
Archive for March 2019

Nation-States Have Right to Hack Back, Survey Says

Security professionals who attended RSA 2019 believe that the world is in the midst of cyber-war, according to a survey conducted by Venafi.

While 87% of the 517 IT security professionals surveyed believe that cyber-war is a current reality rather than a future threat, 72% of respondents said that nation-states should be able to "hack back" when their infrastructure is targeted by cyber-criminals.

The Venafi survey sought feedback from IT professionals on the Active Cyber Defense Certainty (ACDC) Act, which was introduced in October 2018, while keeping in mind the current prohibition on retaliatory cyber-defense methods established in the Computer Fraud and Abuse Act.

“We’re always interested in the intersection of regulation (often by politicians that don’t appear to have a basic understanding of security) and security imperatives (as perceived by the people in the trenches)," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

"We’ve been seeing more stories on hacking back and thought it would be interesting to understand if most security pros really think their organization should be able to do this. We felt this was particularly interesting in light of the controversy surrounding ACDC, and the mixed results that are likely to result for offensive hacking.” 

"Cyber-war" as a term, though, is often used too loosely, according to Alex Hamerstone, GRC practice lead at TrustedSec. “War has a specific definition that involves a declaration. People often conflate offensive operations with war when they don’t really cross that line. However, infrastructure is different. Infrastructure is 100% a red line that you cannot cross without expectations of a significant response.

“I’m a bit surprised that only 72% say nations should be able to hack back. I think it’s a given that a country has the right to defend itself when it’s under attack. An attack on infrastructure can easily cross the line from digital to kinetic, putting human lives at risk both directly and indirectly."

Because the potential impact on critical services like power, transportation and healthcare is so enormous, security needs to plan for both robust deterrence and response. "The capacity of the response is the primary deterrence. There is a lot of gray area and complexity here which a nation has to consider when deciding how robustly to respond. It’s easy for a situation to escalate beyond what is necessary. That said, nations should have the ability to 'hack back' to the fullest extent needed in order to defend their infrastructure and assets,” Hamerstone said.

Private entities, though, are not the same as nation-states, a point on which Hamerstone and Jeff Bardin, chief intelligence officer of Treadstone 71, agreed. “I have been in favor of active defense since at least 2010. There should be some sort of capability to strike back at attackers with a viable and capable force,” said Bardin.

“Many organizations are not capable of doing so, nor do they wish to take the risk. I see third-party mercenary-type organizations that would take this onto their 'paid' plates to accept the risk and execute a proportional attack. You cannot win at cybersecurity if all you do is defensive. You can never win a football game if all you do is play defense. Never win a basketball game if the other team is always on offense. You lose by definition.”

Source: Information Security Magazine

FIN7 Still Active Despite Arrests

Researchers have discovered that the advanced persistent threat (APT) group FIN7 is using a new attack panel in campaigns that Flashpoint analysts have called Astra.

Despite alleged members of the group being charged with 26 felony counts in August 2018, analysts have found previously unseen malware samples, which are reportedly written in PHP and function as a script-management system. In addition, the new administrative panel, believed to be linked to the group, also has ties to Carbanak.

The group's activity dates back to at least 2015, when FIN7 targeted over 100 companies across the US, Europe and Australia, predominantly those within the hospitality, restaurant, and gaming industries. According to the US Department of Justice (DoJ), suspected members of FIN7 were arrested between January and August 2018.

According to today’s blog post, attackers access targeted machines using phishing emails with malicious attachments. “The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document,” wrote Joshua Platt and Jason Reaves.

The previously unseen malware that drops files and executes SQL scripts on the host system has been named SQLRat; unlike traditional malware, it leaves no evidence behind, analysts said. The SQLRat campaign is, however, similar to traditional phishing campaigns in that it typically involves a lure document. In the cases analyzed, the documents requested that the user “Unlock Protected Content.”

“Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with Fin7. The second new malware sample discovered is a multi-protocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines.

“The campaigns maintain persistence on machines by creating two daily scheduled task entries. The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

In addition to sharing the indicators of compromise (IoCs) and recommending the security teams look for newly added Windows tasks, Flashpoint also advised monitoring for attempts to delete the Microsoft update service.
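The two detection recommendations above (watch for newly added Windows tasks, and for attempts to delete the update service) can be turned into a small rule set run over log records. The following is an added example written for this page, not Flashpoint's code or tooling; it assumes a SIEM-style export of Windows Security events in which 4698 is "A scheduled task was created" and 4688 is process creation with the command line recorded, and it assumes the "Microsoft update service" named in the advisory is the Windows Update service (service name wuauserv). The hosts, users, task names and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like a SIEM export of Windows event logs.
# Security event 4698 is "A scheduled task was created"; 4688 is process creation
# (command line present when command-line auditing is enabled). Hosts, users,
# task names and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "WS-117", "time": "2019-03-21T09:14:02", "user": "CORP\\jdoe",
     "task": "\\Updater1", "trigger": "Daily"},
    {"id": 4698, "host": "WS-117", "time": "2019-03-21T09:14:03", "user": "CORP\\jdoe",
     "task": "\\Updater2", "trigger": "Daily"},
    {"id": 4688, "host": "WS-117", "time": "2019-03-21T09:14:09", "user": "CORP\\jdoe",
     "cmdline": "sc.exe delete wuauserv"},
    {"id": 4698, "host": "WS-042", "time": "2019-03-21T10:02:55", "user": "CORP\\admin",
     "task": "\\NightlyBackup", "trigger": "Weekly"},
    {"id": 4688, "host": "WS-042", "time": "2019-03-21T10:03:10", "user": "CORP\\admin",
     "cmdline": "notepad.exe notes.txt"},
]

# The advisory's "Microsoft update service" is assumed here to mean the Windows
# Update service, whose service name is wuauserv.
UPDATE_SERVICE_DELETE = re.compile(r"\bsc(?:\.exe)?\s+delete\s+wuauserv\b", re.IGNORECASE)


def detect(events, pair_window=timedelta(minutes=5)):
    """Apply three rules and return a list of alert dicts.

    1. Every new scheduled task is surfaced at low severity as a triage candidate.
    2. Two daily tasks created on one host within pair_window matches the pattern
       the advisory describes, so it is raised at high severity.
    3. A process launch that deletes the Windows Update service is high severity.
    """
    alerts = []
    daily_by_host = defaultdict(list)
    for ev in events:
        if ev["id"] == 4698:
            alerts.append({"rule": "new-scheduled-task", "severity": "low",
                           "host": ev["host"], "detail": ev["task"]})
            if ev.get("trigger", "").lower() == "daily":
                daily_by_host[ev["host"]].append(ev)
        elif ev["id"] == 4688 and UPDATE_SERVICE_DELETE.search(ev.get("cmdline", "")):
            alerts.append({"rule": "update-service-deletion", "severity": "high",
                           "host": ev["host"], "detail": ev["cmdline"]})
    for host, tasks in daily_by_host.items():
        tasks.sort(key=lambda e: e["time"])
        for first, second in zip(tasks, tasks[1:]):
            gap = datetime.fromisoformat(second["time"]) - datetime.fromisoformat(first["time"])
            if gap <= pair_window:
                alerts.append({"rule": "paired-daily-tasks", "severity": "high", "host": host,
                               "detail": f"{first['task']} and {second['task']} {gap.seconds}s apart"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:>4}] {alert['host']} {alert['rule']}: {alert['detail']}")
```

Run against the constructed records, WS-117 produces the two high-severity alerts (the paired daily tasks and the service deletion) while the weekly backup task on WS-042 is only listed at low severity; in a real deployment the low-severity stream is what an analyst would baseline against known-good task names.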

Source: Information Security Magazine

Attacks Target AmEx, NetFlix Users with Phishing

Windows Defender Security Intel has reported two major phishing attacks targeting American Express and NetFlix.

The Office 365 research teams discovered the attacks, which reportedly emerged over the weekend, hitting unsuspecting customers with well-crafted phishing campaigns that attempt to steal credit card information. According to a tweet from Windows Defender Security, “Machine learning and detonation-based protections in Office 365 ATP protect customers in both campaigns.”

Additional tweets warned, "The Netflix campaign lures recipients into giving away credit card and SSN info using a 'Your account is on hold' email and a well-crafted payment form attached to the email."

Phishing emails such as these are not only easy to craft but also easy to deploy. When aimed at unsuspecting users, they are highly successful. “They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen,” said Colin Little, senior threat analyst, Centripetal Networks.

Cyber-criminals continue to employ the social engineering tactics of brevity and urgency, understanding that threatening user accounts or suggesting something may be amiss will evoke action.

In addition to the many places in the phishing kill chain that can keep these malicious emails away from users, Little said, “a security awareness program that trains users on how and why to identify phishing emails is both essential and fundamental. If our users are the broadest attack surface, their preparation for this attack is our best defense.”

When in doubt about whether an email is legitimate or not, an additional safety precaution is to address the potential issue in a separate dialogue. “Start a new email chain (such as to the Netflix help desk, in this example) using an address you obtain from the site,” Little said.

“Address the inquiry in a different media, such as calling their vendor support line. Or the recipient can open the applicable app (if one's available) on their smartphones and check their credit or account status.”

Source: Information Security Magazine

BEC Gift Card Scams Go Mobile

Cyber-criminals are evolving their tactics with Business Email Compromise (BEC) attacks by transferring victims from email over to mobile communications channels early on in a scam, according to Agari.

Researcher James Linton described how such an attack typically takes place, with the initial spoofed CEO email containing a request for the recipient’s mobile phone number.

“By moving them over to their cell phone, the scammer is equipping their victim with all the functionality needed to complete the task that is to be given to them,” he explained.

“A mobile device offers instant and direct messaging, the ability (in most cases) to still access email, the ability to take pictures with the phone’s camera, and far greater portability than a laptop, which all increases the chances that the scammer will be successful in achieving their desired outcome once a victim is on the hook.”

If the victim hands over their number, the BEC scammer knows they have a great chance of success. In fact, the extra complexity of moving across two different comms channels may even add extra credibility to the scam, Linton claimed.

The instantaneous communication of mobile-based SMS or IM also makes it less likely that the victim will stop and think about what’s happening.

Temporary numbers can be relatively easily set up for the purpose, and can even be managed from a single desktop environment, making things easier for the scammer.

Linton explained how BEC scammers could use this tactic to trick workers into buying a set of gift cards on their behalf, scratching off the back and taking a photo of the redemption codes with the phone’s camera.

These are then swiftly laundered through online platforms, he added.

The best way of mitigating this new tactic is to check the domain on an incoming email for any red flags.

“If the email address checks out and a number is supplied, insist on a brief call before making purchases on behalf of someone else,” Linton concluded.

“As a final safety net, share concerns with a colleague or friend, especially if pressure is increased in unusual ways. As always, it’s better to be safe than sorry when dealing with these types of emails.”

Source: Information Security Magazine

Kaspersky Lab Files Antitrust Case Against Apple

Kaspersky Lab has filed an antitrust complaint against Apple in Russia, arguing that the tech giant forced it to remove two key features from one of its apps just as Apple released similar functionality.

The issue boils down to Kaspersky Lab’s use of configuration profiles in its Kaspersky Safe Kids app.

Removing this according to Apple’s demands would have meant disabling two “essential” features, app control and Safari browser blocking, the AV vendor claimed.

“The change in Apple’s policy toward our app (as well as toward every other developer of parental control software), notably came on the heels of the Cupertino-based company announcing its own Screen Time feature as part of iOS 12,” it continued.

“This feature allows users to monitor the amount of time they spend using certain apps or on certain websites, and set time restrictions. It is essentially Apple’s own app for parental control.”

This effectively means Apple is abusing its position as platform owner and supervisor for the only official iOS store, Kaspersky Lab argued.

“By setting its own rules for that channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player,” the firm concluded.

“It is precisely in this extension of its leverage through possession of so-called ‘key capacity’ over other segments, leading to restriction and elimination of competition, that we see the essential elements of antitrust law violation, which consist of erecting barriers and discriminating against our software.”

Kaspersky Lab claimed to have repeatedly tried to open dialog with the Cupertino giant, but “no meaningful negotiations have ensued.”

The move comes after Spotify filed a similar complaint against Apple in the EU, which the US firm replied to here.

Source: Information Security Magazine

10 Tips for Creating a Stand Out Information Security Resume

Let’s be honest – there are 100 million articles out there about how to write the best resume, right? Right. Well, after 20 years as a technical recruiter and nearly a decade of recruitment in information security, I know what makes a good resume in this industry. Some of these tips are industry specific, some are (or should be) common knowledge. Following these basic principles will ensure you have the right foundation to create a marketing piece (information security resume) that will catapult you into the next phase of your career.

Relocation costs now a sticking point for job-hunting security managers

In an effort to cut costs, many companies hire local candidates to fill CSO positions. But are they also sacrificing quality for their security program?

By Bob Violino
CSO | May 5, 2015 9:47 AM PT

With security executives and staff in such demand at many organizations today, is it possible that something like paying for relocation costs could get in the way of hiring a new employee to join the security program? Yes, according to a number of people in the industry.

“Companies are finally realizing that they need someone to lead their information security efforts. Unfortunately, [they’re] settling for available local talent instead of hiring the experienced talent they really need” because they don’t want to pay for relocation, says an information security executive who asked to remain anonymous because he’s actively looking for another job.

In some cases, it’s made clear that relocation compensation is not an option. “If you start looking at director or above in the job boards, few positions will state that relocation is provided and many will explicitly say that relocation is not provided,” the executive says. “Since I am looking for a new position, I have talked with several recruiters and heard the same story from them. Companies don’t want to invest in relocation and are looking at local candidates only.”

Recently, the executive talked with a large restaurant chain that is looking for a new CISO, and was told that the company liked him for the position, but did not want to deal with relocation costs. “They did finally find someone local who had one-third the experience and had never been a CISO before,” he says. “I will give them nine to 12 months—or a breach—for them to be looking again.”

It’s not unusual for employers to ask recruiters to focus on the local candidate pool so they do not have to relocate someone, says Kathy Lavinder, executive director of Security & Investigative Placement Consultants, a retained recruiting firm that finds and places security management and financial investigative personnel.

“That’s quite common in the larger metropolitan areas where the local candidate pool is likely to be sufficient,” Lavinder says. “That directive eliminates some strong non-local talent, but that appears to be a price some employers are willing to accept.”

Some of Lavinder’s clients have been trying to contain relocations costs when possible. “Some have reduced the number of house-hunting trips to the new location for the potential employee and his or her spouse,” she says. “I’ve seen them reduce the number of paid house-hunting trips to one, instead of two. I’ve also seen a few employers put a 30-day limit on the coverage of interim housing costs to spur the new employee to find permanent housing.”

Some larger companies are expressing a desire to avoid cross-country moves, Lavinder says. “In one recent instance, a multinational company headquartered in the New York metro area asked us to focus on candidates east of the Mississippi,” she says. “The company may have been concerned that someone from the western U.S. may not adapt to the New York area, but I suspect cost entered into their decision.”

Larger companies have always had more generous and comprehensive relocation packages than smaller and mid-size companies, Lavinder adds, “but even some of our larger clients are trimming relocation packages a little. In one case, the company cut out some minor things they had covered in the past, such as the cost of a new driver’s license and car registration. These are minimal costs and candidates would never know they had been covered in the past, so it’s easy for employers to make a change like that with little consequence.”

Another security executive recruiter, Wils Bell, president of, has encountered refusals by companies to cover relocation costs “on many occasions.”

One example was a larger company that was located in a big city. “Their position had been open almost a year when I was contacted about working on their search,” Bell says. “The position offered a good salary, career advancement for the right person, challenge, etc. What it did not offer was any type of relocation.”

Corporate leadership had decided that since the business was located in a larger city, it should be able to draw from the local market. “They still were holding onto this policy even after a year of searching and interviewing several candidates through numerous sources,” Bell says.

And among companies that do cover relocations costs, in many cases the offer is not as generous as in the past, Bell says.

“For the vast majority of positions, relocation has changed from years ago,” Bell says. “Getting a ‘Cadillac’ relocation package is many times being replaced by a specific dollar amount [such as] $3,000, $5,000 or $7,500, and you move yourself. Of course, you’ll need receipts to back up all expenses.”

These types of situations, with either no relocation packages or limited packages, have been on the rise, Bell says. “I don’t see it as often at the C-level as I do the mid- to senior-level positions, but it is definitely increasing,” he says.

Years ago, relocation packages and their perks were fairly standard, Bell says. “Over the years they have decreased in value,” he says. “In my opinion, money is the main driving factor. Firms could spend a great deal of money moving someone. The actual move, closing costs, house hunting trips, temporary housing, etc. all added up. It is easier for many firms to just offer a flat dollar amount.”

Some organizations are more likely to provide relocation packages only for the higher-level security jobs.

“Often, organizations see the value of finding the precise organizational and skill-set fit at or above the director level, making relocation necessary,” says Domini Clark, principal at Blackmere Consulting, which recruits information security professionals.

“Below that level, however, it is often very difficult to find organizations willing to cover the costs of relocation,” Clark says. “Unfortunately, the majority of the hiring necessary in any organization goes on at this level, which causes issues with positions being open much longer than necessary or not being filled at all.”

Some recruiters, however, say they’ve not encountered any major issues regarding relocation costs.

“We have filled some of the most prestigious CISO roles as well as companies hiring first-time CISOs, and for the most part they understand the demand for these executives is very high and are providing relocation packages,” says Joyce Brocaglia, founder of Alta Associates, an executive search firm specializing in information security and IT risk.

“We have filled over 20 information security positions in the first quarter, and the majority of companies were willing to relocate candidates,” Brocaglia says. “The only times we see companies not wanting to fund relocation expenses are for junior level to entry level manager roles that they believe they can find local talent. Even in those cases, the majority of companies are willing to provide some type of sign-on to defer expenses.”

As the demand for talent has increased the past few years, “I’ve had more companies offering relocation packages than I did in the 2008 to 2011 timeframe,” adds Jeff Snyder, president of

“It is safest for a job candidate today to be prepared for reimbursement for a pack and move where the company will pay for a rental truck and maybe packing and a month or two of storage on the destination end of the relocation,” Snyder says. “If a company offers a relocation package that includes assistance with selling a home or even outright buying a candidate’s home, this is what I would consider to be a package with gravy.”

Nevertheless, containing relocation costs now appears to be a reality that recruiters, candidates and hiring managers must acknowledge and in most cases accept, Lavinder says. “This trend began during the recession and is ongoing,” she says.

Unrealistic expectations by candidates

The unwillingness of many companies to pay for relocation costs when hiring security executives and staff is having an impact in several ways, according to recruitment experts.

“This can make the jobs of recruiters and internal talent acquisition personnel more difficult,” Lavinder says.

“Candidates can have some fairly unrealistic expectations around relocation,” Lavinder says. “They’ve heard stories from peers about deluxe relocation packages and do not realize those are the exception, not the norm. Managing the expectations of candidates, as well as the relocation discussion and process, is how a good recruiter can add value and help the employer find the talent needed.”

One major effect of the decrease in relocation package offerings is that companies limit their choices and might not be able to hire the best candidate for the position, Bell says.

“This is especially true at senior leadership levels,” Bell says. “When you consider what even a small breach can cost a firm in lost profits, reputation damage, loss of clients, remediation efforts, etc., then hiring the best candidate, regardless of relocation, just makes good business sense.”

The trend means recruiters in some cases have to work harder to get companies to be more flexible if they want to bring in people with the needed security experience.

“Nobody ever wants to back off of their list of wants, needs and desires, but depending on the size of the local market a [company is] in, I have to convince employers that they have to find flexibility somewhere or lower their standards,” Snyder says.

“The types of roles I work on are not roles where companies can afford to lower their standards,” Snyder says.

Another consequence of the hesitance to pay relocation costs is that more and more work is being done remotely, Clark says.

“In many cases, the technology is there to make this effective,” Clark says. “However, leadership is often uncomfortable with this shifting tide. It ‘feels’ less like they have the control they need to know what’s happening with their department if they can’t do a walk through or hold an in-person meeting. If companies are unwilling to assist the right talent with meaningful relocation offerings or remote work possibilities, their positions will remain open or they will compromise on candidate quality.”

US Orgs Not Ready to Comply with CCPA

Protecting consumer privacy has become a top priority for legislators as candidates launch their 2020 campaigns and try to win over voters. According to research findings revealed in the new CCPA and GDPR Compliance Report, however, US companies haven't made privacy regulations a top priority.

The online survey, conducted by TrustArc, reflects responses from 250 IT professionals who represent a wide spectrum of industries and company sizes. Of all the participating organizations, half were impacted by both General Data Protection Regulations (GDPR) and California Consumer Privacy Act (CCPA), while half were impacted only by CCPA. The report found that 88% of companies need help complying with California’s new privacy regulations.

According to the findings, only 14% of companies are currently compliant with CCPA, despite its deadline being less than 10 months away. Additionally, survey results revealed that 84% of respondents have started the CCPA compliance process, though only 56% have moved forward to the implementation stage.

Although fewer than half (44%) have not yet started the implementation process, 64% of companies said they need help developing their CCPA privacy plan. Compliance readiness, however, varied depending on whether companies had already worked on GDPR compliance.

Responses from those companies that were not impacted by GDPR showed that 79% will need to spend more than six figures to comply with CCPA, while only 61% of companies that have worked on GDPR compliance will need to spend as much.

“At TrustArc, we’ve seen a significant increase in the number of customers coming to us for support to comply with CCPA,” said CEO Chris Babel. “Companies that took the steps to comply with GDPR are already ahead of the game and will have an easier path to meet the requirements of CCPA. The companies that did not work on GDPR compliance will be under the gun to implement scalable compliance processes by the January 1, 2020, deadline.”

Source: Information Security Magazine

Consumers Donate Data with Recycled Electronics

With the rapid turnover of technology, many consumers willingly trade in, sell or donate their old electronics, oftentimes without ensuring that all of their data has been wiped clean, according to new findings from Rapid7.

In a recent experiment conducted by Rapid7’s Josh Frantz, nearly every device he analyzed contained some form of personally identifiable information (PII) left over from its previous owner. Over the span of six months, Frantz looked at a collection of recycled consumer electronics, including laptops, smartphones and external drives. Even though many thrift shops claimed to wipe devices before reselling them, the devices contained such information as passwords, social security numbers and banking information.

In total, Frantz found 41 social security numbers, 19 credit card numbers and two passport numbers among a trove of additional PII. Additionally, he extracted 147,000 emails and 214,000 images. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs. I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here,” Frantz wrote in today’s report.

According to the findings from Frantz’s months-long experiment, not only are the thrift shops not holding up their end of the bargain, but consumers are also turning in devices without wiping them clean, an obvious recipe for disaster. Of the 85 devices analyzed, only two of them were properly erased and a mere three were encrypted.

Given the ease with which these types of data can be accessed and sold, Frantz found that the value of the data itself has dropped to less than $1 per record on the dark web.

“Realistically, unless you physically destroy a device, forensic experts can potentially extract data from it. If you’re worried about potential data exfiltration, it’s best to err on the side of caution and destroy it. However, wiping your device is usually enough, and can be a very easy and relatively painless process,” Frantz said.
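The regular-expression sweep Frantz describes (Social Security numbers, dates of birth, credit card numbers and phone numbers across recovered documents and text) can be reproduced as a small scanner that a device owner or IT team runs over their own files before a machine is resold or donated. The following is an added example written for this page, not Rapid7's or Frantz's code; it uses Python rather than the PowerShell mentioned in the report, applies a Luhn checksum and SSN range rules to cut false positives, and operates on a constructed sample text whose values are all made up (4111 1111 1111 1111 is the standard Visa test number).

```python
import os
import re

# Constructed sample text standing in for a document recovered from a resold
# drive. Every value is made up; 4111 1111 1111 1111 is the standard Visa test
# number, which passes the Luhn check.
SAMPLE_TEXT = """Receipt for Jane Doe, DOB 07/04/1985, SSN 123-45-6789.
Paid with card 4111 1111 1111 1111. Call 415-555-0100 with questions.
Invalid SSN 000-12-3456 and mistyped card 4111111111111112 must not be reported."""

PATTERNS = {
    # SSNs with area 000, 666 or 9xx, group 00 or serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    # 13 to 16 digits, optionally separated by spaces or hyphens; Luhn-checked below.
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {"ssn": [...], "dob": [...], "phone": [...], "card": [...]} for one text."""
    hits = {name: [] for name in PATTERNS}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "card":
                value = re.sub(r"[ -]", "", value)
                if not luhn_ok(value):   # drop digit runs that merely look like cards
                    continue
            hits[name].append(value)
    return hits


def scan_directory(root: str) -> dict:
    """Walk a directory of text-like files and report per-file PII counts."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
            except OSError:
                continue
            counts = {name: len(values) for name, values in hits.items() if values}
            if counts:
                report[path] = counts
    return report


if __name__ == "__main__":
    for kind, values in find_pii(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
```

On the sample text the scanner reports one SSN, one date of birth, one phone number and one card, and silently drops the unissued SSN range and the card number that fails Luhn; `scan_directory` applies the same logic across a folder, which is the practical use before a device leaves your hands. As in the report, plain-text matching only covers documents, emails and text files; images and PDFs need an OCR pass first.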

Source: Information Security Magazine

Apple, Microsoft Top Orgs Used in Spear Phishing

As spear-phishing tactics continue to evolve, attackers are using these threats with greater frequency and severity, making spear-phishing attacks the top threat vector for many organizations, according to a new report from Barracuda Networks.

Despite increased awareness of the types of threats they face, companies continue to fall victim to spear-phishing campaigns because attacks are becoming more tailored, with malicious actors leveraging social engineering tactics such as urgency and brevity, the report found.

The email threat report analyzed 350,000 spear-phishing emails and discovered that brand impersonation schemes – most notably Apple or Microsoft – account for 83% of spear-phishing attacks. “These types of spear-phishing attacks, designed to impersonate well-known companies and commonly-used business applications, are by far the most popular because they are well designed as an entry point to harvest credentials and carry out account takeover. Brand impersonation attacks are also used to steal personally-identifiable information, such as credit card and Social Security numbers.”

Attackers often exploit zero-day vulnerabilities in brand-impersonation attacks, which makes it easier to bypass traditional email security because they come from reputable senders and are typically hosted on domains that weren’t previously used as part of any malicious attack, the report said.

The attacks are not randomly deployed, as the report found that cyber-criminals carefully time their attacks, with one in five emails delivered on Tuesday. In addition, cyber-criminals also take advantage of the holiday season, knowing that there is a greater likelihood of security weaknesses.

The report found that the week before Christmas saw a 150% spike in spear-phishing attacks.

“Spear phishing attacks are designed to evade traditional email security solutions, and the threat is constantly evolving as attackers find new ways to avoid detection and trick users,” said Asaf Cidon, VP, content security at Barracuda Networks, in a press release. “Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion.”

Barracuda will discuss findings from this research in the Infosecurity Magazine Online Summit keynote, next Tuesday, 2:30–3:00 pm GMT. Register to attend at

Source: Information Security Magazine