Infosec Island Latest Articles https://infosecisland.infosecisland.com Adrift in Threats? Come Ashore! en hourly 1 Conflicted External Auditors at Heart of Equifax Data Breach https://www.infosecisland.com/blogview/25149-Conflicted-External-Auditors-at-Heart-of-Equifax-Data-Breach.html https://www.infosecisland.com/blogview/25149-Conflicted-External-Auditors-at-Heart-of-Equifax-Data-Breach.html Thu, 13 Dec 2018 11:49:00 -0600 The US House Committee on Government Oversight and Reform published the results of its investigation into the Equifax breach, calling it “entirely preventable.” The report highlighted multiple problems, but two issues stand out: overall incompetence by Equifax’s IT security staff, and a reliance on “legacy” systems literally from the 1970’s.

What has not been discussed, however, is the fact that since 2011 Equifax held third party certification to ISO 27001, the international standard for information security management systems. Companies typically pursue this certification in order to prove the excellence of their cybersecurity systems, and with such a certificate in hand, companies can gain the right to bid on government and industry contracts. More and more, Federal agencies require ISO 27001 certification as a minimum qualifier.

It does not seem possible that Equifax could have achieved ISO 27001 certification, given that it requires annual third-party audits of not only their documented procedures, but also their hardware and facilities. It’s not clear how auditors could have missed equipment from the 1970s and, as the House report indicated, procedures that were grossly inadequate.

It begins to make sense, however, when one examines the entire ISO certification scheme and the actors involved. Companies like Equifax pay a “certification body” (CB) to audit it every year against the given standard, in this case ISO 27001. The CB is authorized to conduct this activity on the basis of their own accreditation, granted by an “Accreditation Body” (AB). The ABs audit the CBs every year against another ISO standard, ISO 17021. The ABs get their authority through membership in the International Accreditation Forum (IAF), through which they are audited under a different standard, ISO 17011. This network of auditing bodies and standards exists to ensure the results are valid, and not corrupted by conflicts of interest.

The problem is that the scheme itself is built upon a conflict of interest: each party pays their auditor, so there’s little incentive for any auditor to actually find problems. If a CB de-certifies a client, they lose that client. If an AB de-accredits a CB, they lose that CB. And so on. Those at the top have the most to lose financially, so have the least incentive to do their job. As a result, failing an audit is very, very rare.

In the case of Equifax, the arrangement was even more conflicted. Equifax’s ISO 27001 certification body was CertifyPoint, a division of Ersnt & Young. According to CertifyPoint’s public records, they issued Equifax its ISO 27001 certificate in 2011; it now lists the certificate as expired. According to Annual Reports published by Equifax, its ISO 27001 certificate was suspended in 2017, only after the data breach. This means that from 2011 through until the breach, CertifyPoint was conducting annual IT security audits on Equifax, and awarding them a certificate each year. The certificate was only pulled after the breach was reported by news outlets.

But it gets worse. According to reporting by Marketwatch, Equifax was using accounting auditors from the financial division of Ernst & Young. That article quoted Bentley University professor Dr. Rani Hoitash who explained that while financial accountants would not directly audit IT systems, “Auditors, however, are required to look at policies and practices related to financial reporting-related information technology systems and data early in the annual audit process.”

This, then, raises serious concerns about Equifax’s external auditors. EY financial auditors would be disincentivized to raise findings regarding the company’s IT security systems because that would reflect poorly on EY’s CertifyPoint auditors, who had otherwise blessed them. The conflict extends in the opposite direction as well, as CertifyPoint auditors would be hesitant to raise any issues that might impact poorly on EY’s financial auditing team.

Ironically, Equifax hired EY after its prior auditing firm, Arthur Andersen, was indicted and eventually shut down because of auditor-related conflicts of interest discovered during the Enron scandal. That incident resulted in the Sarbanes-Oxley law, which provides legislation to control conflicts between financial auditors and financial consultants. There are currently no laws governing conflicts of interest in the ISO certification scheme, however.

To date, representatives of CertifyPoint and its accreditation body, Raad Voor Accreditatie (RvA), are not answering questions on why none of them raised any concerns regarding Equifax’s poor controls and systems, which are now a matter of public record. Also silent is the IAF, which oversees the entire scheme.

It’s likely, therefore, that more such incidents will occur despite companies holding ISO certificates that claim their systems are fully compliant to international standards. Until regulators start paying attention, or until the IAF is called before Congress to testify on just what is happening on its watch, these problems will only worsen. 

About the Author: Christopher Paris is an aerospace quality management consultant, author and industry watchdog. His company, Oxebridge Quality Resources, provides independent reporting on the ISO certification scheme and its conflicts of interest.

Copyright 2010 Respective Author at Infosec Island]]>
Chrome 71 Patches 43 Vulnerabilities https://www.infosecisland.com/blogview/25146-Chrome-71-Patches-43-Vulnerabilities.html https://www.infosecisland.com/blogview/25146-Chrome-71-Patches-43-Vulnerabilities.html Fri, 07 Dec 2018 09:43:50 -0600 Google this week released Chrome 71 to the stable channel with 43 security fixes inside, as well as with a series of additional protections to improve the overall user experience.

The new browser release completely eliminates inline installation of extensions by stripping Chrome off the inline install API method. Google set off on the path to remove the inline installation from its browser in June, when it prevented newly published extensions from accessing the option.

Chrome 71 also notifies users of unclear subscription pages, but only when it detects that the accessed page does not provide sufficient billing information. The warning will be displayed to both desktop and mobile users, and Google will also contact the affected webmasters to address the issue.

To further improve the user experience, Google has added protections from websites that employ abusing ad experiences, which are often used by scammers and phishers to steal user information. Chrome 71 will remove all ads on sites with persistent abusive experiences.

The new application release also patches tens of security vulnerabilities, including 34 issues that were reported by external researchers. Of these, 13 were rated High severity, 15 were Medium risk bugs, and 6 were considered Low severity.

Some of the most important security bugs addressed in Chrome 71 include use after free issues in PDFium, Blink, WebAudio, and MediaRecorder; out of bounds writes in V8; heap buffer overflows in Skia, Canvas, and Blink; inappropriate implementation in Extensions, and various issues in SQLite via WebSQL.

The resolved Medium risk bugs include inappropriate implementations in Site Isolation, Navigation, Omnibox, Media, and Network Authentication; insufficient policy enforcement in Blink, Navigation, URL Formatter, and Proxy; incorrect security UI in Blink; insufficient data validation in Shell Integration; use after free in Skia; and out of bounds read in V8.

The Low severity issues included inappropriate implementation in PDFium and Navigation; use after free in Extensions; and insufficient policy enforcement in Navigation and URL Formatter.

In its advisory, Google revealed it paid nearly $60000 in bug bounties to the security researchers who reported these bugs. Rated Medium, the inappropriate implementation in Site Isolation (CVE-2018-18345) was awarded the highest bug bounty, at $8000.

Related: Google Removes Inline Installation of Chrome Extensions

Related: Chrome 70 Updates Sign-In Options, Patches 23 Flaws

Copyright 2010 Respective Author at Infosec Island]]>
Trojan Horses for the Mind https://www.infosecisland.com/blogview/25145-Trojan-Horses-for-the-Mind.html https://www.infosecisland.com/blogview/25145-Trojan-Horses-for-the-Mind.html Fri, 07 Dec 2018 08:59:45 -0600 In our lives as security professionals, we worry about software acting as a Trojan Horse, sneaking malware past our system defenses and on to vulnerable devices. What if I told you that I’m a big fan of Trojan Horses? It’s true; but I’m a fan of a different kind of Trojan Horse. I’m a fan of finding Trojan Horses for the mind. Here’s what I mean: when designed well, our messaging can sneak past mental defenses and noise. In other words, the way we design and deliver our messages can become a Trojan Horse.

There are several Trojan Horses that we can summon to help with our awareness campaigns. Today, let’s focus on emotion.

Emotion

People tend to make decisions based on emotion and then build a case for their decision based on logic. This is hugely important for us to keep in mind when developing security awareness messaging. People will experience emotion when interacting with messages, even if we don’t intentionally put it there. So, we are at a disadvantage when we aren’t actively engaged in bridging our audience to an emotion that will be helpful to our cause. When developing messaging, you have to develop for both the information and the emotion that we want to convey with the message.

