
Archive for February 2018

Half of Orgs Don't Change Security Strategy, Even After an Attack


Almost half of organizations do not regularly make substantial changes to their security strategy, even after experiencing a cyber-attack.

That’s according to the CyberArk Global Advanced Threat Landscape Report 2018, in which the security vendor surveyed 1300 IT security decision makers to explore the current state of enterprise security practices.

The general theme of the report was that security inertia has infiltrated many organizations, resulting in an inability to repel or contain attacks: 46% of respondents said their company can’t prevent attackers from breaking into internal networks each time it is attempted, whilst 50% admitted their customers’ privacy or personally identifiable information could be at risk because their data is not secured beyond the legally required basics.

What’s more, just 8% of companies perform Red Team exercises to uncover critical vulnerabilities and identify effective responses, whilst more than a quarter are failing to protect privileged accounts.

It’s impacting the cloud too, CyberArk discovered, warning that the automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate, but despite recognizing this security risk businesses still have a relaxed approach toward cloud security.

Half of those polled said their organization has no privileged account security strategy for the cloud and more than two-thirds said they defer on cloud security to their vendor, whilst 38% stated their cloud provider doesn’t deliver adequate protection.

“When target organizations haven’t moved with the times, cyber-attackers often have an easy time of it and are able to penetrate traditional perimeter defenses without undue effort,” said Rich Turner, vice-president EMEA, CyberArk. “Companies must show greater urgency to change the game, which means treating the risk associated with cybersecurity in the same way as wider business risks such as competition and the economy.

“Understanding how changing service delivery models – like cloud and DevOps – affect the attack surface is a crucial component of cyber-risk. Business leaders have a critical role to play in transforming the risk mindset and building cyber resilience across the enterprise.”

Source: Information Security Magazine

Research Finds No Guidance Results in Weak Passwords


People with proper guidance are 40% more likely to create a secure password.

According to research led by the University of Plymouth, in one experiment 300 users creating an internet account were offered either no advice or a range of advice, including a standard password meter, emojis or an emotive feedback message. The results showed the number of choices rated "weak" falling from 75% when users received no guidance to around a third when they were shown more emotive messages.

In the second experiment, 500 participants were presented with more specific security-related advice, including suggestions of how long it would take a hacker to crack their password. Those users had a significantly greater understanding of the risks and created passwords that were longer and up to 10 times stronger as a result.

The research was conducted by the University's Centre for Security, Communications and Network Research (CSCAN), in conjunction with the Desautels Faculty of Management at McGill University and the Department of Computer Sciences at Purdue University.

Steve Furnell, professor of information security and the director of CSCAN, said: “Over the past few years, numerous cyber-attacks and security incidents have demonstrated that protecting personal and professional assets is no longer an optional duty. Yet many still occur out of unintentional mistakes, such as negligence, carelessness, and human errors.

“Despite the advance in security technology, the weakest link in the information security realm still lies in end-users so it is essential that more support is offered to try and overcome this in the future.” 

In an email to Infosecurity, security researcher Troy Hunt said that he did not feel that there was enough available guidance on how to create a secure password. “I think most people fall back to convenience at every opportunity,” he said.

“When we see data breaches and analyze password lengths, there’s always a massive skew towards the minimum allowable size; people tend to conform to the lowest common denominator because, for most, that’s the easiest thing for them to do.”

Source: Information Security Magazine

84% of Cybersec Workers Would Consider Job Switch in 2018


Hiring and Retaining Top Cybersecurity Talent – a new report from (ISC)² – has found that there are high numbers of professionals in the cybersecurity workforce open to changing jobs this year.

The membership association based its findings on a blind survey of 250 cybersecurity pros within the United States and Canada. What it discovered was that only 15% of those polled said they had no plans to change jobs in 2018, while the remainder either did have plans to do so (14%) or were open to exploring new opportunities (70%).

