Infosec Island Latest Articles Adrift in Threats? Come Ashore! en hourly 1 Singapore Health Database Hit by 'Major' Cyberattack Fri, 20 Jul 2018 09:34:59 -0500 Singapore Prime Minister Lee Hsien Loong Targeted as Part of SingHealth Cyberattack

Singapore’s Ministry of Health (MOH) said Friday that a Singapore Health Services (SingHealth) database containing patient data, including personal information on Prime Minister Lee Hsien Loong, was hit by a “major” cyberattack.

According to an official statement, the breach impacted approximately 1.5 million patients who visited SingHealth’s certain clinics between May 2015 and July 2018.

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines,” the statement said.

After detecting unusual activity on one of SingHealth’s IT databases on July 4, investigations by Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) concluded that the attack was a “deliberate, targeted and well-planned cyberattack” that resulted in data being exfiltrated from June 27, 2018 to July 4, 2018.

Data accessed in the attack include name, National Registration Identity Card (NRIC) number, address, gender, race and date of birth. 

“CSA has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation,” the satement said. "They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration."

IHiS, the technology agency for the public healthcare sector, said steps have been taken to bolster security, including reseting user and systems accounts, temporarily imposing internet surfing separation, and placing additional controls on workstations and servers. The agency also that additional system monitoring controls have been put in place, with . similar measures being taken for IT systems across the public healthcare..

Earlier this year, the Singapore’s Ministry of Defence (MINDEF) ran a bug bounty program, which ran from mid-January to early February, after a breach last year which hackers were able to steal personal data from about 850 military servicemen and other employees from a defence ministry web portal.

In August 2014, Singapore officials announced new measures to strengthen cyber security following attacks on a section of the prime minister's website, as well the website of the presidential residence. 

Singapore is the home city for SecurityWeek’s Singapore ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial internet stakeholders in the APAC region that is held each April. 

Related: Hackers Breached Non-Classified System at Singapore's Ministry of Defence

Related: Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore

Copyright 2010 Respective Author at Infosec Island]]>
Q3 Oracle CPU Preview: Fewer Java SE Patches May Not Mean Fewer Flaws Mon, 16 Jul 2018 11:54:00 -0500 The July 2018 quarterly Oracle Critical Patch Update (CPU) is expected to set a new two-year high for total Oracle product patches and a 12-month low for Java SE patches, based on a review of a pre-release statement. The Q3 release could have as many as 334 total product patches, the highest in 11 quarters. Only eight Java SE patches are expected, representing a 75 percent drop from a 30-month high set in July 2017.

Other highlights of the pre-release include:

  • 100 percent of the Java SE vulnerabilities expected to be patched can be exploited remotely without user credentials.
  • The expected patches address flaws in Java SE versions 6u191, 7u181, 8u172, and 10.0.1. The highest vulnerability base score among the flaws is nine on a ten point scale.
  • The Oracle Database Server may also get three patches, including to the Java Virtual Machine. The highest CVSS base score is expected to be 9.8, and one of the flaws can be exploited without user credentials.

On the surface, the downward trend of Java SE patches would appear to be positive. However, it may actually be more of a reflection of the adoption rates of Java SE 9 & 10 as the Java community continues to rely on older versions of Java. With low adoption rates, there are simply fewer users in a position to report bugs in the newest versions of Java.

Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, July 17th.

About the author: James E. Lee is the Executive Vice President and Global CMO at Waratek. He was theformer CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center including three years as Chair.

Copyright 2010 Respective Author at Infosec Island]]>
Memory Protection beyond the Endpoint Mon, 16 Jul 2018 11:16:00 -0500 Threat actors have been digging into an ever-growing bag of tricks to compromise endpoints:  social engineering, phishing, malware, zero-day vulnerabilities, advertising, ransomware -- even recent cryptocurrency jacking operations are just a few examples of the diversity, and even the sophistication, of some attacks. However, as different as these attacks may appear on the surface, some share similar features, and relying on a handful of the same methods for compromising endpoints and data. For instance, the use of zero day or unpatched vulnerabilities is commonplace when discussing how victims are compromised. In a way, the methods used to breach systems have remained fairly consistent – partially because they’re still very effective, regardless of the actual malware payload or the threat actor’s end goal.

Memory Manipulation – The Achilles Heel

Memory manipulation through the use of zero day or unpatched vulnerabilities is usually the weapon of choice for threat actors, as it allows them to dodge traditional in-guest security solutions and execute malicious code on the victim’s endpoint. Threat actors have long been using these vulnerabilities in compromising victims either through drive-by downloads and malicious advertisements, or even infected email attachments.  

The interesting aspect of vulnerabilities is that, at their core, when they manipulate an application’s memory, they use only a handful of memory manipulation techniques, regardless of how sophisticated or critical these vulnerabilities might seem. Unfortunately, traditional security solutions usually lack the ability to protect an endpoint’s memory space, and only focus on files stored on-disk.

This Achilles heel of traditional security solutions means that threat actors can regularly exploit the same vulnerability and constantly deliver various payloads until one of them bypasses scrutiny from the security solution. Since payloads can range from ransomware to keyloggers and even coin mining software, memory manipulation of a victim’s endpoint using vulnerabilities is extremely effective.

Worse, some threat actors rely on exploit kits – a collection of known vulnerabilities in popular applications, such as Java, Adobe Reader, browsers and even operating systems – to automatically probe endpoints for known vulnerable software to drop malicious payloads. Although some of the most popular and versatile exploit kits, such as Angler and Rig have been dismantled by law enforcement, threat actors still rely on memory manipulation vulnerabilities.

Memory Protection

The obvious question is: how do you protect the memory space from being manipulated by vulnerabilities? There are in-guest next generation layered security solutions that offer anti-exploit capabilities. Anti-exploit technologies work by watching for Return-oriented Programming (ROP) techniques usually associated with attackers trying to hijack a program’s control flow and execute already-present specific instructions. Such anti-exploit technologies can block memory execution of ROP chains as well as other stack manipulation techniques usually associated with exploit techniques employed by vulnerabilities.

However, with organizations leveraging the power of virtualization and cloud infrastructures, we’ve reached a point where multiple guests – or operating systems – can share the same host – or hardware. Some technologies can protect the memory of all guests – without impacting their performance – by sitting between the hardware and the operating system layers.

Memory introspection technology is highly effective and efficient in protecting against known and unknown memory manipulation techniques associated with vulnerabilities, as it’s entirely outside the operating system. Because it’s isolated from the guest operating system, it’s completely untouchable by any in-guest threat – regardless of how sophisticated it is – but at the same time has complete visibility into the memory of each guest virtual workload.

Leveraging bare metal hypervisors, memory introspection technologies provide an additional security layer for virtual infrastructures, offering protection against any zero day or unpatched vulnerability that threat actors are trying to exploit. Instead of focusing on the actual payload, as most traditional security technologies do, memory introspection focuses on the initial point of compromise.

For instance, if a threat actor tries to exploit a zero-day Adobe Reader vulnerability to drop coin mining software, ransomware, or keylogging malware, memory introspection would plug the attack as soon as the attacker tries to perform the memory manipulation to escalate his privileges. This means the attack kill chain would be broken long before any payload or damage to the infrastructure would even occur.

Security beyond the Endpoint

Endpoints –virtual and physical – still play a vital role in organizations, and security needs to address these infrastructures holistically, and protect them without affecting performance. Software-defined datacenters, hyper-converged infrastructures, and hybrid clouds have changed the way businesses operate and scale. But security has mostly focused on the actual endpoint (e.g. VDI, VPS).

