Most SMBs Not Equipped to Handle Security Concerns: Study
https://www.infosecisland.com/blogview/25095-Most-SMBs-Not-Equipped-to-Handle-Security-Concerns-Study.html
Mon, 06 Aug 2018 10:39:07 -0500

Most small and medium businesses (SMBs) are not equipped to handle IT security concerns and instead distribute security responsibilities across other roles, a recent survey from Untangle reveals.

Although the vast majority (80%) of SMBs consider security very important to their business, 52% admitted to having distributed security responsibilities across existing staff instead of hiring an IT security professional, the research reveals.

According to the survey, which includes responses from over 350 SMBs globally, only 27% of respondents have a dedicated IT security professional on staff, while 17% said a partner takes care of their security needs.

The research has revealed that 75% of SMBs have fewer than 5 physical locations and that 60% have fewer than 100 end-user devices to manage.

When it comes to IT security, however, limited resources are a challenge for 47% of the surveyed SMBs. More than half of respondents said they had less than $5,000 per year for IT security, and half of them had less than $1,000 per year.

Respondents also cited limited time to research and understand new threats (37%) and a lack of manpower to monitor and manage security (34%) as challenges. A further 29% said they had to deal with employees who do not follow the rules.

“Considering Gartner estimates $96.3 billion to be spent on enterprise security solutions in 2018, the small budgets SMBs are given make it nearly impossible to stay ahead of emerging threats,” the report reads.

Almost 40% of SMBs revealed they have experienced a cyber-attack over the past 12 months, most of them being hit with malware and phishing. Ransomware was also encountered.

The research also found that 34% of the respondents do not have a Bring-Your-Own-Device (BYOD) policy in place. While this is a security risk, a mitigating factor is that over 80% of businesses either do not allow third-party devices on the network or keep them on a separate network.

The respondents perceive firewall and network security solutions as having the highest importance when it comes to a purchase, with anti-virus or anti-malware solutions also considered important.

Most SMBs (76%) have at least three quarters of their infrastructure deployed on premises, and 82% have less than 25% of their IT infrastructure deployed in the cloud.

“SMBs will always have to face limited budgets and resources allocated to IT security. However, as hackers become more sophisticated, it is crucial organizations take a proactive approach instead of waiting to see if they become a victim. Simple steps like separating the internal network from the public or mobile devices, and educating employees on what phishing attacks look like, can be vital for SMBs,” Untangle concludes.

Related: SMBs Eye Managed Security Solutions: Survey

Related: Ransomware Targets SMBs via RDP Attacks

Copyright 2010 Respective Author at Infosec Island
Cryptojacking – More than a Nuisance, It Poses a Serious Threat to Data Centers
https://www.infosecisland.com/blogview/25094-Cryptojacking--More-than-a-Nuisance-It-Poses-a-Serious-Threat-to-Data-Centers.html
Thu, 02 Aug 2018 10:40:00 -0500

Cryptocurrency was among the biggest stories of 2017 when Bitcoin peaked at more than $19,000 per unit. While already popular among cybercriminal groups, especially when deploying ransomware, Bitcoin found new success in mass adoption among consumers. This catalyst was enough for cybercriminals to develop new methods to mine alternate cryptocurrencies, such as Monero, in hopes that they would become equally popular and profitable.

CoinHive – the JavaScript-based mining client that allows browsers to be used to mine cryptocurrency – is the perfect example of distributed mining using commodity CPUs instead of GPUs, requiring no on-device client since mining takes place within the browser. Delivered as JavaScript, it retains full cryptomining capability while being easier to deploy, easier to weaponize, less intrusive from a security perspective, and completely legitimate if used with the express permission of the web visitors.

Seemingly the Holy Grail for website owners seeking to beef up revenue and not just rely on ads, browser-based cryptomining was quickly used by threat actors to hijack computing power from victims who visited legitimate websites hosting maliciously inserted cryptomining script.

From Nuisance to Threat

At first the average user was mostly exposed to cryptojacking when visiting an infected webpage that pushed CPU usage up to 100 percent to mine cryptocurrency. Threat actors quickly became aware of a serious limitation that would ultimately hinder their ability to generate money quickly: while using visitors' CPUs gives them access to a wider pool of potential victims, mining becomes increasingly difficult over time as more and more computing power is needed.

Consequently, turning to organizations and businesses with large data centers and infrastructures that could scale up the mining process was the next logical step for enterprising criminals. Driving up CPU utilization heavily impacts consolidation ratios and virtualization density in data centers, but threat actors have learned to adjust resource consumption so as not to trigger alarms: instead of 100 percent CPU consumption, they cap it at 70 or 80 percent. As a result, a successful cryptojacking campaign within a data center or an infrastructure with automatic provisioning could remain undetected for months, potentially generating millions of dollars' worth of cryptocurrency.

If getting users to mine cryptocurrency was sometimes just a matter of exploiting trivial XSS or unpatched vulnerabilities in popular CMS platforms, going after data centers involves advanced techniques usually associated with advanced persistent threats. Criminals are using everything from known military-grade exploits, such as EternalBlue, to fileless malware to breach data center security and deploy deceptively benign cryptojackers that steal compute power.

Sophisticated attack techniques traditionally used to drop malware payloads for data theft and exfiltration or covert surveillance tools are now used to drop cryptojackers. The fact that threat actors can manage to breach such a heavily fortified infrastructure just to deploy coin mining software is actually a serious security threat. While the payload appears benign, threat actors could have already exfiltrated data or deployed other tools, only to leave behind a crypto miner to generate extra revenue on the side.

While cryptojacking itself may not constitute a direct malicious attack, discovering such an operation within an infrastructure or data center can reveal a security blind spot that was actively exploited by threat actors. This should be of immediate concern, as the same security vulnerability could have already been used to deploy other malicious payloads aimed at cyberespionage or critical data extraction.

Impact on Data Centers

Data centers are where technology and performance meet to deliver better business scalability and low operating costs. Cryptojacking can threaten all this by throwing off performance and even increasing costs for businesses, especially those using an IaaS provider. Automated provisioning is the Achilles heel of data centers facing cryptojackers, as the threat leverages this performance optimization feature to scale its own mining operation.

For example, highly virtualized infrastructures that use VDIs or containerization tools may be altered to deploy crypto mining software whenever new instances are provisioned. If there is no baseline performance metering for new, untampered instances, companies will have a hard time identifying a cryptomining operation hiding in their infrastructure, except through an increased monthly bill from their IaaS provider.

Securing the Data Center from Cryptojacking

Because cryptojacking attacks leverage the same advanced techniques that threat actors have used when deploying cyberespionage tools – such as fileless attacks and known or unknown vulnerabilities – securing data centers and virtual infrastructures against this new threat requires the same multi-layered security approach one would deploy to prevent, detect, and block advanced and persistent threats.

Detecting file-based and fileless cryptojackers requires layered next-generation security that can block them at various stages of the attack lifecycle, both within the data center and on endpoints. Memory protection technologies that identify the memory manipulation techniques used when exploiting known or unknown vulnerabilities can also help prevent cryptojacking samples from being dropped into the virtual workload.

Pre-execution security technologies that can detonate scripts (e.g. PowerShell, cmd and wscript), coupled with core antimalware technologies, can not just detect and block the cryptojacking payload but also prevent the attack from succeeding, by deploying security layers capable of breaking the attack kill chain at various stages.

Changing Security Behaviors Via a Top Down Approach
https://www.infosecisland.com/blogview/25093-Changing-Security-Behaviors-Via-a-Top-Down-Approach.html
Thu, 02 Aug 2018 08:40:19 -0500

In a recent article I discussed the four secrets to building a strong, intentional and sustainable security culture. One of those secrets is focused on viewing security awareness through the lens of organizational culture. As I described in that post, culture is shared, learned and adaptive, but it can be influenced. It takes a group working collectively, and it begins with the leaders.

In this article, I’d like to go a bit deeper into the role of the leader and how a top-down approach is key when changing security behaviors within a culture.

Leaders are Cultural Beacons

The role of the leader in driving security culture should not be underestimated. When the protective mechanisms of the culture become unstable and seem to fail, people look for new stability and certainty to hold on to, and leaders are one of the first places they look. A leader who wants to steer his or her team through a period of cultural change must do so on many levels. Let's look at how these key characteristics apply to changing security behavior via security training:

  • Explicitly: by clearly communicating the new rules, assumptions, beliefs, and expectations for the new situation. This includes the vision, the rules of engagement, the metrics, the intended outcomes—anything that helps people to create a new, consistent belief system with a clearly understood and (relatively) safe place for them as part of that culture. In security training, this begins with taking stock of what your organization has in place: Where are the weaknesses? How susceptible to social engineering are your employees? Where do you need them to be? Do they know how to report suspected security incidents? This should also include baseline testing. 
  • Implicitly: by walking the talk. Consistently act in accordance with the new cultural rules and expectations and consistently address misaligned behaviors and beliefs as they surface. Weave instruction and guidance into the culture of the company. Consider adding mini-tabletop exercises and thought experiments to team meetings where the leader outlines a situation and asks team members how they would (or should) respond. There are (at least) three upsides to this approach: 1) the employees can "pre-think" the scenario in a non-emergency setting, 2) the leader can provide positive reinforcement and "light touch" corrective guidance to help steer employees toward desired behaviors, and 3) the leader gets a sense of where employees are struggling to align with the desired behaviors.
  • Symbolically: the leader is not just a person, he/she is also a symbol for security, cohesion and stability. Many leaders underestimate this part of their role. It doesn't mean they must pretend to be who or what they are not, but they do have to play it "bigger than life" from time to time, as part of the symbolic role they play. One way to do this is to create executive videos, blog posts, and other social media content in which the leader demonstrates their security decision making. For instance, the leader simply speaks about their passion, or, even better, tells interesting stories about situations from their own life, the life of the company, or interesting news events that relate the moral they want to convey. And, of course, the leader's actions and life must be consistent with their message in order to maintain credibility.
  • Representationally: as a leader, your team expects you to represent them in the political arena: to procure resources, remove obstacles, and secure recognition for the work they do. How does this work with security training? 1) Get executive buy-in, speak the language of the business and tie awareness training into the way your organization views risk and opportunity. 2) A security leader must work with other departments and generate enthusiasm across an organization. From HR to compliance to marketing, everyone can play a role and can help build, enforce and celebrate good security culture.
  • Always On: for culture leadership to work, the leader must be a constant force behind it. Appearing and disappearing, jumping in and then ignoring things, and unpredictable behavior all undermine the much-needed stability people crave from their leaders. Looking specifically at security awareness, this means ongoing simulation testing throughout the calendar year, regular (and customized) educational content, and the use of a variety of tools. It's important to remember that different forms of content resonate differently with different people. Individuals have unique ways of absorbing communication, from newsletters to video, so options are necessary to get everyone's attention and focus.

When it comes to changing behaviors and building better security hygiene, the role of the leader is not only critical, but it is the impetus to change. Your organization will be looking to you to steer them, motivate them and demonstrate best practices to them. It’s a big job, but one that’s a game changer for business success. 

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Amnesty International Targeted with NSO Group Spyware
https://www.infosecisland.com/blogview/25092-Amnesty-International-Targeted-with-NSO-Group-Spyware.html
Wed, 01 Aug 2018 11:40:00 -0500

An Amnesty International staff member was recently targeted with spyware linked to infrastructure previously associated with Israeli surveillance vendor NSO Group.

The attack arrived via WhatsApp, in the form of a message containing Saudi Arabia-related bait content and carrying links that are believed to be “used to distribute and deploy sophisticated mobile spyware.”

While analysing the messages, Amnesty International found connections with a network of domains that overlap with infrastructure previously associated with Pegasus, the sophisticated spyware platform sold by NSO Group, owned by US private equity firm Francisco Partners Management.

The malware was targeting vulnerabilities in Apple software that the Cupertino-based company patched nearly two years ago.

The message was apparently sent from a virtual phone number management system that offers bulk SMS sending. Typically used for promotional campaigns, the platform was apparently leveraged by the attackers to automate the sending of malicious messages.

The attackers attempted to trick the Amnesty International member into clicking on a link pointing to the domain akhbar-arabia[.]com, which is part of a large network infrastructure connected to the NSO Group. The domains are used to deliver exploits and malware to silently harvest data from the victims’ devices.

In late May, a Saudi activist based abroad received a similar message, containing a link to a page located at the domain social-life[.]info. The activist received two other messages, one via Twitter and one from an unknown phone number, both attempting to trick them into clicking on a shortened URL.

In a report published today, Citizen Lab revealed that the message containing the link to social-life[.]info “was widely shared across the Gulf Cooperation Council (GCC) countries in WhatsApp groups and on Twitter, along with a warning that the SMS was designed to hack phones.”

The NSO Group claims to be developing “cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots” and to prohibit the misuse of its products.

What the company provides its customers with, however, is an invasive form of surveillance. Moreover, NSO Group’s infrastructure includes a network of anonymizing nodes to hide the location of the Pegasus servers and conceal the customer’s identity or origin.

According to Citizen Lab, “reports indicate that up to 175 individuals may have been inappropriately targeted with NSO Group’s spyware in violation of their internationally-recognized human rights.”

The spyware is installed only if the link is opened from a targeted device; otherwise the user is redirected to a legitimate website. Amnesty International not only observed this behaviour during its investigation, but also connected the malicious links used in these attacks to the NSO Group's infrastructure.

The organization also managed to identify over 600 servers showing behaviour associated with NSO-backed spyware attacks, including servers that hosted domain names already associated with the Israeli company, such as banca-movil[.]com, pine-sales[.]com, and ecommerce-ads[.]org.

“We have also identified a set of self-signed TLS certificates, cryptographic documents that secure and identify a given website, which were shared between the infrastructure identified by Citizen Lab in 2016 and the new infrastructure we have identified with our scanning techniques,” the organization says.

Although they did not provide the entire list of suspicious domains discovered, Amnesty International published information on the domains believed to be relevant as possible threats.

“With up to 175 reported instances of abusive surveillance, it seems clear that NSO Group is unable or unwilling to prevent its customers from misusing its powerful spyware tools. […] there may be a substantial number of cases of abusive surveillance beyond what Citizen Lab and our research partners have discovered,” Citizen Lab notes.

Related: Ex-NSO Employee Accused of Stealing Spyware Source Code

Related: Internet Provider Redirects Users in Turkey to Spyware: Report

Plug Your Cloud Cybersecurity Holes
https://www.infosecisland.com/blogview/25091-Plug-Your-Cloud-Cybersecurity-Holes.html
Thu, 26 Jul 2018 13:27:00 -0500

Cloud data breaches are up nearly 45% year over year and are becoming more sophisticated. Unfortunately, IT is struggling to keep up as the nuances of clouds are different. We have reached an inflection point where business as usual – throwing people and money at the problem – is not sufficient. Hybrid cloud implementations require IT to understand the operational differences between cloud providers on top of their own enterprise operations. There is a growing skills gap, and CFOs are pushing back on continued budget increases. Organizations must change their approach to match the security needs of our highly distributed, always-on digital society.

Keysight recently published the Ixia 2018 Security Report, which highlights the biggest security findings and trends from the past year, as seen and analyzed by our Application and Threat Intelligence (ATI) Research Center.

The report revealed five trends that enterprises must address if cybersecurity is going to keep pace with new threats in the cloud.

How the Cloud Shifts Cybercrime

While 2017 was the year of ransomware, 2018 is the year of cryptojacking – hijacking user devices to mine cryptocurrencies without the owner's consent. The targets can be anything from consumer devices, like phones and laptops, to enterprise-grade cloud servers.

Cryptojacking offers cybercriminals a high-profit return that is far stealthier than a ransom attack. Researchers have even found code on compromised websites that can secretly be transferred to a user’s device, acting as a source of further attacks.

The report indicates that half a billion people have unwittingly let their devices mine cryptocurrency for others. Critical infrastructure is also a prime target for cryptojacking. Visibility, security, and monitoring strategies need to extend beyond the enterprise or single-cloud monitoring to include hybrid deployments. Without a comprehensive approach across multiple cloud providers, applications and computers are vulnerable to being assimilated into the 'cryptojacking collective', unwittingly becoming part of an attack army.

The Downside of Encryption

The Internet passed a significant milestone in 2017, when approximately half of all web traffic was encrypted using HTTPS. The encrypted tunnels used for HTTPS and other encrypted services protect users, but they have also become a conduit for hackers to hide malicious traffic inside legitimate-looking encrypted streams. This makes detection of malware or abnormal traffic by traditional means much more complex. To combat this, network architects are looking at methods to combine continuous inspection with multi-layered security tailored to the application environment.

The Growing Gap Between Cloud and Security

On average, there were over 4.3 new data breaches every day in 2017, up nearly 45% from the previous year. Many of those attacks had common root causes, including unpatched vulnerabilities, overly permissive security policies, and misconfigurations within cloud accounts or across the organization's supply chain, allowing access to sensitive data. The biggest issue in the cloud, however, is getting configuration security settings right.

In fact, nearly 73% of public cloud instances had one or more serious security misconfigurations. The combination of cloud growth and the high number of security misconfigurations suggests we will see more cloud breaches in 2018. The shift to hybrid cloud requires a parallel shift to multi-layer security approaches to combat the challenges of the ever-expanding attack surface.

Cloud Priorities are Security and Compliance

We love our clouds. They save us a lot in terms of operations cost and maintenance. The cloud is central to today’s IT security landscape. As we would expect, spending on cloud computing is growing, with almost all enterprises now running workloads in one or more clouds. Yet 38% of organizations have cloud users whose accounts have been compromised. It is no surprise that 93% of cloud IT managers are concerned about security.

We see the struggles IT teams face to deliver effective security in a hybrid, dynamically changing, on-demand environment. The Ixia 2018 Security Report revealed that “securing data and applications” and “satisfying compliance requirements” overtook “deploying and migrating applications” as the top public cloud priorities in 2018. Respondents admit that a visibility gap introduced by deployments in public cloud environments is also a key concern, with 88% experiencing issues related to a lack of visibility into public cloud data traffic.

Visibility and Detection Are an Increased Focus

Cyberattacks can impact revenue as well as reputation. And yet, in the current cyber threat landscape, it is less a case of 'if' an organization will be targeted than 'when'. Gone are the days of viewing network security as purely an on-premises challenge. The public cloud is forcing a wholesale shift in security architectures to one that must encompass both public and private clouds concurrently, providing a single, correlated view into the hybrid infrastructure.

Traditional perimeter security, including firewalls and intrusion protection, is necessary but not sufficient to protect an organization from advanced attacks designed to sidestep such systems. This drives IT teams to implement zero-trust and least-privilege models where the assumption is that intruders are already inside the network. That requires network visibility within the network as well as at its edges.

Threat detection and analytics are only as effective as the granularity of packet access the network infrastructure provides. The best security architectures offer continuous visibility and layered security that span on-premises systems and multiple public cloud providers, with the automation and insight to address both the skills gap and budgetary limitations. Only then will IT have a chance of keeping pace with the changing dynamics of hybrid infrastructure.

About the author: Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets.

Criminal Cyberattacks Are Up. Can Automated Security Help Bring Them Down?
https://www.infosecisland.com/blogview/25089-Criminal-Cyberattacks-Are-Up-Can-Automated-Security-Help-Bring-Them-Down.html
Thu, 26 Jul 2018 12:26:51 -0500

One of the most cited statistics related to cyberattacks is the average cost of a data breach as calculated by The Ponemon Institute with support from IBM. The 2018 Cost of a Data Breach report, which has become an industry benchmark, also tracks the number of days it takes to identify a breach and the number of days to contain a breach, among other data points.

As with past reports, this year’s average cost of a breach gets the most attention. (By the way, the average total breach cost, the average cost per record, and the average number of records lost are all up again this year on a global basis.) And, as usual, not everyone agrees with the conclusion or methodology.

However, one statistic within the report reveals the scope of the problem at hand. Another gives a glimmer of hope for those organizations that have taken the leap of faith to deploy the latest technologies and techniques that rely more on automation and less on hands on keyboards.

Ponemon reports that nearly half (48 percent) of the attacks included in the 2018 research were criminal or malicious in nature. That's a staggering number, especially when you take into consideration other findings from Ponemon indicating that criminal cyberattacks take the most time to detect and remediate – a global average of 302 days – and are also the costliest. The longer it takes to stop an attack and fix the root cause, the higher the cost: as much as $1 million USD more on average if containment takes longer than 30 days.

It’s not particularly surprising that the average cost and time associated to detect and address attacks are increasing given the number and scope of data breaches. What is encouraging, though, is a first-time statistic in the Ponemon/IBM study: the impact of automated security solutions on breach costs.

Ponemon defines these new technologies and tools as "security technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches." The 15 percent of responding companies that used security automation realized a total breach cost nearly $1 million USD lower than the global average ($2.88 million USD vs $3.86 million USD). The 51 percent who had no automation, or no plans for adding automation, saw average breach costs of $4.43 million USD, a net higher cost of $1.55 million USD.

The message from these findings is clear: companies that still rely on manual processes – security tools that require frequent tuning or manual CVE patching, for example – fare worse if they are breached. One year of data does not make a trend, but it's reasonable to believe the number of breaches will decline, too, as more organizations deploy automated tools that address the leading cause of cyberattacks: known but unpatched flaws in applications.

About the author: James E. Lee is the Executive Vice President and Global CMO at Waratek. He was the former CMO at data pioneer ChoicePoint and is an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center, including three years as Chair.

U.S. Now Leads by Number of DDoS Botnet C&C Servers
https://www.infosecisland.com/blogview/25090-US-Now-Leads-by-Number-of-DDoS-Botnet-CampC-Servers.html
Wed, 25 Jul 2018 11:05:59 -0500

During the second quarter of 2018, the United States became the top region by number of distributed denial of service (DDoS) botnet command and control (C&C) servers, accounting for nearly half of them, Kaspersky Lab reports.

Of all known C&C centers worldwide, 44.75% are located in the U.S., up from 29.32% during the first three months of the year. South Korea lost nearly 20 percentage points from the first quarter and ended Q2 in second position, at 11.05%. Italy (6.83%), China (5.52%), and France (3.31%) round out the top five.

Another significant change observed during this quarter was a massive increase in the number of DDoS attacks from Linux botnets, which reached 94.47% of all single-family attacks, compared to 66.49% in Q1.

The swing is mainly due to a multifold drop in the activity of the Yoyo Windows botnet, paired with a decrease in the activity of Nitol, Drive, and Skill. Simultaneously, “Xor for Linux significantly increased its number of attacks,” Kaspersky reports.

China continues to lead by number of attacks with a 59.03% share, followed by Hong Kong at 17.13%, and the United States at 12.46%. During the quarter, the top 10 countries accounted for 96.44% of the attacks.

According to Kaspersky, which only counted DDoS attacks originating from botnets, China also accounted for the largest share of unique targets (52.36%), followed by the U.S. (17.5%) and Hong Kong (12.88%).

The longest attack observed during the three-month period lasted 258 hours (almost 11 days), only slightly shorter than the longest attack in Q1, which lasted 297 hours (12.4 days). The number of short attacks (up to 4 hours) dropped significantly in the quarter.

“The share of SYN attacks rose sharply to 80.2%; second place went to UDP attacks with 10.6%,” Kaspersky reveals.

The security firm also noticed that the average and maximum attack power decreased slightly compared to the second half of last year, but both remained well above the levels observed in the first half of 2017, presumably because of third-party amplification.

Attackers are looking for non-standard amplification methods to increase the power of their attacks, as the recent wave of Memcached-based attacks has proved. Known since 2001, a vulnerability in the Universal Plug and Play protocol has been leveraged for amplification and obfuscation of source ports, thus bypassing existing defenses.

Some of the most significant attacks observed in the quarter include the assault on encrypted email provider ProtonMail and the attack on the Mexican elections. Another important event during the timeframe, however, was the shutdown of Webstresser.org, the largest DDoS services marketplace.

Related: New DDoS Attack Method Obfuscates Source Port Data

Related: Multi-Purpose Proxy Botnet Ensnares 65,000 Routers

Copyright 2010 Respective Author at Infosec Island
Singapore Health Database Hit by 'Major' Cyberattack
https://www.infosecisland.com/blogview/25088-Singapore-Health-Database-Hit-by-Major-Cyberattack.html
Fri, 20 Jul 2018 09:34:59 -0500

Singapore Prime Minister Lee Hsien Loong Targeted as Part of SingHealth Cyberattack

Singapore’s Ministry of Health (MOH) said Friday that a Singapore Health Services (SingHealth) database containing patient data, including personal information on Prime Minister Lee Hsien Loong, was hit by a “major” cyberattack.

According to an official statement, the breach impacted approximately 1.5 million patients who visited certain SingHealth clinics between May 2015 and July 2018.

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines,” the statement said.

After unusual activity was detected on one of SingHealth’s IT databases on July 4, investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) concluded that the attack was a “deliberate, targeted and well-planned cyberattack” that resulted in data being exfiltrated from June 27, 2018 to July 4, 2018.

Data accessed in the attack included name, National Registration Identity Card (NRIC) number, address, gender, race and date of birth.

“CSA has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation,” the statement said. "They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration."

IHiS, the technology agency for the public healthcare sector, said steps have been taken to bolster security, including resetting user and system accounts, temporarily imposing internet surfing separation, and placing additional controls on workstations and servers. The agency also said that additional system monitoring controls have been put in place, with similar measures being taken for IT systems across the public healthcare sector.

Earlier this year, Singapore’s Ministry of Defence (MINDEF) ran a bug bounty program from mid-January to early February, after a breach last year in which hackers were able to steal personal data from about 850 military servicemen and other employees from a defence ministry web portal.

In August 2014, Singapore officials announced new measures to strengthen cyber security following attacks on a section of the prime minister's website, as well as the website of the presidential residence.

Singapore is the home city for SecurityWeek’s Singapore ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial internet stakeholders in the APAC region that is held each April. 

Related: Hackers Breached Non-Classified System at Singapore's Ministry of Defence

Related: Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore

Q3 Oracle CPU Preview: Fewer Java SE Patches May Not Mean Fewer Flaws
https://www.infosecisland.com/blogview/25087-Q3-Oracle-CPU-Preview-Fewer-Java-SE-Patches-May-Not-Mean-Fewer-Flaws-.html
Mon, 16 Jul 2018 11:54:00 -0500

The July 2018 quarterly Oracle Critical Patch Update (CPU) is expected to set a new two-year high for total Oracle product patches and a 12-month low for Java SE patches, based on a review of a pre-release statement. The Q3 release could have as many as 334 total product patches, the highest in 11 quarters. Only eight Java SE patches are expected, representing a 75 percent drop from a 30-month high set in July 2017.

Other highlights of the pre-release include:

  • 100 percent of the Java SE vulnerabilities expected to be patched can be exploited remotely without user credentials.
  • The expected patches address flaws in Java SE versions 6u191, 7u181, 8u172, and 10.0.1. The highest vulnerability base score among the flaws is nine on a ten point scale.
  • The Oracle Database Server may also get three patches, including to the Java Virtual Machine. The highest CVSS base score is expected to be 9.8, and one of the flaws can be exploited without user credentials.

On the surface, the downward trend of Java SE patches would appear to be positive. However, it may actually be more of a reflection of the adoption rates of Java SE 9 & 10 as the Java community continues to rely on older versions of Java. With low adoption rates, there are simply fewer users in a position to report bugs in the newest versions of Java.

Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, July 17th.

About the author: James E. Lee is the Executive Vice President and Global CMO at Waratek. He was the former CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center, including three years as Chair.

Memory Protection beyond the Endpoint
https://www.infosecisland.com/blogview/25086-Memory-Protection-beyond-the-Endpoint.html
Mon, 16 Jul 2018 11:16:00 -0500

Threat actors have been digging into an ever-growing bag of tricks to compromise endpoints: social engineering, phishing, malware, zero-day vulnerabilities, advertising, ransomware -- even recent cryptocurrency jacking operations are just a few examples of the diversity, and even the sophistication, of some attacks. However, as different as these attacks may appear on the surface, some share similar features and rely on a handful of the same methods for compromising endpoints and data. For instance, the use of zero-day or unpatched vulnerabilities is commonplace when discussing how victims are compromised. In a way, the methods used to breach systems have remained fairly consistent – partially because they’re still very effective, regardless of the actual malware payload or the threat actor’s end goal.

Memory Manipulation – The Achilles Heel

Memory manipulation through the use of zero-day or unpatched vulnerabilities is usually the weapon of choice for threat actors, as it allows them to dodge traditional in-guest security solutions and execute malicious code on the victim’s endpoint. Threat actors have long been using these vulnerabilities to compromise victims, whether through drive-by downloads and malicious advertisements or through infected email attachments.

The interesting aspect of vulnerabilities is that, at their core, when they manipulate an application’s memory, they use only a handful of memory manipulation techniques, regardless of how sophisticated or critical these vulnerabilities might seem. Unfortunately, traditional security solutions usually lack the ability to protect an endpoint’s memory space, and only focus on files stored on-disk.

This Achilles heel of traditional security solutions means that threat actors can regularly exploit the same vulnerability and constantly deliver various payloads until one of them bypasses scrutiny from the security solution. Since payloads can range from ransomware to keyloggers and even coin mining software, memory manipulation of a victim’s endpoint using vulnerabilities is extremely effective.

Worse, some threat actors rely on exploit kits – collections of known vulnerabilities in popular applications, such as Java, Adobe Reader, browsers and even operating systems – to automatically probe endpoints for known vulnerable software and drop malicious payloads. Although some of the most popular and versatile exploit kits, such as Angler and Rig, have been dismantled by law enforcement, threat actors still rely on memory manipulation vulnerabilities.

Memory Protection

The obvious question is: how do you protect the memory space from being manipulated by vulnerabilities? There are in-guest next-generation layered security solutions that offer anti-exploit capabilities. Anti-exploit technologies work by watching for return-oriented programming (ROP) techniques usually associated with attackers trying to hijack a program’s control flow and execute specific instructions already present in memory. Such anti-exploit technologies can block execution of ROP chains as well as other stack manipulation techniques usually employed when exploiting vulnerabilities.
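To make the control-flow check described above concrete, here is an added example (not Bitdefender's or any vendor's code): a toy stack machine with a shadow stack, one mechanism anti-exploit layers use to catch a hijacked return. The machine keeps a second copy of every return address outside the memory the program can corrupt, and a RET whose popped address disagrees with that copy is refused before the target ever runs. The instruction set, the addresses and the "gadget" at address 42 are constructed for illustration.

```python
# Added example (not Bitdefender's or any vendor's code): a toy stack machine
# that models shadow-stack return-address checking. Instruction set, addresses
# and the gadget at address 42 are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, Optional[int], Optional[int]]   # (opcode, operand a, operand b)


class ControlFlowViolation(Exception):
    """A RET tried to use a return address that disagrees with the shadow stack."""


@dataclass
class ToyMachine:
    program: Dict[int, Instr]
    enforce: bool = True              # False models an endpoint without the check
    stack_size: int = 16
    pc: int = 0
    memory: List[int] = field(init=False)
    sp: int = field(init=False)
    shadow: List[int] = field(default_factory=list)   # kept outside "guest" memory
    trace: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.memory = [0] * self.stack_size
        self.sp = self.stack_size     # stack grows downward; sp points at the top slot

    def _push(self, value: int) -> None:
        self.sp -= 1
        self.memory[self.sp] = value

    def _pop(self) -> int:
        if self.sp >= self.stack_size:
            raise ControlFlowViolation("RET with empty stack")
        value = self.memory[self.sp]
        self.sp += 1
        return value

    def step(self) -> bool:
        """Execute one instruction; return False on HALT."""
        op, a, b = self.program[self.pc]
        self.trace.append(f"{self.pc}:{op}")
        if op == "CALL":                      # save return address, jump to a
            self._push(self.pc + 1)
            self.shadow.append(self.pc + 1)
            self.pc = a
        elif op == "RET":                     # return via the saved address
            target = self._pop()
            expected = self.shadow.pop() if self.shadow else None
            if self.enforce and target != expected:
                raise ControlFlowViolation(
                    f"RET to {target} but shadow stack recorded {expected}")
            self.pc = target
        elif op == "STORE":                   # write b into stack slot sp+a;
            self.memory[self.sp + a] = b      # models an out-of-bounds write
            self.pc += 1
        elif op == "NOP":
            self.pc += 1
        elif op == "HALT":
            return False
        else:
            raise ValueError(f"unknown opcode {op}")
        return True

    def run(self, max_steps: int = 100) -> str:
        for _ in range(max_steps):
            if self.pc not in self.program:
                return "crashed"              # fell off the program
            if not self.step():
                return "halted"
        return "timeout"


def run_program(program: Dict[int, Instr], enforce: bool = True):
    """Return (status, reason, trace) for one run of the toy machine."""
    machine = ToyMachine(program, enforce=enforce)
    try:
        status = machine.run()
    except ControlFlowViolation as exc:
        return "blocked", str(exc), machine.trace
    return status, "", machine.trace


# Constructed programs. BENIGN calls a subroutine and returns normally.
BENIGN: Dict[int, Instr] = {
    0: ("CALL", 10, None), 1: ("HALT", None, None),
    10: ("NOP", None, None), 11: ("RET", None, None),
}
# HIJACKED: inside the subroutine a buggy STORE overwrites the saved return
# address (stack slot sp+0) with 42, where an attacker-chosen "gadget" lives.
HIJACKED: Dict[int, Instr] = {
    0: ("CALL", 10, None), 1: ("HALT", None, None),
    10: ("STORE", 0, 42), 11: ("RET", None, None),
    42: ("NOP", None, None),
}

if __name__ == "__main__":
    print(run_program(BENIGN))                   # halted, normal trace
    print(run_program(HIJACKED))                 # blocked before 42 executes
    print(run_program(HIJACKED, enforce=False))  # gadget at 42 runs, then crash
```

Running the same hijacked program with `enforce=False` shows why the check matters: the gadget at 42 executes and the machine falls off the end of the program, which is the payload-first failure mode the article contrasts with stopping the attack at the point of memory manipulation.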

However, with organizations leveraging the power of virtualization and cloud infrastructures, we’ve reached a point where multiple guests – or operating systems – can share the same host – or hardware. Some technologies can protect the memory of all guests – without impacting their performance – by sitting between the hardware and the operating system layers.

Memory introspection technology is highly effective and efficient in protecting against known and unknown memory manipulation techniques associated with vulnerabilities, as it’s entirely outside the operating system. Because it’s isolated from the guest operating system, it’s completely untouchable by any in-guest threat – regardless of how sophisticated it is – but at the same time has complete visibility into the memory of each guest virtual workload.

Leveraging bare metal hypervisors, memory introspection technologies provide an additional security layer for virtual infrastructures, offering protection against any zero day or unpatched vulnerability that threat actors are trying to exploit. Instead of focusing on the actual payload, as most traditional security technologies do, memory introspection focuses on the initial point of compromise.

For instance, if a threat actor tries to exploit a zero-day Adobe Reader vulnerability to drop coin mining software, ransomware, or keylogging malware, memory introspection would plug the attack as soon as the attacker tries to perform the memory manipulation to escalate his privileges. This means the attack kill chain would be broken long before any payload or damage to the infrastructure would even occur.

Security beyond the Endpoint

Endpoints – virtual and physical – still play a vital role in organizations, and security needs to address these infrastructures holistically, and protect them without affecting performance. Software-defined datacenters, hyper-converged infrastructures, and hybrid clouds have changed the way businesses operate and scale. But security has mostly focused on the actual endpoint (e.g. VDI, VPS).

Re-engineering security solutions to fit the new infrastructure, performance, and scalability needs of organizations is crucial as advanced threats often exploit security blind spots. Having security technologies – both in-guest and outside the OS, as close to the hypervisor as possible – that can protect against memory manipulation techniques used to deliver anything from advanced persistent threats to coin miners and ransomware, can make a world of difference in ensuring business continuity, as well as in avoiding financial and reputational losses.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Intent Based Networking: Turning Intentions into Reality
https://www.infosecisland.com/blogview/25085-Intent-Based-Networking-Turning-Intentions-into-Reality-.html
Mon, 16 Jul 2018 10:50:52 -0500

Wouldn’t it be great if IT teams and network managers could simply outline, at a high level, what they want their enterprise networks to do, and then technology would automatically implement the changes across their infrastructure to make it happen? That’s the promise of intent-based networking (IBN): using machine learning and automation to provision and manage networks and enforce security policies automatically – without network administrators having to perform the operational tasks of actually making it all work.

First identified as the next big thing in early 2017, the industry really started taking note when Cisco announced its IBN portfolio in summer 2017. The portfolio provides an intuitive system “that constantly learns, adapts, automates and protects, to optimize network operations”, thereby replacing traditional, manual IT processes.

Cisco isn’t the only company looking to develop IBN solutions: other vendors, including Juniper and Veriflow, are also developing IBN solutions, while a number of IBN start-ups are also emerging.

Assessing IBN maturity

As such, it’s easy to see why IBN is appealing to enterprises:  it has the potential to ensure the needs of the business are quickly translated into an infrastructure that supports its specific requirements, and thus accelerate business innovation – all while making IT processes more efficient and easy to manage.  So what intent-based networking options exist today? Let’s take a look at some of the available solutions.

Orchestration: At a basic level, it is possible to automate heterogeneous networks without intent and understanding, using an orchestration system to automate the configuration of firewalls and routers to some degree.

Early-stage dedicated IBN solution: Organizations can utilize one of the many intent-based products offered by emerging IBN technology vendors. However, while these solutions offer more advanced IBN capabilities, in their current maturity they have limited automation capabilities.

IBN in a single-vendor environment: It may be worth considering a full IBN implementation with one specific vendor, such as VMware NSX or Cisco ACI. This will enable an organization to integrate IBN with its own network fabric.

While there are a number of options available today, IBN technology is not yet mature enough to be fully implemented across an entire enterprise network. However, it is possible to put in place the building blocks required for IBN adoption, by aligning IT more closely with the needs of the business.

Intent on security

A key example of this is in network security. Network security policy management (NSPM) solutions already deliver on IBN’s promise of enabling faster application delivery – without compromising the organizations’ security or compliance postures.

An NSPM solution can automatically discover and map applications, including the network connectivity flows that support them, as well as identify the security policies associated with the connections, across a heterogeneous enterprise environment (on-premise networks, SDN and cloud).

With this capability, the NSPM solution enables business application owners to request network connectivity for their business applications without having to understand anything about the underlying network and security devices that the connectivity flows pass through. The application owner simply makes a network connectivity request in their own application-centric language and the NSPM solution automatically understands and defines the technical changes required directly on the network security devices. As part of this process the NSPM assesses these change requests for risk and compliance with industry and corporate regulations and, if the risk is low, it automatically implements them directly on the relevant security devices, and then verifies the process – all with zero touch.

Thus, normal change requests can zip through—from request to implementation—in minutes, with little to no involvement of the networking team. Manual intervention is only required if a problem arises during the process, or if a request is flagged as high risk. As such, from a network security perspective, the potential of IBN can already be achieved with the right security policy management solution.
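The zero-touch flow described in the preceding paragraphs, as an added example that is not AlgoSec's or any vendor's code: an application owner states intent in application terms, the tool maps it to networks and ports, scores the change against risk and compliance checks, pushes a rule to a stand-in firewall when the score is low, verifies that the requested flow now passes, and otherwise flags the request for a human. The application inventory, zones, risk weights and auto-approval threshold are all invented for this illustration.

```python
# Added example (not AlgoSec's or any vendor's code): a constructed model of an
# intent-driven connectivity change with automated risk assessment. Inventory,
# zones, risk weights and the threshold are invented for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed inventory: application name -> (security zone, network).
APPS: Dict[str, Tuple[str, str]] = {
    "web-portal":    ("dmz",       "10.1.0.0/24"),
    "orders-db":     ("internal",  "10.2.0.10/32"),
    "cardholder-db": ("pci",       "10.3.0.5/32"),
    "partner-feed":  ("untrusted", "203.0.113.0/24"),
}
# Service names an owner may use, mapped to protocol and port (port 0 = any).
SERVICES: Dict[str, Tuple[str, int]] = {
    "https": ("tcp", 443), "mysql": ("tcp", 3306),
    "rdp": ("tcp", 3389), "any": ("any", 0),
}
ADMIN_PORTS = {22, 23, 3389}


@dataclass(frozen=True)
class Request:
    """Intent expressed in the owner's own terms: no addresses, no devices."""
    source_app: str
    dest_app: str
    service: str


@dataclass
class Rule:
    proto: str
    src: str
    dst: str
    port: int

    def matches(self, proto: str, src_ip: str, dst_ip: str, port: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (0, port))


@dataclass
class Firewall:
    """Stand-in enforcement device with a default-deny policy."""
    rules: List[Rule] = field(default_factory=list)

    def allows(self, proto: str, src_ip: str, dst_ip: str, port: int) -> bool:
        return any(r.matches(proto, src_ip, dst_ip, port) for r in self.rules)


def assess_risk(req: Request) -> Tuple[int, List[str]]:
    """Score the intent against constructed corporate and compliance checks."""
    src_zone, _ = APPS[req.source_app]
    dst_zone, _ = APPS[req.dest_app]
    _, port = SERVICES[req.service]
    score, findings = 0, []
    if req.service == "any":
        score += 50
        findings.append("overly broad service 'any'")
    if src_zone == "untrusted" and dst_zone != "dmz":
        score += 40
        findings.append(f"untrusted source reaching the {dst_zone} zone")
    if dst_zone == "pci" and src_zone != "pci":
        score += 30
        findings.append("new path into PCI scope needs compliance sign-off")
    if port in ADMIN_PORTS:
        score += 30
        findings.append(f"administrative protocol on port {port}")
    return score, findings


def process_request(req: Request, fw: Firewall, auto_threshold: int = 25) -> dict:
    """Translate, assess, implement if low risk and verify; else flag for review."""
    score, findings = assess_risk(req)
    if score > auto_threshold:
        return {"decision": "needs_review", "score": score, "findings": findings}
    _, src_net = APPS[req.source_app]
    _, dst_net = APPS[req.dest_app]
    proto, port = SERVICES[req.service]
    fw.rules.append(Rule(proto, src_net, dst_net, port))   # the "push" to the device
    # Verification step: a representative flow must now be permitted.
    src_ip = str(ipaddress.ip_network(src_net).network_address)
    dst_ip = str(ipaddress.ip_network(dst_net).network_address)
    verified = fw.allows(proto, src_ip, dst_ip, port)
    return {"decision": "implemented", "score": score, "findings": findings,
            "rule": f"permit {proto} {src_net} -> {dst_net} port {port}",
            "verified": verified}


if __name__ == "__main__":
    fw = Firewall()
    print(process_request(Request("web-portal", "orders-db", "mysql"), fw))
    print(process_request(Request("partner-feed", "cardholder-db", "any"), fw))
```

The design point is that the owner never names an address or a device; the translation, the risk scoring and the post-change verification sit between the intent and the firewall, and only requests that clear the threshold touch the device at all.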

The future’s bright, the future’s IBN

IBN is undoubtedly an exciting advancement in networking, enabling IT teams to provision and configure networks a lot faster and in a much more secure way, with far fewer resources.  

By utilizing an NSPM solution, which enables application owners to express the business intent and then receive a continuously maintained, end-to-end path for their application connectivity provisioning, organizations are well placed to drive IBN initiatives in their organizations. 

About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.

Science Fiction Come True: Weaponized Technology Threatens to Shatter Security, Critical Systems
https://www.infosecisland.com/blogview/25084-Science-Fiction-Come-True-Weaponized-Technology-Threatens-to-Shatter-Security-Critical-Systems.html
Tue, 03 Jul 2018 01:58:37 -0500

By 2020, the very foundations of today’s digital world will shake. Nation states and terrorist groups will increasingly weaponize the cyber domain, launching attacks on critical national infrastructure that cause widespread destruction and chaos. With power, communications and logistics systems down, organizations will lose the basic building blocks needed for doing business. Heating, air conditioning, lighting, transport, information, communication and a safe working environment will no longer be taken for granted.

Let’s take a quick look at a few of the top threats to information security that are expected to emerge over the next two years, as determined by Information Security Forum research, and what they mean for your organization:

Cyber and Physical Attacks Combine to Shatter Business Resilience

Nation states and terrorists will combine traditional military force with their increasingly sophisticated cyber arsenals to launch attacks that create maximum impact. Organizations will face interruptions to business as cities become no-go zones and vital services are rendered unavailable, with governments, militaries and emergency services struggling to respond effectively to concurrent physical and cyber incidents.

Why Does This Threat Matter?

Physical and cyber attacks will be deployed simultaneously, creating unprecedented damage. Many nation states and terrorist groups (or both, working together) will have the capability to bring together the full force of their armaments – both traditional and digital – to perform a clustered ‘hybrid’ attack. The outcome, if successful, would be damage on a vast scale.

Telecommunication services and internet connections will be obvious first targets, leaving individuals and organizations cut off from the outside world. Assistance from emergency response services, as well as local and central governments, will be slow or non-existent as essential physical and digital infrastructure will have broken down.

These attacks will be designed to spread maximum chaos, fear and confusion. The stricken city, or cities, will be brought to a standstill, with both lives and businesses placed in jeopardy. Those at home will be unable and unwilling to go to work, or – without power or communications – unable to work from home. Those already in the office will be trapped with nowhere to escape to, as attacks hit them from every angle. Existing business continuity plans will be useless; they will not have been prepared to cater for an eventuality when every system is down while individuals are in physical danger. People will panic. Work will be off the agenda.

Satellites Cause Chaos on the Ground

As an integral part of almost every walk of life, satellite systems will be targeted. Organizations are more reliant on satellites than ever before, routinely using global positioning systems (GPS) and communications services. Disabling or spoofing signals from GPS will put lives at risk and impact global travel and financial markets. Attackers may also target media, communications, meteorological and military functions to further disrupt operations and trade.

Why Does This Threat Matter?

Compromised satellite signals, whether spoofed by malicious adversaries or knocked out by collisions with other satellites or space debris, will cause widespread chaos down on Earth. As satellites become cheaper and easier for national space agencies and individual businesses to launch and maintain, they will become increasingly integral to modern life. Disabled or spoofed signals will interfere with critical transport, communications systems and even financial services.

Lives will be put at risk and supply chains hampered as spoofed GPS signals are sent to aircraft, ships and road vehicles. International financial systems – from stock exchanges to ATMs – that rely on exact timestamps on digital payments will be unable to record transactions accurately. Trading algorithms that rely on data from satellites on weather or location of specific assets (e.g. to instruct which crops to buy or sell) will be misled, potentially manipulating financial markets.

In the next few years, satellites will play an increasingly crucial role in connecting Earth-based infrastructure and systems. However, organizations will need to realize what the military has known for years – that no one will be spared if attacks against satellites succeed. The potential for crippling disruption is immense.

Weaponized Appliances Leave Organizations Powerless

Enemies aiming to inflict damage will take advantage of vulnerabilities in connected appliances such as thermostats, refrigerators, dishwashers and kettles to create power surges strong enough to knock out regional power grids. This relatively unsophisticated attack will bring operations to a grinding halt for organizations in affected areas, as governments prioritize restoring vital services over trade.

Why Does This Threat Matter?

Attackers will find ways to access a huge proportion of the millions of connected appliances – such as heating systems and ovens – and turn them into weapons. This mass of appliances could be commandeered and misused for a number of disruptive ends, similarly to the way botnets of poorly protected home computers have been used to initiate and sustain large scale DDoS attacks. However, one threat merits specific attention – the damage they can wreak collectively on power grids.

These appliances, forming part of the IoT – many in homes but also found in offices and factories – are always powered-on and always connected to the internet. Manipulated by attackers to switch on to full power simultaneously, appliances will create a demand for power so unexpectedly high that it overloads and brings down regional electricity grids. With the grid offline or severely degraded, organizations will be weakened and struggle to function.

The underlying foundations of many business continuity plans, such as instructing employees to work from home, will be rendered useless as they will have neither power nor a means to communicate. Dependent critical services such as water supplies, food production systems and health care will be unavailable. Power rationing will affect other utilities and services, such as heating, lighting and transport. To cap it all, organizations will lose out to competitors in non-affected areas who will be quick to take advantage of the increased demand for their services.

It's Past Time to Begin Preparation

Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The themes listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant.

The future arrives suddenly, especially when you aren’t prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Navigating Dangerous Waters: the Maritime Industry’s New Cybersecurity Threat as Technology Innovation Grows
https://www.infosecisland.com/blogview/25083-Navigating-Dangerous-Waters-the-Maritime-Industrys-New-Cybersecurity-Threat-as-Technology-Innovation-Grows.html
Tue, 03 Jul 2018 00:29:00 -0500

The rapid evolution of technology and, in particular, the Industrial Internet of Things (IIoT) is transforming critical environments, bringing benefits such as optimised processes, reduced costs and energy efficiencies. The maritime industry, which forms part of our critical infrastructure, is adapting to access many of the benefits that innovation in technology can offer. By the end of the decade, for example, a new era of shipping will have started with the world’s first autonomous container ship transporting goods around the coastline of Norway.

Although such advances are to be applauded, they bring with them a high element of risk. Security researchers have been warning for many years that the shipping industry is a ‘low hanging fruit’, due to the fact that high-value goods are transported by ships with legacy systems and poor cybersecurity practices to safeguard from malicious attacks. This is leaving vessels at risk of a wide range of threats from live location tracking, to the loss of critical function such as power and navigation.

The dangers of Operational Technology at sea

A concerning problem encountered within maritime is a lack of recognition that a container ship is a critical environment, warranting robust protective systems like any other Operational Technology (OT) environment e.g. a utility. Once connected to a network, this technology risks being targeted by hackers. The threat is a real one; researchers have demonstrated proof of concept cyber-attacks against many of the most common maritime systems, and there’s evidence of incidents at sea in which navigational computers were infected with malware on a USB stick being used for upgrades.

A one-size-fits-all approach to cybersecurity won’t be an effective solution, as the shipping industry presents a unique challenge for hardening cybersecurity; that is, every ship is different. A lack of standardisation across vessels means a vast mix of legacy OT has been deployed, much of which was not designed with security in mind, as well as further networked technologies which have been added over time.

A major vulnerability is the lack of cybersecurity skills, knowledge and focussed training among many of the crew members to recognise, understand and address incidents. For the most part, the person responsible for IT combines the role with another, leaving little time to monitor, respond to or rectify a cybersecurity breach. In this circumstance, remote monitoring for such issues is also problematic due to a shortage of reliable bandwidth while at sea.

A change in approach – the importance of risk management

These challenges are not unsolvable and for those that get it right, cybersecurity will be a powerful enabler in the world of more automated shipping. Adopting a risk management approach – where risk appraisal is used to identify, evaluate and prioritise risks in order to control the probability or impact of an incident – will be key to the maritime sector’s future. A risk management approach begins with identifying which systems, data and interfaces are unprotected and pose the greatest risk to operations if compromised. In a maritime context, this should involve the frequent testing and hardening of systems, as well as securing devices and networks by closing unused data ports and ensuring full network segregation between OT and IT systems.

Better staff training is also a must for all those working on a vessel. For example, crew systems, such as terminals for entertainment or personal email, should be kept isolated from other systems as one of the primary threats remains inadvertent infection via a flash drive or mail attachment. Crew members should be able to utilise such technology in a secure manner and be trained to avoid suspicious email links.

But effective cybersecurity must also be business efficient cybersecurity. The maritime industry will need to adapt to access the many benefits of technological innovation but do so in a safe and secure way. Learning the lessons of other industries, it is clear that one of the best ways to improve resilience to cyberattacks and harden maritime networks is to build a cyber secure supply chain. Working with suppliers whose products are demonstrably secure, and partners whose knowledge is advanced in existing maritime systems will be fundamental to robust OT security and a safer future for asset transport at sea.

About the author: Jalal Bouhdada is Founder and Principal ICS Security Consultant at Applied Risk.

Is User Training the Weakest Link for Your Email Security Approach?
https://www.infosecisland.com/blogview/25080-Is-User-Training-the-Weakest-Link-for-Your-Email-Security-Approach.html
Thu, 28 Jun 2018 01:41:22 -0500

The days of only deploying an email security gateway to block viruses, spam and other threats from reaching user email accounts are gone. Even though gateways no doubt have their place in a comprehensive security strategy, in most cases they are paired with supplementary technologies to ensure the most effective layered email protection. This is critical because gateways aren’t designed to sniff out attacks such as social engineering, phishing, spear phishing, and business email compromise (BEC). There is also the constant possibility of users being phished on personal email accounts that aren’t controlled by gateways at all. There are technologies to accompany gateways such as AI-powered email security solutions, which offer the best hope to stop spear phishing, impersonation and BEC attacks.

But let’s say you are well informed and have already deployed extra security layers to protect against sophisticated email-borne data theft, malware, phishing and other threats. Perhaps you even have a comprehensive backup and recovery strategy to combat ransomware attempts that could hold your data hostage. From a technology standpoint you’ve thought of everything, but the problem is that your users probably have not. This is especially true for mid- to low-level employees, including sales or customer service teams, for whom being security aware just isn’t at the top of the to-do list. Ultimately, these folks could be part of the problem without even knowing it.

That’s because end users frequently receive messages containing links to spoofed websites where criminals intend to steal their credentials in order to gain entry and launch attack campaigns. These employees are also the unlucky recipients of numerous social engineering attacks, including fraud attempts that could result in wire transfers to cybercriminals. What’s more alarming is that these attacks avoid traditional security technologies, making the actions users take more important than ever. To shed a bit more light on this piece of the email security puzzle, Dimensional Research recently collected data from over 630 participants located around the globe who all had some level of responsibility for email security within their organization. Let’s take a deeper look at some of the points covered in the research:

User behavior and security risks

One of the points that really stands out to me is that effective security these days isn’t just about security tools and technology; employee behavior is actually the greater concern. 84 percent of the respondents attributed security concerns to poor employee behavior, while 16 percent cited inadequate tools as the culprit.

It was also interesting to see that there is no real consensus on the level of employee or title that is most likely to fall for an attack. This suggests that cybercriminals are spreading their attacks across organizational levels rather than targeting any particular level of employee.

The reasoning for this is that, as with any scam, email attacks are typically a numbers game. The more attempts made, the better the criminals’ success rate, which is one of the reasons they continue to go after individual contributors: there are simply more targets available. Alternatively, in targeting executives, the payoff is much greater, as they have access to more sensitive and critical information. This supports the idea that criminals operate just like a business and make risk-versus-reward decisions.

Finance is considered the most vulnerable

It probably isn’t surprising to anyone that finance employees are thought of as the most vulnerable, as they usually have access to the company’s crown jewels: 24 percent of respondents believe that finance departments are the most vulnerable to an attack. What might be surprising about this set of findings is that the respondents believe legal departments pose very little risk. Perhaps legal teams are just viewed as more aware of the consequences, or less likely to act on an attempted attack?

On the other side of the office we have the sales and customer service departments, who according to respondents were the most likely to put their organization at risk. This could be simply because these teams communicate heavily over email at a rapid pace, which could open the door for attacks. Regardless of the reason, if the belief is true, organizations may want to take the necessary steps to make sure these teams are aware of the possible threats that could be lurking in their inboxes.

End user training is essential, but a better offering is needed

100 percent of the respondents said that end-user training is important to their email security posture. It is great to see that training is recognized as an important cog rather than labeling it as a “nice to have” piece of the strategy.  

We also learned that organizations are offering more than just a traditional classroom style approach to education for their users. In our experience, the most effective programs are able to scale, move quickly, and offer the flexibility to work into and around busy schedules. Offering training at the convenience of each individual’s schedule makes all the difference in retention of information and employees’ willingness to participate. With that said, it’s essential to test if these training programs are making an impact. This could mean testing employees on their knowledge with simulated email attacks, or even tracking behavior to help security teams drill down on weaknesses in their organization.

Who actually trains their users?

We’re seeing that all organizations have good intentions, but according to the data, only 77 percent of the respondents said they are actually training their employees. Not a terrible number by any means—but there’s definitely still a gap, and room to improve.

The reported data also shows that organizations with over 1000 employees are more likely to implement training. This isn’t uncommon or too surprising as large businesses have more resources and are typically early adopters of new technologies and trends. Smaller organizations usually follow proven practices, but are forced to make the most of their available budgets.

Ideally, every organization regardless of the size should be exploring new technologies and practices to adapt to the evolving threats in the wild. Employees of any level or title should be trained regularly and tested on their security knowledge.

So, is end-user security training and awareness the missing link in your complete email security strategy? The data suggests that it is definitely a clear concern, and if you consider the number of attacks happening daily, almost every incident involves human interaction.

In these attacks a malicious link must be clicked for cybercriminals to gain initial entry, an attachment must be opened, or money has to be willingly transferred by an unsuspecting employee for the attack to succeed. Putting training at the top of your layered security strategy, alongside your technology stack, makes your employees less of a liability and significantly lowers the risk of a breach.

About the author: Dennis is responsible for the entire business lifecycle of the PhishLine product family at Barracuda Networks, including product strategy, product design, sales, onboarding, support, and renewals.

Least Privilege Access – Still at the Front Lines of Security
https://www.infosecisland.com/blogview/25079-Least-Privilege-Access--Still-at-the-Front-Lines-of-Security.html
Wed, 27 Jun 2018 07:33:00 -0500

Ever since authentication and authorization became the norm for access to computer systems, the principle of least privilege (POLP) has been the de facto baseline for proper security. At its core, least privilege means granting a user just enough permissions (authorization) to reach the data and systems needed to do his or her job, nothing more and nothing less. In theory, adhering to the POLP sounds like the perfect identity and access management strategy, but implementing least privilege is often easier said than done.

Why is it so hard?

There are a number of factors to consider. First, in order to implement least privilege, there needs to be a clear understanding of what the right access actually is for each user and their role. Second, in order to enforce the defined level of access, there has to be some sort of enforcement tool. And third, the definition and enforcement of granting access should be executed in a way that doesn’t get in the way of users doing their jobs. While least privilege is of value for securing all types of access, it is most critical when managing administrator access.

Some systems make it easy, with well-defined roles and granular definitions of the permissions associated with those roles. But other systems aren’t as cooperative, with no native utilities to define and enforce what “right” actually means. For those systems, organizations are often left to their own devices, relying on tribal knowledge to define “right” and having limited tools to enforce it. The result is many organizations deeply wanting to enforce least privilege but, in practice, finding themselves successful only on a very limited scale.

From an administrative access standpoint, many organizations take the easy way out by sharing administrative (or “superuser”) credentials among all individuals who might require them for their role, giving many more employees more access to data and systems than may be necessary to do their job – the polar opposite of POLP.

The classic example of least privilege for administrative access is sudo (short for “superuser do”), an open source utility available for Unix and Linux systems. It lets an organization define a role that carries only a subset of the all-powerful root credential in the sudoers policy file (usually /etc/sudoers, edited with visudo). An administrator prefixes a command with “sudo”; if the sudoers policy allows that command for that user on that host, it runs with the requested privileges, otherwise it is refused and, by default, the attempt is logged.

Sudo works well in many instances. However, once a Unix/Linux estate reaches a certain size, the fact that sudo evaluates its policy independently on each server makes least privilege unwieldy, error-prone, and counterproductive to maintain. (Sudo can read its policy from LDAP instead of a local file and can record command input and output with its log_output option, but both still have to be rolled out and collected consistently host by host.) Consequently, there are whole categories of privileged access management (PAM) solutions that either replace sudo with a single solution covering the entire environment with one policy and enforcement set plus keystroke logging, or augment sudo with centralized policy across all instances (as opposed to multiple islands of sudoers files).
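To make the sudoers discussion above concrete, here is an added example (not code from the article or from One Identity) that pairs the all-or-nothing grant the article warns about with a narrowly delegated role, and then audits the policy for grants that defeat least privilege: ALL commands, NOPASSWD on ALL, shell-capable binaries, and visudo (which lets the caller rewrite the policy itself). The sudoers syntax is real; the users, hosts, paths and the choice of flagged binaries are assumptions for the example, and the parser handles only the subset of sudoers grammar shown.

```python
import re

# Constructed sample sudoers policy (hypothetical users, hosts and paths).
# The first user specification is the "all-or-nothing" grant the article
# warns about; the remaining lines delegate a narrowly defined role.
SAMPLE_SUDOERS = """
# Weak: every member of wheel can run anything, as anyone, without re-authenticating
%wheel ALL=(ALL) NOPASSWD: ALL

# Least privilege: name the role's commands, then grant only those
Cmnd_Alias SERVICES = /bin/systemctl restart nginx, /bin/systemctl status nginx
Cmnd_Alias LOGS = /usr/bin/journalctl -u nginx, /usr/bin/tail /var/log/nginx/*
User_Alias WEBOPS = alice, bob
WEBOPS ALL=(root) SERVICES, LOGS

# Looks narrow, but visudo rewrites the policy itself
carol ALL=(root) /usr/sbin/visudo
"""

# Binaries that give an interactive shell or a shell escape once launched (assumed list).
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/vi", "/usr/bin/vim",
              "/usr/bin/less", "/usr/bin/find"}
# Binaries that let the caller change the sudo policy, i.e. grant themselves ALL.
POLICY_EDITORS = {"/usr/sbin/visudo"}

# user_or_group  host = (runas) command list; tags such as NOPASSWD: stay in the command field
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs). '#' comments are stripped (so '#include'
    directives are not handled); Cmnd_Alias definitions are collected so that
    user specifications can be expanded to concrete commands."""
    cmnd_aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias "):
            name, _, cmds = line[len("Cmnd_Alias "):].partition("=")
            cmnd_aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif line.startswith(("User_Alias ", "Host_Alias ", "Runas_Alias ", "Defaults")):
            continue  # not needed for this audit
        else:
            m = SPEC_RE.match(line)
            if m:
                specs.append(m.groupdict())
    return cmnd_aliases, specs


def audit_sudoers(text):
    """Return a list of (who, reason) findings for grants that defeat least privilege."""
    cmnd_aliases, specs = parse_sudoers(text)
    findings = []
    for spec in specs:
        who, field = spec["who"], spec["cmds"]
        nopasswd = "NOPASSWD:" in field
        cmds = []
        for entry in field.replace("NOPASSWD:", "").split(","):
            entry = entry.strip()
            if entry:
                cmds.extend(cmnd_aliases.get(entry, [entry]))  # expand Cmnd_Alias names
        for cmd in cmds:
            binary = cmd.split()[0]
            if cmd == "ALL":
                findings.append((who, "ALL commands as " + (spec["runas"] or "root")
                                 + ": equivalent to sharing the root credential"))
            elif binary in SHELL_LIKE:
                findings.append((who, cmd + ": interactive shell or shell escape"))
            elif binary in POLICY_EDITORS:
                findings.append((who, cmd + ": can rewrite the sudo policy itself"))
        if nopasswd and "ALL" in cmds:
            findings.append((who, "NOPASSWD on ALL: full root with no re-authentication"))
    return findings


if __name__ == "__main__":
    for who, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {reason}")
```

Run against the sample, the script flags only `%wheel` (twice) and `carol`; the WEBOPS role passes. On a real host, validate any policy you write with `visudo -c` before relying on a script like this, which only reads the grammar subset shown.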

When looking at PAM, Unix/Linux is typically only a part of the overall picture. There are other systems where unchecked administrator access can be just as damaging as on Unix/Linux, if not worse. For example, most organizations have a significant investment in Microsoft Active Directory (AD) and Azure Active Directory (AAD), with those systems being the primary front door for the majority of end-user access needs. This makes the AD/AAD administrator critical in any PAM program, and the POLP should extend to these administrators as well.

The reality is that beyond the Unix/Linux and AD/AAD platforms, POLP is extremely difficult to enforce consistently in the modern heterogeneous enterprise. Some applications have the capability built in, while others make no attempt to enable the practice. It becomes a crapshoot, but it is a practice that every PAM program should apply as widely as it can. Here are a few tips to help you get the most from the POLP in your PAM program:

  • Make the most of what you can control: within Unix/Linux, look for opportunities to improve on the native sudo capabilities to eliminate weaknesses and improve operational efficiency in executing least privilege. Simply augmenting or replacing sudo with a commercial solution yields significant security gains. Similarly, given the status AD/AAD enjoys, it only makes sense to seek third-party assistance in removing the all-or-nothing default of administrator access.
  • Use a vault: privileged password vaults are a great alternative to shared administrative passwords when least privilege is not an option. With day-to-day Unix/Linux and AD/AAD admin access delegated in a least privilege model, placing security, policy, and automation around the issuance, approval, and management of other privileged passwords makes sense. It removes the anonymity that is so dangerous with unchecked administrative access and provides controls around the whole process. Vaults also provide a viable alternative to issuing the entire permission set of a delegated admin account to a single user. Delegate the day-to-day activities and vault the superuser access for firecall and other critical tasks.
  • Audit activities: no PAM program is complete without the ability to close the loop on what administrators actually do with their permissions. Employ session audit and keystroke logging to augment delegated administrator access, allowing you the visibility to know what is actually done with the permissions in question.
  • Implement analytics: the final piece of the PAM puzzle is to implement analytics. Privileged behavioral analytics will help detect anomalous and dangerous activities, while identity analytics will evaluate the rights associated with an individual administrator’s permissions in both the vault and the least-privileged model. Analysis of rights and permissions across administrators in similar roles can help organizations identify weak spots in their least privilege model.
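The peer comparison suggested in the last tip is easy to mechanize. The following is an added example, not from the article or any One Identity product, of peer-group analysis over a constructed rights inventory: for each role it counts how many members hold each right and flags any right held by half or fewer of the role’s members as a candidate for review. The inventory format, the role and right names, and the 50 percent threshold are all assumptions for the example.

```python
from collections import Counter

# Constructed inventory of administrators, their role, and the rights each one
# holds across the least-privilege delegation model ("sudo:", "ad:") and the
# vault ("vault:"). Every name, role and right here is made up for the example.
ADMIN_RIGHTS = {
    "alice": {"role": "webops",   "rights": {"sudo:restart_nginx", "sudo:read_nginx_logs"}},
    "bob":   {"role": "webops",   "rights": {"sudo:restart_nginx", "sudo:read_nginx_logs", "vault:root-firecall"}},
    "carol": {"role": "webops",   "rights": {"sudo:restart_nginx", "sudo:read_nginx_logs"}},
    "dave":  {"role": "ad-admin", "rights": {"ad:reset-password", "ad:unlock-account"}},
    "erin":  {"role": "ad-admin", "rights": {"ad:reset-password", "ad:unlock-account", "ad:domain-admins-member"}},
    "frank": {"role": "ad-admin", "rights": {"ad:reset-password"}},
    "gina":  {"role": "dba",      "rights": {"vault:oracle-sys"}},
}


def peer_outliers(inventory, threshold=0.5, min_members=2):
    """Peer-group analysis: for each role with at least `min_members` administrators,
    flag every (admin, right) pair where the right is held by no more than `threshold`
    of the role's members. Returns {(admin, right): share_of_peers_holding_it}."""
    members_by_role = {}
    for admin, record in inventory.items():
        members_by_role.setdefault(record["role"], []).append(admin)

    outliers = {}
    for role, members in members_by_role.items():
        if len(members) < min_members:
            continue  # a one-person role has no peers to compare against
        holders = Counter(right for m in members for right in inventory[m]["rights"])
        for admin in members:
            for right in inventory[admin]["rights"]:
                share = holders[right] / len(members)
                if share <= threshold:
                    outliers[(admin, right)] = share
    return outliers


def report(inventory):
    """Print the review list in a stable order."""
    for (admin, right), share in sorted(peer_outliers(inventory).items()):
        print(f"{admin}: {right} is held by {share:.0%} of peers; confirm it is still needed")


if __name__ == "__main__":
    report(ADMIN_RIGHTS)
```

On the sample data only two pairs surface: bob’s firecall checkout right and erin’s Domain Admins membership. A flag is a prompt for review, not a verdict; the firecall right may be exactly what the vaulting tip above intends, but it should be justified rather than inherited.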

The POLP is a critical component of any effective PAM program, but it is not the only principle. A well-rounded program will also augment POLP with vaulting, session auditing, and analytics to truly deliver on the security objectives for which the program is designed.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

“Can you Hear Me Now?” - Security Professionals Warn about Who May Be Listening
https://www.infosecisland.com/blogview/25081-Can-you-Hear-Me-Now-Security-Professionals-Warn-about-Who-May-Be-Listening.html
Wed, 27 Jun 2018 06:32:00 -0500

In light of the recent move by Verizon to stop sharing location data with third parties, companies need to rethink their strategies for gathering data from users.

In the past, companies and app makers used a range of technologies on mobile devices to gather more and more data; that same data now makes it increasingly attractive for malicious actors to find a way in.

In one case, La Liga disclosed to users what the microphone would be used for and how. Malicious app developers are not always so forthcoming, and careless app developers put people at risk without realizing it.

La Liga wants to collect users’ location data to track down unlicensed broadcasts of soccer games at sports bars and clubs. This activity serves its own interests without consideration for the user. Of course, there are likely other ways to approach this problem that don’t require turning customers’ mobile devices into the company’s personal eavesdroppers, but this is the route it took. And to top it all off, it had enough confidence to openly disclose this to its user base, perhaps because it expects no significant user backlash. That expectation will probably hold, given the prevailing lack of awareness among end users in many countries about data privacy, the right to information privacy, and inappropriate sharing.

The tradeoff here with trying to stop someone from misusing a service is opening up a new potential attack scenario for the bad guys. As we have seen with other apps that drive voice-enabled technology, how it is intended to work and how it may be used or misused are two very different things.

Don Green, Mobile Security Manager, WhiteHat Security, shared his thoughts on a few items that might have a bad guy smiling, including:

  • “The mobile device microphone and geolocation will only be activated during the time slots of matches in which La Liga teams compete.”

The Bad Guy perspective is the first thing I am going to do is try to abuse the match time slot data to have listening and geolocation occur 7x24.   If I’m after you, I want to make sure I’m hearing everything you say all the time and know where you are at all times.

  • “La Liga will periodically remind users that it can activate their microphones and GPS and will ask them to reconfirm consent.”

“Periodically” is a term hackers just love, while for users it’s a nightmare.   Oh here’s a notice to reconfirm consent…is it really? For bad guys, this is the perfect scenario set up to send users fake notices and get them to download malware.

While fighting fraud is a legitimate goal for a business, this approach calls for extreme caution. There’s a fine line between protecting the business and putting it at risk by passing additional risks on to customers. For example, courts want to track the phones of offenders on parole, while Apple recently started cracking down on geolocation apps, especially since the GDPR treats location data as personally identifiable information (PII).

Application designers and sellers need to be able to scan the apps and determine whether they are accidentally releasing this kind of information, versus making a deliberate decision based on business need to broadcast where each cell phone user is. Ultimately, customers define what is an acceptable level of risk and privacy.
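One concrete form that scan can take, added here as an example rather than anything from the article or WhiteHat Security, is a check of an Android app’s manifest for the two capabilities the La Liga case turns on: the microphone and location permissions, plus any service declared to run in the foreground with those capabilities. The article names no platform, so Android is an assumption, and the manifest below is constructed (package name, service name and permission set are made up). The permission and attribute names are the real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app listen to or locate the user (real Android names).
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
}

# Constructed manifest for the example; package, service and permission set are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.matchday">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    <uses-feature android:name="android.hardware.microphone" android:required="false" />
    <application android:label="Matchday">
        <service android:name=".ListenerService"
            android:foregroundServiceType="microphone|location" />
    </application>
</manifest>
"""


def _root(manifest_xml):
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    return ET.fromstring(data)


def _attr(element, name):
    return element.get("{%s}%s" % (ANDROID_NS, name))


def sensitive_permissions(manifest_xml):
    """Return {permission: what it grants} for every requested listening/location permission."""
    found = {}
    for el in _root(manifest_xml).iter("uses-permission"):
        name = _attr(el, "name")
        if name in SENSITIVE:
            found[name] = SENSITIVE[name]
    return found


def services_using(manifest_xml, capabilities=("microphone", "location")):
    """Return {service name: [capabilities]} for services whose foregroundServiceType
    names any of the given capabilities; these can keep the microphone or GPS in use
    while the app is not in the foreground."""
    hits = {}
    for svc in _root(manifest_xml).iter("service"):
        declared = set((_attr(svc, "foregroundServiceType") or "").split("|"))
        used = sorted(declared & set(capabilities))
        if used:
            hits[_attr(svc, "name")] = used
    return hits


if __name__ == "__main__":
    for perm, meaning in sensitive_permissions(SAMPLE_MANIFEST).items():
        print(f"requests {perm} ({meaning})")
    for svc, caps in services_using(SAMPLE_MANIFEST).items():
        print(f"service {svc} runs in the foreground with {', '.join(caps)}")
```

The manifest only states what the app may do, not when it does it; pairing the scan with a review of where the app actually starts recording or requests a location fix is what tells a designer whether the disclosure to users matches the code.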

About the author: Jeannie currently serves as security manager at WhiteHat Security. She believes application security is the Next Big Thing in the security space.
