks above because there were too many to choose from. In my search for specific data exfiltration issues that have occurred with S3, I came across this GitHub Repo where the well-known public breaches are organized by date. You'll find 25 different instances of actual breaches where somebody had leaked data from a publicly exposed S3 bucket. It works as follows: Say somebody creates an S3 bucket, where they’ve got some process running that’s capturing some data and writing the information to a file in the bucket. Then somebody else comes along later and makes that bucket publicly readable. Or, the bucket was initially set up as publicly readable and nobody noticed it. This kind of thing happens all the time, and there are adversaries out there just scanning S3 looking for publicly accessible buckets. And once they find the buckets they just scrape the data in them and figure out what treasures they've got later. They don't even care what they’re downloading.    It’s a simple thing for them to carry out. It doesn't require a super sophisticated attack vector. We'll dig further into AWS security risks and what to do about them in the next blog of this series.       

Le 2018-11-29


  Alien Vault - Security Orchestration, Automation and Response (SOAR) - The Pinnacle For Cognitive Cybersecurity
The cognitive tools/technologies of machine learning (ML) and artificial intelligence (AI) are impacting the cybersecurity ecosystem in a variety of ways. Applied AI machine learning and natural language processing are being used in cybersecurity by both the private and public sectors to bolster situational awareness and enhance protection from cyber threats. The algorithmic enablers that make ML and AI pinnacles of cybersecurity are automation and orchestration.  Last year, the research and analyst firm Gartner created a term called SOAR. It stands for Security Orchestration, Automation and Response. A key element of SOAR has been the automation and orchestration elements. An excellent analysis of the impact of automation was provided by Stan Engelbrecht in his column in Security Week called The Evolution of SOAR Platforms.  Stan noted “as SOAR platforms evolve, they are requiring less experience from users. Vendors embed security expertise into the products, in the form of pre-built playbooks, guided investigation workflows, and automated alert prioritization.  Automation and orchestration features have also reached a level of sophistication where they can be integrated into an existing security framework without relying on users to know exactly what should be automated.” Indeed, SOAR and corollary cybersecurity automation technologies combined with ML and AI tools can be viewed as a strong framework for mitigating evolving threats. AI and ML have emerged into new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms. Three significant factors are heightening their risk:   1) Skilled Worker Shortage: It is widely noted that the cybersecurity industry is facing major skilled worker shortages. According to data published on Cyberseek, U.S. employers in the private and public sectors posted an estimated 313,735 job openings for cybersecurity workers between September 2017 and August 2018. That's in addition to the 715,000-plus cybersecurity workers already employed. It is not just a U.S. problem, but a global problem and the demand for skilled workers to address the growing prevalence and sophistication of cyber-threats is growing exponentially. 2) Expanding Digital Connectivity: The expanding connectivity of the Internet of Things (IoT) has greatly increased cyber vulnerabilities. IoT refers to the general idea of devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. This includes everything from home appliances, wearable technology and cars. Gartner predicts that there may be nearly 26 billion networked devices on the IoT by 2020.  The numbers of devices provide a larger attack surface with more targets for cyber criminals and makes defending networks and endpoints even more difficult. 3) Sophistication of Adversaries: Cybersecurity criminals are using machine learning techniques to discover vulnerabilities on their targets and to automate their own attacks (with increasing success). They often share tools available on the Dark Web and hacker attacks are now faster, more calculating, and more lethal. The threat actors are many and varied including nation states, criminal enterprises, and hacktivists.     The three factors I highlighted are not the only ones forcing the need for automation and orchestration tools, but they are prevailing ones. To keep up with cyber-threats and help level the playing field against attackers, companies and governments need to evaluate and assimilate many of the automation and orchestration tools that hackers employ and integrate them into their own Security Automation and Orchestration (SOAR) platforms and security information and event management (SIEM) platforms. They should implement these tools and technologies under a comprehensive risk management strategy. Security automation and orchestration of applications should be commensurate and grow with derived benefits (and adversarial risks) from AI and ML. These technologies can provide for more efficient decision-making by prioritizing and acting on data, especially across larger networks and supply chains with many users and variables. The automation and orchestration tool chest can now utilize horizon scanning technologies, filter through alerts, use predictive analytics, facilitate identity management, coordinate incident response (audits and alerts), use self-repairing software and patch management, and employ forensics and diagnostics after an attack.  Automation and orchestration can be valuable in enhancing existing cybersecurity architecture such as preventive security controls, including firewalls, application security and intrusion prevention systems (IPSs). Perhaps most importantly, automation and orchestration can provide a more rapid response capability across a multitude of security components and tools whether they are located in the Cloud or in onsite data centers. The faster a CISO can identify and address a threat or breach, the better the likely outcome. Combating machine-driven hacker threats requires being proactive by constantly updating and testing cybersecurity capabilities. Using ML automation platforms to recognize and predict anomalies associated with the data-base of behavioral patterns of malicious threats can be an indispensable layer in an integrated cyber-defense. For the public sector, automation, combined with ML and AI, is an emerging and future cybersecurity pathway, especially for industrial systems and critical infrastructure. DARPA is investing for the Department of Defense (DoD) in developing these capabilities for the warfighter.  DARPA announced a multi-year investment of more than $2 billion in new and existing programs called the “AI Next” campaign. DARPA’s website notes that “key areas of the campaign includes automating critical DoD business processes, such as security clearance vetting or accrediting software systems for operational deployment; improving the robustness and reliability of AI systems; enhancing the security and resiliency of ML and AI technologies; reducing power, data, and performance inefficiencies; and pioneering the next generation of AI algorithms and applications, such as “explainability” and “common sense reasoning.”   For domestic federal security, the Department of Homeland Security (DHS) has deployed an automated cyber surveillance system that monitors federal internet traffic for malicious intrusions and provides near real-time identification and detection of malicious activity called EINSTEIN. This system is continually being upgraded. Einstein is only one element of DHS’s use of automation. DHS’s newly created Cybersecurity and Infrastructure Security Agency (CISA) will be using cognitive automation for cyber, collaboration and communication capabilities in many areas of its defined mission: Proactive Cyber Protection CISA's National Cybersecurity and Communications Integration Center (NCCIC) provides 24x7 cyber situational awareness, analysis, incident response and cyber defense capabilities to the Federal government; state, local, tribal and territorial governments; the private sector and international partners. CISA provides cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies. Infrastructure Resilience CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide. CISA provides consolidated all-hazards risk analysis for U.S. critical infrastructure through the National Risk Management Center. Emergency Communications CISA enhances public safety interoperable communications at all levels of government, providing training, coordination, tools and guidance to help partners across the country develop their emergency communications capabilities. Working with stakeholders across the country, CISA conducts extensive, nationwide outreach to support and promote the ability of emergency response providers and relevant government officials to continue to communicate in the event of natural disasters, acts of terrorism, and other man-made disasters. Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021. That is a scary scenario. It is important that both government and industry are investing together in automation and orchestration to harness productivity and to especially address cyber-threats. It will take a vibrant partnership to help meet the threats. With every passing year, cyber criminals become more sophisticated and adept in their cyber-attacks. In view of a lack of skilled workers, expanding digital connectivity, and the growing sophistication of adversaries, automation and orchestration are key elements for a viable cybersecurity posture.   Ultimately, incorporating these elements will become a cybersecurity imperative in an AI and ML guided world.       

Le 2018-11-29


  Alien Vault - AlienVault Delivers Phenomenal Cloud Security for AWS Customers
Viva Las Vegas! We aliens have landed at AWS re:Invent 2018 (Booth #1506), bringing phenomenal threat detection, response, and compliance to the AWS cloud. As I gear up for a full day of live product demos, I thought I’d take a moment to highlight some of the ways in which AlienVault is delivering phenomenal security to our customers’ AWS environments and beyond. We’re monitoring more AWS services than ever, giving you deeper security visibility of your AWS infrastructure. In 2018, we’ve expanded the number of AWS services that USM Anywhere monitors to include Amazon GuardDuty, Amazon Macie, AWS Application Load Balancer, Amazon Redshift, AWS Lambda invocations, AWS Web Application Firewall, and Amazon API Gateway. This is in addition to the other services we monitor and alert on, including AWS CloudTrail, Amazon S3 access logs, Amazon ELB access logs, Amazon VPC flow logs, AWS Config, Amazon CloudFront, and Amazon CloudWatch. Expanding our AWS threat coverage continues to be a priority for us as more and more customers undergo digital transformations and begin to leverage cloud services and applications to run their businesses. USM Anywhere continuously and automatically monitors AWS infrastructure for threats and anomalous behaviors, assesses your AWS environment for vulnerabilities and configuration errors, and simplifies logging and reporting—all from one cloud-hosted platform. What’s more, USM Anywhere centralizes security monitoring across AWS, multi-cloud, hybrid, and on-premises networks, including SaaS applications like Office 365 and G Suite, ensuring continuous coverage even as you migrate workloads and data from the network to the cloud and helping to eliminate security blind spots. This single-pane-of-glass approach alleviates the need to invest in multiple, siloed security monitoring tools for clouds, networks, and data centers, as John Chesser, Director of Cybersecurity Solutions at DataPath, a certified AlienVault MSSP, pointed out. “There's time, money, resources that are impacted by having to use the multitude of products out there. With USM Anywhere, I've got it all." We’re keeping your defenses current with continuous AWS-specific threat intelligence. As part of the continuous threat intelligence subscription built into USM Anywhere, the AlienVault Labs Security Research team maintains an AWS-specific correlation rule set. Threat actors are increasingly targeting insecure cloud accounts to access exposed data or set up cryptojacking operations. Once an attacker has gained access to your AWS account, their actions and behaviors may be unique or specific to the environment, such as programmatically spinning up new services. It’s not enough to rely on traditional threat intelligence, which focuses on network threats rather than cloud-specific attacks. That’s why the AlienVault Labs Security Research Team curates AWS-specific threat intelligence, researching and analyzing millions of security events every day using a combination of machine learning, human analysis, and the community-sourced threat data of the AlienVault Open Threat Exchange (OTX) and its 100,000+ global participants. Here are a few examples of AWS-specific correlation rules added in 2018: The password associated with an administrator of a Windows instance was retrieved through the AWS console, which may indicate compromised credentials An EC2 instance in your AWS environment is querying a domain name associated with a known command and control server The machine is behaving in a way that deviates from the established baseline; it has no history of sending this much traffic, suggesting it might be compromised A request for temporary security credentials has been followed by the removal of multiple API Keys, a technique malicious actors use to maintain persistence and prevent the owner of the AWS account from regaining access A new AWS user account is deleting multiple user accounts in a short period of time, which could be malicious attackers trying to disrupt incident response efforts The automatic and continuous threat intelligence updates from the AlienVault Labs Security Research Team enables USM Anywhere customers to keep up with the latest cloud security threats with minimal effort. As John Chesser noted, “Ultimately, with that integration of the threat intelligence, I haven't had to take information from a third party and try to integrate that. I'm not having to jump to some other product to do it. It's all there together.” We’re adding another layer of AWS threat detection with the AlienVault Agent. Earlier this year, AlienVault announced the addition of the AlienVault Agent, a lightweight endpoint agent based on osquery that enables endpoint detection and response (EDR) capabilities in USM Anywhere. When deployed to endpoints within an AWS environment, the AlienVault Agent provides host-based intrusion detection and file integrity monitoring capabilities that are not possible through CloudTrail. Whereas CloudTrail provides visibility into activity that occurs at the management level, such as when someone creates a file in an S3 Bucket or spins up a new service, the Agent can reveal system-level information such as which users are logging in, which files are being created, and which modifications and configurations are being modified. This helps USM Anywhere detect activity like persistence by malware and attackers. In combination, CloudTrail monitoring and the AlienVault Agent provide a multi-layered approach to threat detection in USM Anywhere. For example, let’s look at how USM Anywhere helps users detect cryptojacking. Often, an attacker will use compromised AWS credentials to gain access to an AWS environment and begin to consume your resources for cryptomining activities. USM Anywhere detects this activity through CloudTrail event logs. However, another common cryptomining attack method comes with a sneaky twist that’s much more difficult to detect. Instead of spinning up new resources that can be detected through CloudTrail monitoring, an attacker might compromise existing instances within an AWS environment, perhaps through a web vulnerability or SSH. While CloudTrail can’t provide visibility of what’s happening on the system itself, the AlienVault Agent can still detect these exploits with its endpoint visibility. We work hard to provide powerful cloud security for AWS environments, and our customers reap the benefits. For Jason Harper, CEO and Founder of CeloPay, a payment processing technology company whose offering is built entirely in AWS, using USM Anywhere has been a game-changer. “I am thrilled with USM Anywhere,” Harper said. “The platform’s centralized log management consolidates and parses CeloPay’s millions of data points to provide full security visibility, which has reduced our PCI DSS compliance reporting time from eight weeks or more to one week.” Overall, it’s been a great year for AWS security with USM Anywhere, and I’m proud to share the work we’ve done to help keep your AWS environments secure. Join us at AWS re:Invent #1506 this week to learn more about how AlienVault secures customers' AWS environments. Read more: Learn more about Celopay’s experience with USM Anywhere in this case study Watch the AWS security webinar featuring CeloPay Learn about PCI DSS Compliance on AWS with USM Anywhere Read the Whitepaper: Best Practices for AWS Security Check out our AWS Security solution brief       

Le 2018-11-29


  Alien Vault - Let‘s Talk about Segregation of Duties
Segregation of duties is a fundamental information security practice. In simple terms, it means you split out important tasks between two or more people. This prevents one person getting drunk on all the power they wield, and also prevents one person from making a mistake that can have undesired consequences. One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation or separation of duties ensures that one person can’t launch a nuclear missile on their own. Segregation of duties works best when there is a clearly defined function and where there is some physical separation. For example, in a call centre or a banking app, a low junior administrator may be able to authorise payments up to $500, but anything above that would need supervisors’ approval. The junior admin can enter in the details, and send it off to the supervisor who can then approve or decline it. But in many cases, the broader application can sometimes have some flaws. In one of my first jobs in IT Security, our team had implemented a process for separating duties whenever a new HSM key (key change ceremony) needed to be loaded. I worked in the team that would have half the password to complete this task, and another team would hold the other half. Much like the end of the film Bulletproof Monk; I even had my half of the password tattooed on my back – I still don’t know what it says to this day. Once a project was underway, it meant I’d have to travel across the country to the data centre with my half of the password in order to change the key with the help of a colleague. The only problem with that is - have you ever worked on a project? It’s never on time - always delayed. And datacenters are COLD! So here I was sat in a datacenter with this other guy who was about 50, but was clearly experienced in these projects as he was sitting under a blanket he’d brought, reading his book and munching on some snacks. What’s wrong with this scenario? Other than the fact I didn’t have a blanket or snacks - that we’ve travelled from different parts of the country, with half of a password, only to be sat together for hours. Invalidating all the expensive measures taken to segregate the two halves of the password. Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow - but documentation being up to date is one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out -  which inevitably meant I gave him my half of the password and asked him to enter it… yeah, separation of duties kind of fell apart right there. Having said that, those were simpler times, there was no bring your own device, and there certainly wasn’t anything hosted in the cloud. Many times when organisations adopt cloud apps, they overlook segregating duties, or defining job functions for role-based access control (RBAC). So, it ends up with an all-or-nothing approach. Which works fine if all employees are trustworthy, and never make a mistake. Unfortunately, it’s all too easy to make a mistake. When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that, or if the access should be segregated. Similarly, if a rogue trader can make investments and harm a bank, one needs to question why the systems were setup in a manner to allow them to carry out such trades with little oversight. Or allowing developers to accidentally push code to production environments with one click… Recently a French cinema chain were tricked by an email in a business email compromise (BEC) scam which resulted in the CFO making payments of $21M to the fraudsters. The question shouldn’t be why the CFO allowed themselves to be tricked, but why did the systems allow the CFO to make such large payments without any checks and balances in place? While a host of technologies can help in these situations, a bit of forethought with proper separation and accountability can go a long way. Did these people learn nothing from Bulletproof Monk? Seriously, you should watch that movie – it’s got a lot going on.       

Le 2018-11-29


  Alien Vault - Is the Internet of Things Threatening Your Company‘s Security?
The internet of things (IoT) is changing nearly every industry. Smart devices that can collect and process data, and even make decisions based on that data, though artificial intelligence promises to disrupt business as we know it for years to come. However, there are some legitimate concerns. The more connected devices your company has, the more potential vulnerabilities are out there. As business owners we want to be able to access the data we collect through the IoT, but we also need to be able to protect that data, and we bear the responsibility for keeping that data secure. This, like many areas of business, is a time for brutal honesty. If you have vulnerabilities, you need to fix them. You don’t want to be part of the headlines about companies who acted too late or not at all. Your security must adapt to the IoT, and it needs to do so now. Is the internet of things threatening your company’s security? There are a few questions you will need to ask yourself and your IT department to truly determine the answer: How do I know? Most experts agree that the weakness in any network is the devices that make up the IoT. For example, if you have smart light bulbs in your home, they are likely controlled by a hub which not only provides you with more flexibility in controlling them, but also provides security so they do not become a weak point in your network. This is why an intrusion detection system (IDS) is so important. Technologies from companies like AlienVault allow you to monitor for threats and even give you advice on how to prevent harm from them. Remember there is more than one area of vulnerability in any system. Cloud-based IDS, network IDS, and host-based IDS, along with file integrity management systems, are all essential parts of your strategy. These alerts tell you there is an attack and can even reveal threats to you, which allows you to put remediation and prevention strategies in place. But what are the threats you should be aware of? What are the threats? Why don’t we have houses that are completely smart and controlled by IoT devices? What about our cars? Part of the reason is that a hacker with the right tools could potentially take over control of a house or even a connected car from the owner or driver. For example, the Bangladesh National Bank lost $81 million due to an IoT-based attack. What are these types of attacks? There are actually several, and they mirror other types of cyberattacks. Distributed Denial of Service (DDoS): Chrysler/Jeep was vulnerable to this type of attack. Essentially, control of devices or a system is taken by a hacker. Sometimes this comes with ransomware, where the owner or user has to pay to get that control back. Malware: IoT devices can be used by an attacker to spread malware, sometimes to more than one device. Botnets: A botnet is a network of computers that are infected and used to perform malicious attacks like the fridge that was sending SPAM emails. We hear about these types of attacks in the news on a regular basis, and unfortunately as security evolves and gets better, hackers innovate as well, finding new ways to get past security measures. They are always searching for vulnerabilities, so you and your business must be just as vigilant as they are. What preventative actions can I take? The risks are clearly out there. Just knowing there is an attack and the types of attacks is not enough, however. You also need to know how to prevent them. This is a multipronged answer, but there are some simple, general steps any business can implement to prevent all but the most determined of attacks or at least slow them down. Buy the Right Devices Whether they are for your home or your business, purchasing the right devices in the first place, ones with good security ratings, is probably the most important step. Do they plug into a controller or have a controller of their own? What level of security does it and the device itself have? This means doing some research beyond the hype on the product or company website. Look at other online review sites, scroll through forums and groups about security, and simply just ask IT security professionals who you know or who work for you. Change Passwords from Defaults and Use Strong Ones This may be something that seems obvious, but the number of times that an IT professional can walk into a business or someone’s home and open a device or network with a default password is amazing. Even more frequently, passwords are simple to guess or are just extremely weak. This is perhaps the most frequently vulnerable area of any system, yet it is easily prevented. You can use a password-generator program like LastPass or even iCloud keychain if you are a Mac user, and the program will remember your passwords for you. There’s no reason not to have strong passwords and change them often. Hire the Right People This may be the most important point of all. Encryption, comprehensive security solutions and all of the above actions depend on people, both those who know how to implement them and the employees who use them. Hire the right IT people. A degree matters in many fields, and IT is one of them. Hire someone with a degree in information systems and security, and if they have been in the workforce for a while, look at continuing education and how up-to-date they are on the latest techniques and technology. Educate your employees: There should be regular classes company-wide on what the latest IoT devices are, how they are vulnerable, and how employees play a role in protecting themselves and the company. Address issues right away. If you have a personnel issue or find that someone is out of compliance with your policies, take corrective action immediately. Your security is only as strong as its weakest link, and often that is the person in front of the computer. Anyone who has access to your network is a key player in IoT security. They can bypass many of your safety measures unintentionally. HR plays a big role in this process from the hiring to the training of employees, vendors, and contractors. The IoT is a wonderful tool in the right hands and a dangerous weapon in the hands of others. Make sure that your company security is not threatened by being vigilant, knowing the threats that are out there, taking preventative action, and hiring the right people to help.       

Le 2018-11-29


  Alien Vault - Things I Hearted this Week - 16th November 2018
Collecting stories over the course of the week is always fun. You start reading one story, and before you know it you’re down the rabbit hole of technology, security, and privacy reading up papers on how scientists want to embed IoT devices in giraffes necks. Fear not, I am here to strip away the mundane and irrelevant and bring you only the best in news, designed to make your heart flutter. Why Google consuming DeepMind Health is scaring privacy experts Google’s decision to bring DeepMind Health, the medical unit of the AI-powered company it acquired four years ago, closer to the mothership may leave 1.6 million NHS patients with “zero control” over where their personal data goes, experts say – while an independent body set up to oversee the protection of such data has been broken up. While there’s not denying that there are huge benefits to be gained from better aggregation and analysis, but by whom, with what oversight, and where does it end? Why Google consuming DeepMind Health is scaring privacy experts | Wired In related Google news, the company has published its first quarterly transparency report with stats on the security of the Android ecosystem. Android ecosystem security | Google On a side note, maybe we give big data analytics too much credit sometimes. User Behavior Analytics Could Find a Home in the OT World of the IIoT UBA has been around in data-centric IT for at least four years, but it has never become industry-standard primarily because in the real world, user behavior in IT is so varied and complex that UBA often creates more false alarms than useful ones. In IT, UBA has often failed to find the dangerous needle in the immense haystack of user behavior. But user behavior in process-centric OT is much simpler: OT systems run the plant, and scripted user activity is nowhere near as varied as in IT, with its multiple endpoints and inputs, email browsing, multipart software stacks, etc. User Behavior Analytics Could Find a Home in the OT World of the IIoT | Dark Reading IT-to-OT Solutions That Can Bolster Security in the IIoT | Dark reading Busting SIM Swappers and SIM Swap Myths SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments. REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts“) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars. Busting SIM Swappers and SIM Swap Myths | Krebs on Security The deep, dark reach of the magecart group For at least four years, a distributed, sophisticated network of cybercrime groups known collectively as Magecart has been compromising ecommerce sites small and large, as well as payment processors,installing web skimmers to steal confidential information, and raking in a fortune by selling pilfered card numbers on the underground, largely without any repercussions. Although security researchers have been tracking some of the groups since 2015, only recently has the Magecart name begun to ring out, as some elements of the group have hit major targets, including Ticketmaster and Newegg, drawing the attention of several law enforcement agencies and heightened interest in the research community. The deep, dark reach of the magecart group | Decipher Fake news 'to get worse' by 2020 election Krikorian, a computer scientist who previously held senior positions at Uber and Twitter, acknowledged social media companies like Facebook are taking steps to increase transparency. But he said their business models, driven by revenue and engagement, do not incentivize solutions for fighting fake news, and the problem wouldn't fix itself by the next U.S. presidential election. Fake news 'to get worse' by 2020 election unless social media firms act, DNC tech chief says | CNBC DOD prepares endpoint cybersecurity strategy as mobility booms In the end, will it come back to the endpoint? As the use of mobile devices and services pervades the lives of civilians and military personnel alike, the Department of Defense is taking a more endpoint-driven approach to how it secures its networks, developing a forthcoming enterprise cybersecurity strategy focused specifically around the gadgets people use. DOD CIO Dana Deasy said, “One of the things I keep stressing is we have to step up and face the reality about the world around us becoming more and more mobile, each and every day.” And it’s getting to a point where DOD must begin to embrace mobility, even if it means added security challenges. DOD prepares endpoint cybersecurity strategy as mobility booms | Fedscoop The rise of multivector DDoS attacks A really good post on DDoS trends, and the rise of multivector DDoS attacks, which shouldn’t come as a complete surprise to most; but seeing this analysis helps quantify it all The rise of multivector DDoS attacks | Cloudflare Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution So, the ICO does have some teeth after all. A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence. Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of  customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex. He continued to do this after he started a new job at a different car repair organisation which used the same software system.  The records contained customers’ names, phone numbers, vehicle and accident information. Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution | ICO Clickjacking on Google MyAccount Worth 7,500$ A nice writeup by a researcher who found a clickjacking bug on Google. My favourite was the timeline at the end: Aug 11 : Report to Google Aug 15 : Google Staff Ask Detail Aug 15 : Adding Detail Aug 21 : Google Can’t Prove Bug Aug 21 : Give them Video to PoC Aug 28 : Google Ask About Attack Scenario Aug 28 : Give the Attack Scenario Sep 11 : Nice Catch! Sep 25 : Bounty 7,500$ Sep 25 : I Cry. Clickjacking on Google MyAccount Worth 7,500$ | Apapedulimu Other things I liked this week Why I Dislike Applying “Game-ification” To Goal-Oriented | Paul Jorgensen The future of data storage isn’t on the cloud - it’s on the ‘edge’ | Independent Mysterious Re-Routing of Google Traffic Could Have Been an Attack, or Just a Glitch | Gizmondo System error: Japan cybersecurity minister admits he has never used a computer | Guardian       

