Why the GDPR is Important to Your Organization Mon, 14 Aug 2017 02:32:24 -0500 The General Data Protection Regulation (GDPR) officially goes into effect in May of 2018 and will have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with.

At the Information Security Forum (ISF), we consider this to be the biggest shake-up of global privacy law in decades, as it redefines the scope of EU data protection legislation, forcing organizations on a global scale to comply with its requirements. This includes US-based organizations. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a lack of awareness among key internal stakeholders. The GDPR will create several compliance requirements from which few organizations will completely escape.

However, organizations will benefit from the uniformity introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits as countries in other regions are dedicating more attention to the defense of mission-critical assets. The GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.

Understanding the Consequences of Non-Compliance

Most countries, including all EU nations, have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce and penalize the processing of personal data. In the US, a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.

Supervisory authorities are granted investigatory powers by the GDPR, allowing them to investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests. These complaints can be submitted to any supervisory authority, not just the supervisory authority with territorial responsibility.

If an organization is found to be infringing the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors; but also include far more substantial powers, which can compel an organization to process data in certain manners, or cease processing altogether, as well as force an organization to communicate data breaches to the affected data subjects.

Preparation Must Begin Now

No organization that operates with a global footprint of suppliers can afford not to prepare for the changes that will result from the new GDPR compliance rules. Falling out of compliance with data regulation can really hit you in the pocket. The checklist of rules requires extensive preparation and responsibility, all of which must be shouldered by organizations, which cannot look solely to government or regulators for help.

The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next year will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations. Because of the effort required to report data breaches, it is essential that organizations prepare in advance.

Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements. A Data Protection Officer (DPO) should be designated to act as a focal point for ongoing data protection activities. An organization’s governance functions, including information security, legal, records management and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes and technical solutions in place to achieve compliance.

With reform on the horizon, organizations planning, or already doing business in Europe, should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how is it being stored, who is responsible for it and who has access to it.

In theory, an organization should have completed its GDPR preparations well before next May in order to gain assurance from, and provide assurance to, third parties’ requests. This will require resources with the expertise and time to issue and process those requests. Data protection, legal and information security teams should plan for this task so that they are not overwhelmed with requests closer to the enforcement deadline.

Copyright 2010 Respective Author at Infosec Island
NIST Offering Much Needed Guidance for Neglected SMBs Fri, 11 Aug 2017 11:19:00 -0500 It’s refreshing to see that SMB cybersecurity is getting noticeably more attention on a national level in the United States. Awareness of the risks is growing, and with Congress and organizations such as the National Institute of Standards and Technology (NIST) publicly playing a larger role in the public discussion, we’re on our way to making some notable inroads.

After all, small to medium-sized businesses account for over 46 percent of the entire output of the private sector in the United States, and therefore they are a vital cog in our overall economic engine. SMBs are responsible for creating 63 percent of all new jobs, yet they have been largely overlooked in the cybersecurity arena as fast-growing threats and opportunities for disruption emerge.

According to NIST researchers, in a recent interagency report (PDF) titled, “Small Business Information Security: The Fundamentals,” while many companies are investing heavily in people, processes, and technology to boost their security posture, “small businesses typically don’t have the resources to invest in information security the way that larger businesses can and so criminals view them as soft targets.”

Usually motivated by profit, most cybercriminals can actually be viewed as small business owners themselves (albeit illegal ones), who like legitimate business owners try to squeeze as much revenue from as few resources as possible. The financial and manpower costs to breach a Fortune 500 company are usually much greater than the few dollars they might spend to compromise a local dry-cleaning chain, and owners must be able to identify and protect themselves from their unique risks.

While attacks are a mix of both random and targeted efforts, there are certain characteristics that serve as “common denominators” for attacks against SMBs. According to research presented at BlackHat 2017, cybercriminals generally target SMBs because of weaknesses in either people, processes or technology. Any business that requires its employees to have regular access to desktops, laptops, and company email is a more susceptible and enticing target for cyberattacks. A surprisingly high number of systems are still outdated and unpatched, and therefore highly vulnerable.

Another way to gain the unwanted attention of hackers is to host online customer service portals or other website resources that store customer or company information – and then fail to protect the website properly. SMB owners or IT administrators should understand the risks and the best practices that are associated with them. Those who don’t think about enforcing proper policies and training initiatives are also inviting trouble, as this makes a hacker’s task akin to taking candy from a baby. Hence the welcome heightened discussion at the federal level.

The NIST framework provides the much-needed guidance that organizations of any size can use to identify their major risks in cyberspace, assess their vulnerabilities in people, processes, or technology, improve their ability to prioritize and invest smartly in cyber resources, and demonstrate their good faith efforts to manage risks and safeguard themselves and their customers (which can be crucial to regaining customer trust after a breach).

Having strong people and processes can be just as important to securing information as the technological component, and therefore establishing intelligent policies and proactively seeking guidance can make the difference between an SMB falling victim or successfully mitigating risk.

About the author: Avi Bartov is co-founder of GamaSec, a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.

What Is Hypervisor-based Security and Why Is It Important in Stopping Zero-Day Exploits? Fri, 11 Aug 2017 08:40:00 -0500 Recent studies show that it takes a company an average of five months to discover a data breach, and 53 percent of these incidents are detected only after an external audit. This is concerning in the face of the current cyber security landscape, where endpoint security is offered with varying degrees of success and data center security is largely uncharted territory. As the complexity of attacks against data centers rises exponentially, product development for an effective data center security solution is moving too slowly to meet the demands of enterprises struggling to defend against the onslaught of new threats.

Why don’t enterprise security solutions pick up more threats?

One thing common to all vulnerabilities, both known and unknown, is memory exploitation. Traditional endpoint security solutions are very good at identifying file-based malware and monitoring the operating systems (OS) from within the network. However, because all in-guest security solutions rely on information from the OS, advanced threats can cloak infiltration through zero-day vulnerabilities and file-less attacks. In these cases, the attacks instruct the OS to “lie” to the endpoint security solution so that it cannot identify the suspicious activity.

How do you catch something you can’t see?

Fortunately, even though cyber-attacks have rapidly evolved, the framework of enterprise IT infrastructure has also transformed completely, enabling it to better protect against threat vectors. The hypervisor now sits as an intermediary between virtualized endpoints and physical hardware. This provides the brand-new opportunity of delivering security through the hypervisor layer.

The hypervisor, mainly a tool for performance, has an untapped security potential. The hypervisor sees clean, unaltered information about the memory being used by each virtual machine, and it is completely isolated from them. It can detect and prevent advanced attacks by offering real-time detection at the hypervisor layer.

By leveraging the hypervisor to tap directly into raw memory, hypervisor-level security solutions can secure workloads from outside the operating system. Memory pages are marked as read-write only; when the VM attempts to execute such a page as a result of an attack, the hypervisor stops the operation and notifies the engine in the security appliance.

How do hypervisor-security solutions “see” processes in memory?

Hypervisor-level security systems protect against malicious techniques and most importantly isolate the security virtual appliance from guest VMs that may be housing malware. This means rootkits can’t hide from the security appliance or interfere with its operation. With full access to guest memory, the solution can see what’s truly going on.

Traditionally, when trying to detect an attack, endpoint detection technologies look for who tries to initiate the attack (signature-based), or for signs of malicious behavior, or what an attack looks like. However, hypervisor-level security provides insight to what attacks look like at a memory level. Even if everything looks normal within the OS, malware inevitably leaves certain traces in the memory space.

Utilizing the hypervisor for security measures is a crucial paradigm shift, as the number of techniques for utilizing exploits remains very small, and all center on misusing memory to have malicious code executed. Hypervisor-level security solutions can identify common exploitation techniques (e.g. code injection, function detouring, API hooking), without knowing beforehand the actual vulnerabilities the attackers use.

Placing security measures outside the operating system (or in this case, guest machines), security solutions gain unparalleled visibility into advanced threats while being isolated from them. This means enterprises of all sizes can reduce blind spots in endpoint security solutions, fortifying infrastructures against cyber-attacks.

About the author: Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild Trojan horses.

SAP Cyber Threat Intelligence Report – August 2017 Fri, 11 Aug 2017 05:41:00 -0500 The SAP threat landscape is constantly growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • This set of SAP Security Notes consists of 19 patches with the majority of them rated medium.
  • One of the vulnerabilities closed this month affects the Adobe Flex software development kit, so every custom application written with the help of the library is susceptible to the XSS vulnerability.
  • The most common vulnerability type is XSS. Cross-Site Scripting remains the most widespread security loophole in SAP applications, with 20% of the released Notes addressing this type of issue.
  • Vulnerabilities in the SAP Customer Relationship Management module deserve attention. The number of SAP Security Notes for this module totals 393. This month, 3 Notes belong to this area, including an SQL Injection which allows stealing sensitive customer data.

SAP Security Notes – August 2017

SAP has released the monthly critical patch update for August 2017. This patch update includes 19 SAP Security Notes (16 SAP Security Patch Day Notes and 3 Support Package Notes).

1 of the Notes was released after the second Tuesday of the previous month and before the second Tuesday of this month.

3 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.7.


The most common vulnerability type is XSS.

Issues that were patched with the help of ERPScan

This month, several critical vulnerabilities identified by ERPScan’s researchers Vahagn Vardanyan and Vlad Egorov were closed by 4 SAP Security Notes.

Below are the details of the SAP vulnerabilities, which were identified by ERPScan team.

  • An SQL Injection vulnerability in SAP CRM WebClient User Interface (CVSS Base Score: 6.3). Update is available in SAP Security Note 2450979. An attacker can use an SQL injection vulnerability with the help of specially crafted SQL queries. He or she can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable.
  • Multiple vulnerabilities (Cross-site scripting and Information disclosure) in SAP SRM Live Auction Application (CVSS Base Score: 6.1). Update is available in SAP Security Note 2493099. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modification of displayed content. Moreover, an attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which will help to learn about a system and to plan further attacks.
  • A Cross-site scripting vulnerability in SAP CRM IPC Pricing (CVSS Base Score: 6.1). Update is available in SAP Security Note 2481262. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modification of displayed content.
  • An Open redirect vulnerability in SAP NetWeaver Logon Application (CVSS Base Score: 4.3). Update is available in SAP Security Note 2423540. An attacker can use an Open redirect vulnerability to redirect a user to phishing or malicious sites without his or her knowledge. The vulnerability occurs because an application takes a parameter and redirects a user to the parameter value without any validation.
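
The open redirect item above describes the root cause: the redirect parameter is used without validation. The following is an added example, not code from the report or from SAP, showing the unvalidated pattern next to a hardened check that only follows local paths or absolute URLs whose parsed hostname is on an allow-list. The allow-list hosts, the default landing page and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed allow-list for the example).
ALLOWED_HOSTS = {"portal.example.com", "sso.example.com"}
DEFAULT_TARGET = "/home"


def redirect_unvalidated(target: str) -> str:
    """The pattern the advisory describes: the parameter value is used as-is."""
    return target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a rooted local path or an absolute URL on an allow-listed host."""
    if not target:
        return False
    # Control characters and backslashes are rejected outright: browsers treat
    # "\" as "/" and would turn "/\evil.example" into a protocol-relative URL.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    # Only web schemes may be followed; this blocks javascript:, data:, file: ...
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: compare the parsed hostname, which
        # drops userinfo ("portal.example.com@evil.example") and any port.
        return (parts.hostname or "").lower() in allowed_hosts
    # No host present: must be a rooted local path, and not "//" (protocol-relative).
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target: str) -> str:
    """Return the location to send the browser to, falling back to a fixed page."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/account", "https://portal.example.com/x",
                      "//evil.example/x", "https://portal.example.com@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:50} -> {resolve_redirect(candidate)}")
```

The check compares the hostname that `urlsplit` extracts rather than doing a substring match on the raw string, which is what defeats the userinfo and port tricks; a relative path is accepted only when it starts with exactly one slash.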

Focus on vulnerabilities in SAP CRM

Customer Relationship Management (CRM) is among the most widespread and important business applications. Moreover, enterprises consider this software the most critical in terms of business processes – according to the ERP Cybersecurity Survey 2017, 55% of respondents find CRM the most critical asset. It comes as no surprise, taking into account that this module stores and processes essential business data – from lists of customers to pricing information.


Unfortunately, this application also contains numerous security drawbacks: a total of 393 SAP Security Notes fix different vulnerabilities in SAP CRM. This month, 3 SAP Notes belong to the SAP CRM application area.

Nonetheless, it is not the number of issues but their criticality and, more importantly, their business impact that play a significant role in terms of the enterprise cybersecurity posture. For example, an SQL Injection vulnerability in SAP CRM WebClient User Interface (SAP Security Note 2450979) identified by ERPScan allows a remote attacker to conduct corporate espionage by sending a special request and stealing all the customer data, such as customer datasets, pricing, sales, or prospective bids.

About XSS Vulnerability in third-party library

In the time gap between SAP Security Patch Day for July and August, the vendor released SAP Security Note 2393021. Some in-house written SAP applications may be vulnerable to XSS if developers are still using an unpatched Adobe Flex Software Development Kit. The advisory states that SAP also “consumed the same SDK in our framework”, meaning SAP’s Web Dynpro Flex. In general, applications written using old versions of the Adobe Flex SDK and Web Dynpro Flex are susceptible to the Cross-Site Scripting vulnerability.

The issue was first identified in 2011 and the appropriate patch was released in March 2012. The vulnerability (CVE-2011-2461) allowed remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

As the issue affects a library, simply applying the fix would not be enough to get rid of the vulnerability. Applications which were written with the vulnerable libraries should be rebuilt using the patched version of SDK.

XSS is the most widespread vulnerability affecting SAP applications (see the statistics below). SAP Cyber Security in Figures revealed that 20% of vulnerabilities belong to this type. This set of patches is not an exception: 5 of the closed issues are XSS, including 2 identified by ERPScan’s researchers.

Other critical issues closed by SAP Security Notes August

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2486657: SAP NetWeaver AS Java Web Container has a Directory Traversal vulnerability (CVSS Base Score: 7.7). An attacker can use a Directory traversal vulnerability to access arbitrary files and directories located on an SAP server’s filesystem, including application source code, configuration and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2376081: SAP Visual Composer 04s iviews has a Code Injection vulnerability (CVSS Base Score: 7.4). Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2381071: SAP BusinessObjects has a Cross-Site AJAX Requests vulnerability (CVSS Base Score: 7.3). An attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters. A function will be executed with the authenticated user’s rights. An attacker may use a cross-site scripting vulnerability to do so, or they can present a specially crafted link to a victim. Install this SAP Security Note to prevent the risks.
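
The directory traversal item in the list above (Note 2486657) is the class of bug where a request path is mapped onto the filesystem without confirming that the result stays under the document root. The following is an added example, not code from the report, from SAP or from ERPScan: a path-mapping check that canonicalises the requested path and refuses anything that escapes the root, plus a detector that runs the same check over a few constructed access-log lines to flag traversal attempts. The document root, the log lines and the function names are assumptions made for the example; nothing is read from disk.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root; paths are only resolved, never opened.
WEB_ROOT = "/srv/webroot"


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Map a request path onto the filesystem, or return None if it escapes root.

    The request is percent-decoded once (a server decodes before mapping), then
    joined to the root and canonicalised; anything that ends up outside the root
    after '..' and symlink resolution is refused.
    """
    decoded = unquote(requested)
    # NUL bytes and backslashes have no business in a request path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root_path = Path(root).resolve()
    # A leading "/" would make Path discard the root entirely, so strip it.
    candidate = (root_path / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return candidate


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [11/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Aug/2017:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [11/Aug/2017:10:00:03 +0000] "GET /static/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.7 - - [11/Aug/2017:10:00:04 +0000] "GET /docs/readme..txt HTTP/1.1" 200 100',
]

# client, ident, user, [timestamp], "METHOD path ..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) ')


def find_traversal_attempts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, path) for every request whose path would escape WEB_ROOT."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, path = match.group(1), match.group(2)
        if resolve_under_root(WEB_ROOT, path) is None:
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for client, path in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {client}: {path}")
```

Two design points: the decode happens exactly once, so a double-encoded `%252e%252e` decodes to the literal component `%2e%2e` and is treated as a plain (harmless) filename; and the decision is made on the canonical path rather than by grepping for `../`, which is why `readme..txt` is not a false positive while the percent-encoded `..%2f` sequence is still caught.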

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Evasive Malware on the Rise: Time to Stop Stealth Attacks in their Tracks Fri, 11 Aug 2017 02:39:46 -0500 Imagine discovering that the locks and alarms on the doors and windows of your home only worked sometimes, in unpredictable fashion. How would you keep thieves away from your valuables and protect your family members? Would you camp out in the front room keeping watch night after night? You’d have to find a way to outwit would-be intruders. Wouldn’t it be nice if you could trick them with an illusion that made your house look completely empty or full of hungry Rottweilers?

This made-up scenario is all too real in cyberspace. Information security solutions dependent on previously identified signatures, behaviors, or patterns simply do not stop every attack. As hackers increasingly employ stealthy evasive malware and ransomware techniques, organizations are recognizing they need an efficient and reliable way to beat the creepers at their own game. Businesses that don’t address evasive malware and ransomware head-on are in for a rude awakening. Cisco’s Midyear Cybersecurity Report confirms that malware developers are evolving and shifting their techniques with increasing skill and speed, even commoditizing their guerrilla weapons into ransomware-as-a-service platforms.

In a recent rash of attacks (150 organizations in 40 countries), fileless malware was used to access bank networks and install additional malware on ATMs that causes them to dispense cash at the touch of a button. It’s important to understand how these evasive exploits work. Malware authors aim to breach endpoints on their way to more extensive infiltration of systems and networks, often scraping credentials, installing spyware, or establishing the ability to remotely execute commands. In order to carry out such schemes, malware is designed to stay undetected for as long as possible. Malware is built to employ various ways of bypassing existing defenses, including checking the endpoint environment for AV, firewalls, gateways, debuggers, and sandboxes before launching exploit mechanisms.

The most devious malware authors go out of their way to package their malware so that it can’t be fingerprinted: they know that once pinpointed, the unique identifiers will be incorporated into AV updates. These fileless attacks leverage known vulnerabilities (browsers, Java, Flash, etc.) and phishing campaigns to gain entry, run code in the target computer’s memory, and continue to infiltrate by launching script interpreters like PowerShell. Malware that manipulates existing Windows programs in this way is able to trick AV, as it is difficult to distinguish between legitimate macros and malicious document files. Similarly, if malware unpacks its code into a non-malicious process, AV has a hard time preventing the resulting attack. Sophisticated attackers are even using open-source penetration testing tools to inject code into (or scrape data from) system memory.

Fileless, evasive malware is shaping up to be the exploit of the future, at least until something more potent and insidious comes along. Businesses must move quickly to supplement their endpoint protection solutions that depend on previously identified patterns and signatures. Patching and updating remain essential, but realistically, these practices are chronically neglected and incomplete. Disabling macros, limiting access privileges, whitelisting applications, segmenting networks and blocking unnecessary protocols will eliminate many of the entry points and hiding places malware authors rely on, but only until they learn new tricks. Often, these measures are not practical or have an unacceptable impact on productivity. Training employees to detect phishing scams and setting email filters to thwart BEC (business email compromise) attacks is important, but not sufficiently reliable or comprehensive. Monitoring device and Windows logs is a good way to detect unauthorized services and processes, but most organizations are already struggling to keep up with alerts and incident reviews.

While the technology does not yet exist to fool thieves into thinking you have an empty house or a pack of vicious guard dogs, businesses seeking to outmaneuver stealthy malware do have some tricks at their disposal. Prevention-oriented solutions use the attackers’ evasive strengths against them, by purposefully deceiving the malware as it tests its target environment. By simulating a forensic environment that the malware identifies as inaccessible or not exploitable, these methods trigger the malware to disarm before it unpacks or does any damage. These simulation methods deceive the malware regarding its ability to interact with other processes, thereby preventing its access to memory and sensitive data. This approach is effective against a variety of memory injection techniques, which is essential to defending against the spread of fileless malware.

Creating this “virtual reality” on endpoints enables malware vaccination, contains threats designed to bypass existing security solutions, and works even on previously unseen and rapidly shape-shifting mechanisms. As the cyber wars escalate, it is painfully clear that fighting exploits tit-for-tat is an unsustainable battle plan. Cyber crime is too organized, advanced, and profitable — and the digital systems modern commerce and society rely on are too vast and interwoven. We need to develop and implement creative solutions that are broadly effective at turning “easy target” endpoints into dead ends for hackers and their tricks.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

Enterprises: Can You Handle 3,680 Phishing Emails per Week? Tue, 08 Aug 2017 04:52:12 -0500 Given its essential role in the business world, it is no surprise that the adoption rate of email security technology is nearly 100%. However, despite this near-universal investment, breaches are still occurring at increasing rates. Targeted phishing has become the single most effective attack type in the world today, and attackers’ emphasis on social engineering tactics make the protection of cloud communication platforms a critical component of any cybersecurity strategy.

An FBI Public Safety Announcement issued on May 4, 2017 outlines the scope of the problem:

“The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 103 countries.”

However, communications security at scale is complicated by hybridized cloud adoption and the integration of customized workloads with public SaaS communication platforms — Microsoft Office 365 and Google Apps (now G Suite) dominate this space in the email channel.

Legacy security vendors, historically focused on on-premise technology and point solutions for email, have struggled to adapt to these newer platforms. Single-point-in-time reports to block threats at the perimeter through the use of a Secure Email Gateway are clearly insufficient, and provide no visibility, control, or protection against messages that have bypassed the SEG. In order to successfully protect the organization against highly targeted social engineering attacks, IT and Security teams must gain post-delivery visibility into, and control over, messages that have already landed in employee inboxes.

Technology, however, isn’t the only factor to blame for why we keep getting owned; it’s also a resource issue. Enterprise IT and information security teams almost always find themselves pushing against resource limitations in the face of unending attacks and increasingly sophisticated criminals — but a deficit of qualified workers often referred to as the “cybersecurity skills gap” leaves many organizations unable to find and hire the people they need in a timely fashion (if at all).

This shortage of qualified professionals leads to a critical lack of visibility. Attackers often compromise an organization in just minutes and exfiltrate data in a matter of days; increasingly, organizations don’t know that they’ve been breached until they’re notified by a third party. Security teams must spend their time understanding and preventing threats categorically, rather than being buried in the noise of day-to-day alerts. As information security and IT roles shift to become more analytical, the ability to narrow the time between incident and remediation is key to preventing a major financial or data loss event.

We analyzed information from our proprietary data cloud and found some startling facts that underscore the challenge enterprise IT and security teams face when protecting themselves from cyber criminals. Our researchers found that enterprises today face more than 3,680 potential phishing emails per week. This number indicates that cybercriminals are not only raising the level of personalization to entice employees to click, but also taxing enterprise systems through the volume of their attacks.

Let’s take things a step further to truly understand the administrative burden cybercriminals are placing on organizations. Experience tells us that it takes security admins an average of 5 minutes to analyze a single email and determine if it is a threat. Multiply this figure by 3,680 potentially dangerous emails and you find that enterprise security and IT teams would need to devote over 305 hours per week to properly review and remediate this amount of email.

The only way to keep up with this volume of work is to implement automation within the corporate cybersecurity strategy. Automation reduces the workload on IT and Security teams by programmatically identifying and addressing threats based on preset policies. Leveraging machine learning and automation can increase visibility of threats, reduce time to detect and respond to threats and also identify patterns that humans may miss.

What’s clear is that cybercriminals are stepping up not only the customization of their attacks, but also their volume. The cybersecurity skills gap has left many companies vulnerable and hackers are eager to exploit those weaknesses. As the number of Business Email Compromise scams continues to grow, understanding whether a specific message is an attack requires fully integrated threat intelligence, with significant amounts of data, to identify threat patterns and help inform incident response actions.

About the author: Kevin O’Brien is the CEO of GreatHorn. With over 20 years of experience in the cybersecurity industry, he has an extensive background in information security and data privacy.

Copyright 2010 Respective Author at Infosec Island
Is Your Data at Risk Due to Third-Party Cloud Applications?
Wed, 02 Aug 2017 06:43:00 -0500

In May of 2017, it was discovered that an exposed data repository, an AWS S3 bucket, had allowed semipublic access to the details of at least 2.2 million customers of Dow Jones & Company. The mistake was a simple one: the bucket's permission settings were set up incorrectly, allowing anyone with a free Amazon AWS account to access the content.

This leak highlights the ease with which a simple mistake in one security setting can jeopardize the personal information of your customers. The costs of such carelessness are regulatory fines, a damaged reputation and a possible lawsuit.
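The misconfiguration behind this kind of leak is a bucket ACL or bucket policy that grants access to every AWS account holder or to everyone. As an added example that is not part of the original article, the check below inspects an ACL and a policy in the shape boto3's get_bucket_acl() and get_bucket_policy() return them (constructed samples here, no AWS calls) and flags such grants.

```python
"""Flag S3 bucket grants that open a bucket to anyone or to any AWS account.

Added example, not from the original article. The ACL dicts and policy JSON
below are constructed samples shaped like the responses of boto3's
s3.get_bucket_acl() and s3.get_bucket_policy(); nothing here talks to AWS.
"""
import json

# Canned-ACL group URIs defined by S3. AllUsers is anonymous access;
# AuthenticatedUsers is *any* AWS account, not only accounts you control,
# which is the "anyone with a free AWS account" situation described above.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
RISKY_GROUPS = {ALL_USERS: "anonymous users", AUTHENTICATED_USERS: "any AWS account"}


def risky_acl_grants(acl):
    """Return (who, permission) for each ACL grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def risky_policy_statements(policy_json):
    """Return Sids of Allow statements open to every principal with no Condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Combine ACL and policy findings into one list of readable issues."""
    issues = [f"{name}: ACL grants {perm} to {who}"
              for who, perm in risky_acl_grants(acl)]
    if policy_json:
        issues += [f"{name}: policy statement {sid} allows any principal"
                   for sid in risky_policy_statements(policy_json)]
    return issues


# Constructed samples: one bucket with a READ grant to every authenticated AWS
# user plus a public-read policy, and one bucket that is correctly private.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_ACL_LEAKY = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_ACL_PRIVATE = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}
SAMPLE_POLICY_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for issue in audit_bucket("example-bucket", SAMPLE_ACL_LEAKY, SAMPLE_POLICY_OPEN):
        print(issue)
    print("private-bucket:", audit_bucket("private-bucket", SAMPLE_ACL_PRIVATE) or "no issues")
```

Bucket-level grants are only half the picture: object ACLs can be public even when the bucket ACL is clean, so a real audit walks objects too.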

You may not think that it could happen under your watch – but how much of your data security is really under your control?

Do You Know Where Your Data Is Stored?

It’s likely that your business is using tens, or potentially hundreds, of third-party SaaS applications to do everything from managing prospects and clients to handling accounts. These applications save your business time and money – but they also put your data in the hands of someone else.

Most of these applications store their data in the cloud, much of it in the same type of data repository as the leaked Dow Jones data. What guarantee do you have that your data hasn’t been left unencrypted and accidentally made public?

Your Biggest Data Security Mistake

When most businesses hand over data to a third party, they do so under the mistaken belief that this company now has responsibility for securing that data, barely giving data security a second thought once the application is in use.

Although third parties should and do provide security, the overall responsibility for protecting the data is still yours. If the data gets leaked, it is you and your team who will be held accountable by your shareholders and customers, not the third party.

Even if the third party is contractually obliged to cover the costs of any data security problems, you must still retain oversight.

You Need A Complete Overview of the Data Chain of Custody

You rarely have detailed insight into how third parties are handling data, which means there are a lot of unanswered questions:

  • What security policies do they have in place?
  • Where is your data stored?
  • Do they regularly use contractors? What access do they have to your data?
  • Which other third-party services do they rely on – could any other businesses access your data?

The problem with getting this information is twofold. First, third parties are only likely to reveal the amount of security information required contractually, which may leave out critical details. Second, with most businesses using many third parties, the job of tracking them becomes time-consuming and expensive.

Implementing a Third-Party Risk Program

Manually tracking the security policies that your third parties use is impractical, if not impossible. A platform that enables businesses to access up-to-date risk assessments for a diverse range of third-party organizations is needed.

By outsourcing and automating your third-party risk assessments, you benefit from a considerable increase in efficiency and a corresponding reduction in cost and complexity. This allows you to easily assess and reduce your exposure to risk, helping you decide which third parties to deal with and which to reject.

The time-and-cost savings a robust third-party cyber risk management plan provides allows you to invest more resources into your own security, further reducing your risk.

About the author: As Head of Business Development, Scott Schneider is responsible for implementing CyberGRX’s go-to-market and growth strategy. Previous to CyberGRX, Schneider led sales & marketing at SecurityScorecard, Lookingglass, iSIGHT Partners and iDefense, now a unit of VeriSign.

How to Choose the Right Data Protection Strategy
Wed, 02 Aug 2017 04:41:00 -0500

The public cloud is an easy way to store a large volume of data, which makes it an ideal backup and data protection fit for most organizations. In fact, a leading analyst firm predicts that 62 percent of organizations will deploy applications and services to the public cloud by the end of 2017, many of which will be focused on data storage and protection.

However, disk-based data center storage options can be an inexpensive and convenient solution as well. While the value of data protection is clear, the clarity on the choices available to enterprises isn’t. Here’s a deep dive on data protection solutions and how they fit unique needs:

1. On-Premises (Private Cloud)

With data protection hosted on-premises in a pure private cloud, you operate a secondary data center for the express purpose of backing up business data.

Pros: You own it, you control it, and you can configure it and upgrade it however you want. If you are handling extremely sensitive data, this may be a compelling alternative, but make no mistake, any machine that accepts connections from the outside world is vulnerable.

Cons: Unfortunately, there are many cons with using on-premises storage for data protection. First, hardware constraints limit storage space and computing availability. Second, data is hosted in one location, so power outages or hardware failures can cripple business and result in lost data. Finally, compliance and security have become increasingly important in the new regulatory and threat landscapes. Consistently maintaining the security patching and upgrade schedules necessary to address constant vulnerabilities takes dedicated resources.

2. Cloud Gateway (Hybrid Cloud)

A cloud gateway is a hardware- or software-based appliance that links on-site systems with cloud storage solutions. It provides the basic translation and connectivity required to access incompatible systems, allowing data to be backed up to the cloud.

Pros: With backup data stored in a remote location, this option relieves the fear that you could lose data if any of your on-premises hardware fails. In addition, you’re not responsible for the maintenance and upgrading of remote hardware, only the appliance that lives within your data center.

Cons: All data going to the cloud and coming from it has to hit the appliance, and you need an appliance for every site. In this model the cloud is treated as if it were a tape drive, which can drive up cloud storage costs due to inefficient storage.

3. Hosted Solution (Cloud Co-lo)

With this model, you buy or license an application and storage, which is then hosted in the vendor’s remote location or in a cloud platform that you control.

Pros: With a hosted appliance or software solution, you have the familiarity that comes with understanding your own environment, reducing the learning curve for administrators and IT staff. This model also places increased responsibility on the hosting vendor to ensure that power outages and other disasters do not become a factor.

Cons: The hosted solution isn’t natively architected to take advantage of the scalability and flexibility of a public cloud environment. Solutions like these can be both expensive to build and expensive to manage, because you’re on the hook for storage costs and could also be exposed to cloud providers’ fees for other compute and networking resources. As with the on-premises model, you’re responsible for ensuring that you have the computing power to run applications and the headroom to account for any spikes in demand or growth.

Any model that 'loses connectivity' makes the service unavailable. The main issue with hosted solutions has to do with capacity allocation -- it isn’t dynamic. As such, it incurs all the overhead of a traditional on-premises system, including the downtime needed to expand the system. As well, hosted services are typically single-tenant instead of multi-tenant, which means that the operating vendor has to update or patch each individual instance -- which means a greater chance of error and more complexity in rollback. Lastly, vendors who operate hosted environments typically have access to them, meaning data security and access to service connections are a real concern.

4. Cloud-Native (SaaS)

A true cloud-native SaaS data protection solution is designed from the ground up to take advantage of the public cloud, including global deduplication, auto-tiered and dynamically allocatable storage, uptime guarantees and flexible computing availability.

Pros: This final service option, built natively for existing public cloud service providers (e.g., AWS), creates a well-integrated offering from the start. When more or less capacity is needed, the cloud scales up and down to meet the changing demands of business without complex, cumbersome and costly hardware and software procurement cycles or service interruption. And, because it does not require a translation layer between older deployments and a cloud-like gateway appliance, it eliminates bottlenecks, boosting performance and uptime.

With a pure cloud-native SaaS solution, there is no need for additional resources to maintain adherence to regulatory requirements or to perform the constant maintenance required to combat security threats. Instead, all of this burden shifts to the SaaS vendor.

Most importantly, the predictable subscription cost structure removes complex expenses of other models. Instead, it uses a simple model where you only pay for what you need.

Cons: The biggest concern would be losing Internet connectivity, which would render you temporarily unable to access applications. But, with so much of today’s business conducted online, the impact of this on your overall operation would be minor. Most other concerns, such as the failure of an entire electricity grid (for example), are easily addressed by leveraging multiple availability zones.

The Big Takeaway

Any solution that involves leveraging your hardware will come with the same constraints that you find when operating your own data center. In addition, hybrid or hosted solutions fall short of delivering the full benefits that the cloud can provide. As the public cloud matures and becomes an ever brighter fixture in the IT firmament, companies would be wise to consider the significant advantages of a cloud-native SaaS solution.

About the author: Dave Packer is VP, Product and Alliance Marketing, Druva. He has more than 20 years of experience influencing products in the enterprise technology space, primarily focused on information management and governance. At Druva, Dave heads Corporate and Product Marketing, which serves an integral role leading product definition and direction.

Understanding Hacker Mindset Key for Website Security, Business Resilience
Tue, 01 Aug 2017 08:24:00 -0500

Sadly, many SMB owners fail to learn the lessons of cybersecurity preparedness despite being bombarded with messages from the media and fellow entrepreneur victims. With small IT departments and little to no money budgeted for security, many small businesses mistakenly believe that hackers only target websites belonging to the “big boys.”

The balance of power in the cyber realm is constantly shifting in a virtual cat and mouse game; with hackers exploiting hardware and software while researchers constantly race to discover ways to “patch” or close these same vulnerabilities. No matter how high we build our “palace walls” in cybersecurity, hackers are constantly finding new ways to circumvent them. As with most things in the security realm, the best defense usually boils down to having good offensive capabilities and planning.

The vast majority of cyberattacks are entirely unpredictable and often based on mostly random circumstances – like the model of computer or version of software that we currently use. Sophisticated scanning tools are readily available on the dark web and in hacker forums that give anyone the capability to quickly scour the internet for signs of vulnerability, and then home in on it like a laser. Enterprises must begin to prioritize their data based on its value to hackers. Once you identify your most valuable assets, you are able to implement a coherent, layered protection framework.

The prevailing attitude among many business owners who don’t have a security background is that a website attack “won’t likely happen to me!” Once we embrace the notion that our systems have likely already been or will be penetrated, then we can take proactive steps that are perhaps outside our conventional thinking – which is a crucial step for each of us to understand the “new normal” conditions that advanced threats present today. Reaching this conclusion is not an admission of failure, but rather an acknowledgement of how much has changed in the world around us.

Part of this new reality is that hackers, usually working alone or in loose collaborations, are nimble and able to act much more rapidly than their cyber-adversaries, the enterprise security groups – which usually rely on a reactive “monitor, detect, respond” strategy. Security teams are often crippled by an overreliance on complex technology to watch and warn us (resulting in a lengthy time before detection). We must instead embed in our minds what “normal” activity looks like, and be ready to quickly implement pre-approved actions that allow teams to respond immediately to a potential website attack.

The traditional perimeter solutions that we have relied upon for years are losing their effectiveness as hackers place more value on opportunity than they ever have previously. Websites can be a very appealing target, rich with information that even the SMB owner may not know is there. Waiting until the alarms go off is much too late to start getting serious about the security of our brands, companies, and institutions – regardless of your company’s size. But organizations can develop a proactive approach by keeping the data we must protect at the heart of our security operations and having an honest conversation about our own capabilities for handling all of the fallout normally associated with a website attack and a resulting data breach (reputation, customer loyalty, legal, public relations, etc.).

The sooner that we swallow this bitter truth and employ new thinking, the quicker we can recover after a breach that can often be devastating.

About the author: Avi Bartov is co-founder of GamaSec, a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.

Why We Must Work Together to Support Our Cyber Start-ups
Tue, 01 Aug 2017 06:16:00 -0500

It’s no secret that life is tough for a start-up company, and although figures on survival rates have varied over the years, some research has suggested that as many as 90 per cent of start-ups are destined to fail. More recently, research from SME advisors Ormsby Street reported four in ten UK SMEs don’t make it beyond their fifth year.

Having a steady supply of new businesses is essential for our economy, especially for the technology sector, which is both increasingly important to the UK’s GDP and particularly reliant on innovation and new ideas. When it comes to cyber security start-ups, however, we go beyond the creation of new services and the support of the economy, and into the realm of protecting the UK itself from attack.

Unlike any other industry, we also cannot rely on importing technology and services from abroad when it comes to national security. It is vital we have our own homegrown cyber security specialists to provide the UK’s defence capabilities.

It’s easy to fall into hyperbole when discussing cyber threats, but the facts speak for themselves. As recently stated by UK Chancellor Phillip Hammond, UK security services detected 188 high level cyber attacks in just three months. 34,550 potential attacks against governmental departments and members of the public were also thwarted over six months – an astonishing 200 cases every day. The key to fighting the threats arrayed against us is a strong security community that is regularly bolstered by fresh entrepreneurs armed with pioneering new ideas.

The government has made several commitments to increasing its focus on cyber security in recent months, most notably the National Cyber Security Strategy announced in November 2016, which was underpinned with an investment of £1.9bn. The new strategy has many far-reaching plans for our national security, but it was the continued pledge to supporting our security start-ups that I found to be the most encouraging aspect.

Supporting the start-up journey

Ground-breaking new start-ups don’t simply appear overnight of course, and this support needs to extend all the way back into education and research. Many start-ups in the security sector are born out of research projects devised during university, and this is an area the government has wisely focused on with the CyberInvest scheme. The programme, of which Becrypt is a member, aims to promote investment into cyber security research at UK universities, as well as establishing a community that brings together industry, government and academia.

CyberInvest also demonstrates that we cannot simply throw government funds at cyber security and hope for the best – to succeed we need the support and experience of the existing security community.

One of the riskiest and most challenging periods for these would-be entrepreneurs is transitioning their ideas from a pet project into a real, viable business that can sustain itself and become profitable. There is a world of difference between coming up with an idea and actually running a business, and once again established security vendors can play an important role here by mentoring university leavers and lending their experience.

Working together

I believe that all companies in the industry can play a role when it comes to supporting the future of the industry. There are numerous schemes available to help businesses reach out to universities and connect with graduates, particularly for those based in London. For companies that don’t have any existing schemes nearby, I would suggest that any company looking for a way to contribute contact its local universities and colleges to see what it can do.

Larger companies are of course able to dedicate more time, money, and expertise into this kind of activity, but SMEs can play a valuable role as well, taking one or two graduates under their wings, or supporting other cyber community events such as hackathons. Mentoring and work experience in particular can also be a valuable source for a cyber company searching for new talent.

Going further back down the career path, Becrypt is a member of the recently launched government initiative CyberFirst, which aims to provide financial support, training and work experience for students and graduates. The scheme is creating a more positive image of the industry and encouraging 14-18-year-olds to consider a career in the field. 

Like many other industries, information security has been suffering from a skills gap for several years now. Recent research from job site Indeed found the UK to have one of the most severe cyber skills gaps in the world, second only to Israel. The research found the number of people searching for cyber roles was just 31.6 per cent of the number of job postings, meaning there were three times as many jobs available as workers to fill them.

The particular blend of skill and experience required by the industry means this crisis can only be effectively combated by catching the interest of young people and steering them towards the field as early as possible – which is exactly the aim of CyberFirst. This will help ensure that we not only have a new generation of entrepreneurs and innovators, but other much-needed experts in the security industry.

With both the number and severity of cyber attacks only set to increase over the next few years, it is essential we do everything we can to support the next wave of homegrown cyber entrepreneurs, innovators and practitioners that will be responsible for our national security. The Government has a huge role to play through funding, projects, and bodies such as the National Cyber Security Centre, but the cyber security industry must also play its part. I believe we all have a duty to work together to ensure this country continues to have the defence capabilities it needs to keep its citizens safe.

About the author: Bernard Parsons, Chief Executive Officer and co-founder of Becrypt, is a technology expert with more than 25 years of experience spanning robotics, embedded systems and telecommunications as well as high-end security technology. Working closely with UK Government, Bernard is passionate about supporting the UK’s sovereign defence capabilities and its position as a global leader in cyber security.

How Businesses Can Bolster Security and Stop Attacks Before they Happen
Tue, 01 Aug 2017 04:15:49 -0500

It takes businesses approximately 49 days to discover a security breach. As threats continue to bypass traditional security measures and grow in sophistication, enterprises across every vertical are facing the same question – “How can we implement the most effective security program for our business?”

While a reactive security stance may have been sufficient in the past, recent headlines have shown that security needs to get more sophisticated—and businesses need to be more proactive.

There are a few major forces holding organizations back from getting their security teams in gear: the worldwide shortage of professionals with the skills required to prevent and respond to attacks, the increasingly creative and advanced hacking techniques of cyber criminals, and the tendency to take a reactive approach to security. When combined, these forces are so strong that they are culminating in negative news headlines daily.

Fortunately, the mistakes that are keeping organizations from preventing these major storms in the first place are not insurmountable. Investing in the wrong areas, being distracted from other business related priorities, and focusing solely on the known “bad,” to name a few, are things that can, and should, be addressed.

Here are the core mistakes organizations are making when it comes to managing their security programs and seeking out and responding to threats - and what they can do to whip things into shape.

Facing Reality

Organizations are beginning to recognize that threats can cause major damage whether they are coming from hacktivists, nation-states or a lone-wolf attacker. Cyber criminals are highly skilled and they are using advanced hacking techniques that help them bypass even the most sensitive and protected of networks, from industrial control systems to the government. In their attempts to respond, organizations are realizing that the teams they have on hand aren't always up to the task of responding to these attackers in the most effective way.

And it’s not just due to ability. There has been a longstanding, worldwide shortage of skilled security professionals. Additionally, the daily shortcomings in terms of the types of tools used, response methodology and more have only compounded the problem. For instance, organizations are investing in the wrong areas. Many are adding more and more point solutions without a real plan for how to best use them to deliver results—and a lot of these solutions end up just sitting on a shelf. These mismanaged and disjointed solutions ultimately generate more risk through visibility gaps while organizations become complacent. Businesses have been operating from a reactive stance for too long and need to stop looking in the wrong places.

The result of such practices means businesses often ignore parts of attack cycles and end up missing threats altogether. Action is then slowed by a mitigation and remediation process that wastes time on looking for the threat, isolating it and understanding it in order to respond. By then, it’s too late.

Getting Aggressive

Gone are the days of sitting back and monitoring your businesses’ system, waiting for it to be attacked. Once attackers have made it into your system, it’s too late. Businesses need to make a shift toward proactively seeking out threats—before they hit.

What’s more, attackers often manifest themselves on a number of different endpoints, potentially all at once. Ensuring your business has a well-oiled detection and response machine in place could ultimately save your business some major headaches.

This type of security plan is tough for an organization to tackle alone. Whether it is simply information sharing or working with outside vendors, businesses benefit from third-party perspectives and insights.

Sometimes businesses even outsource their entire security process. These platforms provide a comprehensive perspective, with an even wider lens than the largest Fortune 500 companies due to their access to global threat intelligence, advanced analytics, and industry visibility. Visibility is important not just for gaining a better internal understanding, but also for understanding what possible threats may be imminent on a global scale. The goal is to do more than detecting in favor of preventing altogether. Moreover, security service providers have already gone through hundreds of dress rehearsals — it takes a lot to surprise someone who is already familiar with the type of problem.

Working with third parties also expands the kind of technology that can be used. Unused or underutilized security products, commonly referred to as shelfware, waste money and deliver no value. The aid extends to bridging the skills gap as well. Beyond the use of new technology, managed security service providers offer experts who can handle everything from routine to complex tasks, stretching budget while freeing up internal resources and time to work on IT projects that have been delayed by unresolved security issues.

Ultimately, organizations will have to realize that in-house efforts often won’t be enough when fighting off hackers with attacks they’ve sourced from around the world. Your business should already be on this path or face the wrath of the breach headline.

About the author: Chris Schueler is Senior Vice President of Managed Security Services at Trustwave where he is responsible for Managed Security Services, the global network of Trustwave Advanced Security Operations Centers and Trustwave SpiderLabs Incident Response.

Identifying and Patching Vulnerabilities in a Post-Microsoft Security Bulletin World
Thu, 27 Jul 2017 06:57:00 -0500

Microsoft’s security bulletins have provided IT administrators with a monthly list of vulnerabilities and accompanying patches for decades…until recently. Last November Microsoft warned that the Security Bulletins on Patch Tuesday would be discontinued, and they followed through on their promise with the April 2017 edition.

Companies relying on Microsoft Security Bulletins can now only find information about software vulnerabilities on the Security Update Guides portal (SUG). This change is troublesome for patch management professionals who already have enough on their plate without periodically checking SUG for new vulnerabilities and patches. Moreover, the additional time to research and understand the security patches required for their unique environments will only lengthen the time to patch. While the portal is searchable by Common Vulnerabilities and Exposures (CVE), Knowledge Base (KB) article, product or release date, the change in process will impact the daily routines of IT administrators and security professionals around the world.  

Microsoft says that SUG has functionality that users have been asking for, and that the portal allows users to customize it for their unique needs.  While the portal has advanced capabilities, the change has generated concern about the impact on patch management activities.  

Part of the outcry against Microsoft’s change relates to the changes that companies will have to make to their IT processes. Security Bulletins have been around for decades, and administrators have built their processes around the predictable and consistent delivery of these bulletins. Microsoft’s format changes are inconvenient for patch management professionals and may require more time spent researching and identifying the security patches required for their specific environments.

Consequently, companies relying on Microsoft Security Bulletins must now change their processes, or need to find alternative solutions to streamline and improve efficiency.   

Then and Now

An example of this format change is a vulnerability in Adobe Flash Player (which Microsoft distributes to their users). The older format looked like this:

It was one security bulletin that could be read and used to quickly determine what Windows platforms and products are affected.  

Now, using the SUG, the same vulnerability information is broken out into a separate listing on the website for each platform. This same Adobe Flash Player vulnerability now looks like this:

Pulling Vulnerability Information

Even without Microsoft’s long-issued Security Bulletins, businesses and IT administrators can still access vulnerability information from thousands of sources – including Microsoft and Adobe. Businesses can reference the National Vulnerability Database, the U.S. government repository of standards-based vulnerability management data, use a threat feed provider, or implement a software vulnerability management platform to help them identify and patch vulnerabilities before they impact their business.

Vulnerability Ratings

Once a business has identified the vulnerabilities present in their software, IT administrators now need to prioritize and address those vulnerabilities based on their criticality. The criticality of a vulnerability is based on the assessment of the vulnerability’s potential impact on a system, the attack vector, mitigating factors and if an exploit exists for the vulnerability and is being actively exploited prior to the release of a patch.  

The vulnerability ratings follow:

  • Extremely Critical (5 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise.  Successful exploitation does not usually require any interaction and exploits are in the wild.  These vulnerabilities can exist in services like FTP, HTTP and SMTP or in certain client systems like email applications or browsers.
  • Highly Critical (4 of 5): Normally used for remotely exploitable vulnerabilities that can lead to system compromise.  Successful exploitation does not typically require any interaction, but there are no known exploits available at the time of disclosure.  Such vulnerabilities can exist in services like FTP, HTTP and SMTP or in client systems like email applications or browsers.
  • Moderately Critical (3 of 5): This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.  Usually used for remotely exploitable Denial of Service (DoS) vulnerabilities against services like FTP, HTTP and SMTP, and for vulnerabilities that permit system compromises but require user interaction.
  • Less Critical (2 of 5): Usually used for cross-site scripting and privilege escalation vulnerabilities.  This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
  • Not Critical (1 of 5): Typically used for very limited privilege escalation vulnerabilities and locally exploitable DoS vulnerabilities.  This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of installation path of applications).

Additional Considerations

Beyond criticality, IT administrators also need to consider:

  • Impact – what this vulnerability can affect (System Access, DoS, Release of Sensitive Information, etc.)
  • Where – from where this vulnerability can be exploited: Local System, Local Network or Remote (outside of network)
  • Solution Status – is there a patch or other method that mitigates the vulnerability?
  • CVE references – uses industry standard CVE to aid in communication across groups
  • Products affected – can show if the advisory is for one product or multiple ones (in this case, the vulnerabilities affect multiple operating system versions)
  • Advisory details – Summary of the issue
  • Solution details – how this vulnerability can be mitigated

We’ll All Be OK!

Many businesses are concerned about Microsoft changing the way they release vulnerability information around their products to the world.  Yes, Microsoft used to publish the Security Bulletins, which helped IT pros understand patches that closed multiple vulnerabilities, patches closing vulnerabilities affecting multiple products, and so on. Thankfully, however, there are solutions available today that achieve a similar view – more than making up for the lack of Security Bulletins.

About the author: Ken Hilker is a Senior Product Manager of Installation Solutions at Flexera. Flexera is reimagining the way software is bought, sold, managed and secured.

Copyright 2010 Respective Author at Infosec Island
How Does UC in the Cloud Impact Your Security Posture?
Thu, 20 Jul 2017 03:11:00 -0500

Session border controllers (SBCs) provide the protection UC applications require – and data firewalls lack – enabling enterprises to make the leap to the cloud.

Chief security officers have a lot on their plate these days, from a daily influx of zero-day vulnerabilities to increasingly sophisticated denial-of-service (DoS) attacks. It’s a good bet that securing their unified communications (UC) application isn’t keeping them up at night. But maybe it should be?  

Traditionally, enterprise security has centered around data: customer data, corporate data, credit card data, etc. There is a thriving, global, cybercriminal community built just around the goal of stealing data or, increasingly, encrypting it and holding it for ransom (known as ransomware). Enterprises collectively spend billions of dollars each year protecting their data through firewalls and other data-centric security devices. In a sense, enterprises have locked their data doors tightly, but have they left another window open?    

UC applications such as voice, video, messaging and file sharing are transmitted over the same IP network as web and data applications, and thus are prone to the same type of network attacks. Where UC applications differ from their purely data-based counterparts is in the fact that they are real-time applications that use the Session Initiation Protocol (SIP) for signaling between UC stacks and endpoints. Unsecured UC expands an enterprise’s potential risk by introducing data exfiltration, Denial of Service (DoS), telephony denial-of-service (TDoS) attacks and eavesdropping into the equation. And data firewalls – even advanced next-generation firewalls – don’t have the deep, stateful knowledge of SIP to protect SIP-based real-time applications. For that, you need a session border controller (SBC).  

As many enterprises are adopting a zero-trust model for security, every application must be secured. SBCs play many important roles in enterprise communications networks by providing intelligent routing, signaling interworking, and media services to ensure quality of experience. But the SBC’s primary function is to protect the UC network from SIP-based attacks. With inherent security features such as per-session state awareness, protocol filtering, topology hiding, encryption and dynamic blacklisting, SBCs can secure voice calls and prevent telephony-based attacks from happening.  

As traditional circuit-switched communications have evolved into IP-based UC, the attack surface has grown. It’s now possible, and easier, to mount DDoS attacks, spoof caller IDs for toll fraud, or use media or signaling UDP/TCP ports to exfiltrate data. The importance of SBCs to secure UC has likewise grown – many enterprises today use SBCs as a UC firewall, a demarcation point for SIP trunking services, and a tool to encrypt and interwork their UC assets.

These perimeter-based SBCs are intended to secure UC applications that are deployed within the enterprise—for example, on an internal Skype for Business server. But what happens when UC moves into the cloud? It’s a question that many enterprises will need to answer in the coming years. According to IHS, the number of UC and VoIP subscribers in the cloud will double over the next few years, reaching over 75 million by 2020.  

The cloud represents a much larger surface area for attack. Cloud-based services are made up of many different virtual machines (VMs) and potentially dozens of different microservices, each with their own security weak points. Every weak point – whether in code, access or protocol – can expose an application to a potential security breach, and once an application is hacked, intruders can move laterally within a cloud-based network to access other applications and data. You can think of a cloud service as being composed of hundreds of different Lego-like blocks. In the cloud, your security posture is only as strong as your weakest block.

Enterprises cannot solely rely on their cloud service provider to completely secure the myriad UC connections taking place—especially if the enterprise is in a compliance-restricted industry, such as finance or healthcare. The increased surface area of the cloud provides more attack points for hackers. And compared to an on-premises UC deployment, enterprises will have less control. For these reasons, enterprises need to scrutinize their security practices so that they can ensure they’re protecting their networks appropriately.   

To create a consistent defense system against network attacks, it is critical for enterprises to integrate SBCs into their security posture at the edge of their network. Just as an enterprise wouldn’t think of connecting its data network to the internet without a firewall or performing commerce over the internet without encryption, an SBC is just as critical to real-time SIP communications.  

But enterprises need to be mindful that not all SBCs are created equal. They may support static blacklists, but not the dynamic generation of new blacklists. They may identify malformed SIP packets, but not anomalous network behavior that could indicate an attack. Or encryption may be turned off, because turning it on causes performance and jitter issues. These security gaps are points of exposure that cybercriminals can, and will, exploit.   
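The SBC functions the article lists (protocol filtering of malformed SIP, per-session state, rate-based detection of anomalous signaling, dynamic blacklisting) as an added, simplified example; this is illustrative code, not Sonus or any vendor's implementation, and the SIP messages, addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict, deque

# Constructed SIP messages for the demo (not captured traffic).
GOOD_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: {call_id}\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Malformed: no From, To or Call-ID headers.
BAD_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 203.0.113.9\r\nCSeq: 1 INVITE\r\n\r\n")

REQUEST_LINE = re.compile(r"^([A-Z]{3,10}) (sips?:\S+) SIP/2\.0$")
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")
MAX_BYTES = 4096


def parse_request(raw):
    """Protocol filtering: return (method, headers) or raise ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("oversized message")
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip()] = value.strip()
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise ValueError("missing headers: " + ", ".join(missing))
    return m.group(1), headers


class SipEdgeFilter:
    """Per-source INVITE rate limiting, per-session state and a dynamic blacklist."""

    def __init__(self, max_invites=5, window=10.0, ban_seconds=300.0):
        self.max_invites = max_invites
        self.window = window
        self.ban_seconds = ban_seconds
        self.invites = defaultdict(deque)  # src -> timestamps of recent INVITEs
        self.blacklist = {}                 # src -> ban expiry time
        self.sessions = {}                  # Call-ID -> src that opened the dialog

    def inspect(self, src, raw, now):
        """Return 'forward' or a 'drop:<reason>' verdict for one datagram."""
        if self.blacklist.get(src, 0) > now:
            return "drop:blacklisted"
        try:
            method, headers = parse_request(raw)
        except ValueError as err:
            return f"drop:malformed ({err})"
        call_id = headers["Call-ID"]
        if method == "INVITE":
            recent = self.invites[src]
            recent.append(now)
            while recent and recent[0] < now - self.window:
                recent.popleft()
            if len(recent) > self.max_invites:
                # Anomalous signaling rate: add the source to the dynamic blacklist.
                self.blacklist[src] = now + self.ban_seconds
                self.invites.pop(src, None)
                return "drop:invite flood, source blacklisted"
            self.sessions[call_id] = src
        elif method == "BYE":
            # Only the source that set up the dialog may tear it down.
            if self.sessions.get(call_id) != src:
                return "drop:BYE for unknown or foreign session"
            del self.sessions[call_id]
        return "forward"


def run_demo():
    """Constructed traffic mix; returns the verdicts in order."""
    f = SipEdgeFilter(max_invites=3, window=10.0)
    v = [f.inspect("198.51.100.7", GOOD_INVITE.format(call_id="call-1"), now=0.0)]
    v.append(f.inspect("203.0.113.9", BAD_INVITE, now=0.5))
    for i in range(4):  # four INVITEs in two seconds exceeds the limit of three
        v.append(f.inspect("203.0.113.9", GOOD_INVITE.format(call_id=f"flood-{i}"),
                           now=1.0 + i * 0.5))
    v.append(f.inspect("203.0.113.9", GOOD_INVITE.format(call_id="late"), now=5.0))
    bye = (GOOD_INVITE.format(call_id="call-1")
           .replace("INVITE sip", "BYE sip").replace("1 INVITE", "2 BYE"))
    v.append(f.inspect("192.0.2.44", bye, now=6.0))    # BYE from the wrong source
    v.append(f.inspect("198.51.100.7", bye, now=6.5))  # BYE from the dialog owner
    return v
```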

The cloud is already the future of IT and, for many enterprises, it is the future of UC as well. There is much intrinsic value in UC-as-a-Service (UCaaS), from cost stabilization to unified messaging across multiple devices/locations. But it does require a different security posture than an on-premises system. Cybercriminals are actively targeting cloud platforms, and enterprises need to be proactive in their defense against cloud-based attacks—particularly from traditionally under-secured vectors such as SIP-based communications.  

The best approach is to remember that moving an application into the cloud doesn’t shift the responsibility of security to the cloud. To maintain the security posture of unified communications, enterprises must implement a holistic approach to security that extends from their infrastructure to the cloud.  

About the author: Mykola Konrad is the Vice President, Product Management and Marketing at Sonus Networks. At Sonus, Mykola is leading the introduction of the Sonus portfolio of products to the Enterprise customer segment.

How to Prevent Ransomware and Cyberattacks
Fri, 14 Jul 2017 11:58:00 -0500

The impacts of ransomware and other breaches, which exploit failures in risk management, are preventable. The WannaCry ransomware attack was the most widespread of its kind in history. It took advantage of a Windows vulnerability – one detected and resolved months ago – encrypting victims’ data and demanding a ransom payment for decryption.

More recently, many organizations in Europe and the US have been crippled by a second ransomware attack, known as “NotPetya” or “GoldenEye.” NotPetya was a malicious, destructive attack disguised as ransomware.

The scope and speed of these new attacks are major wakeup calls for organizations around the globe; an attack can come at any time, and failing to implement a strong prevention strategy is a recipe for disaster. Often, when a cyberattack is resolved (or even while it’s still ongoing), unaffected organizations may instinctively dismiss its significance, assuming the dangerous mindset that their business’ operations are different and won’t be affected. This frame of mind fails to acknowledge that mistakes made by cyberattack victims are typically shared by many others.

Consider the ever-increasing capabilities of cyberattackers. Constantly improving technologies allow attackers to evolve their strategies, find new points of entry, and make themselves harder to detect. Your security and business continuity programs must stay one step ahead of this evolution, a process that requires implementation across departments and levels.

Cyberattacks – alongside all risk management failures – are entirely preventable with good governance and integrated risk management processes. The standardization and automation of these components does not require a revolution in your operational structure. They are achieved by using centralized monitoring and policy operationalization, making sure you adhere to best practices without exception. Senior leadership can then use the information gathered to make informed strategic decisions.

The traditional understanding of departmental interaction – namely that each department conducts its own operations and is most qualified to evaluate its own risk profile – creates cracks through which incidents and attacks can slip. A truly integrated approach, requiring strong governance and board oversight, illuminates vulnerabilities shared by departments. This allows for efficiency (and efficacy) through collaboration and allocation of responsibilities.

Poor governance and operationalization have led to risk management failures including those seen at Target, Ashley Madison, Dwolla, and Wendy’s. These breaches would have been prevented not with complex, expensive technology, but with improved governance processes.

Strengthening Cybersecurity and Preventing Surprises with Good Governance

Enterprise risk management accomplishes more than simply identifying new risks and to-do items. By revealing the interdependencies and interactions between departments, applications, vendors, and other resources, it closes the gap between policies and everyday operations. This makes it easier to resolve known issues and prevent scandals. For example, which applications contain sensitive data that might have a material impact on your reputation? Which departments use those applications, and which policies and controls (if any) currently address those weaknesses? Are these policies and other mitigation activities effective in addressing this risk?

Going back to WannaCry, prevention would have been as simple as automated alerts. Alerts would have prompted verification that appropriate Windows patches were implemented, followed by a report of all critical systems not covered by patch deployments. This is a good example of the importance of governance over existing processes, as opposed to the wasteful alternative of expensive technology solutions that may not even address future issues.

It’s a known fact in the security community that, due to human or technology errors, 10-15% of authorized, scheduled patches are not implemented. Resulting vulnerabilities are often detected by the “right” people (in this case, Windows itself) before they are by the “wrong” people, but when fixes aren’t implemented punctually, the risk remains. Notifications remove the possibility that risk goes unaddressed.

Mitigating risks presented by any cyberattack can take place at your organization today. If necessary, the following steps can be performed on a manual basis, but for long-term sustainability, use a centrally managed, risk-based approach.

Off-site backups are your first and most basic line of defense. Frequency and scope will be different for each organization; your security team should collaborate with senior leadership to determine minimum standards. Has a restoration test been performed, ensuring that your infrastructure and applications infrastructure can be restored? Can back-up data actually be used within your stated recovery time objective (RTO)? Your RTO is the maximum “downtime” window that can be tolerated for a particular process before financial, reputational, or legal damage occurs.

Most organizations have formal internal policies, but few identify the risks associated with these policies. After risks are identified, regular tests and notifications verify that these risks are mitigated. Backups take time, and without using a risk-based approach to prioritize data and the application infrastructure, much existing activity is wasted. The relationships between your people and resources, once identified, reveal what is integral to critical functions.

Backups will form one piece of your overall business continuity and disaster recovery (BC/DR) plan. The BC/DR plan needs not only to be created, but also tested regularly. Most back-up systems only preserve data, not the application infrastructure. Doing so requires a second level of testing: can the applications and infrastructure be reestablished, and will they be compatible with restored data? Test your organization’s ability to implement a “clean recovery,” or total restoration of all data. The program cannot be made fully operational until those regular tests are implemented. Without an operationalized BC/DR program, it is difficult to impossible to recover from an attack within the required timeframe.

Most organizations also understand access rights from a policy point of view. However, are access rights managed effectively by all the users? The principle of least privilege, by which a company grants employees only the access they need to perform their duties, limits vulnerability without compromising efficiency. Begin this process by implementing and enforcing password complexity/change requirements. Rights then need to be defined and updated regularly by engaging front-line managers. Ransomware and breaches target the weakest links in an organization, often through vendors and supply chains.

With an ERM solution, you can maintain an effective asset management process by determining which applications, devices, and other resources require access rights protection. The next step is to create transparency into how effective policies are over these processes.

Through good governance, you can make sure everyday activities are aligned with leadership’s strategic goals. An integrated risk management approach reduces overall exposure and allows the organization to better leverage existing assets and prevent potentially disastrous disruptions like the WannaCry attack – without using additional budget to security technologies.

About the author: Steven Minsky is the CEO of LogicManager, the leading provider of ERM solutions. Steven is also the author of the popular Risk Maturity Model, RIMS State of ERM Report, a frequent contributor to blogs and press, as well as an instructor on many risk management topics.

SAP Cyber Threat Intelligence report – July 2017
Fri, 14 Jul 2017 10:57:26 -0500

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • July’s set of SAP Security Notes consists of 23 patches with the majority of them rated medium.
  • The most severe vulnerabilities of this month affect SAP POS, a point of sale solution. The vulnerabilities allow attackers to read/write/delete sensitive information and even monitor all content displayed on a receipt window of a POS remotely without authentication.

SAP Security Notes – July 2017

SAP has released the monthly critical patch update for July 2017. This patch update includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes).

11 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.

4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.

The most common vulnerability types are Missing Authentication check, Switchable authorization check, and Implementation flaw.

Issues that were patched with the help of ERPScan

This month, several critical vulnerabilities identified by ERPScan’s researchers Dmitry Chastuhin, Mathieu Geli, and Vladimir Egorov were closed by 3 SAP Security Notes.

Below are the details of the SAP vulnerabilities identified by the ERPScan team.

  • Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • Multiple vulnerabilities (Cross-site scripting and Cross-site request forgery) in SAP CRM Internet Sales Administration Console (CVSS Base Score: 6.1). Update is available in SAP Security Note 2478964. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modification of displayed content. Moreover, an attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters. A function will be executed with the authenticated user’s rights.

About Multiple Missing Authorization Check in SAP Point of Sale

SAP POS, a client-server point-of-sale (POS) solution from the German software maker, is part of its Retail solution portfolio, whose products are in use at 80% of the retailers in the Forbes Global 2000.

From a technical point of view, SAP POS consists of client applications, a store server side (serving connectivity, operational and administrative needs) and applications running in the head office to allow central configuration.

This month, SAP released Security Note 2476601 to close multiple severe vulnerabilities in SAP POS Xpress Server. The component lacks authentication checks for critical functionality. The missing authorization checks would allow an attacker to:

  • Read/write/delete files stored on SAP POS server;
  • Shutdown the Xpress Server application;
  • Monitor all content displayed on a receipt window of a POS.

The described malicious actions can be performed over the network without authentication.

The vulnerabilities were rated at 8.1 by CVSS base score v3, with all three impact metrics (Confidentiality, Integrity, and Availability) assessed High.

According to the rules of responsible disclosure, ERPScan doesn’t disclose technical details to allow SAP customers a period of time to patch the issues. Researchers who identified the vulnerabilities will deliver a talk at Hack in the Box Singapore (August 24) where they will demonstrate an attack vector against SAP POS.

Other critical issues closed by SAP Security Notes July

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on the code type, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2409262: SAP BI Promotion Management Application has an XML external entity vulnerability (CVSS Base Score: 6.1). An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modification of displayed content. Install this SAP Security Note to prevent the risks.
  • 2398144: SAP Business Objects Titan has an XML external entity vulnerability (CVSS Base Score: 5.4). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to gain unauthorized access to the OS filesystem. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

WannaCry: How We Created an Ideal Environment for Malware to Thrive, and How to Fix It
Wed, 12 Jul 2017 10:29:29 -0500

On May 12, 2017 a ransomware attack began impacting organizations all over the globe and in just a few days had spread to over 230,000 computers across 150 countries. It’s quite a story, with the vulnerability used to spread the ransomware coming from leaked NSA data, speculation that the malware authors were not particularly sophisticated despite the breadth of the attack, possible links to North Korea, and a security researcher stumbling upon a kill switch that largely halted further spread of the malware. Although these aspects are fascinating and worthy of investigation, there is a larger question that needs to be answered: How in the world did we end up with a security paradigm where a malware infection can spread so rapidly and so broadly? And, most importantly, how do we begin to fix it?

The ultimate scope of the WannaCry ransomware attack was a result of two primary factors: the ability to communicate laterally across environments without restriction and an abundance of vulnerable machines to compromise. It is perhaps not surprising that as malware has dramatically evolved over the preceding decades, security architectures would also need to have evolved to effectively defend against these attacks. However, as we look at the security infrastructures used by organizations today, it is clear that most organizations have not evolved their security approaches enough to keep pace with emerging threat vectors.

Standard practice for security teams only a few years ago was to construct as strong a barrier as possible between the internal resources of a network and the chaos of the internet. This perimeter-centric approach made sense at the time, when the resources on the network were more or less stationary.  But things have changed.  The capabilities introduced by mobile computing, BYOD, IoT, cloud computing, and increased interconnectivity between business partners and third parties have created a situation where the old perimeter is nearly impossible to define, let alone control.

With adversaries able to cross an organization's perimeter with little trouble, they are able to reach the largely unprotected interior of the network and data center and then operate with very little standing in their way. A good example of this was observed during the Target breach in 2013, when attackers were able to communicate with a Point of Sale (POS) system in one Target store by connecting to it from a network-connected deli meat slicer in a second store location. The solution to this situation is fairly obvious: implement security policies to isolate machines that should not be talking to each other. For example, POS systems should only be able to communicate with other payment components, different store locations should only be able to access inventory systems for other store locations, and deli meat slicers shouldn’t be able to communicate with very much at all. The industry term for this approach to dividing up a network and data center into smaller zones of communication is segmentation.

Without proper segmentation of an organization’s network infrastructure, adversaries are able to move about at will - either manually, or in the case of WannaCry, automatically via a computer worm.

The second factor that contributed to the scale of the WannaCry attack was the sheer number of machines that were vulnerable to the EternalBlue exploit being leveraged. These vulnerable machines fall into one of two categories: either they were supported OSes that had not had critical security patches applied (Microsoft released a patch for the vulnerability on March 14, 2017 following the NSA leak), or they were unsupported OSes where no security patches were available (Microsoft has since released patches for these older OSes as well).

When you pull those threads a bit, it’s clear to see that organizations not having rigorous procedures for ensuring OSes are kept up to date with critical security patches directly led to the ability of WannaCry to spread as rapidly and broadly as it did. At the same time, the sheer number of organizations using older, unsupported OSes where critical security updates are no longer made available is shocking. According to the Spiceworks 2017 OS Adoption Trends survey, 52% of companies across North America, Europe, the Middle East, and Africa are still running some number of Windows XP systems. This means that more than half of all companies were vulnerable to WannaCry by default.

It’s easy to fault companies still running OSes that have been unsupported for years, however most of these companies are simply maintaining legacy applications they neither fully understand nor have the resources to recreate on a more current platform. They are in a tough spot needing to maintain these older systems while also needing to secure them in wide-open networks where attackers can move about freely. This is the exact situation that created the opportunity for WannaCry to thrive.

Obviously keeping systems up to date with security updates and retiring/migrating systems once their OS is no longer supported can go a long way toward preventing the spread of malware inside an environment, but this approach isn’t always viable. For all the companies that need to maintain legacy systems, regardless of the reason, focusing on isolating these systems as much as possible is a much more effective strategy.
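The segmentation policy the article argues for, written out as a default-deny allow-list evaluator; this is an added illustration, not vArmour's product or code. The zones, addresses and permitted flows are constructed from the article's store/POS/deli-slicer example plus a legacy zone for unsupported systems; host-to-host SMB (TCP 139/445, the protocol EternalBlue targets) is blocked even inside a zone, since that is the path a worm like WannaCry needs.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map (not real addressing) following the article's example.
ZONES = {
    "pos-store1":       ip_network("10.1.10.0/24"),
    "inventory-store1": ip_network("10.1.20.0/24"),
    "pos-store2":       ip_network("10.2.10.0/24"),
    "iot-store2":       ip_network("10.2.90.0/24"),  # appliances such as the deli slicer
    "payment":          ip_network("10.0.50.0/24"),
    "patch-server":     ip_network("10.0.60.0/24"),
    "legacy-xp":        ip_network("10.0.70.0/24"),  # unsupported OS, isolated as tightly as possible
}

# Allow-list of (source zone, destination zone, TCP ports); anything not listed is denied.
ALLOW = [
    ("pos-store1", "payment", {443}),
    ("pos-store2", "payment", {443}),
    ("pos-store1", "inventory-store1", {8443}),
    ("pos-store1", "patch-server", {443}),
    ("pos-store2", "patch-server", {443}),
    ("legacy-xp", "inventory-store1", {8443}),  # the one flow the legacy app still needs
]
SMB_PORTS = {139, 445}


def zone_of(ip):
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, dst_port):
    """Return (verdict, reason) for one connection attempt under default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if src == dst:
        if dst_port in SMB_PORTS:
            return "deny", f"host-to-host SMB inside {src} blocked (worm propagation path)"
        return "allow", f"traffic inside {src} is permitted"
    for s, d, ports in ALLOW:
        if s == src and d == dst and dst_port in ports:
            return "allow", f"{src} -> {dst}:{dst_port} is on the allow-list"
    return "deny", f"no rule permits {src} -> {dst}:{dst_port}"


def audit(flows):
    """Evaluate a batch of (src, dst, port) flows; returns the verdict per flow."""
    return [(flow, *evaluate(*flow)) for flow in flows]


# Constructed flows: one legitimate payment call, the Target-style cross-store
# lateral move, SMB between peers, and the legacy zone reaching beyond its need.
SAMPLE_FLOWS = [
    ("10.1.10.5", "10.0.50.8", 443),   # POS -> payment: allowed
    ("10.2.90.3", "10.1.10.5", 445),   # store-2 slicer -> store-1 POS: denied
    ("10.1.10.5", "10.1.10.6", 445),   # POS -> peer POS over SMB: denied
    ("10.1.10.5", "10.1.10.6", 8443),  # POS -> peer POS, non-SMB: allowed
    ("10.1.10.5", "10.0.70.2", 445),   # workstation-style reach into legacy zone: denied
    ("10.0.70.2", "10.1.20.4", 8443),  # legacy app -> inventory: allowed
    ("10.0.70.2", "10.0.50.8", 443),   # legacy -> payment: denied
    ("192.0.2.10", "10.0.50.8", 443),  # unknown source: denied
]
```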

The important points for all organizations to remember are: 1) keep your systems as patched and up to date as possible, and 2) do not leave your network wide open for adversaries to take advantage of but begin segmenting your infrastructure and reducing your attack surfaces. We’re sure to see additional widespread attacks going forward, but by keeping systems up to date and preventing unauthorized communications via segmentation, your organization will be in a much better position to avoid being impacted by those threats.

About the author: Jesse McKenna is Director, Cybersecurity Product Management at vArmour. With over 12 years’ experience in designing leading edge detection systems, he possesses deep expertise in fraud, security, behavioral analytics, and how theoretical detection and analytics concepts can be applied and operationalized in real world environments.