The data suggested that factors such as unmet expectations between businesses and their employees, high demand for security skills and frequent contact from recruitment firms could be playing a significant role in encouraging cybersecurity pros to consider new opportunities.

“The cybersecurity workforce gap is growing rapidly, and turnover within cybersecurity teams makes filling those roles even more challenging,” said (ISC)² COO Wesley Simpson. “It is more critical than ever for organizations to ensure their recruitment and employment retention strategies are aligned with what cybersecurity professionals want most from an employer.”

The (ISC)² study did shed light on what cybersecurity pros value most from a role with regards to their personal fulfillment: 68% said they want to work where their “opinions are taken seriously,” 62% want to work where they can “protect people and their data” and 59% want to work for an employer “that adheres to a strong code of ethics.”

In terms of professional goals, respondents said they want to work for a company with “clearly defined ownership of cybersecurity responsibilities” (62%), that “views cybersecurity more broadly than just technology” (59%) and that “trains employees on cybersecurity” (59%).

“Armed with this insight, employers can do a much better job appealing to top cybersecurity professionals, and retaining their talent and expertise for the long-term,” Simpson added.

Source: Information Security Magazine

Researchers Warn of Mobile Blackmail Malware


Researchers are warning of a newly-discovered mobile spyware variant designed to record victims with a view to potentially blackmailing them.

Security vendor Wandera discovered the RedDrop malware in 53 applications spanning a wide range of categories, including image editors, calculators and foreign language education apps.

As is the norm for Android malware, the malicious apps request invasive permissions, including one which allows the malware to be persistent between reboots.

The group behind RedDrop uses over 4000 domains to distribute the malicious apps, with users redirected multiple times in order to evade security filters, the vendor explained.

More than seven additional APKs are then covertly downloaded from the C&C server and installed, including a trojan, a dropper, premium SMS functionality and spyware.

“When all of the functionality is combined, RedDrop aims to extract valuable and damaging data from the victim. As soon as the information is collected, it is transmitted back to the attackers’ personal Dropbox or Drive folders to be used in their extortion schemes and as the foundation to launch further attacks,” Wandera explained.

However, other experts weren’t convinced about the sophistication of the malware.

Tripwire security researcher, Craig Young, said it looked more like “a very amateur trial run of Android malware.”

“Android users do not need to do anything more than normal to guard against this threat. Default settings on all supported releases of Android should be pretty well protected against by installing only from trusted sources and leaving Google Play Protect enabled,” he added.

“It is also of course important to be mindful about what permissions are requested by apps.”

The news comes during Mobile World Congress this week, at which Trend Micro launched its 2017 roundup report.

It revealed a 415% increase in detected new mobile ransomware samples, although the vast majority were in China, and a near doubling of iOS/Android vulnerabilities discovered and disclosed during 2017.

The vendor claims to have blocked over 58 million mobile threats last year, with mobile banking malware also on the rise.

Source: Information Security Magazine

Suspected Avalanche Mastermind Re-Arrested in Kiev


The suspected mastermind of the notorious cybercrime-as-a-service network Avalanche has been arrested in Ukraine.

Gennadiy Kapkanov, 33, was cuffed in the capital Kiev and found to be carrying a false passport. A search of his rented flat yielded a laptop, flash drives and cash, which police have now seized.

The suspect will now spend the next 60 days in custody with no chance of bail.

The Avalanche network was finally shuttered after seven years in 2016, when an international effort involving police from 30 countries took 221 servers offline and sinkholed or blocked 800,000 domains.

Avalanche is said to have sent over a million malicious emails per week — including spam, phishing and malware — from a network of half a million compromised computers, supporting at least 20 malware families.

Victims were identified in over 180 countries worldwide.

During that cyber-police operation, five people were arrested, 37 premises were searched and 39 servers were seized.

Interestingly, one of those arrested was Kapkanov himself, after threatening police with a gun in his home city of Poltava.