Le 2018-11-29


  Alien Vault - Defending Against Zero-Day Attacks with AlienVault USM Anywhere
Introduction Recently, an AlienVault customer reached out to ask how AlienVault handles the detection of  zero-day attacks, which are exploits against previously unknown vulnerabilities. In this blog, I shed light on how we approach this. Modern security products rely on some definition of threats, whether that definition is as specific as a signature that identifies a unique strain of malware or as general as a behavior pattern that threat actors employ broadly across different strains of malware. The challenge of security is keeping those definitions up to date as attacks emerge and evolve in the wild every single day. Most organizations outside of the Fortune 500 do not have the resources to tackle this challenge on their own.  There are a few approaches to this challenge of staying ahead of the always-shifting threat landscape and new zero-day attacks. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them. Another is to identify the active exploit in the wild early and to quickly update your defenses immediately to detect and respond to it. AlienVault uses both of these approaches to keep our customer environments secure in the face of zero-day attacks. Let’s take a deeper look at how. Early Access to New Vulnerability Information One way to stay ahead of emerging threats is to know about the vulnerability before threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerabilities. That’s why it’s a security best practice for software researchers to inform security vendors of new threats and vulnerabilities before they announce them to the general public. For example, AlienVault participates in Microsoft’s Microsoft Active Protections Program (MAPP). Through this program, AlienVault Labs receives early access to new vulnerability information for Microsoft and Adobe products before Microsoft publishes it in its monthly security update. This allows us to update the defenses in USM Anywhere ahead of a public announcement, giving our customers a headstart in identifying and remediating the vulnerabilities in their environments. Discovering Zero-Day Attacks as they Emerge in the Wild Of course, the “good guys” are not always the first to discover new vulnerabilities.  All too often, threat actors find and exploit vulnerabilities before vendors have the opportunity to discover and release patches for them. Thus, zero-day vulnerabilities are often discovered after they’ve been exploited in a successful zero-day attack. That’s why it’s important to have a constant watchful eye on the global threat landscape as well as the ability to operationalize new threat information as soon as it becomes available. The Power of the Global Threat Intelligence Community AlienVault has a couple of strategies here.  First, AlienVault USM Anywhere is unique in its ability to detect zero-day attacks thanks to its direct integration with the Open Threat Exchange (OTX), the world’s largest open threat intelligence sharing community. The global OTX community of over 100,000 security researchers and practitioners contribute 19 million pieces of threat data daily, and they often alert the community within the initial minutes or hours of discovering an attack in the wild. This threat data is available to any OTX user to consume in their security tools. For AlienVault USM Anywhere users, OTX threat data is integrated and ready to use in the platform. Users can subscribe to any OTX Pulse to enable security alerting on the indicators of compromise (IOCs) published within that pulse. Users can also subscribe to email notifications to stay aware of specific attacks, threat actors, or malware families as they evolve. AlienVault Labs Security Research Team In addition to the community-powered threat data shared in OTX, USM Anywhere receives continuous and automatic threat intelligence from the  AlienVault Labs Security Research Team. This team works on behalf of all USM Anywhere customers, monitoring the global threat landscape daily, analyzing threats with a combination of human and machine intelligence, and curating the threat intelligence that is delivered continuously and automatically to USM Anywhere. AlienVault Threat Intelligence is ready to use and is written to proactively detect higher-level activities, patterns, and behaviors to effectively automate threat hunting activities across customer environments. Behavioral-Based Detection Detecting threats based on IOCs like file hashes and IP addresses enables security teams to identify emerging attacks quickly and with higher confidence. Yet, alone, IOCs are fairly volatile as threat actors can alter them very quickly, easily, and even automatically. Less volatile are the tactics, techniques, and procedures (TTPs) that threat actors use (and reuse) to carry out attacks. Think of these as the recipe for the attack - it’s the high level tasks they perform at each stage of attack.  These steps are often the same for different malware or campaigns, so identifying them is more effective than focusing on other methods of detection. For example, consider a network attack.  The initial network intrusion may be done using a brand new, unidentified vulnerability.  But, once the threat actor gains access to the system she attacked, her recipe calls for downloading tools needed to move laterally in the network and extract data.  These tools can be identified when they are downloaded or when they communicate on the network.  These tools are independent of the initial zero-day vulnerability that was exploited in order to gain access, so we can still detect the threat by detecting other tools used in the attack. To do this, AlienVault Labs uses machine learning algorithms to extract threat characteristics and clusters to identify known and unknown threats. These "clusters" are based on observed network behavior, OS interactions, and more. The algorithms further analyze these clusters to identify anomalous behavior. The AlienVault Labs team uses this information to codify the tactics, techniques, and procedures, which are packaged as correlation rules and delivered continuously to USM Anywhere as part of the threat intelligence subscription. Using this strategy, AlienVault was able to detect and block "ALPC zero day" months before it was actually identified in the wild and an IOC was written for it.  This exploit is designed to take advantage of an API vulnerability in the Windows task “SchRpcSetSecurity” that controls the ALPC (Advanced Local Procedure call) interface allowing local users to obtain SYSTEM privileges. AlienVault Labs detected this privilege escalation technique with generic detection mechanisms that are resilient to a changing attack vector. In other words, they came up with a way to detect this type of privilege escalation that is independent of the exploit it is wrapped in.  So any attack, even a zero day, that uses this technique is effectively identified by AlienVault. Another example is the well-known Apache Struts vulnerability.  When it was first released, there was no defense against the attack.  However, once it got onto a system, it leveraged a Webshell to communicate back to its masters.  AlienVault USM Anywhere was already able to detect this Webshell because it was used by other attackers in previous campaigns as part of their TTPs. Summary In this blog post, I’ve outlined a few of the techniques that AlienVault leverages to detect emerging and evolving threats, including zero-day attacks. To quickly summarize: Early access to new vulnerability information allows us to update the vulnerability signatures in USM Anywhere ahead of public release. OTX acts as an early warning system of experts around the world, and they are bolstered by our internal threat team to quickly find and analyze new attacks. Advanced detection techniques like identification of behaviors and TTPs means AlienVault can detect many zero-day attacks even if the IOCs change frequently. See the table below for some examples of how these efforts have resulted in early detection of several different recent threats by USM Anywhere. Vulnerabilities and Zero-day Attack Examples that USM Anywhere Defends Against       

Le 2018-11-29


  Alien Vault - Top 10 PCI DSS Compliance Pitfalls
Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world’s largest retailers have been hit by to data breaches. The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organizations. For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers.  Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance. As a follow-on from the webcast, I wanted to dive into that area further to provide tips and best practices to help companies address those Top 10 Pitfalls for PCI-DSS.  1. Improper scoping The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that handle cardholder data. A common misconception is to overlook the systems that support and secure the CDE, and fail to include them in scope. Specifically, any systems involved in managing the security of in-scope systems are also considered in-scope, and need to be secured and monitored. Some examples include: IAM servers; Domain controllers; Key Management servers, Firewalls/IDS/IPS systems; Log management/SIEM systems; AV Management servers and more. Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks. 2. Failing to patch systems regularly PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, in one high profile breach it took the company more than four months to identify an unpatched vulnerability that provided a foothold for their devastating data breach. Pro-tip: Identifying unpatched assets and applications is a must. Be sure you schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in- scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation. 3. Failing to audit access to cardholder data PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. While many organizations have implemented two-factor authentication, they often fail to audit this access to verify that these controls are working as expected. In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise being used in more than 39% of investigated breaches against merchants. Pro-tip: Implement two-factor authentication on all of your CDE assets. Schedule periodic audits against these assets, to verify that controls are working properly. Additionally, enable monitoring on all CDE assets to capture a baseline. Finally, configure your SIEM to trigger alarms for all activity that falls outside this baseline so you can respond quickly to potential threats.

Le 2018-11-29


  Alien Vault - New Vice President of Asia Pacific Graham Pearson Joins the Alien Nation
Today, we are happy to share that Graham Pearson has been appointed Vice President of Asia Pacific (APAC) for AlienVault, an AT&T company. In this role, Graham will lead our operations and sales strategy in the region. He is excited about joining AlienVault and providing APAC companies with the unified security management approach they need in moving to the cloud and keeping up with today’s evolving threats. “Joining AlienVault is a huge opportunity for me; it’s the right time and they have the right product at the right price for enabling fast, effective threat detection and response.” With more than 30 years of sales experience in the IT industry, 22 of those in cybersecurity, Graham has worked with Fortune 500 companies and fast growing start-ups. Most recently, he was Vice President for Okta, an identity management company, in APAC. In four years, he grew Okta’s Australian office from one employee to 50, supporting 400+ customers in the sales territory. Graham’s experience includes sales leadership roles for Oracle’s Security and Identity Management solution and Security Business Unit within the Fusion Middleware space. He also held various sales positions at CA Technologies and Websense for security products. When Graham is not working, he enjoys spending time with his wife and two kids, ages 17 and 13. Here’s more about Graham’s journey to AlienVault! Here’s a picture of Graham with his wife, Leila, while vacationing in Las Vegas.       

Le 2018-11-29


  Alien Vault - Things I Hearted this Week, 9th Nov 2018
Another week, another trove of articles I read so that I could bring you only the best. Because that’s just the kind of person I am. You’re welcome. A SOCless detection team I can’t remember if I shared this article a few months back, and I’m too lazy to go take a look - but it’s worth revisiting. We don’t talk about threat detection and response without mentioning a SOC in the same breath. But a SOC is just one mechanism to facilitate the desired outcome. What if we could achieve the same result, but without a SOC? A SOCless detection team at Netflix | Linkedin Related Threat Detection Is A Multi-Stage Process | Gartner blogs Hey there! How much are you worth? Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all? Hey there! How much are you worth? | Securelist US Cyber Command starts uploading foreign APT malware to VirusTotal I think this is a good move, the more sharing, the better for defensive security right? Of course there are always caveats and scenarios where one would not share, but broadly speaking I hope more companies and government departments jump on board. The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community.The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples. US Cyber Command starts uploading foreign APT malware to VirusTotal | ZDNet You're Going To Get Breached -- So How Should You Respond? We live in an age in which the rate of technological advancement is unparalleled. But of course, with new technologies come new security vulnerabilities. The best example being the imminent arrival of 5G and the rise of connected devices, which alone already present numerous vulnerabilities. According to Ponemon Institute's 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report, 52% of organizations are not confident their current anti-virus software will protect them from ransomware. Even with the rise of artificial intelligence in cybersecurity and enhanced defensive software capabilities, hackers have shown themselves to be consistently one step ahead. With this in mind, businesses need to stop asking, “Will I be hacked?” and instead tackle the inevitable question, “When will I be hacked?” You're Going To Get Breached -- So How Should You Respond? | Forbes Destroy Logs, Hide Attacks Apparently hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks. Nothing really new here. I remember once messing up a change as a young secops admin, and erased the logs to cover up my mistake. But that’s a story for another time. Hackers are increasingly destroying logs to hide attacks | ZDNet Finding Gold in the Threat Intelligence Rush Threat intelligence feeds, sold for hundreds of thousands of dollars per year, are marketed on a specific premise: If an entity is seen acting maliciously in one place, it can be expected in others. But is that always true? Finding Gold in the Threat Intelligence Rush | Dark Reading DJI plugs security flaws that could have enabled access to users’ data and drone images If exploited, the vulnerability would have given an attacker full access to a user’s account and the information within it, including video footage and photos taken by their drone’s as well as flight paths, GPS locations and other confidential data, without the user being aware of any intrusion. Alexa, what’s the best way to burn a drone? DJI plugs security flaws that could have enabled access to users’ data and drone images | HelpNetSecurity Oracle’s VirtualBox vulnerability leaked by disgruntled researcher An independent researcher who was disgruntled with traditional bug bounty methods took it upon himself to leak the details of an exploit in Oracle’s Virtual Box without first informing Oracle. Sergey Zelenyuk discovered a flaw that would allow him to escape from the virtual environment of the guest machine to reach the Ring 3 privilege layer used for running code from most user programs with the least privileges. Oracle’s VirtualBox vulnerability leaked by disgruntled researcher | SC Magazine Other stories and articles I found interesting this week Retail focus is key to Alibaba’s new London datacentre | Computer Weekly What it takes to be a ‘Chief Data Officer’ in 2018 | IT Pro Portal How Amazon Makes Money: Amazon Business Model in a Nutshell | FourweekMBA       

Le 2018-11-29


  Alien Vault - The Many Ways your Phone Communicates
Are you familiar with all the ways that your smart phone communicates?  The other evening, at dinner, I was describing to a friend how the VPN software I use on my phone masks my location when I am on the internet.  Sometimes, am in Helsinki, and other times, I may be in another part of the world.  My friend asked “how expensive are your data charges for all the texts you receive while you are masquerading around the globe?”  I realized that she was unfamiliar with all the ways that a smart phone communicates.  Others at the table were also curious. You have probably heard about how the smart phone in your pocket is more powerful than the computer that powered the Apollo Space missions.  Not only is your phone computationally more powerful, but it can also communicate across more conduits, most of which did not exist back in those early days of space exploration.  These technologies are separate and distinct. Here are some non-technical explanations that we, as InfoSec professionals, should share with our friends and family about how a phone communicates: Text messages rely on a cell number in order to function.  This is controlled by the Subscriber Identity Module (the SIM card), which resides in the phone.  Your SIM card holds your cell phone number.  Anyone who can access your SIM card can make phone calls under your identity, and sadly, leave you holding the bill.  This s why it is very important to report a lost phone to your cell phone provider.  It does not matter if your phone is password protected.  The SIM card can be used in any similar unlocked phone to make phone calls.  Internet and other data connections are governed by your IP address.  The phone relies on information from the SIM card to determine the carrier, but it does not use the same signal pathway as a text message.  That is why using a VPN does not result in international text charges.  You can connect to any Wi-Fi in absence of a SIM card.  The Wi-Fi Signal does not need a phone number or a carrier to communicate.  It is relying on the Wi-Fi provider to complete its connection.  Of course, you cannot receive text messages without a SIM card, even on Wi-Fi.  Usually, your phone will often remind you that there is no SIM card installed. Recently, 75% of Americans experienced a test of the “Presidential Alert” system.  Even if your phone was in silent mode, the alert triggered the klaxon-level alarm on the device.  This raised some speculation by none other than the comically adorable John McAfee about the presence of an “E911” chip on the phone.  Bruce Schneier commented that, “This is, of course, ridiculous. I don't even know what an E911 chip is. And -- honestly -- if the NSA wanted in your phone, they would be a lot more subtle than this.” Remember that there are also both Bluetooth and Near Field Communication (NFC) capabilities on your phone. These are usually used in conjunction with the other communication features. For example, you can connect to your Bluetooth in your automobile and then use the phone to make a phone call.  Although Bluetooth and NFC possess very short-range capabilities, they are yet another method by which your phone communicates to an external entity.  The smart phone is truly a remarkable technological achievement. I wonder if most folks who own a smart phone have ever considered the various ways that these devices communicate, and one has to wonder how much they communicate without our knowledge or permission.  Excuse me while I go and put my phone in the refrigerator.        

Le 2018-11-06


  Alien Vault - Financial Data and Analysis Predictions for 2019
https://pixabay.com/en/analytics-google-data-visits-page-3680198/Paste The use of big data and data from the internet of things (IoT) is changing business so rapidly it is hard to predict what is next, and financial analytics are certainly no exception. While the need for financial analysts continues to rise, the way analysts performs their day-to-day functions is evolving. More data than ever before is put into the evaluation of company financials, market analysis, and investment predictions. A company’s decision to issue bonds, split stock, or even initiate stock buyback options is much more informed than ever before. So where is data and financial analytics taking us in 2019? Here is a closer look: Advanced Analytics and Data Science https://www.gartner.com/ngw/globalassets/en/information-technology/documents/insights/100-data-and-analytics-predictions.pdf Data and analytics are more pervasive than ever in nearly every enterprise. They are increasingly the key to nearly every process a business engages in. These statistics tell the story best: Deep neural networks or deep learning is in 80 percent of data scientists’ toolboxes. By 2020 more than 40 percent of data science tasks will be automated. Nearly 50 percent of analytics queries are done via natural language queries (voice) or are auto-generated. In large part, this is due to wider adoption of artificial intelligence options. What this means for business and the future of analytics is simply this: by the end of 2019, 10 percent of IT hires will be writing scripts for bot interactions. In fact, according to the McKinsey Global Institute, despite the growth of both data and the use of artificial intelligence to analyze it, most companies are “only capturing a fraction of their potential value in terms of revenue and profit gains.” Their weaknesses, ones that can be solved with proper data and analytics, are many. Here are a few: Inefficient matching of supply and demand. Many companies are not taking advantage of analytics that can predict with amazing accuracy seasonal demand and annual lulls. Prevalence of underutilized assets. Many businesses have assets that sit idle or employees and departments duplicating tasks, something easily determined by honest analytics. Dependence on demographic data rather than more efficient behavioral data. Behavioral data says a lot more about both clients and employees, and is much easier to use. Over the next year, more companies will become dependent on analytics, and those companies who do not adapt will be three times more likely to fail. The Blockchain, Predictive Analytics, and Security What role does the blockchain play in all of this? The key is this: the blockchain security system is based on a shared ledger, a much more transparent way of saving data. Predictive analytics — essentially the ability to predict the future with some accuracy — requires a lot of data and until recently, a lot of specialized training. This is because data scientists are a new breed and help determine what data is appropriate for the predictive model. The more data produced, the more accurate the prediction. Thousands or sometimes even millions of points of data are needed. This data analytics is directly related to real-time decision making, and predictive analytics leads to goal setting and future business planning. These are all things business analysts learn through coursework and on-the-job training and understanding. Blockchain, because of the shared computing power it uses, can use natural language processing to determine the defining boundaries of the data to be analyzed. As mentioned above, more natural language queries than ever before will be posed, and blockchain has the ability to bring the power of artificial intelligence to even the smallest of businesses. Along with this power comes the security of blockchain and the stability of the data created (a complex discussion in and of itself). Multiple Expansion and a Bullish Market https://www.cnbc.com/2018/09/04/credit-suisse-releases-bullish-2019-stock-market-target.html From  this financial analysis, Credit Suisse has given us our first financial predictions for 2019: it is going to be a bullish year, with annual gains of around 11.4 percent. That could mean that the Fed’s recent decisions to raise rates could be right on. Why? Because according to artificial intelligence, the next recession in the U.S. is expected to begin in 2019 according to the San Diego based company Intensity. What is this artificial intelligence method, and how does it compare to its human counterparts? The company’s forecasting “engine” relies on continual model updating, much like data scientists depend on analyzing the latest data. In fact, the company is comprised of data scientists, statisticians, and PhDs. The engine takes real-time data and feeds it into several different models, which it combines to make predictions that vary with real-time conditions. You can look at the latest prediction here, which says that a recession is 82 percent likely in the next 12 months and sets the likelihood over 50 percent in March of 2019. As 2019 approaches, this kind of data, fed into artificial intelligence and deep learning models, will impact how more companies than ever do business. While we can’t take the human factor out of the equation, it seems we are becoming more and more predictable — or the machines are just getting better at it. But as always, predictions, even those with supporting data, can be wrong. All we can do ist work with the data and have an advantage on the predictions being right.       

Le 2018-11-05


  Alien Vault - Things I Hearted this Week, 2nd Nov 2018
It’s November already, where has the year gone? I can almost still remember typing out the words for the year’s first ‘Things I hearted’ blog back in January. Re-reading it now, it feels as if not much has changed, big messes, breaches, an in-fighting seemed like the usual for the year. I was speaking with my colleague Chris Doman a couple of days ago, and he did point out that 2018 overall has largely been better because we haven’t seen any large scale attack like WannaCry. He did pause and then add “yet” - so I suppose you could say we’ve improved because this year has caused less havoc than last year? Let’s chalk risk reduction down to a win and get on with it. IBM Acquired Red Hat A few weeks ago, prior to the announcement of the acquisition, IBM came up in discussion with a few friends and one of them said that IBM is one of those companies that everyone has heard of, but hardly anyone knows what they exactly do outside of a few services they use. As the cool kids say, this may have been a statement designed to “throw shade” (young and hip people, please correct me if I’ve used the term incorrectly - I already embarrass my children enough by misusing lingo), but the fact is that the statement is rather true, only because most people are still trying to work out why IBM would shell out 33.4 Instagrams for Red Hat. IBM acquires Red Hat, but what does that mean? | 451 Research blog Why IBM bought Red Hat: It's all open source cloud, all the time | ZDNet 6 Things to Know About IBM's $34B Acquisition of Red Hat | CMS Wire IBMs old playbook | Stratechery The Supply Chain I won’t give any more air time to that ridiculous ‘grain of rice’ Bloomberg story. However, it did give everyone time to pause and think about the supply-chain and how fragile it is. It’s easy to overlook the reliance businesses have on partners and their security. Dan Goodin took a peek behind the curtain of this shady practice and wrote on two supply-chain attacks. Two new supply-chain attacks come to light in less than a week | Ars Technica Would you Compromise Privacy for $850m? Under pressure from Mark Zuckerberg and Sheryl Sandberg to monetize WhatsApp, Brian Acton pushed back as Facebook questioned the encryption he'd helped build and laid the groundwork to show targeted ads and facilitate commercial messaging. Acton also walked away from Facebook a year before his final tranche of stock grants vested. “It was like, okay, well, you want to do these things I don’t want to do,” Acton says. “It’s better if I get out of your way. And I did.” It was perhaps the most expensive moral stand in history. Acton took a screenshot of the stock price on his way out the door—the decision cost him $850 million. WhatsApp Cofounder Brian Acton Gives The Inside Story On #DeleteFacebook And Why He Left $850 Million Behind | Forbes On the topic of money for ads We posed as 100 Senators to run ads on Facebook. Facebook approved all of them. | Vice On the other side of privacy. Tim Cook blasts 'weaponisation' of personal data and praises GDPR | BBC What are Everyone’s Kids Doing at School? Another one to be filed under “what were they thinking?” - both the developers, and to be honest, do schools really need to share every minor detail via an online portal? What happened to good old-fashioned parent-teacher meetings? Remini, a smartphone app that launched in 2013, aims to provide parents and educators with a social network to follow a child’s progress throughout school and their early life, documenting important milestones and letting parents share images with their child’s school. But Remini exposed these, and the personal information of its users to the internet writ large, thanks to an API that let anyone pull the data without any sort of authentication. The data included email addresses, phone numbers, and the documented moments of the children as well as their profile photos, according to a researcher who discovered the issue. 'Remini' App Used by Schools Left Personal Info Open to the World | Motherboard Pakistani Bank Has Millions Taken Apparently Bank Islami Pakistan was subject to a massive attack where many customers reported seeing transactions on their cards abroad. It’s alleged that attackers were able to breach the data centre of the bank and sold the customer details. I found this interesting because Pakistani businesses probably have had lesser worries in the past. But as organisations such as banks go through a digital transformation, they are opening themselves up to a much broader range of threats. Something, they probably haven’t accounted for. It’s not too dissimilar to what we see in other parts of the world, where companies such as small or medium businesses didn’t used to get attacked as often, but now it’s pretty much a daily part of life. Bank Islami Comes Under Biggest Cyber Attack of Pakistan’s History | Daily Punch Explain TLS Easily A good way to explain TLS to someone. The Illustrated TLS Connection | @XargsNotBombs How to Choose Which Conference to Attend There’s no way to say this nicely, but there are just too many security conferences in the world today. I think it would be a good idea to try to emulate Tom Hanks from “The Terminal”, but instead of living in an airport, see if one can spend a whole year or half a year only going to conferences. Actually, that sounds like a terrible idea, don’t try it. But what makes a conference worth attending or not? I found a good post by Valerie Lyons which may help you decide. Conference trick: how to choose worthwhile security and privacy events – and which to avoid | BH Consulting       

Le 2018-11-02


  Alien Vault - Cybersecurity & Formula 1 Racing - It‘s a Profession
This is perspective from one of our MSSP partners, CyberHat. Formula 1 is a serious business.  It takes years of expertise and practical foot work to design, build and operate a winning Formula 1 team.  It's easy to think that success depends on the car and the technology.  But in reality, a cutting edge engine in the best car in the world can’t win a race alone. Without an expert driver and a highly experienced and dedicated support team, you just can’t finish first. When it comes to Cybersecurity everyone wants to win the race of protecting their assets and detecting and responding to threats to mitigate risk.  Most organizations today will invest heavily in cyber security technology, buying it, integrating it and implementing into the organization, yet very few will focus on the teams driving the technology, supporting and utilizing it. It’s a simple belief that if you get a good enough car, you don’t need to be a good driver, when the reality is exactly the opposite – if you’re a good enough driver, you can get a lot out of pretty much every car.  Today, more and more companies are looking for fully encompassing cyber security solutions and are gradually consolidating in to Security Operation Centers (SOC)s to help manage their security issues and this is a smart move. SOCs are where Cybersecurity teams detect, analyze and respond to threats on an organization.  Their core task is to use the tools and skills at hand in order to provide the organization with an ongoing, relevant and professional security posture.  Yet in the current cybersecurity landscape not all SOCs were created equal. It is important to understand what components are imperative for a SOC to be most effective.  Formula 1 fact: The best Formula 1 Pit Crew can refuel and change a tire in just 3 seconds. They are the best in their field and they are dedicated to a strong set of processes.  This is true for the SOC team as well.  High expertise and seamless teamwork are important to effectively curtail the dangers of cyber-attacks and navigate the cyber field safely and in a timely manner.  Many SOCs might have dedicated Tier 1/2 analysts, who can change tires and refuel seamlessly on the usual runbook procedures for many common or predictable cyber threats, but they are not experts in managing larger scale incidents like a blown gasket or jammed piston which entails the response of more experienced Mechanical Team or in Cyber Tier 3/4 Analysts. These are highly trained specialized professionals with in-depth experience that are able to tackle complex unusual incidences and attacks under severe time pressure. For example, sometimes cyber-attacks cannot be detected, deflected or blocked before they begin.  Then it is the SOCs responsibility to contain and protect as well as investigate and conduct a meticulous analysis for preventing similar incidences, through a dedicated Forensics Team.  The Forensics Team of a SOC is dedicated to evaluating necessary damage repair and implementing novel  or near realtime responses. The core trade for a professional is the old saying – “practice makes perfect”, it’s a simple question of constantly getting your hands dirty with the nitty gritty work, repeatedly executing complex tasks in as versatile an environment as possible, is the only way to become a professional and the only way to stay one. Not all security issues are as dramatic as a direct attack but are measured in how “ready” your organization is for the when scenarios.  In the race to being secure, organizations many times fail to properly calibrate or stay up to date with internal components - whether it is infrastructure or personnel.  A dedicated SOC has an Onboarding Team that ensures that specific security and IT elements like Security Incident Event Management or SIEMs are properly configured and calibrated and that employees are properly trained to understand, analyze and act in response output. Just like a Formula 1 team, when a SOC has a solid, strong and professional Cybersecurity team, the synergy in the teamwork ensures optimal performance and protection within the dynamic and complex cybersecurity world.   Professionalism is the key to effectively curtailing the dangers of cyber-attacks.  Ensuring a complete, professional and experienced team is what turns an ordinary team into a winning team. As it is said "The whole is only as good as the sum of its parts". Register for our webinar on Thursday, November 8th at 1pm CST to learn more about how profesional SOC are designed, built and operates.          

