Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for June 2017

#Infosec17 IoT Testing Must Focus on the Entire Ecosystem

#Infosec17 IoT Testing Must Focus on the Entire Ecosystem

Security professionals need to evaluate entire IoT ecosystems rather than focus on individual elements if they want testing to be as accurate as possible, according to Rapid7.

The firm’s research lead, Deral Heiland, explained that the interconnected nature of separate IoT components demands a holistic approach to testing covering: embedded hardware; mobile and control applications; cloud APIs and web services; network communication; and data.

“When you want to test an IoT solution, if you test the product alone your test is insufficient, and if you test just the cloud APIs that’s not enough,” he argued.

“You’ve got to look at the entire ecosystem …What happens in the cloud can impact the hardware … and if you compromise the hardware, it could lead to a compromise of the mobile or cloud elements.”

Effective IoT testing should follow an eight-step process starting with a functional evaluation which takes the product and puts it in a “normal operating stance”. From here, its various features, functions, components and communication paths can be examined, said Heiland.

Next comes device reconnaissance; that is, finding out info including its software version, vulnerability history, whether it uses any open source tech, if it's white labelled, and so on.

Often user manuals, spec sheets and even information from regulators such as the FCC can help with intel gathering here, said Heiland.

The testing should continue on with cloud and web APIs, the mobile and control apps, and networks, looking at things like use of encryption, access controls and communication.

It’s also important to take a look inside the hardware at its chips, ports and circuit connections, and to test for physical device attacks by reverse engineering the firmware and checking configurations.

Radio RF emissions form the final component that needs evaluating, said Heiland.

“Too many products are going out with common repeatable vulnerabilities that could be easily removed with better testing,” he concluded. “[Every time I] dig into the IoT system, looking at the eight steps, I learn something new, and every time I learn something new it becomes possible to make better products for everybody.”

Heiland’s words come as new research this week highlighted the huge number of vulnerabilities in IoT systems. High-Tech Bridge claimed that 98% of web interfaces and admin panels in IoT devices have fundamental security problems.

Source: Information Security Magazine

#Infosec17 Security Teams Told to Go Back to Basics

#Infosec17 Security Teams Told to Go Back to Basics

IT security professionals must get better at doing the basics right, starting with clear communication with other teams, if they’re to effectively mitigate the risk of breaches, according to Akamai.

The vendor’s global security advocate, Dave Lewis, told attendees at Infosecurity Europe in London this morning that the majority of brach incidents still stem from basic security errors such as failure to patch promptly.

An “obsession with zero days” threatens to further derail patching efforts and other basic security steps, he warned.

Fourth quarter Akamai data shared during the presentation revealed that SQLi attacks accounted for over half of recorded threats in the period, despite this being an OWASP Top 10 threat for over a decade.

The devastating impact of the WannaCry ransomware ‘worm’ also illustrates the problem many organizations still have with patching.

IT security needs to go back to basics to reduce the chance of damaging breaches, starting with better communication, Lewis argued.

“Things can and do go wrong. As infosec professionals we tend to view things as ‘us versus them’, but if you do that you’ve lost,” he said.

“We also have a really bad habit of assuming everyone knows about security when they don’t.”

Security professionals instead need to talk in terms of business risk, so functions including procurement, HR and even developers better understand the impact of security issues, he argued.

Internal audit teams can help IT security develop more effective breach plans, while the compliance department might also be an unlikely ally, Lewis argued.

Getting the basics right is even more important when one considers the advances that cyber-criminals and nation state hackers are making all the time.

Lewis referenced a security event earlier this year in which DARPA computers used machine learning technology to independently hunt for zero day threats. The concern is that the black hats will try similar tools and techniques going forward.

Source: Information Security Magazine

More Payloads Appear for EternalBlue NSA Weapon

More Payloads Appear for EternalBlue NSA Weapon

Additional threat actors are expanding the use of the EternalBlue exploit, the NSA hacking tool that was initially used by the WannaCry ransomware and Adylkuzz cryptocurrency miner.