Now, I’m not saying that I want you to make your security messages sad, or fearful, or angry. But you owe it to yourself and your people to connect your security messages with emotions that will add context to, and enrich the meaning of, the information that you are trying to get across. Once someone can intellectually and emotionally place themselves within the context of a situation, they are more likely to appreciate the meaning. And emotion allows the meaning to become rooted within the person’s memory.

Consider both the positive and negative outcomes of the security value or behavior that you are promoting. And do this across several levels. Think through (or better yet, list out) any positive and negative outcomes that someone may have if they internalize and act upon the information contained in your message. Once you’ve listed the positive and negative outcomes associated with the security value or behavior, link each of these outcomes to positive and negative emotions. What emotions can be discovered? What is the juxtaposition of emotions associated with the outcomes for someone who would follow your security message verses someone who doesn’t? What stories emerge? 

One of the most useful states we can induce within our audience is curiosity. Curiosity isn’t an emotion, it’s a feeling. Curiosity emerges when our interest is piqued by a stimulus (like a loud noise from the other room) and we lack sufficient data to fill in the knowledge gap caused by the stimulus (thus making you ask yourself what caused the noise).

You’ve probably heard the term clickbait – it refers to many of the headlines that you see in your social media and newsfeeds. The headline is often written in such a way as to hint at some bit of information that will be provided in the underlying article; but the headline intentionally leaves out a critical piece of the puzzle. After reading the clickbait headline, your mind urges you to fill in that piece of the puzzle. The only way to scratch the mental itch is to click the headline and engage with the content. An example would be:

“5 Things you Need to Know about Security Behavior. # 4 will Change Your Program Forever!”

And now your brain is drawn-in. It’s curious as to what the five things are. This mental itch is called a curiosity gap. The reason that curiosity can be useful is because, when used well, curiosity motivates a person to seek out and engage information to fill the gap in their knowledge. That volitional aspect of the engagement makes a big difference in how they internalize the content.

Copyright 2010 Respective Author at Infosec Island]]>
5 Cybersecurity Predictions for 2019 https://www.infosecisland.com/blogview/25144-5-Cybersecurity-Predictions-for-2019-.html https://www.infosecisland.com/blogview/25144-5-Cybersecurity-Predictions-for-2019-.html Tue, 04 Dec 2018 05:25:24 -0600 As we wrap up 2018, we can clearly look back on a major year for cybersecurity. “Another day, another breach” became a common phrase as attackers ran rampant, feasting on organizations of various sizes and industries around the globe.

But with the disasters came greater awareness and appreciation for cybersecurity. It’s no longer a concern confined to IT departments as governments and business leaders have realized the need to secure their data.

The year is coming to a close. Therefore, it is important to analyze developing trends and prepare for the ever-changing threat landscape. In 2019, we can expect new attackers with new techniques to join the current cybercriminal coterie, but that doesn’t mean current threats will dissipate — particularly attacks that rely on the theft of privileged credentials. We will see more action — both offensive and defensive — from governments as the political and economic climates continue to be penetrated by cybercriminals. We can also expect increased punishment, from legal and illegal actions, for organizations that fail to protect data.

As we head into 2019, here are a few cybersecurity predictions for the year to come:

Governments will launch (more) cyber offensives

Governments have been developing cyber weapons for years and many have been covertly engaging in attacks against other countries, spawning near-war scenarios. As the world has become somewhat callous to the threat of nuclear arms, cyber weapons have enabled countries to disrupt citizen societies and political stability. In 2019, we will likely see governments reveal their offensive cyber capabilities and demonstrate their power to cause social and political harm without ever even crossing borders.

Compromised privileges and individual email accounts will remain the most-targeted attack vector

In 2019, email and stolen privileges will continue to be the primary method of bypassing organizations’ security to inhibit services, disrupt productivity, steal sensitive data or conduct financial fraud. Heightening security to limit the impact and risk of emails and privileges should be the top priority for organizations to reduce their vulnerability to cyberattacks. By controlling inbound email content and implementing a least-privilege strategy, you can significantly reduce cyber risk.

Regulations get tough and the rest of the world to update laws for data protection

The world is ramping up data protection laws, continuing the mission of the EU’s GDPR and the California Consumer Privacy Act. New legislation is being written as the value of data in the global economy continues to skyrocket, now exceeding the value of oil in becoming the most valuable asset. Governments have now seen that importance of protecting their citizens’ sensitive personal data and punishing corporations for failure to protect individuals’ data., particularly organizations that are profiting from the data. In 2019, we will see the rest of the world continue to increase legislation related to personal data and IoT (Internet of Things) devices to ensure that the standards of cybersecurity in place to protect data are at a standard equal to the value of the data itself.

Hefty costs for cybersecurity deficiencies

The new data protection laws have serious financial penalties for organizations that fail to secure personal data. We also saw some serious financial fallouts from cyberattacks this year, with Uber agreeing to pay $148 million from their data breach that occurred in 2016 and both Equifax and Facebook fined £500,000 (the maximum penalty possible under the previous UK data protection law). In 2019, we are going to see some hefty financial penalties with Facebook, Google and British Airways all under to microscope, which could prompt the first billion-dollar data breach fines for failure to secure and protect personal data.

Machines to attack humans

With so many connected devices heading into 2019, we are very likely to see machines begin attacking people. Yes — machines will be used to target humans with cyberattacks and many of those machines will be controlled by other humans. Cyberattacks will start to have a direct impact on humans and possibly cause physical harm or eventually even death. You can go as far as saying we might see a vacuum cleaner chase your kids around the room, your fridge spit water in your face, a kettle boil water to extreme temperatures, or even your car crashing into another car — all resulting from malicious acts to attack humans. IoT could potentially become an assassin and attacks could easily be carried out across country borders. At least in 2019 these devices are being controlled by other humans, but with AI (Artificial Intelligence) we may lose this control to devices in the future.

About the author: Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).

Copyright 2010 Respective Author at Infosec Island]]>
OceanLotus Targets Southeast Asia in New Watering Hole Campaign https://www.infosecisland.com/blogview/25143-OceanLotus-Targets-Southeast-Asia-in-New-Watering-Hole-Campaign.html https://www.infosecisland.com/blogview/25143-OceanLotus-Targets-Southeast-Asia-in-New-Watering-Hole-Campaign.html Mon, 03 Dec 2018 12:02:00 -0600 A cyber-espionage group believed to be operating out of Vietnam has compromised over 20 websites as part of a watering hole campaign targeting users in Southeast Asia, ESET reports.

As part of the attacks, which are believed to have been active since September 2018, the websites of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, as well as several Vietnamese newspaper or blog websites were compromised.

The actor behind the attacks is believed to be OceanLotus, a group of cyber-spies active since at least 2012 and also known as APT32 and APT-C-00. The new campaign, ESET’s security researchers say, appears to be an evolution of a watering hole scheme documented in 2017.

The new campaign shows the use of various techniques to hinder analysis, such as public key cryptography to exchange an AES session key used to encrypt further communications, and the use of WebSocket to hide their malicious communications.

The security researchers have identified 21 distinct websites compromised in the attack, each of them redirecting to a separate domain controlled by the attackers. Most of the websites are related to news media or the Cambodian government. Although the victims were notified in October, most of the websites continue to serve the malicious script injections, ESET says.

The attackers added JavaScript code to a page of the compromised websites, to load another script from a server controlled by the attackers. The scripts are obfuscated to prevent static extraction of the final URL, which looks like a real JavaScript library used by the website. Furthermore, different scripts and domains/URI were used for each of the compromised websites.

Based on the IP address of the visitor, either a decoy script (a random legitimate JavaScript library) or the first stage script is delivered. Thus, for the servers that have a location check enabled, only visitors from Vietnam and Cambodia are targeted with malware.

The malicious script contains checks to evade detection. It waits for the victim to scroll on the page, and also checks the resolution of the window and whether the Firebug browser extension is enabled. If the checks pass, it decrypts the command and control (C&C) domain using a custom algorithm.

Next, using WebSocket over SSL, the script sends a unique string to the server and receives and executes a second-stage script, which was designed for reconnaissance purposes. The attackers use a slightly modified version of Valve’s fingerprintjs2 library, which is available on GitHub.