Le 2018-11-01


  Alien Vault - It‘s the Season of Lists - Time for a Meaningful Risk List
I attended the Cybersecurity Summit in Phoenix recently and presented on the topic of minimizing risk. There were some great conversations around the value of risk management within the cyber threat landscape. Here are some of my musings from the event. We are now at the forefront of a world of digital transformation. Beyond being a buzz word digital is part and parcel of our daily lives today.  According to the World Economic Forum report earlier this year, cyber-attacks and date theft/fraud bubbled up to number two and three of the top five threats in terms of likelihood of occurrence and cyber risks intensified. With the scale of attacks today, along with the ingrained expectation that you’re either an organization that has been breached or you’re going to be, there is a lot of chatter about investments being made in cybersecurity technologies and how breaches still happen. Prevention is now being balanced with detection and response. Given this, the focus has turned to the need for cyber to be addressed as a business challenge and measurement of risk is key. Before you go ahead with a cybersecurity investment plan for 2019, consider answering the questions below. • What are your top 5 cyber risks based on priority? • Can you describe the actual loss impact in business terms for each of your top 5 risks? • How are these cyber risk impacts aligned to your risk appetite? •Are you truly reporting on cyber risks or is it compliance driven with reporting on control effectiveness?  • Have you considered how you plan to deal with the current risks, emerging risks and treat these risks on an ongoing basis? A common business edict is: “If we can measure it, we can manage it.”  In the security space, the term GRC (Governance, Risk and Compliance) is common, but typically most organizations have been driven by the compliance focus. Spending has been primarily compliance driven, and along the way, too many risk assessments have been conducted with a checklist approach. As you plan for the 2019 cybersecurity budget, here are four handy tips to consider that can help cut to the core of cyber risk management. 1. Risk counts, but don’t just be counting Counting all the risks – as an end – is just a part of thorough risk identification. The question is not, in any case, how many risks you can think up, but what is relevant to your business, i.e. what exactly the key vulnerabilities are in achieving your business objectives. 2. Ongoing debate of Qualitative versus Quantitative The key here is structured versus abstract. You must be able to measure the risk and quantify it. However, if your organization is going the qualitative route, keep in mind you must back the risk with data to differentiate the levels of risk.  After you have conducted a meaningful risk assessment to identify the inherent risks faced because of the business you do, the next step will be to understand what Risk Mitigation strategies are required, with what priority, invoking what resources. 3. Continuous Cyber Risk Monitoring Cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud adoption, increasing digital transformation investments, and advancing data analytics sophistication. As these transformations continuously grow the digital footprint, they outpace the security protections companies have in place. 4. Know your Risk Appetite Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing; and getting close to secure is elusive. The current level of controls for security and privacy that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize. It is a truism that different types of risk require different types of defensive strategies. A more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring.  The key is to balance risk versus reward. Conclusion Risk management is at a fascinating point in its evolution. It is now recognized to be not only fundamental to an organizations financial stability and regulatory compliance, but also an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and tolerance for risk.  All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap that will help them reduce their risk as their business expands. How are you able to identify and address new risks quickly while you deliver new technologies? Would love to hear successful techniques and insights on your partnership with finance, operations, and the businesses as we move to the risk function of the future?       

Le 2018-10-31


  Alien Vault - AlienVault Open Threat Exchange Hits Major Milestone with 100,000 Participants
Today, I’m excited to announce that AlienVault® Open Threat Exchange® (OTX™) has grown to 100,000 global participants, representing 36% percent year-over-year growth. AlienVault OTX, launched in 2012, is the world’s first free threat intelligence community that enables real-time collaboration between security researchers and IT security practitioners from around the world. Every day, participants  from more than 140 countries contribute 19 million pieces of threat data to the community. OTX enables companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyber-attacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). As Russell Spitler, SVP of Product for AlienVault, an AT&T company,  explains, “Attackers rely on isolation - they benefit when defenders don’t talk to each other. We can’t be everywhere at once, but they can learn from each others’ experience. With the growth in OTX membership, we all benefit from the diversity of threat intelligence from an even wider variety of participants.” To provide big-picture perspective on the billions of security artifacts contributed to OTX this year, AlienVault Security Advocate Javvad Malik and Threat Engineer Chris Doman have created the OTX Trends Report for 2018 Q1 and Q2. Like the 2017 report, this analysis reveals trends across exploits, malware, and threat actors, including top-ten rankings of the most seen exploits and adversaries recorded in vendor reports. The analysis reveals changes in the threat landscape, including a shift in the most reported exploits. For example, this year’s report reveals a rise in server exploits, as well as marking the first time an exploit targeting IoT devices (GPON Routers) has made the list of most-seen exploits. Encouragingly, the OTX Trends Report shows an uptick in information sharing across the InfoSec industry, including a plethora of independent research sharing on Twitter. According to the report, “As more companies and researchers look at ways to share threat data, we see more usable and useful information flow into OTX. This openness and collaboration has resulted not only in organisations being able to defend themselves better - but increasing circles of trust within the industry where actual threat intelligence is being shared more openly. A trend that we have seen grow over the years.” The sheer volume of security events included in the OTX Trends Report reflects the importance of keeping up with the latest threat intelligence. Without threat sharing, malicious actors can easily reuse effective exploits and pivot their attacks from target to target. A campaign affecting the UK legal industry can be repurposed for bankers in the United States, while security researchers operating in silos start from scratch each time. For example, the OTX Trends Report shows that the most commonly reported exploit, CVE-2017-11882, has been reused widely. By joining OTX, participants can strengthen their defenses and share real-time information about emerging threats, attack methods, and malicious actors. The diversity of OTX participants representing different countries, industries, and organization sizes provides every community member with more comprehensive set of data, enabling better threat detection. Beyond participant-contributed threat indicators, the OTX community also benefits from the robust threat data provided by AlienVault’s broad network of OTX partners, including Intel, Microsoft MAPP, Cyber Threat Alliance, QiHoo360, Telefonica, Hewlett-Packard Enterprise, and more. OTX partner contributions enrich the threat intelligence data available within the community and support the analytics available to OTX participants. This collaboration across the InfoSec industry provides added assurance that participants have the information they need to detect the latest threats as they emerge. In addition, OTX can serve as a STIX / TAXII provider and platform, enabling ISACs and other threat intelligence providers to share their curated threat intelligence through STIX/TAXII to their devices or to their customers. AlienVault has made it easier than ever to leverage OTX data to detect and respond to threats in your own environment.  Earlier this year, we introduced OTX Endpoint Security™, a free service in OTX that allows anyone to quickly identify threats by scanning their critical endpoints. OTX participants can use the osquery-based AlienVault Agent to scan their endpoints for the presence of known indicators of compromise catalogued in OTX. For example, when a major attack like Petya or WannaCry occurs, OTX participants can run queries against the latest threat data in OTX pulses to find out if their endpoints have been compromised, without requiring additional security products. OTX Endpoint Security is available to all registered OTX participants at no cost. For users of AlienVault USM Anywhere™, OTX provides even deeper benefits. AlienVault USM Anywhere consumes OTX threat data in multiple ways, enabling busy security teams to detect and respond to the latest global threats as they emerge, without extra cost or effort. As Lee Thomas Hagen, Strategic Consulting, Dataprise, Inc. explains, "With AlienVault we have been able to reduce lag times by not having to invest into specialized research for which we rely on AlienVault Security Labs and OTX." The AlienVault Labs Security Research Team consumes OTX threat data, applying machine learning and human analysis to validate and expand on the threat scenarios. The team uses this intelligence to curate and deliver continuous threat intelligence updates to USM Anywhere. USM Anywhere users can subscribe to OTX threat data and use it directly for correlation with any connected data source. Whether integrated directly with USM Anywhere or synchronized with your other security products through the OTX DirectConnect API, emerging threat data from OTX can help your team keep up with the ever-changing threat landscape. According to Christian B. Caldarone, Information Security Officer at Deutsche Post Dialog Solutions GmbH, "AlienVault USM is very effective in detecting real security threats, as their OTX integrated threat intelligence has a very good reputation in the industry. Thanks to its being open to others too, other heavyweight champions like the Bro security monitor can integrate the OTX feed too (yes and this is done by many security people out there). This says more than words." Additional Resources: Read the OTX Trends Report for 2018 Q1 and Q2 Join the AlienVault Open Threat Exchange today New! Free Threat Hunting Service from AlienVault – OTX Endpoint Security™ Learn more about threat intelligence in USM Anywhere Take USM Anywhere for a test drive in the online demo       

Le 2018-10-30


  Alien Vault - Spicing up the MSSP World
We love conducting  surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better. So, while we were at SpiceWorld in Austin this year, we sought to capture thoughts on outsourcing security. Of the attendees, 380 participated in our survey to bring us the following insights. How Much is Outsourced? The first question was to establish a baseline as to how current security operations programs are currently sourced. A majority, at 60 percent, run security operations completely in-house. On the other side of the spectrum, a shade under 5 percent of participants’ companies completely outsource security operations. The remaining participants outsource some aspects of their security operations with most keeping the majority of functions in-house. Attitudes Towards Outsourcing The question that then arises is how participants felt about outsourcing security operations as a whole. Just over a quarter, 26 percent, believed that security should never be outsourced. However, 41 percent believed that security operations should be outsourced as much as possible, as long as the service provider is good. Perhaps the key point here is the caveat being the quality of the service provider. Companies looking to outsource any aspect of its security operations should vet potential providers and assured  that the provider is fulfilling its part of the deal. Gaining that assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long it takes for the provider to notice. Alternatively, at the risk of sounding like Jeremiah Grossman, the right incentives are needed here. Be that in the form of the vendor providing some warranty, or even insurance. Another aspect which we did not go into were some of the drivers that lead to companies outsourcing. The skills gap is an important discussion point. Many companies don’t have the right staff, or the right number of staff internally to fulfill the increasing needs. According to the 2018 (ISC)2 Cybersecurity Workforce Study, there is a shortage of nearly 3 million  cybersecurity professionals. Another factor could be that many security operations tools, technologies, and processes have become increasingly standardised over the years. This standardisation allows companies to outsource certain aspects of security operations in a relatively commoditised manner. Budgets In an attempt to get an indication as to the direction the market is heading, we sought to understand budgets and future spending trends. The majority of participants believe that the return on investment is justified when outsourcing security. This should not be surprising for most security operations tasks that have good economies of scale.  Furthermore, both in-house and outsourced security operations budgets are largely looking to increase. For in house-security operations, 33 percent reported a planned increase in budget over the coming year, and 25 percent are looking to spend more on outsourcing security operations.   Conclusion In a short survey with a limited audience set, it is difficult to draw hard and definitive conclusions, but it does provide some good indicators that are worth exploring. Compared to a few years ago, there appears to be greater acceptance and adoption of managed security partners to handle security operations. This trend looks to increase with a combination of factors including a skills shortage, standardisation of security operations technologies and processes, and an increased level of confidence in the services and monetary value offered by service providers.       

Le 2018-10-29


  Alien Vault - Things I Hearted this Week, 26th October 2018
Wordpress Wants to Erase its Past I was just flexing my clickbait title muscles with the heading here. But according to a talk at DerbyCon, the WordPress security team stated its biggest battle is not against hackers but its own users, millions of which continue to run sites on older versions of the CMS, and who regularly fail to apply updates to the CMS core, plugins, or themes. WordPress team working on "wiping older versions from existence on the internet" | ZDNet The Penalties Keep Rolling in Looks like the regulators have recently seen the Arnie classic, Pumping Iron, as they flex their muscles to penalise companies for lax security. First up, supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potential hefty class action pay-out. Morrisons Loses Insider Breach Liability Appeal | InfoSecurity Magazine In other news, Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal. The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place. The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May. Facebook fined £500,000 for Cambridge Analytica scandal | BBC Breaches at 32,000 feet Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry. Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare | The Register British Airways still encountering turbulence following its hack in September has revealed a further 185,000 customer details could have been compromised! British Airways reveals a further 185,000 users affected in September data hack | City AM Fool Me Once Children’s Hospital of Philadelphia has reported two data breaches that occurred in August and September of 2018. The hospital on August 24 discovered that hacker had accessed a physician’s email account on August 23 via a phishing attack. A second breach found on September 6 revealed unauthorized access to an additional email account on August 29. Children’s Hospital of Philadelphia victimized twice by phishing attacks | Health Data Management Some Notes for Journalists About Cybersecurity The recent Bloomberg article about Chinese hacking motherboards is a great opportunity to talk about problems with journalism. Journalism is about telling the truth, not a close approximation of the truth,  but the true truth. They don't do a good job at this in cybersecurity. Some notes for journalists about cybersecurity | Errata Security CVE-2018–8414: A Case Study in Responsible Disclosure Vulnerability management and responsible disclosure can be a tricky tightrope to walk at times. But this writeup by Matt Nelson on the process he recently went through is really insightful. CVE-2018–8414: A Case Study in Responsible Disclosure | Medium, Matt Nelson What Does it Take to be a CISO? How do people working in a Chief Information Security Officer (CISO) position or its equivalent view cybersecurity? Which problems do they face? To learn the answers to those questions, Kaspersky Lab surveyed 250 security directors from around the world. What it takes to be a CISO: Success and leadership in corporate IT security | Kaspersky The Hunting Cycle and Measuring Success This is an older article I came across, but the principles are worthwhile going over again. The Hunting Cycle and Measuring Success | Finding Bad Other Things I Liked This Week The Wildly Unregulated Practice of Undercover Cops Friending People on Facebook | The Root Compassionate—Yet Candid—Code Reviews | YouTube, April Wensel       

Le 2018-10-26


  Alien Vault - Why Spending More On Security Isn‘t The Answer
Volume 8 of the AT&T Cyber Insights report looked into whether organizations who are investing more in cybersecurity are achieving better outcomes than those who aren’t. The outcome of the research was a resounding no. On the surface, this may seem counter-productive. After all, how many CISO’s have you ever heard complain about having too much security? However, if we look at the trend as an inverted U, or the law of diminishing returns, when you overdo something, you eventually stop seeing benefits, and may even see losses. Getting the Porridge just Right Much like Goldilocks, the question that arises is how much security is just right? Former Director of the Enterprise Security Practice at 451 Research, Wendy Nather, wanted to establish The Real Cost of Security. In her research,  security professionals provided a wide range of responses as to what security technologies are needed, with the majority of the respondents being able to trim down their list to around 10. The pricing of these 10 technologies varied greatly depending on a number of factors such as vendor, mode of deployment, whether it was open source, and so on - the price range varied anywhere from $225,000 to $1.46m in the first year, including technology and staff. Expense in Depth For many companies, especially those with small or mid-sized security teams, managing 10 or more individual security products can be challenging. Former Forrester analyst Rick Holland coined the phrase ‘expense in depth’. That is where many companies will use the defense in depth concept to justify the need for more security products. The problem with this approach is that it can lead to buying too many technologies which don’t complement each other, which inevitably results in a multi-layered approach that provides minimal return on investment. This leads us to a bit of an impasse. A variety of security controls are needed to provide adequate coverage. But too many security products lead to an increase in expense not just to procure, but to manage, which can lead to security shelfware. More Capability in Fewer Products In order to avoid some of these pitfalls, companies, especially ones with small to mid-sized security teams, should look to invest in fewer products that offer greater functionality. The good news is that many security technologies have become standardised and no longer need to be acquired or deployed individually. For example, vulnerability scanning is largely a standardised function. While some scanners may perform better than others - by and large, you can point it to your assets and receive an expected output. So, the question companies should ask, what benefits are being gained by running vulnerability scanning as a separate service with a standalone technology? Compare this to a platform which offers several security functions of which vulnerability scanning is one. The same could be said for anti-virus, or IDS, or SIEM’s. The value in running any of these as dedicated standalone services is diminishing. Take the example of your smartphone. It has replaced many devices such as a pager, phone, camera, even a flashlight, into one device. One could argue that a standalone dedicated camera, or flashlight is a superior product, which may be true, but it comes with the overhead of additional batteries, and carrying those devices around. Getting a Helping Hand In addition to reducing the number of disparate security products, companies can also take advantage of managed security providers that can complement their teams’ security capabilities. This can be a good approach to offload non-critical monitoring tasks, so that the in-house security team can focus solely on protecting the crown jewels within the organisation. One of the additional benefits of this approach is that it takes the process of choosing the right technology away, too. The MSSP will monitor logs and alert you if there is something that warrants further investigation. Think of it like your energy provider. You may not know how your provider is generating electricity, maybe it’s burning coal, or using wind-farms, solar energy, or some other option, the end result is the same - you receive a consistent supply of electricity coming into your home. Insurance The third leg of the stool could be cyber insurance. This is perhaps of more importance for smaller companies wanting to do business with large enterprises which may insist on cyber insurance in the event of an incident or a breach. As companies rely more and more on their digital infrastructure, any disruption has greater impact on the bottom line. Ransomware can grind businesses to a halt, and leak of sensitive documents can have far-reaching consequences such as damaging critical business relationships. Managing the Risk Ultimately, cybersecurity boils down to managing risk. As Todd Waskelis, AVP at AT&T cybersecurity solutions said, “It’s not about the number of dollars an organisation spends that leads to them reducing risk. It’s whether you have approached this from a business perspective and you have a risk management program that will not go stale.” Having a business-focused risk management plan doesn’t mean having all of the best security technologies in place. Sometimes it means having enough of the right security technologies in place, having the right partners, and even transferring some of the risk via cyber insurance. Considerations for your security strategy: Consolidate your security tools Outsource functions to an MSSP Offshore some risks via Cyber-insurance       

Le 2018-10-24


  Alien Vault - How to Defend Your IoT Devices from IoT Botnets
The Internet of Things (IoT) is changing how the world works. Machine to machine (M2M) communication simply makes for faster, more timely, and transparent connections, thereby saving us a lot of time and money. This means that your doctor no longer has to wait a few hours to receive your heart monitor readings when it automatically transmits such information to your doctor’s computer or tablet. It’s much easier for manufacturers and retailers to keep track of inventory when they receive real-time updates on remaining supplies. At home, you’ll never forget to write something on your shopping list when your smart refrigerator updates that list for you.   In the hands of the right people, the IoT has great potential to improve quality of life. But some people have found a way to exploit the IoT for their own gain. They do this through the IoT botnet. What is an IoT botnet? To answer this, we first have to define what the IoT and botnet are. The IoT is simply the wireless interconnection of devices (things) through the Internet. It basically means that devices such as phones, refrigerators, and heart monitors have a “switch” that lets them connect to the Internet. On the other hand, a botnet is simply a network of computers infected with malicious software and controlled as a group without the owners' knowledge. These computers are then used to perform tasks like sending spam emails. Now, if we put those two together, we’ll have a network of computers and other devices (things) connected through the Internet infected with malicious software being controlled without the owners’ knowledge. An IoT botnet is, therefore, much more intrusive and dangerous than a regular botnet. An example of IoT botnet attacks includes the large botnet network discovered when a fridge was caught spreading spam emails. Another example was Mirai botnet which was used to perform DDoS attacks on French hosting firm OVH. A final example involved the enslavement of 18,000 Huawei devices in one day! So, how can you defend your IoT devices from an IoT botnet? Well, I’ve got some bad news and good news for you. The bad news: IoT devices and cybersecurity aren’t necessarily a match made in heaven. This is because IoT devices are designed to be open to the Internet (and, therefore, to anyone who can access their connection). The good news: you can improve your IoT devices’ security yourself by trying the following steps. 1. Do your research Before you buy any IoT device for your home or company, do a little digging online. See if your prospective purchase has built-in security features. Look for any exploits and vulnerabilities that may become concerns in the future. Don’t just rely on the product’s Official Site. Trawl through forums (like Reddit) for user reviews on the product. These reviews come with invaluable information from first-hand users. 2. Change default passwords into strong ones Another way you can secure your IoT device is by making sure you’re the one managing and controlling it. You should retain the power to activate and deactivate your device as well as deciding when your device goes on and offline. The manufacturer should be prevented from operating the device without your authorization. This means retaining proper user identification and authorization by changing your IoT device’s default password. Doing this prevents just anyone (whether manufacturer or hacker) from taking over as the device administrator. Finally, practice strong password habits. This involves not only formulating long phrases but also sprinkling in upper case letters, numbers, and symbols (if allowed). You can also use a password generator to make strong passwords for you. Strong passwords ensure that your IoT devices are well-protected from Brute Force attacks. Also, consider changing your IoT devices’ passwords on a regular basis to make sure no one ever gets a bead on them. 3. Separate your IoT device network You may want to create a separate network solely for your IoT devices. This prevents attackers from gaining access to all the data-filled devices on the same network. Use a third-party firewall or other intrusion prevention system. A firewall prevents unwanted data from entering your network if no request from any of your connected devices was made for that unwanted data. Utilize your router’s built-in security features to gain first-line protection for all the devices in that network. 4. Disable unused features These unused features, like Universal Plug and Play (UPnP), make it easier to connect with other players on the Internet when you game on your console. The problem is hackers from outside your network can detect your devices by exploiting certain vulnerabilities in the protocol. This is why you should turn off these features when not in use. 5. Use comprehensive security software You may notice a commonality when inspecting botnet attacks -- they often exploit vulnerabilities in devices relying on default software. While your IoT devices might come with built-in security right out of the box, these default security features are often weaker compared to third-party security software. One software your home or enterprise should never be without is a VPN. Simply put, a VPN works to protect your IoT devices from botnet in two ways: It hides your true IP address which makes it harder for hackers to target your IoT devices. It encrypts your online data thereby preventing anyone who has actually infiltrated your network reading and utilizing your data stream. While it may be impossible to secure every single IoT device you have with a VPN (since some devices simply aren’t compatible with a VPN), there is a way around this problem: install a VPN on your router. That way, all the devices connected to your router gains the protection offered by the VPN. Do note that you’ll have to get the best VPN services you can afford and avoid free VPNs as some of them have been known to sell users’ spare bandwidth which resulted in these bandwidths being used for a botnet.  6. Keep your device’s software, hardware, and firmware up to date This may be old news but there’s a reason it’s repeated. This is because updates for a manufacturer’s product often includes security updates that they just discovered. Hackers will often make attacks during the time between the release of these security updates and when users actually update their device. If you don’t install updates when they become available, you’re inadvertently running the risk of having your device being targeted for an attack. Securing your IoT devices relies mainly on your own actions The current environment makes defending the IoT against botnet a personal task for each user in the absence of further developments on the issue. Users have to take some time getting to know the manufacturer of the IoT devices they want to purchase. Separating IoT devices and computers into different networks can help prevent a catastrophic compromise of the whole network in case one device is infected by botnet malware. Disabling unused features also help prevent such devices from being found by hackers outside the network. Built-in default settings and security features have to be changed and bolstered with third-party security software that provides added layers of protection. And remember to immediately install updates when they become available ensures that all hardware, software, and firmware remain air-tight in their defenses.       