This week, the vulnerability (which exists in Microsoft Server Message Block (SMB) protocol) has been observed distributing Backdoor.Nitol and Trojan Gh0st RAT.

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” wrote FireEye researchers, in a report.

Gh0st RAT is generally used in state-sponsored APT attacks against government agencies and other political targets, and activists. Backdoor.Nitol meanwhile has been linked to campaigns involving remote code execution.

It is likely that we will see additional payloads for the tool. “The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” FireEye researchers said.

The discovery comes after other news of follow-on RAT distribution in May, and the discovery of a seven-tool worm making use of it. EternalBlue, along with other NSA tools, is part of the cache released by Shadow Brokers.

“EternalBlue is a particularly reliable exploit that gives access to execute code at the very highest privilege level so I would expect that hackers and penetration testers will get a lot of use out of it for years to come,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT). “Systems which cannot be upgraded should be discarded as safety hazards. Operating unsupported software is very much like driving a car without airbags. Patching alone however is insufficient since there is always going to be some window of opportunity for attackers before appropriate patches are installed.” 

“The broad success of the WannaCry incident demonstrates that this vulnerability is prevalent, and that’s an advantage for attackers,” said Tim Erlin, vice president of product management and strategy for Tripwire. “They will continue exploiting this vulnerability for as long as it’s productive.”

To combat the issue, patching is the ideal way to protect systems. However, there are cases where a patch isn’t possible or may be delayed. In these cases, organizations should take other mitigation steps, such as blocking network ports, disabling unnecessary services and monitoring for exploit activity.

“Users should start by identifying all their vulnerable systems and prioritizing them for remediation,” Erlin said. “Systems that can be patched, should be patched. Those systems that can’t be patched should be evaluated for other mitigation options.”

Source: Information Security Magazine

ISACA: Orgs Struggle with Resources in the Face of Ransomware, IoT

ISACA: Orgs Struggle with Resources in the Face of Ransomware, IoT

The growth in both the volume and complexity of cyberattacks is presenting unprecedented challenges for organizations, which are struggling to devote the necessary resources for keeping pace with the threat landscape.

According to the second installment of ISACA’s 2017 State of Cyber Security Study, emerging threats such as internet of things (IoT) security and ransomware attacks are often not being adequately accounted for in training budgets and security programs. This, even though more than half (53%) of survey respondents reported a year-over-year increase in cyberattacks for 2016, representing a combination of changing threat entry points and types of threats.

A full 80% of the security leaders who participated in the survey believe it is likely their enterprise will experience a cyberattack this year.

The report found that IoT overtook mobile as primary focus for cyber-defenses as 97% of organizations see rise in its usage. As IoT becomes more prevalent in organizations, cybersecurity professionals need to ensure protocols are in place to safeguard new threat entry points.

A majority (62%) reported experiencing ransomware in 2016, but only 53% have a formal process in place to address it—a concerning number given the significant international impact of the recent WannaCry ransomware attack.

Malicious attacks that can impair an organization’s operations or user data remain high in general (78% of organizations reporting attacks).

Additionally, fewer than a third of organizations (31%) say they routinely test their security controls, and 13% never test them; 16% do not have an incident response plan.

 “There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, ISACA board chair and group head of information security at INTRALOT. “Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”

The good news is that more organizations than ever now employ a chief information security officer—65%, up from 50% in 2016. However, security leaders continue to struggle to fill open cybersecurity positions.

As ISACA detailed in part 1 of this year’s State of Cyber Security report, nearly half (48%) of respondents don’t feel comfortable with their cyber-team’s ability to address anything beyond simple cybersecurity issues. Additionally, more than half of all respondents say cybersecurity professionals lack an ability to understand the business.

Though training is critically needed to address these skill shortages, a quarter of organizations have training budgets of less than $1,000 per cybersecurity team member. While overall cybersecurity budgets remain strong, fewer organizations are increasing their budgets this year. About half will see budget increases, down from 61% in 2016.

“The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign,” said Dimiatridis. “But that’s not a cure-all. With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cybersecurity challenges faced by all enterprises.”