With all communication going through the WebSocket session opened by the first stage, traffic is difficult to detect and decrypt. The recon script builds a report and sends it to the second stage C&C server.

“The report generated contains detailed information about the victim browser and the website visited: the user-agent, the HTTP Referer, the local and external IP address, the browser plugins the browser’s configured language preferences,” ESET reports.

The server can then respond to additional JavaScript code, but the security researchers could not identify in-the-wild examples of payloads sent by the attackers, not to mention that the payloads are only delivered to specific targets. According to previous reports, however, the OceanLotus watering hole campaigns aim to phish victims, the researchers note.

To stay under the radar, the attackers registered a first stage and a second stage domain per compromised website, each hosted on a separate server with a distinct IP address. Overall, they registered more than 50 domains and 50 servers for the campaign.

“Despite being actively tracked by many researchers, the OceanLotus group is still very busy attacking targets in Southeast Asia. They also regularly improve their toolset, including their watering hole framework and their Windows and MacOS malware. The recent updates to their watering hole framework show a level of sophistication never before seen for OceanLotus,” ESET concludes.

Related: "OceanLotus" Spies Use New Backdoor in Recent Attacks

Related: Vietnamese Spies Rival Notorious Russian Group in Sophistication

Copyright 2010 Respective Author at Infosec Island]]>
Securing the BYoD Workplace https://www.infosecisland.com/blogview/25141-Securing-the-BYoD-Workplace.html https://www.infosecisland.com/blogview/25141-Securing-the-BYoD-Workplace.html Wed, 28 Nov 2018 10:27:13 -0600 Letting employees’ personal phones, tablets and laptops loose within your corporate network does not sound like a good idea. But that doesn't mean you can avoid it.

BYoD, or Bring Your own Device, refers to a policy which oversees employees using company networks and data on personal devices. IT staff are often wary of such policies, but management seem to like them as they allow for a more streamlined workflow and a reduction in the sizeable cost of buying and maintaining IT equipment.

Only 49 percent of UK organizations have installed formal BYoD policies, according to SailPoint’s most recent market survey. Of course, this doesn't mean that employees are not using company networks with their own devices; it merely means there's no policy to manage and control that process.

Fears around BYoD are not unfounded. Phishing links, bad intentions and everything in between reinforces the old cliché that humans are the weakest part of any organization. It is entirely understandable why an organization would be afraid of allowing an employee’s device as well as its applications and data onto a corporate network. Still, if you want a secure organization, they’re also a critical part of the solution.

Those fears are not doing anything to stop an increasingly mobile workforce nor the fact that network perimeters are quickly moving out of view.

A draconian ban on personal devices won't halt their use any more than unhinged allowance of personal devices will deal with threats to your network. Both extremes are childish options for a modern company and should be flatly ignored. A sensible way between means, both accepting the reality of personal devices in the enterprise environment and crafting strategies to enable this new functionality, while shielding yourself from the threats it brings. It means getting a policy in place to handle this new reality.

So what do you need to think about when coming up with a BYoD policy?

How you’re going to protect your critical data assets from mistakes, insiders and criminals is entirely dependent on what those critical data assets are. Design cars? Then you’ll need to be protecting intellectual property going in and out of your organization. Sales teams will want to protect client lists and healthcare bodies will need to keep all manner of healthcare records under lock and key. Your first task should be to find what your critical data assets are and deciding on a hygienic way to handle them on personal and corporate devices.

This matters for compliance too. Your BYoD policy will have to be structured around the specific regulatory obligations of your industry. But there is one particular regulation which everyone will have to prepare for: The General Data Protection Regulation.

In the run up to the enforcement of GDPR on May 25th 2018, some have started to view BYoD policies with suspicion. A survey from Strategy Analytics last year showed increasing fears around BYoD on the part of European businesses. Ten percent of those polled said they expected the use of BYoD enabled tablets to decrease with the advent of the GDPR.

Creating a structure for the use of home devices within an organization, some may think, opens it up to compromise when it comes to compliance. After all, what's to stop anyone from loading up their personal laptop with all the personal data they can get their hands on and making for the door?

A good BYoD policy for one.

The GDPR demands that you actively take account for the personal data that you have and how it might it be threatened, before implementing security controls and policies “appropriate to the risk.”

Aside from the personal data that might be handled by employees, you also have to account for the personal data that might be accessed on their personal devices.

Attached to those demands are fines of up to four percent of global turnover, or 20 million euros, whichever is higher. Given those figures, BYoD is an issue which you can no longer ignore.

The good news is there are a number of areas in which a good BYoD policy can ease your path to GDPR compliance. The landmark piece of regulation includes requirements about access control and breach reporting as well as the protection of personal information. A BYoD policy will help in all these areas.

You’ll need to demonstrate your compliance to regulators too, meaning that you will need to have documented policies, audits and reports that show you have an active BYoD policy.

Once you’ve thought through your compliance obligations, you’ll want to think about how you secure your network and data on personal devices. This is known as Enterprise Mobility Management.

For example, being able to remotely monitor and manage mobile sessions in the office or over secure SSL VPNs when users are out of the office is core to secure BYoD.

This matters for the everyday flow of data between personal devices and corporate networks just as much as it does for the actual physical mobility of those devices. Even in a world without hackers, users would still lose and damage their devices. It's important then that critical data is still in your hands even when the device is not.

Organizations should encrypt corporate data and consider solutions that allow you to reach in to a lost device and remotely wipe it of sensitive data, keeping it out of attackers’ hands even if it isn't in yours. Remote wipe technology can be a point of contention, considering you’re also dealing with the device owner’s data.

It’s also worth considering how this fits into your offboarding processes. Similar solutions can make sure that leaving employees don't also leave with critical data and, even more importantly, access to corporate accounts

Even for current employees it might make sense to adopt a Principle of Least Privilege as a guiding reference. It states, simply, that people must be given the fewest possible rights and privileges they need to do their job. If an employee does not need access to a particular area or piece of data, then they should not have it. The proliferation of admin rights on corporate networks is still a leading cause of data breaches and privileged credentials, according to analyst firm Forrester, are misused in 80 percent of attacks. You will want to lock down access as a matter of priority.

Container security solutions can help you separate out your employees’ devices from their potentially hazardous personal data and apps. When using their device for company business, they can work inside a ‘corporate container’ which insulates both corporate and personal environments from risks to privacy and security.

Technological solutions like container security, SSL VPNs and network access controls are critical and can take a lot of the danger potential out of your users’ hands. Still, humans will always be your first line ofdefencewhen it comes to security; they are where a good deal of your efforts has to be focused. Staff must be rigorously educated on what they can and cannot do while using company networks, trained on proper onboarding and offboarding processes and updated on the best practices of cyber hygiene.

This process should ultimately be collaborative. Staff should be asked what they need, and how BYoD implementation would best fit them. Any security policy has to be tailored around those who are wearing or it will tear.

Users will have to be able to access the information and apps they need and easily reconfigure their devices so they can work safely on a corporate network. If they can’t they will find ways to which breach your security.

Gartner has predicted that 20 percent of BYoD programs will fail due to over complexity. To that end, low friction solutions are always the best choice when it comes user-facing security; one that accommodates them is less likely to be violated and more likely to result in a more secure network that works in harmony with its staff. 

BYoD will introduce a variety of unknown quantities to a network, posing a challenge to anyone who is trying to secure that network. But today’s workplace demands the kind of flexibility that BYoD brings and ignoring that fact won't make it go away. A secure organization rises to meet the challenges posed by BYoD instead of letting them fly overhead.

About the author: Scott Gordon is the chief marketing officer at Pulse Secure, responsible for global marketing strategy, communications, operations, channel and sales enablement. He possesses over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations across SaaS, hardware and enterprise software platforms.

Copyright 2010 Respective Author at Infosec Island]]>
Cyber Security Lessons from Abroad – Australia’s Essential Eight https://www.infosecisland.com/blogview/25142-Cyber-Security-Lessons-from-Abroad--Australias-Essential-Eight.html https://www.infosecisland.com/blogview/25142-Cyber-Security-Lessons-from-Abroad--Australias-Essential-Eight.html Wed, 28 Nov 2018 10:23:06 -0600 Cyber risk affects businesses all over the world, so it’s no surprise that countries have developed their own individual mitigation strategies to help combat this threat. But businesses can apply many of these strategies to their organisations to improve their overall cyber security posture, regardless of the geography that they are operating in.