Le 2018-10-24


  Alien Vault - Things I Hearted this Week, 19th October 2018
It’s been another eventful week in the world of cyber security. So let’s just jump right into it. NCSC has Been Busy NCSC collaborated with Australia, Canada, New Zealand, UK, and the USA to give us a report that highlights which publicly-available tools criminals are using to aid their cyber crimes. Joint report on publicly available hacking tools | NCSC The agency also commented on how it keeps criminals at bay by stopping on average 10 attacks on the government per week. NCSC also published its Annual Review 2018 - the story of the second year of operations at the National Cyber Security Centre. Targeting Crypto Currencies It is estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from Lazarus state-sponsored group, including the infamous attack on Japanese crypto exchange Coincheck, when $534 million in crypto was stolen. Targeted attacks on crypto exchanges resulted in a loss of $882 million | HelpNet Security Twitter Publishes Data on Iranian and Russian Troll Farms In an attempt to try and be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset which includes attempted manipulation, including malicious automated accounts and spam. In other words it’s attempting to out - Iranian and Russian troll farms. Twitter’s focus is on a healthy public conversation | Twitter In light of this, it’s worth also revisiting this article by Mustafa Al-Bassam in which he researched UK intelligence doing the same thing targeting civilians in Iran. British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents | Motherboard Equifax Engineer Sentenced An Equifax engineer gets eight months for earning $75,000 from insider trading. He figured out he was building a web portal for a breach involving Equifax, which turned out to be the 2017 breach, and so decided to ride the stock drop. Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet Mind the Skills Gap (ISC)2 has released its 2018 global cyber security workforce study and it looks like the cyber security skills gap has widened to 3 million. It’s worth bearing in mind that estimating the skills gap isn’t an easy task. You have to look into the types of organisations, the tools in place, the risk appetite, economic, political, environmental factors, a whole bunch of things. You need a pretty deep methodology (don’t get me started on survey methodologies) to accurately assess the skills gap - so, a survey of 1500 individuals won’t necessarily be completely accurate, but serves as a good discussion point to start from. Global cyber security skills gap widens to three million | IT PRo Cybersecurity workforce study 2018 | (ISC)2 On the topic of the skills gap, there are plenty of free resources for learning available these days. Check out this awesome list: 190 Universities just launched 600 Free Online Courses. Here’s the full list | Medium / Dhawal Shah GitHub Announcements When Microsoft acquired GitHub, many speculated this was the end of the site. However, on the contrary, a series of new features and enhancements shows GitHub ploughing forward in leaps and bounds. Future of Software: Developers at the center of the universe | GitHub California to Change State Law for Connected Devices In a bid to strengthen cyber security, California passed a state law requiring all manufacturers of internet connected devices to improve their security features. By 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programed password or an enforced user authentication process as part of the set up. Default passwords such as ‘password’ or ‘default’ will be deemed weak and in breach of the state law. A great initiative, but part of me feels like it’s a bit premature. California just became the first state with an Internet of Things cybersecurity law | The Verge Why tech companies need to reinvent themselves every three to four years Former Cisco CEO John Chambers says doing the same thing, even if it’s the “right thing,” for too long is dangerous. Why tech companies need to reinvent themselves every three to four years | Recode The CumEx Files investigation Finally, a long, but fascinating read into a huge, months-long investigation that involved the cooperation of dozens of international partners to uncover how some of the wealthiest have swindled European taxpayers of billions. The CumEx files | cumex files       

Le 2018-10-24


  Alien Vault - AT&T Business Summit 2018 - First Impressions and Recap
From the 25th to the 28th of September 2018, I had the opportunity to attend the AT&T Business Summit in Dallas. I walked away with a whole new perspective on AT&T business, what a conference could be like, and the Dallas Cowboys. The Future is Here The show floor at the summit was small when compared to some of the mega-conferences like RSA. But what it lacked in volume, it more than made up for in quality and variety of technologies.on display across different industry verticals. There were robots that could fold your laundry, or take you on an augmented reality tour of a factory. We were even introduced to “Pepper” a cute interactive robot. Pepper's a fan of @gwenstefani, too! Check out those dance moves. #ATTBizSummit @ATTBusiness pic.twitter.com/MX5ntUsrj2 — Sarita Rao (@saritasayso) September 27, 2018 There were a lot of other embedded technologies on display, like portable medical devices, which can be operated by anyone to provide details to a doctor. Or, IoT technology embedded within trucks that can send a whole host of data to allow effective fleet management. Some of the broad themes from the technology were on display, and the topics discussed on stage included IoT, smart cities, 5G, and software defining of most things. Day 1 Video Recap Hitting High Notes with the Keynotes Showcasing technology aside, conferences can be defined by the quality of speakers and talks that are given. AT&T Business did not disappoint, with some great discussions and presentations by the likes of Malcolm Gladwell, Anderson Cooper, Thaddeus Arroyo, Barmak Meftah, Queen Latifah, Reese Witherspoon, and Tony Blair, to name a few. Power panel - Anderson Cooper, Doug Parker, Meg Whitman, Thaddeus Arroyo...Disruption is Coming for EVERYONE! #ATTBizSummit #transformation pic.twitter.com/SM9lu0xxkG — Anne Chow (@TheAnneChow) November 1, 2017 “Security isn’t a technology problem. We need to view security as a business problem” Barmak Meftah, President AT&T Cybersecurity Solutions & CEO @alienvault #AttBizSummit @ATTBusiness pic.twitter.com/8IwA6QFQ3g — Susan Torrey (@smtorrey) September 26, 2018 A brief history of the ATM per @Gladwell. 30 years to mass adoption! #banking #fintech #ATTBizSummit pic.twitter.com/g0qFieGt1o — Evan Kirstel at @InterSystems #GlobalSummit18 (@evankirstel) September 27, 2018 Tip of the day. Even when things get rough Queen Latifah’s advice is to make time for yourself. @IAMQUEENLATIFAH #ATTBizSummit #IoT #WomeninTech #EmergingTech #cybersecurity #SDN #Healthcare #5G #ATTInfluencer pic.twitter.com/kEGnOfjYjf — Peggy Smedley (@ConnectedWMag) September 28, 2018 "It's incumbent on us as business leaders to do better." "We're 50% of the population, we should be there 50% of the time." Reese Witherspoon at the #ATTBizSummit #WomenInTech pic.twitter.com/BHKyxW1KXX — Kayne McGladrey has been to the UK (@kaynemcgladrey) September 27, 2018 Just because the keynotes were great and featured celebrities, it doesn’t mean the other talks were any less impactful. Some talks that particularly stuck out in my mind included a panel with Kayne Mcgladrey and Derek Scheid who discussed what the future of the SOC (Security Operations Centre) looks like and what companies should do. A particular quote that stuck out for me from the discussion was around the importance of an actual action plan, and how companies can sometimes get fixated on pulling in all the information they can without much thought as to what would happen next. I believe it was Derek who said, “You shouldn't be proud of what you know. You should be proud of what you do.” I was also invited to moderate a panel entitled “The best way to predict the future is to invent it”. It featured AlienVault CTO Roger Thornton, Chief Scientist Jaime Blasco, Terra Verde’s Ed Vasko, and Looker CSO Ryan Gurney. Lively panel discussion w @alienvault’s @J4vv4D @jaimeblascob & CTO Roger Thornton, MSSP Ed Vasko @ Terra Verde and USM customer Ryan Gurney @ Looker “the best way to predict the future is to invent it.” pic.twitter.com/NGwgar38DL — Susan Torrey (@smtorrey) September 27, 2018 It was a great panel from where I learnt a lot. Ryan, in particular, had some great anecdotes on being the CSO. Recalling that when he joined his current job, he had no office, so had to make do by sitting at a desk in the hallway. The benefit of which he claims is that he was ableto meet and know nearly all the staff as they had to walk by him. He believes that knowing staff and understanding them is the key to good security within a company. Day 2 Video Recap Alien Invasion AlienVault was fully embraced and welcomed with open arms at the summit. I certainly made a few new friends, and there was no shortage of attendees sporting flashing green AlienVault sunglasses, or Alien masks. However, perhaps the biggest achievements in the battle to win the hearts and minds, were at the concerts, where Billy Idol, and Gwen Stefani both donned the AlienVault sunglasses. If that isn’t the sign of a hugely successful event… then I don’t know what is.       

Le 2018-10-24


  Alien Vault - Security Travel Tips
In honor of NCSAM, we decided to ask the Twitter community for security travel tips, to help us be more safe when travelling. Here's the original Tweet: Want some AlienVault swag? Send us your top tip for #security while traveling by October 8 for potential inclusion in an upcoming blog. Of the tips we include in the blog, we’ll randomly select 3 people to win an AlienVault swag bag! #securityawareness @J4vv4D @securitybrew pic.twitter.com/1XvzKnMbMv — AlienVault, an AT&T company (@alienvault) October 3, 2018 We got some neat answers.  1. Use a screen protector on an airplane or while working in public 2. Buy Freeze Fraud bags to store your laptop in while out of your hotel room. Tamper evident bags give you peace of mind your hardware hasn't been tampered with. — Jake Williams (@MalwareJake) October 4, 2018 For the love of everything confidential: privacy screens for phone, tablet, phablet, laptop, etc! Flights to DC make for the best shoulder surfing! — Glenn it's S��CTOBER �� (@NTKramer) October 4, 2018 Know your threat model. Not everyone needs a burner phone, burner laptop, and 7 proxies. Know the trust boundaries, and mitigate the issues that make sense for you. — Willa (@willasaywhat) October 4, 2018 Dont do work. Your work existed before you and wont end cuz you disapeared for a week or less. Smart companies and CEOs always have backup for critical employees. No matter how secure you can try to be... if you are targeted they will get you while you are traveling. — 9656B73F0889AC044EB47F452C059A6C (@SGFja2Vy) October 4, 2018 Avoid beig an obvious target by studying the area well enough to not need a map upon arrival. Carry the bare minimum hardware & files - if a device is lost/stolen/damaged, better for it to be a stripped down chromebook than your main PC. — Josh Gibbs (@quizzicaljosh) October 4, 2018 dedicated travel phone, vpn, and don't eat at restaurants that aren't busy — Space Force Panda (@TrashPandaFTW) October 4, 2018 Use an EVDO solution along with VPN such as a Verizon USB 4G LTE device and VPN. This prevents the unencrypted WiFi traffic to a hotspot AP and also encrypts your 4G LtE traffic. While you can use a hotspot and vpn, your initial traffic over that hotspot is all unencrypted. — John Alves (@CyberLowdown) October 4, 2018 Do not download sensitive information in a hotel business center. — lazyMalware (@LazyMalware) October 4, 2018 And there was a technology to investigate: Keezel — EmmaB247 (@EmmaB247) October 4, 2018 Stay safer while travelling! Thanks for all the suggestions from the Twitter community.        

Le 2018-10-24


  Alien Vault - Things I Hearted this Week, 12th October 2018
What is a Vulnerability? The part that most people don’t seem to understand enough is that an attack only matters if something is at stake. A transaction of some sort needs to occur, otherwise it doesn’t matter if someone performs the particular attack against you. When is a vulnerability not a vulnerability? | Medium, Tanya Janca An Analysis of CVE-2018-0824 While we’re on the topic of vulnerabilities, I’ve said it before, but one of the best things that has come out from bug bounty programs is the writeups that sometimes follow which detail the thought process and the steps taken. Similarly, it’s always insightful to see when security researchers not only create an exploit, but also spend some time analysing its patch and writing up how it works. Marshalling to SYSTEM - An analysis of CVE-2018-0824 | Code White Sec Visualising Your Threat Models Do you struggle finding the right tool for threat model diagramming? Well, this may be the one for you, if your requirements match the ones of Michael where the app had to: Support DFD and attack trees Enjoyable and easy to us Free and cross platform Not web or ‘cloud’ based Draw.IO for threat modeling | Michael Riksen Brutal Blogging: Go for the Jugular Ever wondered whether you should get into blogging? Ever started to write a blog but run out of ideas? Ever wonder why your blog post gets no love? Well, fear not, because Kate Brew brings to you all these answers and more in her great DerbyCon 2018 talk Brutal blogging: Go for the jugular | Youtube Blockchain Eating its Greens? Walmart Inc., in a letter to be issued Monday to suppliers, will require its direct suppliers of lettuce, spinach and other greens to join its food-tracking blockchain by Jan. 31. The retailer also will mandate that farmers, logistics firms and business partners of these suppliers join the blockchain by Sept. 30, 2019. Walmart Requires Lettuce, Spinach Suppliers to Join Blockchain | Wall Street Journal Do you Know What You’re Building? Across the technology industry, rank-and-file employees are demanding greater insight into how their companies are deploying the technology that they built. At Google, Amazon, Microsoft and Salesforce, as well as at tech start-ups, engineers and technologists are increasingly asking whether the products they are working on are being used for surveillance in places like China or for military projects in the United States or elsewhere. Tech Workers Now Want to Know: What Are We Building This For? | The New York Times Why Logic Errors Are So Hard to Catch The fact that a relatively simple flaw allowed an anonymous hacker to compromise 50 million Facebook accounts serves as a powerful reminder: When hackers, professional or amateur, find business logic errors, as defined by CWE 840, the exploitation can be incredibly damaging. The worst part is that finding logic errors can't be solved with automated tools alone. The best advice on how to avoid logic errors comes from Aristotle: "Knowing yourself is the beginning of all wisdom." Lessons Learned from the Facebook Breach: Why Logic Errors Are So Hard to Catch | Dark Reading What NOT to do When Researchers Notify you of a Breach A  short but useful reminder what not to do when a researcher tries to contact you about a potential security issue. TL;DR - try to be nice. What NOT to do when researchers notify you of a breach | Cyberwar news Argos Doesn’t Take Care of IT What happens when scammers target the wrong company? More specifically what happens when a social engineer tries to scam a company named, ‘the anti-social engineer’? Argos Doesn’t Take Care of IT | The antisocial engineer Amazon AI Scrapped for Being Biased Against Women Apparently Amazon has scrapped an internal project that was trying to use AI to vet jobs after the software consistently downgraded female candidates. I don’t know, sounds like a case of shooting the messenger. What about the developers? Surely the AI inherited the biases from somewhere. Simply scrapping the AI won’t necessarily fix the issue. Amazon reportedly scraps internal AI recruiting tool that was biased against women | The Verge Random Stories I Enjoyed This Week How New York City Tells the Story of Its Open Data Work | Gov tech America Is Losing Its Edge for Startups | CityLab The battle for the Home | Stratechery       

Le 2018-10-24


  Alien Vault - AlienVault Product Roundup ? the Latest Updates!
September was another busy month for product development at AlienVault, an AT&T Company.  We are excited that the AlienVault Agent is getting great traction with our USM Anywhere user base, and we are continuing to add feature enhancements to the Agent. You can keep up with all of our regular product releases by reading the release notes in the AlienVault Product Forum. Here are the highlights from our September releases.ea Enhancements to the AlienVault Agent! Coming off the successful introduction of the USM Anywhere EDR functionality enabled by the AlienVault Agent, we are excited to announce more improvements to the Agent.  The feedback from our users on the Agent has been great thus far, and in September we added more filtering capabilities, designed to give users more control over what types of data the agent is collecting.  You can now apply regular filtering rules to Agent events, giving you the flexibility you need over what data you collect.  We will continue to add feature enhancements to the Agent in the coming months.   The USM Anywhere API is here! Following up to our API release in USM Central, which has been very popular with our MSSPs, we are happy to announce the introduction of the API in USM Anywhere.  Available for Standard and Premium Edition customers of USM Anywhere, you can now extract alarms and events from USM Anywhere to help you with independent workflows.  This is the first major step towards a full set of API functionality build out in USM Anywhere. Enhancements to the AlienApp for ConnectWise Building on its initial release, the AlienApp for ConnectWise now works with on premises deployments of ConnectWise Manage. Service management teams that use on premises deployments of ConnectWise Manage can now leverage automated service ticket creation from USM Anywhere for alarms and vulnerabilities, as well as the synchronization of asset information. Defects and Optimizing the UX In addition to these new capabilities, the team has rolled out enhancements to the user interface and has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details. USM Central Highlights Following on the introduction of the API in August, we are pleased to announce the availability of additional API endpoints that allow customers and partners to retrieve vulnerabilities, deployment information, and configuration issues for connected USM Anywhere instances.  This continues the build out of the USM Central API, and stay tuned as we continue to add more API endpoints in the coming months. Threat Intelligence Highlights It’s been a typically active month for the AlienVault Labs Security Research team, curating the threat intelligence for USM as well as writing content on new & emerging threats.  As a reminder, USM receives continuously updated correlation rules and endpoint queries to detect & respond not only the latest signatures but also higher-level attack tools, tactics, and procedures – all curated by the human intelligence of the AlienVault Labs Security Research Team, bolstered by AlienVault’s machine intelligence. The AlienVault Labs team publishes a weekly threat intelligence newsletter, keeping you informed of the threats they are researching and delivering as actionable threat intelligence automatically to the USM platform. Read the AlienVault Threat Intelligence newsletters here. In addition, here are some recent blogs from the Labs Team, which highlights their recent research: Malware Analysis using Osquery Part 2 Off-the-shelf RATs Targeting Pakistan Malware Analysis using Osquery Part 1       

Le 2018-10-24


  Alien Vault - Time to Cover your Selfie Camera
I am reading an excellent book named “Cringeworthy:  A Theory of Awkardness”, which examines exactly as the title describes, awkward situations and how to deal with them.  I love reading non-fiction books that are not InfoSec related.  There is so much to learn out there about so many topics.  Sometimes, however, I am led back to my InfoSec passion (or, perhaps it’s an illness). In the book, author Melissa Dahl mentions two companies that are working on some fascinating software that can read human emotions via facial expressions.  This is a compelling development in technology, reaching beyond facial recognition. Facial recognition, you may recall has had some of its own challenges to overcome. Of course, emotional recognition software would not be useful for authentication, as there are only seven emotions.  To review, they are happiness, sadness, fear, anger, surprise, contempt, and disgust.  As you read this, are your inner InfoSec senses perking up?  They should be. Part of the way that emotions can be identified are through micro expressions. Micro expressions detect subtle changes in a face, but they happen so fast that it requires specialized training for the human eye to detect them.  Those trained in micro expression recognition can detect, along with the seven emotions, other traits, such as a person’s level of deception.  While there are not many folks trained in micro expression recognition, a computer may be programmed to respond with alarming accuracy and speed.  Rather than thinking that computerized emotion recognition could be used in a court of law (probably inadmissible as evidence, much like a polygraph), or during an interrogation (also of questionable usefulness), think of the economics of the technology. One way in which this new technology may be used is to gauge a person’s response when viewing something on the screen.  Using this technology, an advertiser could change what is presented based on the person’s response.  You seemed to retreat a bit when you were shown the large automobile.  Let’s pop an advertisement of the fuel-efficient hybrid.  You enjoyed the flowers that popped up on your birthday? Let’s pop some chocolate onto the screen with a savings coupon. The privacy concerns of such a technology have led me to place a piece of electrical tape over the front-facing camera on my phone.  I was never a big selfie person to begin with, and this technology is certainly enough to cure me of any urge to have that camera exposed.  Remember, the camera and microphone on your electronic devices are software controlled, so unless you carefully examined that end user license agreement, you may have already given camera control over to one of your applications.  Like many others, I have had my laptop camera covered for years. When we think about how our emotions may be manipulated by these powerful little handheld devices, it becomes a scarier proposition that our emotions can be interpreted as we look at the screen. Does this technology have a place in society?  Perhaps it could be used in a hospital emergency room to expedite triage of the most severely ill or injured, or perhaps it can be used for training exercises for law enforcement to determine the level of an individual’s anger during a sensitive interpersonal exchange? My cynical side, however, is more certain that this technology will be used merely to boost sales of the corporations who use it.  There are definitely beneficial uses for this technology, although, if my camera were uncovered right now, the software could only interpret my expression as a mix of sadness and contempt.       

Le 2018-10-24


  Alien Vault - 5 Steps to Maximize Your Financial Data Protection
A series of high-profile data breaches in 2017 made it clear that it's becoming more difficult to protect your and your customer's sensitive information from nefarious agents. As businesses expand, they develop and implement security policies that help protect their sensitive information from outsiders. Still, business growth means more computers, more laptops and more mobile phones—and more network endpoints means more security vulnerabilities and more opportunities for a small oversight to turn into a major data breach. Financial data breaches can spell disaster, especially for small businesses that have fewer resources to allocate toward proactive security measures and fraud prevention. To help out, we've outlined five steps that you can take to maximize your financial data protection in 2018. Take Inventory of Your Sensitive Financial Data The first step to effective financial data protection is to identify the data that is more important to protect. Your full assessment should answer the following questions: What data do I need to secure? What computers, servers, laptops, networks, or other devices is the information stored on? What devices can be used to access the data? What roles/titles will have permission to view the data? The best way to start enhancing data security is by restricting access. Isolate or segregate the data onto the fewest number of devices possible, and make it accessible to the fewest number of people. Conduct thorough background checks and ask for references when hiring employees that will come into contact with financial data. Implement Effective Password Controls Passwords are an important security measure used to prevent unauthorized users from accessing company laptops, e-mail accounts and other resources that could contain sensitive financial information. Password controls are a set of imposed guidelines for how your staff should set up the passwords that they use to access your sensitive data. Typical password controls include: Ensuring that passwords are long enough and that they contain a mixture of upper and lower-case letters, numbers and symbols. As passwords get longer, they become exponentially harder to hack by brute force. Hackers use all kinds of tricks to try and guess passwords—writing software that guesses dictionary words or combinations of words from the dictionary, or that guesses birth dates formatted in different ways. Passwords should be 10-12 characters long. Ensuring that passwords are changed on a regular basis, at least every 90 days for passwords used to access sensitive financial data. Ensuring that each individual user is assigned one username and password, and that login credentials are never shared. Protect Your Network with a Firewall Companies storing and transmitting financial data on an internal network should implement a firewall. A firewall is a hardware or software security device that monitors all incoming and outgoing network traffic and uses predefined security guidelines to determine whether it should be allowed or blocked. Firewalls establish a barrier between your trusted internal network and unauthorized external actors that might try to access or attack it. You may want to hire a cyber security expert who can help customize your firewall to your unique circumstances and advise you on how to address other potential network security threats. Look Out for Phishing Scams Sometimes, fraudsters don't have to gain access to your systems using technological means to attack your company financially. E-mail phishing scams can fool your unsuspecting employees in the worst ways—entering their login information into a fake portal, or opening a malicious program that steals sensitive information from their inbox, copies their contact list, and forwards malicious e-mails to others. Employees need to be educated about the most current fraud and phishing scams and how to avoid them. They should be instructed only to access sensitive data from a secured network, using their company device, and only through the prescribed channels—never by clicking a link in a newly received e-mail. Employees should never open unexpected e-mail attachments, and should report all suspicious e-mails to the company's IT department. Use Data Encryption Encryption is the translation of stored data into a secret code, ensuring that only someone with the encryption key can decrypt the data and use it for its intended purpose. Encrypting stored data acts as an insurance policy in case the data is ever lost or stolen. If a hacker or thief gets their hands on properly encrypted data, chances are they still won't be able to access any meaningful information that can be used to harm you, your company, or your customers. You can also use encryption to reduce the vulnerability of network endpoints like computers and mobile phones. Mobile phones should be encrypted, and you should be able to wipe them remotely in case one is ever lost or stolen. Encryption can be used to encode the data on a computer hard drive, preventing anyone from reading it who doesn't have access to the encryption key. Summary Organizations can maximize their financial data protection by implementing the right proactive policies and procedures, even without a large investment in security measures. Organizations should start by taking an inventory of their financial data, understanding how it is stored and accessed, and restricting that access exclusively to those who need it. Implementing stringent password controls and investing in network security devices like a firewall can significantly reduce the risk of a data breach. Further, employees should be trained to avoid unknown links and e-mail attachments, and report any suspected phishing scams to your IT department. Finally, stored financial data can be further secured through encryption, reducing the likelihood that the data could be used for harm even if it were stolen.       

