Infosec Island Latest Articles

We Can’t Control Devices and People, but We Can Control the Network
Wed, 26 Apr 2017 09:47:38 -0500

For decades, consultants and federal systems integrators have served as a bridge between Silicon Valley and the U.S. Federal Government, offering a variety of products with a “mission-first” approach that directly addresses public sector needs. To learn more, I recently met with BAI Senior Director of Operations Ryan Morris to ask about current trends he is seeing, including what challenges federal agencies may face.


What challenges are you seeing in the federal sector?


What I’m not seeing is a budget issue. From a cybersecurity perspective, the federal space is fairly well-funded. The challenge, instead, is that many organizations have several disparate teams, each of whom has purchased myriad different products. It’s my job to help bring them all together. I look to take several years’ worth of investments and advise on how to make them work holistically, rather than as stovepipes so that these organizations can get the most out of what they already have.


What do you see happening in the future?


This industry tends to vacillate, expanding out and contracting back in. I’ve seen organizations that have previously veered away from basic foundational security. Now, they are looking to get back to basics (e.g., network segmentation, security policies).


We’re also starting to understand the way networks naturally evolve and, consequently, what is out of our control. For instance, we know we won’t have control over all network devices—it’s impossible to have an agent on every single one. We also know we can’t control people—they don’t always understand or care about security and will try to go around any limitations placed upon them.


By understanding where we can’t be successful, we can steer toward where we can be successful. We know we can’t control devices or users, but we have control of the network. And that’s a big deal. The network is an optimal place to layer in security.


What about encryption?

With 60 percent of gateway traffic now encrypted, there’s no question it’s an issue, but not everyone is sure of the best approach to solving the problem; they’re looking for guidance. Some innovators want to be the first to tackle it, but many more want to be last, preferring to see if others fail before they jump in.

Do you see increasing migration to the cloud? If so, what types of data are they moving?

We are finally seeing more FedRAMP-approved cloud services that the federal government can take advantage of—and it’s happening quickly.

Right now, Office 365-type services (e.g., email, SharePoint) are the most common applications migrated because they tend to be relatively easy to move and offer a great return on investment. However, from a security perspective, I find it interesting that organizations seem comfortable moving these first. Perhaps they are overlooking the fact that emails and attachments can potentially house all the crown jewels of an enterprise.

About the author: Dennis Reilly serves as the Vice President of Federal at Gigamon. In his current role, he successfully manages growth and the integrated business plan for the U.S. Federal Government market. With over 25 years of technology and business experience, Mr. Reilly is a strong advocate for the Federal government, applying information technology to increase collaboration, innovation and productivity.

Copyright 2010 Respective Author at Infosec Island
Smart Cities Must Be Secure Cities
Fri, 14 Apr 2017 08:16:00 -0500

If you’ve never heard the term “smart city” before, you are soon going to be hearing it a lot. Smart city technology uses data sensors and analytics, the IoT, and information and communication technology to improve the efficiency of city services and the quality of our lives. Smart cities monitor and manage physical assets, infrastructure, connectivity, and information services that affect citizens on a daily basis.

The smart city vision

You have probably already experienced a small sample of what smart city technology can do for you. For example, have you ever approached a highway on-ramp that is controlled by a smart traffic light that manages traffic flow, alleviates congestion and reduces idling time? Do you have a smart meter at home that monitors your daily energy consumption and recommends scheduling appliance usage during non-peak hours? Have you used a smartphone app that tells you where the empty parking spaces are in an airport garage? On a very small scale, those are all examples of smart city technology at work.

On a grander scale, imagine a city in which autonomous buses shuttle employees to work via the most efficient route, reducing individual automobile emissions and improving rush hour traffic flow. Or a virtual grid of sensors that relay data to a central processor to determine where air pollution is at critical levels, or where earth tremors are signaling a potential quake, warning the public of an impending emergency. Or Dedicated Short Range Communications (DSRC) devices in cars that eliminate the need for parking meters.

Does that sound like the Jetsons? Think again. This is reality in places like Singapore, Columbus, Ohio, and Barcelona, where smart city technology is being deployed. As more people move into cities and urban sprawl increases, integrated services and system efficiencies are critical to our quality of life. Smart city technologists envision community-wide free Wi-Fi, autonomous public transportation, DSRC traffic flow control, smart street lighting, energy efficiencies, data sensors across the city to collect and analyze metrics, and IoT devices in every smart building.

Public/private partnerships

Smart city initiatives are being planned and funded by both government agencies and commercial firms, with many projects undertaken as public/private partnerships. For example, the U.S. Department of Transportation’s Smart City Challenge is working with Columbus, Ohio (and other finalist municipalities) to implement smart transportation systems that improve traffic flow, reduce transportation costs, and create more efficient systems. The state of Illinois is going after the title of “first smart state” with the 2016 creation of a statewide agency overseeing smart technology across the state, from digitizing public health care services to installing energy efficient street lights.

I recently had the privilege of meeting with Governor Terry McAuliffe of Virginia. As chair of the National Governors Association (NGA), McAuliffe has announced that Meet the Threat is his focus for the NGA this coming year to improve cybersecurity strategies and practices nationwide. He is also working with mayors from four Virginia cities who have submitted proposals to the ongoing DOT Smart City Challenge program. McAuliffe’s initiatives illustrate the reality that cybersecurity is no longer an IT issue – it is a public safety issue, an infrastructure issue, an executive issue that touches all aspects of our lives. Security must be planned for and funded as an integral part of each and every technology initiative.

The technology

Clearly, smart cities are welcome if the technology truly improves our lives. But it can be alarming if our privacy is at further risk. Since these smart city initiatives are just beginning, we have an opportunity and obligation to take the time to make sure that security is an integral part of the overall design. If smart city technology is not secure, we are not only putting our systems at risk, we are risking the safety and lives of the citizenry as well.

In many respects, smart city technology is simply a scaling of our existing technology – an expansion of networks, data repositories, the IoT, and wireless communications. That means bigger networks, expansive cloud-based services, more IoT devices and interconnected devices – infrastructure that moves beyond enterprise walls and permeates all aspects of our lives. That also means more opportunities for adversaries to take advantage of security weaknesses.

Smart technology is not smart enough without security that is completely integrated into the smart devices and applications from the outset. And smart security must scale along with the technology and infrastructure changes.

Smart security at the city level

Take the City of San Diego as an example. As the eighth largest city in the U.S., San Diego operations include 24 networks and 40 departments all running 24/7, from traffic control to library services, from the police department to waste management. With over a million cyberattacks per day, the city’s infrastructure cannot afford anything but the most comprehensive and trustworthy security to prevent potential disruptions and catastrophic losses. With the help of Tenable’s security solutions, the city inventoried all of their systems, deployed active and passive scanning, identified hundreds of at-risk devices to patch or decommission, and implemented continuous security monitoring to protect all assets across the city. City officials estimate that they are saving over one million dollars per year by reducing their threat exposure and strengthening their security against potential breaches. And with the continual development and expansion of Tenable services, security is growing as San Diego enters the smart city era. No asset goes live without a thorough scan and configuration audit.

“Design in” security

There is an old adage that says, “plan, plan, plan and then execute.” I urge all politicians, state and local officials, urban planning and development organizations to take a step back, collaborate and design security into the vision of the smart city. The time spent to get it right out of the gate will save taxpayers significant sums in the future by not having to compensate for security issues later with people, technologies and programs when it could have been designed in from the start.

About the author: Jack Huffard is the president and chief operating officer of Tenable, where he is responsible for driving all global revenue growth and leading the company’s corporate strategy and organizational growth.

Is Fileless Malware Really Fileless?
Thu, 13 Apr 2017 11:59:00 -0500

Reports of fileless malware infecting companies around the world have hit a new high, most recently attributed to a single group, FIN7. Besides residing in memory in order to remain nearly invisible, another aspect of fileless malware is the usage of widely deployed tools which systems administrators rely on, such as PowerShell. I wrote back in 2015 on how attackers could be living off the LAN by using similar techniques.

Why are attackers suddenly again leveraging fileless malware?

Fileless malware does not mean memory-only malware. Attackers are migrating toward fileless malware simply because running exploits directly in memory has a lower detection rate with security tools than executing a malicious binary on an endpoint.

That being said, attacks like this are most easily detected when they attempt to establish persistence on the victim machine. Any persistence leaves behind evidence in predictable locations on disk, typically the registry, system services, or scheduled tasks. Monitoring these areas can provide early indications of even the most advanced attacks.

Groups such as FIN7 operate like any other legitimate business. They are after return on investment for their criminal endeavors. When they see success in business opportunities such as fileless malware, they will continue to fund development in exploit techniques. It’s easy for an attacker to change the tools at their disposal; it is much harder for someone to change their tactics, techniques, and procedures.

While a migration to using fileless malware is a new development, the data they are after and the attack patterns they use will still be very similar. Adopting best practices and leveraging critical security controls will continue to be the best bet for defending against advanced adversaries, such as FIN7.

Since not every endpoint solution inspects memory directly, this makes memory an ideal place to hide. In addition, tools such as PowerShell are already deployed. These have multiple benefits for the attacker. Being able to live off the LAN reduces the noise in having to deploy malware to their victims.

Since every endpoint solution monitors the file system, writing to disk can trip the tripwire where defenses are looking. Having malware reside only in memory avoids that risk. Because these tools are also widely used, malicious usage can attempt to blend into the typical noise of the environment.

Because Windows is the primary focus of existing fileless malware, we’ll look at why fileless malware on Windows isn’t really fileless. With a narrow scope that defines malware as only the code executing on the operating system, fileless malware can indeed be fileless.

Even the best endpoint products can miss advanced malware running in memory, and few organizations are running memory analysis tools like Volatility.

Taking a step back from the narrow definition, the goal of the person behind the malware is to gather as much data against their target as possible. In order to do that, the malware needs to be able to recover from interruptions, and the way to do that is to persist across reboots. In order to persist, something needs to be written to disk.

In looking at research conducted earlier this year, the fileless malware created a service in order to persist after a reboot. The two registry keys written to were:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp

The services section of the ControlSet hives is where system services live within the registry. This is how the malware will persist after a system reboot. The registry hive has CurrentControlSet, ControlSet001, and ControlSet002. According to this helpful Microsoft KB Article:

“ControlSet001 may be the last control set you booted with, while ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows NT. The CurrentControlSet subkey is really a pointer to one of the ControlSetXXX keys.”

Registry hives are stored as files on the operating system in the System32 directory. The SYSTEM hive referenced above is written to the %WINDIR%\System32\config\SYSTEM file on the operating system – definitive proof that fileless malware is, in fact, not actually fileless.

Any malware that hopes to survive for an extended length of time ultimately needs to persist somewhere, and that will likely be found somewhere on disk.

It doesn’t matter how advanced your adversaries are, the simple defensive measures still matter. Adopting just the first five critical security controls will stop 85 percent of attacks. For the remaining 15 percent, monitor the endpoints for change to quickly identify malicious behavior.
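As an added example (not code from the article or from Tripwire), the PowerShell script below implements the monitoring the article recommends: it snapshots the two persistence locations named above, the services key and the PortProxy key, read through CurrentControlSet, and reports anything added, changed or removed since a saved baseline. The baseline file location and the choice of ImagePath as the per-service value to track are assumptions.

```powershell
# Added example (not from the article): baseline-and-diff monitor for the two
# persistence locations the article names. The baseline path is an assumption.
param(
    [string]$BaselinePath = "$env:ProgramData\persistence-baseline.xml"
)

# CurrentControlSet is a pointer to whichever ControlSetXXX key the system
# booted with, so reading it covers the ControlSet001 keys in the article.
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$PortProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'

function Get-PersistenceSnapshot {
    $snapshot = @()

    # One record per service: its name plus the binary it launches (ImagePath),
    # so a service whose binary is silently swapped still shows up as a change.
    foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $snapshot += [pscustomobject]@{
            Kind  = 'Service'
            Name  = $svc.PSChildName
            Value = [string]$props.ImagePath
        }
    }

    # One record per port-proxy rule. Each value under the key is one rule:
    # value name = listen address/port, value data = connect address/port.
    if (Test-Path $PortProxyKey) {
        $props = Get-ItemProperty -Path $PortProxyKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $snapshot += [pscustomobject]@{
                Kind  = 'PortProxy'
                Name  = $p.Name
                Value = [string]$p.Value
            }
        }
    }

    return $snapshot
}

$current = @(Get-PersistenceSnapshot)

# First run: record the known-good state and stop.
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

$baseline = @(Import-Clixml -Path $BaselinePath)

# Compare on Kind+Name+Value so a changed ImagePath is reported, not only new names.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                       -Property Kind, Name, Value

if (-not $diff) {
    Write-Output 'No change to services or port-proxy entries since baseline.'
    return
}

# '=>' means present now but not in the baseline; '<=' means gone since baseline.
foreach ($d in $diff) {
    $state = if ($d.SideIndicator -eq '=>') { 'ADDED/CHANGED' } else { 'REMOVED' }
    Write-Output ('{0,-14} {1,-10} {2,-40} {3}' -f $state, $d.Kind, $d.Name, $d.Value)
}
```

Run it once from an elevated prompt to write the baseline, then on a schedule; any new service or port-proxy rule is worth a look, and the baseline should be regenerated only after an approved change.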

About the author: Travis Smith is a Senior Security Research Engineer at Tripwire. He has over 10 years experience in security, holds an MBA with a concentration in information security, and multiple certifications including CISSP, GIAC and GPEN. Travis specializes in integrating various technologies and processes, with a passion for forensics and security analytics with the goal of helping customers identify and mitigate real threats.

What Is Your Security Canary?
Thu, 13 Apr 2017 09:38:00 -0500

At the turn of the 20th century, coal miners were in a tough spot - their livelihoods and the continued operation of their respective employers required work in dangerous conditions where exposure to invisible toxic gasses killed large numbers of miners every year. Then, Scottish physiologist John Scott Haldane proposed the use of sentinel species - small animals with fast metabolisms who were more sensitive to the atmospheric conditions and potential contaminants - to give miners an earlier warning that toxic gasses were present so they could escape. This is the origin of the well-worn “canary in the coal mine” idiom.

“But wait, didn’t the miners already have a warning? If their buddy falls over dead, then they know they should get out. Why do they need a canary?” [cue appalled silence]

The miners are the thing being protected, so we’d never accept the loss of one as an early warning system for the rest; the goal is to protect all of them. But what if the thing being protected wasn’t individuals? What if it was sensitive data distributed across the computers on a corporate network? A really accurate indicator that you have a ransomware infection is if you have a computer with all its contents encrypted and it’s asking you for a ransom. Of course, at that point, you’ve already lost at least one of your miners. This clearly isn’t an ideal approach, but this is effectively how many organizations become aware of ransomware infections today.

Ransomware is arguably one of the biggest challenges facing security teams today. Just a few years ago a potential malware infection would be somewhat slow moving as the attacker navigates the environment looking for the crown jewels while also trying to remain undetected. However, in the case of ransomware, endpoints, servers, and file shares are attacked and encrypted more indiscriminately and with very little delay. This problem is amplified by the relatively low barrier to entry for creating ransomware and the proliferation of ransomware-as-a-service offerings. With the change in attacker tactics, security teams must also evaluate their detection and prevention systems to ensure they are prepared for the new landscape of ransomware attacks.

When looking at security infrastructures for addressing ransomware, an obvious place to implement detection solutions is on the endpoints themselves. After all, it’s the scene of the crime and it’s where antivirus protection traditionally sits - what better place to detect ransomware? Turns out, the obvious approach is less than ideal.

To begin with, detection of ransomware on an endpoint has the same challenges as detecting other types of malware. Namely, through custom repacking of the malware, attackers can easily circumvent even the most up-to-date signature-based detection. This evolution of AV avoidance over the past decade has dramatically impacted the efficacy of AV solutions and has resulted in many declaring that “AV is dead.” It’s hard not to see endpoint detection of ransomware in the same light.

The second challenge to endpoint detection of ransomware is that new strains of ransomware are not strictly file-based. For example, the encryption of the host files can be easily achieved using PowerShell to download malware directly into memory. Without a file to analyze and check against known signatures, ransomware detection and prevention tools are at a significant disadvantage, as process or active memory analysis is extremely challenging.

The third, and arguably the biggest, challenge to detecting ransomware on the endpoint is that once an attacker is able to establish a presence on it, it’s largely game over for that endpoint. As the attacker is on the same endpoint as the data intended to be encrypted and the tools designed to protect that data, a savvy attacker will first attempt to disable the protections before continuing to encrypt the data. Some may argue that ransomware delivery and execution is a largely automated process, so disabling any local protections is unlikely. This would otherwise be true, but attackers have learned their lessons from previous malware development and are able to leverage their automated AV avoidance in similar fashion to attack ransomware solutions.

So what would a better ransomware detection approach look like? It should be independent from production workloads, so that when an attack occurs no critical data is impacted. It should generate high-fidelity alerts, so that security teams don’t waste time chasing down false positives. And it should provide broad detection coverage across the environment, so that infections can be detected reliably. Deception technologies, though not often thought of as a prevention mechanism for ransomware, can provide capabilities for early detection without impacting production workloads.

Deception solutions implemented at the network, rather than running on the endpoints themselves, can create the illusion of additional endpoints, file shares, and other vulnerable services across the environment. By creating additional “fake” endpoints that contain no production data, any ransomware attacks on these systems are a win for the organization’s security teams as they are able to identify, quarantine, and remediate the ransomware prior to it impacting real production workloads and data.

As deception solutions are designed to lure attackers outside the realm of legitimate network traffic, any communications intercepted by the deception can immediately be classified as suspicious, if not outright malicious. In addition to identifying suspicious activity where no traffic should ever be, network-based deception solutions are also isolated from the inherent noise of endpoint processes, further increasing the accuracy of any resulting alerts. Deception-based ransomware detection approaches also have an advantage over many other types of detection systems as they are able to monitor for changes to the deception file system with total disregard for the contents of the data. This provides further certainty to the ransomware alerts generated, still without impacting any production data or workloads.

Lack of broad coverage has historically been an inhibitor to more widespread adoption of deception technologies: although they were isolated and accurate, it was challenging to ensure an attacker or infection would stumble upon the deception. In recent years, however, deception vendors have been introducing various technical solutions to increase the breadth of coverage provided by their respective products. In some cases, this is achieved without significant increases in the solution’s existing footprint.

Like computer worms, botnets, and remote access trojans, ransomware has come to the forefront of threats facing organizations in recent years, and although new approaches are required to address this threat, there are solutions available to better detect and respond to ransomware without impacting production workloads or data. By diverting attackers away from production endpoints, deception technologies are able to better protect the organization with broad environmental coverage and high-fidelity alerts. Although traditional anti-malware approaches tend to focus on looking deep within each endpoint for suspicious activity, in the case of ransomware particularly, this equates to monitoring the coal miners: when an event happens, you’ve just lost a miner. Ransomware is an aggressive and fast-moving threat facing organizations of all sizes, so rapid, accurate, and isolated identification of potential infections is a necessity in today’s threat landscape.

Ask a Security Pro: Encryption Explained
Thu, 13 Apr 2017 07:29:00 -0500

Over the last year I’ve led a multitude of security workshops aimed to educate entry-level WordPress users about website security. Some of the questions I regularly field in these workshops are related to the mechanics of SSL certificates, and their role in protecting website data from prying eyes. As you may know, the installation of an SSL certificate on a web server allows the server to accept traffic on the hypertext transfer protocol (secure), or simply ‘HTTPS,’ the primary form of encrypted data transfer between websites and visitors. I’d like to share the answers to some of the most frequently asked questions I’ve had on the subject.

SSL is the Armored Truck

The first thing I’d like to clarify on the subject of HTTPS and SSL certificates specifically is that the use of SSL certificates and HTTPS do not in any way, shape, or form protect the data on your website itself. HTTPS encrypts data in transit only. Neither does it protect data resting on visitors’ computers. You should consider HTTPS the armored truck of websites, not the bank vault. It acts as the protection against adversaries while data travels from point ‘A’ to point ‘B’.

Did you know that most HTTPS connections are actually using TLS (Transport Layer Security) ciphers, not Secure Sockets Layer (SSL) ciphers? SSL ciphers have been phased out in favor of newer TLS technology. Vendors continue to use the term SSL likely due to consumer familiarity with the term.

While SSL certificates form a very important part of your overall security posture as a WordPress website owner, the security of your website itself should instead be entrusted in security processes and mechanisms, such as a secure development life cycle (SDLC), the implementation of network and web application firewalls (WAF), and regular malware and vulnerability scans.

SSL Certificate

When it comes to the subject of encryption, I think most of us correctly visualize the rather abstract concept of jumbled words or characters so the original message is no longer legible, and thus protected from adversaries. However, few that I’ve encountered outside the security community have a firm understanding of what exactly the mechanics are behind that process. Encryption holds very ancient roots in human society, most obviously in military communications, where it’s designed to conceal the true message from enemies attempting to intercept to learn about troop movements and strategies. However, avoiding a verbose lesson in cryptographic history, for this article we’re going to focus on the concept of encryption and how it works in reference to modern websites utilizing SSL certificates for HTTPS.

Modern-day websites using HTTPS typically rely on a system called public key cryptography, also known as asymmetric cryptography, to protect data in transit. In public key cryptography the website owner generates a set of unique keys, one public key and one private key. The public key is as its name denotes, the non-private half of the relationship used by the public to facilitate private communication that can be nearly impossible to decode without possession of the associated private key. The integrity of this system depends entirely on both the secrecy of the private key and its strength against breaches. Much like if the keys to your house are stolen, if the private key is stolen, you are compromised and the only solution is to change the locks. This process is called re-keying in terms of SSL certificates.

Public Key Encryption

Web servers will typically support a variety of different encryption ciphers. When you visit a website using an SSL certificate to provide HTTPS, a discussion occurs between your browser and the website server to communicate what ciphers you both support. The browser and website server will then agree upon the strongest common cipher to use. This process is called negotiation. Once your browser and the website server have agreed upon a cipher to use, the web server provides your browser a public key to use for the initial encryption of the data your browser wishes to send. Once this asymmetric key relationship has been established, a second symmetric key relationship is formed using the same cipher already agreed upon and the initial public key so that both parties can encrypt and decrypt messages from each other.

SSL Asymmetric Key Relationship

The reason that both asymmetric and symmetric keys are used in these communications is due to the initial stages where an agreed upon cipher has to be transmitted over plain text, and the following communications are what need to be protected. As a result, the website server hands your browser the method for keeping the main symmetric keys safe by providing its public key in the beginning of the conversation, essentially providing two layers of protection for the data that follows.

Not all ciphers are created equally. The strength of a cipher is determined by the difficulty involved in reversing encrypted data back to plain text without possession of its associated private key. This is measured in the time and computational resources required to complete the process. Some ciphers would take hundreds of thousands of years to reverse with the modern computational power currently available, whereas other, older ciphers may now take only a few minutes to break. Cipher generations evolve relative to the average computational power available to the public because while we want our data to be secure, we also demand that websites load quickly. The strongest ciphers generally create messages that take a long time to decrypt, so a balance must be struck between speed and security. As computers become faster, we are able to use stronger ciphers without sacrificing speed. On the other side of the coin, we must increase security because computers are able to break encryption with more ease. This is why you may hear about ciphers becoming outdated or obsolete. Modern encryption has become an arms race between brilliant mathematicians and their computers, and hackers and theirs.

Have a question for our security professionals or a topic that you would like us to write about? Message @SiteLock and use the #AskSecPro tag!

Plugging the Gaps in Your Incident Response
Thu, 13 Apr 2017 05:21:00 -0500

‘It’s not the problem that matters: it’s how you deal with it,’ as the old saying goes. So how well-prepared is your organization to respond to a cybersecurity incident such as an attack, data breach or unexpected outage? According to the 2016 SANS Incident Response Survey, 87% of organizations said they responded to at least one incident in the past year, and 59% of these resulted in a breach. As such, it’s critical to handle these incidents in a way that minimizes damage, recovery time and costs.

To help them do this, organizations have introduced a range of tools and processes to make incident response more intelligent and effective. But a gap still exists in many organizations’ response processes, which is the ability to identify the business context of incidents. Let’s take a closer look at what this means, and why it matters.

Most incident response processes are built around a SIEM (security information and event management) system, which collects alerts and logs from security sensors including anti-virus, firewalls and so on. This can amount to hundreds or even thousands of alerts per day in a large enterprise, which the SIEM system and associated tools filter to remove false alarms and low-level alerts, flagging only the events that merit closer investigation by the security operations center (SOC).

For every relevant alert – let’s say 100 per day – that is classified as a genuine incident needing closer scrutiny, the SOC then has two key steps to take. The first is to triage the incident, gathering information on what is happening, what it affects and what the potential for real network damage is; the second is to put together and implement a prioritized action plan.

Context matters

Currently, most businesses do not have an automated process for handling these steps. Some may have documentation to guide the SOC engineers on what to do, or in other cases the entire process may be ‘free-form’, relying on the engineers’ experience and intuition. What’s frequently neglected is the business context of the incident.

Business context in incident response is all about connecting data regarding the security incident to the actual, real-life, business processes or critical applications that the incident may affect. The aim, ultimately, is to enrich the technical detail of the incident, such as ‘this server is affected by this piece of malware’, with the context of the business applications it affects, such as ‘this server is part of our European ecommerce system, and it connects to these core payment applications, and if we shut it down we will be unable to process any payments from European customers.’

As such, business context not only helps the SOC identify which security incidents need to be prioritized, but also which course of action is most appropriate and, crucially, when it would be best to address them.

Let’s, for example, imagine that your SOC discovers that your European e-commerce system needs critical security patches. It’s a business priority – but does it absolutely need to take place during peak European shopping hours, with the risk of unexpected downtime and substantial lost revenues? Could it instead wait until 2am Central European Time? With the intelligence provided by the business context, your SOC can quickly weigh up the security risks versus the operational risks, and make the smartest incident response decisions from a business perspective.

Making the connections

Another process that can further enhance an organization’s incident response capability is connectivity analysis, which offers the SOC team an even deeper understanding of an incident’s potential impact by highlighting the connectivity between compromised assets and the rest of the network. In other words, it shows how far the attack could potentially spread, and highlights the security risk.

So, turning again to the example of a server being infected by malware, a connectivity analysis process asks: what is that malware going to do next? One typical action might be an attempt to spread to and infect other systems on the network. Another might be to try to steal data from the infected server, and attempt to send that information out to an external controller. A third action might be to open the server to connections from external addresses to trigger a download of further malicious code (which is typical behaviour for ransomware).

The potential severity of these actions depends on the structure of the organization’s network, and where in that structure the compromised machine is placed. Is that server able to make outbound connections to IP addresses on the internet? If so, then malware on that machine is likely to be able to exfiltrate data – which makes resolving the infection a priority to avoid data breaches. However, if traffic from the compromised server is blocked by a perimeter firewall, then the risk of a breach is reduced. 

Similarly, if the malware cannot move laterally to infect other systems that host critical data, because the network is robustly segmented, then security staff are in a better position to prioritize incident response. 

As with business context, connectivity analysis helps categorize and prioritize incidents according to their risk and impact level. The analysis is done by using a security policy management solution to run automated ‘what if?’ traffic simulations, to identify which assets on the network have been compromised, and which other systems and resources those assets can connect to, both inside and outside the network. For example, the simulation may show that an infected machine is secured against external connections, but not properly segmented from internal servers hosting sensitive material. As such, infections on that machine should be prioritized for cleanup before the infection spreads laterally.
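The ‘what if?’ simulation described above, reduced to its essentials as an added example (not code from the article or from any policy management product): a first-match firewall model is queried from the point of view of a compromised host to list which internal assets it could open connections to, whether any of them hold sensitive data, and whether it has a path to the internet. The asset inventory, rule base, TEST-NET-3 probe address and the P1/P2/P3 priority scheme are all constructed for illustration; a real tool would read the live rule bases and routing tables instead.

```python
"""Connectivity 'what if?' simulation for a compromised host (added example).

The asset list, rule base and priority scheme are constructed; a policy
management tool would read the live rule bases and routing instead.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TEST-NET-3 address stands in for "somewhere on the internet" (constructed).
INTERNET_PROBE_IP = "203.0.113.10"
INTERNET_PROBE_PORTS = (443, 80)


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    services: frozenset            # TCP ports the asset listens on
    tags: frozenset = frozenset()  # e.g. {"sensitive-data"}


@dataclass
class Exposure:
    compromised: str
    reachable: List[Tuple[str, int]]            # (asset, port) pairs it can open
    sensitive_reachable: List[Tuple[str, int]]  # subset tagged sensitive-data
    internet_egress: bool
    priority: str                               # P1 (highest) .. P3


def first_match(rules, src_ip, dst_ip, port):
    """Evaluate a first-match rule base; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def simulate(compromised, assets, rules):
    """Ask 'what could this host reach?' and derive a cleanup priority."""
    reachable, sensitive = [], []
    for asset in assets:
        if asset.name == compromised.name:
            continue
        for port in sorted(asset.services):
            if first_match(rules, compromised.ip, asset.ip, port) == "allow":
                reachable.append((asset.name, port))
                if "sensitive-data" in asset.tags:
                    sensitive.append((asset.name, port))
    egress = any(first_match(rules, compromised.ip, INTERNET_PROBE_IP, p) == "allow"
                 for p in INTERNET_PROBE_PORTS)
    # Priority scheme (constructed): lateral access to sensitive systems, or
    # compromise of a sensitive system itself, is P1; any other reachable
    # target or an exfiltration path is P2; a fully contained host is P3.
    if sensitive or "sensitive-data" in compromised.tags:
        priority = "P1"
    elif reachable or egress:
        priority = "P2"
    else:
        priority = "P3"
    return Exposure(compromised.name, reachable, sensitive, egress, priority)


# Constructed sample environment: three tiers behind a first-match rule base.
ASSETS = [
    Asset("web01", "10.0.1.10", frozenset({443})),
    Asset("app01", "10.0.2.10", frozenset({8443})),
    Asset("db01", "10.0.3.10", frozenset({5432}), frozenset({"sensitive-data"})),
    Asset("hr-files", "10.0.3.20", frozenset({445}), frozenset({"sensitive-data"})),
]
RULES = [
    Rule("10.0.1.0/24", "10.0.2.0/24", 8443, "allow"),  # web tier -> app tier
    Rule("10.0.2.0/24", "10.0.3.0/24", 5432, "allow"),  # app tier -> database
    Rule("10.0.1.0/24", "0.0.0.0/0", 443, "allow"),     # web tier may call out on 443
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),       # explicit default deny
]


def assess(asset_name):
    """Run the simulation for one named asset in the sample environment."""
    by_name = {a.name: a for a in ASSETS}
    return simulate(by_name[asset_name], ASSETS, RULES)


if __name__ == "__main__":
    for name in ("web01", "app01", "db01"):
        print(assess(name))
```

In the sample environment the web server can reach the internet but nothing sensitive, so its compromise is an exfiltration concern (P2), while the application server has no outbound path but can talk to the database that holds sensitive data, so an infection there is prioritized for cleanup before it spreads laterally (P1), which is exactly the distinction the article draws.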

Together, business context and connectivity analysis help organizations to answer the “what if?” questions: what could that incident lead to? What could its impact on the bottom line be? What’s the optimum approach to fixing it, and when? They enable more efficient incident response by helping IT teams to focus on what really matters to the business.

Copyright 2010 Respective Author at Infosec Island
SAP Cyber Threat Intelligence Report – April 2017 Thu, 13 Apr 2017 03:21:08 -0500 The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report is intended to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • This month, the software vendor released 27 SAP Security Notes; the majority of them address missing authorization checks.
  • The most severe vulnerability is RCE in TREX/BWA. It was assessed at 9.4.

SAP Security Notes – April 2017

SAP has released the monthly critical patch update for April 2017. This patch update includes 27 SAP Notes (17 SAP Security Patch Day Notes and 10 Support Package Notes).

12 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.

5 of the released SAP Security Notes have a High priority rating and 1 was rated Hot News. The highest CVSS score of the vulnerabilities is 9.4.

(Chart: SAP Security Notes April 2017 by priority)

The most common vulnerability type is Missing Authorization check.

(Chart: SAP Security Notes April 2017 by type)

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities that were identified by ERPScan researchers.

  • A Remote command execution vulnerability in SAP TREX / BWA (CVSS Base Score: 9.4). Update is available in SAP Security Note 2419592. A Remote command execution vulnerability allows an attacker to inject code that can be executed by the application. Executed commands will run with the same privileges as the service that executed the command.
  • A Cross-Site Scripting vulnerability in SAP NetWeaver Central Technical Configuration (CVSS Base Score: 6.3). Update is available in SAP Security Note 2406783. An attacker can use a Cross-site scripting vulnerability for injecting a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to the user session and learn business critical information, in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content.
  • A Cross-Site Scripting vulnerability in SAP NetWeaver Java Archiving Framework (CVSS Base Score: 6.1). Update is available in SAP Security Note 2308535. An attacker can use a Cross-site scripting vulnerability for injecting a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to the user session and learn business critical information, in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content.
  • An XML external entity vulnerability in SAP Knowledge Management ICE Service (CVSS Base Score: 4.9). Update is available in SAP Security Note 2387249. An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to gain unauthorized access to the OS file system.

The most critical issues closed by SAP Security Notes April 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2421287: SAP SAPLPD has a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. While it is down, nobody can use this service, which disrupts business processes, causes system downtime and, as a result, harms business reputation. Install this SAP Security Note to prevent the risks.
  • 2410082: SAP Web Dynpro Flash Island has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to gain unauthorised access to the OS file system. Install this SAP Security Note to prevent the risks.
  • 2423486: SAP NetWeaver ADBC Demo Programs have a Missing authorization check vulnerability (CVSS Base Score: 6.3). An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
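Two of the notes above (2387249 and 2410082) concern XML external entity processing, and both bullets describe the same root cause: a parser that honours entity declarations in untrusted input. The following is an added example of the defensive side, not SAP code and not part of the report: a parser wrapper built on the Python standard library's expat binding that aborts as soon as a document declares any entity, references an external one or points at an external DTD, so the parser can never be turned into a file reader or URL fetcher and entity-expansion documents are refused at the same gate. The sample documents, element names and file path are constructed.

```python
"""Entity-rejecting XML parsing for untrusted input (added example).

Not SAP's code and not from the report; element names and samples are
constructed.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """The document uses a DTD construct this service refuses to process."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML document into {element: text}.

    Any entity declaration (internal or external), any reference to an
    external entity and any external DTD subset aborts the parse. That
    closes the XXE path and, as a side effect, refuses entity-expansion
    ("billion laughs") documents as well.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never process parameter entities, which is how an external DTD would load.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXmlError("external DTD subset rejected")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        raise UnsafeXmlError(f"{kind} entity declaration {name!r} rejected")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXmlError(f"external entity reference {system_id!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    fields, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def on_text(text):
        if stack:
            fields[stack[-1]] = fields.get(stack[-1], "") + text

    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return {k: v.strip() for k, v in fields.items() if v.strip()}


def rejects(data: bytes) -> bool:
    """True if the document is refused on DTD grounds."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return True
    return False


# Constructed samples: a benign request, an XXE probe and a billion-laughs nest.
BENIGN = b"<request><user>alice</user><action>list</action></request>"
XXE = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       b"<request><user>&ext;</user></request>")
BOMB = (b'<!DOCTYPE r [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b"<request><user>&b;</user></request>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for sample in (XXE, BOMB):
        print("rejected" if rejects(sample) else "accepted")
```

Refusing every entity declaration is stricter than disabling only external ones, but for a service interface that never legitimately needs a DTD it is the simplest policy to reason about and to audit.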

Advisories for these SAP vulnerabilities with technical details will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Growing Risk In IoT & Mobile App Security Fri, 07 Apr 2017 12:44:51 -0500 Mobile and IoT applications continue to be released at a rapid pace to meet user demands, and despite widespread concern about their security, organizations are still ill-prepared for the risks they pose. In fact, for many apps, security isn't built in. Too often, the binary code is left unprotected, which allows easy entry for hackers and heightens the potential negative impact not only for the organization but also for its customers.

A new report from Ponemon Institute, IBM Security, and Arxan, titled “2017 Study on Mobile and Internet of Things Application Security”, examined the practices and opinions of IT and IT security practitioners. The report found that IoT and mobile app security is at considerable risk, as confusion over who owns security within the development, testing and implementation process remains. This highlights the laissez-faire attitude toward the security of mobile and IoT applications.

Let’s take a look at some of the detailed findings.

  1. Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace - Organizations are having a more difficult time securing IoT apps. In fact, respondents are slightly more concerned about getting hacked through an IoT app (58 percent) than a mobile app (53 percent). However, despite their concern, organizations are not mobilizing against the threat. Forty-four percent of respondents say they are taking no steps and 11 percent are unsure if their organization is doing anything to prevent such an attack.
  2. 63% are not confident or have no confidence their organizations know all of the mobile applications used by employees - An even larger percentage of respondents (75 percent) are not confident (38 percent) or have no confidence (37 percent) they know all of the IoT apps in the workplace. However, respondents estimate that the average number of mobile apps in their organizations is 472 and the average number of IoT apps is 241.
  3. The functions most responsible for mobile and IoT security are outside the security function - Only 15 percent of respondents say the CISO is most responsible and only 11 percent of respondents say application development is primarily responsible for security of apps. In the case of IoT apps, only 5 percent of respondents say the CISO is primarily responsible. Instead, the head of product engineering and lines of business are most responsible (31 percent and 21 percent of respondents, respectively).
  4. Hacking incidents and regulations drive growth in budgets - Only 30 percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (54 percent of respondents). Other reasons to increase the budget are if new regulations were issued (46 percent of respondents) or if they were exposed to media coverage of a serious hacking incident affecting another company (25 percent of respondents).
  5. Only 32% of respondents say their organization urgently wants to secure mobile apps - In fact, only 42 percent of respondents say it is urgent to secure IoT apps. Factors revealed in the study that might explain the lack of urgency include: not enough budget being allocated to the security of these apps and the individuals most often responsible for stopping attacks are not in the security function. Rather, they reside in the lines of business, development or engineering.
  6. Material data breach or cyber attacks have occurred and are reasons for concern - Respondents report they know with certainty (11 percent), or most likely (15 percent) or likely (34 percent) that their organization had a security incident because of an insecure mobile app. Respondents report they are less certain whether their organization had a material data breach or cyber attack due to an insecure IoT app. Forty-six percent of respondents say with certainty (4 percent), most likely (11 percent) or likely (31 percent).
  7. Almost half (48 percent of respondents) say security testing of IoT apps does not occur - On average only 29 percent of mobile apps and 20 percent of IoT apps are tested for vulnerabilities. An average of 30 percent of mobile apps tested contain vulnerabilities and an average of 38 percent of IoT apps tested contain significant vulnerabilities. 
  8. Rush to release is the main reason why both mobile and IoT apps contain vulnerable code - Sixty-nine percent of respondents say pressure on the development team is why mobile apps contain vulnerable code and 75 percent of respondents say the same reason contributes to vulnerable code in IoT apps. Accidental coding errors in mobile and IoT apps are another primary reason for vulnerable code (65 percent of respondents). An additional issue affecting the security of apps is the lack of internal policies or rules that clarify security requirements.
Are Job Seekers at Risk of a Cyber Breach? Fri, 07 Apr 2017 03:17:38 -0500 America’s JobLink (AJL), a Kansas-based system that works with state governments to provide job seekers with information, recently experienced a cyber-attack that revealed the information of job seekers in its database. The breach exposed the names, Social Security Numbers, and birthdates of users. According to the investigation, the breach first occurred in February and users who created JobLink accounts before March 14th could be affected. Ten states were affected by this data breach, and 4.8 million user accounts throughout the nation were compromised.   

According to an independent forensic firm that was hired by AJL to look into the data breach, the cyber attackers were able to exploit a vulnerability to access this confidential information. The attacker created a fake account on one of the JobLink portals and then accessed information about other users. The cyber attack is under a criminal investigation by the FBI. In addition, the Department of Labor has launched investigations in each state and published information about the security incident on its official website.  

The Department of Labor has advised job seekers who have had their information compromised in this breach to place a fraud alert on their credit reports. JobLink users should also review their bank and credit card statements regularly to uncover any suspicious or inconsistent activity.   

As hackers continue to target databases like JobLink for sensitive information, organizations should consider implementing consistent security practices to keep user information secure from breaches. Below are five security tips that organizations can use to safeguard user data:   

  1. Conduct Vulnerability Audits: Regular vulnerability audits are important for organizations because they uncover gaps in security. By uncovering security gaps before they have a chance to be exploited, organizations can prevent hackers from compromising confidential user data.
  2. Conduct an IT Applications Audit: Another audit organizations can conduct is an audit of IT applications. Through an IT applications audit, organizations can uncover unauthorized software and apps running on the network. This unauthorized software could have a vulnerability that a hacker could exploit. By getting rid of unauthorized software, organizations can decrease the amount of potential vulnerabilities.
  3. Monitor Networks: Organizations should monitor their networks for suspicious activity and unauthorized users. In particular, organizations with BYOD policies should be wary of endpoint threats to their networks. Through continuous and consistent monitoring, organizations can uncover malicious threats before they get a chance to deploy and compromise data. 
  4. Encrypt Data: Consumers now expect most, if not all, organizations to encrypt sensitive data. Data encryption provides an extra layer of security against hackers and nefarious users. By adding in this extra security step, organizations can make it more difficult for hackers to gain access to sensitive information.
  5. Limit Data Access: Organizations should limit the amount of data that employees and users are allowed to access. Not all employees should be allowed to access confidential data, especially without proper training. By limiting the amount of data certain employees can access, companies can in turn limit the amount of damage a data breach causes.
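The JobLink breach as described above (a self-registered account reading other users' records) and the missing authorization checks that dominate this month's SAP notes are the same defect: a service that looks up a record without first asking whether the caller is entitled to it. The following is an added example, constructed for illustration and not JobLink's or SAP's code, of the "limit data access" tip in practice: every profile lookup is checked against the requester's identity and roles before any data is returned, a support role sees only a masked view, denials are logged identically whether or not the record exists, and a small detector over that log flags an account that keeps asking for profiles it does not own. Names, profile ids and the (deliberately invalid) SSNs are constructed.

```python
"""Object-level authorization with denial auditing (added example).

Constructed illustration; not JobLink's or SAP's code. Names, ids and
SSN values are made up (000-area SSNs are never issued).
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


class AccessDenied(PermissionError):
    pass


def mask_ssn(ssn: str) -> str:
    """Show only the last four digits to support staff."""
    return "***-**-" + ssn[-4:]


@dataclass
class ProfileStore:
    profiles: dict                       # profile_id -> record
    audit: list = field(default_factory=list)

    def fetch_profile(self, who: Principal, profile_id: str) -> dict:
        record = self.profiles.get(profile_id)
        # Owner gets the full record; support agents a masked view; everyone
        # else is denied. A missing id is denied in exactly the same way so
        # the response does not reveal which ids exist.
        if record is not None and record["owner"] == who.user_id:
            self.audit.append(("allowed", who.user_id, profile_id))
            return dict(record)
        if record is not None and "support-agent" in who.roles:
            self.audit.append(("allowed-masked", who.user_id, profile_id))
            view = dict(record)
            view["ssn"] = mask_ssn(record["ssn"])
            return view
        self.audit.append(("denied", who.user_id, profile_id))
        raise AccessDenied(f"{who.user_id} may not read {profile_id}")


def flag_enumeration(audit, threshold=3):
    """Requesters with `threshold` or more denials, for SOC follow-up."""
    denials = Counter(user for outcome, user, _ in audit if outcome == "denied")
    return sorted(u for u, n in denials.items() if n >= threshold)


# Constructed sample data.
STORE = ProfileStore({
    "p-100": {"owner": "alice", "name": "Alice Example", "ssn": "000-00-1234"},
    "p-200": {"owner": "bob", "name": "Bob Example", "ssn": "000-00-5678"},
})


def demo():
    """Walk through an owner, a support agent and an enumerating fake account."""
    alice = Principal("alice")
    agent = Principal("carol", frozenset({"support-agent"}))
    mallory = Principal("mallory")            # self-registered, owns nothing
    own = STORE.fetch_profile(alice, "p-100")["ssn"]
    masked = STORE.fetch_profile(agent, "p-100")["ssn"]
    for pid in ("p-100", "p-200", "p-300"):   # p-300 does not exist
        try:
            STORE.fetch_profile(mallory, pid)
        except AccessDenied:
            pass
    return own, masked, flag_enumeration(STORE.audit)


if __name__ == "__main__":
    print(demo())
```

The point of the audit list is the "monitor networks" tip applied one layer up: a burst of denied lookups from one fresh account is the signal a defender would want to see while the account is still probing, rather than in a forensic report afterwards.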

Job seekers are regularly expected to input personal information about themselves to company and state databases, but it should be guaranteed that their information will remain secure. In today’s cybercrime environment, organizations should regularly conduct audits, continuously monitor networks, and enable additional layers of data protection to keep their users’ information secure from malicious actors. 

Cybersecurity Industry Must Adopt Cyberdefense Tech that Utilizes Analytics, Artificial Intelligence Thu, 06 Apr 2017 11:05:00 -0500 The cyberdefense industry needs to quit playing catch-up and having a reactionary approach to cybersecurity. So what is this industry doing wrong, and how can we change it? 



We must recognize that our cyberdefense technologies are not working and will not work. Cases in point: our most sensitive cyberoffense technologies have been hacked; power companies admit they would have great difficulty stopping a cyberattack and are being asked to be prepared to operate at much less than full capacity under a cyberattack; 70 percent of oil and gas companies have been attacked — and the threat is growing.

The cybersecurity industry is in chaos and needs to move toward new technologies — cyberdefense technologies that are beginning to leverage analytics, machine learning and artificial intelligence (AI). Hackers are taking advantage of the same technologies, so the cyberdefense industry needs to jump on board. Let's quit playing catch-up and instead take a proactive approach to cybersecurity.

So what is this industry doing wrong, and how can we change it?


One of the core principles in cybersecurity is to establish a baseline of what the operational and industrial system is doing. Once this is done, you can:

  • define your security policies;
  • evaluate the risk;
  • look at security technologies that could reduce the risk;
  • evaluate the potential threat impact cost versus the cost of the security technology;
  • get management approval; and then
  • deploy the security technology. 

Sounds simple, right? Not so. 

We have layered so much hardware, network and software on top of each other that we truly can't see what our systems are doing. And if we can't see what our systems are doing, how can we establish a system baseline of what is normal in daily system operations? The fact is that we can't see it, which is not a good start to one of the most basic principles of security. This must change.


Conventional cybersecurity generally points everything to the human first while the system's machine actions are doing most of the operational and industrial processes. As metadata grows, it becomes increasingly difficult to manage and understand. Even the best analytic algorithms can't keep up and are themselves subject to error. 

Human error is the major reason for cyberbreaches, and we are pointing increasingly complex systems toward people who can neither see nor understand what the systems are doing; it is a dangerous scenario to continually disconnect the human from massively automated systems that run without audit. Hackers know this, and they will continually exploit these systems until new technologies can deeply and consistently view and audit our operational baseline.

People need to be able to see, with deep inspection, the structured and unstructured data that run the systems. Without this being done first, a true operations and security baseline cannot be established, leaving the system exposed to cyberattacks. AI, machine learning and analytics can assist in the viewing of this data, but they exponentially increase the amount of structured and unstructured data that must be secured. These approaches also create vulnerabilities because they layer additional algorithms and software over critical data and systems actuaries. This gives hackers a targeted system exploit capability that could allow a complete hijacking of system processes. This is being done while humans are continually being removed from our system processes.


Industry experts are warning of the use and abuse of AI and its use in both cyberdefense and hacking. 

As Sean Carroll, a cosmology and physics professor at the California Institute of Technology told, "It is absolutely right to think very carefully and thoroughly about what those consequences might be, and how we might guard against them, without preventing real progress on improved artificial intelligence."

And Nick Bostrom, director of the Future of Humanity Institute at Oxford University, also told that “the transition to machine superintelligence is a very grave matter, and we should take seriously the possibility that things could go radically wrong. This should motivate having some top talent in mathematics and computer science research the problems of AI safety and AI control.”

Even the newest neural network technologies that Google is using — the basis of its DeepMind Artificial Intelligence technologies — can be hacked. The reason is that we're using existing technologies to learn what our systems are doing, so we are essentially adding points of offensive exploit to cyberdefense technologies that are supposed to reduce the attack vector. The cybersecurity industry is, in essence, going in the wrong direction. 

A good example of this is tech giants buying up AI cybersecurity startups. This is being done while the DARPA Cyber Grand Challenge demonstrated how AI could hack into AI. Machine learning and AI connect to a very sensitive part of operational and industrial control systems. That’s how it learns. Hackers can use AI to watch what AI is doing, which in turn can offer total control of the machine systems. All third- and fourth-generation programming languages (code) can be hacked, period. We must find a migration path to a codeless fifth-generation programming language (5GL) that uses codeless signature patterns.


I have discussed the use of 5GL in previous articles and spoke about the technology at Oak Ridge National Laboratory. I clearly discussed how we need to use 5GL codeless patterns in parallel with existing operational and industrial system technologies. This use of 5GL in cybersecurity as a system auditing tool could be the much-needed answer to new cyberdefense technologies.

A company called On Point Cyber has been watching the development of these 5GL technologies for years, and CEO Tom Boyle said he thinks the timing is right for 5GL.

"Disruptive technologies must have a migration path back to existing technologies and forward to newer technologies. To achieve this, we first index all the current structured and unstructured data, then run them in parallel to the new 5GL codeless signature pattern technologies," he said. "This offers a real-time deep inspection of the operational system security baseline and the immediate detection of anything not part of that baseline."

Boyle also noted that what's great about 5GL technology is that it can be used without changing any of the current operational and industrial system technologies.

"These newer technologies can then offer older technologies a migration path to code vs. codeless signature pattern technologies that could even be used in the Quantum computer," he added. "The use of 5GL in cyberdefense could prove the most important use of this technology today. Clearly, we need to do something different.”


We are entering dangerous times in cybersecurity, and both the public and private sectors must recognize the urgency in finding an industry correction. Immediately invest in cybersecurity technologies that offer more than calculated risk remediation. We are throwing things on the wall that could potentially put our cyberdefense technologies in greater danger. We need to find solutions that stop cyberattacks. 

In the confusion of pretty words and explanations of cyberdefense technologies, government officials and CEOs are asking the simple question, "Can I invest in cyberdefense technologies that work?" It is time to answer that question with the recognition that we need to move on to entirely new technologies that can secure us today and prepare us for the future. 

About the author: Larry Karisny is the director of Project, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.

4 Things that Make Cloud Compliance Harder Than You Think Thu, 06 Apr 2017 10:04:41 -0500 I’m often surprised that as organizations make the move to the cloud, achieving compliance (whether PCI DSS, NIST 800-53, SOC, ISO, HIPAA, etc.) is often an afterthought. The cloud providers themselves maintain aggressive compliance programs and adopt new standards quickly, so many folks figure that their part will be a breeze.


However, there are some factors to take into consideration that may make compliance in the cloud a bit more challenging.  


1.) Auditors & Compliance Officers Don’t Understand the Cloud

The fast-changing technology of the cloud has left auditors and compliance teams in the dust. They struggle to get up to speed with the environments and applications that you’ve built out, let alone keep up with all the changes that the public cloud platforms introduce continuously. In a shared responsibility model it is important to understand what controls are the responsibility of the cloud provider and what controls are the responsibility of the internal team. Do you have a clear understanding of this and can you explain it to your auditors and compliance teams? It is in your best interest to teach and coach the auditors and compliance officers about the cloud, your environment, and the safeguards you’ve built out to ensure security and compliance.


2.) The Disappearing Change Management Committee

Gone are the days when we could get our environment to a compliant state and then lock it down. Compliance would be managed by Change Management Committees and formal code-check in processes that would validate against our secure and compliant state. Today, more and more, the change management committee has been replaced by the conscience of the DevOps team. Too often when the pressure to deliver is high, those change management processes go by the wayside putting compliance at risk. The teams that are most successful at managing cloud compliance have introduced change management as a key component of their Continuous Integration / Continuous Deployment (CI/CD) workflows.

3.) Cloud Services are Ephemeral

That server that you just audited isn’t there anymore; what do you do? As your organization leverages the dynamic nature and flexibility of the cloud’s elastic infrastructure to manage costs, your environment may be composed of services that are here today but gone in five minutes. The requirement to prove 3 months from now that those no-longer-there services were set up in accordance with best practices can be a real drag. Too often, teams are burdened with the task of sifting through logs to produce that evidence -- a time-consuming process and a frustrating one, for sure, when the service was spun up for just a short period of time.

4.) You Need to Build Trust from a Position of Confusion

The external audit process is all about gaining the trust of the auditor and convincing them that you manage your business in a compliant state 24/365, and not just in the last 3 days before the audit. This can be especially hard if you’re doing it from a weakened position, because they’re already a little unsure of the cloud technologies that you’re using.

Many of the people I talk with lean heavily on automation to help build up this trust during their audits. If you’re building out automation to manage your cloud infrastructure during the early phases of development, you should not forget to build out automation to help you with evidence gathering once you’re in production. This can include using self-described systems, log aggregation, and the use of 3rd party tools that can provide an independent view of your systems.
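Points 3 and 4 above come together in one piece of automation: capture the evidence at the moment the ephemeral resource is provisioned, rather than reconstructing it from logs months later. The following is an added example, not from the article or any vendor, of a launch-time hook that evaluates a resource's configuration against a few checks and appends a hash-chained evidence record, so an auditor can later be shown both what a long-gone instance looked like and that nobody has edited or removed records since. The check names, configuration keys, instance ids and sample configurations are all constructed; the hash chain is a design choice for tamper-evidence, not a requirement of any framework named in the article.

```python
"""Evidence capture for ephemeral cloud resources (added example).

Not from the article or any product; check names, config keys and the
sample configurations are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def canonical_hash(obj) -> str:
    """SHA-256 over a canonical JSON encoding so hashes are reproducible."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def check_config(cfg: dict) -> list:
    """Return a list of control failures; an empty list means compliant."""
    findings = []
    if not cfg.get("root_volume_encrypted"):
        findings.append("root volume not encrypted")
    if not cfg.get("flow_logs"):
        findings.append("network flow logging disabled")
    for rule in cfg.get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            findings.append(f"admin port {rule['port']} open to the world")
    return findings


def record_evidence(chain: list, resource_id: str, cfg: dict,
                    captured_at: datetime) -> dict:
    """Append one evidence record linked to the previous record's hash."""
    record = {
        "resource_id": resource_id,
        "captured_at": captured_at.isoformat(),
        "config_sha256": canonical_hash(cfg),   # fingerprint of the full config
        "findings": check_config(cfg),
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    record["hash"] = canonical_hash(record)
    chain.append(record)
    return record


def verify_chain(chain: list) -> bool:
    """True if every record hashes correctly and links to its predecessor."""
    prev = GENESIS
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or canonical_hash(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


# Constructed sample: two short-lived instances, one compliant, one drifted.
COMPLIANT = {"root_volume_encrypted": True, "flow_logs": True,
             "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}
DRIFTED = {"root_volume_encrypted": False, "flow_logs": True,
           "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}


def build_sample_chain() -> list:
    """What the launch hook would have written for the two sample instances."""
    chain = []
    t0 = datetime(2017, 4, 6, 10, 0, tzinfo=timezone.utc)
    record_evidence(chain, "i-example-1", COMPLIANT, t0)
    record_evidence(chain, "i-example-2", DRIFTED, t0.replace(minute=5))
    return chain


def tampered_chain() -> list:
    """Copy the sample chain and quietly erase a finding, as a tamper test."""
    chain = [dict(r) for r in build_sample_chain()]
    chain[1]["findings"] = []
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(json.dumps(chain, indent=2))
    print("intact:", verify_chain(chain), "tampered:", verify_chain(tampered_chain()))
```

Storing the full configuration alongside the record (in a bucket the operations team cannot modify) and keeping only its hash in the chain keeps the chain small while still letting an auditor pull up the exact configuration a finding refers to.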


I don’t mean to imply that compliance in the cloud is harder than in a data center environment; it will just require some new processes, new tools, and some additional training to get everyone up to speed. By taking advantage of automation tools for security and compliance, teams can simplify the process of inspection and reporting, which frees up resources to attack other projects.


The bottom line is this: don’t move into the cloud and assume you can manage compliance the way you always have. Use cloud automation to your advantage for reporting, management and policy enforcement. Leverage 3rd party tools that measure the compliance of your cloud environment and allow the auditors to see that compliance isn’t just something you did in the past days before the audit, but rather something that you do day in and day out. You’ll find over time that automation will get you to a state of continuous compliance faster which will only make you, your auditors and your boss happier.

Bracing for the Future of Information Security Threats Tue, 04 Apr 2017 10:19:56 -0500 Every day, the news is full of stories describing the weighty and often overwhelming effects new technology has on the way people live and work. Terms such as Artificial Intelligence (AI) and the Internet of Things (IoT) are fast becoming everyday jargon, and plans for their deployment will land high on the agenda of business leaders over the next few years – whether they like it or not.

Headlines warning of cyber-attacks and data breaches are just as frequent. Assailants are everywhere: on the outside are hackers, organized criminal groups and nation states, whose capabilities and ruthlessness grow by the day; on the inside are employees and contractors, causing incidents either maliciously or by accident.

Business leaders are left feeling uncertain about the way forward. The dilemma is often stark: should they rush to adopt new technology and risk major fallout if things go wrong, or wait and potentially lose ground to competitors?

New attacks will impact both business reputation and shareholder value, and cyber risk exists in every aspect of the enterprise. At the Information Security Forum, we recently released Threat Horizon 2019, which highlights the top nine threats to information security over the next two years.

Let’s take a quick look at these threats and what they mean for your organization:

Premeditated Internet Outages Bring Trade to its Knees

Conflicts across the globe are rising in number and severity. Nation states and other groups will look for new methods of creating widespread disruption – one of which will be exploiting the dependence on connectivity by causing Internet outages at either a local or regional level.

Commercial and governmental organizations will be considered legitimate targets during times of tension and conflict. Industries will lose millions of dollars as communications and externally connected systems fail and trade grinds to a halt, even if the outage is relatively brief. The resulting shortages in basic goods and services will cause widespread social unrest and severe disruption across all industries.

In a hyper-connected world, the temporary loss of infrastructure will create chaos. Central governments will have to coordinate through their critical national infrastructure programs to contain the damage and restore order. At an organization level, arrangements must be in place to address the risk of such attacks occurring on a relatively frequent basis. Understanding the extent of the organization’s reliance on the Internet, and fortifying the controls that manage operations when it is unavailable, will be critical to maintaining productivity.

Ransomware Hijacks the IoT

Ransomware is currently one of the most prevalent infosec threats. This type of attack is becoming more dangerous for targets and more lucrative for criminals: average ransoms demanded jumped from $294 in 2015 to $679 in 2016. The US Federal Bureau of Investigation (FBI) estimates that ransomware generated around $1 billion in revenue for criminals by the end of 2016.

Over the next two years, cyber criminals behind ransomware will shift their attention to 'smart devices' permanently connected to the Internet. While holding specific devices for ransom will offer lucrative ways to grow their revenues, attackers will also use these devices as gateways to install ransomware on other devices and systems throughout an organization.

The downstream impacts, such as interruptions to business operations and automated production lines, may appear severe, but will fade into the background when lives are put at risk by attacks on medical implants or vehicle components. Simply restoring from a data backup, rather than paying the attacker, will not be an option. An affected organization will face the potential of a double financial hit: a large ransom to protect its people or resume normal operations plus significant expenses related to repairing and strengthening security measures.

Every organization should take immediate action to identify how they are currently using connected devices, how they plan to increase usage in the future, and what the impact will be if one or more devices are rendered inoperable by ransomware. It’s paramount to implement appropriate business continuity plans including back-up systems, disaster recovery, and incident response. Those who fail to act should expect to pay more, more often.

Privileged Insiders Coerced Into Giving Up the Crown Jewels

Even in the cyber-crime era, the age-old threat of violence still spreads fear. To achieve greater gains, well-funded criminal groups will combine their substantial global reach and digital expertise with intimidation or savagery to threaten privileged insiders into giving up mission-critical information assets such as financial details, intellectual property (IP) and strategic plans.

Ruthless criminal groups, rogue competitors and nation states will directly target mission-critical information assets, designated as such by their value to the organization and the business impact if compromised. Consequently, an organization should take steps to identify and record these assets. The individuals with access to, or responsibility for, the management and protection of these assets should also be identified on that record. At the same time, procedures can be put in place for individuals to report any coercion or threat, and arrangements made for anyone affected to receive appropriate protection.

An organization that loses any of its crown jewels to attackers will be impacted by heavy financial losses and brand damage when planned products are copied and released earlier by competitors. Targeted organizations that cannot guarantee the safety of their highly skilled privileged insiders may find recruitment and retention increasingly difficult.

Automated Misinformation Gains Instant Credibility

The practice of undermining a competitor’s reputation, products or services with false or manipulated information will be automated using advanced 'chatbot' programs. These programs will be efficient at their task: they will operate around the clock with an unrivalled capacity to spread misinformation consistently and rapidly, and no scruples or morals to inhibit their pernicious activity.

Advanced chatbots will undoubtedly offer many new ways to conduct legitimate business. However, they will also be programmed to spread misinformation. Developers of such programs will seize the opportunity to industrialize the production of advanced chatbots, profiting by offering them as a service. Access to an array of service providers will make it easy for unscrupulous competitors and disillusioned groups to discredit the reputation of an organization, its products or services.

Continuous monitoring and rapid reaction will be essential. If an organization is unable to disprove false rumors quickly, the damage to its reputation will be complete. Swift, pre-planned action by the affected organization at any early signs of misinformation – such as substantiated rebuttals online or legal claims for libel or defamation – may be able to limit the damage. Additionally, organizations and industry bodies should lobby governments to establish a central authority responsible for combatting misinformation and the proliferation of fake news stories over social media.

Falsified Data Compromises Performance

Criminal groups and unscrupulous competitors will realize that they can do more than just steal and sell information – they will cause significant damage and disruption by adding information distortion to their existing toolbox of threats. The number and scale of these attacks is expected to balloon over the next two years. The integrity of digital information is of such concern to US intelligence agencies that they have specifically included it in their annual briefing to the US government on global cyber threats.

Attacks focused on information integrity can have a major impact on an organization. Examples include: disrupting capacity for informed decision making; severe financial losses as a result of fraud or manipulation of stock prices; or reputational harm from a leak of false or embarrassing information.

Individuals at all levels of an organization, but particularly business leaders, need to understand the importance of information integrity – that it needs to be valid, accurate and complete to sustain the operations that rely on it. Organizations can no longer ignore this aspect of security. They must start preparation now by ensuring that all information risk assessments fully cover the likelihood and impact of attacks on integrity, as well as confidentiality and availability. Consideration should also be given to training communications and marketing professionals to deliver effective statements following integrity incidents, to minimize reputational and legal impacts.

Subverted Blockchains Shatter Trust

Because of its potential to significantly drive down cost, reduce delay and lower risk, blockchain technology will eventually affect every organization. Around “15% of top global banks [are] intending to roll out full-scale, commercial blockchain products in 2017”, with 65% likely to have large-scale implementations in place by 2019.

However, blockchains will be vulnerable to compromise. Subverting a blockchain could impact an organization severely and in an extreme case could result in abandoning the affected blockchain – wiping out the anticipated efficiency gains and undermining institutional trust.

Many of the blockchain security incidents to date could have been prevented with known best practices. However, security professionals should remain vigilant to new vulnerabilities that may require innovative controls as this relatively immature technology develops. Organizations must supplement good security practice with a culture wherein trust is supported by transparent communications and thorough feedback mechanisms.

Surveillance Laws Expose Corporate Secrets

To track growing threats to national security, governments will create surveillance legislation that requires communications providers to collect and store data related to electronic and voice communications. While governments and their agencies will use the data to identify specific groups such as terrorists, masses of information will also be swept up from innocent organizations and individuals going about their day-to-day business.

Motivated attackers will be quick to recognize the value of this data, know where it is and how to get it—and they have the capability to analyze, interpret and exploit it. For example, the data may be analyzed to reveal strategically sensitive issues, such as plans for mergers and acquisitions, IP under development, or details of new products in the pipeline.

Every organization should proceed as if it will only be a matter of time before the work-related communications data of their employees is subject to unauthorised access. No organization can guarantee that others will not be using their communications data to gain revealing insights into its operations, people and plans. Consequently, every organization should consider what its external communications might reveal, assess the risk of breaches, and put plans in place to minimize the potential impacts.

Privacy Regulations Impede the Monitoring of Insider Threats

In 2015, insiders—including users, managers, IT professionals, and contractors—caused 43% of all data breaches. However, new privacy regulations such as the European Union General Data Protection Regulation (GDPR) have the potential to constrain the use of tools that analyze the behavior of insiders. These regulations could result in large fines levied on organizations that monitor and profile employees. Such constraints will restrict an organization’s ability to monitor online behavior and collate specific threat intelligence, while increasing the opportunities for malicious insiders to compromise organizational information.

Every organization must invest in tools and techniques to strengthen their protection against the insider threat, particularly against malicious insiders who may be able to initiate data breaches while hiding their tracks. Those organizations that use or plan to use User Behavior Analytics (UBA) tools will need to start preparations now, for example, by formulating amendments to employment contracts. Multinational organizations planning to deploy UBA tools across multiple jurisdictions may find this onerous. Local laws and customs may present additional hurdles when negotiating with employees, particularly in unionized environments.

A Headlong Rush to Deploy AI Leads to Unexpected Outcomes

In the quest to leap ahead of the competition and benefit from technical innovation, many organizations will rush to deploy AI systems to automate increasingly complex and creative tasks that previously required human intelligence.

Systems based on AI will learn from their experiences and modify their actions accordingly. However, using a human analogy, AI is likely to only reach adolescence over the next two to three years and will therefore be prone to errors, some of which could have serious consequences. This will present major challenges when organizations come to rely on AI systems in environments where outcomes can affect an organization’s reputation or performance. Any organization lacking highly skilled experts with the required knowledge and experience may be unable to deal with the fallout when AI systems function erratically.

To prevent unexpected outcomes from creating new vulnerabilities, business and security leaders must give full scrutiny and consideration to information security requirements. This means ensuring the content and accuracy of the data feeds from which AI systems learn, conducting pilots to understand how systems react to inputs before scaling to full deployment, and developing detailed contingency plans.

Be Prepared

As dangers accelerate, organizations must fully commit to disciplined and practical approaches to managing the major changes ahead. Employees at every level of the organization will need to be involved, including board members and managers in non-technical roles.

The nine threats listed above expose the dangers that should be considered most prominent. They have the capacity to transmit their impact through cyberspace at alarming speeds, particularly as the use of the Internet spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large.

So…are you as ready as you could be? Don’t wait to find out. By then, it may very well be too late.

Stop Doing Four Things—and Convince Your Execs and Board to Properly Fund Cybersecurity
Tue, 28 Mar 2017 03:58:00 -0500

If you want to convince your execs and board to properly fund cybersecurity, you can start with this: Stop telling them scary stories and using Hollywood clichés to make your case.

Hackers . . . hackers . . . hackers . . . they are everywhere. Stealing millions from a bank. Using ransomware to force grandma to pay up or never see the pictures of her grandkids again. Taking and selling millions of logins and passwords on the darknet.

But why keep calling them hackers? Why not start calling them what they really are: criminals.

To many, a hacker has become a Hollywood caricature, striking fear and awe into minds as it conjures images of Neo from The Matrix. An unstoppable technical adversary and Kung-Fu Master who can fly, stop bullets with his mind, and gain instant access into any system in the world—no matter how well secured—by simply mashing a keyboard.

It all started back in 1983 with War Games, when Matthew Broderick’s character David accidentally hacked NORAD, thinking he’d broken into a computer game company. Why couldn’t he just play a nice game of chess instead of starting a Global Thermonuclear War? The movie reputedly freaked out President Ronald Reagan enough for him to ask Gen. John W. Vessey, Jr., the chairman of the Joint Chiefs of Staff, if something similar could really happen.

The answer that came back, of course, was “yes” and resulted in a classified national security decision directive, NSDD-145, titled “National Policy on Telecommunications and Automated Information Systems Security.” We can only hope that the next thing they did was change the admin password on the W.O.P.R. to something other than “Joshua” or, at the very least, enable two-factor authentication.

While this was certainly a case study where Hollywood helped instill some highly productive and motivating fear, uncertainty, and doubt into the President to take action on developing and implementing cyber security policy, it unfortunately became the model for how IT communicates risk to executives.

For years to come, pocket-protected nerds with taped-up glasses would continue to build super complex systems that only they and angst-ridden teenage boys seemed able to operate, while corporate executives and government officials would increasingly distance themselves from any understanding of what these geeks were talking about.

Subsequent hacker movies such as Sneakers, Swordfish, Hackers, and The Net have only continued to add to the ridiculous fictional creation that is the Hollywood hacker, making it harder for non-technical executives to take any of this computer and Internet stuff seriously.

And that, in my opinion, is exactly how we landed in the mess we’re in now—where we aren’t looking at the real threats posed by today’s real hackers.

So What Else Can You Stop Doing?

#1 Stop using sensational news headlines in your presentations.

The torn-from-the-headlines slides have become so cliché that no one really cares about them anymore. In fact, over the past few years, they’ve progressed from shocking to mildly unnerving to boring to annoying.

A much better use for sensationalized headlines is for scenario-thinking exercises. As part of your board meeting, executive retreat, or security team training, take a few of these real-life stories and deconstruct them. Imagine that the exact scenario in the news article has happened to your organization and then role-play through exactly how you would address the situation.

At each level of the organization, there are many lessons to be learned from this approach. It not only helps to ground the discussion of the problem in reality, it also engages participants in helping find solutions and trains your teams on a process that can be used for dealing with a real breach.

This way, the next time you need to upgrade those firewalls, the executive leadership team and board will have a much more relevant understanding and context of the situation and will likely be able to apply more effective governance to the decision-making process.

#2 Stop using hacker-themed stock clipart.

There are basically only five pieces of crappy stock clipart that accompany every presentation and article about hacking. The one with the sinister-looking guy in the hoody, the one with the white-and-black-striped bandit running away with the laptop, the one with the skull floating in the Matrix-esque 1s and 0s, the one with the padlock, and a picture of anything with HACKED in big red letters written across it.

Instead of stealing bad clipart off the Internet, you’re much better off getting to the point and using real data specific to your organization that supports your business case or policy-change request in infographic-like representations. Fewer words on each page that let the visuals help tell the story.

#3 Stop using industry jargon.

The CPA on the board can’t relate to an APT that has exploited privileged user credentials to install root kits on multiple endpoints and has bypassed our IPS by encrypting command and control messaging. He can, however, relate to the message that we need to spend $100k on a thing called a firewall because criminals just tried to steal $20 million worth of customer credit card data that would also expose the company to the risk of PCI-compliance violation fines and potential class-action suits in the tens of millions.

#4 Stop using fear. Start using reason.

If a CFO were proposing a new program to deter fraud and identity theft that is costing the company millions of dollars in lost revenue and eroding the trust of customers, he wouldn’t toss in a bunch of pictures and quotes from Ocean’s Eleven or The Italian Job to spice up his board presentation. So again, why should we in IT try to characterize our challenges in the context of fictitious movie plots and characters?

When you present scary stories and Hollywood clichés to an executive, they become a consumer of information, much like watching a movie. An executive can’t take action on fear or fictional references, nor will they. They can, however, act on a clearly articulated risk analysis accompanied by well-conceived strategies to manage that risk.

Webinar: How to Use Good, Actionable Threat Intelligence
Tue, 21 Mar 2017 10:25:16 -0500

Threat Intelligence Webinar

How to use good, actionable threat intelligence

We don't need more undigested data. We need answers. Enter Threat Intelligence.

Useful threat intelligence is not data feeds of indicators without context; it's interpretation that boils things down to provide recommendations so we can operate safely in the Internet age.

Join F5 Networks and SecurityWeek for this interactive webinar on March 22nd at 1PM ET, where we will provide the following takeaways:

• What good, actionable threat intelligence looks like

• How to effectively use threat intelligence to neutralize potential attacks before they strike.

Register Now

Can't make the live webinar? Register today and you'll get a link to watch on demand at your convenience.

Malvertising and Exploit Kits Still a Significant Threat: FireEye
Sat, 18 Mar 2017 14:40:50 -0500

Malicious online ads and the exploit kits (EK) used to infect computers with various types of malware continue to pose a significant threat, FireEye warns.

Used in “drive-by” attacks, malvertising can infect computers without users even being aware that malicious code on the web page they are visiting is covertly installing malware. Bad actors use HTTP redirects, iframe redirects or code injected into legitimate web pages to reach unmitigated vulnerabilities and infect users. In some cases, domain shadowing is used to disguise rogue ad servers as legitimate advertisers.

As FireEye explains, popular ad servers sometimes redirect to affiliate networks, and these organizations might forward traffic to servers supporting other malicious domains, referred to as “Cushion Servers” or “Shadow Servers.”

Over the past four months, FireEye observed malvertising campaigns associated with a group of first-layer compromised pages that used the same injected script to redirect to Magnitude EK. Popular mainly in the APAC region, the EK was observed affecting web servers with specific header information; the injected script appeared only when the site was loaded through the advertisement, not when the URLs were accessed directly.

Some of the domains associated with the EK were hosted on Webzilla B.V and appear to be from the same actor, while others were Flash game websites registered with ‘Alpnames Limited’ registrar and hosted using a PlusServer AG server ISP in Germany. On rare occasions, advertiser poptm[.]com hosted on CloudFlare was used.

The researchers also observed campaigns abusing domains registered under the organisation TTA ADULTS LIMITED and using advertisers belonging to the Adcash group, along with other campaigns abusing domains registered under the organisation China Coast and using ads.adamoads[.]com and other ad sites for redirection.

RIG EK, currently the leading toolkit out there, has been associated with well-known campaigns such as EITest Gate, Pseudo-Darkleech, and Afraid Gate, but also with other malvertising campaigns that use redirection.

In late 2016 and early 2017, FireEye observed [.]info and [.]pw TLD domains that acted as intermediate redirect domains invoked via legitimate advertisers, but which led to RIG EK domains instead. These were ad-service-loaded casino-themed domains featuring injected malicious iframes for redirection, acting as shadow servers for the EK.

The ad service was provided by AdCash ad group, which stopped supporting these domains in February 2017. The campaign then switched to new domains and started leveraging the popular ad service popcash[.]net, which has been notified on the matter.

Sundown, the second most active EK at the moment according to Symantec, is leveraging redirection in a series of malvertising campaigns as well, including one that leverages domains hosted on two neighboring IP addresses. Multiple legitimate advertisers are currently redirecting to one of the domains hosted on these IPs, which then redirects to a Sundown EK landing page.

The security researchers also discovered a group of redirect domains that has been leveraging advertiser popcash[.]net to lead users to Sundown EK landing pages via a chain of two domains. Another campaign was observed using shadow servers loaded via legitimate ad sites hosted on Webzilla B.V.

Another active toolkit is Terror EK, which FireEye says is similar to Sundown EK. The threat has been consistently leveraging advertiser serve.popads[.]net to redirect traffic to domains it controls, with some instances observed using this technique as early as December last year. Terror EK was observed downloading ccminer payloads.

“Malvertising and exploit kits continue to be a significant threat to regular users. While we strongly recommend using ad blockers for all web browsers, we understand that it’s not always possible. For that reason, the best approach is to always keep your web browsers and applications fully updated. Also, regularly check your browser to see what plugins are being used and disable them if they are not necessary,” FireEye notes.
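The redirect pattern described above (a legitimate ad server handing off to an intermediate shadow/cushion domain that in turn redirects to the exploit-kit landing page) is something a defender can look for in web proxy logs. The following Python is an added example, not FireEye's code or tooling: it reconstructs per-client redirect chains that start at a known ad host and flags chains with more than one hop after the ad server or with a hop on the .info or .pw TLDs named in the RIG campaign. The log format, the ad-network list and every hostname are constructed assumptions for the example.

```python
"""Reconstruct ad-driven redirect chains from proxy logs and flag likely shadow servers.

Added example, not from the article. Log format, ad-network list and hostnames
are constructed; the heuristic mirrors the article's description of
ad server -> intermediate (.info/.pw) domain -> exploit-kit landing page.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
#   <time> <client> <status> <url> <referer> <location>   ('-' = empty field)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 200 http://news.example.net/ - -
10:00:02 10.0.0.5 302 http://ads.adnet.example/serve?id=7 http://news.example.net/ http://promo-casino.example.info/land
10:00:02 10.0.0.5 302 http://promo-casino.example.info/land http://ads.adnet.example/serve?id=7 http://play-now.example.pw/index.php
10:00:03 10.0.0.5 200 http://play-now.example.pw/index.php http://promo-casino.example.info/land -
10:00:10 10.0.0.9 302 http://ads.adnet.example/serve?id=9 http://news.example.net/ http://shop.example.com/sale
10:00:10 10.0.0.9 200 http://shop.example.com/sale http://ads.adnet.example/serve?id=9 -
"""

AD_NETWORKS = {"ads.adnet.example"}   # constructed allowlist of expected ad hosts
WATCHED_TLDS = {"info", "pw"}         # TLDs the article associates with RIG shadow servers
MAX_BENIGN_HOPS = 1                   # ad server -> advertiser's own page is one hop

LINE = re.compile(r"(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)")


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, status, url, referer, location = m.groups()
        events.append({
            "ts": ts, "client": client, "status": int(status), "url": url,
            "referer": None if referer == "-" else referer,
            "location": None if location == "-" else location,
        })
    return events


def host(url):
    return urlparse(url).hostname or ""


def tld(hostname):
    return hostname.rsplit(".", 1)[-1]


def build_chains(events):
    """Follow 3xx Location hops, per client, starting at requests to known ad hosts."""
    by_client = defaultdict(dict)
    for e in events:
        by_client[e["client"]][e["url"]] = e
    chains = []
    for client, reqs in by_client.items():
        for e in reqs.values():
            if host(e["url"]) in AD_NETWORKS and 300 <= e["status"] < 400:
                chain = [e["url"]]
                cur = e
                # Stop when the hop was not redirected or when a loop is detected.
                while cur and cur["location"] and cur["location"] not in chain:
                    chain.append(cur["location"])
                    cur = reqs.get(cur["location"])
                chains.append((client, chain))
    return chains


def score_chain(chain):
    """Reasons a chain resembles a shadow-server redirect; empty list means benign."""
    reasons = []
    hops = [host(u) for u in chain[1:]]
    if len(hops) > MAX_BENIGN_HOPS:
        reasons.append(f"{len(hops)} hops after ad server")
    for h in hops:
        if tld(h) in WATCHED_TLDS:
            reasons.append(f"watched TLD .{tld(h)} at {h}")
    return reasons


def find_suspicious(text):
    """Return (client, chain, reasons) for every flagged chain in the log text."""
    flagged = []
    for client, chain in build_chains(parse_log(text)):
        reasons = score_chain(chain)
        if reasons:
            flagged.append((client, chain, reasons))
    return flagged


if __name__ == "__main__":
    for client, chain, reasons in find_suspicious(SAMPLE_LOG):
        print(client, " -> ".join(chain))
        for r in reasons:
            print("   ", r)
```

The hop-count and TLD heuristics are deliberately coarse; in practice they would feed a triage queue alongside the article's own advice (patched browsers, unnecessary plugins disabled) rather than block traffic on their own.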

Related: RIG Grabs 35% of Exploit Kit Market in December

Related: Edge Exploits Added to Sundown EK

SAP Cyber Threat Intelligence Report – March 2017
Fri, 17 Mar 2017 11:20:00 -0500

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • This month, the software vendor released a record-breaking number of Security Notes for 2017. The recent patch update consists of 35 SAP Security Notes;
  • An RCE vulnerability in the SAP GUI client was closed. Millions of end users could have fallen victim;
  • HANA vulnerabilities are on the rise. This month, 5 Notes addressing this platform were released, one of which was rated 9.8.

SAP Security Notes – March 2017

SAP has released the monthly critical patch update for March 2017. This patch update includes 35 SAP Notes (28 SAP Security Patch Day Notes and 7 Support Package Notes).

4 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 7 of all the Notes are updates to previously released Security Notes.

8 of the released SAP Security Notes have a High priority rating and 1 was assessed Hot News. The highest CVSS score of the vulnerabilities is 9.8.

(Chart: SAP Security Notes March 2017 by priority)

The most common vulnerability type is Cross-Site Scripting.

(Chart: SAP Security Notes March 2017 by type)

Issues that were patched with the help of ERPScan

This month, 6 critical vulnerabilities identified by ERPScan’s researchers Boris Sanin, Dmitry Chastuhin, Dmitry Yudin, Mathieu Geli, and Vahagn Vardanyan were closed by releasing 5 SAP Security Notes.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Remote command execution vulnerability in SAP GUI for Windows (CVSS Base Score: 8.0). Update is available in SAP Security Note 2407616. An attacker can exploit it to execute commands remotely without authorization; the commands will run with the same privileges as the service that executed them.
    SAP GUI is the graphical user interface client. It is the platform used for remote access to the SAP central server in a company network. It allows an SAP user to access functionality in SAP applications such as SAP ERP, SAP Business Suite (SAP CRM, SAP SCM, SAP PLM, and others), and SAP Business Intelligence.
  • A Denial of service vulnerability in SAP NetWeaver Dynpro Engine (CVSS Base Score: 7.5). Update is available in SAP Security Note 2405918. An attacker can use it to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • A Denial of service vulnerability in SAP Visual Composer (CVSS Base Score: 7.5). Update is available in SAP Security Note 2399804. An attacker can use it to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • A Cross-Site Scripting vulnerability in SAP Enterprise Portal (CVSS Base Score: 6.1). Update is available in SAP Security Note 2408100. An attacker can use it to inject a malicious script into a page.
  • A Denial of service vulnerability in SAP Java Script Engine (CVSS Base Score: 2.7). Update is available in SAP Security Note 2406841. An attacker can use it to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

SAP HANA Vulnerabilities closed by SAP Security Notes March 2017

SAP HANA was first introduced in 2010 and is marketed as a platform converging application and database capabilities with in-memory technologies that allow speeding up the performance, analytics, and other processes.

SAP HANA security is always in the spotlight; this year, however, SAP HANA security issues have been attracting special attention from researchers. The current security update contains 5 SAP Security Notes addressing the flagship platform. The most dangerous of them are the following:

  • 2424173: SAP HANA User Self-Service has a Missing Authorization Check vulnerability (CVSS Base Score: 9.8). An attacker can use a Missing authorization check vulnerability to access the service without authorization and use service functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2429069: SAP HANA has a Session fixation vulnerability (CVSS Base Score: 8.8). An authenticated attacker can predict valid session IDs for concurrent users that are logged on to the system. Install this SAP Security Note to prevent the risks.
  • 2424120: SAP HANA has an Information Disclosure vulnerability (CVSS Base Score: 4.9). An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which will help them to learn about the system and to plan further attacks. Install this SAP Security Note to prevent the risks.
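To make the session fixation note concrete, here is an added Python example (not SAP's code, and unrelated to SAP HANA internals) contrasting a session store that hands out sequential IDs and keeps them across login with one that draws IDs from a CSPRNG and issues a fresh ID when the user authenticates. Both properties matter for the issue described: an ID that can be predicted from another user's ID, or that stays valid from before login to after it, lets someone else ride an authenticated session. Class and function names are assumptions for illustration.

```python
"""Predictable, never-rotated session IDs versus a hardened session store.

Added example, not SAP's code. Names are illustrative assumptions; the
'weak' class is a constructed 'before' version that exists only to show the
defect the hardened class removes.
"""
import secrets


class WeakSessionStore:
    """Constructed 'before' version: counter-based IDs that are never rotated."""

    def __init__(self):
        self._next = 1000
        self.sessions = {}

    def create(self):
        sid = str(self._next)              # sequential: one valid ID reveals its neighbours
        self._next += 1
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        self.sessions[sid]["user"] = user  # same ID before and after authentication
        return sid


class HardenedSessionStore:
    """IDs from a CSPRNG (128 bits) and a fresh ID issued at login."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)     # 16 random bytes, unrelated to any other ID
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        state = self.sessions.pop(sid, None)   # the pre-authentication ID stops working
        if state is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(16)    # fresh ID bound to the authenticated user
        state["user"] = user
        self.sessions[new_sid] = state
        return new_sid


def neighbour_guessable(store):
    """Given one valid ID, does incrementing it hit another live session?"""
    known = store.create()
    store.create()                          # a concurrent user's session
    try:
        guess = str(int(known) + 1)
    except ValueError:
        return False                        # random, non-numeric IDs: nothing to increment
    return guess in store.sessions


def rotates_on_login(store):
    """Does authenticating retire the old ID and issue a new one?"""
    before = store.create()
    after = store.login(before, "alice")
    return after != before and before not in store.sessions


if __name__ == "__main__":
    for cls in (WeakSessionStore, HardenedSessionStore):
        print(cls.__name__, "neighbour guessable:", neighbour_guessable(cls()),
              "rotates on login:", rotates_on_login(cls()))
```

Real session handling also needs an expiry, binding to the transport (Secure/HttpOnly cookie flags), and invalidation on logout; the block isolates only the two properties the note concerns.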

“The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass-exploitation is low as SAP HANA User Self-Service is enabled only on 13% of internet-exposed SAP systems (according to a custom scan). There are numerous other services in SAP HANA which are not enabled by default and are susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass, but in another web service dubbed Sinopia.”

– commented Alexander Polyakov, CTO at ERPScan.

The aforementioned multiple vulnerabilities affecting Sinopia can be exploited together to crash applications on SAP HANA XS remotely without authentication.

The number of security patches addressing SAP HANA totals 51 (of note, one Note can close one or more security issues).

(Chart: SAP HANA security notes)

Advisories for these SAP vulnerabilities with technical details will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.