A good example is the Essential Eight, created by the Defence Signals Directorate, the cyber security arm of the Australian Department of Defence (DoD). Designed to prevent the spread of malware, limit the extent of security incidents and support data recovery, the Essential Eight is a collection of best-practice recommendations that businesses can use to bolster their security protocols against attacks online.

The Essential Eight recommends the following actions to prevent malware from executing:

  • Application whitelisting: Creating a list of approved applications that are authorised to run within a system, automatically turning off untrusted operations.
  • Patching applications: Frequent security updates and patches to applications can prevent known vulnerabilities from causing problems, boosting overall cyber defences.
  • Disabling untrusted Microsoft Office macros: Disabling untrusted macros can prevent attackers from using them to download and use malware – a growing threat.
  • Application hardening: Uninstalling, or at least blocking access to, Adobe Flash Player, along with blocking untrusted Java code, can help prevent data and applications from being manipulated.

And the following to limit the impact of a breach and aid data recovery:

  • Backing up data on a daily basis: Regularly backing up data can ensure that important information can be restored quickly and efficiently in a worst-case scenario.
  • Patching operating systems: Operating systems can fall victim to vulnerabilities if they are not regularly patched. 
  • Restricting administrative privileges: Users should only be granted access to the data and applications that are crucial for the role that they are performing, and only those who handle tasks like system management or software installation should be granted these privileges.
  • Multi-factor authentication: Where useraccess to data or systems is subject to multiple forms of identification, such as entry of a unique code, passwords, fingerprint scans or other biometric data.

Used concurrently, these rules can help businesses prevent and mitigate the potential impact of cyber attacks. Importantly, the DoD proactively evolves the guidelines to keep pace with the ever-evolving cyber threat, ensuring that they remain applicable both now and in the future. 

Although each of these measures play important roles in helping organisations identify vulnerable assets and set appropriate defences for their networks and applications, there are two specific steps of the Essential Eight that stand out from the rest: whitelisting applications and restricting administrative privileges.

Application whitelisting

By creating a list of applications that are pre-authorised to be used on devices within a system, organisations can alleviate the potential risk of malware infecting a device, since operations that aren’t contained within the list will automatically be turned off.

Application whitelisting can be particularly useful when deployed by the users who are most likely to be the victim of a cyber attack, such as senior management, system administrators or those who have access to more sensitive data – often those who work in HR or finance departments. 

Enforcing application whitelisting across a company can seem like a daunting task, but the benefits of doing so for high-risk users far outweigh the time and effort required to do so. 

To execute application whitelisting, businesses should:

  1. Pinpoint the applications that are necessary for everyday operations and authorise these to be used across all systems.
  2. Implement a framework and rules to guarantee that only those applications which are on the pre-approved list can be executed.
  3. Maintain and update this framework regularly by using a change management programme.

Application whitelisting should not replace any antivirus or security software that is already being used within an organisation. Instead, it should complement this software by protecting data and lessening the number of vulnerabilities that may be present within the system.

Restricting administrative privileges

In addition to whitelisting, organisations can better secure their networks by restricting admin privileges solely to those who need the ability to change parts of a network or computer system. 

Company-wide admin privileges may be seen as a way of increasing user flexibility, since each individual is able to adapt their devices to suit their own needs, adding applications and changing settings as they please. 

But if this activity is left unsupervised, malicious attackers can more easily infiltrate and infect entire systems by compromising just one device, potentially causing catastrophe across a network. 

Removing this privilege from users who do not need it can bolster network security by eliminating this potential vulnerability. It can also create a more stable network environment, making problems easier to identify and fix, since only a limited number of users will be able to circumvent security settings and make changes to the system. 

Restricting admin privileges can be done by:

  1. Identifying which tasks require admin privileges.
  2. Authorising users for whom admin privileges are necessary.
  3. Creating separate accounts for those users who need admin privileges, whilst ensuring that they only have the admin privileges necessary for their roles.
  4. Regularly reviewing which accounts have access to admin privileges, updating and removing users and privileges when appropriate.

To further improve the effectiveness of removing admin privileges, those who have access to these accounts should be prevented from accessing programs which could pose a potential cyber security risk, such as web browsers or email applications. Separate accounts should always be created for these tasks. 

By following the guidance laid out in Australia’s Essential Eight, and by focusing particularly on application whitelisting and admin right restrictions, global organisations can better mitigate the risk and impact of cyber attacks. 

About the author: Kevin Alexandra is principal technical consultant in Avecto’s Boston office, where he acts as senior escalation engineer for all Avecto Defendpoint deals in North America. Kevin is also a technical account manager providing dedicated one-to-one support to a multi-national consumer goods corporation operating Avecto’s solution.

Copyright 2010 Respective Author at Infosec Island]]>
Will We Get a GDPR for the IoT? https://www.infosecisland.com/blogview/25140-Will-We-Get-a-GDPR-for-the-IoT.html https://www.infosecisland.com/blogview/25140-Will-We-Get-a-GDPR-for-the-IoT.html Wed, 28 Nov 2018 10:13:05 -0600 The General Data Protection Regulation (GDPR) breaks new ground when it comes to privacy law. After years of hidden breaches, stolen identities and negligent data handling,organizationswill finally be forced to get serious about data privacy.

Data loss incidents that are due to non-compliance will face fines that run as high as four percent of global turnover, or 20 million euros, whichever is higher. This will prove a threat to some, but for others, it will finally put the weight behind personal data protection that has been lacking for so long.

But there is still no specific regulation for the relentlessly growing, and fatally insecure IoT. In 2017, the European Union Agency for Network and Information Security (ENISA) found that there were no “legal guidelines for IoT device and service trust.” Nor any “level zero defined for the security and privacy of connected and smart devices.”

Today’s smart workforce are bringing in personal devices into their workplace with the endeavor to get their job done faster. Manufacturers are building connected intelligence in their products to make them stickier and more purposeful. This massive small business and consumer adoption of connected devices have unfortunately left most manufacturers in the front seat offering features and interoperability, but with security exposures buried in the trunk.

IoT is a market that doesn't show any signs of slowing down. The IDC predicts that there will be 200 billion connected devices by 2020 and if standards stay the same that could mean billions of security vulnerabilities. The Marai virus demonstrated how IoT devices with default settings can be vulnerable to infection and this malware has been used in DDOS attacks. And there are more malicious variants underway such as those that now aim to target ARC processors embedded into a broad array of Linux-based devices.

As such, it might then be a good idea to imbue IoT security with the kind of weight that the GDPR gives personal data. But why hasn't that happened yet?

While GDPR does not have much that directly confronts the problems of the IoT. It regulates the use of personal data, as it pertains to the IoT but, the GDPR still doesn’t call the problem by its name. For example, GDPR holds you accountable for your security vulnerabilities, third parties and personal data handling assets to make sure that they are also GDPR compliant. This includes IoT devices, but those specific concerns will be diluted among a mix of other security considerations.

Regulation is often slow. The last piece of EU data protection regulation came in 1995. Since then we've seen the massive exponential growth of cross border data flows, the inexorable rise of cybercrime and the appearance of multiple computing devices and high speed internet connections in European homes. The GDPR, for example, was first proposed in January 2012 and it took over four years before it was adopted by the European parliament.

The point here is that regulation can be slow to deal with change. First, lawmakers have to get wind of a problem, begin to understand it and then meticulously draft lengthy documents embattled by bureaucratic hurdles, legal considerations and competing interests.

The GDPR holds supranational legitimacy over 28 separate countries and applies not only to bodies which are based in those countries but have customers within them. Considering the EU is still the world’s largest market, this makes the GDPR not just European regulation but a global one. Unless national regulators can make foreign manufacturers do what they say, regulation on IoT security will be hard to achieve. This could be especially difficult as international supply chains will prove a problem, as many IoT devices are manufactured in countries prized for their low regulatory barriers - allowing retailers to bring in the cheap smart devices that consumers and small business crave.