Re-engineering security solutions to fit the new infrastructure, performance, and scalability needs of organizations is crucial as advanced threats often exploit security blind spots. Having security technologies – both in-guest and outside the OS, as close to the hypervisor as possible – that can protect against memory manipulation techniques used to deliver anything from advanced persistent threats to coin miners and ransomware, can make a world of difference in ensuring business continuity, as well as in avoiding financial and reputational losses.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Copyright 2010 Respective Author at Infosec Island]]>
Intent Based Networking: Turning Intentions into Reality Mon, 16 Jul 2018 10:50:52 -0500 Wouldn’t it be great if IT teams and network managers could simply outline, at a high level, what they want their enterprise networks to do, and then technology would automatically implement the changes across their infrastructure to make it happen?  That’s the promise of intent-based networking (IBN):  using machine learning and automation to provision and manage networks and enforce security policies automatically – without network administrators having to perform the operational tasks of actually making it all work.

First identified as the next big thing in early 2017, the industry really started taking note when Cisco announced its IBN portfolio in summer 2017. The portfolio provides an intuitive system “that constantly learns, adapts, automates and protects, to optimize network operations”, thereby replacing traditional, manual IT processes.

Cisco isn’t the only company looking to develop IBN solutions: other vendors, including Juniper and Veriflow, are also developing IBN solutions, while a number of IBN start-ups are also emerging.

Assessing IBN maturity

As such, it’s easy to see why IBN is appealing to enterprises:  it has the potential to ensure the needs of the business are quickly translated into an infrastructure that supports its specific requirements, and thus accelerate business innovation – all while making IT processes more efficient and easy to manage.  So what intent-based networking options exist today? Let’s take a look at some of the available solutions.

Orchestration: At a basic level, it is possible to automate heterogeneous, networks without intent and understanding, using an orchestration system to automate the configuration of firewalls and routers to some degree.

Early-stage dedicated IBN solution:Organizations can utilize one of the many intent-based products offered by one of emerging IBN technologies. However, while these solutions offer more advanced IBN capabilities, in their current maturity they have limited automation capabilities.

IBN in a single vendor environment:t it may be worth considering a full IBN implementation with one specific vendor, such as VMware NSX or Cisco ACI. This will enable an organization to integrate IBN with its own network fabric.

While there are a number of options available today, IBN technology is not yet mature enough to be fully implemented across an entire enterprise network. However, it is possible to put in place the building blocks required for IBN adoption, by aligning IT more closely with the needs of the business.

Intent on security

A key example of this is in network security. Network security policy management (NSPM) solutions already deliver on IBN’s promise of enabling faster application delivery – without compromising the organizations’ security or compliance postures.

An NSPM solution can automatically discover and map applications, including the network connectivity flows that support them, as well as identify the security policies associated with the connections, across a heterogeneous enterprise environment (on-premise networks, SDN and cloud).

With this capability, the NSPM solution enables business application owners to request network connectivity for their business applications without having to understand anything about the underlying network and security devices that the connectivity flows pass through. The application owner simply makes a network connectivity request in their own application-centric language and the NSPM solution automatically understands and defines the technical changes required directly on the network security devices. As part of this process the NSPM assesses these change requests for risk and compliance with industry and corporate regulations and, if the risk is low, it automatically implements them directly on the relevant security devices, and then verifies the process – all with zero touch.

Thus, normal change process requests can zip through—from request to implementation—in minutes, with little to no involvement of the networking team. Manual intervention is only required if a problem arises during the process, or if a request is flagged as high risk. As such, from a network security perspective,the potential of IBN can already be achieved with the right security policy management solution.

The future’s bright, the future’s IBN

IBN is undoubtedly an exciting advancement in networking, enabling IT teams to provision and configure networks a lot faster and in a much more secure way, with far fewer resources.  

By utilizing an NSPM solution, which enables application owners to express the business intent and then receive a continuously maintained, end-to-end path for their application connectivity provisioning, organizations are well placed to drive IBN initiatives in their organizations. 

About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.

Copyright 2010 Respective Author at Infosec Island]]>
Science Fiction Come True: Weaponized Technology Threatens to Shatter Security, Critical Systems Tue, 03 Jul 2018 01:58:37 -0500 By 2020, the very foundations of today’s digital world will shake. Nation states and terrorist groups will increasingly weaponize the cyber domain, launching attacks on critical national infrastructure that cause widespread destruction and chaos. With power, communications and logistics systems down, organizations will lose the basic building blocks needed for doing business. Heating, air conditioning, lighting, transport, information, communication and a safe working environment will no longer be taken for granted.

Let’s take a quick look at a few of the top threats to information security that are expected to emerge over the next two years, as determined by Information Security Forum research, and what they mean for your organization:

Cyber and Physical Attacks Combine to Shatter Business Resilience

Nation states and terrorists will combine traditional military force with their increasingly sophisticated cyber arsenals to launch attacks that create maximum impact. Organizations will face interruptions to business as cities become no-go zones and vital services are rendered unavailable, with governments, militaries and emergency services struggling to respond effectively to concurrent physical and cyber incidents.

Why Does This Threat Matter?

Physical and cyber attacks will be deployed simultaneously, creating unprecedented damage. Many nation states and terrorist groups (or both, working together) will have the capability to bring together the full force of their armaments – both traditional and digital – to perform a clustered ‘hybrid’ attack. The outcome, if successful, would be damage on a vast scale.

Telecommunication services and internet connections will be obvious first targets, leaving individuals and organizations cut off from the outside world. Assistance from emergency response services, as well as local and central governments, will be slow or non-existent as essential physical and digital infrastructure will have broken down.

These attacks will be designed to spread maximum chaos, fear and confusion. The stricken city, or cities, will be brought to a standstill, with both lives and businesses placed in jeopardy. Those at home will be unable and unwilling to go to work, or – without power or communications – unable to work from home. Those already in the office will be trapped with nowhere to escape to, as attacks hit them from every angle. Existing business continuity plans will be useless; they will not have been prepared to cater for an eventuality when every system is down while individuals are in physical danger. People will panic. Work will be off the agenda.

Satellites Cause Chaos on the Ground

As an integral part of almost every walk of life, satellite systems will be targeted. Organizations are more reliant on satellites than ever before, routinely using global positioning systems (GPS) and communications services. Disabling or spoofing signals from GPS will put lives at risk and impact global travel and financial markets. Attackers may also target media, communications, meteorological and military functions to further disrupt operations and trade.

Why Does This Threat Matter?

Compromised satellite signals, whether spoofed by malicious adversaries or knocked out by collisions with other satellites or space debris, will cause widespread chaos down on Earth. As satellites become cheaper and easier for national space agencies and individual businesses to launch and maintain, they will become increasingly integral to modern life. Disabled or spoofed signals will interfere with critical transport, communications systems and even financial services.

Lives will be put at risk and supply chains hampered as spoofed GPS signals are sent to aircraft, ships and road vehicles. International financial systems – from stock exchanges to ATMs – that rely on exact timestamps on digital payments will be unable to record transactions accurately. Trading algorithms that rely on data from satellites on weather or location of specific assets (e.g. to instruct which crops to buy or sell) will be misled, potentially manipulating financial markets.

In the next few years, satellites will play an increasingly crucial role in connecting Earth-based infrastructure and systems. However, organizations will need to realize what the military has known for years – that no one will be spared if attacks against satellites succeed. The potential for crippling disruption is immense.

