Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for the News Category

Only 28% of Advisories Help Mitigate Risks

Only 28% of Advisories Help Mitigate Risks

In its second annual review of vulnerabilities and threat group activity specific to industrial control systems (ICS), Dragos found that the majority of the public vulnerability advisories it tracked in 2018 were network exploitable.

The Year in Review is comprised of three parts: The Industrial Controls System Vulnerabilities Report, ICS Activity Groups and the Threat Landscape Report and, new this year, Lessons Learned from Hunting and Responding to Industrial Intrusions Reports, authored by Dragos co-founder and CEO Robert M. Lee.

Despite the finding that 68% of the advisories were network-exploitable vulnerabilities, only 28% of these network-exploitable advisories provided mitigation advice sufficient to take effective action, according to the report.

"There was a surprisingly high error rate among the advisories published by ICS-CERT,” said Reid Wightman, senior vulnerability researcher. “I think there is a public perception that the organization fact-checks advisories, but either they don't do it or aren't doing it very well. It is great to see, though, that when vendors collaborate with researchers to disclose vulnerabilities, the error rate significantly decreases. I hope we see more of that in the future."

The second report noted that threat hunters have been tracking three new ICS activity groups since 2017 and have identified a growing trend of adversaries using open source or commercially available penetration testing tools to pivot from IT networks to ICS networks.

"ICS attacks are not ‘bolts from the blue’ but the culmination of steady infiltration, data gathering and capability testing. While 2018 may have been quiet in terms of operational impacts due to malware or network intrusions, what we're seeing instead may be that preliminary period necessary before attack delivery," said Joe Slowik, adversary hunter.

Part three of the collection of reports found that in responding to industrial intrusions, in 37% of the incident response engagements, the initial vector dated back more than 365 days.

“As the threat landscape changes and activity groups increasingly adopt techniques to evade traditional antivirus detection, identifying patterns in adversary behavior and malicious activity can help defenders find and eliminate threats,” said Amy Bejtlich, senior adversary hunter.

“Cyber-threat intelligence helps augment this data collection and analysis and can help ICS entities best prioritize risk management and threat detection."

Source: Information Security Magazine

DoJ Charges US Agent, Four Iranians with Conspiracy

DoJ Charges US Agent, Four Iranians with Conspiracy

The Department of Justice (DoJ) has indicted a former US counterintelligence agent with espionage on behalf of Iran. Additionally, the Treasury Department’s Office of Foreign Asset Controls (OFAC) announced sanctions on a group of six Iranian nationals known as the Cyber Conspirators.

The DoJ indicted former US counterintelligence agent Monica Witt for “conspiracy to deliver and delivering national defense information to representatives of the Iranian government.” Witt, who is currently at large and believed to be hiding in Iran, is reported to have shared information that could be detrimental to national security with Iranian intelligence services.

According to a February 13 press release from the Treasury, OFAC issued additional sanctions against a separate Iran-based entity, which includes six individuals believed to have targeted current and former U.S. government and military personnel as part of a cyber campaign.

“Treasury is taking action against malicious Iranian cyber actors and covert operations that have targeted Americans at home and overseas as part of our ongoing efforts to counter the Iranian regime’s cyberattacks,” said Treasury Secretary Steven Mnuchin.

Four malicious actors allegedly associated with the Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF), a unit of Iran’s Revolutionary Guard, are suspected of being involved in a cyber campaign and were also indicted by the DoJ. 

The February 13 indictment included charges against four Iranian nationals, who also remain at large: Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar. These four alleged members of the Cyber Conspirators stand accused of “conspiracy, attempts to commit computer intrusion and aggravated identity theft, for conduct in 2014 and 2015 targeting former co-workers and colleagues of Witt in the U.S. Intelligence Community.”

The charges are alarming and highlight the reality of the ongoing cyber-threats from foreign adversaries. “This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them and, in a few rare cases, ultimately turn them against the nation they swore to protect,” said assistant attorney general for national security John Demers.

“When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrongdoers.”

Source: Information Security Magazine

Users at Risk of Online Scams this Valentine’s Day

Users at Risk of Online Scams this Valentine’s Day

Smartphone users could be leaving themselves vulnerable to online scams this Valentine’s Day, researchers from ESET have warned.

The firm carried out a survey into people’s resolutions for the year and discovered that whilst one in eight are looking for love in 2019, only 39% were sure they had anti-virus software on their mobile phones. That’s a concerning statistic, because those who said they were committed to finding love also stated they would consider downloading an app, entering an online competition or clicking through to a deal received via email to take advantage of limited-time offers to do so.