There are some signs toward IoT security regulation. In April 2017, the Californian state government introduced legislation for IoT security and the French government are eyeing proposals to make IoT manufacturers liable for the security of their products. There is a great desire to install regulations of this kind among a number of sectors, public and private.

Until then, it behooves the industry to establish a commercial IoT security testing standard and share best practices for IoT risk mitigation. For example, ISCA Labs, an ISO-accredited, independent, third-party tester has published an IoT testing framework. For example, enterprises have leveraged network access control (NAC) technology to fortify IoTdefences, enforce policies for unsanctioned IoT device use, and mitigate risk of malware proliferation, network exposure, and sensitive data leakage. Means to educate the consumer and enterprise market on IoT security threats and safeguards is equally important.

About the author: Scott Gordon is the chief marketing officer at Pulse Secure, responsible for global marketing strategy, communications, operations, channel and sales enablement. He possesses over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations across SaaS, hardware and enterprise software platforms.

Copyright 2010 Respective Author at Infosec Island]]>
'DarkGate' Campaign Targets Europeans with Multiple Payloads https://www.infosecisland.com/blogview/25139-DarkGate-Campaign-Targets-Europeans-with-Multiple-Payloads.html https://www.infosecisland.com/blogview/25139-DarkGate-Campaign-Targets-Europeans-with-Multiple-Payloads.html Fri, 16 Nov 2018 07:28:14 -0600 A newly discovered malware campaign is targeting users in Europe with various payloads, has a reactive command and control (C&C) system and can remotely control infected machines, enSilo security researchers warn.

Spreading through torrent files, the DarkGate malware can avoid detection by several anti-virus products and is also capable of detonating multiple payloads onto the infected machines, for crypto-currency mining, stealing crypto-coins, and encrypting victim’s files (ransomware).

The campaign operators use a C&C infrastructure cloaked in legitimate DNS records from services such as Akamai CDN and AWS, thus being able to avoid reputation-based detection. Their malware can bypass User Account Control (UAC) and can also evade elimination of critical files by several known recovery tools.

Mainly focused on targets in Spain and France, the campaign uses a reactive C&C infrastructure, where human operators react to notifications from infected machines. As soon as the malware reports back activity of interest on an infected machine, such as the presence of crypto wallets, the operators install a custom remote access tool for further operations.

The malware author invested a lot of time into ensuring the threat can evade detection by anti-virus products and continues to improve their creation. The operation appears financially motivated, but, given the threat’s ability to install remote access tools, the author might have other motives as well.

The security researchers were able to link DarkGate with the Golroted password stealer, as both use the Nt* API calls for process hollowing and a SilentCleanup schedule task for UAC bypass. Moreover, there are significant code overlaps between the two malware variants.

Distributed via torrent files, the DarkGate malware has a multi-stage unpacking process that starts with an obfuscated VBScript file functioning as a dropper for several files (saved to a hidden folder “C:\{username}”).

The malware uses process hollowing to inject and execute malicious code but, if the Kaspersky anti-virus is detected, the code is loaded as part of the shellcode. The final binary copies all files from “C:\{computer_name} “ to a new folder under “C:\Program data” and also installs a new key in the registry, to achieve persistence.

As part of the initial connection made to the C&C server, the malware gets the file necessary to start the cryptocurrency mining process. The malware can also search for and steal credentials for a variety of crypto wallets.

The threat contains six hard coded domains that it attempts to connect to upon infection. It also uses DNS records that are similar to legitimate DNS records from Akamai or Amazon, which allows it to avoid unwanted attention.

The malware also includes various anti-VM and user validation techniques, and also checks the infected system for a series of anti-virus products (informing the server on their presence, with the exception of Kaspersky, Trend Micro and IOBIt) and known recovery tools.

DarkGate, the researchers reveal, uses two distinct UAC bypass techniques in an attempt to elevate its privileges. One abuses a scheduled task for DiskCleanup (cleanmgr.exe), while the other one leverages Event Viewer (eventvwr.exe).

The threat can log keystrokes, and attempts to steal passwords from various programs, using the following applications: Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView.

DarkGate can delete all restore points on the system, and also appears capable of installing a RDP connection tool, thus providing operators with unfettered access to the infected machine. The server can request various information on the machine, such as locale, username, computer name, processor type, RAM, OS type and version, Epoch time, and installed AV type, among others.

Related: NSA Leak Fuels Rise in Hacking for Crypto Mining: Report

Copyright 2010 Respective Author at Infosec Island]]>
Facebook Patches Bug that Exposed Private Information https://www.infosecisland.com/blogview/25138-Facebook-Patches-Bug-that-Exposed-Private-Information.html https://www.infosecisland.com/blogview/25138-Facebook-Patches-Bug-that-Exposed-Private-Information.html Thu, 15 Nov 2018 12:46:00 -0600 Facebook recently addressed a vulnerability that could have allowed anyone to access private information about users and their contacts.

The vulnerability, Imperva security researcher Ron Masas explains, was found in Facebook’s online search function. He discovered that the HTML code for every search result contained an iframe element that could be exploited maliciously.

The issue is that the endpoint that expects a GET request with a number of search parameters is now cross-site request forgery (CSRF) protected. This allow users to share the search results page via a URL, but most users won’t take action, which makes it a non-issue.

When it comes to the Facebook online search, however, the problem is that the CSRF bug can be combined with the fact that iframes are exposed in part to cross-origin documents.

An attacker looking to abuse the vulnerability would need to trick a user into opening their malicious website and click anywhere there. The malicious site would only need to be running JavaScript.

The user interaction triggers a popup or a new tab to the Facebook search page, and the attacker forces the user to execute any search query they want.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property. By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,” Masas explains.

The security researcher, who published a proof-of-concept video, notes that he was able to extract a variety of private user data by exploiting the issue.

Such information included details on whether the user had friends from Israel or friends named “Ron,” whether the user had taken photos in certain locations/countries, if they had Islamic friends or Islamic friends living in the UK, and even if the user or their friends wrote a post containing a specific text.

The process, the researcher explains, can be repeated without the need for a new popup or tab, as the attacker has control over the location property of the Facebook window through running a specific snippet of code.

“This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site,” the security researcher says.

The attacker doesn’t even need a Facebook account to extract said information, Imperva told SecurityWeek in an email. The security firm also said that Facebook, who was alerted on the bug in May, issued two bounties (mobile and desktop), for the total amount of $8,000.

Related: Facebook Says 50M User Accounts Affected by Security Breach

Related: Facebook Asks Big Banks to Share Customer Details

Copyright 2010 Respective Author at Infosec Island]]>
A Human-Centered Approach to Building a Smart, Satisfied Information Security Team https://www.infosecisland.com/blogview/25137-A-Human-Centered-Approach-to-Building-a-Smart-Satisfied-Information-Security-Team.html https://www.infosecisland.com/blogview/25137-A-Human-Centered-Approach-to-Building-a-Smart-Satisfied-Information-Security-Team.html Thu, 15 Nov 2018 07:27:45 -0600 With limited personnel to manage the rising risk, the difficulty attracting, recruiting and retaining an appropriately skilled workforce has become a significant risk. 

Shortfalls in skills and capabilities are manifesting as major security incidents damage organizational performance and reputation. Building tomorrow’s security workforce is essential to address this challenge and deliver robust and long-term security for organizations in the digital age. Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, is clearly in need of new tactics and fresh ideas.

Consider, for example, that new research by Cybersecurity Ventures finds that only 20% of the global cybersecurity workforce is comprised of women. On its face, this statistic proves that there are large, untapped pools of talent. Looking deeper, there are lessons to be learned about what organizations must do differently to attract bright prospects from a wider spectrum of education, experience, and expertise. And of course, it goes way beyond gender diversity — organizations must figure out how to recruit effectively from younger and older age groups, underprivileged districts, liberal arts colleges, and other atypical populations.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures (e.g. security software platforms, patching and configuration practices, analytics, and machine learning) become more complex.

The Evolution of the Security Workforce

The security workforce, typically defined as the personnel responsible for an organization’s information security activities, has evolved rapidly since its inception. The information security function often exists only as part of another associated business function, such as: risk, technical IT operations, legal and or audit. It can be identified as information, cyber, assurance, or operational security. It can also report into various business units, including finance, risk, governance, or IT.