Weaponized Appliances Leave Organizations Powerless

Enemies aiming to inflict damage will take advantage of vulnerabilities in connected appliances such as thermostats, refrigerators, dishwashers and kettles to create power surges strong enough to knock out regional power grids. This relatively unsophisticated attack will bring operations to a grinding halt for organizations in affected areas, as governments prioritize restoring vital services over trade.

Why Does This Threat Matter?

Attackers will find ways to access a huge proportion of the millions of connected appliances – such as heating systems and ovens – and turn them into weapons. This mass of appliances could be commandeered and misused for a number of disruptive ends, similarly to the way botnets of poorly protected home computers have been used to initiate and sustain large scale DDoS attacks. However, one threat merits specific attention – the damage they can wreak collectively on power grids.

These appliances, forming part of the IoT – many in homes but also found in offices and factories – are always powered-on and always connected to the internet. Manipulated by attackers to switch on to full power simultaneously, appliances will create a demand for power so unexpectedly high that it overloads and brings down regional electricity grids. With the grid offline or severely degraded, organizations will be weakened and struggle to function.

The underlying foundations of many business continuity plans, such as instructing employees to work from home, will be rendered useless as they will have neither power nor a means to communicate. Dependent critical services such as water supplies, food production systems and health care will be unavailable. Power rationing will affect other utilities and services, such as heating, lighting and transport. To cap it all, organizations will lose out to competitors in non-affected areas who will be quick to take advantage of the increased demand for their services.

It's Past Time to Begin Preparation

Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organization must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The themes listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant.

The future arrives suddenly, especially when you aren’t prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island]]>
Navigating Dangerous Waters: the Maritime Industry’s New Cybersecurity Threat as Technology Innovation Grows Tue, 03 Jul 2018 00:29:00 -0500 The rapid evolution of technology and, in particular, the Industrial Internet of Things (IIoT) is transforming critical environments, bringing benefits such as optimised processes, reduced costs and energy efficiencies. The maritime industry, which forms part of our critical infrastructure, is adapting to access many of the benefits that innovation in technology can offer. By the end of the decade, for example, a new era of shipping will have started with the world’s first autonomous container ship transporting goods around the coastline of Norway.

Although such advances are to be applauded, they bring with them a high element of risk. Security researchers have been warning for many years that the shipping industry is a ‘low hanging fruit’, due to the fact that high-value goods are transported by ships with legacy systems and poor cybersecurity practices to safeguard from malicious attacks. This is leaving vessels at risk of a wide range of threats from live location tracking, to the loss of critical function such as power and navigation.

The dangers of Operational Technology at sea

A concerning problem encountered within maritime is a lack of recognition that a container ship is a critical environment, warranting robust protective systems like any other Operational Technology (OT) environment e.g. a utility. Once connected to a network, this technology risks being targeted by hackers. The threat is a real one; researchers have demonstrated proof of concept cyber-attacks against many of the most common maritime systems, and there’s evidence of incidents at sea in which navigational computers were infected with malware on a USB stick being used for upgrades.

A one-size-fits-all approach to cybersecurity won’t be an effective solution, as the shipping industry presents a unique challenge for hardening cybersecurity; that is, every ship is different. A lack of standardisation across vessels means a vast mix of legacy OT has been deployed, much of which was not designed with security in mind, as well as further networked technologies which have been added over time.

A major vulnerability is the lack of cybersecurity skills, knowledge and focussed training among many of the crew members to recognise, understand and address incidents. On the most part, the person responsible for IT combines the role with another, leaving little time to monitor, respond to or rectify a cybersecurity breach. In this circumstance, remote monitoring for such issues is also problematic due to a shortage of reliable bandwidth while at sea.

A change in approach – the importance of risk management

These challenges are not unsolvable and for those that get it right, cybersecurity will be a powerful enabler in the world of more automated shipping. Adopting a risk management approach – where risk appraisal is used to identify, evaluate and prioritise risks in order to control the probability or impact of an incident – will be key to the maritime sector’s future. A risk management approach begins with identifying which systems, data and interfaces are unprotected and pose the greatest risk to operations if compromised. In a maritime context, this should involve the frequent testing and hardening of systems, as well as securing devices and networks by closing unused data ports and ensuring full network segregation between OT and IT systems.

Better staff training is also a must for all those working on a vessel. For example, crew systems, such as terminals for entertainment or personal email, should be kept isolated from other systems as one of the primary threats remains inadvertent infection via a flash drive or mail attachment. Crew members should be able to utilise such technology in a secure manner and be trained to avoid suspicious email links.

But effective cybersecurity must also be business efficient cybersecurity. The maritime industry will need to adapt to access the many benefits of technological innovation but do so in a safe and secure way. Learning the lessons of other industries, it is clear that one of the best ways to improve resilience to cyberattacks and harden maritime networks is to build a cyber secure supply chain. Working with suppliers whose products are demonstrably secure, and partners whose knowledge is advanced in existing maritime systems will be fundamental to robust OT security and a safer future for asset transport at sea.

About the author: Jalal Bouhdada is Founder and Principal ICS Security Consultant at Applied Risk.

Copyright 2010 Respective Author at Infosec Island]]>
Is User Training the Weakest Link for Your Email Security Approach? Thu, 28 Jun 2018 01:41:22 -0500 The days of only deploying an email security gateway to block viruses, spam and other threats from reaching user email accounts are gone. Even though gateways no doubt have their place in a comprehensive security strategy, in most cases they are paired with supplementary technologies to ensure the most effective layered email protection. This is critical because gateways aren’t designed to sniff out attacks such as social engineering, phishing, spear phishing, and business email compromise (BEC). There is also the constant possibility of users being phished on personal email accounts that aren’t controlled by gateways at all. There are technologies to accompany gateways such as AI powered email security solutions, which offer the best hope to stop spear phishing, impersonation and BEC attacks.

But, let’s say you are well informed and have already deployed extra security layers to protect against sophisticated email-borne data theft, malware, phishing and other threats. Perhaps you even have a comprehensive backup and recovery strategy to combat ransomware attempts that could hold your data hostage? From a technology standpoint you’ve thought of everything, but the problem is—your users probably have not. This could be especially true for mid to low-level employees including sales or customer service teams where being security aware just isn’t at the top of their to-do list. Ultimately, these folks could be part of the problem without even know it.  

That’s because end users frequently receive messages containing links to spoofed websites where criminals intend to steal their credentials in order to gain entry and launch attack campaigns. These employees are also the unlucky recipients of numerous social engineering attacks, including fraud attempts that could result in wire transfers to cybercriminals. What’s more alarming, is that these attacks avoid traditional security technologies, making the actions users take more important than ever. In order to shed a bit more light on this piece of the email security puzzle, Dimensional Research recently collected data from over 630 participants located around the globe who all had some level of responsibility for email security within their organization. Let’s take a deeper look at some of the points covered in the research:   

User behavior and security risks

One of the points that really stands out to me, is that effective security these days isn’t just about security tools and technology, but that employee behavior is actually a greater concern. 84 percent of the respondents attributed security concerns to poor employee behavior while 16 percent cited inadequate tools as the culprit.

It was also interesting to see that there is no real consensus on the level of employee or title that is most likely to fall for an attack. This is proof that cybercriminals are balancing their attacks across organizational levels and not targeting any particular level of employee.

The reasoning for this is that like with any scam, email attacks are typically a numbers game. The more attempts made, the better success rate criminals have, which is one of the reasons they continue to go after individual contributors—there are just more targets available. Alternatively in targeting executives, the payoff is much greater as they have access to more sensitive and critical information. This supports the idea that criminals are operating just like a business—they make good risk versus reward decisions.