Le 2018-10-24


  Alien Vault - The Importance of Patch Management
With each passing year, our world becomes more and more digital. Our social interactions and personal data as well as many of our jobs are based primarily on the internet. Although this shift has come with great benefits, it’s also opened us up to a heightened threat of cyber terrorism. 2017 saw some of the most devastating high-profile attacks in history, opening the eyes of business of all sizes to the importance of stronger security. With no end to cybercrime in sight, the best defense is to be better prepared. There are various practices that can be applied to achieve this, and implementing a patch management system is one of them. In its most basic sense, patching is the process of repairing IT system vulnerabilities that are discovered after the infrastructure components have been released on the market. These patches can apply to a variety of system components, including operating systems, servers, routers, desktops, emails, client info, office suites, mobile devices, firewalls and more. Depending on a company’s information system design, the method of patch management may differ slightly. Failure to follow adequate patch management procedures greatly increases the risk of falling victim to a devastating attack. In the second quarter of 2017, we saw a global ransomware hack the systems of over 150 countries and hundreds of organizations all as a result of poor patch management. These unattended vulnerabilities in IT infrastructure open companies up to numerous security challenges, the top five being: Absence of proper coordination of security measures taken by the operations department and the IT department. Inability to keep up with regulatory standards. Failure to develop an automated security channel. Inability to protect systems from malware, DDoS attacks and hacktivism. Failure to upgrade the existing software and applications to improve the system security. Outsourced patch management For many companies, the reason behind their failure to properly patch vulnerabilities is the simple fact that it’s difficult. The process is time-consuming and, depending on the size of a company, there could be numerous vulnerabilities opening simultaneously. Outsourcing patch management to a more qualified company can relieve IT teams of that immense burden and prevent potentially fatal neglect. Additionally, outsourced IT companies have the advantage of economies of scale and can spend the necessary time required for testing updates before updating client systems. Automated patch management Automation is a trending feature in technology this year, including patch management. With this method, a cloud-based automation system is able to regularly scan and apply patches to software and systems of any kind regardless of location. This reduces the need for ongoing management of the patching system itself, meaning even the most limited IT teams can stay up-to-date with security. Furthermore, as automation allows for patches to be applied 24/7, the downloading and installation processes won't disrupt a work day, and the potential for human error while installing patches is removed. Whichever route you choose, the importance of the matter stays the same. While hackers have made it clear they don’t discriminate against company size or industry, preventive measures are necessary for everyone. With a strong patch management system in place, the occurrence of a vulnerability can be immediately rectified by way of consistent monitoring of the system and a patch released at the right time. This quick action plan can make all the difference in protecting yourself from a “Zero Day Attack,” which is an exploit that occurs before a patch is available. Though it may sound like an unlikely occurrence, 85 percent of exploits have had a patch available for more than one year and 74 percent of organizations take 3 months to apply a patch, according to industry leader Mark Hurd. The risk of not recognizing and reporting a vulnerability in time is too great a risk to take. With the imminent risk of cyber-attacks, it’s critical to assemble a plan against the potential vulnerabilities that put your information at risk, particularly with SMBs. Smaller organizations have become increasingly targeted for their tendency to discover security breaches late and because of their generally limited cybersecurity resources. In fact, Small Business Trends reports that the percentage of cyber-attacks targeting small organizations rose from 15 to 43 percent of total attacks between 2011 and 2015. Both automation and outsourcing serve as solid solutions to key concerns companies have about the sheer number of patches required and the manpower needed to support them. Regardless of size or speciality, new technologies are making patch management implementation more cost-effective and simpler for everyone. Make the decision to prevent your potential downfall and organize your patch management plan today.       

Le 2018-10-24


  Alien Vault - People and Passwords
In today's world, the Internet is a vast place filled with websites, services, and other content. Most content along with computers and other technology requires a password. The number of passwords a person has to know continues to grow. While it’s safe to say we use passwords to keep our accounts confidential, they can also be very frustrating and inconvenient to create and remember. The outcome is the use of simple, common passwords, same password on different accounts, and habits such as writing passwords. Weak passwords are common For example, reports from Techspot.com, Fortune.com, and USAToday.com show, that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember.  People will often add weak passwords into simple variations where the alpha and number (numeric) strings combined with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password.  Current practices require complex passwords   Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length, has an uppercase, lowercase, and a number. Take [Football] for example. You can replace the “o” for a “0” and “a” for “@” resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase (F), a lowercase (tball), a number (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those in place, demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize.  There is a problem with difficult passwords People, out of convenience and frustration, will try to circumvent the password policies mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (i.e. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123 and F00tb@ll turns into F00tb@ll123 or F00tb@ll321).  While password expiration policies are arguably a best practice, they are not common outside an enterprise environment. Many websites, such as banks, do not require you to change your password regularly and those that do, might not have a decent policy on repeating passwords. This leads to the same or similar passwords used across accounts. The same password for different accounts is dangerous Research by LastPass states 59% of people use the same password and 47% apply the same even for work. Notably, the reuse of passwords stems from frustration and convenience. Sure, it's easier to remember one password for everything or variations of the base password, but not advised. To clarify, if an account gets compromised, it puts your other accounts at risk.  Using Passphrases is better  We have a hard time remembering many passwords and more so when they have to change often. Similar to starting a different job and learning coworkers' names. Then you find out 60 days later that everybody is being replaced and you now need to remember a different collection of names. It's difficult. For starters, use a passphrase that includes numbers. A passphrase is a password in usage but is longer for added security. For example, 2Cats3DogsRunFar is an easy to remember passphrase. It is a 16-character alpha-numerical password. Why add a number, aren't four or five words enough? No, because modern toolkits can crack a passphrase with four to five words. Adding a number (not just at the beginning or end), or even a space will strengthen the password while keeping it easy to memorize. NIST 800-63-3 supports the use of passphrases. Encourages users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization. What about password managers? At the same time, we cannot use this passphrase for other accounts. Instead, use a password manager which will accommodate for having a different password for each account. A password manager is a tool or service that will store your passwords for later use. An example of a common password manager is your browser. I will point out it is not recommended to use your browser's password manager. Some password managers offer free or inexpensive versions. LastPass and RoboForms to name a couple; EverKey, Keeper, and DashLane are pay-to-use. Be responsible with your passwords All things considered, having the best passwords does not mean you are 100% immune. Password hashes are stored and anything stored can be stolen. Strong passphrases make it more difficult for a malicious actor. You can use password managers to store passwords but this itself can be risky. For example, browser password managers do not require multi-factor authentication. Remember not use words or dates that can be guessed via social engineering. If a website such as a bank, offers mutli-factor authentication then enable it. Overall, passwords can be a nuisance but dealing with compromised accounts can be much worse.        

Le 2018-09-17


  Alien Vault - Things I Hearted this Week, 14th September 2018
With everything that keeps going on in the world of security, and the world at large, most eyes were focused on Tim Cook as he and his merry men took to the stage and announce the latest and greatest in Apple technology. There didn’t seem to be anything totally mind-blowing on the phone end. Just looked to be more bigger, faster, and powerful versions of the iPhones at eye-watering prices. The Apple watch now has a built-in FDA-approved ECG heart monitor. Which is pretty cool as an early-warning system that a stroke is imminent - I assume to allow you to take some smart HDR selfies, apply the correct filters, and post to Instagram before you collapse. But enough about that, let’s get down to business. British Airways Breached BA suffered a rather large breach which included payment information (including CVV) and personal details. While the investigation is ongoing, some security experts believe the breach was caused due to malicious code being injected into one of the external scripts in its payment systems. British Airways hack: Infosec experts finger third-party scripts on payment pages | The Register As an affected customer, I accept that companies get breached. But the advice seemed pretty poor. British Airways breached | J4vv4D Boards need to get more technical - NCSC The government is calling on business leaders to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of NCSC believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there, and what are the most effective ways of managing the risks. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk. NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was “unhelpful” | New Statesman Hunting in O365 logs Cloud is great, but sometimes making sense of the logs can be a pain. If you’re struggling with O365 logs, then this document could be really useful. Detailed properties in the Office 365 audit log | Microsoft GCHQ data collection violated human rights, Strasbourg court rules GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment. But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal. It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations. GCHQ data collection violated human rights, Strasbourg court rules | The Guardian A Mega hack! Cloud storage service Mega.nz has announced that users that installed their Chrome browser extension may have had their passwords compromised. A malicious version of the browser extension was uploaded to the Chrome web store to gain access to user’s logins to Amazon, Microsoft, Github, and Google. MEGA Chrome Extension Hacked To Steal Login Credentials and CryptoCurrency | Bleeping computer The Effectiveness of Publicly Shaming Bad Security Is publicly shaming a company a good idea? Personally, I’ve tended to steer away from it - I don’t feel like it’s a very constructive approach. But when there’s data to prove otherwise (albeit we aren’t talking in the scientific sense), then one may need to reconsider. There are ample examples of companies that have fixed their security issues after being publicly shamed - as my favourite blogger from down under, Troy Hunt shares in his blog post. These are all good examples, but it’s not too far away from digital pitchforks and mobs going after institutes over a simple misunderstanding. The Effectiveness of Publicly Shaming Bad Security | Troy Hunt On the topic of shaming, I would recommend the book, “So, you’ve been publicly shamed” by Jon Ronson. FDA to Ramp Up Medical Device Cybersecurity Scrutiny The Food and Drug Administration should increase its scrutiny of the cybersecurity of networked medical devices before they're approved to be marketed, a new government watchdog agency report says. FDA says it will carry out the report's recommendations. The Department of Health and Human Services' Office of Inspector General's report recommends that FDA better integrate the review of cybersecurity in the agency's processes for premarket assessments of medical devices. About time! FDA to Ramp Up Medical Device Cybersecurity Scrutiny | Data Breach Today Hacking Tesla’s keyless entry With about $600 worth of equipment, it is possible to wirelessly read signals from a nearby Tesla owner’s fob. Less than two seconds of computation yields the fob’s cryptographic key, allowing the theft of the associated car without a trace. Hackers can steal a Tesla Model S in seconds by cloning its key fob | Wired Researchers Show Off Method for Hacking Tesla’s Keyless Entry, So Turn on Two-Factor Authentication | Gizmondo       

Le 2018-09-14


  Alien Vault - Explain Cryptojacking to Me
Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I’ll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat. What is Cryptojacking? Crytojacking definition: Cryptojacking is the act of using another’s computational resources without their knowledge or permission for cryptomining activities. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device’s computing power than your own personal data. To understand why, it’s helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization’s AWS bill or data center utility bill can attest to. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others’ resources to do the mining for you. That’s exactly what cryptojacking attacks aim to do, to silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask. Cryptomining vs. Cryptojacking As the cryptocurrency markets have gained value and become more mainstream in recent years, we’ve seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptoming server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 Billion Bitman IPO. Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining “startup” Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription. According to the website, the folks behind Coinhive, “dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics.” Yet at the same time, Coinhive has been one of the most common culprits found in cryptojacking attacks this year. In fact, one recent report analyzed cryptojacking sites and found that nearly 50,000 websites were running cryptocurrency malware, Coinhive among them. Recent Coinhive victims include the Los Angeles Times, Politifact.com, and both AOL and Google’s Ad Networks. Further blurring the lines, Coinhive has been heavily criticized for its handling of (or lack thereof) abuse complaints. As a result of the dramatic rise in cryptojacking attacks this year, many in the infosec community have come to consider all cryptominers as malware. And, browser developers have started to introduce browser extensions to block cryptomining activities, such as No Coin. This “trust-no-miner” sentiment is strong in the infosec community. According to our own AlienVault research, only 8% of cybersecurity professionals would consent to their computer being used for cryptomining in exchange for accessing content on a website, although slightly larger group of altruists (38%) would consent if that cryptomining activity benefited a charity. So, while legitimate cryptomining activities will likely continue to grow as the cryptocurrency markets evolve with investments in large-scale operations, it’s unlikely that cryptomining as a form of micropayment will gain mass adoption any time soon. Cryptojacking – What’s at Stake? While a cryptojacking attack might not be as acutely devastating as a ransomware attack, it can cause serious damage to your business. Here’s a list of possible impact a cryptojacking attack can have: A slow-loading website: When an attacker exploits a website vulnerability by injecting a cryptomining tool like Coinhive, it can slow down page load time, driving away your visitors, users, or shoppers. Some attacks intentionally add a delay so that they can use more resources while the user waits for the page to load, as seen in the attack against Starbucks’ WiFi network in Buenos Aires cafes. High resource costs: If cryptominers persist in your infrastructure, you might unknowingly be footing a higher data center utility bill or cloud services provider bill. Think of it like this: If ransomware were grand theft auto, cryptojacking would be more akin to someone siphoning the gas from your tank little by little. You might not notice it right away, but your more frequent stops at the gas pump would eventually add up. That’s not all. Running CPU and GPU higher for a longer time can accelerate the wear and tear on your hardware, shortening its lifecycle and increasing your hardware costs. Data loss: No one wants to wake up to an egregious bill from your cloud services provider because an attacker spun up infinite resources overnight for cryptomining. While many security and IT teams have put in place auto-scaling limits to safeguard against this, some cryptojacking attacks are designed to start deleting existing cloud services when that limit is met. Security breach: Attackers are becoming increasingly efficient in their maldoings by packaging multiple attack modules and payloads into a single campaign. A malware campaign might drop a cryptominer packaged alongside a keylogger, backdoor, and other tools and techniques. If you detect cryptomining activities in your environment, don’t assume that the attackers’ intentions are single threaded. Opportunist attackers seeking financial gain will try to maximize their profits, whether by stealing your resources, your data, or both, if you let them. Explain How Cryptojacking Attacks Work Cryptojacking attacks take on multiple forms in the wild, often packaged with other modern attack modules found in various malware and ransomware attacks. Here are three common ways we see cryptojacking attacks unfold in the wild: Browser-based Cryptojacking Attacks In this common type of cryptojacking attack, an attacker injects a cryptominer into a compromised website, ad platform, or browser extension, often by exploiting cross-site scripting (XSS) vulnerabilities. This enables the cryptominer to use a device’s resources whenever the user browses the website, plays an ad, or installs the malicious browser extension. However, some attacks have been known to persist by launching a separate “pop under” window that hides behind the taskbar clock and continues to mine after the user exits the website. Because this type of cryptojacking attack doesn’t download or install any payload to the device, not every antivirus solution is able to protect against it. So, it’s important to ask your vendor specifically how it detects and blocks browser-based cryptomining activity. Using ad blockers, pop-up blockers, or even disabling JavaScript can add extra layers of cryptojacking protection. When it comes to your own website, know your vulnerabilities and patch, patch, patch. Vulnerabilities like Drupal CVE-2018-7600 and more recently, CVE-2018-7602 are common exploits for cryptojacking attacks. Cryptojacking the Public Cloud Public cloud environments provide near-infinite computing resources for an attacker bent on cryptomining. Once an attacker has infiltrated your public cloud environment, they can silently siphon your resources and perhaps delete or flood logs to cover their tracks. Or, more aggressively and with sufficient privileges, the attacker may spin up resources rapidly and programatically while deleting other user accounts in an attempt to lock you out of your account to disrupt the cryptojacking. Modern attacks against cloud infrastructure use bots to look for easy targets like unsecure servers or account credentials shared in Github. Practicing good cloud security hygiene across your organization is the best first defense to avoid becoming an easy target and an unfortunate headline. Here are a few good resources on cloud security best practices: 11 Simple Yet Important Tips to Secure AWS AlienVault Best Practices for AWS Security AWS Security Best Practices (Amazon) Introduction to Azure Security (Microsoft) Advanced Fileless Malware Attacks Fileless malware attacks are on the rise this year, and many of the campaigns we’ve observed in the wild include a cryptominer payload. Fileless attacks take advantage of PowerShell, Windows Management Instrumentation (WMI), and other common IT admin tools in order to evade detection by traditional antivirus and signature-based detection tools. For example, the AlienVault Labs Security Research Team recently analyzed MassMiner, noting that it uses PowerShell to download the cryptominer onto infected hosts. As I mentioned above, advanced fileless attacks are increasingly packaged with multiple tools, modules, and payloads into a single campaign. Detecting modern fileless attacks requires advanced threat hunting capabilities that go well beyond perimeter and endpoint protection tools. You must be able to identify new and evolving tools, tactics, and procedures (TTPs) that attackers employ for exploitation, installation, lateral movement, persistence, and exfiltration. Unless you have dedicated resources to research the latest TTPs found in the wild, hunt for threats, and analyze all the security data from across your environment, it can be a challenge to stay at pace with these types of emerging attacks. How AlienVault USM Anywhere Detects Cryptojacking As you can see, there’s no single way that a cryptojacking attack unfolds in the wild. These types of attacks evolve quickly and target critical infrastructure across cloud and on-premises environments. Fortunately, USM Anywhere delivers the capabilities needed to detect and respond quickly to the latest cryptojacking attacks. In order to detect and defend against cryptojacking attacks, it’s crucial to have visibility of your entire IT environment. USM Anywhere detects modern threats anywhere they appear across your public cloud infrastructure (AWS, Azure); SaaS / cloud apps (Office 365, Oka, G Suite); physical and virtualized on-premises; endpoints (Windows, Linux) on and off the network; even the dark web. To keep you at pace with the latest cryptojacking attacks without draining your security resources, USM Anywhere automates security monitoring and threat hunting activities. For example, to detect cryptojacking attacks against your AWS cloud infrastructure, USM Anywhere detects and correlates events like: AWS temporary security credentials with long duration New user starting a high number of instances New user account deleting multiple users Multiple instances being started or shut down programmatically CloudTrail trails deleted On endpoints and across your network, USM Anywhere detects and correlates indicators of a cryptojacking attack, including anomalous or suspicious behaviors by normal processes and services. Examples include: RDP (remote desktop protocol) Session Hijack using tscon.exe Reverse PowerShell use A SSH process created a tunnel between two hosts Suspicious command executed by a listening process (JBoss, ElasticSearch, Jenkins) Windows User Account Control (UAC) Bypass activity detected A Docker container recently launched is involved in cryptomining activities. Installation of Malicious Chrome Extension This list of TTPs is continuously and automatically updated in USM Anywhere through the threat intelligence service from the AlienVault Labs Security Research Team. This team uses machine learning capabilities, human intelligence, and the 20 million IOCs shared daily in the Open Threat Exchange (OTX) to identify emerging and evolving TTPs, which they curate and write into actionable correlation rules, endpoint queries, and more. As a result, you get alerts on real high-priority threats as well as response guidance and integrated incident response capabilities – all from a single cloud platform. There’s much more to discover about USM Anywhere. Start your free 14-day trial to test drive USM Anywhere and see for yourself the powerful threat detection and incident response capabilities built into the unified platform.       

Le 2018-09-11


  Alien Vault - VLAN Hopping and Mitigation
We’ll start with a few concepts: VLAN A VLAN is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as 'VLAN Hopping', an attacker is able to bypass these security implementations. Learn more about network segmentation and VLANs here. VLAN Hopping This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow for attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switched spoofing', and 'double tagging'. I will then discuss mitigation techniques. Switched Network It is crucial we understand how switches operate if we would like to find and exploit their vulnerabilities. We are not necessarily exploiting the device itself, but rather the protocols and configurations instructing how they operate. On a switch, a port is either configured as an access port or a trunking port. An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN. A trunking port is used when connecting two switches or a switch and a router together. Trunking ports allow for traffic from multiple VLANs. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP). DTP is a Cisco proprietary protocol where one use is to dynamically establish a trunk link between two switches. Switched Spoofing VLAN Attack An attacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them. As mentioned before, packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the attacker then has access to traffic from any VLAN. This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured with either "dynamic desirable", "dynamic auto" or "trunk" mode. If the target switch has one of those modes configured, the attacker then can generate a DTP message from their computer and a trunk link can be formed. Double Tagging Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is, this attack is strictly one way as it is impossible to encapsulate the return packet. VLAN Hopping Exploit Scenario 1 - Switch Spoofing Attack In this scenario there exists the attacker, a switch, and the target server. The attacker is attached to the switch on interface FastEthernet 0/12 and the target server is attached to the switch on interface FastEthernet 0/11 and is a part of VLAN 2. Take a look at the following topology. Once you are familiar with the topology, take a look at a few of the configurations set for the switch: interface FastEthernet0/11 switchport mode access switchport mode nonegotiate switchport access vlan 2 ! interface FastEthernet0/12 switchport mode dynamic auto Hopefully, you can see the configuration issue with interface fa0/12. This port is set to accept incoming negotiations to determine whether the port is for access or trunking. Which means an attacker is able to perform a Switch Spooking attack. Once the attacker connects to the port they can then send a DTP message and a trunking link will be established. An attacker can use the program Yersinia to craft and send a DTP message. Yersinia is a penetration testing framework built to attack many protocols that reside on layer 2. It comes pre-installed with kali Linux and has an easy to use graphical user interface (GUI). Yersinia Homepage - http://www.yersinia.net/ To launch Yersinia:      yersinia -G Here is a quick look at the GUI:  Now to send a DTP message is as simple as the following 4 steps:   click "Launch attack" click the tab "DTP" click "enable trunking" click "ok" Yersinia will the send out a DTP message and within a few seconds, a trunking link will be established. In our scenario, the attacker will then have access to all traffic flowing through VLAN 2 and can directly attack without going through any layer 3 devices. Scenario 2 - Double Tagging Attack In this scenario, there exists an attacker, 2 switches, and a target server. The attacker is attached to switch 1. Switch 1 is attached to switch 2 and finally, our target is attached to switch 2. Take a look at the following topology. Once you are familiar with the topology, take a look at a few of the configurations set for switch 1. interface FastEthernet0/12  switchport mode access  switchport nonegotiate  switchport access vlan 1 ! interface FastEthernet0/11  switchport trunk encapsulation dot1q  switchport mode trunk  switchport nonegotiate  switchport trunk native vlan 1 From these configurations, we see that an attacker would be unable to perform a switch spoofing attack. However, we see that the attacker belongs to the native VLAN of the trunk port. Which means this topology is vulnerable to a Double Tagging attack. An attacker can use the program Scapy, to create the specially crafted frames needed for processing this attack. Scapy is a Python program created to manipulate packets. Scapy Homepage - https://scapy.net/ Scapy Documentation - http://scapy.readthedocs.io/en/latest/usage.html Start Scapy:       sudo ./scapy Using the sendp() function to craft a packet: >>>sendp(Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=2)/IP(dst='<destination IP', src='<source IP>')/ICMP()) This will generate a double 802.1q encapsulated packet for the target on VLAN 2. Take a look at the following topology to view how the switches manage this frame. From the picture, we can see that switch 1 reads and removes only the outside tag. It checks that the host is part of the stated VLAN and forwards the packet to all native VLAN ports (VLAN 1). Switch 2 then receives the packet with only one header left. It assumes the frame belongs to the stated VLAN on this tag (VLAN 2) and forwards to all ports configured for VLAN 2. The target then receives the packet sent by the attacker. VLAN = HOPPED. Due to the nature of this attack, it is strictly one way. Please also note that this attack may not work on new switches as documented here.  Mitigation for VLAN Hopping Switched Spoofing To prevent a Switched Spoofing attack, there are a few steps you should take:   Do not configure any access points with either of the following modes: "dynamic desirable", "dynamic auto", or "trunk". Manually configure access ports and disable DTP on all access ports. switchport mode access switchport mode nonegotiate Manually configure all trunk ports and disable DTP on all trunk ports. switchport mode trunk switchport mode nonegotiate Shutdown all interfaces that are not currently in use. Double Tagging To prevent a Double Tagging attack, keep the native VLAN of all trunk ports different from user VLANs. Final Note Switches were not built for security. However, it is important to utilize security measures at every level. If you are to take the time to segment your network, make sure it is done properly and securely. Be diligent when configuring your network.       

