Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for October 2018

#SecuringEnterprise: Old Strategies Don't Work

#SecuringEnterprise: Old Strategies Don't Work

In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.

In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of "where we need to go," the industry needs to develop a more formalized approach that combines design and analysis methods.

“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”

To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” Given that there are lots of threats, those threats turn into risks, which have a very tangible bottom-line impact.

“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.

Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.

The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk and take the necessary steps to fully assess its security landscape and prioritize and protect the areas that would be most impactful in the event of a security incident.

Source: Information Security Magazine

#SecuringEnterprise: Talking Risk to Boards

#SecuringEnterprise: Talking Risk to Boards

In a panel focused on securing the enterprise at a conference by the same name hosted by MIT CSAIL and BT Security, moderator Michael Siegel, principal research scientist, management science at MIT Sloan School of Management, talked with panel members about whether their organizations are secure.

“Rather than going out and doing some big review, we started with red teams,” said CIO and CSO of the Commonwealth of Massachusetts, Dennis McDermitt. “That was a revelatory experience. We continue to do them over and over again. We have done eight of them now, and that has really informed our answer to the question of whether we are secure or not.”

As a practitioner and vendor in the space, Debby Briggs, CSO, NETSCOUT, said, “I’m relatively secure, but it gets back to how do you quantify that. Sometimes it’s a challenge from a security perspective when you look at people, process and technology to determine how to have one message that meets everyone’s needs.”

In response to Briggs, Siegel posed to the panel the question of how to approach quantifying whether the organization is secure with the board. "I often find myself in the boardroom,” said Kathy Orner, VP, chief risk officer at Carlson Wagonlit Travel. “The number-one thing with board of directors is to educate them. Security is new to them, and the acronyms we use are foreign to them, even something like an IP address. 

“We bring in experts from the outside and inside and give them briefings. I would encourage boards to listen, to speak to the experts in their group, and to really try to understand the basics,” said Orner.

So what is the information that goes to the boards? McDermitt said the conversation needs to change. “Security is not a problem of risk transfer. Cybersecurity is akin to competition in a business. Cybersecurity is attack and defense, attack and defense, and it’s something they need to pursue actively.”

Yet some boards are having more risk-based conversations around cybersecurity. “The boards I have worked with are capable of seeing that it is a spectrum, so you can talk about how much risk are you willing to take. It’s an uncomfortable decision, but once you’ve had that conversation, it gets easier,” said Andrew Stanley, CISO, Mars.

Source: Information Security Magazine

#SecuringEnterprise: Facing Threats Then and Now

#SecuringEnterprise: Facing Threats Then and Now

At today’s Securing the Enterprise Cybersecurity Conference hosted by MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) and BT Security in Cambridge, MA, industry experts joined together to discuss the challenges of the changing threat landscape. 

Moderator Andy Ellis, CSO, Akamai Technologies, noted that the things attackers do today are not fundamentally different from what they were doing two decades ago. Given that, Ellis asked panel members what advice they would give themselves now after their years of experience in the industry. 

“I was in data analytics and usability engineering when I started out in IT,” said Michael Figueroa, executive director at the Advanced Cyber Security Center. “One of the things that was most challenging in the past that many are still struggling with is that attacks haven’t changed much, but we often think that if we don’t solve ‘that’ problem today, the sky is going to fall. History has shown us that the sky isn’t falling.

“The advice I would give myself is to keep a strategic mindset of the problem of today within a broader perspective and don’t panic.”

The panel agreed that while attackers are smart and adaptive, the attacks themselves have not really changed. “We can put up huge barriers, but attackers don’t have to overcome that barrier. They can go around,” said Dr. Hamed Okhravi, senior staff, cyber analytics and decision systems, MIT Lincoln Laboratory

“We are just shifting one threat to another, but we need to understand how much gain we will have and how much we are shifting the landscape and the adversary, then look at whether it is the right type of shift.”

That not every single threat is a phenomenon seemed to be the pervading theme in response to the question. In large part, defenders can benefit from seeing their work as a game, Okhravi said.

FBI special agent Scott McGaunn said that he sees cybersecurity as a game as well, ”a very important game. The crime is all the same. We still have bank robberies, we still have wire fraud. We have ransomware instead of ransom.