Finance is considered the most vulnerable

It probably isn’t surprising to anyone that finance employees are thought of as being the most vulnerable, as they usually have access to the company’s crown jewels. 24 percent of respondents believe that finance departments are the most vulnerable to an attack. What might be surprising about this set of findings is that the respondents believe that legal departments are of very little risk. Perhaps legal teams are just viewed as being more aware of the consequences or less likely to act on an attempted attack?

On the other side of the office, we have the sales and customer service departments, who according to respondents—were the most likely to put their organization at risk. This could be simply because these teams communicate heavily over email at a rapid pace, which could open the door for attacks. Regardless of the reason, if the belief is true—organizations may want to take the necessary steps to make sure these teams are aware of the possible threats that could be lurking in their inboxes.  

End user training is essential, but a better offering is needed

100 percent of the respondents said that end-user training is important to their email security posture. It is great to see that training is recognized as an important cog rather than labeling it as a “nice to have” piece of the strategy.  

We also learned that organizations are offering more than just a traditional classroom style approach to education for their users. In our experience, the most effective programs are able to scale, move quickly, and offer the flexibility to work into and around busy schedules. Offering training at the convenience of each individual’s schedule makes all the difference in retention of information and employees’ willingness to participate. With that said, it’s essential to test if these training programs are making an impact. This could mean testing employees on their knowledge with simulated email attacks, or even tracking behavior to help security teams drill down on weaknesses in their organization.

Who actually trains their users?

We’re seeing that all organizations have good intentions, but according to the data, only 77 percent of the respondents said they are actually training their employees. Not a terrible number by any means—but there’s definitely still a gap, and room to improve.

The reported data also shows that organizations with over 1000 employees are more likely to implement training. This isn’t uncommon or too surprising as large businesses have more resources and are typically early adopters of new technologies and trends. Smaller organizations usually follow proven practices, but are forced to make the most of their available budgets.

Ideally, every organization regardless of the size should be exploring new technologies and practices to adapt to the evolving threats in the wild. Employees of any level or title should be trained regularly and tested on their security knowledge.

So, is end-user security training and awareness the missing link to your complete email security strategy? The data shown suggests that it is definitely a clear concern, and if you consider the amount of attacks happening daily—almost every incident involves human interaction.

Malicious links must be clicked for cybercriminals to gain initial entry. Attachments must be downloaded and money has to be willingly transferred by an unsuspecting employee for these attacks to be successful. Putting training at the top of your layered security strategy alongside your technology stack will ensure that your employees are less of a liability, and the risk of a breach will be significantly lower.

About the author: Dennis is responsible for entire business lifecycle of the PhishLine product family at Barracuda Networks, including product strategy, product design, sales, onboarding, support, and renewals.

Copyright 2010 Respective Author at Infosec Island]]>
Least Privilege Access – Still at the Front Lines of Security Wed, 27 Jun 2018 07:33:00 -0500 Ever since authentication and authorization became the norm for access to computer systems, the principle of least privilege (POLP) has been the de-facto baseline for proper security. At its very core, least privilege access means granting a user just enough permissions (authorization) to access the data and systems in their company’s enterprise necessary to do his or her job – nothing more, nothing less. In theory, adhering to the POLP sounds like the perfect identity and access management strategy, but often implementing least privilege is easier said than done.

Why is it so hard?

There are a number of factors to consider. First, in order to implement least privilege, there needs to be a clear understanding of what the right access actually is for each user and their role. Second, in order to enforce the defined level of access, there has to be some sort of enforcement tool. And third, the definition and enforcement of granting access should be executed in a way that doesn’t get in the way of users doing their jobs. While least privilege is of value for securing all types of access, it is most critical when managing administrator access.

Some systems make it easy with well-defined roles and granular definitions of the permissions associated with those roles. But other systems aren’t as cooperative, with no native utilities to define and enforce what right actually means. For those systems, organizations are often left to their own devices relying on tribal knowledge to define right and have limited tools to enforce it. The result is many organizations deeply wanting to enforce least privilege but, in practice, finding themselves only successful on a very limited scale.

From an administrative access standpoint, many organizations take the easy way out by sharing administrative (or “superuser”) credentials among all individuals who might require them for their role, giving many more employees more access to data and systems than may be necessary to do their job – the polar opposite of POLP.

The classic example of least privilege for administrative access is an open source utility available for Unix and Linux systems called sudo (short for “superuser do”), which allows an organization to define a role with a certain subset of the all-powerful root credential in a sudoer file. When an administrator logs on, they must preface the command with “su.” If the command in question is allowed in the sudoer policy, the user will be allowed to execute it – if not access will be denied.

Sudo works great in many instances. However, when a Unix/Linux environment hits a certain size, the fact that sudo runs independently on each Unix/Linux server makes its execution of least privilege unruly, error-prone, and counterproductive. Consequently, there are whole categories of privileged access management (PAM) solutions that either replace sudo with a single solution that covers the entire environment with one policy and enforcement set along with keystroke logging, or augment sudo with centralized policy across all instances (as opposed to multiple islands of sudoer files).

When looking at PAM, Unix/Linux is typically only a part of the overall PAM picture. There are other systems where unchecked administrator access can be just as damaging, if not worse, than Unix/Linux. For example most organizations have a significant investment in Microsoft Active Directory (AD) and Azure Active Directory (AAD) with those systems being the primary front door for the majority of end user access needs. This makes the AD/AAD Admin critical in any PAM program. The POLP should extend to these administrators as well.

The reality is that beyond the Unix/Linux and AD/AAD platforms, POLP is extremely difficult to enforce consistently in the modern heterogeneous enterprise. Some applications have the capability built in, while others make no attempt to enable the practice. It becomes a crapshoot – but is a practice that needs to be run as much as possible through all PAM programs. Here are a few tips to help you get the most from the POLP in your PAM program:

  • Make the most of what you can control: within Unix/Linux look for opportunities to improve on the native sudo capabilities to eliminate weaknesses and improve operational efficiency in executing least privilege. Simply augmenting or replacing sudo with a commercial solution yields significant security gains. Similarly, with the status AD/AAD enjoys it only makes sense to seek third-party assistance in removing the all-or-nothing default of administrator access.
  • Use a vault: privileged password vaults are a great alternative to shared administrative passwords when least privilege is not an option. With day-to-day Unix/Linux and AD/AAD admin access delegated in a least privilege model, placing security, policy, and automation around the issuance, approval, and management of other privileged passwords makes sense. It removes the anonymity that is so dangerous with unchecked administrative access and provides controls around the whole process. Vaults also provide a viable alternative to issuing the entire permission set of a delegated admin account to a single user. Delegate the day-to-day activities and vault the superuser access for firecall and other critical tasks.
  • Audit activities: no PAM program is complete without the ability to close the loop on what administrators actually do with their permissions. Employ session audit and keystroke logging to augment delegated administrator access, allowing you the visibility to know what is actually done with the permissions in question.
  • Implement analytics: the final piece of the PAM puzzle is to implement analytics. Privileged behavioral analytics will help detect anomalous and dangerous activities, while identity analytics will evaluate the rights associated with an individual administrator’s permissions in both the vault and the least-privileged model. Analysis of rights and permissions across administrators in similar roles can help organizations identify weak spots in your least privilege model.

The POLP is a critical component to any effective PAM program, but it is not the only principle. A well-rounded program will also augment with POLP with vaulting, session auditing, and analytics to truly deliver on the security objectives for which the program is designed.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

Copyright 2010 Respective Author at Infosec Island]]>
"Can you Hear Me Now?” - Security Professionals Warn about Who May Be Listening Wed, 27 Jun 2018 06:32:00 -0500 In light of the recent move by Verizon to stop sharing location data with third parties, companies need to rethink strategies for data gathering from users.