However, he was controversially released a week later after a local judge claimed police had incorrectly filed the charges, according to RFE/RL. That was despite him being on Interpol’s most-wanted list.

The suspect then went to ground, until now.

Last summer, another Ukrainian man was arrested in connection with cyber-criminal activity, this time on suspicion of distributing the infamous NotPetya malware.

The Nikopol resident is not thought to have been connected to the Kremlin-linked plot to disrupt Ukrainian government and critical infrastructure organizations, but instead posted a video online explaining how to launch Petya.A, as well as linking to the download.

Source: Information Security Magazine

Consumers Falling for Fake Mobile Banking Apps


Fake mobile banking apps that mimic major blue-chip bank apps are having resounding success: More than one in three consumers are fooled by fraudulent versions.

According to Avast, consumers worldwide who use mobile banking apps are at a greater risk of being tricked by cybercriminals and falling victim to mobile banking theft. In a survey of 40,000 consumers in 12 countries, 58% of respondents identified the official mobile banking app as fraudulent, while 36% mistook the fake interface for the real one. In Spain, the results were similar at 67% and 27%, respectively, compared to 40% and 42% in the US.

The findings highlight the level of sophistication and accuracy applied by cybercriminals to create trusted copies designed to spy on users, collect their bank login details and steal their money.

Avast said that the banks targeted by cybercriminals and put under the microscope in the survey include Citibank, Wells Fargo, Santander, HSBC, ING, Chase, Bank of Scotland and Sberbank. Despite the banks having strict security measures and safeguards in place, their large customer bases make them attractive targets for cybercriminals to develop fake apps that can mimic their official apps.

“We are seeing a steady increase in the number of malicious applications for Android devices that are able to bypass security checks on popular app stores and make their way onto consumers’ phones,” said Gagan Singh, senior vice president and GM of mobile at Avast. “Often, they pose as gaming and lifestyle apps and use social engineering tactics to trick users into downloading them.”

In November 2017, Avast’s Threat Labs Mobile team discovered a new strain of the BankBot Trojan in Google Play targeting consumers’ bank login details. Avast analyzed the threat in collaboration with ESET and SfyLabs. This latest variant was concealed in supposedly trustworthy flashlight and solitaire apps. Once downloaded, the malware would initiate and target the apps of blue-chip banks. If a user opened the banking application, the malware would create a fake overlay on top of the genuine app with the goal of collecting the customer’s banking details and sending them on to the attacker.

Roughly two in five (43%) survey respondents worldwide said they use mobile banking apps. In both Spain and the US, almost half (46%) said they were active users. Of the respondents that don’t bank via smartphone or tablet, almost one third (30%) pointed to a lack of security as the leading concern. This concern was shared by 21% of the respondents in Spain and 36% in the US.

The survey also found that consumers across the globe are more concerned about having money stolen from their checking accounts than losing a wallet or purse or having their social media accounts hacked and their personal messages read. Globally, 72% of respondents voiced financial loss as their primary concern. In Spain, 85% of consumers said the same, while 71% in the US said so.

“More often than not, consumers can rely on trusted app stores like Google Play and Apple’s App Store to download applications, but extra vigilance is also advised,” said Singh. “It’s important to confirm that the banking app you are using is the verified version. If the interface looks unfamiliar or out of place, double-check with the bank’s customer service team. Also use two-factor authentication if it’s available and make sure you have a strong antivirus for Android installed to detect and protect you from money-grabbing malware.”

Source: Information Security Magazine

Threat Hunting Takes Center Stage for SOCs


Threat management continues to challenge security operation centers (SOCs); new research reveals that detection of advanced threats remains the No. 1 challenge for SOCs (55%), followed by lack of security expertise (43%).

According to Crowd Research Partners’ 2018 Threat Hunting Report, which surveyed cybersecurity professionals in the 400,000-member Information Security Community on LinkedIn, threat frequency and severity is on the rise. A majority (52%) say threats have at least doubled in the past year. Based on this trend, the number of advanced and emerging threats will continue to outpace the capabilities and staffing of organizations to handle those threats.