“Human nature is the same, and the need to commit criminal acts is the same, but the distance to be able to reach out and touch someone has changed. Instead of nation-states and spies, they get online and leverage the internet,” McGaunn said.

In recalling a conversation with her colleague about the ways in which her own approaches have evolved, Jen Andre, senior director, orchestration and automation at Rapid7, said, “I remember my colleague saying, ‘Once Windows fixes all the bugs, we will all be out of work.’” The absurdity of the statement evoked laughter from the audience, but to Andre’s point, that was the thinking years ago. The advice she offered after having gained experience is not to focus on fixing things one at a time.

Source: Information Security Magazine

US Indicts Chinese Spies and Insiders for Aviation Theft

US Indicts Chinese Spies and Insiders for Aviation Theft

The US authorities have continued to step-up the pressure on China with the indictment of two intelligence officers, two insiders and six hackers, most of whom were allegedly involved in a conspiracy to steal aviation secrets.

Two intelligence officers, Zha Rong and Chai Meng, and a team of five hackers are said to have worked for the Jiangsu Province Ministry of State Security (JSSD), headquartered in Nanjing.

They allegedly took part in a five-year conspiracy beginning in January 2010 to obtain key technology used in commercial airliners in the US and Europe: namely a turbofan jet engine. A Chinese state-owned aerospace company was said to be working on a similar engine at the time for its own use.

JSSD hackers Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei and Ma Zhiqi are alleged to have conducted intrusions into suppliers that manufactured parts for the turbofan engine, including aerospace companies based in Arizona, Massachusetts and Oregon.

Their work included classic techniques such as spear-phishing, info-stealing malware and watering hole attacks. For example, LA-based gas turbine manufacturer Capstone Turbine suffered data loss and had its website seeded with malware to infect others.

However, the conspiracy went even further, with the JSSD convincing Tian Xi and Gu Gen, two insiders at the targeted French aerospace company who worked at its office in Suzhou, Jiangsu province.

Gen was the company’s head of IT and security in Suzhou, showing the alleged extent of the conspiracy. He is said to have tipped off the officers when foreign police notified the company of the existence of malware on its systems, malware that Tian had apparently installed at the direction of the JSSD.

A separate conspiracy involved Zhang Zhang-Gui and Chinese national Li Xiao, who are alleged to have used the JSSD malware developed to hack Capston Turbine to repeatedly attack a San Diego-based tech company for more than a year-and-a-half, causing thousands of dollars in damage.

Unlike the alleged MSS officer recently extradited to the US to face charges related to another conspiracy to steal aviation secrets, none of those indicted in this case are thought to be on US soil, making this more of a PR exercise.

However, given the alleged insider activity at the aerospace firm’s China office, it will be yet another compelling reason for foreign firms to start extricating key facilities from the country.

A report from CrowdStrike earlier this month identified China as the most prolific nation state threat actor during the first half of 2018.

Source: Information Security Magazine

UK Law Firm Preps Cathay Pacific Class Action

UK Law Firm Preps Cathay Pacific Class Action

UK lawyers are preparing a class action suit against Cathay Pacific, claiming that the firm is liable for compensation “under the relevant data protection laws.”

SPG Law, which claims to draw on some of America’s top class action lawyers, has already registered the cathaydatabreach.com domain and is inviting those affected to get in touch.

Explaining that its sister law firm in the US has already won over $1bn in compensation in similar cases, the firm claimed that passengers hit by the Cathay Pacific breach earlier this year could be in line for “significant compensation in the thousands, or possibly tens of thousands, depending on circumstances.”

“The breach is even more serious than that committed by BA in September 2018 in that Cathay Pacific customers like you have suffered from far more substantial personal data being leaked,” a statement on the site noted.

“You have a right to compensation from Cathay Pacific for this data leak in accordance with data protection laws. You can be compensated for inconvenience, distress and annoyance associated with the data leak. It is time to stand up to them and take action.”

However, there’s no mention of the GDPR on the site, despite previous reports claiming the firm had cited Article 82 of the new data protection law as key.