While in the past, companies and app makers used different technologies on mobile devices in order to gather more and more data it is becoming more attractive for unethical hackers to find a way in for malicious purposes.

In one case, the company ‘La Liga’ disclosed to the user about what the microphones will be used for and how they’re used. Malicious app developers are not always so kind, and ignorant app developers put people at risk without realizing it.

La Liga wants to collect user locational data to track down unlicensed broadcasts of soccer games at sports bars and clubs. This activity is for their own interests without consideration for the user. Of course, there are likely other ways to approach this problem that don’t require utilizing their customers' mobile devices as their own personal eavesdropper, but this is the route they undertook. And to top it all off, they had enough courage to openly disclose this to their userbase, perhaps because they hope there will not be any huge any significant user backlash. While this approach will likely be successful, due to a prevailing lack of information to end users in many countries about data privacy, the rights to information privacy, and inappropriate sharing.

The tradeoff here with trying to stop someone from misusing a service is opening up a new potential attack scenario for the bad guys.  As we have seen with other apps that drive voice-enabled technology, how it is intended to work, and how it may be used or misused are two very different things.  

Don Green, Mobile Security Manager, WhiteHat Security, shared his thoughts on a few items that might have a bad guy smiling, including:

  • “The mobile device microphone and geolocation will only be activated during the time slots of matches in which La Liga teams compete.”

The Bad Guy perspective is the first thing I am going to do is try to abuse the match time slot data to have listening and geolocation occur 7x24.   If I’m after you, I want to make sure I’m hearing everything you say all the time and know where you are at all times.

  • “La Liga will periodically remind users that it can activate their microphones and GPS and will ask them to reconfirm consent.”

“Periodically” is a term hackers just love, while for users it’s a nightmare.   Oh here’s a notice to reconfirm consent…is it really? For bad guys, this is the perfect scenario set up to send users fake notices and get them to download malware.

While it is a good practice for businesses who are fighting against fraud, extreme caution must be used with the approach. There’s a fine line between protecting the business and putting business at risk by passing additional risks to customers.  For example, courts want to track the phones of criminals and inmates on parole and Apple recently started cracking down on geolocation apps especially since GDPR views location and personally identifiable information (PII) with a broad spectrum.

Application designers and sellers need to be able to scan the apps and determine whether they are accidentally releasing this kind of information, versus making a deliberate decision based on business need to broadcast where each cell phone user is. Ultimately, customers define what is an acceptable level of risk and privacy.

About the author: Jeannie currently serves security manager at WhiteHat Security. She believes application security is the Next Big Thing in the security space.

Copyright 2010 Respective Author at Infosec Island]]>
Every Business Can Have Visibility into Advanced and Sophisticated Attacks Mon, 18 Jun 2018 01:15:20 -0500 Years ago, senior managers of large organizations and enterprises were primarily preoccupied with growing their businesses, forming strategic alliances and increasing revenue. Security, mostly left to IT departments, was usually regarded as a set-and-forget solution that was in place for either compliance purposes or to prevent permanent damage within the organization’s infrastructure.

Fast forward several years, and organizations have woken up to the cold reality of data breaches, malware outbreaks, and hefty financial penalties because of increased sophistication of threats and inadequate security measures implemented by organizations. Since 2013, hacks and data breaches have not only flooded the main stream media, but have also shown just how ill-prepared organizations really are when dealing with them.

Equifax, Yahoo, the US and French election scandals, Wannacry, NotPetya, BadRabbit, and Uber are among the most memorable events in recent cybersecurity history. Equifax lost over 30 percent of its market value, which is about $5 billion. Verizon saved $350 million when buying Yahoo, because of the massive data loss scandal. Cyberattacks are bad for businesses, and their consequences bring cyber risk to the top of the minds of senior executives.

Quantifying the impact of cyberattacks

While decision makers and senior executives prefer hard numbers when quantifying the impact of a cyberattack, it’s worth noting that the traditional method of assessing breaches is somewhat flawed. Simply looking at the direct costs associated with the theft of personal information is no longer enough, especially with GDPR threatening heavy penalties for the breach of customer or employee records.

For a complete view on the impact of cyberattacks, organizations need to look beyond the theft of intellectual property, the disruption of core operations, and the destruction of critical infrastructure. They need to start factoring in hidden costs that revolve around insurance premiums, lost value of customer relationships, value of contract revenue, devaluation of brand, and the loss of intellectual property.

Understanding the Change

To understand how things have changed, organizations need to look at the cyberattack kill-chain that most advanced and targeted attacks employ to breach an organization’s infrastructure.

Reconnaissance, the first stage, involves threat actors selecting a target, researching it, and attempting to identify vulnerabilities in its infrastructure. Weaponization is the process in which threat actors create or repurpose malware and exploits to breach the target organization. Delivery and exploitation involve transmitting the cyber weapon to the target, either via email attachments or infected websites, and exploiting a vulnerability in a target program on the victim’s endpoint. The last three stages usually involve the installation of access tools that allow the malware to connect to a C&C (Command and Control) server to let the intruder gain persistency into the targeted infrastructure, and conclude with data exfiltration, data destruction, or whatever actions on objectives threat actors had in mind when targeting the organization.

The obvious goal is to break the attack kill-chain before it reaches the actions on objectives phase. As such, endpoint protection platforms (EPPs) have predominantly focused on disrupting the first four steps of the kill chain, preventing threat actors from installing malware on the targeted endpoint. However, prevention is never 100% bulletproof.

The most radical change companies have made in recent years to address this, is implementing solutions that improve the ability to quickly detect and effectively respond to these types of targeted attacks. This is where the Endpoint Detection and Response solutions (EDR) come in.

Breaking the Unbreakable Shield

In recent years, EPPs were commonly regarded much like Captain America’s shield -- one of the Marvel Universe’s most resilient and almost invulnerable objects. However, on rare occasions, the shield—though it was designed to be indestructible—has failed to protect Captain America. Even though villains with such powers are few and far between, it can happen, just like with an advanced, targeted cyberattack breaking through an EPP.

Similarly, no matter how seriously a company takes security and regardless of what state-of-the-art tools it’s using to prevent cyber-attacks, prevention doesn’t work 100% of the time, especially for sensitive industries or high-profile organizations which are targets of very advanced and persistent attacks. The attacks that manage to elude prevention are typically very insidious, incredibly difficult to detect, and highly damaging to organizations.

Companies need to improve their ability to quickly detect and effectively respond to these types of attacks, investigate incidents for scope and impact, limit damages, and fortify themselves with an enhanced security posture against future attacks.

EDR tools help companies achieve these objectives and are focused on detecting security-related events and incidents, while providing strong instruments for investigation, and capabilities to appropriately respond to incidents. Therefore, in context of the increasing number and sophistication of attacks, the importance of EDR solutions for companies is growing quickly.

Building a Security Ecosystem

Building a strong security ecosystem is about having both the shield and the sword working together to increase the overall security posture of the organization. Integrated EPP and EDR means evolved security over time. A strongly integrated platform will enable security teams to incorporate the threat intelligence into improving the security posture of the organization, by adapting security policies to block identified threats or by eliminating vulnerabilities through security patching. A platform developed from the ground up as an integrated solution enables superior operational effectiveness. It’s faster and cheaper to acquire, easier to deploy, consumes less endpoint resources and saves time for the security team.

Having all these built into a single platform can help provide enterprises with prevention, detection, automatic response, threat visibility and one-click resolution capabilities to accurately defend against even the most sophisticated cyber threats and to be prepared even if their virtually invincible shield cracks.