“Many people will be looking for love via their smartphones this Valentine’s Day, however smartphone users with no anti-virus software are opening themselves up to some serious threats,” said Branislav Orlik, product manager for mobile security at ESET. “While an email deal may seem enticing, clicking through on an unsafe link or entering your details online can make you vulnerable to hackers and leave your personal data at risk. It is crucial to consider how you can best protect your devices.”

Scammers and fraudsters often play on people’s emotions and capitalize on popular holiday seasons and specific calendar dates to maximize the effectiveness of their attacks, and the most romantic day of the year is no exception.

In fact, research from Mimecast has found the threat actors behind GandCrab, or cyber-criminals using GandCrab as Ransomware-as-a-Service, have been using the build up to this year’s Valentine’s Day to target victims.

In its Threat Intelligence Report Mimecast said that GandCrab, which has only been around for just over 12 months, has had “large success and released a number of different versions, the latest being V5.1.6.” The ransomware includes a number of interesting features, including the ability to detect a Russian victim (and stop the infection if they have a Russian configured keyboard) and individual ransom notes.

Source: Information Security Magazine

Five Billion Records Exposed in 2018

Five Billion Records Exposed in 2018

Last year was the second highest on record in terms of data breaches and leaks, with over 6500 reported, according to Risk Based Security.

The security vendor revealed that 6515 incidents were reported globally in 2018, second only in the past 12+ years to 2017’s 6728. When it came to number of records exposed, the figure of around five billion for last year came third to 2016’s 6.4 billion and 2017’s 7.9 billion.

However, the caveat is that just over a quarter of breached organizations were unwilling or unable to disclose the number of records exposed, so the figure could be much higher.

For the purposes of this study, Risk Based Security collated incidents related to traditional hacking-based breaches and increasingly common IT misconfigurations which expose records but don’t necessarily mean they’ve ended up on the dark web.

It also counted “fraud,” which is the category assigned to the Facebook-Cambridge Analytica incident which exposed 87 million social media users to the shady political consultancy.

Although hacking accounted for most breaches, the largest number of records (39%) were exposed via the web, followed by hacking (28%) and fraud (25%), highlighting just how big a problem accidental leaks are. That means insiders were responsible for way more ‘breaches’ than outsiders, roughly 2.1 versus 1.3 billion.

In terms of sectors, business accounted for the vast majority of ‘breaches’ (66%), followed by government (14%), medical (13%) and education (7%).

There were 301 incidents (5%) linked to third-party suppliers. The US accounted for the vast majority of exposed records (44%) and breaches (2264). In terms of breaches, the UK came in a distant second (144) followed by Canada (112).

Despite the advent of the GDPR, the average number of days between breach discovery and reporting did not significantly change between 2017 (48.6) and 2018 (49.6).

However, as the vendor noted, although regulators must be notified within 72-hours, the public need only be told of a breach if there is a high risk of harm, and even then “only without unreasonable delay" rather than a specified three-day window.

Source: Information Security Magazine

Dark Web Seller Remove Listings after Data Dump

Dark Web Seller Remove Listings after Data Dump

The dark web seller identified as gnosticplayers on Dream Market has removed all listings that were previously up for sale, which reportedly included upwards of 620 million account records.

“All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next round of breaches coming soon,” the vendor wrote on his seller profile.

Dream Market vendor profile
Dream Market vendor profile

The data trove was reportedly the compilation of information of data that had been stolen in past data breaches. Several news outlets have reported that the data from 16 different hacked websites were part of the massive trove of account information up for sale. According to The Register, those sites include Dubsmash, Armor Games, 500px (as was reported by Infosecurity), MyFitnessPal, MyHeritage and many others.

On February 11, an exclusive report from The Register stated: “A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018.”

Infosecurity has reached out to many of the listed vendors, including MyHeritage, which has not responded. A ShareThis spokesperson stated in an email, “At this point we are investigating these claims and can come back to you once we have more facts to share.”

Armor Games Studio said, “We have started an investigation into these allegations, and we will notify users once we have confirmation and details. That’s all we have to say at this time.”

Given that 2018 was a record-breaking year for the number of records compromised, it’s not surprising that cyber-criminals are leveraging dark web marketplaces to turn a profit on all of that data.

Source: Information Security Magazine

Two in Three Orgs Not Convinced They Can Avoid a Breach

Two in Three Orgs Not Convinced They Can Avoid a Breach

A majority of organizations confessed that they are not certain whether the security strategies they have in place will be effective in preventing data breaches, according to a Ponemon Institute survey.