In fact, three-quarters (76%) of respondents feel that not enough time is spent searching for emerging and advanced threats in their SOC. Lack of budget (45%) remains the top barrier to SOCs that have not yet adopted a threat-hunting platform.

That said, organizations are becoming more confident in their security teams’ ability to quickly uncover advanced attacks, compared to last year. A third of respondents are confident to very confident in their team’s skills, a 7% increase over last year.

As part of this, threat hunting is gaining momentum; organizations are increasingly utilizing threat-hunting platforms (40%), up 5 percentage points from last year’s survey. Six out of ten organizations in the survey are planning to build out threat-hunting programs over the next three years.

“Following the unprecedented wave of cybersecurity attacks, threat hunting is quickly becoming a new line of defense for SOCs to proactively combat advanced security threats,” said Holger Schulze, CEO of Cybersecurity Insiders. “By pairing human intelligence with next-generation threat-hunting platforms, SOC teams can identify and resolve threats faster and more reliably.”

According to respondents’ assessments, threat-hunting tools improve the speed of threat detection and response by a factor of 2.5 compared to teams without dedicated threat-hunting platforms. The top benefits organizations derive from threat hunting include improved detection of advanced threats (64%), followed by reduced investigation time (63%), and saved time not having to manually correlate events (59%).

The most important threat-hunting capabilities for cybersecurity professionals are threat intelligence (69%), followed by user and entity behavior analytics (UEBA) (57%), automatic detection (56%), and machine learning and automated analytics (55%).

Source: Information Security Magazine

AI Emerges as a Powerful Tool for Cyber-Threat Actors


In response to cyber-defenders’ increasing use of AI technologies, malicious actors are discussing their potential application for criminal use.

Research from Control Risks, the specialist global risk consultancy, shows that cyber-threat actors are actively exploring the development of innovative new techniques to use these technologies and tools to enhance their capabilities. For instance, in the post-infection phase, clusters of compromised devices, dubbed hivenets, could develop the ability to self-learn and could be used to automatically identify and target additional vulnerable systems.

“More and more organizations are beginning to employ machine learning and artificial intelligence as part of their defenses against cyber-threats,” said Nicolas Reys, associate director and head of the Control Risks cyber-threat intelligence team. “Cyber-threat actors are recognizing the need to advance their skills to keep up with this development. One application could be to use deep learning algorithms to improve the effectiveness of their attacks. This shows that AI and its subsets will play a larger role in facilitating cyber-attacks in the near future.”

AI could also assist threat actors in spearphishing campaigns. When selecting targets for a criminal campaign, threat actors could use algorithms to generate spearphishing lures in victims’ native languages, expanding the reach of mass initiatives. Similarly, larger amounts of data could be automatically gathered and analyzed to improve social engineering techniques – and with them the effectiveness of spearphishing campaigns.

In another scenario, based on its assessment of the target environment, AI technology could tailor the actual malware or attack in order to be unique to each system it encounters along the way. This would enable threat actors to conduct vast numbers of attacks that are uniquely tailored to each victim. Only bespoke mitigation or responses would be effective for mitigation, rendering traditional signature or behavior-based defense systems obsolete.

Threat actors could also evade detection by developing and implementing advanced obfuscation techniques, using data from past campaigns and analysis of security tools. Attackers may even be able to launch targeted misdirection or “noise generation” attacks to disrupt intelligence gathering and mitigation efforts by automated defense systems.

“The use of AI is not likely to become widespread soon, given the financial investment that is currently needed,” Reys continued. “However, as more research is produced and AI technologies become more mature and more accessible to threat actors, this threat will evolve. Organizations should be aware of the potential for these types of attacks to emerge in the course of 2018. Staying informed and being able to identify relevant emerging attacks, technologies and vulnerabilities is therefore just as important as being prepared in the event of an attack.”