Over the course of its evolution, the lack of a consensus definition of the information security function has allowed numerous, disparate components to form an organization’s security workforce. For example, employees working within threat intelligence, business continuity, and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.

Supply and Demand

Closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture. It is evident that individuals with the required skills, qualifications and experience are either unavailable or demanding compensation that cannot be met with existing budgets. Because they are in high demand, talented security staff regularly move to new employers as they seek out better salaries and projects at more prestigious companies.

But is this inevitable? Are hiring managers so inflexible in requiring candidates to have specific skills, qualifications, and years of experience that they end up hindering their security teams? Are uninformed and unimaginative recruitment practices contributing significantly to the perceived shortage? As salaries escalate, organizations are urgently seeking a solution to the perceived crisis around hiring information security professionals.

To address the growing demand, organizations should broaden their approach, and work purposefully to recruit security professionals from a diversity of backgrounds, disciplines and skill sets. Focus on the aptitude and attitude of candidates rather than insisting on a host of specific skills, experience and qualifications that would eliminate a large portion of current and prospective information security professionals.

Human-Centric Security

As vendors and tools saturate the market of security solutions, potential employees have come to perceive information security as deeply technical, leaving recruiters struggling to identify and appeal to candidates with a less traditional mix of education and experience. Organizations are swiftly recognizing that bright, diligent, inquisitive individuals are among the most valuable security assets an enterprise can leverage. A human-centric approach to information security will foster a workforce that is capable of meeting the challenges presented by digital risk.

To help achieve a human-centric approach, the information security function should collaborate with HR and take advantage of well-established HR practices to build a diverse workforce of capable individuals. A human-centric approach supported by HR provides the structure for a strong workplace culture characterized by proficient and satisfied information security professionals.

Building a Sustainable Security Workforce

Increasing reliance on digital systems, coupled with a dynamic threat landscape, has made the security workforce core to an organization’s survival. But for many enterprises, developing a sustainable security workforce is only an aspiration: attracting and retaining experienced, certified security experts is a constant battle.

Organizations need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained HR efforts, organizations can formalize the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organization’s security objectives.

As the security workforce matures and finds innovative ways to embrace the vast resources of untapped talent, the exaggerated myth of a looming crisis in the global security workforce. A robust and diverse security workforce will empower organizations to face future workforce challenges, such as automation, role and function amalgamation, and increased outsourcing. ISF Members are already demonstrating success at cultivating teams with the necessary skills and expertise in progressive and engaging environments.

A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing cyber risk and security burden.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island]]>
Addressing the CISO’s Key Challenges in 2018 and Beyond with Endpoint Detection and Response https://www.infosecisland.com/blogview/25136-Addressing-the-CISOs-Key-Challenges-in-2018-and-Beyond-with-Endpoint-Detection-and-Response.html https://www.infosecisland.com/blogview/25136-Addressing-the-CISOs-Key-Challenges-in-2018-and-Beyond-with-Endpoint-Detection-and-Response.html Mon, 12 Nov 2018 09:17:00 -0600 IT security leaders face more hurdles today than ever. From the growing threat landscape to the increasing regulation of the digital economy, information security officers have their work cut out for them.

Research indicates that CISO responsibilities are growing faster than their ability to address security issues. Some of their biggest troubles include evolving threats, tight budgets, lack of skilled staff, complex environments to protect, and even more complex solutions that do little to ease the IT department’s load. Coupled with the increasing compliance burdens of GDPR and other regulations like it, CISOs need to meet their responsibilities by working smarter, not harder. One such smart approach includes leveraging effective Endpoint Detection and Response (EDR.)

While there is no shortage of EDR solutions, an evaluation of efficacy among top providers shows these solutions vary widely. But why? Most EDR solutions are: too complex and noisy, they trigger too many false alarms (alert fatigue), offer little to no visibility into the detection and remediation process, and/or lack analytics to automate core processes.

An effective EDR solution should reduce alert fatigue by limiting the number of incidents requiring human analysis, enabling IT departments to focus security resources on real threats, and should never overburden staff or infrastructure resources.

Moreover, IT departments need a security solution that is operationally effective. Instead of piling on disparate solutions from different vendors and achieving inferior results, organizations today have access to technologies that give them the option to deploy a single-agent, single-console solution that greatly reduces the effort to install and manage endpoint security.

An integrated, full-spectrum solution

Combating modern threats requires modern weapons. Traditional security solutions are no longer enough—they only display a warning that a threat was blocked, end of story. They offer no visibility into what happened before, during, and after the attack. This lack of insight does little to prepare security teams for similar attacks in the future.

What IT departments need is integrated EDR and EPP (endpoint protection platform), which offers both protection and visibility across all malicious/suspicious activities throughout the infrastructure, as well as alert triage to let them focus on real threats. This integrated solution also offers effective incident response workflows that help reduce resource requirements.

A proper EDR implementation augments protection, detection and response by working together with the security solution in order to provide a complete picture of how threats target organizations, while also allowing IT and security teams to focus on relevant security incidents. At the same time, a successful EDR/EPP implementation eliminates the need for multiple agents, as everything is delivered under a single solution, manageable from a single centralized console. This simplifies deployment and operations across all enterprise endpoints and operating systems, in complex infrastructures both physical and virtual, and across data centers and public cloud environments.

Furthermore, integrated EDR and EPP provides stack and on-execution detection capabilities, which prevents and stops advanced threats from being executed on enterprise infrastructure, while also helping IT and security teams with forensics and investigations into potential security incidents.

The Best of Both Worlds – Security, Visibility

The evolution of cyberattacks has made anomaly detection an imperative and integral part of EDR. Leveraging Machine Learning, EDR solutions can offer suspicious activity detection that helps with investigation and response, by performing fast security alert triage and focusing on truly relevant security events, usually associated with potential breaches and cyberattacks. Once a potential threat is detected, automatic response kicks-in, enabled by the integrated EPP solution, blocking lateral movement, killing suspicious or malicious processes, and automatically remediating any malicious changes performed by the threat. Finally, pre- and post-compromise forensics, offer by EDR capabilities, provide visibility into past actions covering the entire lifecycle of the attack and creating a full picture of the attacker’s objective.

Keeping imminent cyber threats at bay may sound complicated, but it really boils down to just a few key aspects: reducing the attack surface, automating detection and response, gaining insight to mitigate future threats, and avoiding loss of business by rapidly containing and remediating an attack.

Today more than ever, incident response teams need to be given the tools to analyze and investigate suspicious activities, and adequately respond to evolving threats.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Copyright 2010 Respective Author at Infosec Island]]>
Fight Fileless Malware on All Fronts https://www.infosecisland.com/blogview/25135-Fight-Fileless-Malware-on-All-Fronts.html https://www.infosecisland.com/blogview/25135-Fight-Fileless-Malware-on-All-Fronts.html Tue, 06 Nov 2018 08:44:00 -0600 Take a unified approach: patch and protect all elements of your ecosystem to prevent new attacks.

The Ponemon Institute estimates that more than half of all attacks against businesses in 2017 were fileless. Cyber criminals continue to find new, creative ways to disrupt organizations, and a new favorite that gained traction last year is fileless malware. No doubt, 2018 statistics, when compiled, will indicate fileless malware is among the prevalent attacks as cyber attackers exploit capabilities in Microsoft’s Power Shell, Windows Management Instrumentation (WMI) and MacOS Shell.

Cyber Criminals Love Fileless

The recent trend of fileless malware is part of a larger cybercrime story, that of attackers using a variety of scripts to introduce malware or command and control capabilities into an enterprise. PowerShell, for example, is mainly used to automate administration tasks, including managing configurations of systems and servers. It has been exploited by scripting malware families like W97/Downloader, Kovter fileless malware, Nemucod and other JavaScript downloaders.

One of the latest examples of fileless malware and script attacks was the heist of close to $1 million from a Russian bank. The cyber criminal group, known as MoneyTaker, is believed to have conducted more than 20 successful attacks on financial institutions and legal firms in Russia, the UK and the U.S. Researchers estimate a total figure of $14 million, from 16 U.S. targets, five Russian banks and one hack of a UK banking-software firm. As reported, the group used widely available tools including PowerShell, Visual Basic and the Metasploit exploit framework, plus their own custom-made fileless malware, to hack into these networks.