Copyright 2010 Respective Author at Infosec Island]]>
4 Cybersecurity Tips for Staying Safe During the World Cup Wed, 13 Jun 2018 04:20:00 -0500 The World Cup is only days away and everyone is on their way to Russia or simply planning when they will stream the games they care most about online.

When it comes to traveling, it is critically important to know how cyber criminals target their victims, what travelers can do to reduce the risk, and ways to make it more challenging for attackers to steal their important company or personal information, identity or money.

As the first games approach, here are four cybersecurity best practices that you can use to stay safe during the 2018 World Cup.

1.  Don’t lose your data, stay protected and relax.

While on vacation or at the World Cup, it is a common place for things to get lost, misplaced or stolen. It can happen in an instance by simply forgetting your laptop on the bus or the taxi, or by being distracted chasing after your children – all while someone else walking away with your tablet or laptop. Whether it’s your personal or company laptop this can lead to major security risks, compromising your data. Realistically, this is the last thing you want ruining your trip.

Tip: Backup, update and encrypt. Before you leave for the World Cup, make sure you back up all devices and data. Double check that all security updates are applied, and finally check your security settings. For example, ensure your sensitive data is encrypted. 

2. Beware of social logins and limit the use of application passwords.

Almost every service you sign up for while on such trips now requests you connect using your social media accounts to gain access to whatever it is you are trying to do. The problem with using your social media account for these services is that you are providing and sharing personal details about yourself. This means you are giving these services the ability to continuously access your location, updates and personal information. 

Tip: Use unique accounts, rather than social logins as those accounts get compromised, and cyber criminals could cascade to all the accounts using the social login.

3. Beware of what you do over public Wi-Fi.

Always assume someone is monitoring your data over public Wi-Fi. Do not access your sensitive data, such as financial information over public Wi-Fi. Do not change your passwords and beware of entering credentials while using public Wi-Fi.  If you have a mobile device with a personal hotspot function, use this over public Wi-Fi. During vacations, it can be expensive if you decide to use the highly expensive data roaming options from telecommunication companies, so when using public Wi-Fi during vacation always make sure to use it with caution, securely and with the following tips in mind. 

Tip: Do not use a public Wi-Fi network without a VPN. Instead, use your cell network (3G/4G/LTE) when security is important.  When using public Wi-Fi, ask the vendor for the correct name of the Wi-Fi access point and whether it has security. It is common for cybercriminals to publish their own Wi-Fi SID with similar names. Disable Auto Connect Wi-Fi or Enable “Ask to Join Networks.” Many cybercriminals will use Wi-Fi access points with common names like “Airport” or “Cafe” so your device will auto connect without your knowledge. Do not select to remember the Wi-Fi network.  Use the latest web browsers as they have improved security for fake websites. This prevents someone from hosting their own websites, like Facebook, waiting for you to enter your credentials. Do not click on suspicious links - even via social chats like videos that contain your photos - and beware of advertisements that could direct you to compromised websites. Use a least privileged user or standard user while browsing, as this will significantly reduce the possibility of installing malicious malware. 

4. Before “clicking,” stop, think and check if it is expected, valid and trusted.

We are a society of clickers; we like to click on things (like hyperlinks for example). Always be cautious of receiving any messages with a hyperlink. Before clicking, ask yourself – “Was this expected?”, “Do I know the person who is sending this?” On occasion, check in with the actual person if they sent you an email before you aimlessly click on something in which might be malware, ransomware, a remote access tool or a virus that could steal or access your data. Nearly 30 percent of people will click on malicious links and we need to be more aware and cautious.    

Tip: Before clicking, stop and think. Check the URL, make sure the URL is using HTTPS. In addition, check if the URL is coming from a legitimate source. Discover where the hyperlink is taking you before you click on it as you might get a nasty surprise.       

The World Cup is a time to relax and enjoy the amazing games. It can be a great experience as long as you stay safe while attending (or watching online). If followed, these best practices will help you avoid becoming the next victim of cybercrime.

About the author: Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).

Copyright 2010 Respective Author at Infosec Island]]>
Machine Learning vs. Deep Learning in Cybersecurity – Demystifying AI’s Siblings Wed, 13 Jun 2018 00:19:52 -0500 Beginning in the 1950s, artificial intelligence (AI) was used as an umbrella term for all methods and disciples that result in any form of intelligence exhibited by machines. Today, nearly all software in every industry – especially in security – use at least some form of AI, even if it is limited to basic manually coded procedures. ESG research found that 12 percent of enterprise organizations have already deployed AI-based security analytics extensively, and 27 percent have deployed AI-based security analytics on a limited basis. It is expected that these implementation trends will only gain momentum in 2018.

During the past few years, the major subsets of AI – machine learning and deep learning – have progressed, transforming nearly every field they touch. Nowadays the terms “artificial intelligence, “machine learning,” and “deep learning” are used widely, however differentiating between the three, and knowing which is best for your business goals, can be confusing. To fully understand each term and what they mean, it’s worth taking a look at each subfield’s advantages and limitations.

The Challenges of Machine Learning

For the last 25 years, machine learning was the leading sub-field within AI. The technology allows computers to learn without being explicitly programmed and in the 2000s, machine learning methods completely dominated AI by outperforming all non-machine, learning based results.

Despite its success, the technology comes with obstacles, especially when applied to security. One of the major limitations of traditional machine learning is its reliance on feature extraction, a process through which human experts dictate what the important features (i.e., properties) of each problem are. This means that in order for a machine learning solution to recognize a malware, experts need to manually program the various features that are associated with a malware. For the cybersecurity field in particular, this means that solutions are limited in detecting unknown attacks. Due to the need for humans to define specific features, the features of attacks that haven’t been revealed yet still need to be analyzed, leaving them unable to be detected.

However, this reliance on human involvement introduces one of the biggest challenges of machine learning – the potential for human error. Given feature engineering requires a human domain expert to define features – features can often be overlooked. In thinking about the example of the malware given above, if during programming certain characteristics are omitted, the system breaks down. In order for a machine learning system to be accurate, human domain experts must be methodological in defining features, and continuing to define them. This is because machine learning is a linear based model, meaning the features selected by a human domain expert can only lean on simple linear properties. Given these confines, companies have been shifting to deep neural networks (DNN) to better secure their infrastructures and prepare for impending attacks.

Deep Learning Evolves

Deep Learning, also known as deep neural network, is a sub-field of machine learning, and takes inspiration from how our brains work.The big conceptual difference between deep learning and traditional machine learning is that deep learning is capable of training directly on raw data without the need for feature extraction. For example, when applying machine learning to face recognition, the raw pixels in the image cannot be fed into the machine learning module, but instead they must first be converted into features such as distance between pupils, proportions of the face, texture, color, etc. On the other hand, deep learning is capable of training directly on the raw data without any need for feature extraction.Additionally, deep learning scales to hundreds of millions of training samples, and continuously improves as the training dataset becomes larger and larger.

Over the past few years, deep learning has reached a 20-30 percent improvement in most benchmarks of computer vision, speech recognition, and text understanding – the greatest leap in performance in the history of AI and computer science. This is in part due to deep learning’s ability to detect non-linear correlations between data that are too complex for humans to define. Unlike traditional machine learning, deep learning supports any and new file types and has the ability to detect unknown attacks, a huge benefit to cybersecurity.

While these advantages surpass those of machine learning based solutions, deep learning does face some challenges. Researchers work with a very large data sample of millions of files to train the neural network and are dealing with highly complex algorithms. In many cases, deep learning is an “art” that relies on scientist’sexperience and knowhow, and unfortunately there is a scarcity of experts available.