Source: Information Security Magazine

#CyberThreat18: NCSC on Threats and Attribution


There is a need to understand adversaries, be able to track and defend against their actions, and be able to tell and share learned intelligence.

Opening the SANS Institute’s Cyber Threat 2018 conference in London, National Cyber Security Centre director of operations Paul Chichester said that he wants cybersecurity to be an enabler rather than a hindrance for the UK economy, especially as the UK had seen more “disruptive and destructive” styles of attacks.

“A lot of what keeps us awake are things that are going to harm critical infrastructure,” he said. “A lot has happened over time, and we have looked at it from a UK point of view, such as the Ukrainian power outage and be sure that they can be defended against in the UK. A key part of what we do is take the knowledge of those threats and make sure we turn them into useful and practical guidance.”

Looking at the current threat landscape, Chichester said that a focus for the NCSC is not on what it knows, but on what it tells and shares, which is a key difference from what was being done before the formation of the Centre. This included its first report on Turla in January: Chichester said that this is the kind of thing the NCSC needs to do more of, and that within a couple of weeks of publishing the report the adversary changed their tactics, so it put another report out.

He added: “The plan is to really scale this out. As we see an adversary changing we will share our knowledge.”

On attribution, he said that this was being done when it was in the national interest to do so. “While attribution will always be a ministerial and political decision, the work that we do in the NCSC will enable that, and analysis and assessment goes into that,” he said.

He said that the NCSC has enabled government to centrally manage cybersecurity since its opening a year ago, and “provides a step change in the way we manage cybersecurity”: previously, different government departments handled parts of cyber, and as cyber is a key tier one threat, the government wanted to bring all of that intelligence together.

“It was complicated for business and industry [to know] who to go to, and we knew that when we had a major cyber event we needed a single place to bring that together and to coordinate our answer,” he said. “We didn’t want to have to worry about who was going to be responsible for playing that scenario out.”

Concluding with comments on community and diversity, Chichester said that participating in a SANS event was a “key moment for us [NCSC] and it is about us working with the community and creating a community in the UK that works on this topic and that we can share into, and for this is really groundbreaking”.

Source: Information Security Magazine

Crypto-Biz CoinDash Handed Back $17m from 'Hacker'


Crypto-currency start-up CoinDash is set to officially launch today with an unexpected gift from a hacker, after it was handed back 20,000 Ethereum (ETH) stolen last year.

The Israeli company lost what amounted to around $7m worth of Ethereum at the time, after hackers changed the firm’s wallet address on its website to one they owned.

That led to more than 2000 investors sending Ethereum to the malicious address, resulting in losses totaling 37,000 ETH.

The firm promised to reimburse those duped investors, but with CoinDash Tokens (CDTs) “reflective of each contribution.”

However, last week, the firm claimed to have received 20,000 ETH from an anonymous source it believes to be the July 2017 hacker.

The virtual currency was sent from the FAKE_CoinDash account.

CoinDash CEO, Alon Muroch, said the Israeli Counter Cyber Terrorist Unit had been notified, and that the hacker’s Ethereum address will continue to be monitored for suspicious activity.

“Similar to the hack itself, the hacker’s actions will not prevent us from realizing our vision; the CoinDash product launch will take place next week as originally intended,” he added in a statement.

The news follows a similar transfer of funds from the same FAKE_CoinDash account to one of CoinDash’s ETH accounts back in September last year. On that occasion the firm received 10,000 ETH.

It’s even more perplexing considering the soaring value of Ethereum. The value of the total returned funds at today’s prices amounts to over $26m.

Although CoinDash seems to have been spectacularly lucky, most firms in its situation are not.

Ernst & Young claimed last month that crypto-ICOs typically lose 10% of their funds to hackers, with $400m already stolen.

Source: Information Security Magazine