Source: Information Security Magazine

Orgs Can Reduce Breach Costs by 70% with Faster Detection

Orgs Can Reduce Breach Costs by 70% with Faster Detection

The impact of “dweller time” on the cost of data breaches can be significant, according to new research: A 2X improvement in the time it takes to detect and respond to an attack translates to a roughly 70% lower business impact.

The research, from the Aberdeen Group, also found that by the time a vulnerability is disclosed, roughly 80% of relevant exploits already exist, but only 70% of vendor provided patches are available.

The analysis, based on data provided by Verizon, uncovered that in more than 1,300 data breaches, investigated between 2014 and 2016, half of detections took up to 38 days, with a mean average of 210 days. That average was skewed by the fact that some incidents took as long as four years to be uncovered.

“The business impact from a data breach is the greatest at the beginning of the exploit, when records are first compromised,” said Barbara Kay, senior director of product and solutions marketing at McAfee, which sponsored the report. “That’s logical, since attackers want to get in and out with the goods (your data) in as little time as possible. Most responders are closing the barn door well after the horse has gone, when most of the damage has already been done.”

This data shows that cybersecurity practitioners can improve their ability to protect business value if they can implement strategies that prioritize faster detection, investigation and response to incidents.

For instance, attackers have become increasingly adept at morphing the footprint of their malicious code, to evade traditional signature-based defenses. But advanced pre-execution analysis of code features, combined with real-time analysis of code behaviors, are now being used to identify previously unknown malware without the use of signatures, before it has the opportunity to execute.

On the containment front, advanced endpoint defense capabilities now allow potentially malicious code to load into memory—but block it from making system changes, spreading to other systems or other typically malicious behaviors. This approach provides immediate protection, and buys additional time for intelligence—gathering and analysis.

For data center and cloud security, some of the above endpoint tactics can be applied to server and virtual workloads to protect against both known and unknown exploits. Aberdeen Group also suggested that users can improve their results through shielding and virtual patching tactics. This concept has been around for years, but is especially helpful when assets are centralized.

Virtual patching is another strategy, the firm said. This establishes a policy that is external to the resources being protected, to identify and intercept exploits of vulnerabilities before they reach their intended target. In this way, direct modifications to the resource being protected are not required, and updates can be automated and ongoing.

And finally, security designs that use fewer policy enforcement points (i.e., at selected points in the enterprise network, as opposed to taking the time to apply vendor patches on every system) is a good best practice.

“As an industry, we are spending more and working harder to shorten the time advantage of the attacker,” McKay said. “Modern tools and thoughtful practices in endpoint and data center infrastructure complement the analytics and automation investments that are transforming the security operations center (SOC), technologies such as anomaly detection and threat intelligence correlation.”

Source: Information Security Magazine

Over Half of Firms Run Outdated Flash

Over Half of Firms Run Outdated Flash

A majority of enterprises around the world are exposing themselves to unnecessary risk by failing to stay up-to-date with the latest software and systems, according to new data from Duo Security.

The security vendor analyzed 4.6 million endpoints across multiple geographies and endpoints.

It found 13% were running unsupported versions of Internet Explorer, while the number running out-of-date Flash software increased from 42% in 2016 to 53% in 2017.

Some 21% of endpoints are running version 24.0.0.194 of Flash, which had 11 listed critical vulnerabilities published in February 2017, the report claimed.

On the plus side, the number of Windows 10 installations more than doubled, from 15% last year to 31%, although that still leaves the majority of enterprises using older versions of the OS.

Some 40% of EMEA endpoints were on Windows 10, versus 31% in North America and 37% in the UK.

However, in healthcare, the percentage of endpoints running XP actually increased from 2% to 3%, which doesn’t bode well considering the elevated risk of ransomware infections and HIPAA compliance requirements.

When it came to the mobile device sphere, Duo found that nearly three-quarters (73%) of iPhones are running the latest OS.

However, only 27% of Android owners could say the same – a fact which can partially be explained by the more complex ecosystem in which individual handset makers are responsible for issuing updates.