The Impact of Deep Learning on Security

Deep learning has been implemented across a variety of industries making a big impact, especially in cybersecurity. The biggest malware attacks of 2017 – think WannaCry, NotPetya, DDoS incidents – made companies rethink their security strategies and reactive approach to future attacks. Throughout the cybersecurity industry, there is an ongoing need to respond to cyberattacks in real-time with minimal human interaction. As a result, organizations are turning to deep learning-based solutions due to the fact that eliminates human interaction.

Deep Learning’s ability to prevent new, never before seen malware in real-time without any human involvement, all while maintaining low false positive alerts, is a huge benefit to securing enpoint, mobile devices, data and infrastructures. After the malware is prevented, deep learning technology helps companies understand what kind of malware it is i.e. ransomware, backdoor or spyware to take further security actions needed. In most cases this takes experts to properly analyze the information, however deep learning software identifies and analyzes the data automatically, without any need for human involvement.

Similarly, the technology can be leveraged to determine where a specific attack originated from. In the past, this has been a difficult task for IT and Security teams to do for a variety of reasons. For example, each nation-state has usually more than one cyber unit that develops such advanced malware, rendering traditional authorship attribution algorithms useless. In addition, APT’s use state-of-the-art evasion techniques. However, DNN has the ability to learn high level feature abstractions of the APTs itself.

It will be exciting to observe deep learning’s continued success in security throughout 2018, and it won’t stop there. Beyond security, deep learning is revolutionizing many other industries, from climate mapping to combatting aging and disease – the implications of the technology are far reaching.

About the auyhor: Mr. Caspi is a seasoned CEO and leading global expert in cybersecurity, big data analytics and data science. A pioneer technologist by the world economic forum in Davos.

Copyright 2010 Respective Author at Infosec Island]]>
Building a Strong, Intentional and Sustainable Security Culture Sun, 10 Jun 2018 23:42:00 -0500 Here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will “win out” over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture. But how do you achieve this to ultimately build a strong, intentional and sustainable security culture? There are four secrets to success.

1.Take stock of where you are and where you are going

Without a plan and a path, you are sure to get lost! The key to implementing secret #1 is to leverage a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework – one I recommend is the Michael Hyatt version– a bit more on the topic can also be found here. (SMARTER = Specific, Measurable, Actionable, Risky, Time-keyed, Exciting, Relevant.)

2. View security awareness through the lens of organizational culture

Organizational culture and security culture are not one in the same. However, they need to be closely knit.   

Organizational culture is not the sum of roles, processes and measurements; it is the sum of subconscious human behaviors that people repeat based on prior successes and collectively held beliefs. Similarly, security culture is not (just) related to "awareness" and "training"; it, too, is the sum of subconscious human behaviors that people repeat based on prior experiences and collectively held beliefs.

Culture is shared, learned and adaptive, but it can be influenced. It takes a group working collectivity and it begins with the leaders.

To impact change and behavior, you must be aware of, and work from within, the existing culture. Does your organization have a marketing organization that helps with internal communications? If so, understand how they leverage the communication methods, formats, and branding. It’s so important that *your* communications speak with the established voice/tone of the company so that you aren’t seen as un-connected and (worst of all) irrelevant. You also need to get an idea of where there divisional, departmental, and regional nuances. Work within the specific cultural frameworks within each of these segments. And, always be on the lookout for existing communication channels that you can plug-into (e.g. existing meetings, executive videos, etc.) so that you message is interwoven with the other company-centric messages.

3. Leverage behavior management principles to help shape good security hygiene

Let’s start by recognizing that just because you’re aware, doesn’t mean that you care!  

Security awareness and security behavior are not the same thing. Your security awareness program shouldn’t focus only on information delivery. There are plenty of things that people are aware of but may just not care about – we need to make people care. 

Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices.

The idea is that we need to create engaging experiences for users to drive specific behaviors. (Check out BJ Fogg’s work for more on great examples of behavior model and habit creation).

An example of this would be simulated phishing platforms. These distill some of the fundamentals of behavior management into an easy to deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim for the simulated attack. Do this frequently, and you will see dramatic behavior change. 

4. Be realistic about what is achievable in the short-term and optimistic about the long-term payoff

Be a realistic optimist within your organization. What can you impact today? Know your place and your scope of influence and remember that culture starts at the top.

Understand the foundation of your culture and then create a customized roadmap for security culture management. To do so, you must evaluate four areas: 

  • "How we make decisions" outlines the general leadership style and how this affects the outcomes of the organizational culture.
  • "How we engage" focuses on how people collaborate internally and with external stakeholders to deliver on their goals.
  • "How we measure" describes organizational performance metrics, and how they affect organizational achievements.
  • "How we work" defines the working style of teams, how solutions are created, and problems are solved, which affects organizational outcomes.

By understanding these four attributes of organizational culture, security leaders and corporate leaders can make informed choices when trying to change cultures and improve an organization’s overall defense.  

Here is where the rubber meets the road. You’ve got all of the planning out of the way, created SMARTER goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, and so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization; and that sometimes means training people how to be trained.

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Copyright 2010 Respective Author at Infosec Island]]>
The 3 Must Knows of Sandboxing Mon, 04 Jun 2018 05:48:53 -0500 Sandboxes have been touted as a high-ranking method to prevent a cyber-attack on organizations because they allow you to test everything before it can affect your production environment. But does that come with a cost and are they as effective as vendors would like us to believe?

Play Time in the Sandbox?

Most of us know a sandbox as a fun place that children play in at the playground. Similarly, for IT professionals, sandboxes have often been considered a safe place to develop and test code before it’s launched into production environments. For security professional though, sandboxing has been seen as a way to spot zero-day threats and stealthy attacks. However, as the “arms race” between invader and defender continues, malware authors have continuously found clever ways to evade sandbox detection.

Many IT security professionals and CISOs continue to rely too heavily on a sandboxing strategy alone to protect their resources. Meanwhile, the bullies of the cyber world are continuously finding new ways to “play” in the sandbox.

Myth vs. Reality

While sandboxes do provide a layer of prevention in your cyber threat prevention strategy, they come with a tax that may be too high for most organizations to pay. The three myths commonly associated with a sandbox technology for your cyber threat prevention strategy include:

Myth: Sandboxes are Fast

Reality: Sandboxes are slow: By definition of how sandboxes operate, all data that enters your operating system, network or application will need to pass through the sandbox and detonated to determine if any malware is hidden. This can add significant delays in communication, especially in organizations with tens of thousands to millions of emails and files transferred daily.

Myth: Sandboxes are Cost Effective

Reality: Sandboxes are resource intensive (read it’s expensive): The necessary hardware to create a secure sandbox is directly dependent on your application environment as you will have to duplicate every scenario in order to test for the possibility of a cyber breach. This can be expensive from a hardware and software perspective, but also the human resources necessary to keep those environments current with latest updates is also not insignificant.

Myth: Sandboxes Alone are Fool-Proof

Reality: Sandboxes can be spoofed: Sometimes a belief in a fool-proof method to prevent cyber-attacks are too good to be true. So much so that hackers even publish methods to crack sandbox vulnerabilities.                      

Today’s enterprise networks are no longer defined by its perimeters, with services that span public and private environments, diverse infrastructure underlays, and a growing number of application options and sources.

The Sandbox Alternative

Businesses truly looking to prevent –  and not remediate – cyber-attacks need to consider a platform with an evasion-proof approach that does not require sandboxing. By doing so, the customer will be empowered with the right degree of flexibility to deliver end-to-end security across a changing threat landscape.