The Hong Kong carrier has been widely criticized for its handling of the breach, which it said affected 9.4 million customers. However, the incident's timing appears to fall before the introduction of the GDPR on May 25.

The firm is said to have first noticed suspicious activity in March but confirmed data had been accessed in early May.

Either way, the new action is another reminder of the potential legal costs for firms that suffer a major breach.

Source: Information Security Magazine

5 Ways The IoT Will Help Reshape Information Security Protocols

By Featured Guest Blogger:
“Lock and Security Expert, Ralph Goodman”
http://united-locksmith.net/blog

Information security protocols, or cybersecurity protocols, have been in place since it became apparent that the transmission of data could be targeted and exploited. These protocols are meant to guard the integrity of data that is being transmitted over several different networks, and they have probably never been more important than they are now.

The increasing popularity of the Internet of Things has led to a much more critical light being shone on information security protocols. These protocols go hand in hand with the IoT because of how much the IoT relies on the transmission of data. Homeowners are some of the leading users of the IoT because they love the efficiency that comes with it, however, many of them are not big fans of its inherent security flaws.

The need for better security is one of the main reasons why the IoT will undoubtedly help shape the type of information security protocols that we have now. And it will pave the way for the security protocols we will be using in the future. The security flaws and triumphs of the IoT will act as a bridge that helps lead to better information security protocols. Let’s take a look at some of the ways this will be accomplished:

  1. Stronger Authentication

One thing that the IoT has highlighted is the increased need for more stringent authentication methods between networks, network devices, and users. There is a lot of information that is shared between these elements, and it is important that none of these access points is left vulnerable. The key thing to keep in mind is that any access point can also be used as an intrusion point, so it is necessary to make sure that this does not happen. The future of information security protocols will most likely see an increased use of two factor authentication as well as multi-factor authentication. These authentication methods, as well as any others that might be modeled after them, make use of various elements in order to ensure a higher level of security.

  1. Closing Open Ports

The IoT is one of the main driving factors behind the current state of home automation. The Internet of things, and the home automation devices that work with it, tend to make use of Universal plug and play protocols. This feature allows different devices to discover themselves on a network, and then allows them to communicate and transmit data. However, due to the welcoming nature of this protocol, security is more lax when they are in use. This could very easily lead to hackers exploiting open ports to launch cyber attacks. The IoT has helped show how much a weak link this can be, and it will help information security protocols close off open ports across networks, preventing any of them from being exploited.

  1. Avoiding Proprietary Encryption Protocols

Encryption protocols have been one of the most popular ways to ensure that data transmission is kept secure. The reason behind its popularity is that, in most cases, it tends to work. However, with the advent of things like IoT and with the ever increasing amount of data that is shared on a daily basis, general proprietary encryption protocols are no longer the most secure way to protect data transmissions. Instead, information security protocols should focus on using proven encryption methods that can be applied to several different devices. And use them in conjunction with stringent authentication methods to provide more secure data transmission.

  1. Increased Cloud Interface Security

One aspect of information security protocol that has not been discussed, until recently, is the cloud. Cloud computing is primarily internet based, and this in itself poses many problems to the way in which information security protocols function. There are many more access points, and many more users that have to be factored in when you begin to talk about cloud interface security. This is even more important when it comes to the IoT. If hackers are able to exploit users cloud interfaces, they can gain access to troves of private information on both clients and service providers. Furthermore, there has always been some concern about the privacy issues that the cloud brings. This problem, coupled with the increased use and access of the IoT, will lead to much more stringent cloud interface security.

  1. Responsive Security Protocols

This measure is not as clear cut as some of the others. However, it is equally important. One of the biggest issues that the IoT has to deal with is the way that it handles necessary updates and firmware additions. These updates are necessary to ensure that the automation devices on the IoT network run smoothly. When it comes to information security protocol, it is important to fashion measures that are able to adapt to changes as time goes along. For instance, if someone suffers a DDoS attack on their home, which prevents them from operating their smart locks, it is important that they have some security measures in place to actively root out the cause of the intrusion. Essentially, the aim is to model security protocols after firmware updates. These responsive security protocols should ideally be delivered much in the same way that updates are, and they should be coupled with end-to-end authentication to ensure that hackers do not exploit it.

