SAP Cyber Threat Intelligence Report – December 2017 Thu, 14 Dec 2017 10:29:00 -0600 The SAP threat landscape keeps expanding, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.

Key takeaways

  • This set of SAP Security Notes consists of 19 patches, the majority of them rated Medium priority.
  • Implementation Flaw remains the most common vulnerability type this month.
  • Researchers found a vulnerability in SAP HANA XS classic user self-service while examining the patch for a six-month-old flaw that allowed an unauthenticated user to determine which user accounts exist and which do not.
  • SAP re-released a patch for a 3-year-old security issue.

SAP Security Notes – December 2017

SAP has released the monthly critical patch update for December 2017. This patch update includes 19 SAP Security Notes (15 SAP Security Patch Day Notes and 4 Support Package Notes) ranging from Medium to Very High priority. Four of the patches are updates to previously released Security Notes.

Six of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Three of the released SAP Security Notes received a High priority rating, and one, an update to a previously released SAP Note, was rated Hot News with the highest CVSS score of 9.1.

The most common vulnerability type is Implementation Flaw.

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, one critical vulnerability identified by ERPScan’s researcher Mikhail Medvedev was closed.

  • A Log injection vulnerability in SAP HANA XS classic user self-service (CVSS Base Score: 5.3, CVE-2017-16687). The fix is available in SAP Security Note 2549983. An attacker can use it to inject arbitrary data into the audit log. A large amount of bogus data complicates analysis of the audit log; it can also fill disk space rapidly and corrupt the event log.

Other critical issues closed by SAP Security Notes in December

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2449757: SAP Additional Authentication check in Trusted RFC has an Implementation Flaw vulnerability (CVSS Base Score: 7.6, CVE-2017-16689). Trusted RFC does not require a Trusted/Trusting relation from a system to itself, because a system always trusts itself. The trust relationship maintained in transaction SMT1 is the secure way to identify remote trusted systems; for calls within the same system this is unnecessary, as the RFC infrastructure already knows, in a secure way, that the call came from the same system. Install this SAP Security Note to prevent the risks.
  • 2537152: SAP BI Promotion Management Application has a Missing Authorization Check vulnerability (CVSS Base Score: 7.3, CVE-2017-16684). An attacker can use it to access a service without any authorization procedure and use functionality that should be restricted. This can result in information disclosure, privilege escalation and other attacks. Install this SAP Security Note to prevent the risks.
  • 2537545: SAP BW Universal Data Integration has a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.9, CVE-2017-16685). An attacker can exploit it to inject a malicious script into a page. Critical information stored and used for interaction with the web application can be accessed; an attacker may hijack the user's session, learn business-critical information or even take control of that data. In addition, XSS can be used to modify displayed content without authorization. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Information Disclosure vulnerability in SAP HANA XS Classic User Self-Service

Six months ago, Onapsis identified a bug that allows enumerating the users of Self-Service. The point is that the "forgot password" functionality returned different error messages depending on whether a user existed, so an attacker could abuse it to guess whether a given user account exists. It was reported to SAP and a patch was released.

Afterwards, one of ERPScan’s researchers examined this fix and identified another vulnerability in the same service. The details of that vulnerability were given above.

It turns out that the researcher bypassed the check simply by adding a space to the user name and got the following response:

{"name":"SystemError","message":"dberror(Connection.prepareStatement): 331 - user name already exists: : line 1 col 24 (at pos 23)"}
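The behaviour described above, modelled as an added example that is not part of the original article or of SAP HANA's code: a simulated self-service sign-up whose first fix compares the raw user name against the user store, while the database layer (an assumption of this model) trims whitespace before its uniqueness check, so a trailing space bypasses the pre-check and the verbose database error becomes a user-existence oracle. The hardened variant canonicalises and validates the name first and returns the same reply whatever happens. The user store, the error text, the name rules and the function names are all constructed for this model.

```python
import re

# Constructed sample user store for this model (upper-cased; an assumption
# of the model, not a claim about SAP's implementation).
EXISTING_USERS = {"ALICE", "BOB"}

# The one reply a hardened self-service endpoint should ever give to an
# anonymous caller: identical for existing, new and invalid names.
GENERIC_REPLY = {"name": "Info",
                 "message": "Request accepted; check your e-mail for further steps."}


def db_create_user(raw_name):
    """Simulated database layer (assumption): it canonicalises the supplied
    name before the uniqueness check and fails with a verbose error on a
    collision, modelled on the message quoted in the article."""
    key = raw_name.strip().upper()
    if key in EXISTING_USERS:
        raise RuntimeError(
            "dberror(Connection.prepareStatement): 331 - user name already "
            f"exists: {key}: line 1 col 24 (at pos 23)")
    return key  # the actual CREATE USER is outside this model


def patched_signup(name):
    """Model of the incomplete fix: an exact-match pre-check hides 'ALICE',
    but 'ALICE ' slips past it, reaches the database, and the database's
    error is passed straight back to the anonymous caller."""
    if name in EXISTING_USERS:
        return dict(GENERIC_REPLY)
    try:
        db_create_user(name)
    except RuntimeError as exc:
        return {"name": "SystemError", "message": str(exc)}
    return dict(GENERIC_REPLY)


# Strict whitelist: letters, digits and underscore only, so whitespace and
# control characters (e.g. newlines that could forge audit-log lines) never
# reach the database or the log.
NAME_RE = re.compile(r"[A-Z][A-Z0-9_]{0,31}")


def hardened_signup(name):
    """Canonicalise first, validate strictly, and never echo a database
    error: every outcome produces the same reply."""
    canonical = name.strip().upper()
    if not NAME_RE.fullmatch(canonical) or canonical in EXISTING_USERS:
        return dict(GENERIC_REPLY)
    try:
        db_create_user(canonical)
    except RuntimeError:
        pass  # record server-side; the client learns nothing
    return dict(GENERIC_REPLY)


def account_exists_oracle(signup, name):
    """The attacker's view: submit a name, read the reply. Returns True when
    the reply reveals that the account exists."""
    return "already exists" in signup(name)["message"]


if __name__ == "__main__":
    for probe in ("ALICE", "ALICE ", "CAROL "):
        print(f"{probe!r:10} patched={account_exists_oracle(patched_signup, probe)} "
              f"hardened={account_exists_oracle(hardened_signup, probe)}")
```

The point of the hardened version is not the regular expression but the order of operations: normalise the input to the same form the backing store uses before any existence check, and make the response independent of the outcome. The same character whitelist also keeps control characters out of any audit-log entry built from the name, which is the class of problem behind the log-injection note above.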

Remote Command Execution vulnerability in Apache Struts

December’s set of SAP Security Notes includes 4 updates to previous fixes. One of them, the SBOP solution for the Apache Struts 1.x vulnerability, has a High priority rating. It is an update to an SAP Security Note released more than three years ago, in August 2014.

SAP patched the issue in a third-party product earlier and noticed the vulnerability in Apache Struts only recently. The vulnerability in Apache Struts enables an attacker to exploit the resources used to serve BI Launchpad, LCM and Monitoring.

SAP users are recommended to implement security patches as they are released.

Copyright 2010 Respective Author at Infosec Island
Understanding Endpoint Threat Diversification to Help Better Secure Infrastructures Thu, 14 Dec 2017 08:29:27 -0600 The threat landscape has evolved considerably over the years, as the technology stack deployed within local and cloud infrastructures has changed dramatically to include a wide array of tools, services and stakeholders. Threat diversification has driven the development of new security technologies designed in layers, aimed at preventing advanced and sophisticated malware from breaching security at various attack stages.

Endpoint security has become the new normal and, while it can secure organizations against mass-market malware, advanced persistent threats (APTs) are purposely built to dodge this security mechanism. Only layered endpoint security, fueled by machine learning and behavioral analysis, can protect against these attacks and a wide range of attack techniques while ensuring accurate disposal of new and unknown malware.

Deploying aggressive analysis tools on endpoints is not without drawbacks, including performance issues. Therefore, cloud sandboxing has emerged as an increasingly important option for detecting sophisticated attacks pre-execution and for securing endpoints without compromising their performance.

Sandboxing vs. Emulation

Although the terms sandboxing and emulation are sometimes used interchangeably, the two technologies show fundamental differences when we look closely at how advanced malware works and how it is detected. Standard endpoint protection (EPP) emulation is usually handled locally and only select chunks of code are analyzed, followed by feature extraction performed by machine learning algorithms. Since the entire analysis is performed in milliseconds and is limited by local computing resources, it is at risk of false positives.

Emulation is an integral part of anti-malware’s pre-execution security stack and plays a vital role in the overall security stack of an EPP solution. As such, its importance should not be downplayed–it offers a vital pre-execution layer designed to filter out garden-variety threats without overtaxing a cloud-based sandbox with easily predictable threats.

Conversely, cloud sandboxing detonates the actual file, including additional payloads, in a virtual cloud host meant to replicate the endpoint configuration. The biggest difference between the two is that unlike emulation, where local resources are limited, a cloud-based sandbox utilizes a significantly larger pool of computing power to fully analyze the complete behavior of a potential threat in real-world conditions.

Since most advanced threats employ sophisticated reconnaissance techniques before dropping additional malicious components, a sandbox analysis provides complete visibility into the entire attack chain. This enables the security solution to prevent the initial attack vector and identify other components or tools that threat actors use to gain access to a machine. As the sandbox analyzer is not a production machine, the security tools designed to perform behavioral analysis can be configured to a heightened state of alert – a sort of paranoid mode – that would allow close monitoring of all actions performed by the execution of a potentially malicious file.

The entire process of submitting an unknown file to a sandbox analyzer may take longer than simply running the local emulator, but the amount of behavioral information collected from the sandbox analyzer is far more detailed and more reliable. A verdict on whether a file is malicious is based on more than one technology. For example, specifically trained machine learning algorithms and advanced behavioral-based security tools can assess the threat more in-depth than locally configured, performance-friendly, security tools.

In a nutshell, while both emulation and cloud-based sandbox analysis are an integral part of threat detection, the latter is specifically built to detect and analyze sophisticated threats using machine learning algorithms and aggressive behavior analysis technologies that would otherwise negatively impact the performance of the local machine.

Disarming Threat Actor’s Weapon of Choice

One thing that sophisticated threats have in common is their reliance on commonly used files to deliver malicious payloads. Documents and executables are often used as both reconnaissance and malware delivery mechanisms when infiltrating an organization.

Taking those files and “detonating” them in controlled environments - away from the victim’s endpoint – means threat actors are practically disarmed, as their most effective and commonly deployed weapons are essentially rendered useless.

Tightly integrated with a company’s EPP, cloud-based sandbox analyzer technology can only strengthen the overall security posture, acting as a new security layer specifically designed to detect malware and report unusual artifacts that employ all sorts of anti-evasion techniques. Moreover, with its rich forensic information, it can give companies a complete and detailed analysis of any detected threat, enabling them to strengthen or rethink a variety of security policies across the infrastructure.

About the author: Liviu Arsene is a Senior E-threat Analyst for Bitdefender, with a strong background in security. He has been closely working and interfacing with cross-company development teams, as his past Product Manager role involved understanding Bitdefender’s technology stack.

BankBot Targets Polish Banks via Google Play Tue, 12 Dec 2017 14:17:16 -0600 Two new applications that managed to slip into Google Play despite being infected with the BankBot Trojan have been observed targeting the legitimate apps of Polish banks, ESET warns.

The malware hid inside the seemingly legitimate Crypto Monitor, an app for tracking cryptocurrency prices, and StorySaver, a utility that helps users download stories from Instagram. Both applications provide their users with the promised functionality, but also serve a nefarious purpose.

On the victim’s device, the apps can display fake notifications and login forms that have been designed to look as if they come from legitimate banking applications, which allows them to harvest the credentials victims enter into the fake forms.

They can also intercept text messages, thus being able to bypass SMS-based 2-factor authentication.

The BankBot banking Trojan was first observed about a year ago, when its source code leaked online alongside instructions on how to use it. It took over a month for the first malware based on that code to emerge, but numerous BankBot variations have been observed since, some in Google Play.

In a report published in early November, RiskIQ revealed that the malware managed to slip into the official Android application store disguised as Cryptocurrencies Market Prices, an application offering timely price information to people who trade on cryptocurrency marketplaces.

Only a couple of weeks after that report, the Crypto Monitor malicious app was uploaded to Google Play, under the developer name walltestudio. Four days later, on November 29, StorySaver was published to the marketplace, under the developer name kirillsamsonov45, ESET says.

The applications had between 1,000 and 5,000 downloads when ESET reported their malicious behavior to Google on December 4. Both have since been removed from the application store.

After being launched on the infected device, the malicious apps retrieve information on the installed programs and compare these against a list of targeted banking software.

According to ESET, the malware targets the official apps of fourteen Polish banks, namely Alior Mobile, BZWBK24 mobile, Getin Mobile, IKO, Moje ING mobile, Bank Millennium, mBank PL, BusinessPro, Nest Bank, Bank Pekao, PekaoBiznes24, plusbank24, Mobile Bank, and Citi Handlowy.

The malware can display fake login forms imitating those of the targeted apps and can do so either without any action from the user, or after the user clicks on a fake notification.

ESET claims that most of the infections (96%) were detected in Poland, but that a small set of users in Austria were infected as well (the remaining 4% of detections). The local social engineering campaigns propagating the malicious apps contributed to this.

“The good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on affected devices. Therefore, if you’ve installed any of the above described malicious apps, you can remove them by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them,” ESET says.

Mobile banking users who installed one of the malicious applications are advised to check their bank account for any suspicious activity. They should also consider changing PIN codes, the researchers say.

Related: Millions Download "ExpensiveWall" Malware via Google Play

Related: Android Malware Found on Google Play Abuses Accessibility Service

Creating a Meaningful Security Awareness Training Program Is a 12-Month Commitment Mon, 11 Dec 2017 10:49:00 -0600 Let’s start by asking ourselves a question: As an industry, do we do ourselves a disservice with National Cybersecurity Awareness Month (NCAM)?  

When we have a month and event established on the premise of raising awareness, we start to see corporations, government agencies and organizations put all their efforts and resources around building a big splash that month. In doing that, they tend to downplay and deemphasize the other 11 months of the year. They unintentionally communicate that cybersecurity is not something that needs to be integrated into their day-to-day, or even week-to-week lives, but rather it’s presented as an externality. It becomes an “other,” or an “add-on,” and it’s approached in a way that isn’t tied into, or even relevant, to the rest of their lives. NCAM is an event, and events by their very definition imply that it is other or special, something out of the norm.

When you look at different disciplines in life, where people, cultures or companies try to integrate ideas into our thinking, the communication is much more frequent and distributed. And while it may be less flashy, the consistency is more valuable.

A great comparison is the world of marketing. You don’t see McDonald’s having burger month once a year, instead they hit you with information, ideas and promotions as often as they can afford to. Why? They want to integrate into the everyday decision-making process, they want you to have immediate brand recognition and immediate relevance. The security industry has a lot to learn from people who know how to make ideas stick and know how to influence behavior.

So yes, in my opinion NCAM can be a disservice. But should we get rid of it? Absolutely not.  

NCAM is a good call to action, but don’t put all your eggs in that basket. When you talk about things in that context, you’re hitting people with information that may not be relevant to that day or week. For example, if you’re teaching password best practices during October, it will not sync up with when the vast majority of people in your organization need to change their passwords. By the time password change requirements occur, employees will divert to previously-learned behaviors and forget to leverage the information they were given. Instead, we need to more strategically distribute the password tools and lessons at the right time or place, so we’re hitting employees with the most relevant information when they are about to make an action. That’s where we need to be -- we need to put the trigger at the point, or as close to the point, when the action is about to happen.

When it comes to what you can or should be doing - particularly on the security awareness training front -  you need two things: 1) to have your finger on the pulse of organizational culture and 2) executive buy-in. If you get both, you can understand the company dynamic and can then set clear expectations about what your level of engagement will be and how you will effectively use people’s time and attention.

But how do you get there, and then how do you implement?

Best Practice #1: Get Executive buy-in. Speak the language of the business and tie awareness training into the way your organization views risk and opportunity. Explain that if you only raise awareness during NCAM, or if you only do new hire training, it will be ineffective and you will not be able to change behavior. Don’t allow training to become solely a legal or compliance checkmark.

Best Practice #2: Work with your internal marketing team. Not only do they know how to communicate and influence, but they understand your brand identity, the goals that you have, and the way your company talks about things, as well as an informed view of how/when other internal communications are occurring. Don’t be an outsider; instead take an internal communications approach.

Best Practice #3: Be strategic with frequency. Treat it like marketing swimlanes. Think about different channels (modes of communication and types of messages) and how you would distribute them over time. As a result, you build greater awareness of your security ‘brand’ and core messages, and have the best chance of building secure reflexes.

A piece of this is implementing the “Five Moments of Need” model within training. If you want to communicate new ideas or get people to adopt a new patterned behavior, use point-in-time training. At a high level, this looks like: 1) telling people about something for the first time (new hire, yearly training, etc.); 2) learning more, i.e. ongoing training that is still point-in-time and event-based; 3) “just-in-time” training when employees want to apply knowledge (e.g. a password change); 4) when something goes wrong, which is where simulated phishing or traditional blocking technologies come into play; 5) when something changes (systems, law, regulation, etc.) and people may need associated training.

Best Practice #4: Use variety when sharing ideas and tools… Various forms of content resonate differently with different people. People are individuals and each have unique ways of absorbing communication, so it’s important to think about sharing content in a variety of ways - from newsletters to video - options are necessary to get everyone’s attention and focus.

In general, I recommend an 80/20 rule. You want to apply approximately 20 percent of your budget and efforts during NCAM while the remaining 80 percent should be dispersed over the other 11 months. That allows you to make a big splash in October but still stay relevant and top-of-mind all year long when it will matter most.

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of integrated new school security awareness training and simulated phishing platform.

Putting Off Plans to Strengthen Data Security? It Could Cost You Your Job Mon, 11 Dec 2017 08:33:00 -0600 When considering the consequences of a data breach, plummeting stock prices, deserting customers and diminishing brand reputations immediately come to mind. These damaging and costly repercussions impact the livelihood of a company. However, a cybersecurity incident can also adversely affect individuals within an organization, costing an employee their job, career and possibly their future.

For examples of post-data breach job casualties, look no further than recent news headlines: Equifax CEO Richard Smith suddenly “retired” after the company’s breach exposed 143 million consumers’ sensitive information, while the credit data firm’s chief information officer (CIO) and chief security officer (CSO) resigned. Similarly, after Target’s infamous 2013 breach, both the CEO and CIO were forced to step down. While these are examples of job loss at the C-level, the effects of a data breach can resonate and impact many other staff members. In fact, a Trustwave and Osterman Research survey showed that 38 percent of organizations consider a data breach that becomes public a fireable offense for IT professionals (not just the C-suite).

The problem is that today’s security and compliance professionals are extremely busy people, with high-priority projects coming in from all different departments. At the same time, they must attempt to keep abreast of constantly evolving cyberthreats and industry regulations, while devising and implementing a security strategy that addresses these ever-changing elements. In such a fast-paced work environment, it’s easy to let the seemingly less-pressing tasks fall off a “to-do” list. From there, it’s even easier to justify procrastination. “We’ve never been breached, so we must be doing everything right. We can put off our compliance audit a couple more months, or worry about our software security patch next week.”

Alas, many professionals put off security and compliance initiatives for these reasons and others, often with catastrophic results. Take Equifax, again, for example: the company allegedly waited months to patch a well-known software security vulnerability, which perhaps, if addressed in a timely manner, could have prevented the breach. Now, imagine if you were the person who must explain why you didn’t act sooner and allowed your firm to experience a data breach. Keep in mind that if you’re subsequently fired, you’ll have to justify your failure to act to all future potential employers, and you may find it extremely difficult to land another job.

Are you a security procrastinator?

No matter how long their “to do” lists, security and compliance professionals must take a proactive approach to safeguarding data, thereby protecting their company’s reputation and their own careers. Yet many continue to put off the company’s most crucial security and compliance efforts. The primary reasons I hear in the field, include:

  1. Lack of internal expertise: While some executives understand the need for a compliance program, the majority don’t recognize the work needed to implement and maintain an ongoing, successful program. This means that less-motivated compliance managers could get away with reporting, “We’re working on it,” for an extended period. Maintaining this façade may work in the short term, but it sets you up for massive failure if a breach does occur.
  2. Cost-cutting: Compliance doesn’t necessarily create new functionality, nor does it garner a pat on the back from your superiors. “Nothing happened today and that is a good thing,” may ring a little hollow to those that don’t understand change control. So, many security personnel are likely to look elsewhere to spend their money. After all, if nothing happened at the end of the day, and you can report that to your boss, you’ve done your job, right? Wrong. With the average cost of a data breach hovering above $3.6 million, a single security incident could render all your “cost savings” completely futile.
  3. Seemingly low odds of a data breach: Data breaches are in the news just about every week, leading many to falsely believe that other companies present a bigger, more attractive target. Or, some security professionals may simply hope that their organization is not hit by a cyberattack. I’m all for wishing for the best, yet the reality is that the odds of experiencing a data breach are as high as one in four, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. This is a gamble with your company’s and your own future that is not worth taking.
  4. Urgency exceeds importance: Some security and compliance personnel begin the process of searching for a new solution with a high sense of urgency. They reach out to vendors, looking to get their project started immediately. But, at the drop of a hat, they’ll turn right around and say, “Never mind. We’ll come back to you in three months.” Most of the time, these people know what they must do, but will find every reason to wait. Whether it’s because their compliance assessment isn’t until next year, or they found something seemingly more pressing, there are a million ways to avoid doing the compliance tasks that need to be done.

Many or all of these circumstances may ring true to you and your company. In the future, it doesn’t always have to.

Why wait? How to convey urgency for data protection

Of course, not every company is guilty of playing the waiting game with data security. Even the biggest brands, with large budgets and robust security systems, are vulnerable to data breaches. Regardless of where you and your company stand in your security and compliance initiatives, take heed of the following advice to convey a sense of urgency for protecting your most sensitive data:

  1. Share your vision: Serve as a champion for your cause. Emphasize to your team and other executives the importance of protecting your company’s reputation through proactive compliance. Help them understand that such programs are actually investments in your brand, your customers and your colleagues’ future – not another line item expense.
  2. Talk costs to the C-suite: Upper management may not necessarily care about how a security incident may affect your job, but they will certainly take notice when you talk money. Share how protecting your company from a data breach also protects the organization from reputation damage and loss in customer trust, which directly impact the bottom line. You’ll find it’s much easier to obtain buy-in for supporting your security efforts if you speak their language.
  3. Stress compliance as an ongoing initiative: Compliance isn’t a check-the-box, one-and-done exercise; it requires continuous effort. For example, you could receive a Payment Card Industry Data Security Standard (PCI DSS) Report on Compliance (ROC) one day, and then be vulnerable to a breach the next, if even one security control changes. Therefore, assure your executives that you are “working on it,” and mean it.
  4. Remove sensitive data from your business infrastructure: Because you cannot predict or prevent every potential breach, the above advice will only go so far. The most effective way to strengthen data security is also the simplest approach: remove any sensitive information from your business infrastructure. Simply put, no one can hack the data you don’t hold or process. Investigate and deploy technologies that keep data away from your network and business systems, and you’ll be far less vulnerable (and less attractive) to hackers, fraudsters and other cybercriminals.

No matter what your industry, compliance and security are not something you can put off until next year, next month, or even tomorrow. It takes just a single incident to not only adversely impact your organization, but also your current job and future career. Act now and act decisively. Once you’ve acted, understand that the work still isn’t done. Take an ongoing, proactive approach to security. Make compliance a living and breathing part of your organization, and you’ll have both greater data security and increased job security.

About the author: Tim Critchley has been the CEO of Semafone since 2009 and has led the company from a UK start up to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups including the BGF and Octopus.

Unidentified Leak Paths Led to Successful Hack of South Korean Military by North Korea – Part I Mon, 11 Dec 2017 06:31:00 -0600 According to ABC News, the recent breach of South Korean classified systems holding joint South Korean-US military files was attributed to missed leak paths between the intranet and the internet. These leak paths were used by North Korean hackers, operating out of China, to steal classified data. North Korea used malware that was originally hidden inside a commercially known anti-virus solution used by a contractor to compromise these classified systems and exfiltrate data across these leak paths. The initial compromise was executed in September last year, and the leak path established at that time went undetected while South Korean and U.S. military secrets were progressively stolen. The Wall Street Journal reported, “South Korean officials [were caught] off guard, the people said, because it occurred within a military intranet believed to have been cut off from the internet…”

Leak Paths Are Central to Most of Today’s Successful Breaches

Perimeter defenses are well-tested protective elements that have been used for thousands of years. Instead of protecting each house in a city against invaders, walls were built around the city, and well-guarded gates controlled access to the city. Often, there were lesser entry points through the walls, for convenience or special uses. These included “postern gates,” small entrances far from the main gates. There are numerous tales of cities that fell because their perimeter defenses were subverted through these little-known entry points. Spies on the inside who find these long-forgotten “postern gates” provide an entry point for covert operations, and that is exactly what happened in this case.

These unknown or unauthorized entry points are leaks: a means of malicious or unauthorized entry across the network perimeter. Firewalls and intrusion detection systems serve as gatekeepers to defend the network; nevertheless, circumvention can and does happen. Unlike data leaks, which represent the egress of sensitive information from an organization’s control, Internet leaks are unrestricted pathways into and/or out of an organization’s network perimeter. Malicious attackers use these paths to infiltrate networks, compromise endpoints, shuttle in additional malware, install encryption software for ransomware, move laterally to find sensitive data, and take over additional systems through further infections. According to a 2017 Ponemon Institute and IBM survey, enterprise losses from attacks using worms, viruses, spyware and other attack vectors average $3.6M annually. If one includes additional recovery and reputation costs, that figure grows even larger.

Core of the Problem

Continuous changes to the network landscape, including infrastructure, operating systems, and applications, can cause organizational security policy and network defense configuration to become misaligned, contributing to a proliferation of leaks. And it only takes one leak to allow malicious intrusion into a network.

Proactive identification of leaks and exposed network zones allows effective prioritization of remedial resources to prevent network subversions. When combined with the other aspects of a comprehensive Network Assurance program, real-time leak discovery can be a powerful mechanism for comprehensively protecting an organization’s network.

Stay tuned for Part II of this two-part series, which will cover the differences and implications of inbound versus outbound leak paths. While it may not seem obvious, an inbound leak path is often the precursor to an outbound leak and more indicative of a breach attempt. In addition, we’ll cover some recommendations for proactively identifying leak paths and segmentation violations.

About the author: Sanjay Raja runs Marketing and Strategic Alliances for Lumeta Corporation. He brings over 20 years of engineering, product management and marketing experience in cyber security and networking, specifically focused on Network Security.

Copyright 2010 Respective Author at Infosec Island
Cybersecurity’s Dirty Little Secret
Wed, 06 Dec 2017 15:10:50 -0600

“Who got breached today?” It seems that rarely does a news cycle go by without a revelation of some company, government entity, or web service experiencing a major breach with implications for vast numbers of people. The thinking has shifted from a mindset of “how can I prevent a breach?” to “I know it’s going to happen, how can I minimize the impact?” And what are those impacts? They range from embarrassment and brand degradation to significant financial loss, careers in shambles, and even companies going out of business.

The most severe breaches inevitably stem from powerful credentials (typically those logins used for administration) falling into the wrong hands. No one in their right mind would hand over the keys to their kingdom to a bad actor. But these bad actors are sneaky. They’ll get their hands on a relatively harmless user credential through social engineering, phishing, or brute force, then use escalation techniques and lateral movement to gain superuser access – and then all bets are off.

One of the foundational pillars of identity and access management (IAM) is the practice of privileged access management (PAM). IAM is concerned with ensuring that the right people have the right access to the right systems, in the right ways, at the right times, and that all those people with skin in the game agree that all that access is right. PAM is simply the application of those principles and practices to “superuser” accounts and administrative credentials. Examples of these credentials are the root account on Unix and Linux systems, the Admin account in Active Directory (AD), the DBA account associated with business-critical databases, and the myriad service accounts that are necessary for IT to operate.

PAM is widely viewed as perhaps the top practice that can alleviate the risk of a breach and minimize the impact if one were to occur. Key PAM principles include eliminating the sharing of privileged credentials, assigning individual accountability to their use, implementing a least-privilege access model for day-to-day administration, and implementing an audit capability on activities performed with these credentials. Unfortunately, we now have clear indicators that most organizations have not kept their PAM program on par with ever-evolving threats.

One Identity recently conducted research that revealed some alarming statistics when it comes to this most important protective practice. The study of more than 900 IT security professionals found that too many organizations are using primitive tools and practices to secure and manage privileged accounts and administrator access, in particular:

  • 18 percent of those surveyed admit to using paper-based logs for managing privileged credentials
  • 36 percent manage them with spreadsheets
  • 67 percent rely on two or more tools (including paper-based and spreadsheets) to support their PAM program

Although many organizations are attempting to manage privileged accounts (even if that attempt is made with inadequate tools), fewer are actually monitoring the activity performed with this “superuser” access:

  • 57 percent admit to only monitoring some or none of their privileged accounts
  • 21 percent admit that they do not have any ability to monitor privileged account activity
  • 31 percent report that they cannot identify the individuals who perform activities with administrative credentials. In other words, nearly one in three cannot assign the individual accountability that is so critical to protection and risk mitigation.

And if those statistics weren’t scary enough, data indicates that way too many organizations (commercial, government, and worldwide) fail to do even the basic practices that common sense demands:

  • 88 percent admit that they face challenges when it comes to managing privileged passwords
  • 86 percent do not change admin passwords after they are used – leaving the door open for the aforementioned escalation and lateral movement activities
  • 40 percent leave the default admin password intact on systems, servers, and infrastructure, functionally eliminating the need for a bad actor to even try hard to get the access they covet.

The bottom line is simple: common-sense activities such as changing the admin password after each use and not leaving the default in place will solve many of the problems. Upgrading practices and technologies to eliminate the possibility of human error, or of lags due to cumbersome password administration, adds a further layer of assurance and individual accountability. And finally, expanding a PAM program to cover all privileged accounts – not just the ones that are easiest to secure – will yield exponential gains in security.

About the Author: Jackson Shaw is Vice President, Product Management at One Identity. He has been involved with directory, meta-directory and security initiatives for 25 years.

Four Ways to Protect Your Backups from Ransomware Attacks
Wed, 22 Nov 2017 08:52:00 -0600

Backups are the last line of defense against having to pay a ransom for encrypted data, but they need protection too. This year ransomware has been rampant, targeting every industry. Two headline attacks, WannaCry and NotPetya, have caused losses in excess of hundreds of millions. Naturally, cybercriminals continue to rapidly increase ransomware attacks because they are effective.

Good Backups and Effective Recovery

Proactive, not reactive, organizations have choices when it comes to ransomware. The most reliable defense against ransomware continues to be good backups and well-tested restore processes. Companies that regularly back up their data and are able to quickly detect a ransomware attack have the opportunity to restore and minimize disruption.

In some less common cases, we see wiper malware like NotPetya imitating Petya ransomware and delivering a similar ransom message. In this case the victims are not able to recover their data even after paying a ransom, which makes the ability to restore from good backups even more critical.

Clever Attackers Target Backups

Because good backups are so effective, the attackers behind ransomware, including nation-state agents, are now targeting the backup processes and tools themselves. Several forms of ransomware, such as WannaCry and the newer variant of CryptoLocker, delete the shadow volume copies created by Microsoft Windows. Shadow copies are a simple recovery mechanism built into Windows. On Macs, attackers targeted backups from the outset: researchers found that the first Mac ransomware, discovered in 2015, contained (incomplete) functionality targeting the disks used by Mac OS X’s automated backup process, Time Machine.

The scheme is straightforward: encrypt the backups as well, so the organization has no way to recover and is likely to pay the ransom. Cybercriminals are increasing their efforts and aim to destroy the backups along with the primary data. Here are four recommendations to help organizations safeguard their backups against ransomware.

One: Develop visibility into your backup process

The more quickly an organization can discover a ransomware attack, the better its chances of avoiding significant corruption of data. Data from the backup process can serve as an early warning of ransomware infections. Your backup log will show signs of a program that rapidly encrypts data: incremental backups will abruptly “blow up” as each file is effectively changed, and the encrypted files cannot be compressed or deduplicated.

Monitoring essential metrics such as capacity utilization from the backups every day will help organizations detect when ransomware has infiltrated an internal system and minimize the damage from the attack.
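The two backup-log signals described above (a spike in changed files together with a collapse in compression/deduplication) can be checked automatically. The following is an added example, not Barracuda's code; the log format, field names, job name and all sample values are constructed for illustration.

```python
"""Flag ransomware-like behaviour in incremental backup job statistics.

Added example (not from the original article). It applies the article's
observation that incremental backups "blow up" when ransomware rewrites
files and that ciphertext neither compresses nor deduplicates, so a job
that changes far more files than usual AND stores nearly every byte it
reads is suspicious. The log format and all values are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Constructed nightly incremental backup log. Whitespace-separated fields:
# date  job_name  files_changed  bytes_read  bytes_stored_after_dedup_and_compression
SAMPLE_LOG = """\
2017-11-13 fileserver01 1240  8.1e9  1.2e9
2017-11-14 fileserver01 1310  8.4e9  1.3e9
2017-11-15 fileserver01 1180  7.9e9  1.1e9
2017-11-16 fileserver01 1290  8.3e9  1.3e9
2017-11-17 fileserver01 1225  8.0e9  1.2e9
2017-11-18 fileserver01 9800  6.2e10 9.5e9
2017-11-19 fileserver01 48120 3.1e11 3.0e11
"""
# 11-18 is a legitimate mass update (many files changed, but the data still
# reduces well); 11-19 looks like encryption (everything changed, nothing reduces).


@dataclass
class BackupJob:
    date: str
    job: str
    files_changed: int
    bytes_read: float
    bytes_stored: float

    @property
    def reduction_ratio(self) -> float:
        """Bytes read per byte stored. Office data here reduces ~6-7x;
        encrypted output reduces ~1x because it is incompressible."""
        return self.bytes_read / self.bytes_stored if self.bytes_stored else 1.0


def parse_log(text: str) -> List[BackupJob]:
    """Parse the constructed log format into BackupJob records."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, job, changed, read, stored = line.split()
        jobs.append(BackupJob(date, job, int(changed), float(read), float(stored)))
    return jobs


def find_anomalies(jobs: List[BackupJob], baseline_runs: int = 5,
                   change_factor: float = 5.0, min_ratio: float = 2.0) -> List[Dict]:
    """Return jobs whose changed-file count spikes and whose data no longer reduces.

    The baseline is the median of the previous `baseline_runs` runs of the same
    job. Both conditions must hold: a changed-file spike alone may be a patch
    rollout; a poor reduction ratio alone may be a batch of media files.
    """
    alerts = []
    history: Dict[str, List[BackupJob]] = {}
    for j in jobs:
        hist = history.setdefault(j.job, [])
        if len(hist) >= baseline_runs:
            recent = hist[-baseline_runs:]
            base_changed = median(x.files_changed for x in recent)
            if (j.files_changed > change_factor * base_changed
                    and j.reduction_ratio < min_ratio):
                alerts.append({
                    "date": j.date,
                    "job": j.job,
                    "change_multiple": round(j.files_changed / base_changed, 1),
                    "reduction_ratio": round(j.reduction_ratio, 2),
                })
        hist.append(j)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print("possible ransomware activity:", alert)
```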

Two: Be wary of using network file servers and online sharing services

Network file servers are easy to use and always available, two characteristics that make network-accessible “home” directories a popular way to centralize data and simplify backup. Yet when faced with ransomware, this data architecture has several critical security weaknesses. Many ransomware programs encrypt connected drives, so the victim’s home directory would also be encrypted. Any server running a commonly targeted and vulnerable operating system like Windows could itself be infected; then every user’s data would be encrypted.

Any organization with a network file server must continuously back up the data to a separate system or service, and test the system’s restore functionality against ransomware scenarios specifically.

Cloud file services are also vulnerable to ransomware. A well-known example is the 2015 Children in Film ransomware attack. Children in Film, a business providing information for child actors and their parents, used the cloud extensively, including a shared cloud drive. According to KrebsOnSecurity, less than 30 minutes after an employee clicked on a malicious email link, over four thousand files in the cloud were encrypted. Thankfully, the business’s backup provider was able to restore all of their files, but it took upwards of a week to do so.

Depending on whether the cloud service provides incremental backups or easily managed file histories, recovering data in the cloud can prove more difficult than recovering from an on-premises server.

Three: Test your recovery processes frequently

Backups are worthless unless you have the ability to recover both reliably and quickly. Organizations can have backups but still be forced to pay the ransom, because the backup schedule failed to perform backups with sufficient granularity, or they were not backing up the intended data. For example, Montgomery County, Alabama was forced to pay a ransom to retrieve their $5 million in data as a result of difficulties with their backup files unrelated to the ransomware.

Part of testing the recovery process is determining the window of data loss. Organizations that do a full backup only once a week can lose up to a week of data if they need to recover to their last backup. Performing daily or hourly backups significantly increases the level of protection. More granular backups and detecting ransomware events as early as possible are both key to preventing loss.

Four: Understand your solution options

If ransomware can access backup images directly, it will be almost impossible to prevent the attack from encrypting corporate backups. For that reason, a backup system engineered to keep the backup data abstracted away from the clients it protects will stop ransomware in its tracks from encrypting historical data.

Separating backups from your standard operating environment, and ensuring the backup process doesn’t run on a general-purpose server and operating system, hardens backups against attack. Backup systems running on the most targeted operating system, Microsoft Windows, are prone to attack and much more difficult to protect from ransomware.

Ultimately, organizations must seek to detect ransomware attacks early with monitoring or anti-malware measures, use purpose-built systems to separate backup data from a potentially compromised system, and continuously test backup and restore processes to ensure data is effectively protected. This approach will preserve backups from ransomware attacks and reduce the risk of losing data in the event of an infection.

About the author: Rod Mathews is the SVP & GM, Data Protection Business for Barracuda. He directs strategic product direction and development for all data protection offerings, including Barracuda's backup and archiving products and is also responsible for Barracuda’s cloud operations team and infrastructure.

Shadow IT: The Invisible Network
Tue, 14 Nov 2017 06:02:00 -0600

The term “shadow IT” is used in information security circles to describe the “invisible network” that user applications create within your network infrastructure. Some of these applications are helpful and breed more efficiency while others are an unwanted workplace distraction. However, all bypass your local IT security, governance and compliance mechanisms.

The development of application policies and monitoring technology has lagged far behind the use of cloud-based business services, as researchers note in SkyHigh’s Cloud Adoption and Risk Report. It states, “The primary platform for software applications today is not a hard drive; it’s a web browser. Software delivered over the Internet, referred to as the cloud, is not just changing how people listen to music, rent movies, and share photos. It’s also transforming how business is conducted.” Recent studies show that businesses that follow this trend of migrating operations to the cloud actually increased productivity by nearly 20 percent over those that did not.

Shifting to a new security model before we determine the rules  

Traditional security thinking and products have focused solely on keeping the network and those within it safe from outside threats, and on auditing information from users, devices and alerts. The application revolution is now pushing security teams beyond the traditional network boundaries and into the cloud before acceptable-use policies and new auditing and compliance parameters have been established. It is much more efficient to lay the auditing and policy groundwork first and then allow security operations to adapt to this new element of application awareness.

Why does application awareness change security operations so drastically? Because it:

  • Emphasizes outgoing (as opposed to incoming) communication
  • Requires relating users and devices to the applications (which older tools can’t perform)
  • Shifts the focus away from signature detection and into analytics and policy
  • Requires creating network and device use policy and implementing a means to track and measure it
  • Requires pulling logs from cloud services

Beyond the security implications, there are important governance challenges when developing new application policies. While the discussion of implementing application awareness is mostly technical, the way employees use applications can also be deeply personal. Deciding whether to allow or block Facebook, Twitter, Dropbox, BitTorrent, Tor and personal Gmail accounts touches a human factor that goes beyond merely stopping viruses and preventing breaches. Yet allowing such applications (especially Tor) can increase the level of risk exponentially – even beyond the threats posed by many viruses.

Changing direction to a different point of view – the insider threat

Security follows business, and business is rapidly putting its information in the cloud. Most newer security products have evolved to focus both on what is entering the network and what is leaving the network. However, the shadow IT system often circumvents corporate monitoring and security measures, and allows corporate data to flow outside the organization into the public cloud without proper oversight or control.

Replacing the threadbare notion that threats can only come into our systems from the outside is an ever-growing (and different) point of view, complemented by products and devices that also monitor outgoing communications. Until recently, this capability has been limited to data loss prevention, policy filtering and compromised-system detection.

Cloud Access Security Brokers (CASBs) are one type of outbound protection for the network, and they do provide more visibility into network flows, though at the cost of analysts having to sort through vast quantities of data. One Gartner analyst commented that the competitive forces currently at work among CASB market providers “is a consequence of newness that limits the consistency and richness of the service they can provide.” He continued, “Data without action is kind of useless. Data has to be automatable so your team can solve the problem and move on to bigger projects.”

At this point, the point of view must pivot to gain visibility into both the external threat and the internal or insider threat. The focus here is on your employees and their careless, and sometimes malicious, behavior on network-connected devices. While some workers feel entitled to check social media or personal email at work, it is crucial that an organization develop smart and enforceable “acceptable-use” policies, along with regular, relevant training for all workers. This area of governance has lagged far behind the technological solutions; however, it is no less important a piece of the visibility puzzle.

What about solid, consistent governance?

Governance is all about identifying risk and deciding what is acceptable. What is the risk of non-approved applications in a current enterprise environment? SkyHigh wrote a solid white paper on what they see as the risk in their Q4 2016 Cloud Adoption Risk Report (PDF). It should be noted that this report is biased in terms of the threat, but it does, at a minimum, provide a high-level explanation of the risk.

The above report prominently noted that email/phishing is the number one vector of attack, while web-based malware downloads are rarer by comparison. Buried deep in the SkyHigh study was the reason that we need to effectively capture application usage: while greater than 60 percent of organizations surveyed had a cloud use policy, almost all of that particular group lacked the needed enforcement capability. Roughly two-thirds of services that employees attempt to access are allowed based on policy settings, but most enterprises are still struggling to enforce blocking policies for the one-third in the remaining category that were deemed inappropriate for corporate use due to their high risk.

The ideal of control through enforcement is complicated, even with a CASB in place, by security “silos” and a struggle to consistently enforce policies across multiple cloud-based systems. Major violations still occur despite policies: authorized users misusing cloud-based data, accessing data they shouldn’t, syncing data to uncontrolled PCs, leaving data in “open shares,” and retaining access after termination or expiration. In short, even before deploying a CASB you can build knowledge of application use passively with other tools.

Implementing a means to passively detect applications and to track that activity to the user and device is an essential aspect of governance and risk management. Shadow IT is the term for the risk that application awareness addresses; drafting and implementing policies, which may be controversial with fellow staff members, is the much more arduous task.

About the Author: Chris Jordan is CEO of College Park, Maryland-based Fluency, a pioneer in Security Automation and Orchestration.

4 Questions Businesses Must Ask Before Moving Identity into the Cloud
Wed, 08 Nov 2017 04:50:00 -0600

The cloud has transformed the way we work and it will continue to do so for the foreseeable future. While the cloud provides a lot of convenience for employees and benefits for companies in terms of cost savings, speed to value and simplicity, it also brings new challenges for businesses. When coupled with the fact that Gartner predicts 90 percent of enterprises will be managing hybrid IT infrastructures encompassing both cloud and on-premises solutions by 2020, the challenge becomes increasingly more complex.

As is the case with any significant technology initiative, moving infrastructure to the cloud requires forethought and preparation to be successful. For many enterprises, a cloud-first IT strategy means a chance to focus on the core drivers of the business versus managing technology solutions. As these enterprises consider a cloud-first approach, they will undoubtedly be moving their IT infrastructure and security to the cloud. And identity will not be left behind.

The big question for many IT and security operations departments is: can you move your identity governance solution to the cloud? And then, perhaps more importantly, should you? The answers to these questions will vary from company to company and are dependent on the needs of the business and the current structure of the identity program.

As such, here are 4 questions every organization must ask to determine if moving identity into the cloud is the right move for their business:

  • Have you already moved any infrastructure to the cloud?

While many business applications are relatively easy to use as a service, transferring a complex identity management program into the cloud can be more challenging to implement. If your organization is already using infrastructure-as-a-service (e.g. Amazon Web Services or Microsoft Azure) then you’re likely ready to move forward with implementing a cloud-based identity governance program. However, if you haven’t experimented with moving mission-critical apps into the cloud, you should carefully consider whether your organization is prepared before making the leap. 

  • How flexible is your organization?

Regardless of how it is deployed, an effective identity governance solution must provide complete visibility across all of your on-premises and cloud applications. This visibility provides the foundation required to build the policies and controls essential for compliance and security. For organizations that don’t have the time or expertise to create custom identity policies or compliant processes from scratch, cloud-based solutions can make successful deployments more attainable. However, if your organization has rigid requirements about how identity management must be configured and deployed, it may be more of a challenge to move to a cloud-based solution.

  • Do you have limited resources?

Deploying an identity governance solution can be both time- and resource-intensive, and effective identity programs require a blend of people, processes and technology to be successful. The cloud is a great option for businesses with limited resources because it doesn’t involve hardware or infrastructure upgrades, making it faster and more cost-effective than on-premises solutions. Cloud-based identity is also great for organizations with smaller IT teams or those without as much specific expertise in the space.

  • How well do you understand your governance needs?

Identity governance is more than just modifying who has access to what. Effective identity governance must also answer the questions of whether this user should have access, what kind of access they are entitled to, and what they can do with that access. And while identity governance can be simple to use, what happens behind the scenes can be very complex. This is important to understand because SaaS-based identity governance is not as customizable as an on-premises solution. So, if your identity needs are fairly straightforward, the cloud might be for you, but if your organization requires more complexity and customization, on-premises might still be the best solution.

Whether you’re moving from an on-premises identity governance solution to the cloud or implementing a cloud-based identity governance solution for the first time, it’s important to take a close look at your organization and its needs before taking the next step. With these best practices in mind, you can properly manage identities and limit the risk of inappropriate access to your sensitive business data.

About the author: Dave Hendrix oversees the engineering, product management, development, operations and client services functions in his role as senior vice president of IdentityNow.

Artificial Intelligence: A New Hope to Stop Multi-Stage Spear-Phishing Attacks
Tue, 07 Nov 2017 10:19:11 -0600

Cybercriminals are notorious for conducting attacks that are widespread, hitting as many people as possible, and taking advantage of the unsuspecting. Practically everyone has received emails from a Nigerian prince, foreign banker, or dying widow offering a ridiculous amount of money in return for something from you. There are countless creative examples of phishing, even health drugs promising the fountain of youth or skyrocketing your love life in return for your credit card.

In more recent times, cybercriminals are taking an “enterprise approach” to attacks. Just like business-to-business sales teams, they focus on a smaller number of targets, with the objective of obtaining an exponentially greater payoff through extremely personalized and sophisticated techniques. These pointed attacks, labeled spear phishing, impersonate an employee, a colleague, your bank, or a popular web service to exploit their victims. Spear phishing has steadily been on the rise, and according to the FBI, this means of social engineering has proven extremely lucrative for cybercriminals. Even more concerning, spear phishing is incredibly elusive and difficult to prevent with traditional security solutions.

The most recent evolution in social engineering involves multiple premeditated steps. Cybercriminals hunt their victims instead of targeting company executives with a fake wire request out of the blue. They first infiltrate the target organization through an administrative mail account or a low-level employee’s account, then conduct reconnaissance and wait for the most opportune time to fool the executive by initiating an attack from the compromised mail account. Here are the abbreviated steps commonly taken in these spear phishing attacks, and the solutions that stop these attackers in their tracks.

Step 1: Infiltration

Most phishing attempts are glaringly obvious to people who receive cyber security training (executives, IT teams). These emails contain strange addresses, bold requests, and grammar mistakes that often prompt deletion. However, there is a stark increase in personalized attacks that are extremely hard to sniff out, especially for people who aren’t trained. Often the only giveaway is a malicious link whose real destination is visible only when you hover over it with your mouse. Highly trained individuals would spot this flaw, but ordinary employees would not.

This is why cybercriminals look for easier targets at first. Mid-level sales, marketing, support and operations staff are the most usual. This initial attack is aimed at stealing a username and password. Once the attacker holds this mid-level employee’s credentials, and if multi-factor authentication is not enabled (and in many organizations it is not), they can log into the account.

Step 2: Reconnaissance

At this stage, cybercriminals will normally monitor the compromised account and study email traffic to learn about the organization. Often, attackers set up forwarding rules on the account so they do not have to log in frequently. Analysis of the victim’s email traffic allows the attacker to understand more about the target and the organization: who makes the decisions, who handles or influences financial transactions, who has access to HR information, and so on. It also opens the door for the attacker to spy on communications with partners, customers, and vendors.

This information is then leveraged for the final step of this spear phishing attack.

Step 3: Extract Value

Cybercriminals leverage this learned information to launch a targeted spear phishing attack. They often send customers fake bank account information precisely when they are planning to make a payment. They can trick other employees into sending HR information or wiring money, or easily sway them to click on links that collect additional credentials and passwords. Since the email is coming from a legitimate (albeit compromised) account such as a colleague’s, it appears totally normal. The reconnaissance allows the attacker to precisely mimic the sender’s signature, tone and text style. So, how do you stop this attacker in his tracks? Thankfully, there is new hope, alongside well-known methods, for organizations to thwart these cybercriminals: a multi-layer strategy.

End of the Line for Spear Phishing

There are three things that organizations should be employing now to combat spear phishing. The two obvious ones are user training and awareness, and multi-factor authentication. The third, and newest, technology to stop these attacks is real-time analytics and artificial intelligence. Artificial intelligence offers some of the strongest hope on the market today for shutting down spear phishing.

AI Protection

Artificial intelligence to stop spear phishing sounds futuristic and out of reach, but it is on the market today and attainable for businesses of all sizes, because every business is a potential target. AI has the ability to learn and analyze an organization’s unique communication pattern and flag inconsistencies. The nature of AI is that it becomes stronger, smarter and more effective over time, quarantining attacks in real time while identifying high-risk individuals within an organization. For example, AI would have been able to automatically classify the email in the first stage of the attack as spear phishing, and would even detect anomalous activity in the compromised account, subsequently stopping stages two and three. It also has the ability to stop domain spoofing and unauthorized activity that impersonates the organization to customers, partners and vendors in order to steal credentials and gain access to their accounts.
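To make the "learn the communication pattern and flag inconsistencies" idea concrete, here is an added example that is not Barracuda Sentinel's code: it replaces the AI with a plain baseline-and-score rule set that covers the three stages above (a login from a never-seen country, an external forwarding rule, an external Reply-To or display-name impersonation). The tenant domain, users, addresses, weights and all events are constructed for this example.

```python
"""Baseline-and-anomaly scoring for the three spear-phishing stages.

Added example (not from the original article or Barracuda). Historical
events build a per-user profile of normal behaviour; new events are scored
against it. Everything here (domain, users, events, weights) is constructed.
"""
from typing import Dict, List, Set

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for this example


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


# Constructed history: the organisation's "normal" communication pattern.
BASELINE = [
    {"type": "login", "user": "alice@example.com", "country": "US"},
    {"type": "login", "user": "alice@example.com", "country": "US"},
    {"type": "mail", "from": "alice@example.com", "name": "Alice Smith",
     "reply_to": "alice@example.com", "to": "cfo@example.com"},
    {"type": "mail", "from": "alice@example.com", "name": "Alice Smith",
     "reply_to": "alice@example.com", "to": "ap@customer.example"},
    {"type": "mail", "from": "bob@example.com", "name": "Bob Jones",
     "reply_to": "bob@example.com", "to": "alice@example.com"},
]

# Constructed new events, in order: stage 1 login, stage 2 rule, stage 3
# message with injected Reply-To, an impersonation from a lookalike domain,
# then two benign messages (known recipient; new but internal recipient).
NEW_EVENTS = [
    {"type": "login", "user": "alice@example.com", "country": "RO"},
    {"type": "rule", "user": "alice@example.com", "forward_to": "drop@mail.example.net"},
    {"type": "mail", "from": "alice@example.com", "name": "Alice Smith",
     "reply_to": "alice.smith@mail.example.net", "to": "ap@customer.example"},
    {"type": "mail", "from": "ceo@examp1e.example", "name": "Bob Jones",
     "reply_to": "ceo@examp1e.example", "to": "alice@example.com"},
    {"type": "mail", "from": "alice@example.com", "name": "Alice Smith",
     "reply_to": "alice@example.com", "to": "cfo@example.com"},
    {"type": "mail", "from": "alice@example.com", "name": "Alice Smith",
     "reply_to": "alice@example.com", "to": "hr@example.com"},
]

# Constructed weights; a single weak signal (new recipient) does not alert.
WEIGHTS = {"new_country": 3, "external_forward": 3, "reply_to_mismatch": 2,
           "display_name_impersonation": 3, "new_recipient": 1}
ALERT_THRESHOLD = 2


def build_profiles(history: List[Dict]):
    """Per-user login countries and correspondents, plus display name -> address."""
    countries: Dict[str, Set[str]] = {}
    partners: Dict[str, Set[str]] = {}
    names: Dict[str, str] = {}
    for e in history:
        if e["type"] == "login":
            countries.setdefault(e["user"], set()).add(e["country"])
        elif e["type"] == "mail" and domain_of(e["from"]) == INTERNAL_DOMAIN:
            partners.setdefault(e["from"], set()).add(e["to"])
            names[e["name"]] = e["from"]
    return countries, partners, names


def score_event(e: Dict, countries, partners, names) -> List[str]:
    """Return the list of anomaly reasons this event triggers."""
    reasons = []
    if e["type"] == "login" and e["country"] not in countries.get(e["user"], set()):
        reasons.append("new_country")
    elif e["type"] == "rule" and domain_of(e["forward_to"]) != INTERNAL_DOMAIN:
        reasons.append("external_forward")
    elif e["type"] == "mail":
        if domain_of(e["reply_to"]) != domain_of(e["from"]):
            reasons.append("reply_to_mismatch")
        if e["name"] in names and names[e["name"]] != e["from"]:
            reasons.append("display_name_impersonation")
        if e["from"] in partners and e["to"] not in partners[e["from"]]:
            reasons.append("new_recipient")
    return reasons


def detect(events: List[Dict], history: List[Dict]) -> List[Dict]:
    """Score each new event against the baseline; alert when the score reaches the threshold."""
    countries, partners, names = build_profiles(history)
    alerts = []
    for i, e in enumerate(events):
        reasons = score_event(e, countries, partners, names)
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            alerts.append({"index": i, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_EVENTS, BASELINE):
        print(f"event {a['index']}: score {a['score']} {a['reasons']}")
```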

Multi-Factor Authentication
It is absolutely essential for organizations to implement multi-factor authentication (MFA). In the above attack, if multi-factor authentication had been enabled, the criminal would not have been able to gain entry to the account. There are many effective methods of multi-factor authentication, including SMS codes or mobile phone calls, key fobs, biometric thumbprints, retina scans and even face recognition.

Targeted User Training

Employees should be trained regularly and tested to increase their security awareness of the latest and most common attacks. Staging simulated attacks for training purposes is the most effective activity for prevention and promoting an employee mindset of staying on alert. For employees who handle financial transactions or are higher-risk, it’s worth giving them fraud simulation testing to assess their awareness. Most importantly, training should be companywide and not only focused on executives.  

About the author: Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense.

Copyright 2010 Respective Author at Infosec Island
Category #1 Cyberattacks: Are Critical Infrastructures Exposed? Tue, 07 Nov 2017 06:23:00 -0600

Critical national infrastructures are the vital systems and assets pertaining to a nation's security, economy and welfare. They provide light for our homes; the water in our taps; a means of transportation to and from work; and the communication systems that power our modern lives. The loss or incapacity of such necessary assets, upon which our daily lives depend, would have a truly debilitating impact on a nation's health and wealth. One might assume then that the security of such assets, whether virtual or physical, would be a key consideration. Or, to put that another way, failing to address security vulnerabilities in such important systems would surely be an inconceivable idea.

However, the worrying truth is that the security measures of many of our nation's critical systems are not, by and large, what they should be. Perhaps this shouldn't be a surprise. The rapid progression of technology has enabled critical systems to become increasingly connected and intelligent, but with little experience of the problems this connectivity could create, few thought about the systems' security.

Although this newfound connectivity has helped industries to realise great productivity and efficiency benefits, the attack on Ukraine's power grid in 2015 opened the eyes of many in charge of such industries. Since the nationwide power outages that followed, it has become clear that if security is not prioritised, the worst-case scenario could wreak havoc across our nations. Prevention is a must; a short-term fix will only delay the inevitable…

Critical infrastructures: an imminent attack

Not a case of if. But when.

It has been two years since news of Ukraine’s power grid cyberattack made headlines across the globe. And once again, critical infrastructure security has been propelled into the spotlight following a number of recent reports suggesting that a devastating attack is imminent.

The UK’s National Cyber Security Centre (NCSC) revealed in its first annual review that it received 1,131 incident reports, with 590 of these classed as ‘significant’. This included the WannaCry ransomware that took down the NHS. While none of these were identified as category one incidents, i.e. interfering with democratic systems or crippling critical infrastructures such as power, the head of the NCSC, Ciaran Martin, warned there could be damaging attacks in the not too distant future.

Furthermore, US-CERT recently issued an alert warning critical national infrastructure firms, including nuclear, energy and water providers, that they are now at an increased risk of ‘highly targeted’ attacks by the Dragonfly APT group. This follows a report by security researchers Symantec, who recently found that during a two-year period the group has been increasing its attempts to compromise energy industry infrastructure, most notably in the UK, Turkey and Switzerland.

Although no damage has yet been done, the group has been trying to determine how power supply systems work and what could be compromised and controlled as a result. If we know the group now has the potential ability to sabotage or gain control of these systems should it decide to do so, this should increase the urgency around the preventative measures needed to defend against a future attack. It is therefore hardly surprising that, to combat the rise of such threats, the first piece of EU-wide cybersecurity legislation has been developed to boost the overall level of cybersecurity in the EU. This is called the NIS Directive.

Addressing security from the outset

The potential consequences are disturbing, so infrastructure owners need to consider working in closer collaboration with security experts to ensure the lights remain on. While most in the security industry recognise that there is no silver bullet to ensure total security, we recommend all of those in charge of critical infrastructures ensure they have enough barriers in place to safeguard industrial and critical assets. Proactive regimes that balance defensive and offensive countermeasures, as well as include regular retraining and security techniques such as penetration testing and “red teaming”, are vital to keep defences sharpened.

One of the greatest lessons that should be heeded is that security must be addressed from the outset of infrastructure development and deployment. It has become abundantly clear that cyberattacks against critical infrastructures are only going to increase in the coming months and years. Those in charge of securing such environments must adopt a new preventative mindset, ensuring strong barriers are in place to avert the hijacking of any critical infrastructure before there is a need to clean up its devastating results.

About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.

The Evolution from Waterfall to DevOps to DevSecOps and Continuous Security Fri, 03 Nov 2017 11:01:00 -0500

Software development started with the Waterfall model, proposed in 1956, where the process was pre-planned, set in stone, with a phase for every step. Everything was predictably…sluggish. Every organization involved in developing web applications was siloed, and each had its own priorities and processes. A common situation involved development teams with their own timelines, while quality assurance teams had to test another app, and operations hadn't been notified in time to build out the infrastructure needed. Not to mention, security felt that they weren't taken seriously. Fixing a bug introduced early in the application lifecycle was painful, because testing came much later in the process. Repeatedly, the end product did not address the business's needs because the requirements had changed, or the need for the product itself was long gone.

The Agile Manifesto

After roughly 45 years of this inadequacy, in 2001, the Agile Manifesto emerged. This revolutionary model advocated adaptive planning, evolutionary development, early delivery and continuous improvement, and encouraged rapid and flexible response to change. Agile adoption increased and sped up the software development process by embracing smaller release cycles and cross-functional teams. This meant that stakeholders could navigate and course-correct projects earlier in the cycle. Applications began to be released on time, which translated to addressing immediate business needs.

The DevOps Culture

With this increased agile adoption by development and testing teams, operations now became the holdup. The remedy was to bring agility to operations and infrastructure, resulting in DevOps. The DevOps culture brought together all the participants involved, resulting in faster builds and deployments. Operations began building automated infrastructure, enabling developers to move significantly faster. DevOps led to the evolution of Continuous Integration/Continuous Delivery (CI/CD), basing the application development process around an automation toolchain. To convey this shift, organizations advanced from deploying a production application once annually to deploying production changes hundreds of times daily.

Security as a DevOps Afterthought

Although many processes had been automated with DevOps thus far, some functions had been ignored. A substantial piece that is not automated, but is increasingly critical to an organization's very survival, is security. Security is one of the most challenging parts of application development. Standard testing doesn't always catch vulnerabilities, and many times someone has to wake up at three in the morning to fix that critical SQL injection vulnerability. Security is often perceived as being behind the times, and more commonly is blamed for stalling the pace of development. Teams feel that security is a barrier to continuous deployment because its manual testing and configuration halt automated deployments.

As the Puppet State of DevOps report aptly states:

"All too often, we tack on security testing at the end of the delivery process. This typically means we discover significant problems that are very expensive and painful to fix once development is complete, which could have been avoided altogether if security experts had worked with delivery teams throughout the delivery process."

Birth of DevSecOps

The next iteration in this evolution of DevOps was integrating security into the process, with DevSecOps. DevSecOps essentially incorporates security into the CI/CD process, removing manual testing and configuration and enabling continuous deployments. As organizations move toward DevSecOps, there are substantial modifications they are encouraged to undergo to be successful. Instilling security into DevOps demands cultural and technical changes. Security teams must be included in the development lifecycle from day one. Security stakeholders should be integrated right from planning and involved with each step. They need to work closely with development, testing and quality assurance teams to discover, address and mitigate security risks and software vulnerabilities. Culturally, security should become accustomed to rapid change and to adapting to new methods that enable continuous deployment. There needs to be a happy medium that results in rapid and secure application deployments.

Security Automation is the Key

A critical step in moving toward DevSecOps is removing manual testing and configuration. Security should be automated and driven by testing. Security teams should automate their tests and integrate them into the overall CI/CD chain. Depending on the individual application, it is not uncommon for some tests to remain manual, but the bulk can and should be automated, especially tests that ensure applications satisfy defined baseline security requirements. Security should be a priority from development to pre-production and should be automated, repeatable and consistent. When done correctly, responding to security vulnerabilities becomes far simpler at each step of the way, which inherently reduces the time taken to fix and mitigate flaws.
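As an added example (not code from the article or from any vendor it names), the following turns a handful of "defined baseline security requirements" into an automated gate a CI/CD stage can run against an application's HTTP responses and fail the build on. The rule names, the `Response` stand-in and both sample responses are constructed for illustration.

```python
"""Automated baseline security gate for a CI/CD pipeline (added example).

Each rule encodes one baseline requirement as a machine-checkable test
over an HTTP response captured in a pipeline stage; any finding fails
the build before the change reaches pre-production.  Inputs here are
constructed, and the rule set is a hypothetical starting point.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (hypothetical type)."""
    status: int
    headers: dict                                 # header name -> value
    cookies: list = field(default_factory=list)   # raw Set-Cookie values

    def header(self, name):
        """Case-insensitive header lookup; None when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Every rule returns None when satisfied, otherwise a finding string.

def rule_hsts(resp, min_age=31536000):
    """HSTS must be present with a max-age of at least one year."""
    value = resp.header("Strict-Transport-Security")
    if value is None:
        return "HSTS header missing"
    match = re.search(r"max-age=(\d+)", value)
    if not match or int(match.group(1)) < min_age:
        return f"HSTS max-age below {min_age}"
    return None


def rule_csp(resp):
    """CSP must exist and must not allow inline scripts."""
    value = resp.header("Content-Security-Policy")
    if value is None:
        return "Content-Security-Policy missing"
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when it is not set explicitly
    sources = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in sources:
        return "CSP allows inline scripts ('unsafe-inline')"
    return None


def rule_nosniff(resp):
    """Browsers must not MIME-sniff responses."""
    if (resp.header("X-Content-Type-Options") or "").lower() != "nosniff":
        return "X-Content-Type-Options is not 'nosniff'"
    return None


def rule_server_banner(resp):
    """The Server header must not disclose a software version."""
    value = resp.header("Server") or ""
    if re.search(r"\d+\.\d+", value):
        return f"Server header leaks a version: {value!r}"
    return None


def rule_cookies(resp):
    """Every cookie must carry the Secure and HttpOnly attributes."""
    findings = []
    for raw in resp.cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in raw.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"cookie {name!r} lacks {', '.join(missing)}")
    return "; ".join(findings) or None


BASELINE_RULES = [rule_hsts, rule_csp, rule_nosniff, rule_server_banner, rule_cookies]


def run_baseline(resp, rules=BASELINE_RULES):
    """Run every rule; an empty list means the gate passes."""
    return [finding for finding in (rule(resp) for rule in rules) if finding]


def ci_exit_code(findings):
    """0 lets the pipeline continue; 1 fails the build on any finding."""
    return 1 if findings else 0


# Constructed responses: one that meets the baseline and one that does not.
GOOD = Response(200, {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}, ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])

BAD = Response(200, {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Server": "Apache/2.4.29",
}, ["session=abc123; Path=/"])

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("bad", BAD)):
        findings = run_baseline(resp)
        print(f"{label}: exit code {ci_exit_code(findings)}")
        for finding in findings:
            print("  -", finding)
```

In a real pipeline the captured response would come from a staging deployment and the script's exit code would be wired into the stage's pass/fail status.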

Continuous Security Beyond Deployment

Continuous security does not stop once an application is deployed. Continuous monitoring and incident response processes should be incorporated as well. Automated monitoring and the ability to respond quickly to events are fundamental to achieving DevSecOps. Security is more important today than ever before. History shows that any security breach can be catastrophic for customers, end users and the organizations themselves. With more services going online and being hosted in the cloud or elsewhere, the threat landscape is growing at an exponential rate. More software inherently means more security flaws and more attack surface. Incorporating security into the daily workflow of engineering teams, and ensuring that vulnerabilities are fixed or mitigated well ahead of production, is critical to the success of any product and business today.

About the author: Jonathan Bregman is a Product Marketing Manager with Barracuda Networks focused on web application firewalls and DDoS prevention for customers. Prior to Barracuda, Jonathan was a research and development engineer with Google.

From the Medicine Cabinet to the Data Center – Snooping Is Still Snooping Fri, 03 Nov 2017 08:52:00 -0500

We've all done it in one form or another. You go to a friend's house for a party and you have to use the restroom. While you are there, you look behind the mirror or open the cabinet in hopes of finding out some detail -- something juicy -- about your friend. What exactly are you looking for? And why? Are you feeding into some insecurity? You don't really know, you just know you are compelled to look.

Turns out that same human reaction carries forward to your place of employment.

At One Identity we recently conducted a global survey that revealed a lot of eye-opening facts about people's snooping habits on their company's network. At a high level, the survey revealed that when given the opportunity to look through sensitive company data that employees may not be permitted to access, the instinct is to snoop. Before we get into specific results, here are the demographics:

  • We surveyed over 900 people from around the world.
  • Countries include the U.S., U.K., Germany, France, Australia, Singapore and Hong Kong.
  • Eighty-seven percent have privileged access to something within their place of employment.
  • They all have some level of security responsibility with varied titles ranging from executive to front-line security pros.
  • Twenty-eight percent are from large enterprises (>5,000 employees); 28 percent from mid-sized enterprises (2,000 to 5,000 employees); the remainder were from organizations with fewer than 2,000 employees.

Key Finding Number One: 92 percent of respondents stated that employees at their company attempt to access information that they do not need.

Think about that. Ninety-two percent of us are trying to access the information we don’t need to get our jobs done. Imagine if any employee at your company could access sensitive data like salary. That would. Now imagine employees obtained access to financial data, customer data or merger information -- and then shared it. The result could be catastrophic to your business.

Key Finding Number Two: 66 percent of the security professionals surveyed have tried to access the information they didn’t need.

Worse yet, these are security people who probably have some form of elevated privileges. This means not only are they attempting to access that information but, in many cases, they are actually obtaining access and ultimately abusing that privilege.

Key Finding Number Three: Executives are more likely to snoop than managers or front-line workers.

Interestingly, IT security executives are more likely to look for sensitive data not relevant to their job than any other job level. This is worrisome for many, since they tend to have greater access rights and permissions -- once again, indicating abuse of power.

The bottom line is that organizations should be alarmed by these findings. A common myth is that data is safe when it's on a company network and in the hands of its trusted employees -- it's the outsiders and hackers you have to look out for. While the latter is certainly true, the data shows that the majority of employees -- even those within the ranks of IT security groups -- are nosy when given the opportunity to be. Implementing best practices around identity and access management -- like role-based access rights and permissions, and applying identity analytics to spot any signs of unusual access behavior -- can help organizations keep sensitive data from falling into the wrong hands before it's too late.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

Healthcare Orgs in the Crosshairs: Ransomware Takes Aim Fri, 03 Nov 2017 04:57:00 -0500

Criminals are using ransomware to extort big money from organizations of all sizes in all industries. But healthcare organizations are especially attractive targets. Healthcare organizations are entrusted with the most personal, intimate information that people have – not just their financial data, but their very private health and treatment histories. Attackers perceive healthcare IT security to be the least effective and most outdated in comparison with other industries. They also know that healthcare organizations tend to have significant cash on hand and a high cost of downtime, and are therefore more likely to pay the ransom for encrypted data. If you fail to take the necessary steps to combat ransomware and other advanced malware and that trust is betrayed, the cost to your business could extend far beyond paying a ransom or a noncompliance fine. If your reputation for safeguarding patient data is damaged, you will be scrutinized under the microscope; in some cases, companies never recover and leadership is forced to resign.

Healthcare is making strides but isn’t there yet

There is good news. Healthcare organizations have made significant security improvements over the last year. According to the HIMSS 2017 Cybersecurity Survey, it is clear that IT security is treated as an urgent business challenge for leadership, rather than solely an IT problem. There is a marked increase in the employment of CIOs and Chief Information Security Officers (CISOs) among healthcare organizations, and security shortcomings are being addressed.

Nonetheless, there is still room for improvement and ransomware attacks continue to be a serious and growing challenge. Those who continue to commit vital resources to implementing effective security measures will emerge as winners and you will never hear of them in the media. Effectively combating ransomware requires a well-thought-out combination of technical and cultural measures.

Detection: discovering the weaknesses

Keeping your network free of ransomware and other advanced malware requires a combination of effective perimeter filtering, strategically designed network architecture, and the capability to detect and eliminate resident malware that may already be inside your network. It's an exercise in cleaning house, as your infrastructure likely contains a number of latent threats. Email inboxes are full of malicious attachments and links just waiting to be clicked on. Similarly, all applications, whether locally hosted or cloud-based, must be regularly scanned and patched for vulnerabilities. There should be a regular vulnerability management schedule for scanning and patching all network assets; this merely checks the box on basics, but it is extremely critical for thwarting threats. Building a solid foundation such as this is a fantastic start for effective ransomware detection and prevention.

Prevention: A non-negotiable requirement

There are some very effective security technologies that are a requirement in today's threat landscape in order to prevent ransomware and other attacks. Preventing threats from entering the network requires a modern firewall or email gateway solution to filter out the majority of threats. An effective solution should scan incoming traffic using signature matching, advanced heuristics, behavioral analysis, sandboxing, and the ability to correlate findings with real-time global threat intelligence. This ultimately spares employees from having to be perfectly trained to spot these sophisticated threats. It's recommended to control and segment network access to minimize the spread of threats that do get in. Ensure that patients and visitors can only spread malware within their own, limited domain, while also segmenting, for example, administration, caregivers, and technical staff, each with limited, specific access to online resources. Even against the most sophisticated methods like spear phishing, where attackers impersonate your coworker, there are now machine learning and artificial intelligence solutions that can spot and quarantine these threats before they ever reach an employee. The risk for healthcare organizations is immensely reduced when solutions such as these are deployed as part of an overall security posture. However, when data is encrypted and held for ransom, the fight isn't over yet.

Backup—Your Last, Best Defense Against Ransomware

When a ransomware attack succeeds, your critical files—HR, payroll, electronic health records, patient financial and insurance info, strategic planning documents, email records, etc.—are encrypted, and the only way to obtain the decryption key is to pay a ransom. But if you've been diligent about using an effective backup system, you can simply refuse to pay and restore your files from your most recent backup—your attackers will have to find someone else to rob. Automated, cloud-based backup services can provide the greatest security. Reputable vendors offer a variety of very simple and secure backup service options, priced for organizations of any size and requiring minimal staff time. Advanced solutions can even allow you to spin up a virtual copy of your servers in the cloud, restoring access to your critical files and applications within minutes of an attack or other disaster.

When all of these things are working simultaneously, healthcare organizations are well equipped to stop ransomware attacks effectively. Ransomware and other threats are not going away anytime soon, and healthcare will continue to be a target for attackers. The hope is that healthcare professionals continue to keep IT security top of mind.

About the author: Sanjay is a 20-year veteran in technology with a passion for cutting-edge technology and a desire to innovate at the intersection of technology trends. He currently leads product management, marketing and strategy for Barracuda's security business worldwide.

Thinking Outside the Suite: Adding Anti-Evasive Strategies to Endpoint Security Fri, 03 Nov 2017 01:52:29 -0500

Despite ever-increasing investments in information security, endpoints are still the most vulnerable part of an organization's technology infrastructure. In a 2016 report with Rapid7, IDC estimates that 70% of attacks start from the endpoint. Sophisticated ransomware exploded into a global epidemic this year, and other forms of malware exploits, including mobile malware and malvertising, are also on the rise.

The only logical conclusion is that existing approaches to endpoint security are not working. As a result, security teams are exposed to mounting, multifaceted challenges due to the ineffectiveness of their current anti-malware solutions, large numbers of security incidents requiring costly and intensive response, and added pressure from the board to undergo risky and expensive “rip and replace” endpoint security procedures.

Current endpoint security solutions employ varying approaches. Some restrict the actions that legitimate applications can take on a system, others aim to prevent malicious software from running, and some monitor activity for incident investigations. The challenge for most IT department heads is finding the right balance of solutions that will work for their particular business.

Endpoint Protection Platforms (EPP), usually offered by established endpoint security vendors, promote the benefits of packaging endpoint control, anti-malware, and detection and response all in one agent, managed from one console. While EPP suites can be useful and practical, it's important to understand their limitations. For starters, a "suite" does not always mean the products are integrated — you may end up with one vendor but multiple agents and management consoles. Second, no single vendor offers the best-in-breed or best-for-your-business options for all the component solutions. If you adopt the EPP approach, be aware that you will be making trade-offs of some sort. Finally, it is likely that even after going through the painful process of deploying a full endpoint protection suite, it will still fail to prevent many attacks.

All these solutions, whether installed separately or as a suite, produce alerts. Many work by finding attacks that have already “landed” to some degree. This means your team will be busy (if not overwhelmed) sorting through the alerts for priority threats, investigating incidents, and remediating any intrusions. This can lead to inefficiencies and escalating staffing requirements, which will quickly wipe out any cost savings you hoped would come from installing bundled solutions.

In the end, it is imperative to understand the strengths and weaknesses within each suite and evaluate whether a best-of-breed or “suite-plus” approach offers better protection for your investment — this is often the case. EPP implementation can help companies consolidate vendors in order to reduce administrative overhead and licensing costs. It may also help minimize complexity and reduce the impact on operations, end-users, and business agility. But none of this matters much if the shortcomings of the platform end up introducing unacceptable levels of risk, draining staff resources, or constraining productivity and agility.

For example, it’s important to recognize that accepting the low detection rates of your conventional antivirus solution also means accepting the high likelihood of a breach. That’s because there is one critical factor most platforms don’t adequately address: unknown malware that has been designed specifically to evade existing defenses. Innovative endpoint defense strategies have emerged that allow you to block evasive malware, regardless of whether there is a known signature, behavior pattern, or machine learning model. This is achieved through the creative use of deceptive tricks that control how the malware perceives its environment.

Endpoint defense solutions that can neutralize evasive malware use three primary strategies: creating a hostile environment, preventing injection through deception, and restricting document executable capabilities. All three strategies contain and disarm the malware before it ever unpacks or puts down roots.

To create a hostile environment, the malicious program is tricked into believing the environment is not safe for execution, resulting in the malware suspending or terminating its execution. To prevent malicious software from hiding in legitimate processes, the malware is deceived into registering that memory space is unavailable, so it never establishes a foothold on the device. To block malicious actions initiated by document files (via macros, PowerShell, and other scripts), the malware is tricked into registering that system resources like shell commands are not accessible.

These new strategies reduce risk without requiring increased overhead (nothing malicious is installed, so there is nothing to investigate) or replacement of existing solutions. Anti-evasion solutions work alongside installed AV solutions to provide an added layer of protection against sophisticated malware and ransomware. The threat intelligence they produce (identifying previously unknown malware exploits) enhances your overall security program. In addition, because incident responders have fewer alerts and incidents to sort through, they can focus their expertise on high-priority threats and on investigating attacks where the intruder has already gained access to the network.

Working smarter is key to managing the growing and ever-shifting challenges and responsibilities faced by security teams. Reducing workload and manual processes while reducing risk is a tough balancing act. Ongoing cyber security talent shortages combined with multiplying threat vectors make effective automated defenses a critical priority. Getting the most value out of your security budget and skilled experts requires neutralizing threats upfront, preventing as many attacks as possible, and developing automated threat management processes. It’s essential to cover gaps and shortcomings, augmenting existing endpoint security by layering on innovative, focused solutions. Given the recent surge of virulent, global malware and ransomware, anti-evasion defenses are a smart place to start.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva Labs, an endpoint security and anti-evasion technology solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.