Whether on-premise or in the cloud, the platform should operate consistently, totally separating environment variables from security logic. Similarly, the platform should be agnostic to the underlying infrastructure implemented and able to protect in hybrid environments – including a mix of virtual, hardware, and XaaS-consumed infrastructure. To provide true end-to-end security, the platform needs to provide customers the flexibility and consistency that is not restricted to a certain vertical.

While sandboxes do provide a layer of prevention in a cyber threat prevention strategy, they come with a tax that may be too high for most organizations to pay.

About the author: Boris Vaynberg co-founded Solebit LABS Ltd. in 2014 and serves as its Chief Executive Officer. Mr. Vaynberg has more than a decade of experience in leading large-scale cyber- and network security projects in the civilian and military intelligence sectors.

Copyright 2010 Respective Author at Infosec Island]]>
Valve Patches 10-Year Old Flaw in Steam Client Thu, 31 May 2018 11:42:32 -0500 A remote code execution (RCE) vulnerability that existed in the Steam client for at least 10 years was fully patched only in March this year, according to security firm Context Information Security.

In July last year, Valve added modern exploit protections (Address Space Layout Randomisation – ASLR) to the Steam client, thus partially patching the RCE. According to Context senior researcher Tom Court, exploitation following this patch would have simply crashed the client.

Before that, however, all of the 15 million active Steam clients were vulnerable to RCE, the researcher claims.

The flaw was essentially a remotely triggered heap corruption within the Steam client library. The bug resided in “an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets,” Court explains.

The Steam client communicates using a custom protocol that uses UDP and the bug resulted from the lack of a check to ensure that “for the first packet of a fragmented datagram, the specified packet length was less than or equal to the total datagram length.” The check, however, was present for all subsequent packets carrying fragments of the datagram.

Because the steam client had a custom memory allocator and lacked ASLR on the steamclient.dll binary, the bug could have been abused for remote code execution.

An attacker looking to exploit the issue would first have had to learn the client/server IDs of the connection, along with a sequence number. Next, the attacker would have had to spoof the UDP packet source/destination IPs and ports, as well as IDs, and increment the observed sequence number by one.

Steam uses a custom memory allocator that divides the large blocks of memory requested from the system allocator and then performs sequential allocations with no metadata separating the in-use chunks. Each large block has its own freelist, implemented as a singly linked list, the researcher explains.

Depending on the size of the packets used to cause the corruption when the buffer overflow occurs in the heap, the allocation is controlled by either Windows or Steam, with the latter found to be much easier to exploit.

“Referring back to the section on memory management, it is known that the head of the freelist for blocks of a given size is stored as a member variable in the allocator class, and a pointer to the next free block in the list is stored as the first 4 bytes of each free block in the list,” the researcher explains.

The heap corruption allows an attacker to overwrite the next_free_block pointer if a free block exists next to the block where the overflow occurs. If the heap can be controlled, the attacker can set the overwritten next_free_block pointer to an address to write to, and all subsequent allocation will be written to this location.

Because packets are expected to be encrypted, “exploitation must be achieved before any decryption is performed on the incoming data,” Court says.

This is achievable by overwriting a pointer to a CWorkThreadPool object stored in a predictable location within the data section of the binary, which allows the attacker to fake a vtable pointer and associated vtable, thus gaining execution, and a ROP chain can be created to execute arbitrary code.

“This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections. The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts,” the researcher notes.

Court also points out that developers should periodically review aging code to ensure they conform to modern security standards, even if they continue to function.

Valve was alerted on the bug on February 20 this year and addressed it in the beta branch in less than 12 hours, but the patch landed in the stable branch only on March 22.

Related: Vulnerability Allowed Hackers to Hijack Steam Accounts

Related: Details of 34,000 Steam Users Exposed During DDoS Attack

Copyright 2010 Respective Author at Infosec Island]]>
Infrastructure Under Attack Thu, 31 May 2018 01:25:23 -0500 What makes a DDoS attack different from an everyday data breach? The answer is embedded in the term: denial of service. The motive of a DDoS attack is to prevent the delivery of online services that people depend on. Financial institutions, gaming and e-commerce websites are among the top targets of DDoS attacks, as are cloud service providers that host sites or service applications for business customers. Even a brief disruption of service delivery can cost an enterprise millions in lost business, not counting the after-effects of alienated customers and reputational damage.

Because DDoS attacks and data breaches are so different in nature, conventional security infrastructure components used to combat breaches – perimeter firewalls, intrusion detection/preventions systems (IDI/IPS) and the like – are comparatively ineffective at mitigating DDoS attacks. These security products certainly have their place in a layered defense strategy, serving to protect data confidentiality and integrity. However, they fail to address the fundamental issue in DDoS attacks, namely network availability.

In fact, these components themselves are increasingly the target of DDoS attacks aimed at incapacitating them. The 13th annual Worldwide Infrastructure Security Report (WISR), NETSCOUT Arbor’s annual survey of security professionals in both the service provider and enterprise segments, uncovered a significant increase in DDoS attacks targeting infrastructure over the previous year. Among enterprise respondents, 61% had experienced attacks on network infrastructure, and 52% had firewalls or IPS devices fail or contribute to an outage during a DDoS attack. Attacks on infrastructure are less prevalent among service providers, whose customers are still the primary target of DDoS attacks. Nonetheless, 10% of attacks on service providers targeted network infrastructure and another 15% targeted service infrastructure.

Meanwhile, data center operators reported that 36% of inbound attacks targeted routers, firewalls, load balancers and other data center infrastructure. Some 48% of data center respondents experienced firewall, IDS/IPS device and load-balancer failure contributing to an outage during a DDoS attack, an increase from 43% in 2016.

Infrastructure components are particularly vulnerable to TCP State Exhaustion attacks, which attempt to consume the connection state tables (session records) used by load balancers, firewalls, IPS and application servers to identify legitimate packet traffic. Such attacks can take down even high-capacity devices capable of maintaining state on millions of connections. In the latest WISR, TCP State Exhaustion attacks accounted for nearly 12% of all attacks reported.

In spite of their vulnerability, firewalls, IPS and load-balancers remain at the top of the list of security measures organizations say they employ to mitigate DDoS attacks. Among service providers, firewalls were the second most reported DDoS mitigation option, while on the enterprise side, firewalls were the first choice of 82% of respondents. It is somewhat discouraging that some of the most popular DDoS mitigation measures are also the least effective, given the ease with which a state-based attack can overwhelm them.

On a positive note, however, the increased frequency of DDoS attacks reported in our 2016 survey appears to have driven wider adoption of Intelligent DDoS Mitigation Systems (IDMS) in 2017. About half of respondents indicated that an IDMS was now a part of perimeter protection, a sharp increase from the previous year’s 29%.

Any organization that delivers services over the web needs strong, purpose-built DDoS protection. Security experts continue to recommend as best practice a hybrid solution combining on-premise defenses and cloud-based mitigation capabilities. Specifically with regard to attacks on network infrastructure, a dedicated DDoS on-premise appliance should be deployed in front of infrastructure components to protect them from attacks and enable them to do their job unimpeded.

About the author: Tom has worked in the network and security industries for more than 20 years. During this time, he has served as a Network Engineer for large enterprises and has had roles in Sales Engineering /Management, Technical Field Marketing and Product Management at multiple network management and security vendors. Currently, as Director of DDoS Product Marketing at NETSCOUT Arbor he focuses on Arbor’s industry leading DDoS Protection Solutions.

Copyright 2010 Respective Author at Infosec Island]]>