Le 2018-09-10


  Alien Vault - Things I Hearted this Week, 7th Sept 2018
Welcome to another week of security goodness. I think we’re in that weird part of the year where most summer holidays are coming to a close, so people are opening their inboxes - saying NOPE - and shutting them back down again. Or maybe that’s just me. Although I am glad that the kids are finally back to school. But for those of you who may be struggling, here’s a handy article on how to minimise stress before, during, and after your vacation. Hot Hot Security The Scoville Scale is a measurement chart used to rate the heat of peppers or other spicy foods. It can also can have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot as the human attack surface is projected to reach over 6 billion people by 2022. In addition, cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats in a similar scale to the hot peppers we consume. A Scoville Heat Scale For Measuring Cybersecurity | Forbes Spying on the Spies Spyware may seem like a good option if you want to keep an eye on what online activities your children get up to… or, if you’re the insecure type (or worse), to see what your significant other gets up to. The problem is that these spying tools have been shown to be woefully insecure time and time again. For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records | KrebsOnSecurity Spyware Company That Marketed to Domestic Abusers Gets Hacked | Motherboard Facebook fell victim to fake news It’s not surprising to hear that fake news made its way onto Facebook. What is worrying is that Facebook’s own training materials fell for fake news.   Facebook’s Own Training Materials Fell for Fake News | Motherboard Transparency in security I like what the good folk over in the Photobox security team are doing by frequently blogging about their security. It’s good for other professionals to learn from, but also good for customers, as it helps them understand how their data is protected and treated within the company. Managing information about risk management at Photobox | Photobox Hacking a Retro Knitting Machine to Create a Giant Stellar Map An Australian software engineer has spent years hacking a 1980’s knitting machine to create a spectacular work of art and simultaneously both advance knitting and science education. Sarah Spencer has toyed around with hacking and programming a 1980’s knitting machine for a while before seriously turning her attention to a mammoth task: creating gigantic equatorial star map in tapestry form. This Engineer Hacked a Retro Knitting Machine to Create a Giant Stellar Map | Interesting Engineering CroniX CryptoMiner Kills Rivals to Reign Supreme The operator of a new cryptomining campaign takes aggressive actions against its competition and halts other cryptojacking activity on the machines it claims. Cybercriminals are quick to take advantage of any proof-of-concept (PoC) exploit code that falls into their hands. For the recently disclosed Apache Struts vulnerability (CVE-2018-11776) there are multiple PoCs available, so news of the bug exploited in the wild came as no surprise. CroniX CryptoMiner Kills Rivals to Reign Supreme | Bleeping Computer Put that in your threat model And finally, this week, the story that will likely have you rethinking your threat models, a giraffe sculpture was used as a battering ram in a burglary. Giraffe sculpture used as battering ram in Worcester burglary | BBC       

Le 2018-09-07


  Alien Vault - Malware Analysis for Threat Hunting
If you're not into Wireshark, procmon and Windows Sysinternals you might be in the wrong place :)  Malware analysis allows the analyst to see what actions are taken and allows us to use those actions to build a profile that can be used to detect and block further infections and find related infections.  We run the malware in labs to determine how they act, we give them different inputs to see how the behavior changes, we run them through debuggers to disable safeties and checks that it might have against analysis, and we may even use a disassembler to more fully understand the paths that the malware may take.  Using these techniques, the malware analyst builds a list of indicators that can be used to detect and block the malware that they are examining, build information about who may be targeting their network, and even what the malware may be gathering.  I’m going to narrow my focus to behavior analysis and give some examples of what can be done with threat hunting and this technique. Behavioral Analysis for Malware Behavioral analysis is the step of running the malware under controlled conditions where you can observe the actions that the malware takes.  By running the malware in a completely isolated environment we can tell what the malware would do if it was unable to communicate.  With behavioral analysis, you take everything a step at a time.  When it is completely isolated does it try to scan for a network?  If yes, then go ahead, add it to one, and see what happens.  After that does it start looking for?  Give it to it.  The main goal of this type of analysis is to see what the malware does in a step-by-step process, allowing you to map its different actions and have a better overall picture of the malware before you start examining it in debuggers or through disassembly.  I would say that this is one of the more fun parts of the analysis process. Basic Lab Environment for Malware Analysis Your basic lab environment should contain: VMware/Virtualbox with the following computers: Windows with Wireshark, Process Monitor, and procDOT installed. REMnux (has everything preinstalled that you will need) Make sure that your VMs are set to host only networking and that your windows machine has your REMnux box as the default gateway by setting a static IP address.  This ensures that the first hop will be to REMnux and will allow the traffic control that we would want. Tools for Malware Behavioral Analysis There are several tools that you want to use to gather the most information that you can: Wireshark: This tool isused to gather network traffic on a given interface.  The follow option will allow you to view pages and traffic, and it even allows you to recreate and save files that were transferred while the packet capture was running. https://www.wireshark.org/ Process Monitor: (procmon) This tool is used to record the full activity of a computer for the time that it is monitoring. This is extremely useful for detailing actions taken by processes. https://docs.microsoft.com/en-us/sysinternals/downloads/procmon ProcDOT: This tool takes a CSV from Process Monitor and can show you what a specific process did as a flowchart.  This makes it much easier to interpret what happened, and in what order. http://procdot.com/ FakeDNS: This tool is an included script in REMnux that replies to all DNS requests with its own information and outputs the requested domain to the terminal.  This is useful for determining what domains are being requested by each computer that is connected to it. accept-all-ips: This tool is also an included script in REMnux.  This redirects all IP traffic to the REMnux host.  Very dangerous if activated on a live environment, but very useful to force traffic to your analysis machine. INetSim: This is a software suite that simulates many common services/protocols on the web.  This suite will even provide malware samples with benign executable if something asks for it. https://www.inetsim.org/ Running the Malware through Behavioral Analysis When you run the malware make sure to start procmon and Wireshark on the Windows host always just before you launch the malware.  That allows you to make sure that you catch all the malware activity.  Once you are done with the malware you will be able to save the procmon results and open them in procdDOT.  This will give you a nice view of exactly what the malware did.  Make sure to check Wireshark as well for any unknown traffic as well.  Once you can see what it does with nothing you can reset your windows machine and start again. Yes, it does get repetitive resetting with each go, but you always want to start with a clean environment.  After you have determined what the malware was looking for, set up your REMnux system or clean environment to give it what it wants.  You really want to repeat this until you either cannot determine what it needs, or it stops asking for new things.  At this point you should have a nice list of IP addresses, domains, files, etc. that the malware is looking for, or reaching out to. Make sure to tune your systems to alert for these indicators that are found.  You would not want to end up with a similar infection because you forgot to look for the information you just found.  There are other types of analysis to do with the malware sample you have, but for this let’s concentrate on the next step and look at what our list of indicators can help us with. Let’s Go Threat Hunting Using Our Malware Analysis Once you have determined what the malware is looking for, you have a great place to start looking for other threats.  Find other places on the network that may have a similar build (even if it happens to be all your workstations) and hunt.  Checking system logs, either by querying the logs directly or through your SIEM, for similar activity can be can used to find threats as well.  If you notice that the malware is using a non-standard user agent when making a network connection, looking through your proxy logs for that agent and similar agents can be a great way to find similar threats.  The same could be said on ports and domains. Most of the time if a tool works users will stick with it.  The same can be said of the bad actors who are deploying malware.  If I use WordPress as an example, not to say it isn’t the most secure platform, when a hack occurs there is usually a file that is added to one of the include folders, and malware may point to that file directly.  It is a good idea then to check for similar paths in domains that your firewall and proxy shows traffic to.  This can often reveal different threats in your environment. Be thorough in this type of searching.  Just because you have the indicators and activity blocked and triggering alerts now, doesn’t mean that another system was not compromised before you put those checks and blocks in place. Ensure that you have access to the logs from the computer where malware was found.  If you have access to get the information on network flow even better.  Using these and what you know of the malware after the reversing process you should be able to make the determination if the malware allowed other malicious activity to enter the network.  If it did, the logs and network flow should give you a clue as to what else was allowed in and if it used the computer for any lateral movement. Malware analysis and threat hunting are two concepts and techniques used to ensure that our networks remain secure.  When we use tie these concepts together we can more effectively determine the scope of the threat.  Behavioral analysis is just one step of the malware analysis process that can be helpful.  There are more types of malware analysis and reverse engineering that give information that behavioral analysis does not pick up and you can use to further your threat hunting.       

Le 2018-09-05


  Alien Vault - Cyber Security Awareness Month - Phishing
It’s September, which means it’s almost October, which is National Cyber Security Awareness Month (NCSAM)! NCSAM was launched by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004. This government and industry collaboration was started with the intention to ensure citizens and companies of all sizes have access to resources needed to stay safe and secure online. Every year, the official program focuses on a series of weekly themes. Many individuals and companies also share their own best practices and ideas for security awareness. In doing our part, we’re also publishing a series of posts during September and October to help share some of our favourite resources and tips on staying safe online. Phishing: Kicking off the festivities, I’m highlighting one of the most prevalent threat vectors there is: phishing. Phishing can take place under many guises and have different objectives - but at a high level it’s nearly always an email sent which claims to be from a trusted person or entity that attempts to trick the recipient into performing an action. Examples of phishing emails can include: The tax office claiming you have underpaid, or are due a repayment with a malicious document attached. Your CEO asking that you make a large payment to a new supplier immediately. The IT team asks you send them your password in an email or via a form. Your bank asking you to login and confirm details. A service provider threatening to cut off your service unless you respond to them immediately with information. You get an unsolicited job offer, or a lucrative work-from-home scheme A match on a dating site asks excessive personal information, or for money or gifts. This is not an exhaustive list, but all of these tactics seek to instill a sense of urgency in the recipient, trying to get them to respond quickly usually using the broad hooks of money, employment, love, or threats (MELT). There are many telltale signs you can usually look out for, such as the tone of the email, the grammar and spelling, or the email headers that can indicate whether an email is genuine or not. However, for the most part, it is best to err on the side of caution, and if something doesn’t feel right or genuine it’s best to confirm directly with the alleged sender of the email. While there are a growing number of tools available to defend against cybercrime, education remains one of the most important tools in our defence. It is only by gaining a greater understanding of the threats and techniques encountered - in both personal and business settings - that we can best protect ourselves. A short video on phishing And a slightly more in-depth video on how to spott a phishing email       

Le 2018-09-04


  Alien Vault - Things I Hearted this Week, 31 Aug 2018
After a week in Vegas for Blackhat, and then a week’s vacation, I’m back with your favourite dose of security roundup. Giving you the security news and views you deserve, not need. So, let’s just jump into it and make up for lost time. Adventures in Vulnerability Reporting Discovering vulnerabilities and getting rewarded for bugs is the new hotness. Being new, there are many teething problems as organisations and researchers struggle to get on common grounds as to how to best disclose them. Natalie Silvanovich of Google’s Project Zero has documented her adventures and an example of a particularly poorly conceived vulnerability disclosure process in this blog: Adventures in vulnerability reporting | Project Zero Natalie raises some very valid points in her post about how researchers will sometimes abandon the disclosure process altogether if it becomes frustrating. As we saw when a Microsoft Windows 0day was disclosed unceremoniously through Twitter. Microsoft Windows zero-day vulnerability disclosed through Twitter | ZDNet And while we’re on the topic of vulnerabilities, Adrian Sanabria drops the truth (with stats) on patching. You should always patch when you can, but when you can’t, you need a plan B. Another Year, Another Critical Struts Flaw | Nopsec Twitter Bots Twitter bots are spoken about frequently, usually in the same breath as fake news or disinformation. But how big a problem are bots, and do they actually influence public opinion or are they merely trolls? The good folk over at SafeGuard cyber may be able to shed some light on it with a detailed report that looked at over 300k bots and tracked their behaviour and tactics - providing an analysis of how bots are deployed to reshape public perception. How Russian Twitter Bots Weaponize Social Media | SafeGuard Cyber A True Password Manager Story I can neither confirm nor deny that I’ve ever blamed Graham Cluley for anything… but this is a good post by Stuart on the trials and tribulations of adopting a password manager. I’m OK, but Graham Cluley made me do it | Hidden Text While we’re discussing passwords, a different Stuart has written a very open and honest discussion on the use of two-factor authentication. It’s well worth a read. Before You Turn On Two-Factor Authentication… | Stuart Schechter, Medium Probably The Best Tech Keynote in the World I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University. I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving out 50 minutes out of your day to watch his keynote entitled, Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models The Importance of Wellbeing Working in any career can take its toll. Technology jobs in particular have a habit of following you around wherever you may go via your connected device. Mo Amin shares a personal account, with some good tips on how one can bring about balance to their lives in the busy times we live in. Smashing the Stack but for None of the Fun or Profit: The Importance of Wellbeing | Infosec Mo Oh, No, Not Another Security Product “The industry doesn't need more products, companies, or marketing hype. We need an overhaul of the whole approach to security solutions, not an improvement of components. Security should be built on platforms with a plug-and-play infrastructure that better supports buyers, connecting products in a way that isn't currently possible.” Oh, No, Not Another Security Product | Dark Reading Somewhat related The most important attributes of a cybersecurity platform | CSO Online       

Le 2018-08-31


  Alien Vault - AlienVault Product Roundup July / August 2018
It’s been a busy summer at AlienVault! Amid some major company announcements, we continue to evolve USM Anywhere and USM Central with new features and capabilities that help you to defend against the latest threats and to streamline your security operations. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Here are a few of the highlights from our July and August 2018 releases: New EDR capabilities with the new AlienVault Agent On July 31, 2018, we publicly launched new endpoint detection and response (EDR) capabilities in USM Anywhere, extending the platform’s powerful threat detection and response capabilities to the endpoint. Read the blog post here. By deploying the AlienVault Agent - a lightweight and adaptable endpoint agent based on osquery -  you can expand your security visibility to detect modern threats and monitor critical files (FIM) on your Windows and Linux endpoints, whether in the cloud, in your data center, or remote. The new EDR capabilities were made available automatically and seamlessly to all USM Anywhere customers, without requiring any subscription upgrades, system updates, or the purchase of add-on products to access the capabilities. AlienApp for ConnectWise The AlienApp for ConnectWise is now included in the Standard and Premium editions of USM Anywhere. Service management teams that use ConnectWise Manage can leverage automated service ticket creation from USM Anywhere alarms and vulnerabilities as well as synchronization of asset information. Slaying Defects and Optimizing the UX In addition to these new capabilities and apps, in every update this summer, the team has rolled out enhancements to the user interface and / or has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details. USM Central Roundup and Look Ahead Earlier this month, Skylar Talley, AlienVault Senior Product Manager for USM Central, wrote a blog post recapping the recent improvements to USM Central and outlining his vision for the product in the next few months. You can read the full post here. The highlights include: Two-way alarm status and label synchronization Orchestration rules management across USM Anywhere deployments USM Central API availability (You can find the API documentation here.) Threat Intelligence Highlights USM Anywhere receives continuously updated rules and (new!) endpoint queries to detect not only the latest signatures but also higher-level attack tools, tactics, and procedures – all curated for you by the machine and human intelligence of the AlienVault Labs Security Research Team. The AlienVault Labs Security Research team publishes a weekly threat intelligence newsletter, keeping you informed of the threats they are researching and delivering as actionable threat intelligence automatically to the platform. Read the AlienVault Threat Intelligence newsletters here. In their spare time, our security researchers break down emerging and evolving threats in excellent blog posts. Recently, the team wrote on the following emerging attacks: Off-the-shelf RATs Targeting Pakistan Malware Analysis using Osquery Part 1 ZombieBoy Malicious Documents from Lazarus Group Targeting South Korea GZipDe: An Encrypted Downloader Serving Metasploit Until next month!       

Le 2018-08-28


  Alien Vault - Earning a Cyber Security Certificate: Pros and Cons
The need for highly skilled cyber security professionals is not slowing down. As cyber crime continues to plague both the public and private sectors, demand is soaring for experts with the skills to help protect businesses and combat ever-evolving threats. If you’re looking to pursue or advance your career in cyber security, you may be wondering how much education you’ll need to qualify for certain jobs. As cyber crime has intensified over the past decade, new educational programs have emerged to help train aspiring cyber security experts. There are now undergraduate and graduate degrees, along with certificates and certifications focused on cyber security. In this article we’ll examine the certificate option. Careers in cyber security tend to pay well and — because a certificate requires a significantly smaller investment in time and money than an undergraduate or graduate degree — it can be an appealing option to those looking to get their start in cyber security or make a career switch. But because cyber security is a particularly complex field, a certificate on its own may not be enough. Depending on your goals and your situation, a certificate may or may not offer the return on investment you are seeking. Here’s a related blog on whether certificates are worth your time. Is a Cyber Security Certificate Right for You? If you are looking to launch a career in cyber security, it’s very possible that you’ll need more than a certificate to get your foot in the door. In fact, although there is an abundance of job openings, many of these openings exist because employers can’t find candidates with the right level of education and experience. A certificate may be a good option if you are just looking to learn more about the field and are still considering your career options but are not ready to commit to more than that. On the other hand, if you are more advanced in your career and are looking into pursuing a certificate with the possibility of moving into a degree program, you should make sure to find a certificate program that will allow you to transfer your courses. A certificate could also be a good option for those working in human resources, information security, web development, computer network architecture or similar tech-related fields who need to brush up their cyber skills but don’t need or want to commit to more. Since most certificate programs include high-level introductory classes that cover the basics of cyber security, such programs can be a great way to get a taste for what working in the field might be like. However, if you’re hoping to pursue a career in cyber security, a certificate on its own likely won’t suffice to get you where you want to go. What to Consider When Pursuing a Cyber Security Certificate If you decide that a certificate program is right for you, be sure to find a university that offers graduate programs in cyber security and will allow you to transfer your credits should you decide to advance your education even further. Be wary of for-profit programs. If you are going to pursue a certificate, there are many well-regarded institutions that offer certificate programs and will likely deliver a stronger education coupled with a better reputation. Remember that there is a big difference between a certificate and a certification. While both can be valuable depending on your goals, they are quite different. A certification is typically looked at as the more significant achievement of the two, as a certification is a specialized credential focused on a targeted topic. Certifications are usually offered by professional organizations or companies and typically require recertification after a certain time period. Certificates, on the other hand, are more often geared toward entry-level professionals and are usually offered by a college or university. Certifications are typically geared toward professionals already in the field or with experience and/or education in cyber security. Final Considerations If you are looking for a way to learn the basics of cyber security and to determine if the field is the right fit for you, a certificate could be a great choice. However, if you determine that you need more than what a certificate program can offer, you may want to consider the many benefits of a graduate degree in cyber security. With a graduate degree, your earning potential increases significantly and your career options expand dramatically. Although it takes a more committed investment to pursue a graduate degree vs. a certificate, the return on your investment will almost always be higher as employers continue to seek highly educated experts who are able to adapt and evolve with changing cyber-crime tactics. Ensuring that you have a strong foundation and the right level of education is the first step to building a successful career in cyber security.          

Le 2018-08-27


  Alien Vault - What I Learned at Hacker Summer Camp 2018
The week of August 5-12 was a whirlwind of activity as thousands of cybersecurity professionals descended on Las Vegas, NV to attend the annual trifecta of conferences: BSides Las Vegas, Black Hat Briefings, and DEFCON.  This was my 14th consecutive year in attendance, and I found a number of good, bad, same, and different things to report on. There's More BSides Let’s start with BSidesLV. This has been held at the Tuscany Suites the past few years, and it’s gotten bigger each year. You used to be able to just show up for BSides and grab a visitor badge, but no more. Besides (haha!) being a cool/chill place to network with other infosec professionals, probably the biggest draw about BSides was that it was free. But that concept is going away next year for their 10th anniversary. BSides sprang up as a grassroots effort by some folks who had their papers rejected from Black Hat. They decided to hold their own conference somewhat in opposition to the commercialization and vastness of Black Hat. So, it has the vibe of an edgy conference with open exchange of ideas, but just not on the scale of DEFCON. One nice thing about BSides is that their Proving Ground track provides a forum for first-time speakers, whom they pair up with seasoned veteran speakers as mentors. This gives nervous rookies a welcoming environment in which to spread their wings.  BSides also has an “Underground” track, which, much like DEFCON Sky Talks, features off-the-record discussions on subjects with no press, no recording, no streaming, and no names. One really cool thing at BSides this year was that Jim Christy, a digital forensics and investigations (DFIR) legend who used to run the DoD Cyber Crime Center (DC3), gave a talk on how he put together an online task force to track down D.B. Cooper – the man who skyjacked a Northwest Orient flight in 1971 and somehow eluded capture for 45 years. You can enjoy the entire playlist of streamed talks from BSidesLV here. Hanging Out With White Hats at Black Hat In the Mandalay Bay Events Center, Google’s self-proclaimed “Security Princess” Parisa Tabriz opened the Black Hat Briefings with a cautiously optimistic keynote in which she encouraged more ambitious, strategic, and collaborative solutions to security issues. My favorite part was when she said: “If there's one takeaway from this talk, it’s that blockchain won't solve everything!” Tabriz exhorted the audience to tackle the root causes of security issues – not just treat the symptoms, i.e., no more whack-a-mole. One way she does this is using the Five Why’s method to explore the cause-and-effect relationships underlying particular issues. Tabriz’s big crusade has been to get more websites using HTTPS instead of HTTP. To figure out how to move this forward, she started with a haiku poetry slam (complete with bongos) to spark ideas from her team. Then, she opened up the project to comments from the public, and “shamed” the top 100 websites that did not use HTTPS. Since July, Google has begun labeling all sites still using unencrypted HTTP as “not secure” on Chrome. Tabriz’s efforts have been successful. She said since 2015 when only 45% of all websites used HTTPS, that number stands at 87% today. Just as drinking Smart Water doesn’t really make you smart, we found out from Jen Savage and Daniel Crowley that Smart Cities aren’t, well, all that smart about how they do security. The researchers found some basic vulnerabilities, such as default passwords, authentication bypass, and remote code injection that could allow attackers to take over products from such IoT vendors as Libelium, Echelon, and Battelle. It’s funny that every time there is a new “Smart” thing, we forget the lessons learned from the last thing; and in our race to get something to market, we inevitably make the same mistakes again and again. To wit: Smart Elections, Smart Cars, Smart Medical Devices, Smart Cameras,  etc., etc. In general, you can probably hack any hardware device to which you can gain physical access. You pop the cover, solder some leads onto a UART port, and drop into a root shell. But the ones that really worry me are those that can be reached remotely over the network. Savage & Crowley uncovered 17 0days – including eight deemed “critical” – and now, with Shodan, you could theoretically find hundreds of these vulnerable devices out there on the Internet. This is all the more reason you must continuously monitor your network using a solution such as AlienVault’s USM-Anywhere and a team of trained analysts. You never know when someone is going to pop a box using one of those 0days and then start pivoting into important stuff. You would like to be able to identify, control, and contain any fallout from that. One thing that always makes me wonder is why people don’t use two-factor authentication. Well, this talk by Indiana University's Jean Camp and Sanchari Das found that people simply aren’t educated enough and don't understand the risks of not using two-factor. I know I am constantly having to teach people this – especially in a post-mortem after a breach investigation. In the Black Hat Business Hall, I saw a lot of the S.O.S. While many vendors touted the latest mantra of artificial intelligence/machine learning/deep learning, I would ask specific questions about their products, and many were unable to answer or demo these features. In this realm, you have unsupervised AI/ML that’s pretty much a neural network trying to get smart by characterizing the steady-state of a system and then looking for outliers. Ultimately, these systems are asking you to hand over monitoring of your enterprise to a bot, and I’m not ready to do that yet. As we know, it didn't turn out very well in War Games, Terminator, or The Matrix. I think the more promising technology is probably supervised AI/ML. This is more like an expert system, in which an expert (the cybersecurity analyst) guides the system in its learning - much as you teach Pandora your likes and dislikes through thumbs up/down, and then it starts making music choices that it thinks you’ll like. They also use relationship graphs to start making connections and seeing things the analyst might not have initially picked up on.  I could definitely see this kind of technology being added to traditional Security Information and Event Management (SIEM) solutions in the future to help them be a force multiplier for analysts. However, in my humble opinion, we have not yet arrived there, if this year’s Black Hat were any indication. DEFCON: Dystopia's Edge Okay, well maybe that whole theme was a little over the top. Then again, when you think about the pervasive surveillance, government control, and propaganda out there, it does seem sometimes like we’re on the edge of Orwell’s 1984. But there is a counter-future. DEFCON is a celebration of people whose technical understanding and passions will (hopefully) keep us from falling into that dystopian future. If “they” try to subjugate us by algorithm, a researcher will just hack that algorithm and subvert it to free the people. If “they” try to fake us out with one source, our universal, interconnected access to information will allow us to find numerous other sources and viewpoints to counter the misinformation. So, besides hanging out with colleagues and enjoying adult beverages, this free exchange of ideas is the hallmark of DEFCON. It’s still anonymous – entry only via cash at door. I thought DEFCON did a lot better at not just being “linecon” this year. It only took 15 minutes or so to get my badge, and things didn't seem as stiflingly overcrowded as they were at DEFCON 25. So, it made me wonder: were there actually fewer people at DEFCON this year, or did the organizers do a better job with the logistics and just spreading everything out a little more? I note that they were still selling excess badges at the end of DEFCON this year. I don’t think that’s ever happened before. They always seem to run out by Day 2. Unfortunately, I didn’t get to stay the weekend and lose in the finals of Hacker Jeopardy! as I do every year, because I had to catch a redeye back for a wedding. But here were a few highlights I noted: I guess HP’s new bug bounty program is paying off, as researchers discovered a number of remote code execution flaws in HP printers – including the HP Deskjet, HP Officejet, HP DesignJet, and HP Photosmart. Dang, I think I might have one of those at home. I’d better go patch it ASAP. Here are the CVEs: CVE-2018-5925 and CVE-2018-5924. I’m also going to tell our pen-test team to try those out. We just love printers! Fake news is so 2017. Now, people are trying to change perception in science via fake journals and conferences. This talk especially drew my interest, as I have been adjunct professor teaching cyber courses at University of South Florida since 2000. What I found especially hilarious is that they used the MIT Paper Generator to produce a paper that was accepted to a journal. What is the motivation for these shenanigans? Money, I suppose. But in the case of the fake conferences and papers sponsored by Philip Morris and AstraZeneca – well, also money. As usual, I only went to about three talks – I typically wait for the videos to show up online – but I went to every village and played in a couple of contests. I couldn’t hang out in the biohacking village, because I actually had inside knowledge about a couple of the devices they had there. The Social Engineering CTF is always fun to watch, as they vish their way to prizes. It seems that the lady social engineers are especially good at this. When a guy picks up the phone and hears a female voice treating him nicely, he immediately turns to jelly and tells her whatever she wants to know. The past few years, I said, “Never again” after Hacker Summer Camp. But then, I ended up going anyway.  Maybe it’s the overcrowding at the conferences, or maybe it’s just being in Vegas for nearly a week – that can be rough on anyone. This year, however, I actually left with a good taste in my mouth. I saw all of my friends at AlienVault and heard about the exciting times ahead with AT&T.  I talked to the product folks and got a wee glimpse into the future. Maybe, just maybe, it’s not a dystopian future to which we are headed, but a positive one with hope and optimism. As Princess Tabriz said in her Black Hat keynote, we need to celebrate when we achieve a milestone, no matter how small, and keep pressing forward.       

