The Cyber Car: The Intimate Tango of the 21st Century
Thu, 25 May 2017 07:00:00 -0500

The automotive industry is currently undergoing a dramatic revolution. This is a statement being echoed by leaders from across the sector, with individuals such as GM CEO Mary Barra professing that the automotive industry is set to change more in the next five to ten years than it has in the last 50.

The question that arises is why those of us involved in the automotive world seem to believe that such a monumental paradigm shift is taking place. Quite simply, in-car connectivity is increasing at an almost stratospheric rate. It has now reached the point of no return and is set to proliferate rapidly throughout the next decade, with 150 million connected cars set to be on the road by 2020.

The Connected Car - A Great Opportunity or Existential Threat?

As previously asserted, experts and leaders in the automotive sphere unanimously believe that the industry is undergoing a revolution – arguably the most dramatic since the advent of the first car. As the car becomes computerized and increasingly connected, with access to the Internet and cloud computing, so the propensity for hacking grows. This explosion of in-car connectivity is analogous to the revolution experienced in computing with the creation of the Internet. It is particularly necessary for automakers to take heed. This is because in the computer industry there was also an existing infrastructure (of data processing and computing power) that had not been built to be connected. The moment the computer became connected, it created a negative result – hacking and cyber attacks. What the automotive industry is experiencing today is a very similar phenomenon. However, automobile manufacturers have an additional issue to contend with that their counterparts in the computing sector did not – with car hacking, the results can be fatal.

To add some perspective on the connectivity of cars today, it’s amazing to think that the modern car already has over 70 dedicated CPUs that are responsible for the most sensitive systems. These range from functions such as central locking through to the transmission and engine ignition. It is also worth noting that the quantity of software is not only growing, but is becoming increasingly complex. A car manufactured today can be expected to have around 100 million lines of code, with a third of manufacturing costs now relating to the hardware and software installed within it. Combine these factors with the ability of today’s cars to connect to cellular networks, Wi-Fi and Bluetooth, and it is extremely easy to see how vulnerable and susceptible cars of the future could be to cyber attacks. Not to mention that a car in production today can have up to 15 points of entry for hackers via these connective methods.

The Journey – Next Steps into the Future

The automotive industry is now at a point of no return. Cyber is here to stay and the industry is very well aware of the vulnerability of connected cars. It is now the responsibility of the main players to address the fact that an inherent cyber security capability has become a precondition for the continued development of connected and autonomous cars. At all costs, it is integral that consumers remain protected from the threats that increased connectivity brings. If protection is guaranteed and consumers remain safe, then the opportunities this will present for manufacturers are almost limitless, with consumer experience moving to another level.

Solutions – Detecting and Blocking Attempts to Penetrate a Car’s Internal and External Networks

To secure connected cars, firewall-like systems are needed to protect against attacks on the internal network of the car and stop penetration from outside the network. Having this protected network sit in a strategic location inside the vehicle can also prevent malicious threats.  

Through sophisticated machine-learning algorithms, systems can identify anomalies and attempted attacks quickly. At the same time, they can block cyber attacks and simultaneously issue reports with deep analysis to the central vehicle management system. Connected cars also need cyber security solutions that defend against threats arriving through wireless interfaces such as cellular networks, Bluetooth and Wi-Fi. They also need to be able to contain attackers who have already entered the car’s communications network via its micro-controllers, since those are especially vulnerable to attack over a wireless network.
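One concrete form the "identify anomalies, block, report" loop can take on the car's internal network is a rate-based check on CAN frames. This is an added example, not code from the article or from HARMAN/TowerSec; it assumes frames arrive as (timestamp, arbitration id, payload) tuples, that the learning phase sees only benign traffic, and that the sample IDs and timings are constructed.

```python
"""Rate-based anomaly detector for in-vehicle CAN traffic (added example).

Assumptions: a frame is (timestamp_s, arbitration_id, payload); benign traffic
is periodic per arbitration id; a frame is flagged when its id was never seen
while learning, or when it arrives far faster than that id's learned period
(the pattern of a message-injection or flooding attempt).
"""
from collections import defaultdict
from statistics import mean


class CanAnomalyDetector:
    def __init__(self, tolerance=0.5, min_samples=3):
        self.tolerance = tolerance      # fraction of the learned period allowed
        self.min_samples = min_samples  # gaps needed before trusting a period
        self.period = {}                # id -> learned mean inter-arrival (s) or None
        self.last_seen = {}             # id -> timestamp of last *forwarded* frame
        self.report = []                # (timestamp, id, reason) for the vehicle manager

    def learn(self, frames):
        """Learn each id's mean inter-arrival time from benign traffic."""
        gaps, last = defaultdict(list), {}
        for ts, can_id, _ in sorted(frames):
            if can_id in last:
                gaps[can_id].append(ts - last[can_id])
            last[can_id] = ts
        for can_id, g in gaps.items():
            if len(g) >= self.min_samples:
                self.period[can_id] = mean(g)
        for _, can_id, _ in frames:          # ids seen too rarely for a period
            self.period.setdefault(can_id, None)   # are still "known"

    def inspect(self, frame):
        """Return None if the frame looks benign, otherwise a reason string."""
        ts, can_id, _ = frame
        reason = None
        if can_id not in self.period:
            reason = "unknown arbitration id"
        else:
            p, prev = self.period[can_id], self.last_seen.get(can_id)
            if p is not None and prev is not None and ts - prev < p * self.tolerance:
                reason = f"too frequent: gap {ts - prev:.4f}s < {p * self.tolerance:.4f}s"
        if reason is None:
            self.last_seen[can_id] = ts      # only forwarded frames advance the clock,
        else:                                # so a burst cannot mask the real message
            self.report.append((ts, can_id, reason))
        return reason

    def filter(self, frames):
        """Firewall-style pass: forward benign frames, drop flagged ones."""
        return [f for f in sorted(frames) if self.inspect(f) is None]


def make_benign(n=50):
    """Constructed traffic: id 0x0C1 every 10 ms, id 0x2A0 every 100 ms."""
    frames = []
    for i in range(n):
        t = i * 0.01
        frames.append((t, 0x0C1, b"\x00\x10"))
        if i % 10 == 0:
            frames.append((t, 0x2A0, b"\x01"))
    return frames


def demo():
    det = CanAnomalyDetector()
    det.learn(make_benign())
    live = make_benign(20)
    # constructed anomalies: a 1 ms burst of 0x0C1 frames and an id never learned
    live += [(0.101 + k * 0.001, 0x0C1, b"\xff\xff") for k in range(4)]
    live.append((0.15, 0x7DF, b"\x02\x10\x03"))
    forwarded = det.filter(live)
    return det.report, forwarded


if __name__ == "__main__":
    report, forwarded = demo()
    print(f"forwarded {len(forwarded)} frames, flagged {len(report)}:")
    for entry in report:
        print("  ", entry)
```

A real deployment would learn per vehicle variant and also watch payload ranges, but the inter-arrival check alone already catches the two cheapest attack patterns on a periodic bus.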

The stakes are always high when dealing with safety-critical functions, but the automotive industry and the tech companies that support it are rising to the challenge. By working together, adopting a holistic approach and evolving with the technology, we aim to remain one step ahead of threats at all times. That way the connected car will be free to maximize its huge and fascinating potential.

About the author: Asaf Atzmon is Director, Business Development & Marketing, Automotive Cyber Security - TowerSec at HARMAN, the premier connected technologies company for automotive, consumer and enterprise markets. Asaf joined HARMAN with the acquisition of TowerSec in January 2016 where he served as VP, Business Development & Marketing.

Copyright 2010 Respective Author at Infosec Island
Adylkuzz: WannaCry’s Older and More Devious Cousin
Thu, 25 May 2017 05:32:25 -0500

Think you got off scot-free with this whole WannaCry business? Well, it turns out that you might be immune to infection by WannaCry because you've already been infected by Adylkuzz. #irony

Last week, the WannaCry ransomware attack made headlines around the world as it spread at an unprecedented and almost mind-bogglingly fast pace, infecting thousands of computers worldwide. Now, the next wave of attacks using the same tactics and techniques is underway. In fact, it’s already been active for weeks—and is quietly getting bigger, too.

Proofpoint claims the Adylkuzz attack likely predates the WannaCry attack by several weeks and may have begun as early as April 24. Much like WannaCry, Adylkuzz now possibly affects hundreds of thousands of PCs and servers worldwide and spreads leveraging the same exploits—EternalBlue and DoublePulsar—that were released by the Shadow Brokers and allegedly stolen from the NSA.

Unlike WannaCry, however, Adylkuzz is not ransomware. While Adylkuzz infects computers through techniques similar to WannaCry’s, instead of making a lot of noise, encrypting all of the data on a user’s computer and demanding a ransom to restore access, it hides in the background and makes money by installing a cryptocurrency mining program, otherwise known as a “coin miner.”

What Are the Symptoms of an Adylkuzz Infection?

Adylkuzz doesn’t want to be found and so will do everything possible to evade detection and go unnoticed by the user. It doesn’t interfere at all with a user's ability to use an infected computer, but there are some tell-tale signs of infection that are more subtle than WannaCry’s bright red ransom note. For example, symptoms could include loss of access to shared Windows resources such as network drives and printers as well as a general and unexplained sluggishness or slowness of overall system performance.

Adylkuzz Isn’t Ransomware. It’s a “Coin Mining” Botnet. 

So why is Adylkuzz so stealthy and what’s it doing with your computer?

Unlike WannaCry, Adylkuzz doesn’t want your money. It wants to use your computer to mine Monero coins. When it installs, Adylkuzz uses a computer's resources, its processor and/or graphics card to perform complex computations that “mine” new Monero coins, a cryptocurrency similar to Bitcoin. At the time of this writing, one Monero coin is worth $31.3575262 USD and the entire Monero cryptocurrency has a market cap of $454,268,360 USD. So even though you may have never heard of it, it’s serious business.

Running a coin miner on a single computer like yours, for example, wouldn't likely result in much of a financial gain. However, combining thousands, tens of thousands or even hundreds of thousands of infected computers into a single botnet that can be controlled by cybercriminals could be lucrative.

How Does the Adylkuzz Attack Actually Work?

Around since about October 2014, Adylkuzz has seen a resurgence and began accelerating its infection rates substantially in April of this year.

The Adylkuzz attack is launched from multiple virtual private servers that scan the Internet for vulnerabilities and make it possible to install the Adylkuzz miner. When a computer or server on the Internet is identified as vulnerable to the EternalBlue exploit, the malware targets the system for infection with DoublePulsar, which then downloads and runs Adylkuzz.

This is where it gets interesting. Adylkuzz not only terminates any pre-existing versions of itself on a target machine, it also deploys cleanup tools to mask itself. This includes blocking SMB network communications with other machines to prevent any further malware infections from disrupting its operations. Not only does this prevent other malware and ransomware attacks from using the same techniques to infect the system, it also prevents cybersecurity professionals from identifying that these computers were already infected.

Here’s a great example of this in action. While researching WannaCry, Proofpoint exposed a lab machine vulnerable to the EternalBlue attack on the Internet as a honeypot. It was immediately and unexpectedly infected by Adylkuzz within 20 minutes. They repeated the experiment several times with the same result.
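The SMB-blocking behaviour described above gives defenders a host-side symptom to look for: a machine that used to accept inbound SMB and then starts dropping it. The check below is an added example, not from the article or Proofpoint; it assumes Windows Firewall logging (pfirewall.log layout) is enabled, uses constructed log lines, and relies on no Adylkuzz-specific indicators.

```python
"""Detect the onset of inbound SMB (TCP 445) being dropped on a host that
previously accepted it (added example, constructed log data).

Assumption: records follow the Windows Firewall pfirewall.log field order
  date time action protocol src-ip dst-ip src-port dst-port size tcpflags
  tcpsyn tcpack tcpwin icmptype icmpcode info path
"""
from datetime import datetime

SMB_PORT = 445

# Constructed sample: two accepted SMB connections on 10 May, then only drops on 11 May.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-10 09:02:11 ALLOW TCP 10.0.0.21 10.0.0.7 49212 445 0 - 0 0 0 - - - RECEIVE
2017-05-10 09:30:47 ALLOW TCP 10.0.0.35 10.0.0.7 50310 445 0 - 0 0 0 - - - RECEIVE
2017-05-10 10:15:03 ALLOW TCP 10.0.0.7 10.0.0.9 51000 445 0 - 0 0 0 - - - SEND
2017-05-11 08:44:19 DROP TCP 10.0.0.21 10.0.0.7 49502 445 52 S 3341289 0 8192 - - - RECEIVE
2017-05-11 08:44:22 DROP TCP 10.0.0.21 10.0.0.7 49503 445 52 S 3341290 0 8192 - - - RECEIVE
2017-05-11 09:01:55 DROP TCP 10.0.0.35 10.0.0.7 50411 445 52 S 9912001 0 8192 - - - RECEIVE
2017-05-11 09:20:10 ALLOW TCP 10.0.0.35 10.0.0.7 50412 80 0 - 0 0 0 - - - RECEIVE
"""


def parse_line(line):
    """Return a dict for one log record, or None for headers, comments and blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 9:
        return None
    return {
        "ts": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
        "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
        "sport": int(f[6]) if f[6].isdigit() else None,
        "dport": int(f[7]) if f[7].isdigit() else None,
        "path": f[-1],   # RECEIVE (inbound) or SEND (outbound)
    }


def smb_block_onset(lines, min_drops=3):
    """Return (onset_time, drops_after, allows_before) when inbound SMB was
    accepted earlier in the log and is now consistently dropped, else None."""
    allows_before, onset, drops_after = 0, None, 0
    for rec in map(parse_line, lines):
        if (not rec or rec["proto"] != "TCP" or rec["dport"] != SMB_PORT
                or rec["path"] != "RECEIVE"):
            continue
        if rec["action"] == "ALLOW":
            if onset is not None:          # SMB accepted again: not a sustained block
                onset, drops_after = None, 0
            allows_before += 1
        elif rec["action"] == "DROP":
            if onset is None:
                onset = rec["ts"]
            drops_after += 1
    if onset is not None and allows_before > 0 and drops_after >= min_drops:
        return onset, drops_after, allows_before
    return None


def demo():
    return smb_block_onset(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    hit = demo()
    if hit:
        onset, drops, allows = hit
        print(f"inbound SMB dropped since {onset} ({drops} drops after {allows} earlier allows)")
    else:
        print("no SMB block onset found")
```

A hit from this check is only a lead: an administrator may legitimately have hardened port 445 after WannaCry, so correlate it with the other symptom the article names, unexplained CPU load.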

Why Is Adylkuzz Potentially a Bigger Problem Than WannaCry?

For starters, Adylkuzz is clearly being run by professionals. Unlike WannaCry, which has attracted an incredible amount of attention from both the media and law enforcement, Adylkuzz has quietly gone about its business infecting systems at a similar pace unnoticed.

Just Google WannaCry and Adylkuzz to see the difference for yourself.

As a criminal business venture, Adylkuzz is doing much better, too. Highly sophisticated and automated versus the amateurish execution and manual processes that have limited WannaCry’s profits to a mere $92,896.91 as of May 19 at 11 a.m. EST, Adylkuzz had made . . . well, no one knows for sure how much money it’s made.

Proofpoint, however, claims the system is set up in a way to avoid paying too many Monero coins to a single address, and has easily found several addresses that have received $7,000, $14,000, and $22,000 and says there are "many more." This indicates that the creators of Adylkuzz have avoided the collection and laundering problems that plague WannaCry and, by doing so, have also made it extremely difficult to determine just how much money they are making.

Another concern is that users and companies who were “lucky” enough to have avoided WannaCry may have been spared because of a previous Adylkuzz infection that protected them. This may encourage complacency in patching and allow Adylkuzz to continue to go undetected for weeks, months or even years on older systems.

Lastly, the creators of Adylkuzz appear to have iterated their attack vector to include the specific exploits that also made WannaCry possible and went unnoticed by security researchers for weeks. It’s possible that without the noise created by WannaCry, Adylkuzz may have continued to ply its criminal trade unnoticed for some time.

This begs the questions: What other exploits have they incorporated into their cybercriminal arsenal? And what else have they already deployed that we’re unaware of?

About the author: Kevin Magee is a global security strategist with Gigamon, where he assists customers to successfully adopt and implement enterprise-wide Security Delivery Platforms. He also writes, teaches and advises security and business executives, government leaders, and corporate and non-profit boards around the world on the topics of cyber security, cyber risk governance, cybercrime and personal digital security awareness.

Cloud Control: Key Points to Consider When Going to the Cloud
Wed, 24 May 2017 11:12:00 -0500

Many of today’s organizations are considering public cloud storage options for their data, due to their low upfront cost and ease of use. Several public cloud providers, such as Amazon Web Services, are designed with an OpEx model that can often seem more appealing than constructing an onsite data center, because of cost. But, there are some very important things to keep in mind when “going to the cloud.”

1. Not All Clouds Are Created Equal: A growing number of companies are entering the cloud storage and service provider market today, yet most will not succeed. Over 100 cloud providers evaporated in 2016, illustrating how important it is to stick with the ones that are established. Take a look at this recent article from Network World for classic examples of cloud providers going out of business and not giving their customers enough time to retrieve their data: Cloud’s Worst-Case Scenario: What To Do If Your Provider Goes Belly Up

2. Always Keep a Local Copy: Users that keep a local copy of their data are able to easily change cloud providers. They can simply delete existing data and move to a new provider with their local copy. This eliminates the need to download data and pay the expensive costs associated with exiting the cloud. If you decide cloud isn’t the right option for you, you can easily pull out of the cloud with no cost to your organization. If your cloud evaporates, you still have your data.

Clouds often experience outages. By keeping a local copy, business is not interrupted when your cloud is out of order.

Performing large data retrievals can be costly when using the cloud. With a local copy, all large retrievals can be executed from your local hardware. This also relates to speed of access. When dealing with the cloud, there are different Service Level Agreements (SLAs) available, ranging from milliseconds to hours until data is available for download. Then, you also have to download it over your network connection (different options for off-site storage are presented in the white paper Iron Mountain vs. Amazon Glacier: Total Cost Analysis For Off-Site Storage).

3. Determine a Recovery Time Objective: It is important to know how long your organization can manage without access to your cloud data before it negatively impacts operations. Understand how long it will take to recall data from the cloud in your current environment. Consider: what’s your SLA? Your bandwidth/internet connection speed? How much of this bandwidth can be dedicated to restoring data from the cloud? What is the cost associated with pulling data from the cloud?

4. Look at the BIG Picture: Be aware of how much your data is growing and how long you need to keep it for. Ask yourself: How much data will your organization have in three years? How much will it cost to store? How much would it cost to retrieve?
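The questions in points 3 and 4 can be turned into a small planning calculation: SLA delay plus transfer time against the recovery time objective, projected over three years of growth. This is an added example, not from the article or Spectra; the tier price, retrieval fee, SLA delay, link speed and 30 % annual growth rate are constructed placeholders.

```python
"""Recovery-time and cost planner for cloud-held data (added example).

Assumptions: a constant annual growth rate, a single cold-storage tier whose
prices and first-byte delay are placeholders, GB treated as 1024 MB, and a
fixed share of the internet link reserved for restores.
"""
from dataclasses import dataclass


@dataclass
class CloudTier:
    name: str
    storage_usd_per_gb_month: float
    retrieval_usd_per_gb: float
    first_byte_delay_h: float   # SLA: hours until the data can start downloading


# constructed placeholder tier, not a real provider's price list
COLD = CloudTier("cold-archive", storage_usd_per_gb_month=0.004,
                 retrieval_usd_per_gb=0.01, first_byte_delay_h=5.0)


def retrieval_hours(size_gb, tier, link_mbps, link_share):
    """Hours until size_gb is back on site: SLA delay + transfer over the
    fraction of the link dedicated to the restore."""
    usable_mbps = link_mbps * link_share
    transfer_h = size_gb * 8 * 1024 / usable_mbps / 3600   # GB -> megabits
    return tier.first_byte_delay_h + transfer_h


def project_size(size_gb, annual_growth, years):
    return size_gb * (1 + annual_growth) ** years


def plan(size_gb, tier, link_mbps, link_share, rto_hours, annual_growth=0.3, years=3):
    """Compare today and `years` out: storage cost, full-restore cost and time,
    and whether a full restore fits inside the recovery time objective."""
    out = {}
    for label, yrs in (("today", 0), (f"year_{years}", years)):
        gb = project_size(size_gb, annual_growth, yrs)
        hours = retrieval_hours(gb, tier, link_mbps, link_share)
        out[label] = {
            "size_gb": round(gb, 1),
            "monthly_storage_usd": round(gb * tier.storage_usd_per_gb_month, 2),
            "full_retrieval_usd": round(gb * tier.retrieval_usd_per_gb, 2),
            "full_retrieval_hours": round(hours, 1),
            "meets_rto": hours <= rto_hours,
        }
    return out


def demo():
    # constructed scenario: 10 TB today, 1 Gbps link, 25 % reserved, 24 h RTO
    return plan(10_000, COLD, link_mbps=1000, link_share=0.25, rto_hours=24)


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

In the constructed scenario a full restore already takes about four days against a 24-hour RTO, which is the article's argument for keeping a local copy in one calculation.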

Establishing a solid plan when deciding to transition to the cloud is essential. By understanding the costs to store, transfer, and retrieve data, organizations can protect themselves from making a costly mistake. From keeping a local copy, to laying out a detailed recovery time objective, it becomes clear that when going to the cloud, a hybrid cloud approach that combines both on- and off-premises storage strategies can save substantial money over the life of your organization’s data.

About the author: Eric Polet brings more than 10 years of corporate experience to his marketing position at Spectra. As the emerging markets program manager, Eric is responsible for product positioning and messaging, brand development, demand generation, sales enablement, launch management and market intelligence.

WannaCry Shows World the Need for Endpoint Security
Wed, 24 May 2017 09:05:00 -0500

Computers all around the world were hit with one of the worst ransomware viruses in history earlier this month. The virus, dubbed “WannaCry,” hit over 200 thousand computers in 150 countries. The virus was able to attack hospital systems in the U.K. and a telecom company in Spain. WannaCry has also hit universities and companies in China and Japan. Security experts say that the WannaCry virus is so fast-moving because it spreads from computer to computer by itself, rather than through emails or malicious links.

The WannaCry ransomware virus scans the victim’s device for personal files, encrypts them, and then holds them for ransom until the victim pays $300 in bitcoin. If the user doesn’t pay the ransom within three days, WannaCry will increase the payout demand to $600 in bitcoins. Through these threats, the attackers were able to get at least $50,000 in Bitcoin in ransom payments from infected users.

Windows users who put off updating their operating systems were affected by the ransomware. Microsoft designed a patch for people and organizations that used unsupported versions of Windows, like Windows XP, last Friday. The National Health Service in the U.K. had many devices that were operating on Windows XP, which is why 48 of its centers were affected. Although Microsoft provided a patch to users who bought the Windows product, people who are using a pirated version of Windows have to rely on third parties to provide them with a security patch.

The WannaCry virus has also been causing tensions between businesses and the government. Microsoft is blaming the National Security Agency of the U.S. for its role in stockpiling the WannaCry ransomware. The WannaCry ransomware was stolen from the NSA back in April, but Microsoft suspects that the NSA didn’t disclose that the security risk existed until the ransomware was stolen. Security experts are advising that governments should be more careful with cyber weapons, just as they are with physical weapons. Researchers have also found that the WannaCry virus was developed using some of the same code that was used in the 2014 Sony Pictures hack. The cybercrime organization behind the Sony Pictures hack, Lazarus Group, may have connections with North Korea.

Although WannaCry has been stopped, security experts are still concerned that people can be infected. Below are a few tips organizations can take to limit the consequences of a ransomware attack:

  1. Backup all data: Organizations should create backups of all of their important information, ideally on a daily basis. When information is backed up, it is more readily accessible when a security incident occurs, and organizations won’t have to pay ransoms to get their data back. Organizations can also consider making backups of their data on separate devices, so they have uninfected machines ready to go if a ransomware attack hits.
  2. Limit user access: Not all employees should have admin level access, or the ability to install third-party software onto company devices. Decreasing the number of people who have administrative access, or access to confidential databases, can decrease the chances of that information being compromised by a ransomware attack.
  3. Regularly inspect networks: Regularly conducting inspections for cyber threats lets organizations detect chaos-causing viruses before they get a chance to execute. By taking measures to prevent an attack, organizations can avoid losing thousands on compromised data and lost productivity.

Ransomware attacks will continue to become more sophisticated and effective as the year goes on. It is now imperative that organizations prepare their networks and devices for a ransomware attack. By conducting regular data backups and limiting user access, organizations can decrease the impact of a ransomware attack. By using endpoint security software to detect malware, organizations can stop potential ransomware attacks.

About the author: Amir Geri handles research and development at Promisec, a pioneer in endpoint detection and remediation.


The Administrative Credentials Security Hole
Wed, 24 May 2017 07:23:00 -0500

Here’s the problem: the existence of administrative credentials stored on machines throughout the network. What could happen if some of these credentials become known to an unauthorized user? That user would have partial or complete administrative access to the entire domain.

IT administrators have a significant challenge on their hands if their organization’s security requirements dictate that all administrator passwords must change regularly. It is tedious to locate, let alone update, all the local administrator accounts. And that doesn’t include the accounts used by tasks, services, and COM objects on machines throughout the network. Consequently, many of these updates are never done.

Here are some of the credentials that can become compromised:

  • Built-in administrator accounts: Every machine has a local logon account created at the time the machine is built. In many organizations the account name and password are the same on every system. Therefore, all a hacker has to do to become an administrator is to crack the local administrator password on one system. Someone could crack the administrator password in seconds using rainbow tables.
  • Service accounts: Many machines use services that require either a local or domain administrator account to run. The bad news about services is that you can find their account names and passwords stored on every machine. Once a hacker has administrator access to a machine, then what? It is simple to run a password cracking program such as rainbow tables to view the secrets area of a Windows system.
  • Embedded credentials: Sometimes usernames and passwords are stored in clear text or easily reversible encryption and then forgotten about. Due to lack of visibility of these items once implemented, they are rarely, if ever, changed. The problem expands over time as fear, uncertainty and doubt grow over how an account may have been used, which is rarely documented. These sorts of accounts often represent access to privileged data or personally identifiable information.

Security Best Practices for Workstations

Malicious insiders can easily penetrate the local security of their own machines. From there they can expose the stored credentials. You should take precautions to minimize the problem. First, try to prevent the introduction of hacking tools. With group policies in Microsoft’s Active Directory, an administrator can disable the registry editing tool and block known hacking tools. But these policies are ineffective if the user can boot to a flash drive or CDROM and run their tools in DOS.

Another option is to remove or disable the ports for flash drives and CDROM drives. This method is effective, at least until a determined person gets into the case or BIOS and re-enables the devices. The most insidious attack would be to copy the information or image the machine to a location you do not control. The attacker can then crack it at their leisure.

It seems that for every step you take to counter a hostile user from extracting sensitive information, there is a workaround. This means that the only practical solution is to reduce the value of the information on each workstation. Making sure that all services, scheduled tasks, and COM+ type objects do not reference domain administrator accounts reduces the value.

Next, the local administrator accounts must have their passwords changed on a regular basis. Even better, each machine should have its own unique password. That way, even if someone cracks it, they can’t use the stolen credential to move between systems on the network.
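Reducing the value of what is stored on each machine starts with knowing where the privileged references are. The audit below is an added example, not Lieberman Software's code: it runs over a constructed inventory (the kind of data a collector would gather from service and scheduled-task configuration) and reports the three problems this section and the next describe: services or tasks running as domain admin accounts, local administrator passwords past their rotation age, and the same local administrator password reused across machines. The inventory shape and the password fingerprint field (assumed to be a keyed hash computed by a trusted collector, never the password itself) are assumptions.

```python
"""Audit a host inventory for privileged-credential exposure (added example).

Assumptions: each host record carries its services and scheduled tasks with the
account they run as, plus the local administrator password age and a keyed
fingerprint of that password produced by a trusted collector. All data below
is constructed.
"""
from collections import defaultdict

PRIVILEGED = {"CORP\\Administrator", "CORP\\svc_domainadmin"}   # constructed domain admins
MAX_PASSWORD_AGE_DAYS = 30

INVENTORY = [  # constructed
    {"host": "WS-0101",
     "local_admin": {"age_days": 412, "fingerprint": "a1f3"},
     "services": [{"name": "Backup", "run_as": "CORP\\svc_domainadmin"},
                  {"name": "Spooler", "run_as": "LocalSystem"}],
     "tasks": [{"name": "Nightly", "run_as": "CORP\\svc_backup"}]},
    {"host": "WS-0102",
     "local_admin": {"age_days": 412, "fingerprint": "a1f3"},
     "services": [],
     "tasks": [{"name": "Inventory", "run_as": "CORP\\Administrator"}]},
    {"host": "SRV-DB01",
     "local_admin": {"age_days": 12, "fingerprint": "c9e0"},
     "services": [{"name": "MSSQL", "run_as": "CORP\\svc_sql"}],
     "tasks": []},
]


def audit(inventory, privileged=PRIVILEGED, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a list of (host, finding_kind, detail) tuples."""
    findings = []
    hosts_by_fingerprint = defaultdict(list)
    for h in inventory:
        # 1. services / scheduled tasks that reference a domain admin account
        for kind in ("services", "tasks"):
            for obj in h[kind]:
                if obj["run_as"] in privileged:
                    findings.append((h["host"], "privileged_reference",
                                     f"{kind[:-1]} {obj['name']} runs as {obj['run_as']}"))
        # 2. local administrator password older than the rotation policy
        la = h["local_admin"]
        if la["age_days"] > max_age:
            findings.append((h["host"], "stale_local_admin",
                             f"password age {la['age_days']}d > {max_age}d"))
        hosts_by_fingerprint[la["fingerprint"]].append(h["host"])
    # 3. the same local administrator password on more than one machine
    for hosts in hosts_by_fingerprint.values():
        if len(hosts) > 1:
            for host in hosts:
                others = ", ".join(x for x in hosts if x != host)
                findings.append((host, "shared_local_admin", f"same password as {others}"))
    return findings


def summary(findings):
    """Count findings per kind, e.g. to track the backlog week over week."""
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    result = audit(INVENTORY)
    for host, kind, detail in result:
        print(f"{host:10} {kind:22} {detail}")
    print(summary(result))
```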

Security Best Practices for Servers

IT administrators who leave an organization can take knowledge of the administrator passwords with them. This is particularly dangerous when all administrator passwords are the same, and rarely changed.

Within a large organization there may be thousands of servers with domain administrator accounts running as services, scheduled tasks, MTS/COM+/DCOM objects, and local logon accounts. Any attempt to change the credentials of these accounts could result in an untold number of critical systems going off-line.

Due to the difficulty of finding all objects used by administrator accounts, many organizations neglect to update this information.

Solutions to the Common Administrative Credentials Problem

The goal of any security program is to stop or mitigate a threat. To resolve the administrative credentials security threat, you must regularly change the administrator passwords. And then make each password unique.

There also needs to be a way of searching through the machines in an organization to find instances of both local and domain administrator accounts. The credentials of those accounts must be frequently updated. And this needs to be done for privileged passwords on every system, device and application in the enterprise.

The least expensive solution involves scripting, a lot of patience, and an up-to-date list of systems. Unfortunately, scripts do not provide any database or GUI front end to perform management. They also lack the ability to manage complex services, COM objects, and scheduled tasks. The problem is not so much in writing the script. The real problem is in testing, troubleshooting, documenting, supporting, and updating the script.

Group policies are a write-only solution with no inherent intelligence. They have no reporting capabilities and rely on the workstation to request an update. This means there can be a lag in time of hours from the application of the group policy in Active Directory to the application of that same group policy on a system. And that’s if it even works.

Automated Privileged Identity Management

So if neither of these options is right for enterprise environments, what are we left with? The answer is commercial privileged identity management. With this solution you can automatically discover privileged accounts throughout your cross-platform enterprise (on-premises and in the cloud), bring those accounts under management, and audit access to them.

You can update each privileged credential as frequently as necessary. Even every couple of hours. This negates the damage inflicted by zero-day attacks and other advanced cyber threats. That’s because even if an intruder compromises a credential, it has a limited lifetime. An intruder cannot leverage the stolen credential to leapfrog between systems.

And with an automated solution handling a complex problem, you can dedicate your limited IT resources to other projects.

About the author: Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is responsible for meeting the real-world needs of the company’s customers. With over 15 years of systems administration, consulting, training, and product management experience, Chris is instrumental in guiding the development of the Lieberman Software products portfolio.

Reducing Identity-related Risks: The Complete Package or a One-Man Show?
Wed, 24 May 2017 06:21:00 -0500

When it comes to reducing risk before an issue occurs, do organizations need the unequivocal strength of The Avengers or could they hedge their bets on just Iron Man?

While cybersecurity threats like ransomware and botnets are increasingly making headlines, for most organizations, internal employees are their biggest risks. Studies show that internal employees account for 43 percent of data loss. As such, cybersecurity professionals are increasingly buckling down on identity and access management (IAM) to protect their critical data assets.

In the world of traditional IAM, two-factor authentication, single sign-on, provisioning, governance and privileged management are just some of the related disciplines within this market. More recently, IT buzzwords like “analytics” have begun to proliferate into the realm of IAM – and thus the emergence of “identity analytics.” Like most emerging technologies, identity analytics is often misunderstood and misconstrued. Organizations need to take a step back, examine the areas of identity analytics and why they might need them—and which will bring the most value.

Analytics is the practice of pinpointing key information residing in large amounts of data to provide visibility and comparison that can often predict what might happen next. When it comes to IAM, solutions have been primarily focused on the area of behavior analytics – i.e., looking at what type of behavior occurred and the reasoning behind this behavior. However, they should also be focused on identity analytics and reducing risk before bad behavior impacts the business.

To put it in more playful terms, if we think of the goal of IAM as being to stop villains, would you rather have the combined powers of an entire band of superheroes on your side or to rely on just one hero to save the day? Organizations need to take a more holistic approach by implementing identity analytics in tandem with behavior analytics. After all, do organizations need the unequivocal strength of The Avengers or could they hedge their bets on just Iron Man when it comes to reducing risk before an issue occurs?

Behavior Analytics (Iron Man) – A Lonely Hero

Known also as User Behavior Analytics (UBA), behavior analytics is the practice of gathering information and data based on the user’s behavior. Once supplied with this information, the UBA tool can identify what behavior/usage deviates from a “normal” baseline to determine what action, if any, is needed.

In some cases, a user’s recent activities may differ substantively from their historical activity, which ultimately indicates a change in pattern and, more importantly, a possible security breach. For example, an employee within an organization’s finance department (rightfully) has access to the file shares that store all the merger and acquisition (M&A) documentation. Over the course of the last nine months, the user visited the site on average twice per week and downloaded three documents in total. However, over the past two weeks, the user visited the site every night after 9 p.m. and began downloading a massive amount of data.

While within the parameters of approved access, UBA would notice that the behavior is anomalous – triggering further investigation from management and possibly even security. This is a simple example of how behavior analytics – in this scenario, Iron Man - can be used to reduce security loopholes.

But if you only had Iron Man’s genius-level intellect and his powerful, armored suit, it still wouldn’t guarantee defeating the likes of Loki or Ultron — or users intent on stealing data, especially after the fact. To do battle against these foes, you’d need mightier defense on your side. In the world of IAM, that means being able to stop enemies in their tracks before they strike.

Identity Analytics (The Avengers) – A More Collective Defense to the Rescue

As opposed to just tracking behavior, identity analytics approaches the issue from a different angle. It fully analyzes and understands the entitlements a user should have vs. what they actually do have.

Simply understanding what entitlements a user has is not enough and any IAM product can report on those. What drives true value is the analytical component of understanding what entitlements a user has as it relates to the rest of the organization, his or her peers, or even between organizations. This collective power translates into the ability to predict trends and behaviors, identify what may potentially happen, and make recommendations for corrective action. It’s not unlike having the diverse knowledge, powers, and strength of an entire band of superheroes like The Avengers on your side.

Imagine an employee who previously worked in IT and ultimately decided to transition into the role of a pre-sales engineer. When the sales department uses traditional IAM tools to pull a list of “who has access to the pre-sales engineer SharePoint site,” this user would correctly show up. What would not be apparent, however, is that this user is now one of the most powerful users in the organization: the report does not show that the entitlements the user held as an IT professional were never removed. The user was never deprovisioned from their IT role, so the remaining, highly privileged access increases the organization’s security risk.

Identity analytics would find an anomaly of this nature almost instantly by comparing this individual with others from the pre-sales department. Armed with this information, the security professionals would know where to begin their work of securing the organization by removing the IT-related entitlements from this pre-sales engineer.

Beyond that, identity analytics can compare entitlements from one organization to another. If you are a bank with 3,000 users, an identity analytics tool could show that, compared to banks of similar size and location, your bank has twice as many people with elevated privileges – a security posture you may want to investigate, and quickly.
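The peer-group comparison from the IT-to-pre-sales example, plus the organization-level "share of users with elevated privileges" figure, as an added example (not code from the original article or from any IAM product). The users, departments, entitlement names and the 25% peer-prevalence threshold are all constructed assumptions.

```python
"""Identity analytics: flag entitlements that a user holds but almost none
of their department peers do.  Added example, not from the original
article; the users, departments and entitlement names are constructed."""

# Constructed directory extract: user -> (department, entitlements)
USERS = {
    "ps.alice": ("presales", {"SP-PreSales-Site", "CRM-Read", "Demo-Lab"}),
    "ps.bob":   ("presales", {"SP-PreSales-Site", "CRM-Read", "Demo-Lab"}),
    "ps.carol": ("presales", {"SP-PreSales-Site", "CRM-Read"}),
    "ps.dave":  ("presales", {"SP-PreSales-Site", "CRM-Read", "Demo-Lab"}),
    # Moved from IT into pre-sales; the IT entitlements were never removed.
    "ps.erin":  ("presales", {"SP-PreSales-Site", "CRM-Read",
                              "Domain Admins", "Server-Root-SSH"}),
    "it.frank": ("it", {"Domain Admins", "Server-Root-SSH", "Helpdesk-Tools"}),
    "it.grace": ("it", {"Domain Admins", "Server-Root-SSH", "Helpdesk-Tools"}),
}

# Entitlements the organization classifies as elevated (assumption).
PRIVILEGED = {"Domain Admins", "Server-Root-SSH"}


def find_peer_outliers(users, threshold=0.25):
    """Return {user: {entitlement: peer_share}} for entitlements held by
    fewer than `threshold` of the user's department peers.  The user is
    excluded from their own peer group, so a lone holder scores 0.0."""
    findings = {}
    for user, (dept, ents) in users.items():
        peers = [e for u, (d, e) in users.items() if d == dept and u != user]
        if not peers:
            continue                      # nothing to compare against
        outliers = {}
        for ent in ents:
            share = sum(1 for p in peers if ent in p) / len(peers)
            if share < threshold:
                outliers[ent] = share
        if outliers:
            findings[user] = outliers
    return findings


def remediation_plan(findings, privileged):
    """Order the outliers for review: privileged entitlements first, then the
    rarest among peers.  Rows are (user, entitlement, is_privileged, share)."""
    plan = [(user, ent, ent in privileged, share)
            for user, outliers in findings.items()
            for ent, share in outliers.items()]
    plan.sort(key=lambda row: (not row[2], row[3], row[0], row[1]))
    return plan


def elevated_share(users, privileged):
    """Fraction of all users holding at least one elevated entitlement: the
    figure an analytics tool would set against peer organizations."""
    holders = sum(1 for _dept, ents in users.values() if ents & privileged)
    return holders / len(users)


if __name__ == "__main__":
    for user, ent, priv, share in remediation_plan(find_peer_outliers(USERS), PRIVILEGED):
        print(f"{user}: {ent} held by {share:.0%} of peers"
              f"{' (PRIVILEGED)' if priv else ''}")
    print(f"users with elevated privileges: {elevated_share(USERS, PRIVILEGED):.0%}")
```

A plain entitlement report would list `ps.erin` as a legitimate member of the pre-sales site; only the comparison against the other pre-sales users shows that two of her entitlements are held by none of her peers, which is exactly the leftover-IT-access pattern the text describes. The same `Domain Admins` entitlement raises nothing for the IT users, because it is normal in their peer group.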

Identity Analytics: Your Organization’s Newest Security Superpower

Identity analytics is a logical addition to an organization’s larger IAM arsenal. It’s a solution that allows you to preempt bad behavior and, accordingly, reduce your attack surface before an issue occurs. While having Iron Man on your team is no small feat, having more collective powers at your disposal will always be the better bet for fending off foes. Any security-minded organization needs the mightiest IAM heroes, in this case both behavior and identity analytics, to combat the bad guy. 

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

Copyright 2010 Respective Author at Infosec Island
Live Webinar: Combining Pen Testing & Incident Detection Tue, 16 May 2017 12:31:37 -0500

Who has time to build out an Incident Detection & Response program when you're wading in alerts, tedious investigations, and solutions only monitoring part of your network?

Stop the madness. Join SecurityWeek and Rapid7's Eric Sun for actionable takeaways from penetration testing engagements, and see how customers are combining detection technologies to find intruders earlier in the attack chain.

Join this live webcast on Thursday, May 18th at 1PM ET to learn:

• The top attack vectors behind breaches

• How security teams are using user behavior analytics (UBA) today

• The role of deception technology in a detection strategy

• How attackers are moving across endpoints – without malware


Presenter: Eric Sun, Solutions Manager, Incident Detection & Response

As a solutions manager for Rapid7’s Incident Detection & Response offerings, Eric works closely with Metasploit, their penetration testers, and managed SOC to help security teams model their programs after the intruder attack chain. Eric brings a layer of behavior analytics and risk management from his many years in Asia as a professional poker player.

SAP Cyber Threat Intelligence Report – May 2017 Fri, 12 May 2017 07:22:00 -0500

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • This set of SAP Security Notes is smaller than usual (the average number of SAP Security Notes closed every month this year equals 25, while May’s bunch of Notes contains 17 fixes).
  • 4 of the closed security loopholes affect SAP Defense Forces & Public Security. The Missing authorization check vulnerabilities in this module could allow an attacker (including hacktivists and cyberterrorists) to read, modify or delete sensitive data.
  • In the wake of a proof-of-concept ransom attack via SAP GUI, the vendor released a fix addressing client-side security issues. SAP GUI for Java allowed opening of new connections from an ABAP program, which can be used in multi-stage cyberattacks.

SAP Security Notes – May 2017

SAP has released the monthly critical patch update for May 2017. This update includes 17 SAP Notes (11 SAP Security Patch Day Notes and 6 Support Package Notes). 4 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of all the Notes are updates to previously released Security Notes.

1 of the released SAP Security Notes has a High priority rating and 1 was assessed as Hot News. The highest CVSS score of the vulnerabilities is 6.5.

The most common vulnerability types are Missing Authorization check and XSS (PDF).

Issues that were patched with the help of ERPScan

This month, 2 critical vulnerabilities identified by ERPScan’s researchers Dmitry Chastuhin, Dmitry Yudin and Vahagn Vardanyan were closed. Below are the details of the SAP vulnerabilities identified by them.

  • An Implementation flaw vulnerability in SAP GUI (CVSS Base Score: 5.1). Update is available in SAP Security Note 2448972. SAP GUI for Java unconditionally allows opening of new connections from an ABAP program. Under specific circumstances, it is possible to enhance already existing attacks to a broader user group. The patch allows defining a custom trust level including a permission for opening a new connection.
    ERPScan’s research team revealed and disclosed in March that a SAP GUI vulnerability could be exploited to conduct a ransom attack on an organization where the German vendor’s enterprise software is installed. In response, SAP has shifted its focus to client-side vulnerabilities. The previous patch fixed an issue in the ABAP engine, and the one released this month addresses the Java part; combined, they enhance protection against ransomware.
  • A Cross-Site Scripting vulnerability in SAP Enterprise Portal (CVSS Base Score: 4.8). Update is available in SAP Security Note 2412897. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to a user’s session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify displayed content without authorization.
    SAP Enterprise Portal is a web front-end component, which provides a single point of access to information, applications, and services. This component can be easily found by Google search (search query: inurl:/irj/portal intitle:"SAP Netweaver Portal") that facilitates attacks.

The most critical issues closed by SAP Security Notes May 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2376743: SAP EA-DFPS has a Missing authorization check vulnerability (CVSS Base Score: 6.5). An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality, which has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2442630: SAP EA-DFPS has a Missing authorization check vulnerability (CVSS Base Score: 6.3). An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality, which has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2443586: SAP NetWeaver Authentication and SSO has a Cross-Site Scripting vulnerability (CVSS Base Score: 6.1). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to a user’s session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify displayed content without authorization. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Vulnerabilities in SAP Defense Forces & Public Security module on the rise

SAP’s portfolio includes industry-specific solutions covering 25 verticals, including Defense Forces & Public Security. This product is intended for armed forces, police, and aid organizations and helps perform the following functions:

  • Mapping organizational structures and material and personnel resource planning
  • Accounting and Funds Management
  • Materials Management
  • Support for Flight Operations
  • Maintenance

In particular, there are 3 software components:

  • Defense Forces & Public Security (DFPS) is a part of SAP ERP and provides additional functions required for defense and public security.
  • The SAP Mobile Defense & Security (SAP MDS) component is responsible for mobile functionality.
  • SAP Military Data Exchange (SAP MDE) provides off-the-shelf force management capabilities that enable interoperability with Command and Control Information Systems (CCIS) and NATO Functional Area Services (FAS).

This set of SAP Security Notes addresses 4 vulnerabilities in this module – 3 Missing authorization checks affecting DFPS and one update to a patch for an SQL Injection in the same module. A Missing authorization check vulnerability usually allows a perpetrator to read, modify or delete data to which access is restricted. When it comes to the defense industry and armed forces, the information can be critical in terms of international security, and the effect of even such low-impact vulnerabilities could be devastating.

The total number of issues closed in the SAP Defense Forces & Public Security module is 18; the majority (15) were rated Medium priority, and the remaining ones were assessed as High priority.

It is safe to assume that the vendor started to focus on this module’s security 6 months ago, as two-thirds of the Notes were released within this period – 3 in December 2016 and 9 in 2017.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Convenience vs. Control: Achieving the Right Security Balance Fri, 12 May 2017 04:22:06 -0500

In today’s fast-moving world of technology, security risks have grown more complex. Many organizations find themselves struggling to give users fast and effortless access to an ever-increasing number of applications, while at the same time they must work to counteract more frequent and sophisticated cyber attacks. In cartoon format, it’s as if every IT security manager has a frustrated business user on one shoulder shouting “convenience” (easy access now!) and a CISO on the other shoulder shouting “control” (lock everything down tight!).

All humor aside, these diametrically opposing forces are being felt by everyone in IT security today, and especially by identity and access management (IAM) professionals.

The Case for Convenience

Controlling user access has become more challenging with each passing year. Today’s workers want anytime, anywhere access, and not just from PCs and laptops, but also from mobile phones and tablets. Users now want the same convenience and flexibility they get with smart devices when they need to access corporate applications. And people require access to an increasing number of digital assets, both corporate and personal. These assets commonly include a mix of cloud applications such as Salesforce, Workday, and Microsoft or Google Apps; social applications such as Facebook, LinkedIn, and Twitter; web applications such as portals and intranets; and traditional on-premises applications (yes, even mainframe apps are still widely in use by many of our customers).

While corporate security would prefer to mandate strong passwords for every corporate application, maintaining separate passwords and authenticating access for each application can be very frustrating for end users. And it’s not just a matter of inconvenience; it’s also a matter of productivity. Every minute that a user has to spend retrieving a lost password or having the help desk reset a password is an unproductive minute – and when you multiply the growing number of applications by the amount of time wasted, the high price of inconvenience becomes pretty clear. Clearly, what users want is seamless access to all of the resources they need without the need to constantly re-authenticate – hence the popularity of Single Sign-on (SSO) solutions.

The Urgency of Addressing Cyber Risk

While end-user demands for convenience have never been higher, the need to maintain strong access controls has never been more critical – or more complex. Today’s IT security staff must grapple with the explosion of cloud and mobile applications layered on top of the organization’s traditional on-premises applications. They must also manage and enable a globally distributed workforce and partner ecosystem that blurs the lines between employees, contractors, partners, and sometimes even customers.

To make matters worse, it is no longer enough to focus on defending the organization’s network perimeter. As recent security attacks demonstrate, it is becoming more common for legitimate identities to become the attack vector for cyber criminals. Instead of targeting networks and application infrastructures, hackers are now exploiting identities to gain access to sensitive systems and data. In the past three years, there have been numerous data breaches caused by cyber thieves obtaining the identity credentials of employees (usually via phishing), using them to access internal networks, and stealing sensitive customer and financial data.

Is Single Sign-On the Answer?

Single sign-on is a method of access control that allows users to log in once and gain access to a variety of applications. Instead of having to remember multiple passwords for various systems, users can gain access to many applications with a single password. SSO has many benefits. It makes it easier for users to remember their username and password combinations and less likely to write them down on sticky notes. It also improves productivity by reducing the time users spend entering passwords and the number of incidents where workers are locked out and must get help to reset their passwords.

While Single Sign-on does enhance convenience and user productivity, it comes with a few security risks of its own. There are inherent risks when a single username/password combination unlocks all the resources employees can access. If cyber thieves obtain that employee’s credentials, they will be able to access all of the resources that the employee can. And without enforcement of strong password policies, SSO could make a user’s accounts more susceptible to breaches by making more sensitive accounts as easy to access as less sensitive accounts.

Perhaps the biggest security risk of all, however, is the temptation to treat SSO as a panacea – to mistakenly think that SSO is a one-stop solution for all IAM needs. In fact, SSO solutions are not designed to provide the complete set of controls required to secure the enterprise. SSO is one tool in the IAM toolbox, but one that is more focused on convenience than control.

Identity Governance – Balancing Convenience with Control

In order to balance SSO’s convenience with the proper level of controls, organizations need to complement SSO with robust identity governance solutions. Identity governance provides the right preventive and detective controls required to control access and identify and remediate security issues.

Some of the key functionality that identity governance provides to complement and strengthen SSO includes:

  • User provisioning: to automate defined processes for granting, changing, and removing user access privileges.
  • Policy management: to help strengthen passwords across all applications and to prevent unwanted “toxic combinations” of access privileges.
  • Self-service password management: to allow end-users to manage their own credentials, anytime, anywhere, without having to involve the help desk.
  • Access certifications: to ensure that user access is appropriate, conforms to policy, and meets audit and compliance requirements.

With Identity governance, organizations can confidently deploy SSO knowing that appropriate preventive controls are in place. By providing fine-grained provisioning based on defined policies and roles, identity governance ensures that users have access to only the minimum resources they need (“least privilege”). When users are terminated, access privileges are automatically revoked not only on the SSO system, but on the target resources and importantly, those applications that are not tied into the SSO solution (rarely are all apps tied into an SSO solution). Identity governance also provides password management to enable the organization to enforce regular password changes, password strength, and control password reuse across all applications.

Identity governance also provides critical detective controls that allow an organization to review and monitor user access for anomalies that need further investigation. It is not enough to simply define access controls and forget about them. Too many factors in the environment are constantly changing (users, applications, directories, etc.), and sometimes policies and procedures are not followed to the letter. Detective controls allow organizations to identify and rectify problems before they lead to a catastrophic breach. Examples of detective controls include periodic review of access by supervisors and data owners. Every organization benefits from detection of situations like a fired employee whose privileges were removed from the SSO system, but who still has access to applications from his home computer.
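Two of the detective controls described above, reconciliation of HR status against every application's own accounts (including the ones not tied into SSO) and a check for toxic combinations of roles, as an added example. This is not code from the original article or from any identity governance product; the HR feed, identity-provider state, application inventories, role names and the separation-of-duties policy are all constructed.

```python
"""Identity governance detective controls: reconcile HR status against
per-application accounts (including apps outside SSO) and check role
assignments against a separation-of-duties policy.  Added example, not
code from the original article; all records are constructed."""

# Constructed HR feed: user -> employment status
HR_STATUS = {"jdoe": "active", "msmith": "terminated", "kli": "active"}

# Constructed identity-provider state: is the user's SSO login still enabled?
SSO_ENABLED = {"jdoe": True, "msmith": False, "kli": True}

# Constructed per-application account inventories.  `federated` says
# whether the application authenticates through the SSO system.
APP_ACCOUNTS = {
    "crm":       {"federated": True,  "active": {"jdoe", "msmith"}},
    "mainframe": {"federated": False, "active": {"msmith", "kli"}},
    "erp":       {"federated": False, "active": {"jdoe", "kli"}},
}

# Constructed role assignments and a separation-of-duties policy.
ROLE_ASSIGNMENTS = {"jdoe": {"vendor_create", "payment_approve"},
                    "kli": {"payment_approve"}}
SOD_POLICIES = [({"vendor_create", "payment_approve"},
                 "create vendor and approve its payments")]


def orphaned_accounts(hr_status, sso_enabled, app_accounts):
    """Accounts still active in an application although HR marks the user
    terminated.  `live_access` is True where the account can actually be
    used: the app is not federated, or the SSO login was never disabled."""
    findings = []
    for app, info in sorted(app_accounts.items()):
        for user in sorted(info["active"]):
            if hr_status.get(user) != "terminated":
                continue
            live = (not info["federated"]) or sso_enabled.get(user, False)
            findings.append({"app": app, "user": user,
                             "federated": info["federated"], "live_access": live})
    return findings


def toxic_combinations(role_assignments, policies):
    """(user, policy description) for every user holding all roles of a policy."""
    hits = []
    for user, roles in sorted(role_assignments.items()):
        for combo, description in policies:
            if combo <= roles:            # user holds every role in the combination
                hits.append((user, description))
    return hits


def revocation_actions(findings):
    """Ordered to-do list for the provisioning team: live orphaned access first,
    stale-but-blocked accounts afterwards."""
    ordered = sorted(findings, key=lambda f: (not f["live_access"], f["app"]))
    return [(f["app"], f["user"]) for f in ordered]


if __name__ == "__main__":
    orphans = orphaned_accounts(HR_STATUS, SSO_ENABLED, APP_ACCOUNTS)
    for f in orphans:
        state = "LIVE" if f["live_access"] else "blocked by SSO, account still exists"
        print(f"{f['user']} on {f['app']}: {state}")
    print("revoke in this order:", revocation_actions(orphans))
    print("toxic combinations:", toxic_combinations(ROLE_ASSIGNMENTS, SOD_POLICIES))
```

The constructed data reproduces the case the text warns about: `msmith` was disabled in the SSO system, so the federated CRM account is blocked, but the non-federated mainframe account was never touched and still works. Ordering revocations by `live_access` puts that account first. The separation-of-duties check is the simplest form of a toxic-combination policy; real policies usually also consider entitlements inherited through group membership, which this example does not model.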

Conclusion: Striking the Elusive Balance

Like it or not, the days of “locking down” technology environments – and banning personal tools and devices – are over. Partnering with business colleagues to deliver convenience, service, and value is an important goal for today’s IT security team.  However, as the environment becomes more open and the technology mix becomes more complex, it has never been more critical to implement identity governance with strong controls to mitigate the associated risks.

A balanced IAM strategy will allow organizations to deploy SSO to address business users’ convenience needs, while using an identity governance foundation to strengthen security and meet compliance and risk management goals. By embedding identity governance policy and controls throughout all IAM processes, organizations can achieve a healthy, sustainable balance between convenience and control.

The Enterprise IoT Security Checklist for Today - and Tomorrow Wed, 10 May 2017 04:50:52 -0500

Everyone’s worried about securing the Internet of Things (IoT). IoT is poised to create an expansive network of self-driving cars, connected energy grids, and smart appliances. According to Gartner, by the end of 2020, there will be 21B IoT devices worldwide, only expanding our current ecosystem. As companies build towards this connected future, they must constantly evaluate the risks that come with these large IoT networks.

Developers and decision-makers can combat the unique risks of IoT early by focusing both on preventing attacks and on ensuring the continued safety of their connected systems as they are being developed. By following a few simple best practices upfront and during the development process, organizations can prioritize areas of focus to remain secure as they build connected products.

Remaining Secure Today

To build a secure system, it’s crucial to reduce the surface area for potential vulnerabilities, and this starts with a comprehensive audit of the system as a whole along with all of its parts. The following components of an IoT system must be reviewed for possible vulnerabilities:

  • Operating Systems: Each point of entry (ports, protocols) is a potential point of attack. A minimal “bare metal” real-time operating system running on a microcontroller (MCU) makes it easier to understand your entire surface area. In contrast, many system-on-chip (SoC) and Linux systems come running various services and can be listening on a variety of ports by default, adding a hidden layer of attack vectors that product developers may not even be aware of.
  • Applications: There can be multiple application programs running on a full system on a chip device - and the more applications you have, the more potential there is for bugs or security vulnerabilities. It is critical to the vitality of your product to run an audit and sanitize these programs.
  • Dependencies: Establishing a rigorous process to check that your external dependencies and libraries are up to date and validated is critical. Modern encryption and communication protocols evolve over time, and you must invest in staying current, or risk ignoring new vulnerabilities. Just like application security, a larger number of dependencies means that more maintenance must be done.
  • Communication: Man-in-the-middle attacks, replay attacks, and loss of sensitive information are just a few of the threats that can occur if communications between the device and the cloud are not encrypted, or are encrypted poorly. Proper encryption ensures confidentiality, integrity, and authenticity.
  • Cloud: Always on and connected servers require constant monitoring and testing.  By minimizing your network, application, and dependency surface area, and closely monitoring access and behavior, you can reduce risk for each cloud server.  You should subscribe to security mailing lists and alerts for your dependencies, operating systems, and service providers.
  • User Access and Security: Threats come in all shapes and sizes - and they could be within the company. Establish a positive culture of security and awareness for your team, educate them about phishing and social engineering attacks.  Practices like two-factor authentication, strong passwords, and whole-disk encryption help reduce the scope of damage from careless user error.
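The Communication item above lists man-in-the-middle and replay attacks as the threats that weak or absent message protection invites. The following added example (not code from the original article or from Particle's platform) shows the integrity, authenticity and anti-replay part of that protection for device-to-cloud messages using a per-device HMAC-SHA256 key and a monotonically increasing counter. The device identifier, key and message format are constructed assumptions; the key is assumed to be provisioned to the device at manufacture. It deliberately does not provide confidentiality, which would need an AEAD cipher such as AES-GCM on top (not available in the Python standard library, so not shown).

```python
"""Device-to-cloud message authentication with replay rejection.  Added
example, not code from the original article.  Provides integrity and
authenticity via HMAC-SHA256 and freshness via a per-device counter; it
does NOT encrypt the payload, so it gives no confidentiality."""
import hashlib
import hmac
import json
import struct

TAG_LEN = 32       # HMAC-SHA256 output length
COUNTER_LEN = 8    # unsigned 64-bit big-endian message counter

# Constructed per-device keys; real keys must be random and unique per device.
DEVICE_KEYS = {"sensor-01": b"constructed-demo-key-sensor-01"}


def device_frame(device_id, counter, payload):
    """Device side: frame = counter || JSON payload || HMAC(key, counter || payload).
    The counter is covered by the tag, so an attacker cannot bump it."""
    body = struct.pack(">Q", counter) + json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEYS[device_id], body, hashlib.sha256).digest()
    return body + tag


class CloudReceiver:
    """Cloud side: verify the tag first, then reject any counter that is not
    strictly greater than the last one accepted from that device."""

    def __init__(self, keys):
        self.keys = keys
        # device_id -> highest accepted counter.  In production this state
        # must be persisted, or a restart re-opens the replay window.
        self.last_counter = {}

    def accept(self, device_id, frame):
        """Return the payload dict if the frame is authentic and fresh, else None."""
        key = self.keys.get(device_id)
        if key is None or len(frame) < COUNTER_LEN + TAG_LEN:
            return None                                # unknown device or truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time comparison
            return None                                # forged or tampered frame
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter.get(device_id, -1):
            return None                                # replayed or stale frame
        self.last_counter[device_id] = counter
        return json.loads(body[COUNTER_LEN:])


if __name__ == "__main__":
    rx = CloudReceiver(DEVICE_KEYS)
    frame = device_frame("sensor-01", 1, {"temp": 21.5})
    print("first delivery:", rx.accept("sensor-01", frame))      # payload
    print("replayed frame:", rx.accept("sensor-01", frame))      # None
```

The order of checks matters: the MAC is verified before the counter is read, so an unauthenticated sender cannot learn anything about the receiver's counter state, and `hmac.compare_digest` avoids a timing side channel on the tag comparison. A device that loses its counter (for example after a factory reset) will have its messages rejected until the cloud side re-provisions it, which is the safe failure mode.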

Remaining Secure Tomorrow  

It’s difficult to anticipate how cyber threats will evolve five or ten years from now but all systems require maintenance to avoid falling behind evolving security risks. The following features and actions help prevent future vulnerabilities:

  • Penetration Testing: Finding security researchers that will help identify and fix potential vulnerabilities as they develop will help businesses stay ahead of modern hacking techniques. Investing in maintenance and systems testing is crucial for future proofing current systems.
  • Firmware Application Code Reviews: Allowing security experts to review your firmware during development can help catch and prevent application flaws that might expose your product, customers, and company.   
  • Security Update Mechanisms: Security protocols change and improve over time. Allowing for rapid firmware deployment to all devices at once improves security.

The conversation on IoT security will continue to evolve as the technology matures, but it’s imperative to the life of a company to follow protocol and conduct security checks early on in the development process. In an extremely risky landscape, a hack could mean loss of revenue or reputation and brand damage. Product developers and the stakeholders involved are the drivers of their own security success and failure, but by organizing and prioritizing what, where and when to test for vulnerabilities, businesses can remain secure today and tomorrow.

About the author: Zachary Crockett is a Founder and the Chief Technology Officer of Particle, a full-stack IoT device platform, where he is responsible for the core technology, architecture and infrastructure. He provides strategic direction for developing a scalable, reliable, secure and easy-to-use platform.

GDPR: Ignore It at Your Own Risk Tue, 09 May 2017 09:08:00 -0500

If your company does business in the European Union, you are likely to face a major overhaul of the way you handle your customer data. That’s because in 2016, the European Parliament passed the EU General Data Protection Regulation (GDPR), a sweeping change that will affect all companies doing business with EU residents, regardless of where the companies are based.

To understand the GDPR, it helps to understand the European view of privacy. In Europe, unlike in the United States, personal privacy is seen as a fundamental human right rather than just a consumer protection issue. In the interest of protecting this right to privacy, the EU is mandating that as of 25 May 2018, all companies doing business with its residents must

  • Have a valid reason for collecting and using all forms of personal data
  • Obtain consent for any use of data outside of certain pre-approved conditions
  • Present requests for consent to use personal data “in an intelligible and easily accessible form”
  • Notify authorities within 72 hours of any breaches that could compromise personal data
  • Be able to fulfil all privacy rights, including data erasure
  • Nominate a Data Protection Officer (DPO) (only required for companies monitoring data on a large scale or handling special categories of data such as criminal records)

As you may imagine, this regulation will be a game changer for thousands of companies around the world. The upside is that we still have a year to get ready. The challenge is that it will take time, effort, and yes, money to comply with this regulation that many businesses still don’t know about … and still fewer understand. Let’s look at the answers to a few of the most common questions arising from the business community about GDPR.

Which Businesses Will Be Affected?

Regardless of where your company is based, if you handle personal data of EU residents (not just citizens), you will be required to comply with GDPR. The EU defines personal data very broadly as any information that can be used to identify the individual, directly or indirectly, from innocuous information like names, email addresses, and physical addresses to social media posts and online presence footprints to highly sensitive medical and financial information.

How (and When) Will the GDPR Be Enforced?

All requirements of the GDPR will go into effect on 25 May 2018. For the moment, officials are expecting that, as with HIPAA in the United States, most compliance checks will be done via supply chain management. If you work with third parties who process data on your behalf, the GDPR expects that you will assess those companies’ compliance with its requirements.

Apart from defining the fines, the EU has told us little about how it plans to enforce the regulation. Personally, I expect that shortly after the enforcement date, officials will begin performing audits, and I believe they will begin with small-to-medium size businesses. Large companies with sprawling compliance departments and dozens of lawyers will be tricky to go after, whereas targeting a business without a large back office makes it easier to set a precedent and demonstrate that the EU is serious.

What Are the Penalties for Noncompliance?

The maximum fine for the most serious infringements will be up to 4 percent of global revenues or €20 Million, whichever is greater. Lesser infractions will be subject to smaller penalties; for example, a company’s fine for not having its records in order will be 2 percent of global revenue.

How Can We Prepare, and How Much Will It Cost?

The first step in preparation is to fully understand the regulation’s requirements and how they will affect your business. For starters, visiting will give you some solid insights into the regulation as well as into its background and controversies.

Once you have a clear picture of how your business will be affected, I recommend the following steps:

  1. Appoint a cross-functional GDPR task force, reporting to the executive team.
  2. Make a map of how you collect and use personal information from EU residents.
  3. Use the map to assess compliance with GDPR requirements, and make a plan to fill any gaps by May 2018.
  4. Assess all vendors who handle personal data on your behalf, and work with them as needed to ensure compliance by May 2018.

The cost of all this will depend on the size and scope of your company, the nature and sensitivity of the data you handle, your current level of compliance, the number of vendor relationships that will be affected, and so on. Once you’ve determined what needs to be done, you’ll want to assess the costs and work them into your budget.

So, what will the global business environment look like after 25 May 2018? I believe that for large enterprises, apart from additional paperwork, little will change: Many have large compliance teams and have already implemented similar measures as part of their standard practices. Startups, on the other hand, will face a serious burden as they will have to comply from Day One of their existence, and I can see this causing the EU to fall behind United States when it comes to business innovation. One thing we can all be certain of is that the GDPR will change business as we know it, and the best we can do is make sure we’re prepared.

About the author: Tomáš Honzák serves as the head of security, privacy and compliance at GoodData, where he built an Information Security Management System compliant with security and privacy management standards and regulations such as SOC 2, HIPAA and U.S.-EU Privacy Shield, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem.

3 Trends Driving the Need to Improve Your Third Party Cyber Risk Management (TPCRM) Program Tue, 09 May 2017 07:00:00 -0500

To compete in a global marketplace full of disruptors, organizations are rapidly expanding their reliance on outsourcing, cloud providers and other services that speed up time to market.

But with agility also comes cyber risk. As companies have maintained focus on their own defenses, cyber criminals have realized third parties are the attack path of least resistance. 

And if their success continues, your data, intellectual property and trade secrets are at risk. But how do you leverage the speed of outsourcing and simultaneously protect your data and trade secrets?

The vast majority of third party cyber risk management programs we encounter lack scale, speed and efficiency. These programs are based on archaic processes like sharing spreadsheet-based questionnaires and manual processes.

But according to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s employees.

So why are organizations still using a cobbled together process of GRC tools, external consultants, spreadsheets and internal resources?

At CyberGRX, we believe security and risk professionals do not have appropriate tools to fight the third party cyber battle. A cobbled together process of GRC tools, assessment services and “shared spreadsheets” is no match for a sophisticated adversary.

In a January 2017 report, SurfWatch Labs found that “the percentage of cybercrime linked to third parties nearly doubled over the past year – and that only includes publicly disclosed breaches.”

Here are three trends driving organizational need to improve today’s third party cyber risk management process:

1. Explosive Growth in Outsourcing and Growing Consumption of Third Party Services.

Organizations are relying on third-parties to improve the way systems function. And for good reason. Deloitte’s 2016 Global Outsourcing Survey (PDF) found that businesses outsource to reduce costs and drive innovation. And all indicators suggest that outsourcing is here to stay. The average Fortune 500 company has over 20,000 different vendors in 2016. In 2017, companies are expected to bring on even more third parties and will continue to do so into the foreseeable future.

Yet cybersecurity professionals have not been able to keep up with this explosive growth. According to a survey by PwC, 74% of respondents did not have a full inventory of the third parties that handle their confidential data. Part of this stems from how companies define “insiders”.

Insiders should be classified as anyone with physical or remote access to an organization’s assets. In the past, organizations could simply view “insiders” as employees. But many third parties have also become “insiders” as they are entrusted with sensitive data that hackers would love to get their hands on. Some examples being:

  • Manufacturing partners entrusted with intellectual property.
  • HR vendors entrusted with employee data.
  • Banks entrusted with company finances.
  • Call centers entrusted with customer data.
  • Law Firms entrusted with legal documents.

Businesses need to broaden their view of insiders and take appropriate steps to ensure cybersecurity.

2. Bad Guys are Targeting Third Parties

Last year, third party cyber attacks reached a tipping point. Businesses worldwide lost more than $400 billion to hackers. Statistics show that third parties were the source for at least 50 percent of these incidents:

  • In a recent Deloitte survey of 170 organizations, 87 percent of the respondents said they have faced a disruptive third-party incident in the last two to three years.
  • 55% of small- and medium-sized businesses experienced a cyber-attack in the last 12 months, with 41% saying they were impacted by a third-party mistake. (Ponemon Institute survey, June 2016)
  • Over 50% of all breaches come from third-party vendors (PwC)
  • 80 percent of data breaches originate in supply chains (TechNewsWorld)
  • 63% of the 450 data breaches studied in the 2013 Trustwave Global Security Report were linked to a third party component of IT system administration.
  • Ponemon and Verizon studies have estimated 50% or more of corporate breaches occurred through third parties.

3. Regulatory Pressure From Every Angle - Regardless of Industry

Regulators across all industries are required to examine businesses on their compliance with cyber security laws and standards, the most common being PCI, NERC, FISMA, HIPAA, SOX and GLBA. Recent trends in outsourcing and cybercrime have forced industry regulators to put pressure on organizations to better manage third party cyber risks.

For example, in 2013 the Office of the Comptroller of the Currency issued “Third-Party Relationships: Risk Management Guidance.” In this bulletin, the OCC clearly states that banks must have a complete understanding of new third parties. According to the OCC:

“A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”

These types of guidelines have been adopted across all industries. Yet most organizations have not been able to keep up with the complexity regulators require. Organizations must ensure that their third parties comply with vague standards, complete different auditing frameworks, and implement various “best practices,” all while doing their best to limit the use of internal resources. Most find this to be a wasteful and complex approach to managing third-party cyber risks, desperately in need of simplification and improvement.

To repair the current broken process used by many organizations today, businesses need to focus on four areas:

  1. Understand your inherent risk from each third party
  2. Perform analytics on your portfolio of assessments to understand which pose the most relative risk to your organization
  3. Work collaboratively with your third parties to mitigate risks that pose the most risk to your organization
  4. Monitor your third parties for changes in their business and cyber posture including expansions, divestitures, breaches and new attacks that may alter your exposure  

For third parties: get assessed once and share with many. Use a risk exchange to scale your response capabilities and drive out costs.

Digital ecosystems will continue to grow. Bad guys will continue to prey upon the path of least resistance - third parties. It’s up to you to ensure your organization takes a comprehensive and risk based approach - rather than focusing solely on compliance.

About the author: Scott Schneider is head of Business Development at CyberGRX. He is responsible for implementing go-to-market and growth strategies. Previous to CyberGRX, Schneider led sales & marketing at SecurityScorecard, Lookingglass, iSIGHT Partners and iDefense, now a unit of VeriSign.

Cloud-Based Access Governance: Organizational Continuity Achieved
Tue, 09 May 2017 05:51:45 -0500

As an IT expert, you know that browser-based apps have no software to deploy, patch and support, meaning there is a great deal less time and hassle involved in putting such a system in place. Most CRM systems are browser-based, HR solutions have followed along and even most accounting systems have web-based front ends. These are major changes to technology in a very short period of time.

These changes have paved the way for many cloud providers. This is no longer a trend that needs to be taken to a “next level” – it is already at the next level and things are being done in the cloud. Hosted solutions are now the norm. These solutions are having a wide impact on the mobility of workforces. No longer is a connection via secure VPN into the office to access data remotely a requirement, all that is needed now is a URL for the hosted application along with a username and password.

It’s supposed to be an easy solution. That is not always the case. This is where the fun starts -- with the username and password and their use in hosted solutions. For example, how many hosted applications do I need to access; how many of these applications have login credentials controlled by company policy; and how many do I have to create myself?

This means the creation of a multitude of username algorithms and password complexity scenarios. From a user’s perspective, this can be daunting and lead to passwords being forgotten, meaning the “hassle-free” cloud applications have just created a host of issues for the service desk. Alternately, your users store their credentials in a non-secure way, like writing down passwords on a note pad and leaving them around a work desk.

Cloud-based access governance solutions can help solve this problem.

Cloud-based access governance can pull up a portal listing your web-based applications, whether they are hosted in the cloud or running locally within the organization, and can authenticate in the network. Cloud-based single sign-on can handle all logon requests to these applications, entering usernames and passwords on the user’s behalf.

Additionally, with web-based single sign-on, employees outside the corporate network (those working from home or while travelling) can access cloud applications with any device (PC, tablet or smartphone) with one single password and username. No need to remember multiple passwords and user names or the need to write them down. In BYOD environments, employees also are able to enjoy the same features as those on corporate devices.

Traditionally, SSO has been easier to offer inside the network, but once outside of it, doing so was problematic. That is not the case anymore. Current web SSO technology is based on an intelligent browser plug-in that processes the various logins for cloud applications automatically. For the login details, the solution communicates with the SSO service in the company’s own network; those login details remain stored in the network and are not accessible at an unknown location in the “cloud.” For the user, the plug-in is transparent and can be used from any device and from any location.

In so doing, users receive the same continuity that they have come to rely upon from their employer’s network: those connections are available whenever your organization’s network is, and from anywhere you happen to be.

About the author: Dean Wiech is managing director of Tools4ever US.

To Tackle IoT Security’s Murky Future, We Need Only to Look to the Past
Fri, 05 May 2017 11:33:22 -0500

Now that the IoT seems to be coming into its own, more manufacturers are eagerly throwing their hats into the ring to capitalize on the rapidly growing market. However, the influx of IoT devices is missing proper security measures.

In 2017 we have seen more smart home devices being vulnerable to attack from cyber criminals. The Wikileaks Vault 7 release revealed that internet-connected televisions could be used as bugging devices. Even innocent, cute teddy bears have been hacked at the cost of the privacy of children and their families. And if businesses think they’re safe, they’re far from it. The devastating Mirai malware attack on Dyn services last fall and other botnet attacks since then prove this. Not to mention that more than 90 percent of IT professionals expect to see an increase in attacks.

Why are these devices proving to be so vulnerable? Many of the manufacturers trying to cash in on the IoT game are not companies that have traditionally thought about networking — or network security for that matter. Building an IoT device is more than just adding internet capabilities to a thermostat or camera. It means building in security features and preventive measures for vulnerabilities. Unfortunately, manufacturers, especially those creating low cost IoT devices, are seemingly eager to ship off IoT devices without investing in security.   

Experts have even proposed that government IoT regulation is inevitable considering the lack of urgency from manufacturers and consumers alike. The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) in the U.S. have already stepped in and released documents providing recommendations for how companies and individuals should approach security for IoT. 

Therefore, one of the biggest uncertainties about the future of IoT security is whether IoT manufacturers will be able to get a handle on what it takes to develop and deliver devices that are secure out of the box. Only time will tell, but I do think there are steps that we can take today to begin addressing the issue.   

Consider Protocols Created with the IoT in Mind

Design challenges are a given with new technologies. For IoT, a big problem is limited computing power and memory or storage, which makes it difficult to use complex encryption or agents that require more resources. New protocols used specifically for the IoT, like Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP), need to be accounted for as well.

Stick to the Guiding Principles

Developers should look at the best practices established over the past 30 years of internet history in order to create secure firmware for these emerging IoT devices. Some general guidelines that are often overlooked by manufacturers and developers include generating a random admin password for each new device rather than shipping with default passwords, and not exposing network ports and services unnecessarily. Additionally, developers should implement mechanisms for devices to verify their integrity at system boot time.

Conduct Regular System Checks and Updates

System maintenance and updates are other key areas of consideration. Often the IoT devices that are taken over by malware have known weaknesses which could have been resolved. Manufacturers, ISPs, and others who have responsible disclosure processes for vulnerabilities and provide firmware updates addressing those issues are doing the right thing. Their actions help limit the number of IoT devices which can be used for malicious purposes.

Focusing on the security of systems, network services and applications can help achieve the goal of preventing system breaches or compromises as well as support continuous monitoring and resiliency. Initial steps like stringent authentication requirements and system orchestrations can go a long way.   

Ultimately, the correct approach for IoT device security and authentication depends on the device and the traffic it will handle. To build secure IoT devices today, companies new and old need only to look to the past. Rather than reinventing the wheel, they should consider textbook security fundamentals that have been set by companies making networked devices for the past few decades.

About the author: Sean Tierney is the Director of Cyber Intelligence for Infoblox. He leads the efforts to develop and refine threat data, delivered to customers as machine readable, actionable intelligence.

When Is Not Faked Punycode Domains Running Rampant
Mon, 01 May 2017 05:13:48 -0500

We have seen a significant uptick in phishing attacks using “Punycode” to exploit a basic vulnerability in web browsers, with phishers able to have the address bar represent what (to the naked, Roman alphabet-reading eye) appear to be correct domains for prominent websites like,,, and – but they’re not! The vulnerability affects Mozilla Firefox and un-updated Opera and Chrome web browsers, and makes it additionally difficult for users to identify a faked web page without checking the SSL certificate or carefully inspecting the complete URL.

What’s Punycode?

Punycode is a way to represent Unicode within the limited subset of ASCII characters used for Internet host names. This is done to allow the display of internationalized domain names (IDNs) in languages that don’t use the Latin alphabet (or use variations of it). For example, the Punycode domain “” will show up in your browser as “Bü”. The potential to abuse this functionality by mixing characters from multiple languages has long been known to cybercriminals, and Internet browsers in response were upgraded to display potentially confusing domains in the “xn--…” form.

However, there’s a new twist: if every character is replaced with a similar character from a single foreign language, the domain name will be shown in its Unicode form rather than as Punycode, potentially leading to confusion among users that can be exploited for phishing attacks. Xudong Zheng, a Chinese security researcher, discovered the vulnerability and, as a proof of concept, set up the web page “,” which the browser translates to “https://www.аррӏе.com/.”

How Do You Spell Paypal?

For our part, we’ve seen a significant increase in Punycode domains over the past few days meant to exploit the newfound vulnerability:

For example, by using the Cyrillic “a” the attacker is able to fake the domain “” Usually you can spot a fake phishing website by its domain, but in this case the domain will be displayed to the user as it’s supposed to be.

Figure 1:  “paypḁ” that has already been blocked by Google.

Here’s an example for “”, where the user clicks a link that has this URL: and the browser translates this to “hotmaı”


Figure 2: “hotmaı” displayed as the main domain.

When the “Sign in Hotmail” link is clicked, the user is taken to a phishing page to choose an email provider from a drop-down list (Figure 3). After selecting Gmail, we were asked to install a Chrome extension (Figure 4). The extension hijacks the browser and changes the startup page, installs a toolbar, displays ads in searches and tries to have the user install a “PC Cleaner tool” that is supposed to remove adware and malware.


Figure 3: E-mail provider selected.


Figure 4: User is asked to install the browser extension.

What Can I Do?

In the latest version of Google Chrome, this vulnerability has been fixed (version 58.0.3029.81), as it has in Opera (Version 44.0.2510.1449). To disable Punycode support in Mozilla Firefox, type about:config in the Firefox address bar and press enter. Then type network.IDN_show_punycode and set it to true by double clicking it.
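The single-script and diacritic lookalikes described above, checked the way a defender-side mail or proxy filter might, as an added example that is not Cyren’s code: it encodes each host-name label to its “xn--” wire form, records which Unicode scripts it uses, and folds it to an ASCII skeleton that is compared against a watchlist. PROTECTED_LABELS, the hand-built confusables subset and the sample hostnames are all constructed for this example.

```python
import codecs
import unicodedata

# Constructed watchlist of brand labels the article's examples impersonate.
PROTECTED_LABELS = {"paypal", "apple", "hotmail"}

# Hand-built subset of the Unicode confusables table (an assumption, not the full
# table) for lookalikes that NFKD decomposition does not fold to ASCII by itself.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA (the "l" in the apple PoC)
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the "i" in hotmaıl)
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_punycode(label: str) -> str:
    """ACE ("xn--...") form of one label, as it travels in DNS; ASCII labels are unchanged."""
    if label.isascii():
        return label
    return "xn--" + codecs.encode(label, "punycode").decode("ascii")


def from_punycode(ace: str) -> str:
    """Inverse of to_punycode: the Unicode label a browser would render."""
    if not ace.startswith("xn--"):
        return ace
    return codecs.decode(ace[4:].encode("ascii"), "punycode")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label (LATIN, CYRILLIC, GREEK, ...), read from the
    first word of each character's Unicode name; digits, hyphens and marks are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """ASCII string a reader perceives: map known confusables, then NFKD-decompose and
    drop combining marks, so "ḁ" (a with ring below) becomes a plain "a"."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def classify_label(label: str) -> dict:
    """Wire form, scripts and skeleton of one label, plus the reasons it looks spoofed:
    mixed scripts (the older trick browsers already flag) and, separately, a non-ASCII
    label whose skeleton equals a protected brand (the single-script/diacritic twist)."""
    label = label.lower()
    used = scripts_in(label)
    skel = skeleton(label)
    reasons = []
    if len(used) > 1:
        reasons.append("mixed scripts: " + "+".join(sorted(used)))
    if not label.isascii() and skel in PROTECTED_LABELS:
        reasons.append("lookalike of " + skel)
    return {"label": label, "ace": to_punycode(label), "scripts": sorted(used),
            "skeleton": skel, "reasons": reasons}


def suspicious_labels(hostname: str) -> list:
    """Classification of every label in hostname that raised at least one reason."""
    return [r for r in map(classify_label, hostname.split(".")) if r["reasons"]]


if __name__ == "__main__":
    # Constructed hostnames modelled on the article's cases (not observed sightings).
    for host in ["www.apple.com", "www.аррӏе.com", "paypḁl.com", "hotmaıl.com", "bücher.de"]:
        hits = suspicious_labels(host)
        print(f"{host:16} -> " + ("; ".join(f"{h['ace']} ({', '.join(h['reasons'])})"
                                            for h in hits) or "no lookalike labels"))
```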

About the author: Magni Reynir Sigurdsson is a senior malware researcher at Cyren, an internet Security as a Service provider that protects users against cyber attacks and data breaches through cloud-based web security, email security, DNS security and cloud sandboxing solutions.

SWIFT Attacks are Evolving - Is Your Segmentation Strategy?
Fri, 28 Apr 2017 06:58:06 -0500

Not too long ago, very few people had heard of the Society for Worldwide Interbank Financial Telecommunication or SWIFT. The organization’s standardized message format has been adopted as the global standard for interbank financial transfers, and the associated software and messaging network drives the majority of international banking transfers today, in excess of five billion financial messages a year. However, this is not why most people have heard of SWIFT.

In recent years, reports of cyber attacks and fraud utilizing or compromising SWIFT applications have increased significantly. In 2016, the Bangladesh Central Bank and the New York Federal Reserve were involved in a cyber heist that netted $101 million - most of which has not been recovered. An additional $850 million would likely have been stolen if a typo in one of the transactions had not been noticed and questioned. Other attacks on the SWIFT network have since been reported in Vietnam, Ecuador, and Ukraine, though the majority of banks and countries affected by the dozens of breaches being investigated have not been made public.

Evolving Attack Strategies

Attacks on payment systems, including SWIFT, are nothing new. Financial institutions have been combatting fraud and theft since day one and attackers have kept pace with changing technologies to exploit vulnerabilities wherever they exist. A few years ago, the strategy of choice for attackers was to compromise a user’s computer and then submit fraudulent financial transactions “as the user.” This drove the prevalence of banking malware and remote access trojans (RATs) that were a primary concern for financial institutions. And although these strategies still exist and are a threat to individuals, businesses, and banks, awareness of these threats has led to better safeguards and a lowered success rate for criminals.

Not ones to back down from a challenge, attackers began shifting their attacks from the user endpoints to the applications and networks that drive the banking systems themselves. The significance of the attack on Bangladesh Central Bank, aside from the massive amount stolen, was the actual methods the attackers used. In addition to leveraging credentials stolen from authorized users, the attackers installed malware to prevent the payment system from giving the attacker’s presence away.

For example, there was a system in place where all transactions would be printed out so there would be a hard copy of all transaction records. To circumvent this, attackers disabled this process so that their fraudulent transactions would not be in plain sight on the printed copies. In the Vietnam heist, attackers modified the PDF reader used to track SWIFT transfers so that the fraudulent transfers would not appear.

In addition to disabling the printing of transaction records, malware was installed on the server hosting the SWIFT Alliance Software - a software stack built by SWIFT for managing and connecting to the larger SWIFT network. This malware was designed to decrypt various configuration files to search for specific terms and then subsequently bypass validity checks to avoid the transactions being spotted.


It is clear that these attacks are becoming more sophisticated, but they are also moving down the stack, from the end users to the banking systems and safeguards that were previously beyond the reach of attackers.

Figure: SWIFT Alliance Software Architecture

Distilling an Effective Defense

SWIFT has since released its Customer Security Programme, which provides guidance to financial institutions for improving security protections around the SWIFT Alliance Software or any custom applications which interact with the SWIFT network. Although the guidance is a step in the right direction, actually securing a SWIFT application stack can be easier said than done, as many components of SWIFT applications are typically legacy physical systems which don’t support newer security software, don’t receive security updates, and often exist in data centers struggling to adapt to new security protocols themselves.

There are a variety of security controls that go into securing banking applications - transaction monitoring, user behavior monitoring, anti-malware, and user security training to name but a few - but network security for SWIFT Alliance Software (or custom SWIFT applications) has traditionally been challenging to implement.  

Until recently, a best practice was to place the various SWIFT components in a firewalled zone, but this still allowed unfettered communication with any other workloads in that zone and provided no visibility or control above Layer 4. Clearly, when dealing with adversaries who are skilled enough to compromise and exploit the very logic of the SWIFT applications themselves, a more nuanced approach is needed. The ideal solution would have three ingredients to effectively secure SWIFT application stacks:


  1. Microsegmentation for full visibility and control of all data center communications
  2. Ability to enforce security policies up through Layer 7 for a fine-grained and more effective policy construct
  3. Support across both virtual and physical workloads -- since many financial institutions still straddle both environments

Micro-segmenting the various components of the SWIFT application architecture ensures that only the appropriate endpoints and application components can communicate with each other and only over approved application protocols. Suddenly, if an attacker wanted to compromise your SWIFT application stack, they would need to do so using a vulnerability in a SWIFT application protocol and from another approved application component rather than simply gaining a foothold through an available port or protocol on the server running the SWIFT component. This is an extremely high barrier to entry for even the most skilled attacker.

Obviously there is no single silver bullet for protecting payment systems from fraud or cyber attacks. However, the ability to restrict the communications between the components of a payment system to only those that are required dramatically reduces the attack surfaces available to adversaries and provides far tighter controls than other approaches. As we continue to see attacks levied against banking and payment applications directly followed by the tightening of security best practices and cybersecurity regulations, the need for fine-grained visibility and control over all aspects of communication between system components will only rise.

About the author: Jesse McKenna is Director, Cybersecurity Product Management at vArmour. With over 12 years’ experience designing leading edge detection systems, he possesses deep expertise in fraud, security, behavioral analytics, and how theoretical detection and analytics concepts can be applied and operationalized in real world environments.