More than 600 cybersecurity leaders and professionals who are responsible for evaluating, selecting and/or implementing security solutions took part in the survey. Based on the survey results, Balbix published a new report, The Challenging State of Vulnerability Management Today, which found that only one in three organizations are confident they can avoid data breaches.

Vulnerability management, particularly those vulnerabilities in unseen or unpatched systems is an issue for many organizations, with 69% of respondents identifying delayed patching as an issue and 63% admitting that they are not able to respond to alerts.

“We are not surprised by these findings from Ponemon Institute’s research,” said Gaurav Banga, founder and CEO of Balbix.

“While respondents’ confidence levels in their ability to avoid a breach is obviously troubling, it is clear that most understand the reasons why – alert volume, limited team resources, lack of visibility across assets and very limited contextual risk. On the positive side, respondents cite a clear list of capabilities that can help them better see and manage their vulnerabilities, which will eventually improve their overall security posture.”

With regard to mitigating vulnerabilities and patching, 68% of respondents said staffing is an obstacle that stands in the way of their organizations having a strong cybersecurity posture, while only 15% reported that patching is highly effective. The results are indicative of a lack of resources, leaving security teams unable to identify and patch vulnerabilities, as 67% of participants said they lack the time and resources needed for vulnerability management.

In addition, 63% say “inability to act on the large number of resulting alerts and actions” is problematic. Nearly half (49%) of organizations said they do complete, up-to-date patching, yet 49% also said that they scan only quarterly or on an "ad hoc" basis. Another 69% admitted to scanning only once a month or less frequently.

“From this research, it is clear that most enterprises recognize not only are they under-resourced in finding and managing their vulnerabilities, but they also have gaps around assessing the risk and getting full visibility across their IT assets,” said Larry Ponemon, founder and chairman of Ponemon Institute, “which no doubt led to that low confidence vote in their ability to avoid a data breach.”

Source: Information Security Magazine

DoJ Charges Hackers with Staging Computer Attacks

DoJ Charges Hackers with Staging Computer Attacks

Federal authorities have arrested two alleged members of a hacking group known as the Apophis Squad on charges of making false threats of violent attacks and staging attacks on multiple computer systems.

According to an announcement from the Department of Justice (DoJ), the two defendants, Timothy Dalton Vaughn, 20, of Winston-Salem, North Carolina, and George Duke-Cohan, 19, of Hertfordshire, United Kingdom, are allegedly part of a global group of hackers suspected of wreaking havoc on the internet for the better part of 2018, including launching distributed-denial-of-service (DDoS) attacks.

Duke-Cohan, who is already serving a three-year sentence in the UK for threatening an airline, which turned out to be a hoax, is believed to go by the names DigitalCrimes and 7R1D3N7 online.

The defendants face multiple charges, including conducting cyber- and swatting attacks against individuals, businesses and institutions in the US and the UK, according to the DoJ.

“Members of Apophis Squad communicated various threats – sometimes using 'spoofed' email addresses to make it appear the threats had been sent by innocent parties, including the mayor of London," the announcement stated.

“They also allegedly defaced websites and launched denial-of-service attacks. In addition, Vaughn allegedly conducted a DDoS attack that took down hoonigan.com, the website of a Long Beach motorsport company, for three days, and sent extortionate emails to the company demanding a Bitcoin payment to cease the attack.”

If convicted of all charges in the 11-count indictment, Vaughn could be sentenced to a maximum of 80 years in prison. Duke-Cohen, who is facing nine charges, would be sentenced to a maximum of 65 years if found guilty.

“The Apophis Squad also took credit for hacking and defacing the website of a university in Colombia, resulting in visitors to the site seeing a picture of Adolf Hitler holding a sign saying 'YOU ARE HACKED' alongside the message ‘Hacked by APOPHIS SQUAD,’” the DoJ wrote.

Source: Information Security Magazine

#TEISS19: Deliver Your Security Message at an Understandable Level

#TEISS19: Deliver Your Security Message at an Understandable Level

Speaking at The European Information Security Summit 2019 in London, Condé Nast International CISO Nick Nagle said that threat intelligence is easily collected, but it can also be translated across the business.

In his talk 'Effective threat intelligence communication strategies: Upwards, downwards and outwards' Nagle explained that threat intelligence is readily available, but turning it into actionable awareness points for the business requires another level of capability.

He said: “Know your audience, who are you trying to translate it to? What is the culture of the organization? How is the message going to land? What is the best way to send that message out? What is really going to grab people’s attention? Everyone has email overload, so how do you get that threat intel out there?”

Nagle recommended getting the basic points across, and to avoid “a condescending explanation” as executives often know the basics, but give them the option to learn more. 

