Centering Your Security Strategy on Leadership, Resilience and Fundamentals
Fri, 16 Mar 2018 08:40:00 -0500

Cyber security technology solutions continue to advance, as do cyber-attack methods. Cisco is tracking this phenomenon in malware development by measuring Time To Evolve (TTE), essentially the time that elapses between distinct changes in evasive file and delivery tactics. Malicious hackers’ inventiveness and sophistication have allowed six malware families to continue creating havoc over an extended period of time. These strategies only partially explain why we see the same vulnerabilities being exploited year after year. If we worry too much about sophisticated zero-day attacks or become distracted by the overblown promises of the latest software package, we continue to neglect the elements that are proven to protect or expose us.

Verizon’s 2017 Data Breach Investigations Report highlighted that, yet again, it’s the fundamentals that will be our undoing, but they could also be our saving grace. A vast majority of breaches (88%) fall into one of nine attack patterns, the same nine patterns Verizon identified three years ago. Phishing is still among the most prevalent attack vectors, and lots of people are still falling for it: the report found one in 14 users had opened a phishing link or attachment, and a quarter of them did it more than once. Two-thirds of malware is installed via malicious attachments; likewise, ransomware and web application attacks frequently use phishing emails, texts, and calls to initiate access. Finally, the password plague continues to sicken security programs: 81% of hacking breaches used stolen or weak passwords to gain a foothold.

The bad news is that we don’t seem to be learning from our mistakes as quickly as we should. The good news is, raising security awareness across the enterprise doesn’t require capital investments or complex upgrades. It requires diligence, leadership, and contextual threat intelligence — and it starts in the C-suite.

Reducing the Risk of Attack

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience in order to manage, respond and mitigate any negative impacts of cyberspace activity.

Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.

Cyber resilience is all about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inescapable attack. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.

Focus on the Fundamentals

Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organizations must do is ensure they have standard security measures in place. This means going well beyond implementing the latest security tools.

Cisco’s 2017 survey of security capabilities found that while CSOs and SecOps managers are confident they have the best technologies available, they are much less certain that, in the face of skills and budget shortages, they are making the best use of these tools. Such fundamental shortcomings are a good place to start if you’re looking to fortify your existing defenses.

Every type and size of organization is vulnerable to cyber-attacks. To control risk and damage, each organization has to develop and maintain a thorough understanding of its particular weak points, targeted mission-critical information assets and industry-specific threat vectors. Executives who leverage threat intelligence, maintain strong contextual awareness, and stay committed to managing insider threats help their organizations develop a deeper culture of defense, injecting security throughout the enterprise.

Companies that prioritize well-equipped security programs and widespread security awareness are more prepared to grow, innovate and compete. In order to consistently make better decisions about how to align business and security objectives to manage risk, protect brand reputation, and respond effectively to incidents, boards and senior executives have to remain steadfastly engaged.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island
An Open Letter to AWS CEO Andy Jassy on Cloud Security Innovation
Fri, 16 Mar 2018 07:40:27 -0500

Dear Andy,

Congratulations to you and the entire Amazon team on your latest quarterly results. Your team’s contribution continues to be impressive. I was particularly excited to hear that AWS’ expanding partner base continues to be an important driver of your growth.

From where I sit, your commitment and focus on fueling the ecosystem has never wavered. It once took a few hours to walk the partner expo at re:Invent and the AWS Summits; now it takes a day or more. So, every time I read a media report that says you have partners in the crosshairs, I ask myself the same question: Did I miss the memo advising all small, innovative startups that it’s time to close their doors because you’re investing in technology and companies to make AWS better and more secure?

The focus of late has been on cloud security and rightfully so. Organizations of all sizes are migrating to the cloud to take advantage of cost savings, efficiency gains, and the flexibility to scale. Of course, fraud, hacking and malware are proliferating just as quickly as the good kind of cloud technology, so security is becoming the top priority for organizations that want to stay protected while taking full advantage of the benefits of running in the cloud. 

I will always maintain my steadfast perspective that collaboration of innovators, regardless of size, is essential in helping businesses of all sizes and cyber sophistication to reduce their cyber risk.

It is true that cybersecurity startups do not have as loud a voice as AWS and other large cloud providers. Their greatest asset is the ability to innovate, attract passionate and high-intellect employees looking to do meaningful and impactful work without the bureaucracy, traditional process and politics of the larger, more established companies.

While the story of AWS being a threat to companies like ours may get a lot of clicks and shares (I can attest to this first-hand), it distracts the community from the bigger story about the magnitude of the cybersecurity challenge. The reality of the cybersecurity market is that the sophistication of the attacks and the implications of lengthy times to detect, understand and remediate put businesses of all sizes at risk.

The role of cybersecurity providers is to give businesses security context as a means of reducing the “mean time to know” and accelerating the path to remediation.

The bigger story is about how continued investments, organic or inorganic, strengthen security context for businesses of all sizes. The more security signals, the more security context; the more context, the faster the “mean time to know”; the faster the “mean time to know,” the faster the actions to remediate security risk.

The objective of every startup should be to provide world-class solutions that ingest the security indicators that Amazon and numerous partners across the AWS ecosystem make available. This provides correlated security context and reduces the business resources required to quickly address the growing cyber threats businesses face every day.

We are not threatened by the actions of AWS but instead are encouraged by it. We welcome the additional security indicators you are making available through your tools and services. I strongly feel that “us vs. them” is not a vendor vs. vendor discussion. Rather, “us vs. them” is the collaboration of innovative cyber companies of all sizes “versus” those that are motivated by widespread global economic, public safety and national security disruption.

The collaboration of innovative cyber security companies is a win-win for all. We are not willing to close our doors at the “threat” of larger companies investing in the cyber market, but instead, we use it as fuel to further our passion and conviction for our defined mission.

This is what is in the best interest of our mutual customers. I encourage you to maintain your commitment to the ecosystem and for my fellow partners to work together to help customers defend and protect themselves from the increased assault on the data companies are moving to the cloud.

Best regards,

Brian Ahern

CEO & Chairman, Threat Stack

Beat Them at Their Own Game: Understanding and Neutralizing Evasive Malware Tactics in the Face of Rising Attacks
Fri, 16 Mar 2018 07:34:23 -0500

Chasing malware developers through their cyber rabbit holes might be a fun challenge for security researchers, but for the rest of us, the effectiveness of modern attack methods is frustrating and alarming. Incidents that involved evasive malware, and in particular fileless techniques for bypassing endpoint security measures, were prevalent in 2017. They are set to be even more damaging, costly, and exasperating in 2018.

It’s an old story by now — the more security pros learn about protecting their organizations against malware, the more wily and sophisticated the adversaries get. The adversaries will always have the incentive and the ability to bypass detection-based technologies. In order to protect their nefarious creations (and their investments), attackers will try everything they can in order to evade detection.

The ability of attackers to avoid being detected isn’t as simple as it sounds when an entire world’s worth of security experts, artificial intelligence systems, and endpoint protection software vendors are focused on stopping them. And the stakes are getting higher. Experts predict that this year, state-sponsored hackers, hacktivists, and crime syndicates will leverage and target major events like the Olympics and U.S. midterm elections. Even more alarming, it is expected that ransomware attacks on hospitals and IoT devices will turn deadly, as attackers extort money and power by hijacking control of pacemakers and other critical equipment.

Malware developers use a number of techniques to ensure that their malicious code runs even on endpoints that use a variety of products dedicated to identifying, detecting, and eradicating malware. These techniques are well documented, can be understood by day-to-day attackers, and are increasingly offered as an easy-to-deploy service by cybercrime syndicates. Common evasive techniques include:

Refusing to Infect in “Hostile” Environments

Malware developers want to avoid having their code fingerprinted, which subsequently makes their malware known to antivirus solutions (and therefore readily blocked). Such malicious software is constructed to avoid virtualization environments, sandboxes, and antivirus solutions by shutting itself down and leaving no trace through artifacts or executed processes.

Using Memory Injection

Malicious code injects itself into trusted processes on the system, abusing the legitimate capabilities of the operating system or software to avoid solutions that look for new and unwanted files and processes. Malicious code is concealed in a file using a packer or other technique, so it arrives looking normal, injects itself into other legitimate applications, and gains a foothold. Such techniques are used in the fileless attacks mentioned above. One of these schemes recently made headlines by targeting organizations providing critical support to the Olympics. The attack combined a phishing email, a weaponized Word file, and a hidden PowerShell script. Using native PowerShell functions to evade pattern-matching solutions and other defenses, attackers are able to establish a link to a remote server, possibly with the intention of downloading more malware.

Using Document Files

Malware hides in documents (Word, Excel, PDF) using macros, website links, and exploits to bypass defenses. This type of attack can also be complex to detect. Consider, for example, a PDF file that contains an embedded Word document, which includes a macro that downloads and executes additional malicious code on an endpoint. These evasive tactics make it difficult for both traditional and next-gen AV solutions to separate malicious from non-malicious files.

Evasion techniques allow adversaries to get past even modern endpoint security solutions, regardless of whether they’re based on signatures, behavioral monitoring, file reputation, machine learning, or heuristics. Besides being complex and creatively manipulative, there are several reasons why these evasion techniques work, even against modern AV defenses:

  • All forms of AV are based, at least to some extent, on historical information (signatures, behavior patterns, etc.), even if this information is used to develop a machine learning model. If there are no fingerprints or historical threat artifacts to “convict” for detection, the malware is invisible to these solutions.
  • Malware gets regular updates. The adversaries are motivated to keep their attack tools fresh and unknown.
  • Malware is often purpose-built to avoid detection and tested against current implementations of defense solutions. Adversaries ensure that their attacks will be invisible to traditional as well as next-gen AV solutions by devising software that differs from expected patterns and adding combinations of obfuscation tactics.

Evolving Your Endpoint Protection Strategy

Baseline AV products, be they traditional or next gen, play an important role in safeguarding the endpoint, but attackers will always find ways around their detection-based approaches. That’s why such technologies aren’t sufficient by themselves to secure laptops, workstations, servers or other devices in the modern enterprise. To block attacks, security teams need to better understand the mechanics of evasion and the limits of signature, pattern, and behavior-based security solutions.

Mind the gap between your security tools’ ability to detect and block malicious code and the hackers’ ability to evade detection; you can be sure they are well aware of it. Augment baseline AV with anti-evasion solutions designed to stop this kind of malware by blocking its attempts to bypass detection. In other words, focus on breaking or otherwise negating the evasive techniques themselves, rather than solely detecting the malicious software. By “attacking” attempts to evade your security solutions, you will force the adversaries to pick their poison: implement evasion tactics and be stopped because of them, or don’t evade and be stopped by your baseline security controls.

If there is any hope of disarming modern and well-equipped attackers, we have to beat them at their game. Increasingly, that means outmatching them in a battle of wits by devising creative dodges, artful illusions, and cunning counter maneuvers.

About the author: Eddy Bobritsky is Co-Founder and CEO at Minerva Labs, a leading provider of anti-evasion technology for enterprise endpoints.

Increasing Board Accountability and Expertise Is Critical to Security and Risk Management
Fri, 09 Mar 2018 10:21:01 -0600

2017 saw huge numbers of people affected by breaches: 145 million consumer records in the Equifax breach; 200 million voter records in the Deep Root Analytics breach, a firm that has contracted with the Republican National Committee; reprehensible corporate behavior (Uber’s breach cover-up); state-sponsored attacks (Russia and North Korea have been busy); and legislative response (by states, New York’s DFS, Congressional hearings, Senate proposals, and more). Harder to quantify, but certainly a major concern, is the erosion of public trust.

Given all the attention (and the apparent lack of progress), the year ahead is certain to bring further backlash from frustrated customers, shareholders, partners, and government agencies. How do Directors prepare for this increasing accountability? Tara Swaminatha, renowned legal expert specializing in cyber security liability and risk, recently outlined developments to watch in 2018, including the push to increase cyber security expertise on corporate boards.

The Board of Directors (BoD) is ultimately responsible for the future of their company. Shareholders expect that the companies they have invested in will follow through on specific, well-informed plans to mitigate risk in every form. As we’ve seen in cases like Target, Equifax, and Uber, the first move in response to scandal and public pressure is often the departure (voluntary or otherwise) of the CEO.

Boards Must Ensure Security Efforts Align with Risk Management

Innovations in technology, online services, and cybercrime exploits create disruptive ripple effects, creating new risks for organizations and consumers. Security and risk management programs have to be resilient enough to adapt to constant change. Boards and executives are uniquely positioned to ensure that security initiatives align with business strategy and take an enterprise-wide view of risk and opportunity.

No matter what technical systems, advanced controls, or frontline security experts a company has in place, no one can say they have zero risk of a security breach. The BoD needs to focus on asking, and answering, tough questions to ensure risks are understood and kept at acceptable levels. They must play out the scenarios: what would the aftermath of a breach look like in your organization? Would investigators find evidence of negligence, as in the Target Stores breach, or glaringly insufficient standards of care? In the final analysis, answers to these questions will determine levels of liability. BoDs have to understand this.

The questions that frame this responsibility at a high level are these:

  1. Does my company perform reviews on a regular basis for vulnerabilities that could present risk to us or our customers?
  2. Has my company developed an Acceptable Risk Profile, and a methodology for prioritizing risks?
  3. Does my company have a plan to address these risks, and are we executing against that plan?

Board level reporting is key: BoDs need current, clear information about the effectiveness of their security programs, reported on a consistent basis. Specific examples of useful information for Board level decisions include:

  • Trend data for measuring effectiveness of security investments;
  • Year-over-year external security assessment test results;
  • Employee security awareness training completion statistics;
  • Results from incident response tabletop exercises; and
  • Third-party risk reports.

Board Education and Risk Awareness

The BoD should approve an Acceptable Risk Profile that can help shape risk reduction programs and reporting. Boards should also review annual risk assessments and evaluate how resources are being allocated to address the findings. This assessment must include vendor/partner risks, a key area of focus for regulation and guidance in coming years. The BoD should constantly ask those responsible to demonstrate that the information security program is aligned to the risk profile of the company and that incident response plans are in place to address the breach and attack scenarios that are most likely to occur, and most likely to cause critical damage.

In short, the Board (or appointed committee) should maintain direct visibility into cyber security posture and improvement efforts. Supporting documentation for the FFIEC’s Cybersecurity Assessment Tool contains related recommendations for Boards and CEOs. While this is a tool geared toward financial institutions, the guidance is broadly applicable. It’s important for Directors and executives to familiarize themselves with national standards like the NIST Cybersecurity Framework as well as risk management guidance specific to their industry.

Organizations are increasingly seeking to recruit board members with cyber security expertise. Boards also engage outside experts to support and inform their decision-making. To that end, the BoD must learn how to make the best use of external consultants and identify trusted sources of timely cyber security related information, while at the same time avoiding the internal politics inherent in most organizations. Annual reports geared toward non-technical professionals will help BoDs stay up to date on threat environment trends and actual breach data (e.g., the Verizon Data Breach Investigations Report, Ponemon Institute, and other IT analyst firms).

Proactive Oversight, Continuous Improvement

To stay on top of security and build resilience into your organization, it’s important to put mechanisms in place for ongoing improvement. The technology used to develop both threats and countermeasures is on a very steep growth curve. Directors will find it useful to focus on the following as they plan ahead in 2018 and beyond: organizational structure; Acceptable Risk Profile and routine risk management reviews; internal and external resources for staying informed; and regular reporting that establishes metrics for baseline performance, improvement, and measurable results.

When it comes to cyber and information security, Directors cannot afford to be bystanders. Regulators, law enforcement, legislators, clients, and consumers are watching closely. Blaming cyber criminals, IT teams, and third parties won’t keep Boards and executives out of hot water. Shrewd, visionary leadership is required to build an integrated risk management and security program. Directors who combine mature cyber security awareness with deep industry experience have an increasingly important role to play in protecting their organization and positioning it for sustained success and growth.

About the author: Greg Reber is the Founder and CEO of AsTech, a leading information security consulting firm. Reber was among the first to recognize and address the risks presented by consumer-facing applications, and built AsTech’s reputation over 20 years as a leader in risk management.

Number of Domains Hosting Crypto-Miners Up 725% in Four Months
Wed, 07 Mar 2018 09:26:52 -0600

The number of websites hosting code that mines for crypto-coins using visitors’ CPU power went up a staggering 725% in a four-month period, Cyren reports.

The massive increase took place between September 2017 and January 2018 and was observed while monitoring a sample of 500,000 sites, the security company says. The firm also noticed that some websites would run the crypto-mining scripts on more than one page, knowingly or not.

The number of new mining sites registered a massive increase in October, plateaued in November, and then doubled in December and again in January, which suggests that the rate at which crypto-mining is spreading is accelerating.

This jump in activity, however, isn’t surprising, considering the meteoric rise in crypto-currency values over the past months, Cyren points out. Most of the scripts were designed to mine for Monero, a virtual coin that increased by almost 250% in value recently, attracting a lot of attention.

The spike in mining sites was also fueled by the launch of a Coinhive API that would allow websites to mine for Monero currency directly within the browser, Malwarebytes says. The API was launched in mid-September 2017 and the service has become highly popular fast.

Within weeks, the Coinhive API started being abused to launch crypto-mining attacks in which the mining operation is automated, silent and platform-agnostic, and gives a site’s visitors no way to opt out.

Coinhive has since introduced an API (AuthedMine) that explicitly requires user input when starting the mining operation. Between January 10 and February 6, however, the opt-in version of the API saw low usage at 40,000 per day, while the silent one was massively employed, at 3 million a day.
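The distinction drawn in the two paragraphs above (a miner loaded silently versus one loaded through the opt-in AuthedMine library) is something a site owner or a web-crawler operator can check for mechanically. The following is an added example written for this page, not Cyren’s, Malwarebytes’ or Coinhive’s code. It assumes, as a placeholder watchlist, that the silent library is served from coinhive.com and the opt-in library from authedmine.com, and that a site key is passed as the first string argument to a `CoinHive.*` constructor; the HTML pages it scans are constructed samples.

```python
"""Classify in-browser mining scripts found in an HTML page as silent or opt-in."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host watchlist (this example's assumption, not a value from the article):
# the library that mines without asking versus the one that requires user consent.
SILENT_HOSTS = ("coinhive.com",)
OPT_IN_HOSTS = ("authedmine.com",)

# Assumed shape of the miner constructor call; captures the site key the
# operator is paid under so the owner can report it.
SITE_KEY_RE = re.compile(r"new\s+CoinHive\.\w+\(\s*['\"]([^'\"]+)['\"]")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def _host_matches(url, hosts):
    # Handle absolute and protocol-relative URLs; relative paths have no host.
    parsed = urlparse(url if "//" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def classify_page(html):
    """Return the miner scripts found, any site keys, and an overall verdict."""
    collector = _ScriptCollector()
    collector.feed(html)
    silent = [s for s in collector.srcs if _host_matches(s, SILENT_HOSTS)]
    opt_in = [s for s in collector.srcs if _host_matches(s, OPT_IN_HOSTS)]
    site_keys = SITE_KEY_RE.findall("\n".join(collector.inline))
    if silent:
        verdict = "silent"       # mines without giving visitors a way to opt out
    elif opt_in:
        verdict = "opt-in"       # consent library present
    else:
        verdict = "none"
    return {"silent": silent, "opt_in": opt_in, "site_keys": site_keys, "verdict": verdict}


# Constructed sample pages for demonstration (not captured from real sites).
SILENT_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('EXAMPLE_SITE_KEY'); m.start();</script>
</head><body>news</body></html>"""

OPT_IN_PAGE = """<html><head>
<script src="//authedmine.com/lib/authedmine.min.js"></script>
</head><body>blog</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>console.log('hello');</script>
</head><body>shop</body></html>"""

if __name__ == "__main__":
    for name, page in (("silent", SILENT_PAGE), ("opt_in", OPT_IN_PAGE), ("clean", CLEAN_PAGE)):
        print(name, classify_page(page))
```

Run on a crawl, the `verdict` field gives the silent/opt-in split the article reports, and `site_keys` lets an affected site owner see which account a compromised page was mining for.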

Malwarebytes says that crypto-mining has been its top detection overall since September 2017, and that in-browser mining is only one type of such malicious activity observed. To maximize profits, miscreants attempt to deliver their miners to as many devices as possible.

Some websites even found ways to make the mining operation persistent, by using pop-unders that are placed right underneath the taskbar, thus being virtually invisible to the end user. Other miscreants booby-trap browser extensions to inject code into each web session and ensure continuous mining operations.

“Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing,” Malwarebytes says.

In a report this week, Kaspersky too warns that crypto-mining has become a top threat. The number of users attacked by malicious miners went up 1.5 times in 2017 compared to the previous year, to reach 2.7 million.

Victims who end up infected with crypto-miners have their computer’s power harvested for the benefit of the attackers, and the popularity of these malicious applications appears to be surpassing that of ransomware, the security company says.

One infection campaign was using a Potentially Unwanted Application (PUA) module as the infection vector and a process-hollowing technique to inject the malware into a legitimate system process, and was also setting a system-critical flag on the process, to prevent users from closing it. The malware was mining Electroneum, and earned its operators over $7 million during the second half of 2017.

Like ransomware, crypto-mining isn’t targeting only end-users, but organizations as well, given that their networks provide more mining power. Regardless of whether performed in-browser or through malware, the mining operations are expected to expand further, causing more harm in their path.

“Cryptomining is in its infancy and is expected to continue to grow exponentially. Companies need to address and protect against the threat now,” Cyren concludes.

Related: Crypto Mining Malware Infects Thousands of Websites

Related: Crypto-Mining Attack Targets Web Servers Globally

Today's Threat Landscape Demands User Monitoring
Tue, 27 Feb 2018 07:38:59 -0600

One of the most important metrics in infosec is “attacker dwell time”: how long does it take to detect and remediate an intrusion? While each year brings improvement, the latest research reveals an average of 95 days, still over three months. Attackers continue to hide in plain sight by impersonating company users, forcing security teams to overcome two challenges. First, companies must centralize all security-related events and employee behavior on the network. Then, security teams must analyze that mountain of data to expose signs of compromise.

Security information and event management (SIEM) tools are great for data centralization, but have struggled with the analytics layer—making sense of the data mountain. This has led to the explosion of user behavior analytics (UBA), which impacts attacker dwell time via intelligent detections and faster investigations. By first building a baseline of normal user behavior across the network, and then matching new actions against a combination of machine learning and statistical algorithms, UBA exposes threats without relying on signatures or threat intelligence. If you’re investing in user monitoring as a facet of your program, here are suggestions—two tech, two human—to maximize your impact.

Comprehensively Collect Data

For a complete picture of user behavior, you need visibility both on and off the corporate network. Traveling employees, remote workers, and cloud services are under your purview, meaning that your user behavior analytics needs to cover that, too. This can include analyzing endpoint authentications and behavior and matching it against user activity from Office 365 or Google Apps. If you’re only collecting logs from headquarters or critical assets, you’ll have glaring blind spots and fewer opportunities to identify an ongoing attack.
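The two paragraphs above describe the core of UBA: build a baseline of normal behaviour per user from merged sources (endpoint or VPN authentications alongside cloud sign-ins), then score new events statistically against it. The following is an added example written for this page, not Rapid7’s or InsightIDR’s code. It assumes a constructed log format (source, user, ISO timestamp, country, result) and uses two simple features, the countries a user has been seen in and the mean and standard deviation of the user’s login hour; the sample log lines are constructed.

```python
"""Toy user-behaviour baseline: learn normal login hours and countries per user
from historical authentication events, then score new events against them."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs (not real data). Two sources are merged so that VPN
# authentications and cloud-mail sign-ins are baselined together per user.
# Field order: source, user, ISO-8601 timestamp, country, result
BASELINE_LOGS = """\
vpn,alice,2018-01-08T08:55:00,US,success
vpn,alice,2018-01-09T09:10:00,US,success
o365,alice,2018-01-09T09:12:00,US,success
vpn,alice,2018-01-10T08:40:00,US,success
o365,alice,2018-01-11T10:05:00,US,success
vpn,alice,2018-01-12T09:30:00,US,success
o365,bob,2018-01-08T14:00:00,DE,success
vpn,bob,2018-01-09T13:45:00,DE,success
o365,bob,2018-01-10T15:20:00,DE,success
vpn,bob,2018-01-11T14:10:00,DE,success
"""

NEW_LOGS = """\
o365,alice,2018-02-01T09:05:00,US,success
o365,alice,2018-02-01T03:12:00,RO,success
vpn,bob,2018-02-01T14:30:00,DE,success
"""


def parse(log_text):
    """Turn the constructed CSV-style lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        source, user, ts, country, result = line.split(",")
        events.append({"source": source, "user": user,
                       "time": datetime.fromisoformat(ts),
                       "country": country, "result": result})
    return events


def _hour(event):
    return event["time"].hour + event["time"].minute / 60


def build_baseline(events):
    """Per user: the set of countries seen and the mean/stddev of login hour."""
    hours, countries = defaultdict(list), defaultdict(set)
    for e in events:
        if e["result"] != "success":   # only successful logins define "normal"
            continue
        hours[e["user"]].append(_hour(e))
        countries[e["user"]].add(e["country"])
    baseline = {}
    for user, h in hours.items():
        baseline[user] = {
            "countries": countries[user],
            "hour_mean": mean(h),
            # Floor the spread so a very regular user does not get a near-zero
            # stddev that would flag a few minutes of drift as anomalous.
            "hour_std": max(pstdev(h), 0.5),
        }
    return baseline


def score_event(event, baseline, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline ([] if none)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"unseen country {event['country']}")
    z = abs(_hour(event) - profile["hour_mean"]) / profile["hour_std"]
    if z > z_threshold:
        reasons.append(f"login hour {_hour(event):.1f} is {z:.1f} sigma from normal")
    return reasons


def detect(baseline_text, new_text):
    """Baseline on historical logs, then score each new event."""
    baseline = build_baseline(parse(baseline_text))
    return [(e["user"], e["time"].isoformat(), score_event(e, baseline))
            for e in parse(new_text)]


if __name__ == "__main__":
    for user, when, reasons in detect(BASELINE_LOGS, NEW_LOGS):
        print(user, when, "ALERT " + "; ".join(reasons) if reasons else "normal")
```

In the sample, alice’s 09:05 sign-in from her usual country scores as normal, while the 03:12 sign-in from a country never seen for her trips both checks. Treating hours linearly is adequate for daytime baselines like these; a user who legitimately works across midnight needs a circular measure of time-of-day.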

Devote Cycles to the Technology

Today’s leading SIEM technologies come with user behavior analytics, making it no longer just for investigations and compliance—it can identify real-time risk across users and assets. To get the most out of your user monitoring, you need two types of skillsets: data management and incident response. The right data feeds must be properly centralized, and your team needs to take action on the output.

This is a challenge when the entire industry is clamoring for talent; in response, Managed Detection and Response (MDR) services are quickly rising in popularity. Should you want to tackle incident response in-house, consider a SaaS SIEM or co-managed model. Otherwise, consider an MDR service that both brings security expertise and can help you check the compliance box for log management.

Be Transparent with the Company

Security teams get a bad rap as the “team that says no”. For employees, rolling out user monitoring can feel like an Orwellian mask layered over shadowy operations. Flipping that on its head, UBA can be a great opportunity to share the threat landscape we live in today.

All employees must be vigilant about their credentials: 81% of confirmed breaches involve the misuse of stolen or weak credentials. If an attacker successfully phishes an Office 365 login, they can view that employee’s mailbox, send super-credible phishing mails, and try for a VPN certificate for internal network access—all without malware.

Sharing how user behavior analytics can help detect the use of stolen or misused credentials—and will only be used to detect compromise—can help everyone see through the same lens. Our employees should always be the most reliable sources of truth.

Share Successes

Security savants don’t get a lot of the company spotlight. Similar to IT, security often comes to mind only when something is amiss. User behavior analytics can shift that dynamic, as it gives your team the opportunity to improve security posture, and help with employee awareness. This includes identifying risk across credentials and configurations, which can range from unknown admins and running processes to non-expiring passwords. If you’re able to identify and coordinate with IT on fixes, it’s a great story—share both progress and how an attacker could have taken next steps.

Perhaps the best benefit of user behavior analytics is that it can give you room to breathe. Instead of being plagued by endless alerts and scattered investigations, you’ll have the chance to execute a long-term security strategy. We walked through a few suggestions—if you’re able to build mutual trust with employees and have teams see through the same lens, you won’t just be monitoring users; you’ll be understanding normal. And security isn’t about the obviously bad. It’s about the barely abnormal.

About the author: Eric Sun is the Solutions Manager for Incident Detection & Response at Rapid7. Their UBA-powered SIEM, InsightIDR, was named a Visionary in the Gartner 2017 Magic Quadrant for Security Information and Event Management (SIEM).

Copyright 2010 Respective Author at Infosec Island
EDR for Everyone Is about Fighting Alert Fatigue
Wed, 21 Feb 2018 04:16:58 -0600

Endpoint detection and response solutions (EDR) are predicted to become a key security technology by 2020, with 80 percent of large organizations, 25 percent of midsize organizations, and 10 percent of small organizations investing in them. Demand for incident response tools that offer early visibility into advanced threats will fuel the EDR market growth, with expectations of a CAGR of 45.27 percent from 2015 through 2020.

The EDR market is already booming, having grown from $238 million in 2015 revenue to about $500 million in 2016. By 2020, it’s going to be a billion-dollar market and could even match the $3.2 billion (2015) endpoint protection platform (EPP) market.

Despite the rapid growth in the EDR market, these preventative controls are still out of the reach of mid-size and small organizations. As EDR requires dedicated security operations center (SOC) teams to manually investigate alerts, the high cost barrier is something that only large organizations can currently overcome. Or is it?

Fighting Alert Fatigue

EDR solutions have emerged from the premise that it’s impossible to prevent all threats, meaning their purpose is to minimize dwell time of an infection while also reducing the amount of damage it can cause. However, managing the number of security alerts for potential threats can be overwhelming for any under-resourced IT team. Because of that, investigation decisions may end up being either ill-informed or based on summary judgements. This broad strokes approach can lead to full network compromise, especially if traditional EDR is not properly managed or used to its full potential.

Since EDR agents often come installed on top of existing EPP agents and other security technologies, such as SIEM, IDS and IPS, security teams are often bombarded with up to tens of thousands of alerts coming from multiple security consoles, making prioritization nearly impossible. Instead of increasing visibility and raising the overall security posture of the organization, this fragmentation and segregation of security consoles only makes security more cumbersome.

EDR should be about having a single agent and a single management console, and only focusing on really important security events, instead of spreading human resources thin. After all, EDR should enable your security “SWAT team” to focus on truly important tasks, and not just chase ghosts and put out fires.
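
The two paragraphs above make a concrete operational point: the same event reported by an EPP agent, an EDR agent and a SIEM becomes three alerts in three consoles, and nothing ranks them. The following is an added example of the consolidation step, not code from the article or from any EDR, EPP or SIEM product; the alerts, the source and field names, the `priority`-to-score mapping and the bonus weights are all constructed.

```python
"""Folding alerts from several security consoles into one ranked queue.

Added example; it is not code from the article or from any EDR, EPP or SIEM
product. It demonstrates the triage the text argues for: alerts arriving with
three different schemas are normalised, duplicates that describe the same host
and indicator are merged, and the merged items are scored so the analyst
starts at the top instead of at three consoles. Alerts, source names, field
names and the scoring weights are all constructed for the example.
"""
from collections import defaultdict

# Constructed raw alerts; each console reports the same thing in its own vocabulary.
RAW_ALERTS = [
    {"src": "epp",  "hostname": "ws-017", "sha256": "<hash-A>", "level": "high", "what": "trojan.generic"},
    {"src": "edr",  "host": "ws-017", "ioc": "<hash-A>", "severity": 80, "desc": "suspicious child of winword.exe"},
    {"src": "siem", "asset": "ws-017", "indicator": "<hash-A>", "priority": 3, "rule": "EPP detection forwarded"},
    {"src": "siem", "asset": "srv-db-01", "indicator": "10.9.9.9", "priority": 1, "rule": "port scan from internal host"},
    {"src": "edr",  "host": "ws-042", "ioc": "<hash-B>", "severity": 20, "desc": "new scheduled task"},
    {"src": "epp",  "hostname": "ws-042", "sha256": "<hash-B>", "level": "low", "what": "pua.toolbar"},
]

# Assets whose compromise matters more than a workstation (constructed).
CRITICAL_ASSETS = {"srv-db-01"}

EPP_LEVELS = {"low": 25, "medium": 50, "high": 90}


def normalise(alert):
    """Map one console's record to a common shape with a 0-100 score."""
    src = alert["src"]
    if src == "epp":
        return {"source": src, "host": alert["hostname"], "indicator": alert["sha256"],
                "score": EPP_LEVELS[alert["level"]], "summary": alert["what"]}
    if src == "edr":  # the EDR feed already reports 0-100
        return {"source": src, "host": alert["host"], "indicator": alert["ioc"],
                "score": alert["severity"], "summary": alert["desc"]}
    if src == "siem":  # SIEM priority runs 1 (lowest) to 5 (highest)
        return {"source": src, "host": alert["asset"], "indicator": alert["indicator"],
                "score": alert["priority"] * 20, "summary": alert["rule"]}
    raise ValueError(f"unknown alert source {src!r}")


def triage(raw_alerts, critical_assets, corroboration_bonus=10, critical_bonus=15):
    """Merge alerts about the same (host, indicator) and rank the result.

    Score = highest score any console gave it, plus a bonus for every extra
    console that independently flagged it, plus a bonus on critical assets,
    capped at 100.
    """
    groups = defaultdict(list)
    for raw in raw_alerts:
        item = normalise(raw)
        groups[(item["host"], item["indicator"])].append(item)

    queue = []
    for (host, indicator), items in groups.items():
        sources = sorted({i["source"] for i in items})
        score = max(i["score"] for i in items) + corroboration_bonus * (len(sources) - 1)
        if host in critical_assets:
            score += critical_bonus
        queue.append({"host": host, "indicator": indicator, "score": min(score, 100),
                      "sources": sources, "summaries": [i["summary"] for i in items]})
    # Highest score first; ties broken by host name so the order is deterministic.
    queue.sort(key=lambda q: (-q["score"], q["host"]))
    return queue


if __name__ == "__main__":
    for entry in triage(RAW_ALERTS, CRITICAL_ASSETS):
        print(f"{entry['score']:3d} {entry['host']:10s} {entry['indicator']:10s} {'+'.join(entry['sources'])}")
```

Six raw alerts collapse to three queue entries. The workstation flagged by all three consoles lands at the top at the cap of 100, while the low-severity scheduled task and the port scan tie at 35, the port scan only reaching that because it touches a critical asset. The corroboration bonus is the piece worth keeping whatever weights you choose: independent agreement between consoles is a stronger signal than any one console's severity.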

EDR for Everyone

Advanced threat hunting capabilities enabled by EDR agents require alert prioritization and manual investigation by dedicated teams, something that drives costs up beyond the initial purchasing and deployment price. The key to having an EDR solution for everyone lies in detecting advanced attacks using built-in intelligence in the endpoint agent. This lets admins focus solely on specific elusive and advanced threats that have crossed the other layers of prevention, and prevents them from wasting time on false positives. This enhanced security operation enables automated triage of truly important security events, and doesn’t require a full-time dedicated team of security specialists to investigate each and every event or anomaly.

Incident visualization and investigation are also greatly simplified, as detected elusive threats are presented in a comprehensive fashion, with all contextually relevant information, so that the admins can assess the impact of the threat in seconds. This directly translates into swift incident response tactics that enable admins to use surgical precision to remediate the elusive threat by deleting or quarantining it, containing spread.

This type of evolved prevention, which even comes with the ability to fine-tune the protection level of controls from incident response workflows, helps reduce incident response costs by focusing on truly significant alerts. Unlike traditional EDR, which is usually noisy and overburdens already under-resourced IT teams, a smart EDR solution designed to bring the same early detection capabilities but with pinpoint accuracy is within the reach of any organization, regardless of size, vertical, or IT team size.

It’s the Last 1 Percent of Attacks You Should Worry About

Layered security solutions are doing a great job at detecting, preventing and mitigating close to 99 percent of all threats. However, the last 1 percent – or less – are usually the type of sophisticated attack that flies under the radar. The final frontier in cybersecurity involves having the capability of accurately identifying these elusive threats.

The value of EDR for everyone should lie in its ability to fully integrate with your EPP solution, while enabling IT admins to have a holistic view of the security status of the entire infrastructure. This last 1 percent of attacks is not only elusive, but the attacks can also hide behind background noise generated by trivial security incidents, which is why IT admins need the ability to focus on real dangers and problems by preventing, investigating, detecting, and responding to advanced threats effectively and promptly.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Researchers Detail Linux-Based “Chaos” Backdoor
Tue, 20 Feb 2018 09:47:36 -0600

A Linux-targeting backdoor observed in live attacks in June last year was recently found to have been part of an older rootkit, GoSecure researchers reveal.

In a recent report detailing the threat, the security researchers explain that the backdoor was designed to spawn a fully encrypted and integrity checked reverse shell. Dubbed Chaos, the backdoor appears to have originally been part of the ‘sebd’ rootkit that emerged in 2013.

In the observed attack, the malware’s operator penetrated the targeted system by brute-forcing SSH credentials. The assault was launched from two IPs known to be part of the TOR network, the security researchers explain.

The attacker then disabled the logging history, checked the SSHD binary, and searched the system for certain files that would indicate that other malware had already infected the machine. These files are normally used by patched SSHDs to log stolen SSH credentials.

To finalize the infection, the attacker would then download and install the payload. A .tar archive containing two ELF executables (Chaos and Client) and two shell scripts (initrunlevels and install) and masquerading as a .jpg file would be fetched from a remote server.

While the Chaos executable in the archive is the backdoor itself, the Client executable is responsible for connecting to the installed backdoor. The install script would copy initrunlevels to /etc/init.d, thus ensuring it is executed at each system start.

The initrunlevels script was designed to open port 8338, check if certain files exist, and copy them to the paths it checked for. The script also copies the Client to /usr/include/cli.h and Chaos to /usr/include/stabd.h and /usr/sbin/smdb, to create backups of both of them.

As part of the attack, additional files were dropped and executed on the monitored system to make it part of an IRC botnet, the security researchers say.

Chaos first opens a raw TCP socket and monitors for a specific string in incoming packets on all open ports. When the string is identified, the malware connects back to the client listening on TCP port 8338. Next, the two exchange key material to derive two AES keys (which are used for sending and receiving data) and verify that the key negotiation was successful.
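
The file paths and the port number in the paragraphs above are the host-level indicators a defender can act on. The following is an added example of a sweep for them, written here to illustrate the write-up; it is not the researchers' tooling and contains none of the malware's code. It checks the four paths named above and parses `/proc/net/tcp` for a listener on port 8338. The `/proc/net/tcp` excerpt embedded in the block is constructed, and the `exists` parameter is an assumption of this example that lets the file check run against a mounted disk image or a test tree instead of the live root.

```python
"""Host-side sweep for the on-disk and socket indicators GoSecure attributes to Chaos.

Added example; it is not the researchers' tooling or the malware's code. It
checks the file paths named in the write-up and looks for a TCP listener on
port 8338 by parsing /proc/net/tcp. The /proc sample below is constructed;
the `exists` parameter lets the file check run against a mounted image or a
test tree instead of the live root.
"""
import os

# Paths the article says the install and initrunlevels scripts create.
CHAOS_PATHS = [
    "/etc/init.d/initrunlevels",
    "/usr/include/cli.h",
    "/usr/include/stabd.h",
    "/usr/sbin/smdb",
]
CHAOS_PORT = 8338

# Constructed /proc/net/tcp excerpt: sshd listening on 22, a listener on 8338 (0x2092),
# and one established connection that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
TCP_LISTEN = "0A"  # kernel socket state code for LISTEN


def sweep_files(root="/", exists=os.path.exists):
    """Return the indicator paths present under `root`.

    The root is prefixed verbatim, so a disk image mounted at /mnt/img is
    checked the same way as the live filesystem.
    """
    root = root.rstrip("/")
    return [p for p in CHAOS_PATHS if exists(root + p)]


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp (or tcp6) text; return the set of local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex after the colon
    return ports


def chaos_indicators(root="/", proc_net_tcp_text=None, exists=os.path.exists):
    """Combine both checks into a list of human-readable indicator strings."""
    hits = [f"file present: {p}" for p in sweep_files(root, exists)]
    if proc_net_tcp_text is None and root == "/" and os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            proc_net_tcp_text = fh.read()
    if proc_net_tcp_text and CHAOS_PORT in listening_ports(proc_net_tcp_text):
        hits.append(f"tcp listener on port {CHAOS_PORT}")
    return hits


if __name__ == "__main__":
    # Live run against this host; a clean machine prints nothing.
    for hit in chaos_indicators():
        print(hit)
```

Two caveats a practitioner would add: file names and a port are the weakest class of indicator, since a rebuilt sample can change both, and the raw-socket trigger the article describes leaves no listening TCP port at all, so an empty result from this sweep is not evidence of a clean host. The sweep is a cheap first pass across a fleet, not a substitute for memory or network analysis.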

By using a raw socket, Chaos can bypass firewalls, as it can be triggered on ports running an existing legitimate service, the researchers point out.

The communication packets transmitted by the backdoor are not only encrypted but also checked for integrity using an HMAC.

The backdoor was previously part of the ‘sebd’ rootkit that first appeared in 2013, but became public after its source code was allegedly caught by a honeypot and the operator decided to release the source code on a forum to make it available for script kiddies.

The backdoor has a low infection rate, with most of its victims apparently located in the United States (the researchers performed an Internet-wide scan using the handshake extracted from the client in order to assess the spread of the malware).

“The Chaos backdoor is pretty interesting as it uses a stealthy raw socket to spawn a reverse-shell with full network encryption and integrity checks. However, the backdoor’s encryption can easily be broken if the pre-shared key is known, as it is transmitted in clear text,” GoSecure notes.

The researchers also point out that the opening of port 8338 for incoming packets suggests the attackers want to use the client binary on the infected machine. According to them, the compromised systems would be used as proxies to conduct further criminal actions, potentially crossing network boundaries in the process.


Large Crypto-Mining Operation Targeting Jenkins CI Servers
Tue, 20 Feb 2018 09:45:28 -0600

A large malicious crypto-mining operation has recently started targeting the powerful Jenkins CI server, Check Point security researchers have discovered.

Dubbed JenkinsMiner, the attack attempts to exploit the CVE-2017-1000353 vulnerability in the Jenkins Java deserialization implementation and to install a mining application designed to mine for the Monero crypto-currency.

The actor behind this campaign is allegedly of Chinese origin and was previously observed targeting many Windows versions to maliciously install the XMRig miner on them. This has allowed it to already secure over $3 million worth of Monero.

However, it appears that the actor has decided to expand its operation to the Jenkins CI server, which allows it to generate even more coins. Because of that, the attack has the potential to become the largest malicious crypto-mining campaign ever, Check Point says.

Like the recently detailed RubyMiner attack, JenkinsMiner can prove highly lucrative, but it could also have a negative impact on the compromised servers. Once a resource becomes infected with a crypto-miner, sluggish performance and even denial of service (DoS) are to be expected.

The attack is targeting a critical vulnerability in Jenkins, the most popular open source automation server, with over 133,000 installations globally. The security flaw stems from a lack of validation of the serialized object, so any serialized object is accepted.

The bug was addressed in early 2017 with the release of Jenkins 2.57 and 2.46.2 (LTS), but any unpatched system remains vulnerable to the attack.

As part of the newly discovered attack, two consecutive requests are sent to the CLI interface. The second request, matched by the session header, contains two main objects: the Capability object to inform the server of the client capabilities, and the Command object with the Monero miner payload.

The injected code includes a hidden PowerShell initiation to allow the script to run in the background, a variable (using case-sensitive diversion) to attempt to evade security products, a command to download the miner from the attacker’s server, and a start command to execute the miner.
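
Since the article's remediation is the version line (2.57, or 2.46.2 on the LTS line), the first thing to know about each Jenkins instance is which side of that line it sits on. The following is an added example, not Check Point's code and not the Jenkins project's; it reads the version from the `X-Jenkins` response header that Jenkins sends, tells the two-component weekly line from the three-component LTS line, and compares against the fixed versions named above. The header sets and host names are constructed.

```python
"""Deciding whether a Jenkins instance predates the CVE-2017-1000353 fix.

Added example, not Check Point's or the Jenkins project's code. It reads the
version Jenkins advertises in its X-Jenkins response header, tells the weekly
line (two components, e.g. 2.57) from the LTS line (three components, e.g.
2.46.2), and compares against the fixed releases named in the article:
2.57 and 2.46.2 (LTS). The header sets below are constructed.
"""
from itertools import takewhile

# Fixed releases from the article; weekly and LTS lines are versioned separately.
FIXED_WEEKLY = (2, 57)
FIXED_LTS = (2, 46, 2)

# Constructed response headers from four hypothetical servers.
SAMPLE_RESPONSES = {
    "build-old": {"Server": "Jetty(9.2.z-SNAPSHOT)", "X-Jenkins": "2.32.3"},
    "build-weekly": {"x-jenkins": "2.56"},
    "build-lts": {"X-Jenkins": "2.60.1"},
    "not-jenkins": {"Server": "nginx"},
}


def parse_version(text):
    """'2.46.2' -> (2, 46, 2); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def release_line(version):
    """LTS releases carry three numeric components; weekly releases carry two."""
    return "lts" if len(version) >= 3 else "weekly"


def is_vulnerable(version_text):
    """True when the version is older than the fix on its own release line.

    Anything older than the 2.x fixes, including 1.x releases, compares as
    vulnerable, which matches the article's 'any unpatched system'."""
    v = parse_version(version_text)
    if not v:
        raise ValueError(f"unparseable version {version_text!r}")
    fixed = FIXED_LTS if release_line(v) == "lts" else FIXED_WEEKLY
    return v < fixed


def version_from_headers(headers):
    """HTTP header names are case-insensitive; return the advertised version or None."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers):
    """Summarise one server as {'version', 'line', 'vulnerable'}, or None if not Jenkins."""
    version = version_from_headers(headers)
    if version is None:
        return None
    return {"version": version,
            "line": release_line(parse_version(version)),
            "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        print(host, assess(headers))
```

The line distinction matters because a naive numeric comparison would call LTS 2.46.2 "older" than weekly 2.56 and miss that it already carries the fix. The check is only as good as the header: an instance behind a proxy that strips `X-Jenkins` returns `None` here and needs to be inventoried another way.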

Over the past months, the campaign was observed targeting victims all around the world with a mixture of malware that also included a Remote Access Trojan (RAT) in addition to the XMRig miner.

“The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed,” Check Point reports.

Because the campaign’s operator only appears to be using a single wallet for all deposits and does not change it from one attack to the next, the security researchers determined that they managed to mine $3 million to date. Other than that, the attack is “well operated and maintained, and many mining-pools are used to collect the profits out of the infected machines,” the researchers note.


Three Ways to Take Home the Gold When It Comes to Cybersecurity at the Olympics
Fri, 16 Feb 2018 09:50:00 -0600

The Winter Olympics have officially kicked off in Pyeongchang, South Korea – where the best athletes from around the world showcase their talents and vie for Gold as they represent their countries on the world stage. Although sometimes overlooked, the Olympic Games – and other high-profile events – become ground zero for another global talent race: cybercrime.

The Olympics are a massive undertaking – requiring additional help to be recruited to make sure the host-city is able to accommodate all of the athletes and attendees, under a tight timeline (i.e. building and maintaining the Olympic Village, stadiums, public transportation and lodging). Additional help is also required of the organizations who are broadcasting, sponsoring and advertising the Games. These professionals are not necessarily security experts, which attackers are both aware of and ready to take advantage of.

With the threat landscape and complexity of attacks continually increasing, here are the top three ways to go for the gold when it comes to getting you, your organization and your customers cyber-secure for the Olympic Games:

1) Put a Training Timeline in Place

Just as the cyclical nature of the Olympic Games presents a timeline for malicious actors to design their attacks around, it provides host-city organizations, attending organizations, and participating organizations a two-year timeline to develop threat intelligence. Organizations should be utilizing this timeline to their advantage: it gives them the (rare) opportunity to prepare for attack.

It’s best to put a timeline in place to plan ahead and actually train for the likely attack scenarios, as well as preparing a response strategy in anticipation of when the unexpected happens. This two-year timeline leaves no excuse for putting cyber defenders in a position where they experience their first cyberattack scenario when it happens in real life – requiring them to combat aggressive attackers under pressure (and manage it effectively). Instead, take advantage of the time in between each event to provide cyber defenders with real-life training scenarios, so they can be properly prepared for combat. Tokyo is following this best practice and is already providing hands-on simulated training for cybersecurity professionals and citizens in preparation for the 2020 Tokyo Olympic and Paralympic games.

2) Evaluate and Identify Your Attack Surface

It’s important to realize that cybercrime is not getting smaller, as the attack surface continues to morph and grow. Therefore, it is critical to determine your own attack surface (which directly relates to your engagement level) – and then ensure that this surface is protected.

The first important step towards assessing your attack surface is identifying the likely targets for the events in question. This will most likely depend on where your engagement with the event exists. Are you a sponsor, are you engaging in business at the event with potential customers at risk, or did you send employees? Individuals often overlook that major events are a major risk – even if the individual isn’t officially participating themselves. Why? The individual could still have high-value internal resources or employees that will be engaged or participate with the event. For example, is one of your C-level executives going to be at the Olympics in South Korea? What preparation have you done to insulate that asset from potential threats at the event – whether they be physical or cyber? It’s time to think ahead and be on the offensive side of the equation.

3) Implement Training at the Individual Level Based on Attack Surface

Depending on the size of your attack surface, here are recommended, proactive approaches to ensure protection during future Olympic Games:

Hold a security training class for all employees planning to attend the Olympic Games

Educate attendees about the vulnerabilities associated with the Olympic Village and Stadiums. It will be important to explain that malicious actors are rethinking their approach to cyberattacks and how they execute on them. Thinking about the current trends in cybersecurity – here are two areas to focus on with attendees: 1) identify where IT links to OT or IoT within Olympic sites, and 2) beware of phishing scams and entering through the least protected link.

Secure your CEO

40 percent of organizations believe that C-level executives are the greatest risk to their organization being hacked. Furthermore, C-level executives are the most at-risk of cyberattacks when working outside the office – with airports, hotels and airplanes among the riskiest venues. If your CEO or members of your C-Suite are attending the event, hold a training seminar before they depart for the event to educate them about the threats associated with attending the Games – from “Checking-in” to the host city on social media to connecting to unsecured Wi-Fi during their travel and stay. In addition, pull together a one-pager with security tips and official sites for them to reference while they are abroad.

Educate all employees/customers of the vulnerabilities associated with digitally engaging with the Olympic Games

Make sure your employees and customers are aware of all of the phishing and malware campaigns associated with digitally engaging with the Games. With the Games happening overseas, it is imperative that they know the signs and can differentiate what is safe and what is not. This applies to joining social media conversations around the events, purchasing merchandise, or even streaming content from their devices.

The Takeaway

Start planning now for the events on the horizon; hopefully you thought ahead for Pyeongchang – but remember Tokyo 2020 isn’t that far away. Plan, train, evolve from tabletop exercises to cyber simulators, educate your employees on the threats and have a plan for response. At the end of the day, athletes don’t win because they just show up – they win because of the rigorous training, planning, and relentless execution that comes from true focus on the objective. For this month’s Games and all that come after, we need to become World Class Cyber Athletes.

About the author: Ben Carr is the VP of Strategy at Cyberbit. Ben is an information security and risk executive and thought leader with more than 20 years of results-driven experience in developing and executing long-term security strategies.

SAP Cyber Threat Intelligence Report – February 2018
Fri, 16 Feb 2018 09:29:00 -0600

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

  • The second set of SAP Security Notes in 2018 consists of 26 patches with the majority of them rated medium.
  • Missing authorization check is the most common vulnerability type this month, again.

SAP Security Notes – February 2018

SAP has released the monthly critical patch update for February 2018. This patch update closes 26 SAP Security Notes (14 SAP Security Patch Day Notes and 12 Support Package Notes). 7 of all the patches are updates to previously released Security Notes.

14 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Five of the released SAP Security Notes received a High priority rating, two were assessed at Low, and 19 fixes were rated medium.

SAP Security Notes Distribution by Priority (September 2017-February 2018)

The most common vulnerability type is Missing authorization check.

SAP Security Notes Distribution by Vulnerability Types – February 2018

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, three critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov were closed.

You can find their details below.

  • A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3, CVE-2018-2368). The update is available in SAP Security Note 2565622. An attacker can use a missing authorization check vulnerability to access a service without passing any authorization procedure and to use service functionality that should be restricted. This can lead to information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6, CVE-2018-2380). The update is available in SAP Security Note 2547431. An attacker can use directory traversal to access arbitrary files and directories in the SAP server's file system, including application source code, configuration and system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3, CVE-2018-2369). The update is available in SAP Security Note 2572940. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps in learning about a system and planning other attacks.

Critical issues closed by SAP Security Notes in February

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2525222: SAP Internet Graphics Server (IGS) has multiple security vulnerabilities (CVSS Base Score: 8.3; Unrestricted File Upload: CVE-2018-2395; DoS: CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384; XXE: CVE-2018-2393, CVE-2018-2392; Log Injection: CVE-2018-2389; Information Disclosure: CVE-2018-2382, CVE-2018-2387). Depending on the vulnerability, an attacker can use a denial of service flaw to terminate a process of the vulnerable component, during which time nobody can use the service, with negative consequences for business processes, system downtime and business reputation; or use an XML external entity flaw to send specially crafted unauthorized XML requests that the XML parser will process, which can give unauthorised access to the OS file system; or use other vectors. Install this SAP Security Note to prevent these risks.
  • 2589129: SAP HANA Extended Application Services has multiple security vulnerabilities (CVSS Base Score: 7.1; CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372, CVE-2018-2373). An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps in learning about a system and planning other attacks. Install this SAP Security Note to prevent these risks.
  • 2562089: SAP ABAP File Interface has a Directory Traversal vulnerability (CVSS Base Score: 6.6, CVE-2018-2367). An attacker can use directory traversal to access arbitrary files and directories in the SAP server's file system, including application source code, configuration and system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks.
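
Directory traversal appears twice in this month's list (SAP Internet Sales above, and the ABAP File Interface here). The following is an added example of the vulnerability class and its fix in generic terms; it is not SAP code and says nothing about how either product is built. The unsafe join that lets `..` climb out of the intended directory sits beside a guard that resolves the path and refuses anything outside the base. The export directory name is constructed.

```python
"""Directory traversal: the unsafe join beside a guarded one.

Added example illustrating the vulnerability class behind the two directory
traversal items in this report; it is generic Python, not SAP code, and the
export directory below is constructed.
"""
import os

EXPORT_ROOT = "/srv/app/export"  # constructed base directory for downloadable files


def unsafe_path(base, user_supplied):
    """The bug: trusting the caller's relative path lets '..' climb out of base."""
    return os.path.join(base, user_supplied)


def safe_path(base, user_supplied):
    """Resolve '..' and symlinks, then refuse anything that is not inside base.

    commonpath (not startswith) is used so that a sibling directory whose name
    merely begins with the base, e.g. /srv/app/export2, is also rejected.
    """
    if "\x00" in user_supplied:
        raise ValueError("NUL byte in path")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_supplied))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes {base}: {user_supplied!r}")
    return target


def is_contained(base, user_supplied):
    """Convenience wrapper: True if safe_path would accept the request."""
    try:
        safe_path(base, user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in ["reports/q1.csv", "reports/../q2.csv", "../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r:22} unsafe -> {unsafe_path(EXPORT_ROOT, req)}  guarded: {is_contained(EXPORT_ROOT, req)}")
```

Two details are easy to get wrong: an absolute user path makes `os.path.join` discard the base entirely, which is why the guard joins first and checks afterwards, and `..` that stays inside the base (`reports/../q2.csv`) is legitimate and is accepted, so the check is on the resolved location, not on the presence of dots.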

Advisories for these SAP vulnerabilities with technical details will be available in three months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

The Only Gold Russia Can Win at the Winter Olympics Is for Cyber-Hacking
Fri, 09 Feb 2018 09:52:00 -0600

Russia has already come out swinging against the IOC and WADA in attempted retaliation for being banned from the 2018 Olympics. Unfortunately, their old tricks appear to be decreasing in effectiveness. Each time Russia leaks information in connection to doping commissions, it garners less news attention and is increasingly being viewed as a failed operation.

Stumbling into the games makes Russia the most unpredictable threat actor vying for the title of “most disruptive to the Olympic games” this year. Other major contenders? Non-state actors and organized crime groups. Absent from this list, despite popular opinion, is who many view as the heavy favorite going into 2018, North Korea.

Likely to win Bronze: Your second runner-up this year is likely to be organized crime. In the past decade or so they have made a consistent appearance with fraud and scams going after the visitors to the games. This year has the potential for them to expand their operations into match fixing, due to the increased reliance on electronic measurements to determine winners. This year's judging scandal might be centered around a hacked timer rather than judges from Old Europe.

Reaching for the Silver: The safe money is on non-state actors (hacktivists, cyberterrorists, and fame seekers) to be the cause of the largest cyber disruptions to the games. They usually use large global events as a springboard for their agendas and are unusually hard to predict and model because of the relative obscurity of most of these actors. Having the element of surprise, a swashbuckling attitude, and a successful outcome being defined as any disruption, makes these actors the hardest to stop and generally the most prolific.

And the outside contender for Gold: We have the wild card, Russia. They have the technical sophistication to outperform these other two groups, but the question is: is their heart really in the competition? The declining effectiveness of doxing, combined with recurring punishments, could push the Kremlin to up its game. They have proven a willingness to unleash destructive malware in multiple countries for multiple reasons. Even if they just repackaged the self-propagating principles of the NotPetya attack with the payload concepts of the TV5Monde attack, they would have the capability to shut down the broadcast of the games. If they decide that the Olympics is no longer a neutral arbiter of friendly competition but rather a politicized organization dominated by anti-Russian sentiments, Moscow could very well debut a few cyber tricks never before seen.

Who’s not taking home any honors? Noticeably absent from this list is North Korea. Cyber threats from groups linked to North Korea have been in the news practically every month in the run up to the games, so if anyone has a shot of pulling off something spectacular it was this group of well-funded and motivated actors. Fortunately for the South Korean defenders they appear to have withdrawn themselves from contention. Kim Jong Un’s strategy of rapprochement means that if negotiations are going where he wants them to, the DPRK cyber menace is likely in standby mode. South Korea, by sacrificing part of its women’s hockey team, made the overall games significantly safer.

Will South Korea prevent any of these threat groups from gaining the notoriety they seek? The country’s capability to deal with these types of intrusions far exceeds that of Brazil during the 2016 Rio games. From a vulnerability and defensive capabilities standpoint, the overall cyber interruption to the 2018 Winter Olympics should be low compared to previous games.

However, given the onslaught of high caliber tools and exploits released over the last year, the ability of the security teams to keep up with all of the needed patches and other security controls will still be a big challenge for South Korea and will be more difficult than in past years.

Like all good competitions, this one will likely be decided by which groups have focused more on the fundamentals. If South Korea has kept their house in order and focused on the fundamentals of network security, they stand a good chance of surviving the short duration of the Olympic games. If they have focused too much on elaborate concepts and advanced skills at the detriment of those fundamentals, they stand a strong chance of falling short when the real games begin.

About the author: Ross is the Senior Director for Intelligence Services at Cybereason. Before joining Cybereason in 2016, he served as a Technical Lead and Cyber Lead for the United States Department of Defense.

Think GDPR Won’t Affect Your U.S. Company? Guess Again
Wed, 07 Feb 2018 04:55:00 -0600

When the EU General Data Protection Regulation (GDPR) deadline arrives in May, companies that handle information belonging to European Union residents will have to adhere to a strict new set of guidelines – regardless of whether the company is based within the EU or outside the 28 member countries.

This may be news for some: One in four U.S. cybersecurity professionals believe their firm won’t need to comply with GDPR, according to a recent survey. Organizations that fall under the GDPR mandate could be fined up to 4% of annual global turnover or €20 Million (whichever is greater) in the event of a breach. While this is a worst-case scenario, it should be enough to get the attention of most companies that do business with EU citizens.

Does your company need to comply?

It’s surprising that so many U.S. firms simply aren’t worried, as the GDPR represents a significant change in the way data must be handled.

An important change in the GDPR involves the geographic scope of this new law. To summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Second, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" – aka personally identifiable information (PII) -- as part of a marketing survey, for example, then the data would have to be protected GDPR-style.

What kinds of U.S.-based companies are likely to fall under the GDPR’s territorial scope?

U.S.-based hospitality, travel, software services and e-commerce companies will need to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized online content should review its web operations.

U.S. companies without a physical presence in an EU country typically collect most of the personal data belonging to EU data subjects over the web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR? Here’s where the scope of requirements becomes a little more complicated: The organization would have to target a data subject in an EU country. Generic marketing doesn’t count.

For example, a Dutch user who searches the web and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply. Accepting that country’s currency and using its domain suffix – say, a U.S. website that can be reached under a “.nl” domain from the Netherlands – would certainly seal the case.

Do your GDPR “homework”

The best offense is a good defense. Companies that can show they essentially “did their homework” in following the GDPR requirements – with the paperwork to back it up – will be better off in the event of a violation where fines are involved. When the Article 40 “Codes of Conduct” – which allow compliance with existing data security standards to count towards GDPR – are officially approved by the regulators, companies may receive “partial credit” for that compliance.

In short, Article 40 says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a controller then follows an officially approved “code of conduct”, this can dissuade the supervising authority from taking action, including issuing fines, as long as the standards group – for example, the PCI Security Standards Council – has its own monitoring mechanism to check on compliance.

While we'll have to wait for more guidance, the point is that EU regulators will eventually let companies leverage their efforts (and investments) in meeting standards such as PCI DSS or ISO 27001 for GDPR compliance.

Take stock of your data

The GDPR also mandates "data minimization" – not keeping data when it's no longer needed, or not even collecting it in the first place when it's not strictly necessary for a business function. Most companies already have a policy for deleting "stale" data, though they may not follow through by actually applying those policies. GDPR says that this IT practice is not just a good idea, but the law!

So companies that proactively automate the retention and disposition policies for their files will be better prepared for compliance – and they will also be better protected from insider threats and cyber attacks.

Unfortunately, many organizations have lost track of where their most sensitive information lives and who has access to it – over 70% of the folders we analyzed on corporate servers contained stale data, and almost half of the organizations had 1,000 files with PII, credit card credentials and other sensitive data on file servers accessible to everyone.

With just a few months left to go, 60% of cyber security professionals in the EU and 50% of respondents in the U.S. say they face some serious challenges in being compliant with the GDPR by the May deadline.

Organizations are running out of time to take stock of how exposed their data is to attack. Now is the time to reduce your risk profile by locking down sensitive data, removing users who no longer need access, and deleting or archiving stale data – and plan to maintain a least-privilege model to keep data secure.
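The audit those paragraphs call for, as an added example that is not part of the original article or Varonis's tooling: a Python script that walks a file share, flags files untouched for a year as stale, records whether each is readable by every account on the server, and uses a Luhn check so that only genuine card-number-looking digit runs are reported. The one-year threshold, the constructed sample tree and the use of the POSIX "other" read bit are assumptions.

```python
"""Audit a file share for stale files and exposed card data (constructed example)."""
import os
import re
import stat
import tempfile
import time

STALE_AFTER_DAYS = 365  # assumption: a file untouched for a year is "stale"
# 13-19 digit runs, optionally grouped by spaces or dashes, bounded by non-digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out ticket numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like payment card numbers and pass Luhn."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root: str, now: float = None) -> dict:
    """Walk root; map each stale or card-bearing file to what was found.
    world_readable is the POSIX 'other' read bit (readable by every account on
    the server); exposed_pii marks card data sitting in such a file."""
    now = time.time() if now is None else now
    cutoff = now - STALE_AFTER_DAYS * 86400
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            stale = st.st_mtime < cutoff
            world_readable = bool(st.st_mode & stat.S_IROTH)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    cards = find_card_numbers(fh.read(1_000_000))  # cap per file
            except OSError:
                cards = []
            if stale or cards:
                findings[path] = {"stale": stale, "world_readable": world_readable,
                                  "cards": cards,
                                  "exposed_pii": world_readable and bool(cards)}
    return findings


def demo_scan() -> dict:
    """Build a constructed sample share in a temp dir, scan it, key results by path."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="share-audit-")
    samples = {  # relative path: (content, age in days, mode)
        "hr/payroll_2015.csv": ("card 4111 1111 1111 1111 on file", 3 * 365, 0o644),
        "eng/notes.txt": ("ticket 1234 5678 9012 3456 closed", 10, 0o644),
        "finance/q4.txt": ("refund to 4111 1111 1111 1111", 10, 0o600),
    }
    for rel, (text, age_days, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        os.utime(path, (now - age_days * 86400,) * 2)
    return {os.path.relpath(f, root): v for f, v in scan_tree(root, now).items()}
```

Point `scan_tree` at a real share to get the same report; the three-year-old payroll file is the case to fix first, since it is both stale and readable by everyone.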

Ignorance is not bliss when it comes to the GDPR, and organizations that have fallen behind in their preparations must ramp up their compliance activities or they could take a serious financial hit once the regulations take effect. Start taking control now.

About the author: Ken Spinner joined Varonis in 2006 and leads all technical pre- and post-sales engineering activities for Varonis customers worldwide. Ken’s career spans 30 years with organizations ranging from startups to Fortune 500 industry leaders. Prior to Varonis, Ken held leadership and senior engineering roles at Neoteris, Netscreen, Juniper Networks, BlueCoat Systems and Merck.

Advancing the Usability of PKIs
Tue, 06 Feb 2018 09:48:46 -0600

Public Key Infrastructure (PKI) certificates have long served as the optimal method for securing the servers on the web and, increasingly, Internet of Things (IoT) devices. Deploying and updating PKIs used to be a largely manual process that required the time and attention of IT personnel. Today, there are tools that can automate those tasks, which makes securing the connections between networks, devices and their users simpler and more cost-effective.

Certificates can be used to encrypt data at rest. PKI also enables the authentication of users, systems, and devices without the need for tokens, password policies, or other cumbersome user-initiated factors. In mutual authentication scenarios, certificates uniquely identify devices, which enhances authorization and secures device-to-device communication. As a result, certificates ensure that any data or messages transferred cannot be altered.

The challenge for an enterprise becomes determining what exactly it’s trying to protect, particularly as more companies embrace the IoT trend. PKIs ensure that the basic security requirements for data confidentiality, data integrity, and data accessibility are properly configured for all devices.

That’s becoming more complex, and virtually impossible to perform via manual processes. Why? Because of the sheer number of devices that are coming online.

By 2020, over 25 billion devices will be connected to the Internet, and each one of those connections must be secure to mitigate risks and protect organizations and individuals from malicious attacks.

To give you a better sense of scale, consider that 10 years ago, Certificate Authorities issued approximately 10 million certificates that verify a digital entity’s identity on the Internet worldwide. Today, just one company may request 10 million certificates for its realm of devices and services. That’s where the math starts to get complicated.

After all, PKI is built on math, leveraging algorithms to direct the inspection and validation of the signatures that enable secure communication and data-sharing between devices and networks. Fortunately, technology has advanced to enable computers to handle the complex algorithms used to inspect and validate the secure connection to a device or web site.

Unfortunately, the cyberattacks targeting those systems are also becoming more sophisticated and hitting more frequently. That is why a critical aspect of the effective use of PKI is updating those certificates as the threat landscape changes. In other words, PKI usage is not something to “set and forget”, and today requires thoughtful security planning in the process. Too often, a cloud service provider will experience a system outage simply because someone forgot to renew a certificate. The blame falls on a faulty manual process.

Therefore, the way PKI becomes more usable is by partnering with a Certificate Authority (CA) that can introduce and manage automation technologies to relieve IT of those responsibilities. IT and users should not have to worry about “breaking” something because they were not paying attention to the right discussion forum or the right threads about new attacks.

This can also be especially valuable in development environments, where developers are checking code in and out. PKIs enable each developer to sign what they are committing, thereby creating chains of trust. This can be very useful both to open source projects and to protecting a company’s download site from being hijacked and falling victim to a DNS attack.

If your organization is going to rely on PKI, it’s important to also leverage the benefits that automation can provide. This is where partnering with a CA can help, both today and tomorrow. CAs take on the responsibility of managing PKIs, which includes participating in forums and working groups to ensure that PKIs evolve to meet the ever-changing threat landscape. This relieves enterprises of having to take on those responsibilities, so they can focus on their strategic business priorities.

About the author: Dan Timpson is DigiCert Chief Technology Officer, responsible for DigiCert's technology strategy and driving development that advances PKI innovation for SSL and IoT customers. Timpson’s team focuses on continuous improvement to deliver a comprehensive digital certificate management platform for DigiCert customers that includes standards-based, automated certificate provisioning for devices and APIs for seamless integration with third-party systems.

The Five Secrets to Making Security Awareness Work in 2018
Mon, 29 Jan 2018 11:29:00 -0600

So, it is the start of a new year and you are hoping to do great things with your security awareness and training program. You have a desire to move beyond simple ‘box checking’ and to actually change hearts, minds and behavior patterns. You know that it is the right thing to do for your organization and are looking forward to seeing the positive results. The sticking point, however, is that – like most organizations – you probably don’t exactly know how you are going to make it happen.

My hope with this article is to help you begin the process of creating a solid plan and foundation that will enable you to achieve a game changing level of security awareness and behavior transformation. With that goal in mind, here are the five secrets that I use to best position security awareness leaders for success:

Secret 1: Have a vision of what ‘good’ looks like for your organization

The key to implementing this secret is implementing a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It is always interesting to see the differences and similarities that this process can help uncover. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. For this, I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework—I use the Michael Hyatt version.

Secret 2: View awareness through the lens of organizational culture

I’ll be writing about this more in the coming months. But here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will ‘win out’ over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture.

Remember the survey and interviews that I mentioned at the start of the first secret? This is where you’ll really get an idea of any organizational culture gaps that you need to account for. When you find these gaps, you’ll have a few choices: 1) modify your awareness program’s expectations and goals based on the identified gap, 2) work with organizational leaders to see how you can help influence the larger culture, or 3) a hybrid approach where you modify some goals while also doing the work of trying to influence the larger culture.

Of these, option 1 is clearly the easiest – but has very little reward associated with it; it’s the ‘safe’ route. Options 2 and 3 will involve more work, politicking, and likely a bit of frustration, but offer the greatest long-term benefit for the organization and for you. This is also where you can begin to leverage things like security champion/liaison programs to help infuse security-related values throughout the organization to create consistency and sustainability.

Secret 3: Leverage behavior management principles to help shape good security hygiene

Your awareness program shouldn’t focus only on information delivery. There are plenty of things that most of us are aware of – but we just don’t care about those things. Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. Most of my thinking about behavior management is heavily influenced by the research of BJ Fogg, who heads up the Persuasive Tech Lab at Stanford University. Fogg’s research has influenced technology companies around the world that seek to create engaging experiences for their users and drive specific behaviors. His behavior model and work around habit creation are located here and here.

I realize that most readers won’t have time to dig into the deeper details of behavior management and create their own unique programs. Don’t lose heart! Simulated phishing platforms distill some of the fundamentals of behavior management into an easy-to-deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and you will see dramatic behavior change!

Secret 4: Focus on understanding the different personalities, drivers, and learning styles within your organization

(This goes back to the Specific and Relevant attributes of the SMARTER framework I referenced.) It is critically important to understand your overall organizational context, the different types of people within the organization, regional contexts, divisional and departmental contexts, and so on. This not only helps you tailor content that will best speak to each of the groups, but can also help you avoid stepping on potential landmines.

Secret 5: Be realistic about what is achievable in the short term and optimistic about the long-term payoff

So here is where the rubber meets the road. You’ve got all of the planning out of the way, created goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, and so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization; and that sometimes means training people how to be trained!

But here’s the good news: the data show that you can see dramatic behavior change in as little as 90 days if you follow the best practice of combining security awareness content (e.g. computer-based learning modules) with frequent simulated phishing testing conducted at least monthly. In a recent study, we looked at the progress of more than six million accounts across nearly 11,000 organizations over a 12-month timeframe. Organizations that followed the best practice I just mentioned saw their employees’ Phish-prone percentage drop by 50% in just 90 days – from a 27% baseline Phish-prone percentage down to 13.3%. And consistent training brought that down even more dramatically at the 12-month mark… from that initial 27% baseline all the way to 2%.

Are you ready to make 2018 a break-out year for your security awareness program?

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Crypto-Mining Is the Next Ransomware
Fri, 19 Jan 2018 05:28:48 -0600

Hackers are opportunistic creatures. As device manufacturers continue to add more CPU cores and gigabytes of RAM to smartphones and tablets as well as enterprise-grade cloud servers, these devices will continue to be increasingly useful targets for botnets. What’s more, hackers will seek device vulnerabilities or exploit mobile applications and devices when a network is not secure.

Ransomware took the dark web by storm by creating such an easy way to monetize these vulnerabilities. As a side-effect, the cryptocurrency market exploded from the increased attention. Cryptocurrency mining—the process of confirming Bitcoin transactions and generating new units of digital currency—is perfectly legal. Developers are looking for ways to make money in a competitive mobile app market, and mining bitcoin via these apps has become an inviting venture. However, this method of monetization becomes a legal and ethical dilemma once users are not aware that their devices are being used to mine digital currency.

The recent lawsuits against Apple for throttling down older iPhone models may set a legal precedent for cryptocurrency mining lawsuits. If users can successfully sue Apple for slowing down their phones without their knowledge, developers who install mining capabilities that affect performance and battery life without users’ knowledge could be liable as well.

Not only is this a threat that is here to stay, it is shaping up to become a threat as pervasive as ransomware. For instance, there are reliable indicators showing that hackers use older vulnerabilities to install miners after the initial infection, generating bitcoins from victims without demanding a ransom. As that pool of victims gets smaller, miners focus on extracting value in other ways, such as using the malware as a DDoS weapon.

While the maliciousness of these kinds of infected mobile apps and web browsers is subject to debate, we can say for sure that we are witnessing the birth of a new form of malware – perhaps with as much impact as ransomware or adware. And without a robust security and monitoring strategy, along with the network visibility to protect applications and computers, you should expect to become the next cryptocurrency mining victim.

Mining Malware for the Mobile Era

The mobile era has generated a malicious opportunity to make the most of cryptocurrency mining malware. Cryptocurrency mining latches onto as much CPU power as it can to mine digital coins, consuming electricity, processing power and data as information is passed through the mining process — all of which cost money.

Research shows there is a plethora of malicious Android apps roaming the Internet right now, and some crypto-miners have managed to bypass filters to get into the Google Play Store. In fact, recent static analysis on mobile malware led researchers to a number of cryptocurrency wallets and mining pool accounts belonging to a Russian developer, who claims what he is doing is a completely legal method of making money.

We in the industry do not agree — cryptocurrency miners are a misappropriation of a user’s device. While it is technically legal if the extraction of cryptocurrencies is disclosed, these actions are purposefully misleading and frequently lack transparent disclosure.

We’ve witnessed the use of cryptocurrency miners embedded in legitimate applications available on the Android store, which are used to extract value from people’s phones during times when their devices are not in use. And, in recent months, there have been several cases of hackers mining cryptocurrencies even after a visible web browser window is closed.

Other methods that hackers are using to deploy cryptocurrency miners include Telnet/SSH brute-forcers that attempt to install miners, along with SQL injection and direct installation of miners. Crypto-mining in browsers and mobile applications will continue to persist, so concerned companies should improve their security performance, bringing application-level visibility and context to their monitoring tools.

More devices, more mining

Since new security threats surface every week, there is a good chance that more devices will be infected with cryptocurrency mining malware in the near future. The increased presence of IoT devices will create new targets for cryptocurrency miners. We may also see hybrid attacks that are ransomware-first and crypto-coin miners second, as they attempt to cash in twice on the same computer.

Most of these crypto-mining attacks occur at the edge of the network. One of the more common attacks used to install crypto-miners is the EternalBlue vulnerability released this past summer, which was at the center of ransomware outbreaks like WannaCry and NotPetya. Here’s the worst part: hackers are not using new tools or advanced methods to deploy these cryptocurrency miners, but they are still successful. As a result, companies need to have a responsive patch management strategy, make sure their IPS rules are up to date, test to make sure they can detect exploitation of the vulnerabilities that cannot be patched immediately, and finally, monitor the network traffic for peer-to-peer mining traffic.

If organizations do not have insight into their networks, they are unable to tell whether their endpoints are mining without permission, leaking data from a breach, or spreading malware across internal networks. Or perhaps there is no malicious activity going on; they’ll want to see that too. Having a network monitoring solution in place will alert them early in a compromise by showing a shift in network traffic patterns.
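Added example, not from the original article or Ixia's products: Python detection logic run over constructed connection-log lines that flags mining-pool (Stratum) handshakes, namely the "mining.*" JSON-RPC methods of Stratum v1 and the login/pass/agent "login" message used by Monero pools, and then reports pool endpoints that several internal hosts share, which is the traffic-pattern shift the article says monitoring should surface. The log format, addresses, ports and wallet placeholder are constructed.

```python
"""Flag Stratum mining-pool handshakes in connection logs (constructed example)."""
import json
from collections import defaultdict

# Constructed sample: one JSON record per new outbound TCP connection, with the
# first client message of the session captured by a payload-inspecting sensor.
# Addresses come from documentation ranges; the wallet is a placeholder.
_RECORDS = [
    {"ts": "2018-01-19T05:10:01", "src": "10.0.4.17", "dst": "203.0.113.9", "dport": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'},
    {"ts": "2018-01-19T05:10:02", "src": "10.0.4.17", "dst": "10.0.0.5", "dport": 8080,
     "payload": '{"jsonrpc":"2.0","id":7,"method":"getStatus","params":{}}'},
    {"ts": "2018-01-19T05:11:40", "src": "10.0.4.22", "dst": "203.0.113.9", "dport": 3333,
     "payload": '{"id":2,"method":"mining.authorize","params":["worker1","x"]}'},
    {"ts": "2018-01-19T05:12:05", "src": "10.0.7.3", "dst": "198.51.100.20", "dport": 5555,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.4.2"}}'},
    {"ts": "2018-01-19T05:12:30", "src": "10.0.9.1", "dst": "198.51.100.77", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nHost: 198.51.100.77\r\n\r\n"},
]
SAMPLE_LOG = [json.dumps(r) for r in _RECORDS]  # what the sensor would write out

STRATUM_V1_PREFIX = "mining."            # Bitcoin-style Stratum v1 method names
LOGIN_KEYS = {"login", "pass", "agent"}  # Monero-pool style "login" parameters


def classify_payload(payload: str):
    """Return a rule label when the first client message looks like a pool handshake.
    Stratum v1 uses JSON-RPC methods prefixed 'mining.' (subscribe, authorize,
    submit); Monero pools used by XMRig-style miners open with a 'login' method
    carrying login/pass/agent. Anything else, including non-JSON, is ignored."""
    try:
        msg = json.loads(payload)
    except ValueError:  # plain HTTP, TLS, or any other non-JSON first message
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if isinstance(method, str) and method.startswith(STRATUM_V1_PREFIX):
        return "stratum-v1"
    if method == "login" and isinstance(params, dict) and LOGIN_KEYS <= set(params):
        return "stratum-login"
    return None


def detect_mining(lines):
    """Return per-connection alerts plus pool endpoints shared by 2+ internal hosts.
    Several sources handshaking with one pool is the pattern shift worth paging on:
    a single opportunistic infection rarely stays alone on a flat network."""
    alerts, pools = [], defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        label = classify_payload(rec.get("payload", ""))
        if label is None:
            continue
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "dport": rec["dport"], "rule": label})
        pools[(rec["dst"], rec["dport"])].add(rec["src"])
    shared = {k: sorted(v) for k, v in pools.items() if len(v) >= 2}
    return alerts, shared


if __name__ == "__main__":
    hits, shared_pools = detect_mining(SAMPLE_LOG)
    for a in hits:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} [{a['rule']}]")
    for (dst, port), srcs in shared_pools.items():
        print(f"shared pool {dst}:{port} used by {', '.join(srcs)}")
```

The "login" rule is a heuristic: confirm a hit against the destination's reputation before treating it as a miner, since an internal application could use the same method name.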

About the author: Steve is the Senior Director of the Application and Threat Intelligence Program at Ixia, responsible for gathering actionable application and security intelligence for Ixia products. Steve has more than 25 years of experience working in computer and network security for companies like IBM, TippingPoint, SolarWinds, BreakingPoint, and now Ixia.
