
Archive for July 2019

#CyberSecuredForum: Answers to Security Questions

On the final day of the Cyber: Secured Forum in Dallas, moderators hosted a series of discussions in which attendees played a crucial part in putting forward solutions to some of the most pressing cyber–physical topics facing the security industry.

Attendees were divided into four different groups to collaborate on responses to some of the biggest cyber–physical challenges, including:

  • The Tenets of a Cybersecurity Hardening Guide
  • Privacy in the Age of Connected Devices
  • Show Me the Money: The Considerations for Monetizing Cybersecurity as an Integrator
  • Gap Analysis – How the Security Industry Should Address Cybersecurity

In coming together to share their responses, attendees expressed their collective ideas. One of the key concerns for integrators is understanding how to monetize cybersecurity. In order to do this successfully, integrators need to acquire an array of skill sets that they might not have. For those that are looking to grow and be the experienced industry provider, they need to rely on the skills of others while they themselves grow and learn.

While it’s not all about the money, business is all about the money. Unfortunately, connectivity has opened up a Pandora’s box of opportunity and challenges for the physical security industry. Integrators are seeking to monetize cybersecurity services while ensuring new threats to their customers are mitigated in the systems they deploy.

In looking at privacy in the age of connected devices, attendees recognize that the lack of security in the internet of things poses not only digital but also physical privacy vulnerabilities. As such, solutions providers are working to ensure that their connected products are hardened out of the box and that the folks deploying them have the guidance to ensure that they provide customer value, not cybersecurity headaches.

The security industry needs to shift its siloed thinking in order to really address cybersecurity. One overarching theme of the Cyber: Secured Forum was that the lines between physical security and cybersecurity are slowly disappearing. The vulnerabilities overlap, the risks are expanding, and the ability to mitigate those risks is hampered by an ever-growing skills gap. Collaboration, now more than ever, is key.

Source: Information Security Magazine

#CyberSecuredForum: Physical, Cyber Unite

Physical and cyber are two sides of the same “security industry” coin, said George Finney, CISO, Southern Methodist University, in his keynote speech on the closing day of the Cyber: Secured Forum.

“There’s not really a difference from the hacker perspective. They are trying to use whatever avenue they can to exploit your company,” Finney said. Where once penetration testers might have only tested the network, now Finney has pen testers come to campus and try to break into the wireless network or use social engineering methods to access areas of campus where they aren’t supposed to be.

While the university is charged with protecting student data, Finney said, “We also want to protect them, wherever they are.”

The security industry is made up of people. In physical and cybersecurity, “both of us make our spouses sit with their backs to the restaurant so that we can see all the exits. We both integrate highly complex technologies, and we both know that the bad guys are going to figure out what our defenses are,” Finney said.

For years, it was believed that you couldn't have cybersecurity without physical security, but today, Finney said, the opposite is also true.

Finney shared lessons he learned as CISO of Southern Methodist University, which has put support for physical security technologies and cybersecurity on the same team, a move prompted by a major event on campus.

The opening ceremony of the George W. Bush Presidential Library and Museum was planned on the SMU campus, and Finney explained that the Secret Service told him that the event would be the biggest security event because five living presidents would be in attendance.

Finney said that his team, with the help of an integrator, completed a campus-wide lock-down initiative, centralized support and improved response times to strengthen security for the event. The initiatives then had the lingering effect of improving the student experience, which has helped to reduce crime on campus – all while hardening systems against hacking.

Source: Information Security Magazine

We Must Weaken Encryption, Say ‘Five Eyes’ Ministers

Senior ministers from the UK, Australia, Canada, New Zealand and the United States have announced their support of weakening encryption, essentially asking tech companies to install backdoors in encrypted communications.

The news comes following a two-day security summit in London, where home affairs, interior security and immigration ministers of the ‘Five Eyes’ countries discussed current and emerging threats which could undermine national and global security.

As detailed in an official UK government release, “During a roundtable with tech firms, ministers stressed that law enforcement agencies’ efforts to investigate and prosecute the most serious crimes would be hampered if the industry carries out plans to implement end-to-end encryption, without the necessary safeguards.”

Home Secretary Priti Patel said: “The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk.

“We heard today about the devastating and lifelong impact of child sexual exploitation and abuse, and agreed firm commitments to collaborate to get ahead of the threat.

“As Governments, protecting our citizens is our top priority, which is why through the unique and binding partnership of Five Eyes we will tackle these emerging threats together.”

Also speaking at the conclusion of the two-day conference was United States Attorney General William P. Barr. Barr said that encryption presents a unique challenge and the Five Eyes partnership has a duty to protect public safety, including those related to the internet.

“We must ensure that we do not stand by as advances in technology create spaces where criminal activity of the most heinous kind can go undetected and unpunished.”

However, Javvad Malik, security awareness advocate at KnowBe4, said that calls to weaken encryption, or to place backdoors in, are periodically made by ill-informed politicians.

“No matter how hotly this is debated, it can't change the maths behind encryption, which will either work or not. Weakening encryption will do more harm than good, as it will leave all communication vulnerable and allow bad actors to compromise legitimate traffic,” he argued.

Source: Information Security Magazine

Criminals Target FinServ With Layered Attacks

Organizations in the financial services sector have repeatedly been impacted by attackers leveraging credential stuffing and unique phishing attempts, according to newly released data in Akamai’s 2019 State of the Internet/Security Financial Services Attack Economy Report.

The report found that 50% of all the companies impacted by observed phishing domains were in the financial services sector. The report reflects the analysis of 3.5 billion attempts during an 18-month period that have put the personal data and banking information of financial services customers at risk.

Researchers observed that, between December 2, 2018, and May 4, 2019, 197,524 phishing domains were discovered. Customers were directly targeted in 66% of those attacks. In addition, “94% of the attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period), based on Akamai’s calculations,” according to the report.

“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”

Criminals are using "bank drops," which researchers explained are packages of data that include a person’s stolen identity, that can be used to open accounts at a given financial institution. The packages are known as "fullz" by criminals online and include an individual’s name, address, date of birth, Social Security details, driver’s license information and credit score.

While financial institutions are trying to understand the methods criminals are using to open these drop accounts, attackers are gaining more success because they continue to target the financial services industry.

“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”

Source: Information Security Magazine

UK Firms Move Operations as Brexit Data Fears Grow

UK businesses are stepping up their preparations for a potentially tortuous split from the EU, with a third moving some operations to the continent to avoid data privacy regulatory issues, according to new research.

Business process outsourcer Parseq polled 500 decision makers in businesses with 250+ employees about how Brexit might impact their current data privacy obligations.

Although the GDPR is technically transposed into UK law, the country will require an “adequacy decision” from the European Commission to ensure unhindered data flows after it leaves the trading bloc – something that is certainly not guaranteed.

That’s why the vast majority (89%) of firms polled by Parseq said they’d taken proactive measures.

Around a third (35%) said they’d refocused their client base to the UK, while a similar number (32%) had transferred operations to the EU.

Nearly two-fifths (37%) said they have audited data flows to and from the EU and even more (42%) have sought advice from regulator the Information Commissioner’s Office (ICO).

Craig Naylor-Smith, managing director at Parseq, argued that UK firms are currently operating on shifting sands given the lack of clarity over post-Brexit data transfer arrangements.

“The Data Protection Act (2018) transposed the GDPR into UK law, but if the rules in Europe diverge once we leave the EU it could make transferring personal data to and from the continent more difficult — a vital consideration for businesses in our increasingly connected, digital world,” he added.

“With this in mind, it’s encouraging to see so many firms take proactive steps to prepare for the prospect of regulatory changes. However, with an even proportion of firms increasing their European presence and refocusing their position to the UK, it’s clear the best course of action will depend on individual strategies.”

The bottom line is: UK businesses must consider how Brexit could impact data privacy regulations as a matter of urgency, he said.

Source: Information Security Magazine

Sephora Warns Users of Data Breach

Sephora has notified customers in the Asia-Pacific region who have online accounts that the cosmetics and beauty products retailer suffered a data breach, according to Malay Mail.

Customers reportedly received an email in which the company explained that an unauthorized third party had gotten access to the personal information of “some customers,” reportedly those in Australia, Hong Kong, Indonesia, Malaysia, New Zealand, the Philippines, Singapore and Thailand.

The exposed information included the users’ first and last name, date of birth, gender, email address, encrypted password and data related to “beauty preferences,” according to what Alia Gogi, managing director of Sephora Southeast Asia, reportedly wrote in an email.

Additionally, Gogi added that no credit card information was accessed and the company has “no reason to believe that any personal data has been misused,” the report said.

"It is a great challenge for many organizations to standardize their cybersecurity operations globally. Varying regulations for both security and privacy come into play, especially when dealing with an enterprise that operates around the globe,” said George Wrenn, founder and CEO of CyberSaint Security.

“This breakdown is why we see many large organizations flock to an integrated risk management (IRM) approach. IRM is allowing organizations to aggregate risk and compliance data from all business units and make smarter and more informed decisions. With the patchwork of regulations that are emerging around the world, cybersecurity leaders must be prepared to integrate their organizations to stay wholly aware of the posture of their organization."

Fraudsters and cyber-criminals have easy access to customer data given the mega breaches of the past few years, and Kevin Gosschalk, CEO, Arkose Labs, said that each subsequent breach only adds to the available information on the dark web, creating a paradigm of fraudulent activity.

“These types of incidents provide cyber-criminals with the incentive and tools they need in order to commit ongoing, lucrative and easy fraud. In this case, the information hackers had access to, including encrypted passwords and email addresses, can now be weaponized in future account takeover (ATO) attacks. While Sephora has cancelled all existing passwords as an immediate first step, customers are inherently still at risk,” Gosschalk added.

"There is an ongoing onus on Sephora to safeguard its customers against future cybercrime associated with their password vulnerabilities. Our reality is that cybercrime is a well-funded and connected business where fraudsters have access to sophisticated tools and resources to launch attacks. This breach is yet another incident that provides them with the exact ammunition they need. The longer-term solution will come from eliminating the economic incentives behind these attacks through the use of integrated strategies that detect fraud in real time and block attacks from being successful.”

Source: Information Security Magazine

#CyberSecuredForum: A View From the CISO

Enterprises in the midst of digital transformation are finding that physical security and its convergence with cyber and information security requires that they consider new approaches to risk management, according to a panel of industry leaders at today’s Cyber: Secured Forum in Dallas.

The panelists represented an array of industries from companies such as Southern Methodist University, Glasswing Ventures, McAfee, Comcast Cable and Booking Holdings, all sharing “A View from the CISO’s Office.”  

Concerns range from active shooters and the physical safety of students to how to secure the critical data sources that more and more employees within the organization are accessing.

The challenge with cybersecurity in some organizations is that they have to sell cyber within the organization because of existing cultures, but integrating and blending IT and physical security has the potential to bring everything together in a single pane of glass, said Mark Weatherford, global information security strategist at Booking Holdings.

Technology can solve some of the physical and IT integration issues, including those related to the provisioning and de-provisioning of employees. The pace of innovation is accelerating, and the longer you put off a focus on cybersecurity, the greater the challenge will be when you finally address it, according to the panelists.

Security orchestration is improving, according to the panelists, which helps organizations identify and manage risk in order to mitigate it. In the IT culture, there’s long been a habit of getting rid of products that don’t work, which hasn’t always been the case in the physical security world. “They don’t integrate as fast,” Weatherford said. “In the physical security world it’s been a different culture with respect to buying things.”

The panelists speculated on how convergence and integration will continue to play out over the next several years, and one panelist said there is a great opportunity for physical security companies to acquire cybersecurity providers in order to converge capabilities. The very definition of physical devices is changing, which has created a lot of opportunity for the physical feature set moving forward, one panelist noted.

Source: Information Security Magazine

#CyberSecuredForum: Dealing With Convergence

The biggest challenges in dealing with the convergence of physical and cybersecurity are culture, language, perception and budget, according to Mark Weatherford, global information security strategist at Booking Holdings, who delivered the keynote speech at today’s Cyber: Secured Forum in Dallas.

Weatherford shared an anecdote from a few months ago, when he came to realize that “sometimes we get so wrapped up in technology and thinking about how we can solve the world’s problems that we don’t realize the issue is really about money.”

Admittedly hyperbolic, Weatherford said he sees some truth in a quote from Allan Schiffman, who said, “Amateurs study cryptography; professionals study economics.”

The adversary’s goals are about money, which is why the provenance of the supply chain is critically important. “Cybersecurity can now interrupt that supply chain in a variety of different ways,” Weatherford said.

Because organizations depend on a vast and complex supply chain ecosystem, the industry is facing a perfect storm in which the internet of things (IoT) is innovating faster than the speed of security. “Laws and law enforcement are limited, inconsistent and unenforced,” Weatherford said.

Despite the rapid pace of innovation, cybersecurity has no national boundaries and no international norms of behavior and is complicated further by the reality that everyone can have anonymous access to vast resources and information. Some companies still rely on 30- to 40-year-old protocols with little to no security.

“The security community hasn’t done ourselves any favors,” said Weatherford. “When a naïve user can take down an entire company by clicking on a bad link, face it, our security stinks.”

Still, businesses are integrating technologies faster than they can keep up with it. “There are three basic components that we always talk about: people, processes and technology. But it is harder to hire people and develop processes, so they buy technology,” said Weatherford.

The good news is, according to Weatherford, that the industry is starting to see a trend where companies that are spending money are having a positive effect on the security of their organizations. Still, insider threats remain the number-one vector into companies today.

“Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises. Both are integral parts of any coherent risk management program,” Weatherford said.

The value proposition in convergence is that it helps eliminate silos, provides situational awareness and more unified and strategic security governance, eliminates duplicate processes, allows for more distributed resources and guides strategic planning, Weatherford said.

Source: Information Security Magazine

95% of Pen Test Problems Can Be Easily Resolved

The most common configuration problems found in the majority of penetration tests can be easily resolved with straightforward fixes.

Analysis from more than 50 engagements in the first half of 2019 by Lares, shared exclusively with Infosecurity, found that the top five penetration test discoveries are:

  • Brute forcing accounts with weak and guessable passwords
  • Kerberoasting 
  • Excessive file system permissions
  • WannaCry/EternalBlue
  • Windows Management Instrumentation (WMI) lateral movement

Chris Nickerson, founder of Lares, said that these top five findings were common in “95% of the tests.”

Specifically, Lares confirmed that in three of the five most common findings, security basics including password, privilege and patch management could resolve the issues and that “every single vulnerability can be avoided or eliminated through better cybersecurity hygiene practices.”

In the case of brute forcing accounts, this can be resolved with the use of multi-factor authentication or with account lockout policies, while 'kerberoasting' can be managed with strong passwords, both in terms of length and complexity, on the service accounts that carry Service Principal Names, since the attacker cracks the requested service tickets offline and a long random password is what makes that infeasible.

Meanwhile, “excessive file system permissions” can be mitigated with tools to detect file permissions abuse, enabling installer detection for all users and limiting the privileges of user accounts and groups.

Also, while it was publicly disclosed in 2017, the EternalBlue vulnerability (MS17-010) can be mitigated by applying the Microsoft patch, disabling SMBv1 and blocking inbound SMB at your perimeter.

The only one of the top five which is not resolved with standard 'basics' is WMI lateral movement, which Lares said can be mitigated by disabling WMI or RPC where it is not needed, restricting non-administrator users from connecting remotely to WMI, and preventing administrator and privileged account credentials from being reused across systems.

In an email to Infosecurity, Nickerson said that WMI is rarely protected or restricted, so it tends to be a widely used vector for access/execution. “For instance: the most common way we bypass 2FA logins in RDP is using WMI directly,” he explained.

Asked if he felt that this shows a lack of network visibility, or whether that is not really possible as lateral movement is a common issue, he agreed, saying “there are ways to correlate logs of using WMI on a host to detect spraying or one to many/many to one execution, so there is opportunity to pick up its use and artefacts of its execution on the host.”

He also said that east/west traffic analysis is lacking in many environments, and “the most optimal solution is to ‘chain’ the detection techniques to correlate UBA, network traffic analysis and host based execution.”
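The correlation Nickerson describes can be sketched in code. The following is an added example, not Lares' tooling or anything from the article: it runs four detectors over a constructed set of events (host-side process creations whose parent is WmiPrvSE.exe, joined to the network logon that preceded them, plus failed logons) and flags one-to-many and many-to-one WMI execution, password spraying and single-account brute forcing. The field names, thresholds and sample addresses are assumptions chosen for the example; a real pipeline would populate the same records from Sysmon event 1 and Security events 4624/4625 and window them by time.

```python
"""Fan-out / fan-in and credential-guessing detection over constructed telemetry.

Added example (not from the article or Lares). Event fields are assumed:
  kind: "wmi_exec"   - a process on `host` was spawned by WmiPrvSE.exe (the
                       footprint of remote Win32_Process.Create), and `src` is
                       the host behind the network logon that preceded it
        "logon_fail" - a failed logon on `host` for `user` from `src`
"""
from collections import defaultdict


def _ev(kind, src, host, user):
    return {"kind": kind, "src": src, "host": host, "user": user}


# Constructed sample events: one attacker (10.0.5.23) sprays the DC and then
# fans out over WMI; two admins reach the DC the same way; a management server
# runs one routine job; one workstation sees a single account hammered.
SAMPLE_EVENTS = (
    [_ev("wmi_exec", "10.0.5.23", h, "svc_backup") for h in ("WS01", "WS02", "WS03", "FS01", "DC01")]
    + [_ev("wmi_exec", "10.0.7.4", "DC01", "admin-j"), _ev("wmi_exec", "10.0.9.9", "DC01", "admin-k")]
    + [_ev("wmi_exec", "10.0.1.10", "WS01", "svc_mgmt")]            # benign: one host, one job
    + [_ev("logon_fail", "10.0.5.23", "DC01", u) for u in ("alice", "bob", "carol", "dave", "eve", "frank")]
    + [_ev("logon_fail", "10.0.3.3", "WS02", "mallory") for _ in range(5)]
    + [_ev("logon_fail", "10.0.1.10", "WS01", "jdoe")]              # benign: a mistyped password
)


def _group(events, kind, key, value):
    """Map each `key` field to the set of distinct `value` fields, for one event kind."""
    groups = defaultdict(set)
    for ev in events:
        if ev["kind"] == kind:
            groups[ev[key]].add(ev[value])
    return groups


def one_to_many(events, min_hosts=3):
    """Sources that executed via WMI on at least `min_hosts` distinct hosts (fan-out)."""
    return {src: sorted(hosts)
            for src, hosts in _group(events, "wmi_exec", "src", "host").items()
            if len(hosts) >= min_hosts}


def many_to_one(events, min_sources=3):
    """Hosts that received WMI execution from at least `min_sources` distinct sources (fan-in)."""
    return {host: sorted(srcs)
            for host, srcs in _group(events, "wmi_exec", "host", "src").items()
            if len(srcs) >= min_sources}


def password_spray(events, min_users=5):
    """Sources with failed logons against at least `min_users` distinct accounts."""
    return {src: sorted(users)
            for src, users in _group(events, "logon_fail", "src", "user").items()
            if len(users) >= min_users}


def brute_force(events, min_attempts=5):
    """(src, user) pairs with at least `min_attempts` failed logons: one account, many guesses."""
    counts = defaultdict(int)
    for ev in events:
        if ev["kind"] == "logon_fail":
            counts[(ev["src"], ev["user"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_attempts}


def analyze(events):
    """Run every detector; a source that both sprays and fans out is the chained, high-confidence hit."""
    findings = {
        "one_to_many": one_to_many(events),
        "many_to_one": many_to_one(events),
        "password_spray": password_spray(events),
        "brute_force": brute_force(events),
    }
    findings["chained"] = sorted(set(findings["one_to_many"]) & set(findings["password_spray"]))
    return findings


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the sample data the management server and the two admins stay below the fan thresholds, the single-account hammering surfaces only under `brute_force`, and 10.0.5.23 appears in both the spray and fan-out results, which is the kind of cross-detector chaining the quote above argues for. In production the thresholds would be tuned per environment (a patching or EDR server legitimately fans out to hundreds of hosts) and the grouping windowed by time rather than run over a flat list.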

Infosecurity asked Nickerson whether he felt that four of the top five most common findings being fixable with common techniques was a positive thing, or whether it was demoralizing that basic security is proving to be so difficult.

Nickerson said: “It seems to me that these techniques are not only the basics, but they have been a common way to compromise enterprises for years. It indicates to me that we are still stuck in the ‘buy a thing to make us secure’ mentality versus ‘tune what we have to work better.’

“The good part is that these techniques are addressable with fairly simple configuration. I think the industry is starting to catch on to the fact that they need to constantly tune their environment and not just buy ‘x’ new product.”

Nickerson praised the work of “purple team” type engagements that focus on defensive improvement, rather than the “traditional hack and report.”

“Many teams are still operating from a ‘vulnerability focused perspective,’ the shift to including techniques in their protection/detection strategy is the next evolution of the defensive program and will be a major change in measuring the effectiveness of their controls,” he said.

“Testing for vulnerabilities and techniques (like integrating testing and tuning based on the descriptions provided by Mitre's ATT&CK framework) will help programs stay ahead of the curve and begin tracking how their defenses improve over time, opposed to the never ending vulnerability tail chase.”

Source: Information Security Magazine

LAPD Breach Exposes Thousands of Officers

Personal information on thousands of Los Angeles Police Department (LAPD) officers and applicants appears to have been stolen in a breach of local government security.

The suspected hacker claims they have their hands on the data of 2,500 LAPD officers, trainees and recruits, and around 17,500 police officer applicants.

Reports suggest the City of LA was contacted by the individual last week, and its IT Agency has been forced to apply extra security around its IT systems. Those affected by the breach are said to have been contacted.

It’s not 100% clear if the hacker has access to all of the data they claim, although officer names, dates of birth, Social Security numbers, emails and passwords could be part of the trove.

The LA Police Protective League, a police officers’ union, issued a strongly worded statement in response.

“The data breach that exposed personal information of Los Angeles police officers and those applying to become police officers is a serious issue for our members. We urge the City of Los Angeles to fully investigate the lapse in security and to put in place the strongest measures possible to avoid further breaches in the future,” it said.

“We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence so that they may restore their credit and/or financial standing.”

Source: Information Security Magazine