The report explained:

“Monthly patches for Android devices do protect against known vulnerabilities, but each new major OS version also adds security features to proactively protect users. Both are important pieces that help complete the security puzzle.”

As the recent WannaCry ransomware outbreak highlighted, prompt patching is still one of the best ways organizations can reduce cybersecurity risk.

Yet many organizations running mission critical environments can’t afford the downtime necessary to patch quickly, especially without prior testing. Embedded systems in particular can cause complications which mean many IT managers persist with out-of-date systems.

Source: Information Security Magazine

UK’s ICO Doubled Number of Data Breach Fines in 2016

UK’s ICO Doubled Number of Data Breach Fines in 2016

UK firms were among the hardest hit in Europe when it came to breach-related regulatory fines last year, as the ICO stepped its enforcement work up considerably, according to new PwC research.

The global consultancy’s analysis revealed that breaches of the Data Protection Act (DPA) resulted in 35 fines totaling £3,245,500.

That’s almost double the 18 fines issued in 2015, at a cost of around £2m, and puts the UK alongside Italy (€3.3m, £2.9m) as having one of the toughest data protection regimes in Europe.

In addition, 23 enforcement notices were issued in 2016, a 155% increase on the nine enacted in 2015. These typically require recipient organizations to take various steps to ensure compliance after a breach.

However, a PwC spokesperson told Infosecurity Magazine that not all European regulators make such data publicly available, while others have yet to release their 2016 figures, so a definitive comparison for the region is not possible.

PwC took the opportunity to warn UK firms that the forthcoming EU General Data Protection Regulation (GDPR) will bring with it even bigger potential fines when it lands on May 25 2018.

“The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organizations must use the remaining time to prepare for GDPR compliance before May next year,” argued PwC’s global cyber security and data protection legal services lead, Stewart Room.

“We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programs beyond just risk reviews and data analysis to delivering real operational change.”

Rob Norris, head of enterprise & cybersecurity EMEIA at Fujitsu, advised organizations to conduct data inventory scans to first discover what they’re storing and where it’s held.

“Once that’s done they need to speak to specialists who can help them create a holistic solution that prioritizes the protection of critical data,” he added.

“On the other hand, this must work in tandem with a culture shift within organisations that prioritizes and creates awareness of protective measures against cyber-crime. Phishing attacks and human error are two of the most common causes of a breach, and the positive thing is organizations do have the power to prevent such instances from happening.”

Source: Information Security Magazine

IDC: Most Orgs Mount Ineffective Security Investigations

IDC: Most Orgs Mount Ineffective Security Investigations

Security investigations are all too often an exercise in exasperation, new research has revealed.

IDC found that half (47%) of surveyed organizations (across the US and Europe) fail to gather enough information about cyber-incidents to enable appropriate or decisive action. Firms experience an average of 40 actionable incidents per week, but only a quarter (27%) think they are coping comfortably with this workload, and a third (33%) describe themselves as “struggling” or “constantly firefighting.”

The volume of incidents is clearly challenging, and for some industries more than others: The average number of actionable security alerts per week rises to 77 for finance and 124 for telco. The survey also found that the issue is only likely to get worse. About 62% of firms are being attacked at least weekly, with 30% attacked daily and 10% hourly or continuously. Almost half (45%) are experiencing a rise in the number of security threats.

It’s no wonder that more than half (53%) of respondents claimed the biggest limitation to improving security capabilities was that resources are too busy on routine operations and incident investigation.

“The amount of time companies are spending on analyzing and assessing incidents is a huge problem,” said Duncan Brown, associate vice president, security practice, IDC. “The highest-paid, most skilled staff are being tied up, impacting the cost and efficiency of security operations. This is exacerbated when considered alongside the security skills shortage, which has most impact in high-value areas like incident investigation and response. Organizations must ensure that they are using their data effectively to gain key insights quickly to determine cause and minimize impact.”