Why Fileless Works so Well

Fileless malware has become the darling of cyber criminals because, quite simply, it’s a no-brainer. Rather than wait for some human to open a phishing email or inadequately encrypted application, fileless malware works on what is already in your network, i.e., the day-to-day scripts enterprises use, like PowerShell, VBScript or JavaScript. It is easier to conduct an exploit and harder to detect. The malware can be executed entirely from the command line and with capabilities such as executing commands written in base 64 encoding, it may be very difficult to see the malware running. Fileless malware typically does not require downloading additional malicious files – the hacker simply executes a command with arguments on the command line. These commands however, are capable of stealing data and credentials, spying on IT environments, and leaving back doors open to further exploits. Another tactic is to exploit in-memory access and running applications, such as web browsers and Office applications to conduct malicious behavior.

A fileless infection could be malicious code or data that exists only in memory. It isn’t installed to the target computer’s hard drive. Written directly to RAM, the code is injected into a running process where it can be used for the exploit. And, since it doesn’t exist as a true file, it can often go undetected by antivirus software and intrusion prevention systems. This “zero footprint” intrusion leverages legitimate programs and data to perform desired tasks, while remaining nearly undetectable using traditional detection methods. The infection can remain live until the system is rebooted and the fileless malware is purged from the infected system’s memory, enabling attackers to steal data or download more persistent malware to use in future attacks.

Fighting Back against Fileless

Fileless malware is particularly insidious since traditional antivirus solutions simply aren’t enough of a defense. It has prompted security teams to take a multi-faceted approach to detecting threats and preventing new attacks. ‘Threat hunting’ includes actions such as log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry of system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users, and understanding baseline endpoint activity of applications and users to detect suspicious activity.

How can fileless malware be avoided? Really, the short answer is, in light of the increasing popularity of these attacks, you need to do it all – to take a unified approach, looking across your enterprise and executing threat-prevention practices wherever possible.

Here are recommended practices for a unified IT approach to fighting back against fileless malware:

  1. Patch Management is critical to preventing attacks of all kind. Make sure your endpoints and servers are contained in the patch cycle to optimize threat protection. And make those Microsoft patches in a timely fashion! For example, the Microsoft August patch list contained two zero-day vulnerabilities:  CVE-2018-8373 [Internet Explorer] and CVE-2018-8414 [Windows Shell]. Given there are known exploits, you should give these fixes top priority.
  2. Advanced Application Control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
  3. Disable Macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
  4. Most Advanced Antivirus Technology gives you the most powerful means of addressing the threat at the kernel level.
  5. Privilege Management is essential to limiting threats by giving users the exact level of rights they need to get their job done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cyber criminals access to OS tools that will introduce a fileless infection.
  6. Isolation Policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
  7. Insight Tools can afford a better view into your most vulnerable systems, using techniques such as Web Application Firewalls (WAFs) to protect potentially exposed systems.
  8. Enforce Policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.

What’s Next?

“The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds. They don’t need much time to extract valuable data—they usually have much more than they need as it typically takes organizations weeks or months to discover a breach.” A cautionary note from Verizon’s 2018 Data Breach Investigations Report. Verizon reported that 68% of the breaches took months or longer to discover, and to add to the deficit, many breaches are discovered by customers, damaging a company’s brand reputation.

The MoneyTaker group was reported to have spent months investigating a target’s network, in order to elevate system privileges to those of a domain administrator, then to remain active inside the network following the heist.

The message here is: taking a unified approach – enforcing every possible security policy to prevent these attacks and exercising constant vigilance - is the only way to fight back against fileless malware!

About the author: Phil Richards is the Chief Information Security Officer (CISO) for Ivanti. Prior to Ivanti he has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

Copyright 2010 Respective Author at Infosec Island]]>
How to Protect SMBs Against Phishing Attacks via Social Engineering https://www.infosecisland.com/blogview/25134-How-to-Protect-SMBs-Against-Phishing-Attacks-via-Social-Engineering-.html https://www.infosecisland.com/blogview/25134-How-to-Protect-SMBs-Against-Phishing-Attacks-via-Social-Engineering-.html Tue, 06 Nov 2018 07:23:00 -0600 Social engineering and artificial intelligence (AI) are bringing about a new golden age of hacking for criminals. They are capitalizing on common online habits of everyday people to tempt them to click on or install harmful applications – in the guise of browser extensions, clickbait and more – each specifically targeted to the individual user’s online habits using AI.

Most breaches occur when employees make common, seemingly harmless mistakes. Now, this goes beyond forgetting to install updates or using overly simple passwords.  In fact, due in part to the rise of social engineering, employee mistakes account for the vast majority of breaches. Hackers are catching on fast, capitalizing on human nature and using AI and social engineering to target unsuspecting employees. Clickbait isn’t just about articles and pageviews – it’s about getting a backdoor into your network through unsuspecting employees.

These increasingly sophisticated attacks might look like a harmless browser extension or an article in a social media feed. Employees will likely assume they are legitimate (haven’t we all downloaded a music app or other favorite tool?). Unfortunately, behind these many commonly installed applications, lurks a more sinister motive: a hidden phishing device.

Varying Risk Factors

While training may be effective, it is unlikely to stop all employees from putting themselves unwittingly at-risk (particularly on their mobile devices over work networks). Small to medium businesses are especially vulnerable when it comes to these highly sophisticated attacks, so what do they need to know to safeguard against these threats?

First, organizations need to understand the types of phishing attacks. Spear phishing, for example, is a phishing attack targeted at specific individuals and can present a substantial risk to organizations. Spear phishing attacks pinpoint persons in the company with access to sensitive and/or valuable data. This could be anyone from a sales executive to an engineer on a specific project to the chief financial officer. While most phishing attacks broadly target employees with the hopes of catching just one, spear phishing is intended to focus on extracting data or credentials from specific individuals. We are seeing this increasingly as hackers become more aware of the value of specific targets and go after them.

Next, organizations need to understand basic prevention techniques. Phishing requires constant training, since humans are the targets, rather than computer systems. Phishing works because someone takes an action to provide access to cybercriminals, unlike other types of attacks. This element of social engineering requires organizations to train employees not once, but on a recurring basis. Many organizations are seeking hands-on training through simulations after finding that prior measures weren’t effective. Training employees how to inspect email header information and identify malicious “spoof” websites can help safeguard organizations against many common threats.

Mobile Devices in the Workplace

Mobile devices are increasingly becoming the vector through which hackers target employee networks. According to a recent report, the rate at which users are falling for attacks on mobile devices has increased 85 percent each year since 2011. Mobile devices are growing in popularity for attacks because they often lack endpoint security and have access to a wide variety of mobile applications and messaging services. This provides more opportunities for hackers to target employees, who may assume their personal device isn’t a threat to their employer’s network. New attacks use popular apps such as WhatsApp and Facebook to lure victims to download malware, which can expose data stored on these devices.

Having a bring-your-own-device (BYOD) policy is not without risks.  For example, the device may be taken to offsite for personal use where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or have any number of personal applications on it. Additionally, devices, especially mobile phones and tablets, can easily be lost. If the device contains sensitive business information, or can connect to a corporate network to access such data, these behaviors seriously increase the risk of compromising company data.

Training Isn’t Always Enough

When the best training isn’t enough, SMBs should put technology in place to back up these efforts. People are human, and as such, they will often make judgement calls that may put them at risk despite the best intentions and training. To supplement training, technology that can identify threats where people might not even think to look is critical. A layered security approach that combines the use of technology, policy and training will be the most effective. Solutions like next-generation firewalls, endpoint protection, behavioral heuristics and more should all be explored when architecting the right strategy for your organization.

Ultimately, phishing attacks rely on social engineering, with the goal of putting something in front of an employee that will entice them to click (or download) without thinking about the consequences.

Attackers are constantly changing tactics, so ensuring that you are armed against the latest threats is critical. Look for solutions that automatically update in addition to training your employees at regular intervals to understand the latest threats. Creating a culture of security awareness is an important first step for any organization. 