Le 2018-08-23


  Alien Vault - Antivirus Evasion for Penetration Testing Engagements
During a penetration testing engagement, it’s quite common to have antivirus software applications installed in a client’s computer. This makes it quite challenging for the penetration tester to run common tools while giving the clients a perception that their systems are safe, but that’s not always the case. Antivirus software applications do help in protecting systems but there are still cases where these defenses can be bypassed.  Antivirus evasion is a broad topic and this article only presents very basic methods to bypass detection when the program is resting as a file in a non-volatile storage. Evasion techniques for a run-time state are quite different and challenging because of behavior monitoring done by antivirus programs. In this article, I will be discussing a few techniques that can be used to bypass antivirus software applications like string manipulation and code substitution. Before anything else however, an understanding of programming is required because I’ll assume that the detected software application has its source code available for modification. I’ll probably work out another separate article for evasion of programs that don’t have their source code available. There will be two basic steps to do. First will be finding the cause of the detection while the next step goes into how the detection can be bypassed. This is because we won’t be able to fix something if we don’t know what the problem is.  Looking for the Origin of the Detection For the demonstration, I will be using an object-oriented language, specifically C#, with the help of Visual Studio 2012. I grabbed a snippet from here specifically the functions “startup” and “USBSpread” while creating a new project to put both of these. This is what it looks like after creating a console project in C#: Please note that I have minimized the region of the code in the screenshot above to make it short. I’ll leave the credits where it is due for both those functions. After compiling the project and scanning it in VirusTotal, the result shows two antiviruses detecting it namely ESET and Sophos.     Please forgive me. If any of you are not familiar, VirusTotal actually distributes copies of a scanned file, especially if a few antiviruses detect it. Chances are that if you are reading this right now, the scan results might have changed already when you visit the link. This endangers your tool to become detected very fast and should not be used for scanning when you are developing a penetration testing tool to be used for legal assessments. Now here comes the fun part. How can we find out what’s causing the detection? Since we have a copy of the source code, what we can do is remove parts of the code line by line and rescan it. To start off, I have commented out the whole “USBSpread” function as seen below:   Compiling this and scanning in VirusTotal will give us a result of:      Notice that only ESET is now detecting it and the detection previously shown by Sophos disappeared. Uncomment the function “USBSpread” and then comment out the function “startup” as seen below:   The result after rescanning in VirusTotal will be:   As you may have guessed, the detection found by ESET now disappeared and Sophos has reappeared. From what we did, we can conclude that having the “startup” function actually triggers detection from ESET while having the “USBSpread” function actually triggers detection from Sophos. Sounds easy to identify the detection right?  Bypassing the Detection After being able to identify where the detection came from, we can now try to work out how it can be bypassed. Note that the identification process shown above is in general terms. To successfully bypass the antivirus detecting it, we need to continuously do the previous step while working on a fix line by line. There are a few methods like string manipulation and code substitution that usually work but sometimes also trigger more detection so these methods are quite “experimental”. String Manipulation This method simply points to how a normal string can be converted into another form while being evaluated with the same meaning. To understand this better, suppose we have a registry path: Code: SOFTWAREMicrosoftWindowsCurrentVersionRun In C#, if we declare this, it should look something like:   There are numerous ways on how we can change the form of that string while maintaining the original meaning when the code executes. Here are some very basic ways to do it: Base64 Using an encoder tool, enter the string “SOFTWAREMicrosoftWindowsCurrentVersionRun” and click “encode”. You should get something like this as a result:    Now we copy that string back to the source code with the following evaluator and notice that when the program runs, the string still gets evaluated to the original form:   ASCII Representation This is a pretty simple solution and it actually works sometimes too! Converting the string to its numeric ASCII form looks like this:   In the image above, I have converted the “” character into its numeric ASCII form. If we check out the ASCII table, the character “” is equivalent to 92 in decimal. Doing some other simple calculations basically differentiate the original code from the current one. Encryption can also take part in this like having your string encrypted and written down to a binary file. The program can then load it by browsing and decrypting the contents during execution or so. There are lots of possible methods for string manipulation and this is basically where your creativity comes into play. Code Substitution This method requires more in-depth knowledge of programming because it requires understanding of what a specific line of code or what a specific function does. For example, suppose we have a code that downloads the contents of a web page:   With code substitution, an understanding of what the code does is essential because we will need to find a replacement of the code by commands while achieving the same logic and goal at the end. In this case, the goal of the code above tries to get the client IP address in the network where the program is running. This can also be achieved with the use of this code:   Notice that the output is the same, which means the code logic does the same functionality and goal but the way it is done is different. If ever the first code is detected by a few antiviruses, it can be substituted with the next one or vice-versa. There are other more ways to grab the IP address but I’ll leave that part as a research for the readers.  Going back to the example program, let’s start with Sophos. At this point, the function “startup” is commented out to stop ESET from detecting it while we fix the first one. This antivirus was previously detecting the method “USBSpread” and after some trial and error, the detection was still popping up even after commenting out the whole function contents:   Result This simply means that Sophos notices when the function name is “USBSpread” so we change it to “ThisIsATest” and by scanning it again, we get:   By doing the process again, we uncomment out the function contents as seen here:   Once uploaded for scanning in VirusTotal, the result was 0/65!   Sophos in this case was basically finding that function name and flagged it as malicious. To proceed, we now do the same steps for the “startup” function and the specific line that started the detection by ESET was:   Since there are parameters in the line and one of the parameters is a string, we will need to separate it to another line so we can confirm what is being detected by ESET. A variable “temp” was assigned to hold the string representation of the registry path for this:   Scanning on the other hand still leaves us with an angry ESET here:    Result This confirms that the string is the one being detected by ESET. Below is a short test case that I have tried so far: Test Cases: Reversing the string making it “nuR\noisreVtnerruC\swodniW\tfosorciM\ERAWTFOS” -  Another detection popped up Moving the variable outside the function making it a global variable: Code: static string temp = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"; - ESET still detecting Converting each characters to their decimal number equivalent in the ASCII table: Code: static string temp = ((char)83).ToString() + ((char)79).ToString() ... ; - ESET still detecting Removing the string contents after “SOFTWARE” leaving: string temp = “SOFTWARE”; - ESET still detecting At this point, ESET was still detecting the program even if the registry path doesn’t really make sense, so this might not be the “real” thing being flagged by ESET or there is another line of code in which if combined with the current string, gets detected. Once this happens, we need to carefully go back each step and see what could probably be the issue. While leaving the code uncommented:   Code: string temp = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"; Plus having this code commented out: Code: destination = System.IO.Path.Combine(destination, "nvdisp.exe"); We actually get 0/65 from VirusTotal!   Result At this point, new test cases were applied because the string “nvdisp.exe” appears to be the real reason behind the trigger: Test Cases: Changing the string “nvdisp.exe” to “ThisIsAnotherTest.exe” -  ESET still detecting Moving variable outside the function making it a global variable: static string dest = “nvdisp.exe” -  ESET still detecting Encoding the string to base64 deriving to the code:  Code: destination = System.IO.Path.Combine(destination, System.Text.Encoding.Default.GetString(Convert.FromBase64String("Im52ZGlzcC5leGUi"))); -  Another detection popped up Now, there should be a lot of test cases here but to cut the testing short, since some basic string and variable manipulation don’t work, we can try to do some code substitution. Most programmers can understand what the “startup” function does. It simply adds the program to the Windows start up so it can execute once Windows boots. There are numerous ways to add a program in the Windows start up. This could be through copying the executable in “C:Users<USER>AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup” or maybe by using a scheduled task.  The “startup” function in this case was replaced by this simple code:   This basically does a similar job by logic but different in terms of instructions. The final program looks similar to this:   Once compiled and scanned in VirusTotal, the result gives us a rate of 0/65.   While being able to achieve a fully undetected program which helps in penetration testing engagements, it is essential to understand that running this program will probably catch the attention of antiviruses that monitor its actions during run time. This is why antivirus evasion is challenging to do with automated tools because the scope is very wide. P.S. The code presented above might have different scan results as time goes on because as mentioned, VirusTotal distributes copies of applications being scanned and other antiviruses might decide to put a flag on them.       

Le 2018-08-21


  Alien Vault - How to Get into Infosec: InfoSec Career Path Hacking
Maybe you've always dreamt of getting into the InfoSec field, and have been thinking about getting into information security for a while, or it's just coming to mind now. Regardless of where you are in your journey, welcome to the InfoSec community! In the words of the great Kung Fu Master, Shifu, “There is no level zero.” If you’ve seen Kung Fu Panda, you may recall that Po is a panda who eats, sleeps, and breathes Kung Fu, yet finds himself outside that community. He dreams of being a warrior. One day, he sees an opportunity to witness a significant moment in Kung Fu history and so he sets out on his journey.  But first, he must climb to the temple. It would have been easy for him to zig-zag his way to the top of the mountain, though it might have taken longer. Instead, he started with the logical place... the stairs - a much shorter path. You too will have to choose your path to awesomeness. Allow me to illuminate the way. “There is no level zero.” Find Your Why Po wanted to be great at Kung Fu purely for the sake of being great. Unfortunately, that probably won’t be enough to sustain you in the InfoSec field.  We all have selfish motivations, but they should pale in comparison to the greater good of our community, industry, and humanity. You will meet many who have forgotten that we are doing this for people, not to serve technology. Find your "why", and let it be outside yourself. That motivation will carry you through the many challenges, twists and turns along the way. “You will meet many who have forgotten we are doing this for people…” Take the Shortest Path The circuitous route is to acquire the necessary skills along whatever path you are on now. Even so, you will at some point have to focus on the particulars of those skill areas and invest in them. The alternative is the more direct route of certification and/or education. Although it may be more difficult, it will give you a more immediate opportunity. Certifications offer concentrated, focused training in a specific set of topics to support your goals. For example, the SANS Institute and CompTIA have well-planned certification roadmaps. Simply take a look at them, consider your current ability level and pick a certification as a starting point. Another resource is the free site Cybrary.it which hosts training courses in the certification area of your choosing. Don't forget to schedule your exam to give you motivation. Just taking an exam is a learning experience. Here’s a blog on the value of certifications you might want to look at. A wise mentor once told me that in order to be successful in InfoSec you need strong bases in at least one but preferably two of three areas: development, system administration, or networking. You may, perhaps, choose certifications such as Python and Powershell, A+, NET+, CCNA, Windows, Linux, and others. These may be vendor specific or vendor-agnostic. Employers will prefer a mix of both, depending on their alliances, partnerships, and the technologies that they leverage to deliver their business. Security job postings are an excellent source of this business intelligence. Regardless of how you choose to invest your time and energy, be certain to focus on fundamentals and work toward talking through the concepts. Job interviews will often include white boarding architecture, security concepts, and troubleshooting scenarios. “...to be successful in infosec you need strong bases...” Connect with Others - Mentor and Mentee Like Po, once you join the community you will encounter practitioners, commentators and others with their own experiences gathered over years, and some of them will be potentially valuable mentors who have years of training and refinement. They may be skeptical at first but let them see your integrity, motivation, and determination. You may occasionally experience some rather *ahem* skeptical colleagues who are not always silent. We (professionals) apologize for them in advance. Ignore them; they are not the Kung Fu Masters whom you seek. That being said, very few of them will be willing to do much hand-holding. They will expect that you are doing your own research. They will also be the ones you call upon when you’re looking for a job, whether it’s planned or unplanned. Warriors Who Stand on the Shoulders of Legends Information Security is a specialized field. Some would say it falls within the Information Technology realm, but it has taken on a significant business flavor as companies recognize the risks involved and seek to mitigate them. For a satirical commentary on this, check out the classic (in this author’s opinion) video with AlienVault’s own @J4vv4d “Host Unknown presents: Accepted the Risk.” An ever-increasing ability to be able to express the real-world risks to businesses, individuals, and nations has increasingly become a focus of this industry in order to be relevant to the business. Technology is changing rapidly, as you know, and with it the InfoSec industry. It must in order to keep astride the changing threat landscape defined by that technology and which attackers hope to exploit. Develop a continual appetite for consuming new thoughts, trends, tools and research to stay abreast of these changes. The Twitter #InfoSec community is just one thriving example. Make Your own Dojo Many have bemoaned the woes of needing a job to get experience and needing experience to secure a job. Fear not! You can and should practice and document your project(s) in a home lab environment. Documentation can come in the form of a blog, vlog, write-up, or analysis of some part of the project you did in your home lab. Then, include it on your resumé & LinkedIn profile and be ready to talk about it. They say that a journey of a thousand miles begins with a single step. This post is that step. For more details, check out Peerlyst’s ebook “The Beginner’s Guide to Information Security” (create a free account on this important community forum).       

Le 2018-08-20


  Alien Vault - Do You Take Security Seriously?
Well Javvad Malik has created another awesome report taking on what taking security seriously actually looks like - both for customers and providers. Here's a little excerpt: The “we take security seriously” line is the security equivalent of the infamous call center “your call is important to us” line. Everybody says it because that’s what you say. Taking security seriously is not a statement to be made, it’s achieved by making security part of your process, and that’s visible to everyone. - Scott Helme Taking security seriously isn’t measured by a solitary point in time, nor can it be boiled down to implementing a single standard set of controls. There are many factors that contribute to this mindset. If someone says they take security seriously, they should be able to defend that statement in some manner. It doesn’t need to be a universally accepted position; it just needs to be something that shows they have put some thought into it and arrived at a logical conclusion. Security doesn’t always need to be visible. It doesn’t need to be done for ‘show’ - a “security theatre” if you will. The problem today is that too many companies don’t think about security in earnest at all - well at least not until they get breached. After a breach, however, they all inevitably state: ‘we take security seriously’. The Japanese say you have three faces. The first face, you show to the world. The second face, you show to your close friends, and your family. The third face, you never show anyone. It is the truest reflection of who you are. Similarly, you could say that security has three faces. The security you show to the world, the security that is visible internally in your organization, and the third reflects how you truly feel about security - that is the real measure of seriously you take security. Read the whole report here!       

Le 2018-08-16


  Alien Vault - Discovering CVE-2018-11512 - wityCMS 0.6.1 Persistent XSS
Content Management Systems (CMS) are usually good to check out for security issues, especially if the system is gaining popularity or being used by a number of people. Doing a white box type of assessment not only gives the potential to discover security issues but it opens interesting possibilities if ever a bug is found. This is because a white box assessment looks into the internal structure of how an application works.   WityCMS, for instance, is a system made by CreatiWity which assists in managing content for different uses, like personal blogging, business websites, or any other customized systems. In this post, I will walk through the steps of setting up the CMS, finding a web application issue, and processing a CVE for it. Installation (Windows with XAMPP) 1. Download a copy of the source code (Version 0.6.1). 2. Extract the folder /witycms-0.6.1 from the archive to C:xampphtdocs or where ever you have installed XAMPP in Windows. 3. Assuming Apache and MySQL are running, visit http://localhost/phpmyadmin/index.php. 4. Click on the "databases" tab. 5. Type in “creatiwity_cms” as the name of the database and click create. 6. You should now able to browse the application by visiting http://localhost/witycms-0.6.1/ 7. Fill in data required. Like for “Site name”, I’ve added in “Test”. Click on the Next button. 8. Next comes defining the homepage of the system. You can choose any from the options. For example: 9. Setting up the database is next. From step #5, I have used the database name “creatiwity_cms” so this goes in the database setup. 10. Enter the administrator account details and click “Launch install!” (I have added user “admin” with the password of “admin” here) 11. Once successful, this page should pop up: Finding a Web Application Security Issue Since this article is about CVE-2018-11512, I will be limiting the scope of finding web application vulnerabilities to a persistent XSS vulnerability. But first, let’s try to understand what a persistent XSS is.   According to OWASP, “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites”. This simply means that an attack can happen if an injection point can be taken advantage of in a website. Basically, there are three types of XSS but I'll discuss the common ones - namely reflected and persistent.   Reflected XSS can happen whenever an input data is thrown back at us after a request has been made. A very good example of a potentially vulnerable point for reflected XSS is a search function in a website. When a user enters a term in the search field and the website returns the term entered, that search function is potentially vulnerable to a reflected XSS.   Persistent XSS on the other hand is also called “stored” XSS. This type of XSS can only happen if the value is being saved somewhere in the system, whether it is through a database or a file, and later retrieved for presentation. An example of this one can be a field that requires user details such as the user’s email, first name, last name, address, and more. This can also be settings in a system that a user is able to change in any time. In the case of wityCMS, the target is to find fields that can save data in the system. This can basically be done both manually and through automated finding of these fields. Since I have installed it in Windows, I had to use the command “findstr” instead of “grep” (Sorry “grep” fans). A reference of “findstr” can be found here.   To list down the files having input fields, we can use the following flags:   /S = Recursive searching /P = Skip files with non-printable characters /I = Case insensitive /N = Prints the line number /c:<STR> = String to look for   Code: findstr /SPIN /c:"<input" "c:xampphtdocswitycms-0.6.1*.html"   The result of running the command above will be: Now, since the result is surely astounding because there are a lot of fields, we can easily pinpoint potential input boxes to start with once we login to the administrator panel. By visiting the URL http://localhost/witycms-0.6.1/, a noticeable value can be seen as shown in the image: When we were setting up the system, we were asked to input the site name and it’s currently showing up in the main page. Wondering if that site name could lead to a persistent XSS, let’s see if it can be modified within the administrative settings. Login to the administration panel with the credentials entered during the setup. Once logged in, a small link to the administration panel should look like below: When I clicked on the “Administration” hyperlink, I got redirected to the Settings page because this was the page I entered during the setup and the first field there is the website’s name too. A very basic test for XSS is through adding a Javascript code such as:   Code: <script>alert(1)</script> When you click the “save” button, the field returns the value: Notice that the tags <script> and </script> were stripped off. Since the tags were stripped, we now know that there is a sanitizing mechanism in the code. The next step is finding out how the sanitizing method works.   Whenever data like the above is being saved in the database, a request is being processed. In this case, we should be able to identify if the request method is a POST or GET by right clicking the field and doing an “inspect”. After viewing the client source code, it can be confirmed that the method is a POST request. At this point, we should try to find where the POST request happens so we can see the sanitizing method. To do this, type in the following command in cmd:   Code: findstr /SPIN /c:"$_POST" "c:xampphtdocswitycms-0.6.1*.php"   The command is similar to what we did earlier to find files containing the “input” tag but this time, we are trying to find references of “$_POST” in .php files. The result of the command points us to the files WMain.php, WRequest.php, and WSession.php because the other files pertain to libraries included. Browsing these files will then point us to an interesting function found in WRequest.php as shown below and notice that when a script tag is found, it is being replaced by an empty string: Replacing the “script” tag with an empty string actually works as a sanitizing technique but it should filter recursively. After doing more analysis, it has been found out that the “filter” function was being called only once by referring to this function found in the same file: Since there is no recursion for the filter function, the filter can only work for an input like this: The filter can then be bypassed by entering an input like: Trying this out as the input in the website’s name field will get us a result of: Once this payload becomes the site name, a visiting user will be able to come across this script even when he or she is unauthenticated: This opens a whole new world of opportunities because being able to execute an unwanted script when a user visits the website can be disastrous. Examples for this could be redirecting a user to a phishing site, executing miner scripts without the knowledge of the user, or many other possibilities. Processing a CVE Number Since this bug leads to a security issue and the CMS application is being used by about a hundred or more people, I decided to process an application for a CVE number as to get a public advisory. CVE or the “Common Vulnerabilities and Exposures” is simply a list of entries that show references of vulnerabilities for applications used in computing. There are CNAs or “CVE Numbering Authorities” that process these CVE numbers depending on the application support. For instance, if a security issue has been found in a Lenovo device, it should be reported to Lenovo’s PSIRT (Product Security Incident Response Team). After they assess the vulnerability, they will process a CVE number for it. This simply means that if a security issue has been found in a product or project of a company that’s also a CNA, they can process the CVE number directly. A list of CNAs can be found here . In the case of wityCMS, CreatiWity, the creator of the product is not a registered CNA so we can request a CVE number for this persistent XSS through MITRE Corporation. Below are the steps to process a CVE number.   1. Confirm if the product is managed by a CNA. If it is managed by a CNA, report the vulnerability to that specific CNA. If not, report it to MITRE Corporation. 2. Confirm if the vulnerability found has already been assigned a CVE number. This can be done using a simple Google search about the product. Always check for the product updates to confirm if a public advisory already exists. 3. For wityCMS’s case, I have used MITRE’s CVE form which can be found here.  4. Fill in the form with the required details. For wityCMS, I have added in the following: Vulnerability Type: Cross-Site Scripting Product: wityCMS Version: 0.6.1 Vendor confirmed the vulnerability? No (Not acknowledged yet at the time of request) Attack Type: Remote Impact: Code execution Affected Components:

Le 2018-08-15


  Alien Vault - Improving Threat Detection through Managed Security Service Providers (MSSPs)
Executive Summary: Cybersecurity is a growing concern as breaches continue to increase in frequency and make headline news. Unfortunately, due to time and other constraints, many smaller businesses postpone the complicated task of risk management, only to eventually succumb to the devastating ramifications of a cyberattack. While the security solutions themselves appear complicated, the ability to mitigate risk is within reach of all. Through partnering with a trusted Managed Security Service Provider (MSSP) that offers expertise to ensure the safety of sensitive systems and data, every company – no matter the size – can lessen the risks involved. Every day we see a new headline that turns the spotlight on cyberattacks of retail giants and enterprise businesses. It’s alarming and causes a ripple effect of fear across our daily lives. While this intense publicity increases awareness for cybersecurity in general – it’s not always effective at bringing attention to business leaders who think smaller companies are inherently unattractive targets for cybercriminals. In actuality, this sort of misunderstanding leaves companies highly vulnerable, especially those with limited resources, expertise, and budgets. As threat tactics evolve, they are more exposed than ever due to: New malware variants introduced daily Complexity of securing multiple points of access Cybersecurity skills shortage – coupled with lack of time and money What’s more, thinking a company is safe in today’s threat climate is potentially one of the most costly mistakes smaller companies can make. They are easy targets, with slim chances of recovery as an attack averages $117,000 in costs, which factors into a 40% chance of survival.  The Value of MSSPs Fortunately, there’s a silver lining. With help from a trusted Managed Security Service Provider (MSSP), companies with limited resources  can ensure their systems are safe and protected without hiring an in-house team. Whether it’s day-to-day monitoring, analysis, detection, response, and reporting on vulnerabilities, these security experts offer businesses of all sizes the peace of mind they need – at surprisingly affordable costs. For more information on how working with an MSSP can help your business mitigate risk, watch this short and informative video AlienVault MSSPs For nearly a decade, we’ve equipped an extensive network of MSSPs with robust technology that allows for quick reaction and response to security challenges, worldwide. AlienVault Unified Security Management (USM) is a cornerstone in building successful managed security and compliance service offerings. Trusted by 7,000+ customers, we simplify security, save costs, and reduce complexity and deployment time for businesses of all sizes. What’s Next? Visit our website to learn more about outsourcing your security needs or get introduced to one of our trusted MSSP partners.       