To deliver successful communications, Nagle suggested using the “AIM” structure of audience, intent and message, and ask yourself questions as you structure your message based on those three factors

He gave the example of communicating with the board: detailing an active attack, what existing technology the company has in place and a request for budget for what else is needed.

“That works, but it is a bit dull, a bit dry, but if that is what the board want that is what they will respond to,” he said, recommending using a threat radar or even using the threat intelligence in your email signature or an instant message.

This was part of moving it “away from text and boring” and into a PowerPoint template to highlight the issue, so it gives you a feedback loop, and you know the employee has read it.

He concluded by saying that building this sort of material gives you a toolkit for education and awareness, and “one that you can use internally, externally and across any other interested parties.”

Source: Information Security Magazine

#TEISS19: Consider Psychology of Staff to Meet Data Protection Ambitions

#TEISS19: Consider Psychology of Staff to Meet Data Protection Ambitions

Speaking at The European Information Security Summit 2019 in London, Matthew Kay, group data protection officer at Balfour Beatty, said that organizations “are very different” in how data protection and risk is approached, and it is up to the data protection team and board-level executives to dictate the right direction.

“In our organization we have four pillars: to lead, being experts, being trusted and being safe, and it is really important to align your work with the wider strategy of the organization as you’re likely to get more buy-in,” he said. “In terms of data protection, we want to be trusted in terms of how we process people’s information.” 

Kay encouraged delegates to consider drivers for individuals, as not everything works the same for every person, and to consider the psychology of people and what motivation and coaching you have to do. 

Looking at how to overcome internal challenges of employee and board-level buy-in, Kay recommended the following:

  • Clear direction and strategy
  • Policy framework
  • User-friendly approach
  • Context
  • Contingency
  • Budget
  • Resource

He admitted that we’re all guilty of not reading policies, but it is about having a user-friendly approach because if you make a policy simple and just deliver the key points, you will get better buy-in and this can lead to better budget allowance.

“A lot of the time, if you cannot put it in language that individuals understand and appreciate, they are not going to respond to it as they cannot draw the line on how it relates to them in terms of data protection and security, so you have to bring it to life,” he said.

In terms of how to ensure individuals are aware of their data protection responsibilities, Kay said this can work both inside and outside the office:

  • Senior leadership engagement – if they lead from the front the rest will follow
  • Technology – there are so many tools that can be used to your benefit
  • Trust – if you cannot trust people to work remotely why employ them in the first place? 
  • Communications plan and training – keep it to the point on what they need to know
  • Incentivize – encourage and engage individuals who want to do the right thing

He concluded by encouraging regular and refresher training to ensure employees remain engaged, and an openness towards staff and partners. “If they are happy with what you are doing they are not going to complain, and if they are not going to complain, they will hopefully not go to the regulator and if they do, manage that complaint on a regular basis.”

Source: Information Security Magazine

Phishing, Humans Root of Most Healthcare Attacks

Phishing, Humans Root of Most Healthcare Attacks

Across healthcare organizations in the US, malicious actors are successfully leveraging phishing attacks to initially gain access to networks, according to findings from the 2019 HIMSS Cybersecurity Survey published by the Healthcare Information and Management Systems Society (HIMSS).

The study, which surveyed 166 qualified information security leaders from November to December 2018, found that there are particular patterns of cybersecurity threats and experiences distinctive to healthcare organizations.

“Significant security incidents are a near universal experience in US healthcare organizations with many of the incidents initiated by bad actors, leveraging email as a means to compromise the integrity of their targets,” the survey said.   

Nearly half (48%) of all respondents identified two different categories of major threat actors, which included online scam artists (28%) and negligent insiders (20%). The hospitals that participated in the survey said that when looking at the security incidents that occurred in the last 12 months, the initial point of compromise for 69% of the attacks was the result of phishing emails.

Not all healthcare organizations are hospitals, though. Among all the survey participant, 59% said that the most commonly cited point of compromise was email and 25% were human error.

“There are certain responses that are not necessarily 'bad' cybersecurity practices, but may be an 'early warning signal' about potential complacency seeping into the organization’s information security practices,” the report said.

“Notable cybersecurity gaps exist in key areas of the healthcare ecosystem. The lack of phishing tests in certain organizations and the pervasiveness of legacy systems raise grave concerns regarding the vulnerability of the healthcare ecosystem.”

The potential complacency is particularly concerning given that the healthcare industry as a whole is making positive advances in cybersecurity practices.

“Healthcare organizations appear to be allocating more of their information technology ('IT') budgets to cybersecurity," according to the report. "Complacency with cybersecurity practices can put cybersecurity programs at risk.”

Source: Information Security Magazine