About the author: Timur Kovalev serves as the CTO at Untangle and is responsible for driving technology innovation and integration of gateway, endpoint, and cloud technologies. Timur brings over 20 years of experience across various technology stacks and applications.

Copyright 2010 Respective Author at Infosec Island]]>
DDoS Disruption: Election Attacks https://www.infosecisland.com/blogview/25133-DDoS-Disruption-Election-Attacks.html https://www.infosecisland.com/blogview/25133-DDoS-Disruption-Election-Attacks.html Mon, 05 Nov 2018 10:08:00 -0600 In an increasingly politically and economically volatile landscape, cybercrime has become the new geopolitical tool. Attacks on political websites and critical national infrastructure services are ever more frequent not only because the tools to do these are simpler, cheaper and more widely available, but also due to desire and capabilities of attackers to impact real-world events such as election processes, while staying undiscovered. Not surprisingly, a third of respondents to NETSCOUT’s latest Worldwide Infrastructure Security Report saw political or ideological disputes as motivation for DDoS attacks.

As such, we are reminded that cyberattacks against elections are a major concern for the US—recall the recent DDoS attack that crashed a Tennessee county's website on election night in May. The Department of Homeland Security has warned against voting machine hacks and targeted attacks against campaigns. The agency said that in 2016, hackers targeted election systems in 21 states.

Election officials are on high alert for future DDoS attacks and the risk they pose to availability of systems, and more importantly, to confidence in the entire system, which hangs in the balance as we consider the integrity, sanctity and validity of election results overall. Moreover, DDoS attacks on election night pose risk to the availability of information. Imagine if the AP suffered an outage due to a DDoS attack on election night?

The Risk of Volumetric Attack

The sudden emergence of MemcacheD as an attack vector earlier this year certainly brings the possibility of a massive DDoS attack into focus for election officials. The reality is that while 2018 has ushered in an era of terabit DDoS attacks, with the largest one clocking in at 1.7Tbps, we’ve seen evidence that it will also prove to be a year faced with application-layer attacks as well.

Unlike volumetric attacks, which overwhelm networks quickly by consuming high levels of bandwidth, application-layer attacks are more subtle and insidious – and much more difficult to detect and block. The application-layer attack, sometimes called a Layer 7 attack, targets the top layer of the OSI model, which supports application and end-user processes. In these outbreaks, attackers pose as legitimate application users, targeting specific resources and services with repeated application requests that gradually increase in volume, eventually exhausting the ability of the resource to respond. Widely regarded as the deadliest kind of DDoS attack and often fueled by botnets such as Mirai and it’s many successors, application-layer attacks can inflict significant damage with a much lower volume of traffic than a typical volumetric attack, making them difficult to detect and mitigate proactively with traditional ISP or cloud-based monitoring solutions. They have a singular goal: take out a website, application or online service. While service providers can detect and block volumetric attacks as well as larger application-layer attacks, smaller application attacks can easily escape detection in the large ISP backbone, while still being large enough to cause a problem for the enterprise network or data center.

Domain name system servers (DNS), the directories that route internet traffic to specific IP addresses, are the most common targets, and HTTP and secure HTTPS services are also targeted frequently, rendering them unavailable to legitimate requests. In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web-based applications.

Best Practice DDoS Defense

To effectively detect and mitigate this type of attack in real time, what’s needed is an inline, always-on solution deployed on-premise as part of a best-practice, hybrid DDoS defense strategy combining cloud-based and on-premise mitigation. An intelligent on-premise system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, and early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defenses through cloud signaling. Deploying any widely available on-premise component of a hybrid DDoS defense solution, including those from NETSCOUT, can mitigate the vast majority of application-layer attacks before they can do damage. For organizations facing budget and resource constraints, managed DDoS service options provide them with a means to save money, amplify in-house resources and reduce risk. Outsourced or in-house, a hybrid DDoS defense ensures detection and mitigation across the full spectrum of DDoS risks while protecting availability.

About the author: Hardik Modi is Senior Director, Threat Intelligence at NETSCOUT|Arbor. He is responsible for the Threat Research and Collections teams, ASERT and ATLAS, respectively. In this role, he drives the creation of security content for NETSCOUTs products, enabling best-in-class protection for users, as well as the continuous delivery and publication of impactful research across the DDoS and Intrusion landscapes.

Copyright 2010 Respective Author at Infosec Island]]>
Buy, Rent, or Uber Your Security Operations Center https://www.infosecisland.com/blogview/25132-Buy-Rent-or-Uber-Your-Security-Operations-Center.html https://www.infosecisland.com/blogview/25132-Buy-Rent-or-Uber-Your-Security-Operations-Center.html Mon, 05 Nov 2018 04:08:00 -0600 We all know that data breaches cost a lot—an average of $3.6M per organization.

For cyber criminals, everyone’s a target—and perfect prevention isn’t practical. We must assume that, at some point, every organization’s IT infrastructure will be breached. That’s why we need to continuously monitor, investigate and respond to cyber threats 24/365 if we are to avoid costly breaches and the potential impact to reputation, revenue and customer confidence.

What better way to provide continuous monitoring and analysis than through a security operations center (SOC)? With the people, processes and platform to continuously look across the entire organization’s networks, servers, endpoints, applications and databases, a SOC applies expert knowledge to detect and dig into potential threats. One of the key benefits of a SOC is preventing the devastating impact of a breach by reducing the dwell time (the time between when an attacker compromises a network—minutes—and when the organization discovers the threat—typically months!)

Cost and complexity are roadblocks

Any way you look at it, a SOC is complex and expensive. It requires a lot of specialized hardware and software to generate events and alerts, which must be examined by highly skilled security analysts who can determine which ones represent real threats.

The platform is costly.

You need a well-tuned SIEM (security information and event management) to provide the visibility foundation, along with firewalls, IPS/IDS, vulnerability assessment tools, endpoint monitoring solutions and more. All of this must be fed by threat intelligence that is specific to your organization’s goals and risk tolerance, and the results need to be augmented by machine learning and fine-tuned by human experts.

Processes are costly as well.

Detailed organization-specific playbooks need to be written, spelling out what should happen when ransomware, malware infections, distributed denial of service attacks or other threats are seen. They specify how to investigate, what evidence to gather and when and how to escalate.

Perhaps the most expensive component is people.

It’s difficult enough to hire a team of highly skilled security analysts with the bandwidth and expertise to perform continuous monitoring, while we are experiencing a worldwide shortage. It’s even harder to retain them in the face of stiff competition for scarce talent.

The Complete SOC: Platform. People. Process.

/uploads/remoteimg/c01aefaee2df8a03a902e5bd99a156ab.jpg

Finding the best route

Reaching the goal of continuous coverage is not a simple make/buy decision: it’s more of a buy/rent/co-manage decision: should you build your own SOC, outsource your SIEM (or SOC) platform, or leverage a co-managed SOC solution.

1. Building your own SOC is akin to buying a car to get from Point A to Point B.

You incur all the platform, process and people costs – but you are in total control over where you are going and how to get there (i.e. what your organization sees as risks, threats, and responses). Of course, the cost and complexity could be prohibitive.

2. Outsourcing your SIEM or SOC platform is like renting a car.

You don’t have to make the capital outlay for hardware, but you still need to carry out all the processes—and you must hire, train and retain your own SOC team. It’s less expensive than building your own SOC, but still quite pricy.

3. Leveraging a co-managed SOC solution is like using Uber to get to your destination.

You augment your own internal team with seasoned security experts with mature processes driving a powerful SIEM platform, yet you remain in control of the ultimate destination. A co-managed SOC ensures that the collective team is operating in concert to reach your organization-specific goals.

Uber your way to a SOC

The goal is to get from Point A (your organization’s current security and compliance posture) to Point B (stronger security posture, compliance confidence and incident readiness). Clearly, the most cost-effective way to reach that goal is via a co-managed SOC – the Uber approach. You get the best of both worlds: the best people, processes and platform, at the lowest cost. Not only do you avoid the people and process costs, you retain control over the aspects that are specific to your organization: your risk tolerance, your market realities and your definition of what’s most important to you.

About the author: A. N. Ananth is a co-founder and CEO of EventTracker, Ananth was one of the architects of the EventTracker SIEM solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes.

Copyright 2010 Respective Author at Infosec Island]]>