Archive for the News Category

#Infosec19: Mitigating Risks and Managing Third Party Threats

Speaking at Infosecurity Europe 2019 on 'Effective Steps to Reduce Third Party Risk,' Scott W. Coleman, director of product management at Owl Cyber Defense, said that the average number of connections to a facility is 583. “Most are legitimate, but how many are appropriate?” he asked.

He said that there are “vendors and companies and entities who need access to your plant, enterprise or base” and while many have a good reason to have access, you need to be sure that they are not presenting a risk that you don’t need.

Coleman recommended determining what you need to protect, which connectors and disaster recovery systems you need to protect, and which vendor service level agreements you need to maintain “but be subversive on what needs to have access.”

He encouraged companies to focus on the following when evaluating a third party: which products and services require access; which companies have a higher level of personnel turnover; and which have been involved in breaches themselves, “as a lot of the time, a company has a third party connecting,” so their own level of cybersecurity matters.

Looking at strategies for mitigation, Coleman asked whether many organizations know who those 583 connections belong to and what access they have, and whether they have a good handle on what those parties are doing. “Understand and measure what they are doing as it is hard to protect against them,” he said.

Next, he recommended looking at what value and risk third party access brings, and applying resources to the highest-risk connections and the assets they touch. He said you should seek to reduce your footprint and the number of things you focus your resources on, and apply this posture to the things that third parties affect.

“The bottom line is segmenting and least privilege,” he said. “The biggest problem is coming in laterally and if you put in segmentation and proper privilege, prevent movement and what all have access to.”

He said that the final way to mitigate is to use a zero trust approach, and the problem is that “trust but verify” is hard to achieve in practise. “The problem is when you take your eye off it, you no longer have the trust factor.”

He concluded by pointing to the Department of Homeland Security’s strategies for mitigating risk for third parties. These are recommended as:

  • Reduce/eliminate connections in/out the network
  • Convert two-way connections to one-way out of the plant
  • Convert two-way connections to one-way into the plant
  • Secure remaining two-way connections

Source: Information Security Magazine

#Infosec19: MITRE ATT&CK Framework Effective in Defending CNI

Speaking at Infosecurity Europe 2019 Andrew Habibi-Parker, director – professional services, EMEA & APJ at LogRhythm, explored security risks surrounding critical national infrastructure (CNI) and outlined why the MITRE ATT&CK Framework can be pivotal in defending and protecting critical infrastructures.

Habibi-Parker explained that there are some critical elements of national infrastructure such as assets, facilities, systems and networks which, in the event of a compromise, can be targeted by attackers to affect the integrity or delivery of essential services, resulting in significant impact on national security, national defense or the functioning of the state.

He said the “UK Government’s cyber strategy and NIS Directive is playing a key role in helping improve cybersecurity in UK CNI organizations” but added that the rapid emergence of new vulnerabilities and malicious actors’ smarter tactics make it “impossible to completely secure CNI networks and systems.” A focus on reducing detection and response times is therefore crucial, Habibi-Parker explained, and that’s where the MITRE ATT&CK Framework can be very effective.

That’s because MITRE ATT&CK “uses real world intelligence on the TTPs used by APT groups.” It’s a great way to validate and improve your detection, incident handling and continuous monitoring capabilities, Habibi-Parker said.

However, Habibi-Parker was quick to point out that MITRE ATT&CK is not “a replacement for cybersecurity best practices” nor is it a list of fully-achievable objectives. It may also not be the right choice for an organization that does not have a SOC, he added, and “implementing monitoring of endpoints and behavioral analytics is critical to success.”

Source: Information Security Magazine

#Infosec19: Passwords Are Here to Stay, Warns Troy Hunt

Five years from today there will be more passwords in use than at present – despite their inherent security failings – according to HaveIBeenPwned founder Troy Hunt.

Presenting the Infosecurity Hall of Fame Annual Lecture on the last day of Infosecurity Europe today, Hunt sought to dispel some common misconceptions about cybersecurity.

HaveIBeenPwned started as a “fun project” back in 2013 and the free site now has over 7.8bn compromised accounts listed, which users can check to see if they have been breached.

Unfortunately, passwords are here to stay despite the emergence of solutions like multi-factor authentication which are far more secure, Hunt warned.

“They may be good technical solutions … but every single person in this room knows how to use a password, as bad as it is security wise,” he argued.

This usability will always trump security concerns, but organizations can and should make log-ins more robust by enhancing passwords with password managers and U2F keys, he added.

The dark web is often blamed for providing a platform for cyber-criminals to trade such credentials online, but the surface web is also a major offender, Hunt claimed.

He showed a screenshot of a single Twitter account which posted MEGA links to the notorious “Collection” combo lists, publicly exposing billions of unique emails and passwords, for example.

That’s not all: YouTube is awash with “hundreds” of how-to videos, detailing the simple steps budding cyber-criminals can take to launch SQLi attacks, credential stuffing and more, Hunt claimed.

Some of those he played on stage appeared to be voiced by teens, highlighting another misconception about cybercrime: that it tends to be the work of hardened, organized gangs.

One former law enforcer was quoted following the TalkTalk attack as suggesting it was the work of “Russian Islamic cyber jihadis,” for example. In reality, the breach, which cost the telco £77m, was mainly down to a 17-year-old boy.

“The damage [kids] can do is massive. So many children have access to this [hacking] information that anyone can use it without knowing the problems it can cause,” he argued. “We’ve got to do more to set kids back on the right path.”

The National Crime Agency’s Cyber Choices campaign highlights the scale of the problem, and the need to raise awareness among parents of what their kids may be up to.

Source: Information Security Magazine

#Infosec19: “We Can Build Safe 5G Networks Irrespective of Supplier” – NCSC

Governments and industry need to “focus on fixes, not fear,” and work out how to build safer 5G networks rather than obsessing about national security concerns leveled at suppliers, according to the National Cyber Security Centre (NCSC).

NCSC boss, Ciaran Martin, told attendees on day three of Infosecurity Europe this morning that the next generation of network infrastructure can be architected in a way that mitigates risks posed by vendors.

Referring to a tabloid headline which claimed Huawei could theoretically turn off all the household appliances in UK smart homes if allowed to build 5G, he argued: “We don’t have to build 5G networks that way and I’d argue we shouldn’t.”

Martin added: “We have to get 5G network security right, and that is a much bigger issue than the national identity of suppliers.

“It would be a real shame if we allowed fear back into cybersecurity. People need to understand the risks, and we, as experts, need to understand and explain how network security can be [implemented] to give a satisfactory level of assurance.”

The UK government has worked hard over the past few years to move from a fear-based approach to cybersecurity to a pragmatic one, he claimed.

Part of the journey towards a more mature approach to cybersecurity means promoting pragmatic ways to tackle threats rather than glamorizing attacks.

“Cybersecurity is not something we should be scared of and not something we should scare people about,” argued Martin. “The first step is to understand that and the diversity of it and [not promote] cybersecurity as a big technical ball of risk that non-technical people can’t understand.”

To help in this, the NCSC has produced a “five questions for boards” document, so that business leaders are better equipped to discuss issues in-depth with CISOs.

“You don’t all have to be cyber experts, but you need to know how to talk to cyber experts,” Martin added.

Quick wins could be had from focusing on improving baseline security, he added, claiming that the notorious state-sponsored Cloudhopper attackers managed to infect some victims using a 19-year-old virus because they were running outdated systems and flat networks.

Martin concluded on a note of optimism, claiming that, unlike the start of the digital revolution 20 years ago, industry experts can see a lot of what’s coming down the road. By working “seriously, dispassionately and transparently,” progress can be made to eradicate structural vulnerabilities, he argued.

Source: Information Security Magazine

#Infosec19: DNS Rebinding Attacks Could Hit Billions of IoT Devices

DNS rebinding attacks are a real threat that could hit the billions of internet of things (IoT) devices in people’s homes, according to Craig Young, principal security researcher at Tripwire.

Young was speaking in the Geek Street Theatre on day three of the Infosecurity Conference at London’s Kensington Olympia.

During the session, Young explained the impact of the threat – which turns a victim’s browser into a proxy for attacking private networks – within IoT. “Over the years, I have found countless vulnerabilities in IoT products,” he said.

This is partly because IoT often uses HTTP, which is vulnerable to DNS rebinding. In the future, the consequences could be significant: Rebinding also opens new doors for botnets, according to Young.

“The problem is, defenders seem to discount this as a real threat, but in the future, someone might want to create a botnet and there will be more hosts to target,” he said.

During his research, Young found devices including the Google Home smart speaker were vulnerable to DNS rebinding attacks. “I was able to ask the Google Home to give me IP addresses of nearby access points so I could tell where devices were,” he explained.

Another class of devices vulnerable to DNS rebinding are IoT units using the standards-based web services protocol SOAP. “You can use this to steal data, disable devices and brick them,” he said.

Young said vulnerable IoT devices included the Belkin Wemo smart outlet and the Sonos connected speaker – the latter of which allowed him to play false content and rename or reset the device.

In order to prevent DNS rebinding attacks, Young advises mitigation at the DNS layer, segmenting networks, using the NoScript extension for Firefox or “various adblockers.”

At the same time, Young said: “Devices and everything else should be using HTTPS – which is not affected by DNS rebinding. All apps need authentication: Even if it’s a home network, it should have some kind of credential mechanism.”
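As an added example (not code from Young's talk or the article), the following Python sketch shows two of the defences he refers to: a resolver-side filter, modelled on dnsmasq's --stop-dns-rebind, that drops answers mapping a non-local name onto an internal address, and a device-side Host header allow-list, a common complement to the authentication he calls for, since a rebound request reaches the device carrying the attacker's hostname in its Host header. All names, zones and addresses are constructed.

```python
"""Two defences against DNS rebinding, as an added, self-contained example.

1. Resolver side (modelled on dnsmasq's --stop-dns-rebind): an answer that
   maps a name outside an allowed local zone onto a private, loopback or
   link-local address is dropped, so the browser never receives the second
   (internal) address that a rebinding attack depends on.
2. Device side: an HTTP service that accepts only its own addresses and
   names in the Host header refuses a rebound request, which carries the
   foreign hostname. All names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Zones that may legitimately resolve to LAN addresses (constructed allow-list).
ALLOWED_LOCAL_ZONES = ("lan", "home.arpa")

# Address ranges a public name should never resolve to.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_internal_address(ip: str) -> bool:
    """True if `ip` falls inside any of INTERNAL_NETWORKS (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def in_allowed_zone(name: str, zones=ALLOWED_LOCAL_ZONES) -> bool:
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def filter_dns_answer(name: str, addresses, zones=ALLOWED_LOCAL_ZONES):
    """Return (kept, dropped) for one DNS answer of `name` -> `addresses`."""
    if in_allowed_zone(name, zones):
        return list(addresses), []
    kept, dropped = [], []
    for ip in addresses:
        (dropped if is_internal_address(ip) else kept).append(ip)
    return kept, dropped


@dataclass
class DeviceHttpPolicy:
    """Host header allow-list for a LAN device's HTTP API."""
    own_addresses: set
    own_hostnames: set = field(default_factory=set)

    def host_header_allowed(self, host_header: str) -> bool:
        host = host_header.strip().lower()
        if host.startswith("["):                # IPv6 literal such as [fe80::1]:80
            end = host.find("]")
            if end < 0:
                return False
            host = host[1:end]
        else:
            host = host.split(":", 1)[0]        # drop an explicit :port
        return host in self.own_addresses or host in self.own_hostnames


def gate_request(policy: DeviceHttpPolicy, raw_request: str) -> int:
    """Minimal request gate: 400 without Host, 403 for a foreign Host, else 200."""
    header_lines = raw_request.split("\r\n")[1:]
    host = next((h.split(":", 1)[1] for h in header_lines
                 if h.lower().startswith("host:")), None)
    if host is None:
        return 400
    return 200 if policy.host_header_allowed(host) else 403


if __name__ == "__main__":
    # Constructed rebinding pattern: a public name answering with a LAN address.
    print(filter_dns_answer("rebind.example.test", ["203.0.113.10", "192.168.1.20"]))
    policy = DeviceHttpPolicy({"192.168.1.20"}, {"speaker-kitchen.lan"})
    print(gate_request(policy, "GET /api HTTP/1.1\r\nHost: rebind.example.test\r\n\r\n"))
```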

Source: Information Security Magazine

Tennessee Valley Authority Isn't Compliant with Federal Directives

The Tennessee Valley Authority (TVA) inspector general has reported that 115 TVA registered domains were found not meeting the Department of Homeland Security (DHS) standards for cybersecurity during an audit earlier this year. A memo published by the TVA Inspector General's Office on May 29, 2019, reported that internal auditors also found that encryption requirements were inadequate on 20 TVA websites. 

The review was part of an annual audit plan to ensure that the TVA was compliant with two federal directives that require website and email security controls. These controls had to comply with the Office of Management and Budget’s (OMB) memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, and DHS's binding operational directive (BOD) 18-01, Enhance Email and Web Security, regarding website and email security practices.

According to David Wheeler, the assistant inspector general for audits and evaluations, the TVA was found not to be compliant with OMB M-15-13 and DHS BOD 18-01. "In addition, we found that TVA's web site inventory was incomplete." These findings were formally communicated to TVA management on March 26, 2019.

The fieldwork for the audit was carried out from November 2018 to March 2019. The team obtained and reviewed TVA's website inventory from the TVA's cybersecurity personnel and compared it to the population of identified publicly accessible websites, according to the memo from Wheeler. Internet domain listings were also collected. The identified domains and websites were then scanned using tools to determine compliance with OMB M-15-13 and DHS BOD 18-01 requirements. Out of 116 domains, 115 did not meet requirements, with encryption requirements inadequate on 20 out of 55 TVA websites.

This left TVA emails and websites open to attacks, such as phishing. Research by IRONSCALES found that secure email gateways (SEG) failed to stop 99.5% of all nontrivial email spoofing attacks. A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, which bypass SEG technology on a regular basis.

In his memo, Wheeler recommended that email security policies for domains be updated to meet requirements and reviewed on a periodic basis for compliance. He also wrote: "Update websites that were not compliant with OMB M-15-13 and DHS BOD-18-01 requirements, and review on a periodic basis for compliance" as well as review the website inventory.

TVA management agreed with the audit findings and recommendations in this report, according to the memo. 

Source: Information Security Magazine

UK Hasn't Made Sufficient Progress for National Security Strategy

The Commons Select Committee (CSC) has found that the UK government has not made sufficient progress on developing long-term objectives for the National Security Strategy.

According to the announcement made today by the CSC, a weak evidence base and a lack of a business case for the National Cyber Security Programme made it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021.

The National Cyber Security Centre (NCSC) has dealt with over 1,100 cybersecurity incidents since it was established in October 2016. CSC chair Meg Hillier says that the UK will need to protect itself against risks created by more and more services going online, but there is concern that consumers do not know how well they are protected: "We welcome the National Cyber Security Strategy but are concerned that the program designed to deliver it is insufficient," she explained. 

"As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the program were grounded in business cases – despite being allocated £1.9 billion funding.

"Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy."

Since 2011, the Cabinet Office has managed two five-year national cybersecurity strategies. According to the report, it is beginning to make progress in meeting the strategic outcomes of the current one, the 2016–2021 National Cyber Security Strategy, after a poor start.

But the report has also found that as well as a weak evidence base, it is also unclear whether the money allocated at the start of the program was the right amount, making it more difficult to judge value for money. 

A third (£169 million) of the program’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counterterrorism activities, according to the CSC. Some £69 million of this funding will not be returned to the program, which seems at odds with the government’s claim that cybersecurity is a priority.

The recommendations made by the CSC include the Cabinet Office ensuring that another long-term, coordinated approach to cybersecurity is put in place before the current one finishes in March 2021. Further, it has suggested that a business case should be produced.

The CSC has asked the Cabinet Office to write to it by November 2019, setting out what progress it is making in using evidence-based decisions in prioritizing cybersecurity work. This includes plans for undertaking a robust "lessons learned" exercise.

It is also expected that the Cabinet Office will publish its costed plan for the strategy in autumn 2019. 

Source: Information Security Magazine

SentinelOne Secures $120 Million Series D Funding

SentinelOne has raised $120 million in Series D funding, bringing its total funding to over $230 million. 

According to the press release, the funding will be used to accelerate the company's "rapid displacement of legacy and next-gen competitors" in endpoint, cloud and internet of things (IoT) protection. It is led by Insight Partners, with participation from Samsung Venture Investment Corp., NextEquity and previous investors, including Third Point Ventures, Redpoint Ventures, Granite Hill and Data Collective (DCVC), among others. 

The company's patented behavioral artificial intelligence (AI) provides real-time prevention and ActiveEDR at the edge and in the cloud. It does this through a cloud-native platform with no reliance on connectivity or updates.

“We’ve built a team and technology to disrupt and broaden the endpoint space: as the network perimeter is drastically changing, so does the notion of the endpoint,” said Tomer Weingarten, CEO and co-founder of SentinelOne. “Endpoints are everywhere today, from classic laptops and desktops to workloads in the cloud and the data center and all IoT devices – the network edge is the real perimeter. 

"We were the first to unify EPP [endpoint protection platform] and EDR [endpoint detection and response] – prevention, detection, response and hunting – in a single autonomous agent; we were the first to stand behind our product with a cyber warranty; now we are the first to take AI-based device protection to the edge, covering IoT endpoints and workloads in the cloud."

SentinelOne said in its press release that it is the fastest growing endpoint security company on the market, achieving 217% year-over-year (YoY) growth in annual recurring revenue and 140% YoY growth in Fortune 500 bookings. Teddie Wardi, managing director at Insight Partners, said that endpoint security is at a "fascinating point of maturity…Attack methods grow more advanced by the day and customers demand innovative, autonomous technology to stay one step ahead." 

"We recognize SentinelOne’s strong leadership team and vision to be unique in the market," he continued, "as evidenced through the company’s explosive growth and highly differentiated business model from its peer cybersecurity companies.”

“As an investor, SentinelOne’s combination of best-in-class EPP and EDR functionality is a magnet for engagement, but it’s the company’s ability to foresee the future of the endpoint market that attracted us as a technology partner,” said a representative from Samsung. “Extending tech stacks beyond EPP and EDR to include IoT is the clear next step, and we look forward to collaborating with SentinelOne on its groundbreaking work in this area.”

Source: Information Security Magazine

#Infosec19 Identify and Protect your Very Attacked People

Identify and protect your “very attacked people” (VAP) as attackers look for high value targets.

Speaking at Infosecurity Europe in London, Paul Down, senior director at Proofpoint, said that when attackers looked to get information or money a year ago, they would run a mass email campaign and use automated bots. This year they are not; instead of emailing “info@” addresses, campaigns are now better researched and targeted.

Down said that VAPs are typically “high value executives” such as the CEO, who do not have high levels of account privilege but do have access to financial information. Meanwhile, a “high access user” has sign-off on accounts and information, and is a target for value or information for the attacker.

The top 20 email addresses for a VAP are typically led by a PR manager, as they are very public and listed on every website. “They go for PR@, or accounts@, or sales@ as they have a wide distribution list, and we typically see a 40% click rate on threats delivered to untrained people, so why not do mass email to info@ as many will see it,” he said.

Down said that the CEO is “a lot less targeted” but is more likely to be sent a business email compromise email or a banking Trojan. “The attackers are not looking to compromise the endpoint or perimeter, but target a person,” he said.

Pointing to Proofpoint's State of Phish research, Down said that 30-40% of respondents knew what phishing is, and that people aged 22-37 (millennials) are more likely to click.

Research also showed that people in commercial positions (19%) are more likely to fail at detecting a phishing email, followed by purchasing (14%), communication (13%) and sales (13%).

Down concluded by saying that a focus on “people-centric risk reduction” will enable you to determine your level of risk in the organization and identify your VAPs and high-risk people.

“Think on changing behavior and risks,” he said, explaining that simulated phishing exercises can be sourced for free and if a user fails, reply with an exercise that states “you shouldn’t click that, it was a simulated phish, we will send you some training now” as they will not remember the email the following week.

“Once an employee is phished and trained, they become the last line of defense and the best format to report phishes that do come through.”

Source: Information Security Magazine

#Infosec19: Complex Legacy IT Problems Can't Be Solved with Simple Solutions

“Complex problems cannot be solved with simple solutions.” These were the words of Bobby Ford, VP & Global CISO at Unilever, speaking at Infosecurity Europe 2019.

Ford said that the complex challenge of the security risks posed by legacy systems exists in all industries.

He added that a big part of the problem is that we cannot simply decommission legacy IT systems because they support “some critical business processes, and because of that, we can’t just get rid of them.”

“Our systems are ageing and our ability to replace them is slowing down. As these systems age, the threat increases for them. We can’t update the systems fast enough to stay in front of the threat.”

If you look back at some of the biggest recent cyber-attacks, Ford continued, you will see that legacy systems were at the heart of most of them.

“It’s a complex problem and it’s not going away anytime soon,” he said. “These legacy IT systems equate to business risk, and it’s important that we understand that when we are talking about patching we are talking about business risk. Business risk isn’t a system going down; business risk is an inability to ship a product, business risk is saying ‘I can’t manufacture goods,’ business risk is being unable to invoice a customer.”

So when we talk about dealing with the risk of legacy IT systems, it’s important we do so in business risk language, Ford said, and solving the problem comes down to having “engaging conversations with our business partners to understand our most critical business systems.

“We can’t define what’s most critical, only the business can define what’s most critical.”

To conclude, Ford explained that the key to succeeding with dealing with the risks surrounding legacy systems is prioritization. “I’ve said this my entire career; if we are going to be successful as professional security risk managers, we have to be able to prioritize. We cannot do everything and we can’t secure all systems. We have to work with the business to identify the most critical systems, and then try to secure them.”

Source: Information Security Magazine