Conclusion

The Internet of Things has an amazing amount of potential, which is still yet to be fully tapped. Although, if it makes people take a closer look at the way in which Information Security protocol works, then it is already doing an amazing job. These security measures are extremely necessary because of how much data and information they help safeguard. If these protocols were not in place, privacy and data security would be compromised. In order for them to exist in the future, adequate changes have to be made in order to reshape information security protocols.

Malware Targeting Smartphones via Three DSP Providers

Malware Targeting Smartphones via Three DSP Providers

A new technique to escape malware detection has been used in a malicious campaign targeting smartphones, according to The Media Trust.

In today’s blog post, Michael Bittner, digital security and operations manager at The Media Trust, revealed that the campaign involved third-party code that enabled smart malware delivery. The malware, dubbed JuiceChecker-3PC by The Media Trust's digital security and operations (DSO) team, was able to bypass scanning using Base64 and has been seen in millions of page views over the last three weeks.

After bypassing the scanning, the malware checked to see whether the user agent was mobile specific, whether the battery level ranged between 20–76% and whether the referrer was specified. If these conditions were met, the malware triggered a redirect in which the ad viewer was delivered to a malicious site.

The targets included three global demand-side platform (DSP) providers, all of which traditionally see checks for similar conditions, with the exception of the battery-level range.

“In this incident, the malware was inserted into creative posing as a legitimate ad for one of the largest department store retailers in the US. The Media Trust digital security and operations (DSO) team was able to identify the malicious code and work with the DSPs to shut down the malware sources," Bittner wrote.

“Given this malware’s level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online."

Whether those attacks can be mitigated is questionable, though, according to a recent post on Cell Phone Security and Heads of State by Bruce Schneier. Using malware to attack the phone itself is one of two ways to eavesdrop, a technique that is favored by nation-state actors with less-sophisticated intelligence capabilities, Schneier explained.

“These attacks generally involve downloading malware onto a smartphone that then records calls, text messages, and other user activities, and forwards them to some central controller. Here, it matters which phone is being targeted,” Schneier wrote.

“Unfortunately, there's not much you can do to improve the security of your cell phone. Unlike computer networks, for which you can buy antivirus software, network firewalls, and the like, your phone is largely controlled by others. You're at the mercy of the company that makes your phone, the company that provides your cellular service, and the communications protocols developed when none of this was a problem. If one of those companies doesn't want to bother with security, you're vulnerable.

“This is why the current debate about phone privacy, with the FBI on one side wanting the ability to eavesdrop on communications and unlock devices, and users on the other side wanting secure devices, is so important.”

Source: Information Security Magazine

Cyber Is a Boardroom Issue in 2018

Cyber Is a Boardroom Issue in 2018

Based on studies and interviews with corporate board members and chief information security officers (CISOs), the Cyber Balance Sheet, published by Focal Point Data Risk and produced by the Cyentia Institute, found that boardrooms are engaging in more conversations about security.

While the talks about cyber risk are more commonplace, the C-suite and security leaders are still struggling to effectively translate security risks into an effective decision-making framework that enables the business to operate within its proper risk appetite.

Not surprisingly, the report found that many organizations lack a formal cyber-risk appetite. Years of data breach headlines increase awareness, but less than half of respondents could describe their organization’s cyber-risk appetite quantitatively. This gap revealed why leaders second-guess and struggle to effectively weigh risks of new technologies, supply chains and other change factors.

In addition, metrics reportedly muddy what matters when it comes to boardroom reporting. Security leaders continue to share statistics like “compliance status” and “security program maturity.” Despite the need for decision makers to act swiftly with regard to risks from third parties and supply chains, those topics are less frequently included in the stats shared with the board.

As a result, the report found that finding the balance of topic coverage that yields the necessary return on reporting remains a problem. To fix the metrics puzzle, boards are pressing CISOs to find new reporting metrics that spur the most strategic, valuable returns in resourcing and evolving cybersecurity.

“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national cybersecurity practice leader, in a press release.

“The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”

Source: Information Security Magazine

States Average a C- in Election Security

States Average a C- in Election Security

Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security. In a live webcast from the CSIS headquarters today, panelists discussed the results of the scorecard and what it means for election security. The panel looked at the progress made since the 2016 election and the gaps that remain.