Also, most firms only surface a breach to the board at the last possible moment. Asked when they report a security incident to the board, the top triggers were sensitive data breach (66%), compromised customer data (57%), and a mandated notification to a regulator (52%). Only 35% of firms have breach reporting to the board built into their defined incident response processes.

“It’s time to change how we approach incident response,” said Haiyan Song, senior vice president, security markets at Splunk, which sponsored the report. “As attacks become more advanced, frequent, and take advantage of IT complexity, we must become proactive in our approach to security—how else will we know we have been breached? As demonstrated by the swift, global spread of WannaCry, it has never been more important for organizations to proactively monitor, analyze and investigate to verify whether there are real threats, then prioritize and remediate the most critical. By taking an analytics-driven approach, and increasingly automating when possible, security teams can shorten investigation cycles, respond quickly and appropriately in the event of a compromise, free up resources to focus on more strategic initiatives and ultimately improve security posture.”

Source: Information Security Magazine

Putin: "Patriotic" Hackers May Have Meddled with US Election

Putin: "Patriotic" Hackers May Have Meddled with US Election

Russian President Vladimir Putin says that “patriotically minded” private Russian hackers may have been behind the election-season hacking in the United States last year.

Speaking to reporters in St. Petersburg, Russia, and reported by the New York Times, his comments contradict previous statements from the Kremlin that Russia—either from a state-sponsored perspective or in terms of its private citizens—had absolutely no role in the hacking of the Democratic National Committee and other actions.

With rumors swirling around possible Russian targeting of the German election, Putin compared hackers to “artists”—creatively minded types that follow their hearts.

Their attacks depend on how they feel that day, he said. If “they wake up and read that something is going on in interstate relations,” they may decide to act, he added. “If they are patriotically minded, they start making their contributions—which are right, from their point of view—to the fight against those who say bad things about Russia.”

The comments come after Donald Trump’s administration has been placed in the crosshairs of a special prosecutor who is looking into possible collusion or ties between members of Trump’s inner circle and the Russian state and Russian oligarchs.

Putin reiterated that his government had no hand in the hacking, which has been widely attributed to the Kremlin-tied APT group known as Fancy Bear or APT28 by security researchers. “We’re not doing this on the state level,” he said.

Source: Information Security Magazine

Jaff Ransomware Tied to Extensive Data Harvesting Operation

Jaff Ransomware Tied to Extensive Data Harvesting Operation

The Jaff ransomware, one of the newest and fast-rising strains in the category, turns out to be linked to an extensive cybercrime marketplace.

Heimdal Security has uncovered that the operations behind Jaff run much further than malicious data encryption.

The code was first found last month spreading rapidly and infecting millions of targets within just a few days. Jaff has been observed to be nearly identical to Locky in many ways, including using a PDF that opens up a Word document with a macro. It also uses a similar payment page. That said, a big difference is that Jaff is asking for an astounding 2 BTC (about $3,700 at the time of writing)—well above the typical ransom demand.

While analyzing a recent variant of Jaff, Heimdal researchers have uncovered that Jaff shares server space with a refined cybercrime web store that provides access to tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address.

“Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, and compromised accounts on Paypal, Amazon, eBay and many more,” said security evangelist Andra Zaharia, in a security alert. “Prices per item vary from under a dollar to several Bitcoins. Access to the marketplace doesn’t include a vetting process, making the barrier to entry quite low for malicious actors of all kinds.”

The shop also includes filters, so the buyer can find the targets with the most lucrative potential. One search turned up a cache of compromised accounts from New Zealand bank ASB that are listed as being worth up to $275,241.

“Banks from all over the world are listed,” Zaharia said. “Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com and many other ecommerce portals can become victims of cyber fraud or other types of malicious activity.”

It’s likely that what’s on offer has been gathered via weak or re-used passwords, rather than actual compromises of the ecommerce sites themselves.

The server used for these criminal operations is located in St. Petersburg, Russia, and is part of the infrastructure that fuels the Jaff ransomware. The two types of activity together can be especially dangerous.

“By combining these informational assets, cyber-criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment,” Zaharia explained. 

Source: Information Security Magazine