
Archive for October 2017

#Infosec17 Key Hiring Skills Include Problem Solving

Reaching out to a new generation of cybersecurity professionals is as important as retaining what you have.

On a panel at Infosecurity North America titled “Building a Next-Gen Security Team in a Red Hot Cyber Job Market”, moderator Lauren Claypool, Director of Professional Services at Alta Associates and The Executive Women’s Forum, asked the panelists what skills they expected from applicants.

Bill Hill, CISO of the MITRE Corporation, said that it is hard to “shop” for skills, and that problem solving is commonly the one non-negotiable skill. If people are “under-skilled but have the right attitude to solve problems”, that is commonly enough.

Heath Renfrow, CISO of United States Army Medicine, said that you have “got to be hungry in this field”, but that it is not the job of the recruiter to make it difficult. “You have got to get into the mindset that struggling to understand cybersecurity is a continuous thing, and we’re here to complement processes and senior management will understand us better.”

Bill Newhouse, deputy director of the National Initiative for Cybersecurity Education (NICE) at NIST, said that language and diversity make the field more attractive, so organizations should look for opportunities within their own groups and track their workforce so that progress can be measured. “It’s a hard thing, and it is vital that we do it,” he said.

Asked about retaining talent, Renfrow said that he had implemented an intern program to help new people get into the cyber field. He also said that he goes to colleges and schools to speak to students and get interest in a career raised in the local community.

“I’m trying to find my replacement and that is why I go to elementary schools and colleges, and for the next generation we take in 30 interns annually and put robust training in, and pay for certifications and renewals. Retaining is just as important as bringing in new people.”

Source: Information Security Magazine

#Infosec17 Insider Threat Can Be Defeated with Analytics

Speaking on the keynote stage at Infosecurity North America, Professor Derek Smith, IT Program Manager at the IRS and President of Cautela Cybersecurity Solutions said that the insider continues to be the blind spot for many organizations.

In his talk “Mitigating the Insider Threat: Closing Down the Enemy Within”, Smith said that “everyone could be an insider threat”, and “you don’t know who it could be until it happens”. He pointed to common risk factors such as people who have recently resigned or been terminated, and those involved in mergers and acquisitions or with third parties, and distinguished two types of insider: malicious and inadvertent.

Running through industry statistics, Smith said that the majority of organizations do not look at their audit trails, are not reporting on statistics on what is happening, that the majority of organizations had no idea about a rogue insider, and that 70% had trouble detecting insider threats.

Smith called it a “tool overload” as “most folks throw technology at a problem”, while Ponemon reported (PDF) that 43% take a month to detect an insider, SANS Institute said a third have no way to know, and SANS also say that 9% rank insider as ‘very effective’.

As a way to fix it, Smith recommended user behavior analytics. “To me it is the key for insider threat, one of the biggest things to do right now,” he said.

“It can determine a baseline of activity and identify deviations from normal activity. Using algorithms for assessment in real time, you can see who is likely to commit the crime and maybe pre-empt that.”

Smith concluded by saying that most tools analyze only system and data, not people, so for the insider threat you have got to look for anomalous behavior.

Source: Information Security Magazine
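As an added illustration of the baselining described in the talk above (not code from the talk or from any product), the following Python scores each user's daily activity against a per-user baseline built from constructed audit-trail lines, and escalates flagged users who also match one of the risk factors named above, a pending resignation. The log format, feature names, user names and thresholds are all assumptions.

```python
"""Behavioural baseline and deviation scoring for insider-threat triage.

Added example: baseline each user's normal activity from audit-trail
history, then flag features on a new day that deviate by more than a
z-score threshold. All log lines are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-trail lines: date user files_accessed off_hours_logins bytes_out_mb
SAMPLE_AUDIT = """\
2017-09-25 alice 42 0 12
2017-09-26 alice 39 0 15
2017-09-27 alice 45 1 11
2017-09-28 alice 41 0 14
2017-09-29 alice 44 0 13
2017-09-25 bob 30 0 8
2017-09-26 bob 28 0 9
2017-09-27 bob 33 0 7
2017-09-28 bob 31 1 10
2017-09-29 bob 29 0 8
"""

# Constructed "today" activity to score against the baseline.
TODAY = """\
2017-10-02 alice 46 0 12
2017-10-02 bob 610 3 940
"""

FEATURES = ("files_accessed", "off_hours_logins", "bytes_out_mb")


def parse_lines(text):
    """Parse the constructed space-separated audit format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, files, offh, mb = line.split()
        events.append({"date": date, "user": user,
                       "files_accessed": int(files),
                       "off_hours_logins": int(offh),
                       "bytes_out_mb": int(mb)})
    return events


def build_baseline(events):
    """Per-user mean and population standard deviation of each feature."""
    per_user = defaultdict(lambda: defaultdict(list))
    for e in events:
        for f in FEATURES:
            per_user[e["user"]][f].append(e[f])
    return {user: {f: (mean(v), pstdev(v)) for f, v in cols.items()}
            for user, cols in per_user.items()}


def zscore(value, mu, sigma):
    # A flat baseline (sigma 0) means any change at all is a deviation.
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_event(event, baseline, threshold=3.0):
    """Return (worst_z, flagged_features) for one event against its user's baseline."""
    user_base = baseline.get(event["user"])
    if user_base is None:
        # No history at all: cannot baseline, so escalate every feature.
        return float("inf"), list(FEATURES)
    flagged, worst = [], 0.0
    for f in FEATURES:
        mu, sigma = user_base[f]
        z = zscore(event[f], mu, sigma)
        worst = max(worst, z)
        if z > threshold:
            flagged.append(f)
    return worst, flagged


def triage(today_text, history_text, leavers=frozenset()):
    """Rank today's users by deviation; flagged users who are leaving get top priority."""
    baseline = build_baseline(parse_lines(history_text))
    rows = []
    for e in parse_lines(today_text):
        worst, flagged = score_event(e, baseline)
        if flagged and e["user"] in leavers:
            priority = "high"
        elif flagged:
            priority = "medium"
        else:
            priority = "normal"
        shown = worst if worst == float("inf") else round(worst, 1)
        rows.append((e["user"], priority, flagged, shown))
    order = {"high": 0, "medium": 1, "normal": 2}
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for row in triage(TODAY, SAMPLE_AUDIT, leavers={"bob"}):
        print(row)
```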

Accenture: Utility Grids Brace for Cyberattacks—with Poor Defenses

More than three-quarters of American utility execs are expecting an attack on the grid within the next five years—and are woefully unprepared to deal with it if it happens.

A fresh report from Accenture, entitled Outsmarting Grid Security Threats, included interviews with more than 100 utility executives from over 20 countries. Globally, it found that almost two-thirds (63%) of respondents said they believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years.

However, proper protection is challenging due to the complexity of electric distribution grids and increasingly sophisticated, well-funded attackers, and many distribution utilities are still under-protected and under-prepared. Only 6% felt extremely well-prepared, and less than half (48%) felt well-prepared, when it came to restoring normal grid operations following a cyberattack.

When it comes to the kinds of attacks in the offing, interruption of the power supply is the most serious concern, cited by 57% of respondents. Just as worrying is the physical threat to the distribution grid: about half (53%) of executives cite employee and/or customer safety, and 43% cite the destruction of physical assets, as their biggest concerns.

“As highly sophisticated, weaponized malware is being developed, a greater risk to distribution businesses arises from cyber-criminals and others who would use it for malicious purposes,” said Stephanie Jamison, managing director, Accenture Transmission and Distribution. “Attacks on industrial control systems could disrupt grid reliability and the safety and well-being of employees and the public. Not getting it right could be a brand killer, as well as a real threat for a country and the community.”

Smart-grid initiatives are bringing these concerns even more into focus. While the increased connectivity of industrial control systems enabled by the smart grid will drive significant benefits in the form of safety, productivity, improved quality of service and operational efficiency, 88% agreed that cybersecurity is a major concern in smart grid deployment.

Distribution utilities are also increasingly exposed by the growth of connected internet of things (IoT) domestic devices, such as connected home hubs and smart appliances. These bring a new risk to distribution companies, which is hard to quantify, with 77% of utilities executives suggesting IoT as a potential threat to cybersecurity.

In Asia-Pacific and Europe, cyber-criminals are seen as the biggest risk for distribution businesses by almost a third of respondents. In North America, however, attacks by governments are considered a bigger risk (32%) than in other regions.

“Deployment of the smart grid could open new attack vectors if cybersecurity is not a core component of the design,” added Jamison. “However, the smart grid can also bring sophisticated protection to assets that were previously vulnerable through improved situational awareness and control of the grid.” 

The report also found that a significant number of distribution utilities have much to do in developing a robust cyber-response capability, with more than four in 10 respondents saying cybersecurity risks were not integrated, or were only partially integrated, into their broader risk management processes.

In addition, the increasing convergence of physical and cyber-threats requires the development of capabilities that go well beyond simple security-related national compliance requirements, Accenture noted. Utilities must invest in resilience of their smart grid as well as effective response and recovery capabilities.

“Cybersecurity must become a core competency in the industry by protecting the entire value chain and the extended ecosystem end-to-end. Utilities, already well-versed in reliable power delivery and power restoration, need an agile and swift capability that creates and leverages situational awareness, and that can quickly react and intervene to protect the grid,” said Jim Guinn, managing director who leads Accenture’s security practice for resources industries. “Developing this new capability will require ongoing innovation, a practical approach to scaling, and collaboration with partners to drive the most value.”

Source: Information Security Magazine

Google Patches Open-Source Flaw, Requires TLD Encryption

Google has made a couple of notable moves on the security front this week: One, it has patched flaws in a DNS software package known as Dnsmasq; and two, it said it would start requiring encryption for 45 top-level domains (TLDs) that it controls as a registrar.

Dnsmasq, an open-source package, is widely installed in desktop Linux distributions (like Ubuntu), home routers and IoT devices, and provides functionality for serving DNS, DHCP, router advertisements and network boot. Google discovered seven distinct issues within the kit: three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5.

The vulnerabilities could lead to remote code execution, information exfiltration and denial of service conditions, Google said. For instance, CVE-2017-14493 is a trivial-to-exploit, DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an information leak, an attacker could bypass ASLR and gain remote code execution.

The company has worked with the maintainer of Dnsmasq, Simon Kelley, to produce patches and mitigate the issue. Android partners have received the patch as well, and it’s included in Android's monthly security update for October.

Meanwhile, the internet giant is furthering its campaign to boost ubiquitous adoption of HTTPS encryption for websites by implementing HTTP Strict Transport Security (HSTS) on 45 top-level domains, including .ads, .fly, .app and others.

HSTS, which is incorporated into all major browsers, offers a method for websites to require that browsers connect using the encrypted HTTPS protocol. This provides greater security because the browser never loads an HTTP-to-HTTPS redirect page, which could be intercepted.

The move is the latest in a long line of HTTPS-promoting moves.

“We began in 2010 by defaulting to HTTPS for Gmail and starting the transition to encrypted search by default,” the company recapped, in a blog. “In 2014, we started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, we became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year we announced that Chrome will start displaying warnings on insecure sites, and we recently introduced fully managed SSL certificates in App Engine.”

Under the new scheme, registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list.

Source: Information Security Magazine

#Infosec17 Understand Your Users to be More Secure

Understanding your users is a pre-requisite for security, as users do care about security and are willing to take actions to improve security.

In the opening keynote presentation at Infosecurity North America, “Psychologist Insight: Getting to Grips with the Psychology of User Behavior”, Dr Kelly Caine, Director of the Humans and Technology Lab and Associate Professor at Clemson University, said that users are often seen as the weakest link in the security chain, that executives think human error is to blame for human issues, and that users are usually blamed when systems are insecure.

“Users do care about security, we had a huge spike in number of credit freezes and watched as a result of the 2012 credit breach in South Carolina,” Caine said. “We have data to suggest that 20% of people in South Carolina increased by 2000% after the data breach. So if we take that data and compare to Equifax, we may extrapolate that data and probably 100 million people will have a credit freeze, people are 34% more likely to freeze their credit in South Carolina and there’s no reason to think people won’t do it after Equifax.”

Caine said people do care about security and take onerous steps to protect it. She also said that users are constantly learning to act more securely, but that technology puts obstacles in their way. She added that the average privacy policy takes 10 minutes to read, meaning a day can be lost just to reading privacy policies.

Caine also challenged the audience to remove the term “user error” from their vocabulary, and to think about how humans behave.

“There is a buzzword of 'behavior change' and how to change users’ behavior, and before we change users’ behavior from a security perspective, we need to understand existing behaviors to change behavior as we need to know what they are doing, and why they are doing what they are doing.”

Concluding, Caine said that understanding users is “key to information security, and experts are here to help you and help you understand how to design systems and train users”, and every interaction with users is training users to behave more or less securely, “there’s no middle ground”. 

“Also usability is a pre-requisite for security, you cannot have a secure system without it being a usable system.”

Source: Information Security Magazine

Enterprises Grow Bullish on Artificial Intelligence

Artificial intelligence (AI) for cybersecurity is already making a significant positive impact in the enterprise, with 64% of IT decision-makers expecting to see ROI from their investments in AI in fewer than two years.

That’s according to Cylance’s report, Artificial Intelligence in the Enterprise: The AI Race is On, which polled 652 IT decision-makers in the US, UK, Germany and France. It found that optimism about the value of AI-powered solutions in the enterprise is high and that there are widespread plans to continue investment in the technology.

Nearly all of those surveyed said they are either currently spending on AI-powered solutions or planning to invest in them in the next two years; 60% already have AI in place. Additionally, 79% say AI is a top priority for their boards and C-suite executives.

AI is moving the needle for security teams too, according to the survey results: About three-quarters (77%) have prevented more breaches following their use of AI-powered tools and 81% said AI was detecting threats before their security teams could. Furthermore, another three-quarters (74%) said they won’t be able to cope with the cybersecurity skills gap if they don’t adopt AI.

AI is seen as a competitive advantage as well: About 87% of IT decision makers see AI-powered technology as a competitive advantage for their IT departments and 83% are specifically investing in AI to beat competitors. Also, a full 86% said that the AI that they have used so far has lived up to its promises.

Ancillary opportunities stemming from AI investment are on the radar screen as well, and about 93% say it will create new job opportunities, and 80% said AI will lead them to hire new workers and retrain existing employees.

“Executives who were first to make the leap of faith in AI have been the first to begin experiencing the rewards, particularly in the prevention of cyberattacks,” said Daniel Doimo, president and COO at Cylance. “Over the next year, I only expect to see this trend accelerate.”

Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit

Source: Information Security Magazine

Banking Trojan Exploits Chain of Trust to Deceive Security Tools

A fresh iteration of a banking trojan has been uncovered that exploits an authentic VMware binary to deceive security tools into accepting errant activity.

Cisco Talos first uncovered it being used in a campaign specific to Brazil. The bad actors focused on various South American banks in an attempt to steal credentials from users. Talos found that the code attempted to remain stealthy by using multiple methods of redirection to infect the victim machine. It also used multiple anti-analysis techniques, and the final payload was written in Delphi, which Talos said is quite unusual in the banking trojan landscape.

Further analysis showed that the campaign uses spam messages written in Portuguese, purporting to offer a Boleto invoice, which is akin to the PayPal of Brazil. The invoice is of course a malicious file that kickstarts a process that ends with the installation of the banking Trojan.

“Java code sets up the malware and establishes a link to a remote server to download a range of supplementary files,” IBM explained in a blog taking a closer look at the campaign. “The code then renames the previously downloaded binaries and starts a genuine binary from VMware with a digital signature. This legitimate binary, known as vm.png, fools security programs into trusting the subsequent activities of the trojan.”

What’s really notable is that the cyber-criminals are exploiting a chain of trust.

“If an initial binary, such as vm.png, is accepted, then it is assumed that subsequent libraries will also be trustworthy. Fraudsters can use this strategy to bypass security checks,” it explained. “In the case of this newly identified banking trojan, the executed binary includes a dependency known as vmwarebase.dll. This dependency is a malicious file that allows the injection of prs.png code across explorer.exe or notepad.exe.”

The Talos team reported that one of the other binaries the Trojan uses is packed with the software protection tool Themida, which makes it tricky for experts to unpack the threat.

“Banking trojans continue to form part of the threat landscape, they continually evolve and also can, like this specific example, be very specific to the region they are attacking,” Talos researchers said. “This often doesn't suggest the attackers are from that region but they have decided that there are perhaps less security-conscious users living there. Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis.”

Overall, the latest threat represents a fresh attack vector, IBM said: “IT managers should add this risk to an ever-growing list of malware dangers and be sure to follow security best practices for protection. These practices include cautiously opening links and attachments, not downloading files from unfamiliar websites and installing antivirus software.”

Source: Information Security Magazine

Pulse-Wave DDoS Attacks Mark a New Tactic in Q2

A new tactic for DDoS is gaining steam: the pulse wave attack. It’s called such due to the traffic pattern it generates—a rapid succession of attack bursts that split a botnet’s attack output.

According to Imperva’s latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula’s services during Q2 2017, the largest network layer assault it mitigated peaked at 350Gbps. The pulse wave tactic enables an offender to pin down multiple targets with alternating high-volume bursts. As such, it serves as the DDoS equivalent of hitting two birds with one stone, the company said.

“A DDoS attack typically takes on a wave form, with a gradual ramp-up leading to a peak, followed by either an abrupt drop or a slow descent,” the company explained. “When repeated, the pattern resembles a triangle, or sawtooth waveform. The incline of such DDoS waves marks the time it takes the offenders to mobilize their botnets. For pulse wave attacks, a lack of a gradual incline was the first thing that caught our attention. It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.”

Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds, Imperva noted. This, coupled with the precise regularity with which the pulses recurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.

“We realized it makes no sense to assume that the botnet shuts down during those brief ‘quiet times’,” the firm said. “Instead, the gaps are simply a sign of offenders switching targets on-the-fly, leveraging a high degree of control over their resources. This also explained how the attack could instantly reach its peak. It was a result of the botnet switching targets on-the-fly, while working at full capacity. Clearly, the people operating these botnets have figured out the rule of thumb for DDoS attacks: moments to go down, hours to recover. Knowing that—and having access to an instantly responsive botnet—they did the smart thing by hitting two birds with one stone.”

Pulse-wave attacks were encountered on multiple occasions throughout the quarter, according to Imperva’s data.

In the plus column, this quarter there was a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099 in Q1. However, don’t rejoice just yet.

“There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend,” said Igal Zeifman, Incapsula security evangelist at Imperva—noting the change was minor at best.

Conversely, the quarter saw, for the fifth time in a row, a decrease in the number of network layer assaults, which dropped to 196 per week from 296 in the prior quarter.

“The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape,” Zeifman said. “There are several possible reasons for this shift, one of which is the ever-increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.”

For instance, one of the most prevalent trends Incapsula observed in the quarter was the increase in the amount of persistent application layer assaults, which have been scaling up for five quarters in a row.

In the second quarter of the year, 75.9% of targets were subjected to multiple attacks—the highest percentage Imperva has ever seen. Notably, US-hosted websites bore the brunt of these repeat assaults—38% were hit six or more times, out of which 23% were targeted more than 10 times. Conversely, 33.6% of sites hosted outside of the US saw six or more attacks, while “only” 19.5% saw more than 10 assaults in the span of the quarter.

“This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out,” Zeifman said. “What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target.”

Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India.

In Turkey, Imperva recorded more than 3,000 attacking devices that generated over 800 million attack requests, more than double the rate of last quarter.

In Ukraine and India, it recorded 4,300 attacking devices, representing a roughly 75% increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter.

Meanwhile, as the origin of 63% of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained its first spot on the list of attacking countries.

Source: Information Security Magazine
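As an added example (not Imperva's code), the following Python separates pulse-wave traffic from the sawtooth pattern the report describes, using the two signals it names: how many samples a burst takes to climb from onset to peak (the mobilisation incline) and how regularly bursts recur. Both Gbps series are constructed and assumed to be sampled every 10 seconds; the thresholds are assumptions.

```python
"""Distinguish pulse-wave DDoS traffic from the classic sawtooth pattern.

Added example: a gradual incline to the peak means the botnet is still
mobilising (sawtooth); an instant peak that recurs at a fixed interval is
the pulse-wave signature. Both series below are constructed Gbps readings.
"""
from statistics import mean, pstdev

# Constructed: gradual ramp to a peak, abrupt drop, repeated (sawtooth).
SAWTOOTH_GBPS = [0.5, 40, 90, 150, 210, 280, 320, 0.6,
                 0.5, 35, 95, 160, 220, 290, 330, 0.5,
                 0.4, 45, 85, 140, 200, 270, 310, 0.5]

# Constructed: instant climb to ~300 Gbps, short hold, silence, repeated with precision.
PULSE_GBPS = [0.5, 0.5, 300, 310, 305, 0.6, 0.5, 0.5,
              0.5, 0.5, 298, 312, 301, 0.5, 0.5, 0.4,
              0.5, 0.6, 305, 309, 300, 0.5, 0.5, 0.5]


def find_bursts(samples, threshold_gbps):
    """Return (onset, peak, end) sample indices for each run at or above threshold."""
    bursts, start, peak = [], None, None
    for i, v in enumerate(samples):
        if v >= threshold_gbps:
            if start is None:
                start, peak = i, i
            elif v > samples[peak]:
                peak = i
        elif start is not None:
            bursts.append((start, peak, i - 1))
            start = None
    if start is not None:
        bursts.append((start, peak, len(samples) - 1))
    return bursts


def classify(samples, threshold_gbps=10.0, max_ramp_samples=1, max_interval_cv=0.1):
    """Label a series quiet, single-burst, sawtooth, irregular-bursts or pulse-wave."""
    bursts = find_bursts(samples, threshold_gbps)
    if len(bursts) < 2:
        return {"verdict": "single-burst" if bursts else "quiet", "bursts": len(bursts)}
    ramps = [peak - onset for onset, peak, _ in bursts]
    onsets = [onset for onset, _, _ in bursts]
    intervals = [b - a for a, b in zip(onsets, onsets[1:])]
    # Coefficient of variation of the onset spacing: 0 means perfectly regular recurrence.
    cv = pstdev(intervals) / mean(intervals)
    if max(ramps) > max_ramp_samples:
        verdict = "sawtooth"            # gradual incline: the botnet takes time to mobilise
    elif cv > max_interval_cv:
        verdict = "irregular-bursts"    # instant peaks, but no precise repetition
    else:
        verdict = "pulse-wave"          # instant peaks repeated with precision
    return {"verdict": verdict, "bursts": len(bursts), "max_ramp_samples": max(ramps),
            "interval_cv": round(cv, 3), "peak_gbps": max(samples)}


if __name__ == "__main__":
    print("sawtooth series:", classify(SAWTOOTH_GBPS))
    print("pulse series:   ", classify(PULSE_GBPS))
```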

NCSC Tackles Nearly Two Cyber-Incidents Per Day

The UK government’s National Cyber Security Centre (NCSC) dealt with over 1,100 reported incidents in its first year, more than half of which were classed as “significant”, according to a new report.

The organization’s Annual Review 2017 revealed that the center, spun out of GCHQ last year, tackled 590 serious incident reports, over 30 of which required a “cross-government response process” coordinated by the NCSC.

The report highlighted the WannaCry ransomware blitz in May and coordinated attacks on parliamentary accounts in June as typical of the incidents the NCSC is called on to help address.

It also trumpeted the organization’s outreach to industry: via the Cyber Security Information Sharing Partnership (CiSP), whose community has grown by 43% over the year; the NCSC website, which has become a valuable resource in its own right; and the Active Cyber Defence program.

The latter is designed to improve cybersecurity across the public sector. In the past year there have been moves to: implement anti-phishing standard DMARC across government, block users from following malicious links, roll-out a Web Check vulnerability scanning service and introduce a phishing/malware reporting service with Netcraft.

The NCSC claimed the above initiatives have helped to prevent nearly 80,000 phishing attacks and block over 20,000 malicious domains in August alone.

The center also claimed to have helped secure the UK’s armed forces via its UK Key Production Authority, a world-leading resource on cryptography.

The NCSC is now a key part of the UK’s response to ever-evolving cyber-threats, according to GCHQ boss, Jeremy Fleming.

“It is a critical component not only of GCHQ, where it benefits from the data and expertise it has access to as part of the intelligence community, but of how the government as a whole works to keep the UK safe,” he said in a statement.

“The NCSC has brought together unparalleled skills, capabilities and partnerships and in its first year has made enormous strides in increasing and improving our cyber capabilities. It is in the front line in protecting the UK against a growing number of cyber-attacks.”

However, some commentators argued that there’s still some way to go, especially on intelligence sharing.

“In our recent survey with Ponemon Institute, we found just 35% of UK organizations share intelligence with government associations. More needs to be done to promote the sharing of intelligence, as it improves visibility for better data analysis and delivers stronger defenses optimized against observed and perceived threats,” said Jamie Stone, VP EMEA at Anomali.

“Pushing out cyber-attack details quickly could mean the difference between someone else getting breached and being able to stop it quickly. As well as faster answers to incident response challenges thanks to the additional resources, adding skills and expertise to the event.”

Source: Information Security Magazine

Fake News on Vegas Shooter Embarrasses Google and Facebook

Fake news is back in a big way and threatening to distort the official version of events in Las Vegas, after Facebook and Google both promoted fallacious online stories that the shooter was an anti-Trump ‘liberal’.

The death toll has now risen to 59 with over 500 injured after suspected lone gunman Stephen Paddock opened fire from a hotel room window.

Police are still trying to work out what the 64-year-old Nevada man’s motives were, but that hasn’t stopped right-wing trolls making up and disseminating their own ‘alternative’ facts.

Many opined that the shooter’s name was “Geary Danley”, claiming he was a registered Democrat, with message board site 4chan yet again proving to be a hotbed of alt-right untruths, according to the Guardian.

Unfortunately, some of the world’s biggest tech platforms initially seemed to promote such fake stories.

Facebook’s Safety Check page allows those caught in such situations to connect with friends and family. However, the page briefly displayed a story claiming the shooter was a Trump-hating fan of liberal TV host Rachel Maddow, among other hoaxes.

Various reports have suggested that Facebook’s over-reliance on algorithms to differentiate between real and fake news has been its undoing. It reportedly fired a team of human editors working on its Trending Topics site in 2016, with their automated replacement apparently surfacing fallacious stories.

A Facebook statement had the following:

“Our Global Security Operations Center spotted these posts this morning and we have removed them. However, their removal was delayed, allowing them to be screen captured and circulated online. We are working to fix the issue that allowed this to happen in the first place and deeply regret the confusion this caused.”

Google was also found wanting during the crisis, with its search results promoting at one point a 4chan thread filled with lies about 'Geary Danley'.

“Within hours, the 4chan story was algorithmically replaced by relevant results. This should not have appeared for any queries, and we’ll continue to make algorithmic improvements to prevent this from happening in the future,” a spokesperson told Bloomberg.

The incidents come at a time when social and internet platforms are coming under immense pressure for their role in disseminating fake stories, which may impact political outcomes.

Senators heavily criticized Twitter for failing to dig deep enough in its investigation into Russian activity on the site prior to the US presidential election, while Facebook is expected to share thousands of divisive ads bought between 2015 and 2017 by Russia-linked accounts.

A ground-breaking Trend Micro report from June revealed the true scale of the fake-news-as-a-service marketplace on the cybercrime underground, claiming a 12-month campaign to manipulate an election can cost as little as $400,000 (£301,000).

Source: Information Security Magazine