In evaluating election security, CSIS identified four categories: campaigns, voter registration and election management systems, voting systems and election night reporting. The scorecard ranked threats by four degrees ranging from moderate to extreme.

According to the scorecard, the greatest threats exist in the ongoing attacks that target campaigns. “In 2018, cyber attacks by Russian hackers have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill,” the CSIS wrote. Of all four categories, campaigns had the highest risk, with a "severe" rating.

In part, the inconsistency of security is a contributing factor to the severe risk level. “Cybersecurity practices for political campaigns remain inconsistent, although efforts by Department of Homeland Security (DHS) and the FBI to provide cybersecurity training and support to campaigns have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the use of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections,” the scorecard said.

In the remaining three categories, the risk is serious, though the CSIS found that security in voter registration and election management systems and voting systems is improving. However, the security of election night reporting was rated as "weak."

Overall, the CSIS found that while elections in the US are vulnerable to cyber-threats, “we are not investing in strong security.” Despite the lack of investment and the continued attempts to exploit vulnerabilities in campaigns and voting systems, progress is being made.

CSIS found that 44 states participated in a DHS exercise to practice incident response plans and information sharing. In addition, all 50 states are now members of Multi-State Information Sharing & Analysis Center (MS-ISAC), and 548 state and local election organizations are members of Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

“The real risk here is around system vulnerabilities. The first step in protecting these critical systems is admitting that they are all vulnerable and looking for one tool or piece of software is not the answer," said Jon Check, senior director, cyber protection solutions, Raytheon. "While reports show that it would be extremely difficult for an adversary to change the outcome of a national election by hacking into voting machines and changing enough votes, past hacks have proven our election integrity is far from secure. 

"But it’s not all doom and gloom. The more data we mine and conversations we start around election security, the more we can help solve the awareness issue. We need to build back confidence in the security of our systems, which will involve industry and government partnerships to harden voting systems and build up better network resiliency. It will take a combination of these partnerships, good cyber-hygiene and proven tools to ensure secured elections and restore our citizens faith in our electoral process.”

Source: Information Security Magazine

UK Construction Firms Hemorrhage Log-Ins to Dark Web

UK Construction Firms Hemorrhage Log-Ins to Dark Web

Over 600,000 breached corporate log-ins belonging to staff at the UK’s leading construction, architecture and property firms are available for sale on the dark web, according to RepKnight.

The cyber intelligence firm used its BreachAlert dark web monitoring tool to locate the credentials. Over 450,000 were from construction firms, 110,00 were from architecture practices and just over 47,000 were linked to property developer businesses.

A spokesperson confirmed to Infosecurity that most of these likely found their way onto the dark web via breaches of third-party sites employees had signed up to using their corporate email.

As RepKnight warned, these log-ins could be used by hackers to access a trove of sensitive corporate IP including tenders, proposals, plans and client data.

There’s also a risk that attackers could locate stores of customer data, representing a risk to GDPR compliance.

One strategy highlighted by RepKnight was for attackers to use the log-ins to covertly access the corporate email accounts of targeted individuals, selected perhaps after some LinkedIn-based research because of the role they have with the company.

They could then set-up redirects to accounts under their control. The vendor claimed to have recently discovered a client who had over 5000 emails re-directed to a malicious third-party in just a five-day period.

“With the growth in digital information sharing across the construction project lifecycle, the possibility of a data breach occurring at some stage becomes ever more real,” argued RepKnight cybersecurity analyst, Patrick Martin.

“Because of this, these firms must ensure that they have ‘high visibility’ of their data at all times and have safety measures in place to protect it — especially because most of their sensitive data often lives outside the firewall. Monitoring for cyber-attacks or data breaches inside their corporate network is no longer enough, as it is possible that a breach can happen anywhere across the entire supply chain of your business.”

The findings call to mind separate research from the firm in January this year which revealed over one million corporate email addresses belonging to 500 of the UK’s top law firms, 80% of which had an associated password.

Alongside multi-factor authentication, use of password managers and strong authentication security policies, firms can consider dark web intelligence services to scan for compromised credentials.

Source: Information Security Magazine