Le 2018-08-14


  Alien Vault - The Black Hat Recap
BlackHat is always one of the most interesting conferences of the year. Firmly sandwiched between BsidesLV and DefCon, it brings a unique mix of research and people to Las Vegas. We unveiled our new booth design, which featured a huge Alien head hovering above the shiny new green and black booth, which had a presentation theatre on one side and demo pods on the other.  As always, the booth proved to be a great hit and served as the central point where we could meet old friends and new. The Talks Parisa Tabriz, director of engineering at Google, delivered the keynote address at this year’s BlackHat. Tabriz likened most security to a game of whack-a-mole and encouraged security professionals to embrace three steps of in an interesting address: Tackling root cause Picking milestones (and celebrating achieving them) Building out a coalition (beyond the industry) Our own Aliens had a couple of speaking sessions. Sanjay Ramanath delivered a session entitled the Defender's Dilemma to the Intruder's Dilemma. Over at the Diana Initiative at DefCon, Kate Brew presented, "Age Like a Fine Wine, not a Fine Whine" - I was particularly disappointed to have missed this talk as I had to fly back home and there was a no photos or video policy. The ever-expanding show I missed BlackHat last year, and this year it felt as if I'd almost walked into RSA. The vendor halls seemed a lot bigger and spaced out than before. With over 250 vendors exhibiting, there was a lot of floor space to cover, technologies to see, and swag to be grabbed. However, perhaps one of the most interesting aspects of the show floor is across from the main hall in the BlackHat Arsenal. The Arsenal is an area for independent researchers where open-source tools and products are demonstrated in 20-minute sessions in an informal setting. I recall the first time I saw the Arsenal a few years back, it was in a small corner with a handful of tools - but it has grown into an almost con-within a con. The organisers have definitely done a great job with it, and you should have it on your list of things to see next time you are at a BlackHat. Swapping parties for breakfasts People usually ask what the parties are like - every night in Vegas there appears to be a party or event of some sort. However, if you're like me, then parties may not be your scene. So I spent the week getting early nights and arranging breakfast meetings instead. Personally, this was one of the best decisions I made. It was great to get up well-rested, to sit in a quiet venue and have good discussions over breakfast. While this approach may not be for everyone, my pro tip for Vegas is always to schedule some quiet time away from the noise. Until next time When it was all said and done, it was a very enjoyable, if not tiring week filled with great content, the opportunity to meet up with old colleagues, and make some new connections. We look forward to seeing you at an event soon.       

Le 2018-08-13


  Alien Vault - What You Need to Look for When Choosing a Hosting Company for Your Startup
Whether you sell clothes online or have recently set up a financial services firm, every startup needs to have a strong online presence in order to make the right moves in 2018. To do this, it is critical that you align with a premium-quality hosting provider. After all, if you choose a web host that is unreliable and does not deliver high levels of performance, then the usability and speed of your website will suffer. Not only will this frustrate your customers and prospects, but it will cause your search engine ranking to fall too. This is something that no business can afford, but especially not a startup that’s struggling to get established. So, with that in mind, read on to discover all of the different things you need to look for when choosing a hosting company for your startup. Start by identifying your hosting needs The first thing you need to do is understand your hosting needs. You won’t be able to find the right web host for you if you do not know what you need. To determine this, you need to first ask yourself a number of different questions, including the following: What type of platform are you going to use for your website? For example, will it be WordPress or a different platform? What sort of website are you going to build? Are you going to build a portfolio website, organisational website, blogging website, or something else? Are you interested in building more than one website? What is the sort of volume of traffic that you are aiming for? Are you going to require special software to code your site, for example, .net, java, php, etc.? By answering these important questions, you will be able to figure out what you need so that you have a good starting point in your quest to find the best web host for your particular requirements. Reliability, performance, and server uptime There really is only one place to begin when it comes to assessing the quality of a web host business, and this is by looking at the level of performance and the guaranteed uptime they provide. Don’t settle for anything less than the best in terms of uptime, as your business cannot afford to be offline. Companies like HostGator and SiteGround guarantee 99.9 percent uptime. You should not settle for anything less than 99 percent. Other factors also play a critical role in helping you determine whether a web host is reliable or not. This includes things like bandwidth, daily back-ups, and RAID protected storage. You will also want to ensure that the company provides 24/7 customer support, as you want to have complete peace of mind that any issues will be dealt with immediately so that they do not have a negative impact on your business. In terms of site back-ups specifically, there are a few key questions you can ask a prospective company to get a better understanding of this aspect: Do you only provide the back-up itself or do you offer assistance in restoring the back-up? Do you offer any plug-ins for site back-ups? How often do automatic back-ups take place? Are there any options for manual site back-ups? Is there the option for site back-ups within the admin control panel? This will help you determine how frequently back-ups occur and whether or not there is any level of customisation. This is critical because no business can afford to lose their critical data, so you need to be able to back-up your data according to your requirements. Price and refunds Businesses need to assess every purchase with care. This is especially the case with startups, as the way you spend your money is going to have a massive impact on whether or not your company survives. Most hosting providers charge around the £3-mark per month. You do need to be mindful of companies that charge more for additional services, as well as those that put their prices up considerably when you renew. The refund policy is also important. Is there a trial period during which you can get a refund if you cancel your web host account? Can you upgrade your plan after the trial period? Are there any cancellation charges in place? The level of customer service provided Customer service is another critical factor that needs to be taken into consideration before you sign up with a web host company. Some host providers claim to offer 24/7 customer support, but if that actually consists of typing your message to a live chat bot and getting a generic response, then it’s not going to be of much use, is it? Customer service not only needs to be easily accessible but it needs to be of a high level of quality too, so make sure you are clear on what their customer service policy entails. Upgrade options It is highly likely that your needs and requirements will change as your company grows and progresses in the industry. In the beginning, many startups opt for a shared web hosting plan because this is a good way to keep expenses low. As a rough estimation for WordPress websites that have been optimised correctly, a shared web hosting account can host up to 50,000 unique visitors. When your website starts to exceed these numbers, you will probably need to upgrade your account. It is unlikely you will want to go through the hassle of transferring your website to another host, so it is important to consider upgrade options from the beginning. As you can see, many different factors need to be taken into consideration when choosing a hosting provider. However, if you take note of all of the points that have been mentioned above, you should have no trouble finding the right provider for your needs, budget, and requirements. Don’t underestimate the importance of this decision. After all, your web host is going to have a huge influence on your web performance as well as an impact on your ultimate success, and we all know how important having an effective online presence is in the current day and age.       

Le 2018-08-09


  Alien Vault - USM Central Product Roundup and Look Ahead
We have an audacious goal on the USM Central Product team. We believe that we can create the most phenomenal security platform for MSPs and MSSPs on the market with the combination of USM Central, USM Anywhere, and USM Appliance. As we move into Q3, we wanted to take some time to stop and reflect a bit on our journey. We thought it’d be helpful to provide some perspective on the problems we believe USM Central should solve for our customers, recap what we’ve built so far, and preview what’s ahead of us as we storm ahead into the back-half of the year. When prioritizing our efforts for USM Central, we always try to ask ourselves two questions. The first is, “how can we help our MSSP / MSP partners to be more efficient?” For instance, are they taking some redundant action multiple times across several deployments? What data are they looking for in the “child deployments” that would be helpful to view in USM Central? The second is, “how are USM Central users “patching” our functionality?” By talking to our partners every week, we try to understand what other systems or tools they are using in conjunction with our products and find ways that we could either 1) address that need in product or 2) integrate with the existing workflow. While USM Anywhere continues to push the envelope on core security capabilities, we believe we can create “SOCs with superpowers” with USM Central by showing up every day and trying to answer those two questions. Below, you’ll find a short summarization of our recent efforts and what we’re excited about moving forward. Alarm Status and Label Synchronization Labels are a simple yet powerful method to track the status of alarms in the various stages of the investigation cycle, classify alarm data for analysis/reporting, or even show “proof of work” to your end customers. Before USM Central, any edit to a label in the child instance would not be reflected in the Federation Server, requiring an analyst to make the label or alarm updates in multiple places. Today, any changes made to an alarm from connected USM Anywhere deployments are automatically synced to USM Central, and USM Central users can standardize labels across all of their USM Anywhere deployments. We're hoping this will dramatically streamline alarm workflows. Check out the details of this feature in the documentation here. Orchestration Rule Management Often, when our MSSP partners create an orchestration rule in USM Anywhere for one client, they recognize that it would be useful to deploy that same rule to another client. Additionally, when onboarding a new client, we’ve found that it’s helpful to do a comparative audit with another more mature deployment to make sure all of you've covered all of your bases, from filtering to alarm rules. With the most recent release of USM Central, all of the rules for your connected USM Anywhere deployments are now synced to USM Central. USM Central users can filter their view to only view rules from selected deployments or to copy a rule and quickly apply it to another customer. API Availability Do you use a ticketing system to generate tickets for alarms generated within your AlienVault deployment(s)? Maybe you customize reports or dashboards by using data from AlienVault and other products for use internally or client presentations? You can now generate an API key in product for the USM Central API. The REST interface will allow you to search for alarms for all of you connected USM Anywhere or USM Appliance instances. For this first release, we've only exposed an Alarms endpoint, but we're looking forward to adding additional capabilities in the coming months. Check out our documentation here or head to the Profile view within your USM Central instance to test it out today! What’s Next? In an upcoming release, you’ll have the ability to manage labels for connected USM Appliance deployments, too. Next, we’re going to look at adding additional API endpoints for vulnerabilities and configuration issues (only applicable for USM Anywhere to start). After that, we’ll circle back and expand on our role-based access control feature set. As a manager, you’ll have the ability to assign your analysts to specific deployments in your USM Central installation. For example, Analyst A could be assigned to deployments 1 - 3 while Analyst B is assigned to Deployments 4 - 6. Each analyst’s view and permissions would be limited to their assigned deployments. We’re hoping this makes it easier to manage USM Central deployments with a large number of child deployments. Late this year, we’ll begin to bridge the gap towards allowing you to initiate incident investigation and response workflows directly from USM Central. We’ll start with managing vulnerability scans and go deeper from there based on your feedback. Thanks for tuning in. You can give me a shout anytime you want by hitting the “mail” icon and messaging me within your USM Central instance. We’d love to hear any feedback or learn about your business! Cheers, Skylar Talley Senior Product Manager, USM Central & USM Appliance       

Le 2018-08-07


  Alien Vault - Black Hat 2018 will be Phenomenal!
The AlienVault team is ready to meet and greet visitors at Black Hat USA 2018, August 8th and 9th at the Mandalay Bay Convention Center in Las Vegas! Black Hat is one of the leading security industry events. The conference features the largest and most comprehensive trainings, educational sessions, networking opportunities and a two-day expo packed with exhibitors showcasing the latest in information security solutions from around the world! Visit us at Booth #528! Visit booth #528 located below the large, green alien head! We will be leading theater presentations twice an hour. Attendees will get a cool AlienVault collectors t-shirt, as well as a chance to win a pair of Apple® AirPods during our daily raffle. Stop by and meet the AlienVault team and learn about the recently announced endpoint detection and response capabilities now part of the USM Anywhere platform! USM Anywhere is the ONLY security solution that automates threat hunting everywhere modern threats appear: endpoints, cloud, and on-premises environments – all from one unified platform. Check out this awesome video by Javvad Malik, Community Evangelist for AlienVault, to learn more here! Attend "From the Defender's Dilemma to the Intruder's Dilemma" Session for a chance to win a Nintendo Switch! Join AlienVault VP of Product Marketing Sanjay Ramnath at a Black Hat speaking session. Sanjay will be speaking on Wednesday, August 8th from 10:20am-11:10am in Oceanside E on 'From the Defender's Dilemma to the Intruder's Dilemma'. We will be handing out raffle tickets before the session begins. Be sure to check out this session for the chance to win a Nintendo Switch! Get Access to the Exclusive Security Leaders Party at Black Hat! AlienVault is co-sponsoring one of the hottest security parties at Black Hat! Join us on Wednesday night from 8:00 - 10:00pm - guests will enjoy music, food, and a full open bar at the best venue at Mandalay Bay, Eyecandy Sound Lounge! This will be the most talked about party of BHUSA 2018! We expect to reach capacity, so don't hesitate to get on the list now! Event Details: Date: Wednesday, August 8th Time: 8:00 - 10:00 PM Location: Eyecandy Sound Lounge, Mandalay Bay We can’t wait to see you all at #BHUSA this week!       

Le 2018-08-06


  Alien Vault - Things I Hearted this Week, 3rd Aug 2018
It’s August already. The kids are off on their summer vacations telling me how bored they are every 5 minutes, and the annual security gathering in Las Vegas of Blackhat, Defcon, and BsidesLV is all but upon us. There will be no recap next week because I’ll probably be getting ready to fly home - but normal service should resume the following week. The Red Pill of Resilience in InfoSec Another insightful write up by Kelly Shortridge, which happens to be the full text of her keynote on resilience. It touches on, and expands many concepts to uncover what it really means to be resilient in infosec, and what the industry can do. The Red Pill of Resilience in InfoSec | Medium, Kelly Shortridge VDBIR Data The Verizon Data Breach Report has become the staple go-to report for security professionals wanting to understand the breach landscape. But a once-a-year report is usually too long for most of us to wait to see what’s new. So the good folk have created an interactive portal where you can explore the most common DBIR patterns. VDBIR Portal | Verizon enterprise Reddit Breached Reddit disclosed a breach and say they’re still investigating. It appears that the attacker was able to bypass SMS-based two-factor (two-step) authentication. We had a security incident. Here’s what you need to know | Reddit It’s worth revisiting this blog by Paul Moore on the difference between two-factor and two-step authentication. The difference between two-factor and two-step authentication | Paul Moore Alex Stamos off to Academia Facebook chief security officer Alex Stamos is leaving the social network to work on information warfare at Stanford University. The social network has not named any replacement. Facebook's security boss is offski. Not to worry, it has 'embedded security' in all divisions | The Register CISCO + DUO = DISCO! Cisco has announced it will be acquiring DUO Security for $2.35bn in cash it found lying behind the sofa. Cisco is buying Duo Security for $2.35B in cash | Tech Crunch Farcial Recognition Amazon’s face surveillance technology is the target of growing opposition nationwide, and today, there are 28 more causes for concern. In a test the ACLU recently conducted of the facial recognition tool, called “Rekognition,” the software incorrectly matched 28 members of Congress, identifying them as other people who have been arrested for a crime. Amazon’s Face Recognition Falsely Matched 28 Members of Congress With Mugshots | ACLU Secure Design Part 3 of an ongoing series of articles by Tanya Janca on secure system development lifecycle. Worth reading all parts with fun titbits such as, Threat modelling (affectionately known as ‘evil brainstorming’) Pushing Left, Like a Boss: Part 3— Secure Design | Medium, Tanya Janca Randomness Other stories from broader tech and beyond that I enjoyed reading this week When a stranger decides to destroy your life | Gizmondo Meet the Anarchists Making Their Own Medicine | Motherboard How an Ex-Cop Rigged McDonald’s Monopoly Game and Stole Millions | The daily beast       

Le 2018-08-03


  Alien Vault - Standing Out as an Information Security Student
As students, we get told that college is enough to land us anything we want, I can honestly say from my experience, that was not the case at all. I grew up in a household where education will land you where you want, and you don’t need to be external with the system, so I assumed as long as I have a good GPA to show, any company would want me. You don’t have to do exactly what I did. Honestly, I advise you not to, and you’ll see why. Instead, use this as awareness that you shouldn’t just allow your classes to speak for you and you should get ahead while you have time. I’m going to explain a little about my background in education and then dive into what I did during my 3rd year of university to make me go from being declined from every position I apply for, to having a table full of internship offers that were from many different sides of business, including the medical field. My Educational Background I started university at a school that focused on the offensive side of security, I finished 2 years then decided to travel to a different city to attend a new university that titles me as a cybersecurity engineer, so I started to focus on the defensive side of security. Note that this university has a cybersecurity program that is very well known in the state, that’s why I transferred. So 3rd year hit, I figured it was getting close to start applying for internships for the upcoming summer. I felt like I needed to finally enter this field, 3 years of being JUST a student is enough. I want to finally have a title I loved in the real world. How it started It got close to winter break, so I decided to start applying for 2018 summer internships. I felt pretty confident, 3.98 GPA, engineering school, strong courses, and a good university. Unfortunately, this is where it started, decline after decline, not even getting past the first stage prior to interviewing. It felt like not a single company wanted me and I was becoming more and more destroyed after each "We regret to inform you" letter. I felt like the past 3 years have been a waste. Okay, decline after decline, it’s clearly my fault, I’m doing something wrong, but what? My GPA is really good, I don’t understand why I’m not even getting past the first stage, I felt weak and unimpressive. I opened up my resume and really started looking at it. I tried looking at it from a professional perspective, if I was hiring this student, what am I looking for? Then I noticed it, I’m just a student, I noticed all I have to show was a number (my GPA), and courses I’m required to take for my field, that’s it. I had no other way to show who I AM, other than my resume representing that I am a college student. There was no information about ME, WHAT I LIKE, WHAT I DO, NOTHING. The 4-month long journey That’s when I really freaked out, I want so much in life yet all I’ve been is a student that doesn’t work on my career outside of school. Book after book, I’ve been a student, I never really introduced myself to this field, to my future, and to who I want to be. All I’ve been doing is listening to my professors teach me, rather than also teach myself. So, I did the only thing I felt like I needed to do, time to play catch up and get ahead. During school, for 4 months, I began doing side project after side project. This was fun yet destroying my mental and physical health, I slept on average 2-4 hours a night (7 nights a week) on my couch right next to my computer just to get up and continue. I didn’t eat much, didn’t see my family much, barely socialized, and didn’t care to go to some of my classes. A few projects I’ll say I was doing were created/solved cryptography puzzles, built a self-driving car, researched/experimented hacking air-gapped computers, participated in National Cyber League to gain some sort of external experience, wrote security articles, read a lot, introduced myself to security frameworks, and so on. This was around the time where CryptoCypher introduced me to the existence of the infosec community, and I started to meet great people that gave me an understanding of many different aspects of this field. Being ready Okay, nearly 4 months later, I’ve strengthened my resume (had about 8 professionals look at it), I’ve introduced myself more to this field, but now I feel like I need to understand what my responsibilities are in a company before I go into interviews. Where do I see myself in 5 years? Why do I want to work here? Many simple questions like that would originally get me speechless. I asked a few friends in class what they would answer, they said typical stuff a student would say, “in 5 years I see myself as a (insert title)”, “I want to work here because as a student being introduced to this type of environment would help my future.” I saw right through this, my entire objective is to bypass looking like an average student, I want companies to look at me differently. So that's when I started to create small 5-year plans for my future. So, when asked, instead of saying where exactly I want to be in 5 years, I can elaborate on what I want to know in a 5-year window, and the process I'm wanting to take to build my knowledge while getting there, and how the company I’m applying for would strengthen that. The next thing is understanding security from a real-world perspective, so that's when I started to read articles, understanding different titles in security, cyber threat intelligence versus business risk intelligence, and things like that. When I get asked why I want to work here, I can respond with how based off the responsibilities the title represents, I would tailor projects surrounding them to strengthen the company with the team based off real activities with IT as a whole. BEING ACCEPTED Well, summer is right around the corner, so it was time to finally start applying, I am ready. Yes, I am still getting decline emails from companies I applied to months ago, but that's okay, I'm in a better position. I started applying, and that's when I realized the past 4 months have been a success. Company after company wanting to interview me from many different areas of business. I started going to interviews, all of them I was super nervous towards but the second I walked in the door I felt really confident all of a sudden, and that's what made me nail so many of them. Confidence. I don't want to go too deep into how to nail interviews, but please make sure you know yourself, the company, and the position, correlate all 3 of those into the interview. Questions like biggest weakness, strengths, tell me about yourself, all the "basic" questions can really mess up a position, I used YouTube tutorials for hours to learn how to answer each one confidently. Also, when you get asked if you have any questions at the end of the interview session, ASK. It will feel empty if you say, "No Thank you" and walk out. Ask questions like "Working for this company as a (insert your title), what does the day to day look like?" and "As a (insert title) intern, what do you expect from me 30 days into this internship?" and so on, just get an idea of what the company is and show your interest in the position you are being interviewed for. Conclusion So that's my story, I hope this helps some of you to realize that companies do care about your side projects, and a GPA isn't the only thing that's important. Be productive outside of classes, read articles then turn the concept into projects, join the infosec community and make friends, ask professionals for help on your resume, know what you want and walk into that interview confident. As far as where I am now, I am getting ready to start my 4th year, working as a cybersecurity engineer intern at a multi-billion dollar headquarter, and finally being introduced to this field outside of being a student, and the only thing I can say to that is I am in love with all of this. Also, I will be attending Black Hat USA 2018 and DEF CON this year, so if you’re there, feel free to make plans with me for a meet-up. Anyway, work for the position you want, I promise you're going to thank yourself for doing that.       

Le 2018-08-02


  Alien Vault - Extending Threat Detection to the Endpoint with New EDR Capabilities in USM Anywhere
Back in April, we began to invite USM Anywhere customers to try out our new endpoint agent, the AlienVault Agent, in an Early Access program. The overwhelming interest in the program alone was telling; over 37% of USM Anywhere customers (60% of our MSSP partners) raised their hands to participate. Our conversations with customers during the program were even more telling; Our customers want deeper security visibility of their endpoints without having to manually deploy and administer third-party endpoint agents.  What’s more, they want advanced threat detection capabilities for the endpoint that pick up where their traditional antivirus tools fall short. What we heard from our customers echoes the current conversation in the larger cybersecurity community regarding endpoint security. That is that, today, malicious actors are increasingly targeting the endpoint with attacks designed to evade traditional endpoint prevention and protection tools. Organizations are struggling to keep up, as the enterprise EDR solutions that offer advanced endpoint threat detection are often too complex or expensive for most organizations. USM Anywhere is uniquely positioned to solve for this challenge, as the platform is built to evolve as the threat landscape changes. Its extensible architecture allows us to seamlessly and automatically introduce new security capabilities, integrations, and threat intelligence to the platform, giving our customers comprehensive threat coverage without having to layer on more point security solutions to contend with the latest attacks. Since we first launched USM Anywhere, we’ve been steadily extending its reach to detect modern threats wherever they appear. The endpoint is no exception. Today, I’m pleased to announce the launch of new endpoint detection and response (EDR) capabilities in USM Anywhere. You can read the full press release here. With EDR capabilities delivered as part of the unified platform, USM Anywhere users can centralize security monitoring of their endpoint and network activities across their cloud and on-premises environments, without having to deploy or integrate a separate EDR solution. This not only streamlines security operations, but it also allows users to correlate network and endpoint security data for better threat prioritization and faster incident investigation and response. These capabilities work through the AlienVault Agent, a lightweight, adaptable endpoint agent based on osquery that easily deploys to Windows and Linux endpoints and is easy to manage in USM Anywhere. The feedback we’ve received from USM Anywhere customers in the Early Access program has been positive and has helped to drive the product development leading up to today’s launch and beyond. We asked customers which features or use cases were the most exciting or useful to them. Top responses included: Continuous endpoint monitoring / automated detection of advanced endpoint threats File integrity monitoring (FIM) to help with PCI DSS or other compliance requirements Remote and bulk deployment and management, which is simple and straightforward Off-network endpoint monitoring (remote sites and employees) Proactive endpoint querying for forensics info as part of an incident investigation We are excited to make these new capabilities available to all USM Anywhere customers today, without requiring them to purchase any add-on products or modules or upgrade their subscriptions to access them. It’s part of our mission to provide phenomenal security to organizations of all sizes. To learn more about why we think EDR is an essential part of any robust security program, watch this two-minute video from AlienVault’s own Javvad Malik: For more information about the new EDR capabilities in USM Anywhere, you can: Try it for yourself in our interactive demo experience  Join us at BlackHat 2018 for a live demo with our sales engineers, Booth #528 Read the EDR solution brief  See a real-world example of malware analysis with the AlienVault Agent in this Labs blog post  Ready to get started? Do a free 14-day trial of USM Anywhere  Read the press release       

Le 2018-07-31


8041697