Infosec Island Latest Articles: Adrift in Threats? Come Ashore!

SAP Cyber Threat Intelligence Report – April 2018

Thu, 19 Apr 2018 09:44:00 -0500

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.

Key takeaways

  • This set of SAP Security Notes consists of 16 patches with the majority of them rated medium.
  • Implementation Flaw is the most common vulnerability type.
  • A security vulnerability affecting SAP Business Client received the highest CVSS base score this year, 9.8.

SAP Security Notes – April 2018

SAP has released the monthly critical patch update for April 2018. This patch update closes 16 SAP Security Notes (12 SAP Security Patch Day Notes and 4 Support Package Notes). 5 of all the patches are updates to previously released Security Notes.

4 of all the notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

One of the released SAP Security Notes was assessed as Hot News, and 4 have a High priority rating.

The most common vulnerability type is Implementation Flaw.

SAP users are advised to implement security patches as they are released, as this helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in April

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2622660: SAP Business Client has a security vulnerability (CVSS Base Score: 9.8). Depending on the vulnerability, attackers can exploit a memory corruption vulnerability to inject specially crafted code into working memory, where it will be executed by the vulnerable application. This can lead to complete control of an application, denial of service, command execution and other attacks, which in turn harms business processes and business reputation. Install this SAP Security Note to prevent the risks.
  • 2587985: SAP Business One has a Denial of Service (DoS) vulnerability (CVSS Base Score: 7.5, CVE-2017-7668). An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component. While the process is down, nobody can use the service, which negatively affects business processes, causes system downtime and harms business reputation. Install this SAP Security Note to prevent the risks.
  • 2552318: SAP Visual Composer has a Code Injection vulnerability (CVSS Base Score: 7.4). Update 1 to Security Note 2376081. Depending on the code, attackers can perform different actions: inject and run their own code, obtain additional information that must be hidden, change or delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Copyright 2010 Respective Author at Infosec Island

Cloud Security Alert – Log Files Are Not the Answer

Wed, 18 Apr 2018 05:52:00 -0500

Once production applications and workloads have been moved to the cloud, re-evaluating the company’s security posture and adjusting the processes used to secure data and applications from cyberattacks are critical next steps.

Cloud infrastructure is ideal for providing resources on demand and significantly reducing the cost of acquiring, deploying and maintaining internal resources.  

In addition, organizations can quickly scale cloud resources up or down eliminating the need to over-provision—just in case. But losing control over the physical infrastructure means not being able to use familiar tools to develop insight into what is happening in that infrastructure.

Anyone responsible for IT security needs a strategy for monitoring what is happening in their company’s cloud, so they can shut down any attacks that occur and limit the damage.

The use of log files

While users do not have direct access to public cloud infrastructure, cloud providers do offer access to logs of events that have taken place in the user’s cloud—often for an additional cost. With logs, administrators can view, search, analyze, and even respond to specific events if they use APIs to integrate the event data with a security information and event management (SIEM) solution. So why aren’t log files sufficient to maintain security?

First, all necessary data may not be collected through log files. While management events are automatically logged, data events are not. Some providers may support collection of custom logs, but users would need to specify and activate the logs ahead of time. This makes it difficult or sometimes impossible to go back and investigate areas that were not already being tracked.

Second, while event logs are useful for identifying when an alert was triggered, they do not provide enough information to determine what caused the alert. More detailed information is needed to perform root cause analysis and execute timely remediation. Advanced persistent threats (APTs), which have risen to become the most damaging type of breach, cannot be stopped by merely analyzing log files. The most advanced network security solutions require detailed data in real time to have a chance of detecting APTs. Log files are typically generated at specified intervals, depending on the level of service the user pays for. Users then need to set up a mechanism for storing log files for future analysis; this is not the default. So, while data useful in a breach investigation can be collected, it is not available in real time, which limits the speed of containment and recovery.

Third, sophisticated adversaries are increasingly adept at moving inside an organization without triggering any alerts. In many attacks, previously unseen malware enters an enterprise and lurks there undetected, exfiltrating data over a period of many months. Security today requires more rigorous oversight than log files provide.

And finally, in the long run, logs can be expensive to manage. Obtaining sufficient log data and sifting through it demands time, money, and a commitment to data integration. Existing security monitoring tools that use log data may not be sufficient to investigate new threats and investments may be required for additional tools. Security analysts could end up spending more time on complex data administration, rather than focusing on correlation analysis and incident response.  

What can packet data do?

Data packets are like nested Russian dolls with the content enclosed inside various headers that work to move the packet efficiently through the network. The headers can be very informative, but security today is dependent on what is called deep packet inspection (DPI) of the packet’s payload or content. DPI exposes the specific websites, users, applications, files, or hosts involved in an interaction—information that is not available by inspecting header data alone.

Cloud environments have many potential vulnerabilities that attackers can exploit. And attacks are frequently conducted in multiple stages that may not be caught by intrusion detection systems or next-generation firewalls. To stay ahead of would-be attackers, security analysts increasingly use data correlation and multi-factor analysis to find patterns associated with illegitimate activity. These sophisticated solutions require granular data to work effectively. Most organizations have solutions like these deployed on-premises to evaluate packet data captured from physical infrastructure.  

How to gain access to packet level data in the cloud

Unlike physical infrastructure that can be tapped to produce copies of data packets, cloud architecture is not directly accessible. In the event of an ongoing attack or data breach, a user may be frustrated to learn that the data they need to isolate and resolve the issue is not included in the Service Level Agreement they have with their provider. Fortunately, there are new methods to access packet level data in clouds.

Container-based sensors have been developed that sit inside the cloud instances and generate copies of packet data. The sensors are automatically deployed inside every new cloud that is spun up, for unlimited scalability. Because the sensors are inside each cloud instance, they have access to every raw packet that comes or goes from that instance. This cloud-native approach to data access ensures no data is missed, for strong cloud security.  

What are the benefits of a cloud visibility platform?

Of course, having access to all the packet-level data from every cloud instance presents another problem—volumes of data that can overwhelm security solutions and even lead them to drop packets. A cloud visibility platform filters the raw packets according to user-defined rules and strips out unnecessary data, to deliver only the relevant data to each security solution. This enables security solutions to work more efficiently.  

Today, there are two types of visibility platforms available for cloud workloads. One uses a lift-and-shift approach and takes the visibility engine developed for the data center and moves it to the cloud. The engine itself is a monolithic processor that aggregates and filters all the data in one location.  

The other approach distributes data aggregation and filtering to each of the cloud instances and communicates the results to a cloud-based management interface. Data can either be delivered directly from the cloud instances to cloud-based security monitoring solutions or backhauled to the data center. The distributed solution has the advantage of being highly scalable, since the data does not need to be transported to a central location for processing. And the distributed solution is more reliable, since there is no single point of failure.  

Whether responding to a security incident, data breach, or in support of litigation, an organization needs to have a highly-effective cloud visibility platform for accessing and preserving the digital traffic that impacts their business. Log files are just not able to fulfill that requirement.  


Ultimately, log files are diagnostic tools. They are not security solutions and they cannot facilitate an effective response to a security threat or breach. With the rising use of advanced persistent threats and multi-stage attacks, effective security requires detailed packet-level data, from every interaction that happens in the cloud. The cost of capturing and filtering packet data will be offset by the increased ability of the security team to detect attacks and accelerate incident response.  

About the author: Lora is a Cloud Solution Marketing Manager for Ixia, a Keysight Business, where she uses her knowledge of network test, security, and visibility to communicate how Ixia solutions address a range of pressing IT challenges. Lora has more than 20 years of experience in technology management in a variety of domains including networking and network management, cloud and virtualization, servers, data mining, and enterprise resource software, as well as alliance partner development.

Avoiding Holes in Your AWS Buckets

Thu, 12 Apr 2018 06:06:00 -0500

Enterprises are moving to the cloud at a breathtaking pace, and they’re taking valuable data with them. Hackers are right behind them, hot on the trail of as much data as they can steal. The cloud upends traditional notions of networks and hosts, and it topples security practices that use them as a proxy to protect data access. In public clouds, networks and hosts are no longer the most adequate control options available for resources and data.

Amazon Web Services (AWS) S3 buckets are the destination for much of the data moving to the cloud. Given how important this sensitive data is, one would expect enterprises to pay close attention to their S3 security posture. Unfortunately, many news stories highlight how many S3 buckets have been misconfigured and left open to public access. It’s one of the most common security weaknesses in the great migration to the cloud, leaving gigabytes of data for hackers to grab.

When investigating why cloud teams were making what seemed to be an obvious configuration mistake, two primary reasons surfaced:

1. Too Much Flexibility (Too Many Options) Turns into Easy Mistakes

S3 is the oldest AWS service and was available before EC2 or Identity and Access Management (IAM). Some access control capabilities were built specifically for S3 before IAM existed. As it stands, there are five different ways to configure and manage access to S3 buckets.

  • S3 Bucket Policies
  • IAM Policies
  • Access Control Lists
  • Query string authentication / static Web hosting
  • API access to change the S3 policies

More ways to configure access means more flexibility, but also a higher chance of making a mistake. The other challenge is that there are two separate policies, one for buckets and one for the objects within the bucket, which makes things more complex.

2. A “User” in AWS is Different from a “User” in your Traditional Datacenter

Amazon allows great flexibility in making sure data sharing is simple and users can easily access data across accounts or from the Internet. For traditional enterprises the concept of a “user” typically means a member of the enterprise. In AWS the definition of user is different. On an AWS account, the “Everyone” group includes all users (literally anyone on the internet) and “AWS Authenticated User” means any user with an AWS account. From a data protection perspective, that’s just as bad because anyone on the Internet can open an AWS account.

A customer moving from a traditional enterprise environment can, if not careful, easily misread the meaning of these access groups and open S3 buckets to “Everyone” or “AWS Authenticated User”, which means opening the buckets to the world.

S3 Security Checklist

If you are in AWS, and using S3, here is a checklist of things you should configure to ensure your critical data is secure.

Audit for Open Buckets Regularly: At regular intervals, check for buckets which are open to the world. Malicious users can exploit these open buckets to find objects which have misconfigured ACL permissions and can then access these compromised objects.

Encrypt the Data: Enable server-side encryption on AWS so that data is encrypted at rest, i.e. objects are encrypted when written and decrypted when read. Ideally you should enable client-side encryption.

Encrypt the Data in Transit: SSL in transport helps secure data in transit when it is accessed from S3 buckets. Enable Secure Transport in AWS to prevent man-in-the-middle attacks.

Enable Bucket Versioning: Ensure that your AWS S3 buckets have versioning enabled. This will help preserve and recover changed and deleted S3 objects, which can help with ransomware and accidental issues.

Enable MFA Delete: By default, an S3 bucket can be deleted by a user even if he/she has not logged in using MFA. It is highly recommended that only users authenticated using MFA have the ability to delete buckets. Using MFA to protect against accidental or intentional deletion of objects in S3 buckets will add an extra layer of security.

Enable Logging: If an S3 bucket has the Server Access Logging feature enabled, you will be able to track every request made to access the bucket. This will give you the ability to monitor activity, detect anomalies and protect against unauthorized access.

Monitor all S3 Policy Changes: AWS CloudTrail provides logs for all changes to S3 policy. Auditing policies and checking for public buckets helps, but instead of waiting for regular audits, any change to the policy of existing buckets should be monitored in real time.

Track Applications Accessing S3: In one attack vector, hackers create an S3 bucket in their account and send data from your account to their bucket. This reveals a limitation of network-centric security in the cloud: traffic needs to be permitted to S3, which is classified as an essential service. To prevent that scenario, you should have IDS capabilities at the application layer and track all the applications in your environment accessing S3. The system should alert if a new application or user starts accessing your S3 buckets.

Limit Access to S3 Buckets: Ensure that your AWS S3 buckets are configured to allow access only to specific IP addresses and authorized accounts in order to protect against unauthorized access.

Close Buckets in Real time: Even a few moments of public exposure of an S3 bucket can be risky, as it can result in leakage. S3 supports tags, which allow users to label buckets. Using these tags, administrators can label buckets which need to be public with a tag called “Public”. CloudTrail will alert when the policy changes on a bucket and it becomes public without having the right tag. Users can use Lambda functions to change the permissions in real time to correct the policies on anomalous or malicious activity.
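
The audit and “Close Buckets in Real time” items above, as an added example (not code from the article or from AWS): a Python check that classifies a bucket from its ACL, bucket policy and tags, and flags buckets open to “Everyone” or “AWS Authenticated User” that lack the “Public” tag. The bucket names and sample data are constructed; the input shapes follow the S3 GetBucketAcl, GetBucketPolicy and GetBucketTagging responses, and using `Public` as the tag key and treating any statement with a Condition as restricted are assumptions.

```python
import json

# Grantee URIs S3 uses for the two open groups the article warns about.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OPEN_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "AWS Authenticated User"}
PUBLIC_TAG_KEY = "Public"  # assumption: the tag key admins use for intended-public buckets


def _as_list(value):
    return value if isinstance(value, list) else [value]


def open_acl_grants(acl):
    """Return (group, permission) pairs from an ACL that target an open group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in OPEN_GROUPS:
            findings.append((OPEN_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def open_policy_statements(policy_json):
    """Return ids of Allow statements with a wildcard principal and no Condition.

    Simplification (assumption): a statement with any Condition block is treated
    as restricted; the condition itself is not evaluated.
    """
    if not policy_json:
        return []
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            values = _as_list(principal.get("AWS", []))
        else:
            values = [principal]
        if "*" in values:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def audit_bucket(name, acl, policy_json, tag_set):
    """Classify one bucket as private, public-expected or public-untagged."""
    reasons = [f"ACL grants {perm} to {group}" for group, perm in open_acl_grants(acl)]
    reasons += [f"policy {sid} allows Principal *"
                for sid in open_policy_statements(policy_json)]
    tagged_public = any(tag.get("Key") == PUBLIC_TAG_KEY for tag in tag_set)
    if not reasons:
        verdict = "private"
    elif tagged_public:
        verdict = "public-expected"
    else:
        verdict = "public-untagged"  # candidate for alerting or automatic closing
    return {"bucket": name, "verdict": verdict, "reasons": reasons}


# Constructed sample data; none of these buckets or ids are real.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = [
    ("example-reports", {"Grants": [OWNER_GRANT]}, None, []),
    ("example-website", {"Grants": [OWNER_GRANT]},
     json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-website/*"}]}),
     [{"Key": "Public", "Value": "true"}]),
    ("example-backups",
     {"Grants": [OWNER_GRANT,
                 {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]},
     None, []),
    ("example-partner-share", {"Grants": [OWNER_GRANT]},
     json.dumps({"Version": "2012-10-17", "Statement": {
         "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-partner-share/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}}),
     []),
]


def run_audit(buckets=SAMPLE_BUCKETS):
    return [audit_bucket(*bucket) for bucket in buckets]


if __name__ == "__main__":
    for result in run_audit():
        print(result["bucket"], result["verdict"], result["reasons"])
```

In a live account the same function would be fed the responses of the corresponding S3 API calls, and a `public-untagged` verdict is the point at which an alert or an automated permission change would be triggered.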

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries. Prior to Lacework, Sanjay was GM of the Application Services Group at Guavus, where he guided the company to market leadership and a successful exit.

The Three Great Threats to Modern Civilization

Thu, 12 Apr 2018 03:44:50 -0500

Throughout the history of mankind, civilizations have risen and fallen due to a variety of factors. For the most part, the collapse of a civilization wasn’t sudden, but a gradual decline brought on by multiple causes like changing culture, climate or even the introduction of a new culture (such as when Europeans came to the “new world”).

The interconnectivity and globalization of our modern society make it less likely for a civilization to collapse due to traditional factors. But the same factors that make a traditional decline less likely also mean a collapse is apt to look quite different. To start, it would be more sudden and less localized – going across multiple regions and perhaps the entire globe. What could cause such a collapse? There are three main threats to our modern civilization that could cause humanity to go the way of the ancient Mayans.

Climate Change

Human life requires a very specific set of environmental circumstances to survive. And while we can withstand some level of extreme temperatures, climate change has the potential to change, or perhaps even damage, civilization as we know it.

Whether you believe climate change is man-made or a natural part of the earth’s cycle, it is obvious our planet’s climate is changing rapidly. We have already seen an increase in the number and severity of storms across the planet – some with devastating effects. Climate change may also be responsible for a rash of wildfires. As climate change shifts the physical landscape of our planet, the societal impacts will ripple across the globe. Some areas will become uninhabitable as rising seas cause them to sink under the waves, or areas will become too hot or cold to live in. The increase in temperatures may also increase insect populations and, as a result, insect-borne diseases will skyrocket. This could force people to migrate from their current locations to new locations, increasing the population in the remaining inhabitable locations, and creating a ripe environment for disease. The shifting weather patterns will also put our crops at risk, creating the potential for famine and starvation.

Environmentalist and author Bill McKibben told Business Insider earlier this year that without intervention, the world would be: "If not hell, then a place with a similar temperature."

Nuclear War

Ever since the bombs were dropped on Hiroshima and Nagasaki, the world has feared the possibility of nuclear war. The concept of mutual mass destruction caused anxiety and terrifying standoffs throughout the Cold War, but it also helped prevent the use of nuclear weapons (testing notwithstanding). Though the Cold War is over, the threat of nuclear war still looms, as more countries now have the ability to create these powerful weapons. The Doomsday clock – which signifies the potential of a man-made global catastrophe such as nuclear war – has not stood this close to midnight since 1953.

Nuclear war would obviously have a devastating impact on humanity, and this is one of the major factors preventing such a war. All nations know that to use a nuclear weapon means they will become the next target of a nuclear attack. Yet the potential and the possibility for such a war still exist, in part because of unstable governments possessing such weapons.


In the past, attacks in the cyberworld only impacted our digital lives. Consequently, the threat of a cyberattack seems minimal compared to something as major as nuclear war or global climate change. However, our growing dependence on software means the consequences of a digital war could spill over into the physical world. 

There is a long history of cyberwar dating back to the early 1980s. The main difference between the cyberwar of the past and the one of today, or the future, is the world we live in. Back in the 1980s, when cyberwar became a growing concern for our government, we did not have the World Wide Web or mobile devices with the power of a supercomputer. Nor were our businesses, economy and even health devices tied to applications. It would only take another nation, or even a terrorist organization, to target a vulnerability in the software running the power grid, and civilization could be thrown into chaos. We are seeing this on a small scale in Puerto Rico, where power has been out for more than a month. If this were to happen on a world-wide scale, there would be mass rioting, hoarding of food, and commerce would cease to exist.

There is evidence that cybercriminals are testing the fences for weaknesses already. And we know from research that our software is woefully insecure. Our civilization is dependent on software that is insecure, and all it would take is a coordinated attack to change the way we live. And although we would eventually get the electric grid or other infrastructure back up and running, it could take weeks or months – what would happen to society during this time?

The thought of climate change, nuclear war or cyberwar is terrifying, and it is tempting not to think about them in an effort to sleep better at night. But we cannot keep our heads in the sand and hope nothing will happen. By ignoring the potential threat of any of these three catastrophes, we are forgoing the opportunity to prevent them – and prevent them we can. We can change the direction of climate change with smart environmental policies and behaviors. We can tone down the rhetoric and adhere to nuclear non-proliferation agreements to lessen the potential for nuclear war. And we can create secure development standards to ensure the software running our world doesn’t have exploitable vulnerabilities. All it takes to accomplish all these things is the desire and the will.

We have the power to ensure our civilization grows, flourishes and is even better than how we found it. The advantage we have over past civilizations is the knowledge to prevent collapse. But first we must recognize the threat so that we can neutralize the risk.

About the author: Jessica Lavery is Director of Corporate Communication and Content Marketing at CA Veracode. In this role Jessica is responsible for overseeing all activities associated with Public Relations, Analyst Relations, Internal Communications, Executive Communications, Content Marketing, Social Media, Visual Identity and Brand. Jessica has nearly 10 years of security experience.

2020 Vision: How to Prepare for the Future of Information Security Threats

Fri, 06 Apr 2018 12:25:36 -0500

Every day, the news is full of stories describing the weighty and often overwhelming effects new technology has on the way people live and work. Terms such as Artificial Intelligence (AI) and the Internet of Things (IoT) are fast becoming everyday jargon and plans for their deployment will land high on the agenda of business leaders over the next few years – whether they like it or not.

Headlines warning of cyber-attacks and data breaches are just as frequent. Assailants are everywhere: on the outside are hackers, organized criminal groups and nation states, whose capabilities and ruthlessness grow by the day; on the inside are employees and contractors, causing incidents either maliciously or by accident.

Business leaders are left feeling uncertain about the way forward. The dilemma is often stark: should they rush to adopt new technology and risk major fallout if things go wrong, or wait and potentially lose ground to competitors?

New attacks will impact both business reputation and shareholder value, and cyber risk exists in every aspect of the enterprise. At the Information Security Forum, we recently released Threat Horizon 2020, the latest in an annual series of reports that provide businesses a forward-looking view of emerging threats in today’s always-on, interconnected world. In Threat Horizon 2020, we drew from our research to highlight the top nine threats to information security over the next two years.

Let’s take a quick look at these threats and what they mean for your organization:

Cyber and Physical Attacks Combine to Shatter Business Resilience

Physical and cyber-attacks will be deployed simultaneously, creating unprecedented damage. Many nation states and terrorist groups (or both, working together) will have the capability to bring together the full force of their armaments – both traditional and digital – to perform a clustered ‘hybrid’ attack. The outcome, if successful, would be damage on a vast scale.

Telecommunication services and internet connections will be obvious first targets, leaving individuals and organizations cut off from the outside world. Assistance from emergency response services, as well as local and central governments, will be slow or non-existent as essential physical and digital infrastructure will have broken down.

These attacks will be designed to spread maximum chaos, fear and confusion. The stricken city, or cities, will be brought to a standstill, with both lives and businesses placed in jeopardy. Those at home will be unable and unwilling to go to work, or – without power or communications – unable to work from home. Those already in the office will be trapped with nowhere to escape to, as attacks hit them from every angle. Existing business continuity plans will be useless; they will not have been prepared to cater for an eventuality when every system is down while individuals are in physical danger. People will panic. Work will be off the agenda.

Satellites Cause Chaos on the Ground

Compromised satellite signals, whether spoofed by malicious adversaries or knocked out by collisions with other satellites or space debris, will cause widespread chaos down on Earth. As satellites become cheaper and easier for national space agencies and individual businesses to launch and maintain, they will become increasingly integral to modern life. Disabled or spoofed signals will interfere with critical transport, communications systems and even financial services.

Lives will be put at risk and supply chains hampered as spoofed GPS signals are sent to aircraft, ships and road vehicles. International financial systems – from stock exchanges to ATMs – that rely on exact timestamps on digital payments will be unable to record transactions accurately. Trading algorithms that rely on data from satellites on weather or location of specific assets (e.g. to instruct which crops to buy or sell) will be misled, potentially manipulating financial markets.

In the next few years, satellites will play an increasingly crucial role in connecting Earth-based infrastructure and systems. However, organizations will need to realise what the military has known for years – that no one will be spared if attacks against satellites succeed. The potential for crippling disruption is immense.

Weaponized Appliances Leave Organizations Powerless

Attackers will find ways to access a huge proportion of the millions of connected appliances – such as heating systems and ovens – and turn them into weapons. This mass of appliances could be commandeered and misused for a number of disruptive ends, similarly to the way botnets of poorly protected home computers have been used to initiate and sustain large scale DDoS attacks. However, one threat merits specific attention – the damage they can wreak collectively on power grids.

These appliances, forming part of the IoT – many in homes but also found in offices and factories – are always powered-on and always connected to the internet. Manipulated by attackers to switch on to full power simultaneously, appliances will create a demand for power so unexpectedly high that it overloads and brings down regional electricity grids. With the grid offline or severely degraded, organizations will be weakened and struggle to function.

The underlying foundations of many business continuity plans, such as instructing employees to work from home, will be rendered useless as they will have neither power nor a means to communicate. Dependent critical services such as water supplies, food production systems and health care will be unavailable. Power rationing will affect other utilities and services, such as heating, lighting and transport. To cap it all, organizations will lose out to competitors in non-affected areas who will be quick to take advantage of the increased demand for their services.

Quantum Arms Race Undermines the Digital Economy

The next generation of computer technology – quantum computing – will be able to crack, in mere hours or minutes, encryption that would have taken traditional computers millions of years. As a consequence, a security mechanism that forms the bedrock of today’s digital economy will require a complete overhaul, potentially exposing organizations to millions in transformation costs and lost trade. However, the practical problems start now. In particular, various parties will pre-empt this new technology by starting to harvest gigantic pools of encrypted information, using it later when the technology is available.

National intelligence organizations will lead the charge to be the first to get their hands on this technology.  The sensitive information, communications, services, transactions and critical infrastructure of adversaries will all become an open book. The desire to be first across the line is certain to drive a digital arms race.  Who will be the quantum winner? That remains unclear.

Some nation states will want to expand their horizons and use quantum computing as an offensive weapon to undermine the digital economies of their perceived enemies – as will others who can get early access to the technology. Organizations in both the public and private sectors will then be prime targets for a range of attackers. None will be safe, even those that believe their information is secure now.

Artificially Intelligent Malware Amplifies Attackers’ Capabilities

According to many futurists, AI will bring huge benefits to society, especially in areas such as research and healthcare. However, it will also be deployed in more damaging ways, one of which will be to build computer malware that can change both its form and purpose. Attackers will use this artificially intelligent malware to find new ways to access an organization’s network and disrupt its operations. Mission-critical information assets such as trade secrets, R&D plans and business strategies will be targets for compromise – all without detection.

As it is AI-based, this new form of malware will learn from its environment, analysing applications and systems to discover and exploit new vulnerabilities in real time. It will be hard to distinguish what is safe from unauthorised access and what isn’t. Even information previously believed to be well protected will be open to compromise.

Conventional techniques used to identify and remove malware will quickly become ineffective. Instead, AI-based solutions will be needed to fight this new malware – leading to a race for supremacy between offensive and defensive AI. The eventual winners will be hard to spot for some considerable time.

Attacks on Connected Vehicles Put the Brakes on Operations

Attackers will look to remotely hack a range of connected vehicles – cars, lorries, vessels and trains – taking advantage of vulnerabilities within on-board systems to take control of them, steal them, or disable vital safety features. All forms of vehicles will be exposed. The sheer scale of targets will be dramatic: for example, the number of connected cars manufactured globally is predicted by Gartner to grow from 12.4 million in 2016 to 61 million by 2020.

The effects will be felt by various people and organizations. Individuals who travel in connected vehicles, or are in the vicinity, will have their lives put at risk. Organizations with supply chains that rely on connected vehicles to transport goods or materials will face operational disruption. Vehicle manufacturers and their subcontractors will face reputational damage, and maintenance providers will come under pressure to perform immediate software and hardware updates.

Liability for incidents – including deliberate attacks – will be a particularly hot topic. Insurance companies will be forced to rethink their strategies to take into consideration claims over incidents involving connected vehicles; organizations will wish to consider themselves blameless but may be held liable; while vehicle manufacturers are likely to face complex class action legal battles should incidents begin to fall into recognisable patterns.

Biometrics Offer a False Sense of Security

Demands for convenience and usability will drive organizations to move to using biometric authentication methods as the default for all forms of computing and communication devices, replacing today’s multi-factor approach. However, any misplaced trust in the efficacy of one or more biometrics will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

The problem will be compounded by the wide and confusing array of proprietary technologies produced by different vendors. As there are no common global security standards for biometrics, it is inevitable that some technologies will be vastly inferior to others. The question then becomes: which are secure today? And will that continue to hold true tomorrow… and the day after?

Existing security policies will fall well short of addressing the issues as new devices infiltrate organizations, from the boardroom down. Failure to plan and prepare for this major change will leave some organizations sleepwalking into a situation where critical or sensitive information is protected by a single biometric factor which proves vulnerable.

New Regulations Increase The Risk And Compliance Burden

By 2020, the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever swelling ‘attack surface’ which must be protected fully while attackers continually scan, probe and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information – including customer details and business plans – that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties who will transmit, process and store it in multiple locations. Most organizations will see penalties for non-compliance reach material levels.

Balancing potentially conflicting demands, while coping with the sheer volume of regulatory obligations, may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Point

The relentless hunt for profits and never-ending change in the workforce will create a constant atmosphere of uncertainty and insecurity that has the effect of reducing loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from ‘cashing-in’ corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognise that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now – or in the future – face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, it is not only the organizational crown jewels that are under threat. The establishment of bug bounty and ethical disclosure programmes, together with a demand from cybercrime or hackers, puts a very high value on the most secret of secrets – the penetration test results and vulnerability reports that comprise the ‘keys to the kingdom’. Organizations reliant on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find those mechanisms inadequate.

Be Prepared

As dangers accelerate, organizations must fully commit to disciplined and practical approaches to managing the major changes ahead. Employees at every level of the organization will need to be involved, including board members and managers in non-technical roles.

The nine threats listed above expose the dangers that should be considered most prominent. They have the capacity to transmit their impact through cyberspace at alarming speeds, particularly as the use of the Internet spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island
Why Data Loss Prevention Will Suffer the Same Fate as Anti-Virus

Tue, 03 Apr 2018 04:45:56 -0500

For years, Data Loss Prevention (DLP) has been the first line of defense against data leaving an organization’s four walls. DLP solutions have been touted as having the ability to track and prevent the loss of data through unauthorized channels. However, there are challenges associated with DLP, such as solution stability, the time-consuming data classification process and ongoing maintenance, and disconnects between data owners and DLP administrators. Security teams are realizing DLP is not sufficient in keeping an organization’s critical data safe.

DLP appears to be following in the footsteps of another once-ubiquitous but now outdated technology: anti-virus. The parallels between the two technologies may not be apparent at first, but when taking another look, it is clear that DLP may suffer the same fate as traditional anti-virus.

Since 1987, the anti-virus approach has been to tag data with signatures, continuously scan systems for these signatures, and then attempt to quarantine the known bad files. In theory, this method sounds great, but in the 21st century, malware can move and morph faster than anyone ever imagined. With the dawn of malware, hackers realized how these tools operated and they customized specific ways to avoid the existing tool sets.

The dawn of DLP

Similarly, data loss prevention (DLP) tools require data classification and tagging of sensitive files, use scanning for the movement of files, and attempt to prevent these files from going places they shouldn’t be going. Since 2000, organizations implemented these tools to adhere to regulatory compliance, monitor sensitive file movement, or prevent specific files from going out specific egress points.

However, a few major factors have seriously diminished the effectiveness of data loss prevention solutions. The primary challenge is the exponential growth of unstructured and semi-structured data within organizations. To be effective, DLP tools must keep up with the constant creation and modification of sensitive data. This places a heavy burden on data owners and those administering the DLP technology to stay on the same page. It is almost inevitable that data growth will outpace the lines of communication within the organization.

DLP and the people problem

One of the most challenging elements of DLP isn’t within the software – it is the people. It’s no secret people are the biggest challenge when it comes to implementing effective security controls. Not all users have malicious intent; they may simply be seeking to find a way to bypass existing controls to make their life easier. People are unpredictable, and ensuring organizations have a rule for every action a person might take is hard if not impossible.

When it comes to malicious insiders operating within an organization, DLPs are notoriously ineffective at stopping data loss caused by these types of threats, since DLPs are often trivial for technical users to bypass. This means if someone on the inside really wants to exfiltrate data, they will probably find a way to do it.

DLPs are incomplete as they do not offer all-in-one detection, deterrence, and mitigation of data exfiltration and insider threats. While they may catch some instances of attempted data exfiltration, they are not designed to help security teams investigate or respond effectively, and they don’t have proactive user education built in to reduce accidental misuse.

Say goodbye to traditional DLP

Traditional DLP tools have been popular given the magnitude of the data loss problem and compliance needs of some organizations. However, DLPs often fall short when it comes to preventing data loss, especially when it comes to providing visibility into user actions to detect incidents in the moment and quickly investigate them.

Instead of relying on a traditional DLP focused exclusively on data, organizations should implement a holistic people-focused strategy. Organizations should shift to an approach that gives security organizations full visibility into user actions, with alerts for out-of-policy actions serving as an early warning system that decreases the time to detection. This should be coupled with strong processes to quickly remediate incidents involving data loss and flexible prevention controls that align with the business goals, to ensure a 360-degree view.

Now more than ever, organizations need to invest in solutions that provide full visibility into what users are doing coupled with flexible prevention policies. With this visibility, organizations are able to quickly identify risky behavior, streamline the investigation process and prevent data loss.

About the author: Mike McKee brings over 20 years of cross-functional, global experience in technology to ObserveIT. Previously, Mike led the award-winning Global Services and Customer Success organizations at Rapid7, served as Senior Vice President CAD Operations and Strategy at PTC, and Chief Financial Officer at

Unconventional Thinking — Four Practices to Help Mitigate Risk

Mon, 02 Apr 2018 07:12:00 -0500

Taking a conventional approach to cybersecurity typically refers to “keeping the bad stuff out” of your network, meaning blocking any number of malicious threats such as spam, viruses, malware, and DDoS attacks. The truth is if you want your organization to be secure in today’s cyber landscape, you must proactively assess your security posture and focus on mitigating risk. This not only drastically reduces the probability of a successful attack, it also lets you remediate and recover your business quickly in the event of exposure. How do you implement this approach?

1. Mitigate risks posed by targeted email attacks

Email is still the top threat vector used by attackers. More cunning methods such as spear phishing and business email compromise (BEC) are highly targeted and researched attempts where cybercriminals often seek to defraud individuals and lead unsuspecting employees to transfer money or willingly share credentials. The FBI estimates that upwards of $5 billion has been lost to BEC in recent years.

In these attacks, criminals engage in casual conversation with victims through email in an attempt to gain the users’ trust before actually doing anything malicious. In many cases, bad guys investigate and gather information about their targets via social media, which gives them ammunition in making their email threats more convincing. Unfortunately, traditional security solutions such as email security gateways and anti-virus solutions fail to detect these attempts, as there are no malicious attachments or links. An entirely new approach is critical, and currently the most effective technologies are artificial intelligence solutions for cyber fraud defense, domain fraud protection using DMARC authentication, and fraud simulation training for individuals of high risk within your organization.

2. Mitigate the risk posed by careless or untrained users

A significant part of mitigating the risk of targeted email attacks means having the ability to provide security training to high risk individuals. What about the mid to lower-level employees who are either careless or simply clueless? They require training just as much as high risk individuals, as attackers often begin their attack campaigns targeting these employees. Regular security and awareness training with simulation testing of their knowledge is a major key to reducing and mitigating organizational risk.

3. Mitigate the risk posed by rapid application development

Of course, risk is present in other areas beyond email and employees including websites and applications. Identifying and remediating application vulnerabilities while maintaining development agility is a challenging balance. This is particularly true when adopting cloud platforms like AWS and Azure that enable rapid application deployments. In fact, studies have shown that as many as 86 percent of websites contain at least one serious vulnerability, and the average time critical vulnerabilities remain unfixed is 300 days. This is unacceptable as vulnerabilities in websites and other public facing applications can lead to costly data breaches and infiltration. Organizations must proactively check for vulnerabilities in their sites and applications on a regular if not continuous basis.

4. Mitigate the risk of data loss

Sometimes you can do everything right in your approach to security and still have something ugly happen—such as your data getting lost or held for ransom. That’s why there is one important step to take to mitigate the risk of data loss. Protect it.

Implement a data protection strategy that not only includes a backup plan, but one that allows for easy recovery as well. The ideal solution would automatically create updated backups as files are revised, and then have the ability to duplicate them to a secure cloud or to a private off-site location. That way, if criminals encrypt your files with ransomware, you will be able to eliminate the malware, then delete the encrypted files and restore them from a recent clean backup. The whole process can take as little as an hour with the right solution, helping you to get right back to business while leaving criminals empty handed.

By taking these proactive steps to mitigate the security risks in your organization, you will greatly reduce the probability of successful attacks, and have the ability to remediate and quickly recover in the event of exposure. Being truly secure requires a lot more than just keeping the bad stuff out; it requires learning how to mitigate the potential risks before they ever come your way.

About the author: Sanjay is a 20 year veteran in technology and has a passion for cutting edge technology and a desire to innovate at the intersection of technology trends. He currently leads product management, marketing and strategy for Barracuda’s security business worldwide.

The Night the Lights Went out in Georgia (Almost)

Thu, 29 Mar 2018 05:40:23 -0500

As I sat down on a Friday afternoon to reflect on the past week, I felt the need to comment on the fact that the City of Atlanta is facing outages that are affecting not only the internal operations of the city but also their consumers, the residents of Atlanta. On Thursday morning, Atlanta’s systems were hit by an instance of ransomware. Systems were affected in various areas of the city’s infrastructure, initially being reported as court and bill pay systems for the city. As employees began to show up for work, they were directed not to turn on computers as a method to prevent the spread of the ransomware and limit the impact. At this time the originator of the attack is unclear, but what is clear is there is at least one motive behind the attack, a monetary demand of $51,000 in Bitcoin.

While the actor is as of yet unknown, the City is working with the FBI, Homeland Security, and their vendors to determine the source as well as find a solution to the issue without paying the ransom. For those who have not been involved in this ransomware space, the value might seem somewhat trivial. $51,000? Why not just pay it, and be done? On the surface this seems like the easy solution. It’s only $51,000. But the next question you should ask is what happens next time: will it only be $51,000? Will it embolden that actor to raise the stakes? What if you pay the sum only to find the systems aren’t unlocked? More importantly, who are you actually funding?

The increasing momentum of ransomware is a concerning trend. The fees to unlock a system after an incident tend to be low in order to make the decision a cut and dry one for the impacted entity. It’s far easier to rationalize the payment of a relatively small sum that is only mildly painful. Often the affected individual seeks quick resolution, and those that can’t afford the ransom typically find themselves replacing a HD for less than the ransom if the value of the data isn’t very high. Situations like Atlanta start to change the dynamic; public institutions, governments, corporations, healthcare, all have more serious potential concerns. There is the damage to public perception, the impact to customers and employees, potential regulatory issues, and one can imagine the potential for injury or loss of life in the most severe cases. The trend would indicate that the problem is getting worse, especially as more potential actors see the business case behind effective campaigns. The value of the demand is also starting to balloon in some cases when the potential impact is visualized. Take, for example, the case of Equifax in September of 2017: they were served with a demand of $2.3M.

Who are the primary actors behind ransomware? What is their motivation? We can look to the ease of monetizing this type of attack to explain its increase in velocity. Criminal organizations in areas of the world where it’s easier to create a ransomware campaign than to legitimately find a job certainly serve as a significant piece of the problem. Organized crime has also seen this as a new frontier to provide additional revenue; however, there is an even more concerning aspect to the problem. Consider rogue nations that have come under increasing pressure from the world powers and face increasing sanctions and external pressure. Where do they find the funds they desperately need in the face of ever-tightening scrutiny? Look no further than an effective ransomware campaign. It’s quick, easy money, and the availability of a transaction masked by cryptocurrency makes for a vehicle too tempting to avoid for increasing their coffers.

Some are starting to ask is it really even about the money? For the vast majority it is but it also becomes a vehicle for malicious actors to start causing disruption and impact to the underlying infrastructure. It’s a way to probe and see where organizations or governments aren’t sufficiently protecting their assets. It’s a way to cause concern among consumers and citizens if they can really trust the entities they interact with.

The underlying question is what should we do? Obviously, the time has passed for not taking security seriously; unfortunately, too many companies still don’t. Do you have an effective security policy, are you fully funding the controls necessary to protect your organization, does your policy cover ransomware effectively? Most importantly, do you know what data is critically important, and do you have a plan for maintaining that data and recovering it? We need to look at endpoints as more than just end user workstations; they are usually the most exposed and easiest systems to breach. Look to endpoint protection products that not only alert on system exposure but offer protection against malicious use and optimally have the capability to roll back in the event of a compromise. At the end of the day it’s not about the breach but it’s about how you recover.

About the author: Ben Carr is the VP of Strategy at Cyberbit. Ben is an information security and risk executive and thought leader with more than 20 years of results driven experience in developing and executing long-term security strategies. He is focused on solving security issues that address current business objectives while balancing today's operational risks. Ben has demonstrated global leadership and experience, through executive leadership roles at Tenable, Visa and Nokia.

Is Blockchain Really Disruptive in Terms of Data Security?

Mon, 26 Mar 2018 10:33:00 -0500

Despite the fact that Blockchain technology is widely associated with cryptocurrency and is primarily known as the innovation pushing Bitcoin and Bitcoin price up, experts have been predicting a much longer list of industries that it will disrupt due to its features. Blockchain can provide transparency, decentralization, efficiency, security, and other benefits, revolutionizing multiple industries. In addition to predictions that Blockchain will improve the world of data security, experts have listed well over a dozen other industries it will transform, including:

  • Banking
  • Supply Chain Management
  • Insurance
  • Cloud Storage
  • Government
  • Charity
  • Online Music
  • Energy Management
  • Real Estate
  • Retail

The list goes on and on, with some even referring to Blockchain as “the most disruptive technology in decades.” With Blockchain’s potential to add to data security along with other industries, the question becomes whether the technology behind cryptocurrency is as disruptive as experts claim.

When you examine specific ways that Blockchain has changed this sector, it becomes clear that yes, it is indeed disruptive, although there are still some problems it must overcome to truly revolutionize data security.

The inherent structure of blockchain provides added security

Just the basic structure of Blockchain, without any applications or platforms built on top of it, provides added data security. In terms of security as a whole, the trustless nature of Blockchain means that users do not need to rely on a third party to complete a transaction. Most importantly from a data perspective, everything that happens on Blockchain is encrypted. There is no way for a hacker to tamper with the information stored on Blockchain and hide this action from others.

By its very concept as a highly decentralized system, Blockchain is inherently more secure than a traditional data security system. While most current data security systems are easy to find in a single location, the distributed nature of Blockchain means that it is much harder to hack. The lack of control by a single group means there is not a single point of failure.

Blockchain revolutionizes data storage via distribution

The security of data closely relates to its storage, another area that Blockchain revolutionizes. Instead of storing data in a cloud, Blockchain can take advantage of distributed storage. In this way, the system:

  • Breaks the data into smaller chunks,
  • Encrypts it so hackers cannot access the information,
  • And then distributes the files.

This process secures the data in two ways.

  1. Your data receives protection from network outages as it is stored at multiple locations across the network instead of a single point. This means users can access data even if some of the network goes down.

  2. Additionally, the encryption process provides security from those looking to access data they should not be able to. In this way, it can ensure privacy and keep sensitive or personal information out of the reach of hackers. As soon as someone alters a record, the signature becomes invalid.

With a traditional storage model, hackers must only breach a single server. By contrast, with Blockchain, you must compromise the majority of its network to make fraudulent transactions or falsify balances. Even hacking one server is challenging for experienced cybercriminals, so hacking enough to represent the majority is a nearly impossible feat. To provide even more security against this type of data risk, consider that the hackers would have to breach every node at the same time.

Blockchain can prove data is untampered

Instead of opting for distributed data storage with Blockchain, it is also possible to save a specific document’s cryptographic signature. As long as a file has this signature, users will have the assurance that no one tampered with the document. This method allows you to store the file on whatever system you typically use, whether or not that is cloud-based, and still receive the security of the blockchain by confirming you are viewing the same version of the document.
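An added illustration of the idea above (not from the original article), using a toy in-memory hash chain rather than a real blockchain. The article speaks of a document's "signature"; this sketch assumes a SHA-256 digest as the recorded fingerprint, and the class name, document IDs and sample documents are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(block: dict) -> str:
    """Hash every field except the stored hash itself, in a stable order."""
    body = {k: block[k] for k in ("index", "prev", "doc_id", "doc_digest")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ToyLedger:
    """Append-only list of blocks; each block commits to the one before it."""

    def __init__(self):
        self.blocks = []

    def anchor(self, doc_id: str, data: bytes) -> dict:
        """Record only the document's digest; the file itself stays elsewhere."""
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev,
                 "doc_id": doc_id, "doc_digest": sha256_hex(data)}
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block

    def chain_valid(self) -> bool:
        """Recompute every hash and check each block points at its predecessor."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev or b["hash"] != block_hash(b):
                return False
            prev = b["hash"]
        return True

    def verify(self, doc_id: str, data: bytes) -> bool:
        """True only if the chain is intact and the file matches its latest anchor."""
        if not self.chain_valid():
            return False
        for b in reversed(self.blocks):
            if b["doc_id"] == doc_id:
                return b["doc_digest"] == sha256_hex(data)
        return False  # never anchored


def demo() -> dict:
    ledger = ToyLedger()
    contract = b"Constructed sample: supplier contract v1, total 10,000 EUR"
    edited = contract.replace(b"10,000", b"90,000")
    ledger.anchor("contract-001", contract)
    ledger.anchor("report-007", b"Constructed sample: quarterly report")

    results = {
        "original": ledger.verify("contract-001", contract),
        "edited_doc": ledger.verify("contract-001", edited),
    }
    # Overwrite the recorded digest so it matches the edited file. The block's
    # stored hash no longer matches its contents, so the chain check fails.
    # With a single copy, someone could recompute every later hash as well;
    # the article's point about many independent nodes is what prevents that.
    ledger.blocks[0]["doc_digest"] = sha256_hex(edited)
    results["rewritten_ledger"] = ledger.verify("contract-001", edited)
    return results


if __name__ == "__main__":
    print(demo())
```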

Ability to store currencies offline

Data related to currency and a user’s balance becomes more secure with Blockchain due to the ability to store cryptocurrency in offline wallets. As these wallets are offline, they are nearly impossible to hack, as an attack would instead need to focus on the decentralized blockchain.

Blockchains can be public and private

When discussing Blockchain and data security, it is important to distinguish between public and private blockchains. Both have the inherent advantages of a distributed network, encrypted ledger, and other factors mentioned above. However, public blockchains allow anyone with a computer and internet to join, while private blockchains only allow specific users to join. By nature, this makes private blockchains more secure than public ones, meaning they provide a larger disruption to data security.

There are also considerations as to the type of data stored. Those who set up public blockchains typically do so to provide anonymity, while private blockchains rely on a user’s identity to confirm access privileges, meaning that information must be disclosed. In this way, the anonymity of public blockchains can provide additional data security for some.

Examples of platforms that change data security

Descriptions of how Blockchain disrupts data security are not as effective as examples in some cases. Forbes recently compiled a list of blockchains that specifically target and revolutionize data security in different ways. The blockchains listed allow their users to benefit from:

  • a keyless signature infrastructure with a certificate authority that maintains a cache with public keys and asymmetric encryption
  • elimination of passwords to mitigate the risk of breaches due to human factors and reliance on SSL certificates instead to authenticate devices, using blockchain to disrupt the way information is stored and accounts are accessed
  • messenger services that scatter communication metadata across the distributed ledger and limit the amount of information that users must provide to use the service

These are just a handful of the current blockchain platforms and applications disrupting data security, and many more are sure to arrive in the future.

About the author: Mary Callahan is an expert on Bitcoin-related topics. She has published articles on blockchain security, bitcoin purchase guides, and bitcoin regulations in different countries.

Half-Baked Security Approaches: What Cybersecurity Can Learn from Legal Weed

Mon, 26 Mar 2018 10:13:00 -0500

There are plenty of examples of behaviors in everyday life that can be either legal or illegal. An easy example is marijuana. To determine whether or not somebody is illegally using the substance in the United States, you’d have to know (at least) which state they’re in, potentially their medical status, potentially their age, and the policies of their current specific location. Context matters tremendously, and just knowing that a person is using the drug is definitely not enough information. Others are likely not going to report the incident if they don’t have most or all of the information, as their information is of low confidence. Imagine if every time somebody observed a person using marijuana, they immediately called the police?

Given this physical world example, why is it acceptable that the digital world—specifically detecting security incidents—is full of low-confidence reporting? In just about every way we have a more complete picture of the environment, but yet we still spew half-baked (no pun intended) low-confidence alerts as fast as we can. It should be obvious that in order to deal with this scenario, a huge amount of effort should go into providing higher-fidelity alerts contextualized across multiple facets of a system.

Relating back to the original concept, alerts that only look at an event (whether network, endpoint, or interaction) in isolation are much less likely to be high-fidelity. For example, if Joe gets access to a new source of highly-restricted data at work (for a new project he’s on), systems that look at that event in isolation will notice it as an anomaly and immediately alert. However, simply accessing something new is not interesting in isolation. If, instead, Joe transfers that data to his work phone via Bluetooth, takes it home, and uses Gmail to send it to a competitor, that is interesting. Things start to become clear when these separate events, none of which should be that interesting in isolation, are connected.

Therefore, we need ways to identify these behaviors as related, even though they’ll potentially be across different platforms, data sources, and devices. In addition, such information requires us to have either temporal or—much better—content-based knowledge about the content of such isolated behaviors. If we identify that Joe accessed Gmail on his work phone on the same day that he had access to new highly-restricted data on his work computer, it’s likely that we’ll have identified Joe simply sending an email in his personal time. However, if we can identify that it is the same data (or even—since it’s likely to be encrypted—roughly the same size of content being transferred) in this chain of events, then our alert is much more promising. Better yet, if we can identify metadata about the file being sent from the phone—through antivirus, perhaps—our fidelity increases even more.
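The correlation described above, as an added example that is not from the original article: constructed events from three hypothetical sources (file server, endpoint, web proxy) are chained per user, and an alert is raised only when the later transfers carry roughly the same number of bytes as the restricted data that was read. The field names, the 5% size tolerance and the 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All names, thresholds and events below are constructed for illustration.
CHAIN = ("restricted_read", "bluetooth_send", "webmail_upload")
WINDOW = timedelta(hours=24)   # assumed: the whole chain must fit in one day
TOLERANCE = 0.05               # assumed: sizes within 5% are "roughly the same"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source: str   # which product reported the event
    action: str
    size: int     # bytes read or transferred


def roughly_same_size(a: int, b: int, tol: float = TOLERANCE) -> bool:
    """Encrypted or re-encoded copies differ slightly in size, so compare loosely."""
    return abs(a - b) <= tol * max(a, b)


def isolated_alerts(events):
    """Baseline: every restricted read is reported on its own."""
    return [e for e in events if e.action == CHAIN[0]]


def correlated_alerts(events):
    """Alert only on a full chain: same user, in order, inside WINDOW, similar size."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for evs in by_user.values():
        for start in (e for e in evs if e.action == CHAIN[0]):
            chain = [start]
            for stage in CHAIN[1:]:
                nxt = next(
                    (e for e in evs
                     if e.action == stage
                     and e.ts > chain[-1].ts
                     and e.ts - start.ts <= WINDOW
                     and roughly_same_size(e.size, start.size)),
                    None,
                )
                if nxt is None:
                    break
                chain.append(nxt)
            if len(chain) == len(CHAIN):
                alerts.append(chain)
    return alerts


def t(day: int, hhmm: str) -> datetime:
    return datetime.strptime(f"2018-03-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")


EVENTS = [
    # Joe: read, Bluetooth transfer and webmail upload of about the same size, same day.
    Event(t(5, "09:10"), "joe", "fileserver", "restricted_read", 48_300_000),
    Event(t(5, "17:45"), "joe", "endpoint", "bluetooth_send", 48_912_000),
    Event(t(5, "21:30"), "joe", "proxy", "webmail_upload", 49_100_000),
    # Ann: new restricted access, then a small personal email. Related only in time.
    Event(t(5, "10:00"), "ann", "fileserver", "restricted_read", 12_000_000),
    Event(t(5, "20:00"), "ann", "proxy", "webmail_upload", 35_000),
    # Bob: similar sizes, but the upload falls outside the time window.
    Event(t(5, "11:00"), "bob", "fileserver", "restricted_read", 5_000_000),
    Event(t(5, "12:00"), "bob", "endpoint", "bluetooth_send", 5_050_000),
    Event(t(8, "12:30"), "bob", "proxy", "webmail_upload", 5_060_000),
]

if __name__ == "__main__":
    print("isolated alerts:", len(isolated_alerts(EVENTS)))
    for chain in correlated_alerts(EVENTS):
        print("correlated:", chain[0].user, [f"{e.source}:{e.action}" for e in chain])
```

The isolated rule fires for all three users, while the correlated rule reports only the chain that matches on user, order, time and size.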

So where does this leave us? Context is everything. Connecting the dots between indicators of interesting activity across different aspects of an environment—from external to intra-network to device—is the way to provide unparalleled alert fidelity. Interoperability between products is extremely important to getting to the next level of security capability. Will the first company that nails cross-technology integration, contextualization, and interrogation win the day?

About the author: Having used Wireshark ever since it was Ethereal, David has been analyzing network traffic for well over a decade. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake Security. David holds computer security degrees from the Rochester Institute of Technology (BS) and Carnegie Mellon University (MS).

Copyright 2010 Respective Author at Infosec Island
4 Ways Every Employee Can Play a Role in Their Company’s Security
Fri, 23 Mar 2018 06:10:31 -0500

With what seems like a constant stream of data breach headlines, security is top of mind for many companies, some of which are having to think about it for the first time. The truth is, it’s a company-wide commitment to ensure overall security. While you might ask what role you could play in that world, there are a number of steps you and your fellow employees can take to help keep threats at bay.

1. Get familiar with your company’s Chief Information Security Officer (CISO) 

It’s obvious but bears repeating: it is the Chief Information Security Officer’s job to ensure the security of the company and its employees. Too often, employees feel the security team is an entirely separate entity, but this is the type of culture that needs to be addressed and unified. Security is one aspect that touches every part of a company, and only by hearing concerns from employees at every level and in every sector can a CISO effectively develop a strategy that addresses every facet of a company. Perhaps you recently encountered something that you feel could be a good learning opportunity for others in the company, or you have questions about how to properly apply the security procedures in some particular situation. The constantly evolving nature of security means that a CISO can use all of this information to build a security strategy that better educates and protects the employee and the company as a whole. Whatever it may be, those doors should always be open for discussion.

2. Actively participate in ongoing security trainings

Just as a company would perform drills to prepare for potential disasters, it also needs to train for security threats. Keeping a steady drumbeat of these drills will pay off in the event of a potential attack. Each employee should have a general understanding of where these risks lie and should be well versed in things like avoiding phishing attacks, creating a secure password, and properly protecting equipment like laptops and USB drives.

These types of drills might include deploying a company-wide “friendly” targeted phishing attack using publicly available information. The key point of this exercise is to create a level of exposure in a safe and secure environment, as opposed to trial by fire. Human error is unavoidable, but by simulating an attack, employees can learn how to quickly and effectively respond as a unified team.

3. Speak up before it’s too late

This is where every single employee in a company needs to take accountability. No one security agent can oversee every person and every process in a company, and individuals may even be more aware of potential gaps in their department than the security team. Being proactive and raising the concerns you have about the security of your immediate work environment, team, or department helps the security team address threats before they evolve into something worse. This brings me back to point number one. Establish that relationship with your CISO so when you do recognize a potential threat, those conversations are more likely to happen before it’s too late.

4. Understand that you are critical to your company’s security

Everyone in the company can be a security agent for their company. However, the further an employee is from the core business functions of the company, the less aware they tend to be of the critical role they play in company security. Someone in HR scanning new hire documents for employee folders might consider themselves fairly removed from security procedures, even though they’re handling documents that may contain highly sensitive information like salaries, social security numbers, or other important data. A breach that targets this information could be catastrophic and would put the company in violation of strict regulatory requirements like HIPAA and GDPR.

While I do understand that learning these measures can feel like an entirely new job in and of itself, by taking these small and manageable steps, you can help build and maintain a security system that is intact from end to end. By keeping these things top of mind, you and your fellow employees can help your company avoid catastrophic data breaches and protect your own personal data more effectively.

About the author: Tomáš Honzák serves as the head of security, privacy and compliance at GoodData, where he built an Information Security Management System compliant with security and privacy management standards and regulations such as SOC 2, HIPAA and U.S.-EU Privacy Shield, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem.

The Soaring Success of Cybercrime as a Company
Thu, 22 Mar 2018 08:13:00 -0500

At the start of the 1992 movie Sneakers, Robert Redford is shown as a youthful hacker, breaking into computer networks and stealing money to give to liberal causes. He avoids being captured and sent to prison only because he is out picking up a pizza. For years, this stereotype of the messy-haired, pizza-eating, solo hacker who often has idealistic motives, prevailed in the media.

My, how cybercrime has grown up. In 2017, cybercrime cost the world $600 billion and business is booming. Some bad actors are working the low end, such as launching ransomware, which cost Merck $300M last year, or using synthetic identities to commit financial fraud.

Meanwhile, well-organized criminal gangs and nation-states are working the high end, financing cybercrime networks and investing tens or hundreds of millions and years in attacking top targets including federal agencies, major companies, world leaders and other public figures. A recent long-format piece by Bloomberg provided riveting insights into the North Korean cybercrime operation, as described by an overworked, semi-starved conscripted hacker working offsite in China. 

So, what do we know about cybercrime that can help CISOs strategize a strong offense? 

Cybercrime, Inc. is big business: Cybercrime syndicates are increasingly run like companies, with strategic direction from a “CEO,” such as a national security agency, criminal head or attack leader. They provide regular working hours and office space and even offer online and call centers for technical support. They’re still anonymously successful in a world of web fingerprints. Infraud, a Dark Web black market, was able to operate undetected for nearly a decade, causing more than $530M in damages to companies and individuals.

The rewards are plentiful: Cybercriminals can make their mark in a growing industry and take home hefty payments. With annual cybercrime revenues soaring to $6 trillion by 2021, there is no shortage of job opportunities for self-motivated top talent. While fat salaries and bonuses are nice, some cybercriminals have other job goals, such as embarrassing and discrediting public figures, revealing corporate secrets, sabotaging political strategies and gaining valuable IP to accelerate copy-cat innovation in national industries.  

The stakes are getting higher: With a myriad of well-financed operations around the world, cybercriminals are competing against each other – and time. It’s harder than ever to spoof websites, commit credit card fraud and launch zero-day attacks. The race is on to use AI and machine learning to increase the speed, scope and sophistication of attacks. A recent report forecasts the use of AI for automatically detecting software bugs, selecting individuals for financial crime schemes and sharpening social engineering attacks.  

Collaboration is the name of the game: Cybercriminals use the Dark Web to share strategies, post files and pay each other using bitcoin. However, anonymity is everything, and revealing networks or strategies, accidentally or otherwise, is a fast path to ending collaboration or getting killed. 

Job resources abound: Cybercriminals have rich treasure troves of personal data they can consolidate, thanks to the Anthem, Equifax, Uber and Yahoo hacks. Spear phishing and social engineering will likely be much easier in the coming years, due to these companies’ information breaches. Bad actors also can rent cybercrime toolkits, such as ransomware kits by the month for $1,000 or Russian DDoS booters for $60 a day or $400 a week. Vendors offering test drives and discounts may also be provided, mirroring enterprise software sales strategies.  

Talent development is on the job: Hacking offers abundant freelance opportunities, with no college degree required. While skills development is self-driven, there is no glass ceiling and payments can scale with the complexity of the target or size of the financial takedown. When hackers work for nation-states, the pesky prospect of legal action and jail time also disappears. 

CISOs should take note that cybercriminals have co-opted the best of corporate life, while also avoiding its limitations. While enterprise cybersecurity teams must “play by the rules,” reviewing strategies and programs with senior leaders; protecting consumer and public data and making sure initiatives pass muster with regulators and auditors, cybercriminals have no such restrictions. 

To mount a stronger defense, CISOs should learn from cybercriminals and push for stronger partnerships with competitors, vendors and public agencies. Companies also need to overcome the shame game and participate in public forums and create online mechanisms for data sharing. While it is understandable that companies want to protect their reputations and programs, they can share information about successful attack strategies to prevent others from being similarly hacked. This isn’t just common courtesy and a civic duty, it’s also good business. Companies are increasingly connected to each other in the digital “platform economy,” while many also use the same vendors. 

Similarly, companies must harden and integrate technology. Cybersecurity is too important to be handled by piecemeal solutions, which force analysts to aggregate insights and sometimes mean they miss attacks because they are bombarded by a flurry of security alerts. Co-managed security information and event management (SIEM) systems allow enterprises to see the forest for the trees, providing proactive threat hunting, better threat blocking, automated incident response and expert threat investigation and analysis services to bolster their own services. Cybercriminals have great tools, but enterprises have more: they can actively partner with co-managed SIEM providers to deliver the cybersecurity strategy. Partners can provide people, process and yes, market-leading platforms to help enterprises evolve at the speed of new threats.  

In a raging cyber war, it pays to think like cybercriminals and understand how they are organizing and operating as corporations. While enterprises won’t resort to cybercrime, we need to understand, outthink and outplay our adversaries at a strategic, not just tactical, level.

About the author: A. N. Ananth is a co-founder and CEO of EventTracker. Ananth was one of the architects of the EventTracker SIEM solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes.

A Siri for Network Security: How Chatbots Can Enhance Business Agility
Mon, 19 Mar 2018 11:43:48 -0500

Interacting with computers and robots using normal, everyday language has been a mainstay of sci-fi movies since the 1950s. However, it’s only been in the last five years or so that it has become an everyday reality, thanks to innovations such as Apple’s Siri, Amazon’s Alexa, and the widespread rollout of web-based instant messaging ‘chat’ platforms.

These platforms connect people to chatbots – computer programs that can mimic human conversations using artificial intelligence – to handle a range of interactions between people and software, from following simple instructions to maintaining a quasi-conversation. Chatbots have been widely deployed in consumer-facing business sectors such as retail, insurance and financial services, providing additional support to call centre staff to reduce enquiry resolution times and deliver cost savings.  Indeed, recent research from analyst Juniper estimates that in some business sectors, chatbots can deliver average time savings of around 4 minutes per enquiry. 

The potential of chatbots

In addition to this successful implementation, I believe that there’s also tremendous potential using chatbots in enterprise applications. Enterprises could utilize chatbots to accelerate and automate information-sharing across areas of the business in which data has traditionally been siloed and hard to get access to – such as between IT and security teams, and business application owners.

For example, getting an answer to the simple question “Is network traffic currently allowed from this specific server to another specific server?” can be complicated.  If the enterprise does not have a Network Security Policy Management (NSPM) solution that can automatically discover and map network flows, getting a definitive response would be a laborious process, involving several different stakeholders and using multiple firewall and device management consoles.

Furthermore, even if the organization uses an NSPM solution, a user might not get an immediate answer. They would have to either access the NSPM system and know how to use it, or request the information from a member of the IT or security team – which may take time and interrupt more pressing tasks.

Making network security accessible

So, imagine if it was possible to have access to expert security knowledge about the enterprise network – such as the status of a business application’s connectivity, which firewalls protect that application, or whether traffic is being allowed to certain servers – without needing to have expertise in using security management tools, or distracting busy networking or security staff?

A chatbot can make this a reality across the organization, enabling users outside the network and security teams – such as application owners, developers or other roles who may not have access to, or permissions to use, an NSPM system – to obtain the answers they need about network and application flows. This will help break down siloes of information, and democratize access to critical network and security data for non-specialist users, in non-technical language (based on access rights of course).

Accelerating the business

By making important network and security information accessible to a wide range of internal stakeholders, chatbots enable faster decision-making and speed up processes.  This in turn will accelerate business productivity, by helping to ensure that security processes don’t unnecessarily delay new initiatives and innovations.

About the author: Professor Avishai Wool is the co-founder and CTO of AlgoSec.

Centering Your Security Strategy on Leadership, Resilience and Fundamentals
Fri, 16 Mar 2018 08:40:00 -0500

Cyber security technology solutions continue to advance, as do cyber-attack methods. Cisco is tracking this phenomenon in malware development by measuring Time To Evolve (TTE) — essentially the time that lapses between distinct changes in evasive file and delivery tactics. Malicious hackers’ inventiveness and sophistication have allowed six malware families to continue creating havoc over an extended period of time. These strategies only partially explain why we see the same vulnerabilities being exploited year after year. If we worry too much about sophisticated zero-day attacks or become distracted by the overblown promises of the latest software package, we continue to neglect the elements that are proven to protect or expose us.

Verizon’s 2017 Data Breach Investigations Report highlighted that, yet again, it’s the fundamentals that will be our undoing —but they could also be our saving grace. A vast majority of breaches (88%) fall into one of nine attack patterns – the same nine patterns Verizon identified three years ago. Phishing is still among the most prevalent attack vectors, and lots of people are still falling for it: the report found one in 14 users had opened a phishy link or attachment, and a quarter of them did it more than once. Two-thirds of malware is installed via malicious attachments; likewise, ransomware and web application attacks frequently use phishing emails, texts, and calls to initiate access. Finally, the password plague continues to sicken security programs – 81% of hacking breaches used stolen or weak passwords to gain a foothold.

The bad news is that we don’t seem to be learning from our mistakes as quickly as we should. The good news is, raising security awareness across the enterprise doesn’t require capital investments or complex upgrades. It requires diligence, leadership, and contextual threat intelligence — and it starts in the C-suite.

Reducing the Risk of Attack

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience in order to manage, respond and mitigate any negative impacts of cyberspace activity.

Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.

Cyber resilience is all about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inescapable attack. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.

Focus on the Fundamentals

Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organizations must do is ensure they have standard security measures in place. This means going well beyond implementing the latest security tools.

Cisco’s 2017 survey of security capabilities found that while CSOs and SecOps managers are confident they have the best technologies available, they are much less certain that, in the face of skills and budget shortages, they are making the best use of these tools. Such fundamental shortcomings are a good place to start if you’re looking to fortify your existing defenses.

Every type and size of organization is vulnerable to cyber-attacks. To control risk and damage, each organization has to develop and maintain a thorough understanding of its particular weak points, targeted mission-critical information assets and industry-specific threat vectors. Executives who leverage threat intelligence, maintain strong contextual awareness, and stay committed to managing insider threats help their organizations develop a deeper culture of defense, injecting security throughout the enterprise.

Companies that prioritize well-equipped security programs and widespread security awareness are more prepared to grow, innovate and compete.  In order to consistently make better decisions about how to align business and security objectives to manage risk, protect brand reputation, and respond effectively to incidents, boards and senior executives have to remain steadfastly engaged.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

An Open Letter to AWS CEO Andy Jassy on Cloud Security Innovation
Fri, 16 Mar 2018 07:40:27 -0500

Dear Andy,

Congratulations to you and the entire Amazon team on your latest quarterly results. Your team’s contribution continues to be impressive. I was particularly excited to hear that AWS’ expanding partner base continues to be an important driver of your growth.

From where I sit, your commitment and focus on fueling the ecosystem has never wavered. It once took a few hours to walk the partner expo at re:Invent and the AWS Summits; now it takes a day or more. So, every time I read a media report that says you have partners in the crosshairs, I ask myself the same question: Did I miss the memo advising all small, innovative startups that it’s time to close their doors because you’re investing in technology and companies to make AWS better and more secure?

The focus of late has been on cloud security and rightfully so. Organizations of all sizes are migrating to the cloud to take advantage of cost savings, efficiency gains, and the flexibility to scale. Of course, fraud, hacking and malware are proliferating just as quickly as the good kind of cloud technology, so security is becoming the top priority for organizations that want to stay protected while taking full advantage of the benefits of running in the cloud. 

I will always maintain my steadfast perspective that collaboration of innovators, regardless of size, is essential in helping businesses of all sizes and cyber sophistication to reduce their cyber risk.

It is true that cybersecurity startups do not have as loud a voice as AWS and other large cloud providers. Their greatest asset is the ability to innovate, attract passionate and high-intellect employees looking to do meaningful and impactful work without the bureaucracy, traditional process and politics of the larger, more established companies.

While the story of AWS being a threat to companies like ours may get a lot of clicks and shares (I can attest to this first-hand), it distracts the community from the bigger story about the magnitude of the cybersecurity challenge. The reality of the cybersecurity market is that the sophistication of the attacks and the implications of lengthy times to detect, understand and remediate put businesses of all sizes at risk.  

The role of cybersecurity providers is to provide businesses with security context as a means of reducing the “mean time to know” and accelerate actions to remediation. 

The bigger story is about how continued investments, organic or inorganic, strengthen security context for businesses of all sizes. The more security signals, the more security context; the more context, the more accelerated “mean time to know”; the faster “mean time to know,” the faster the actions to remediate security risk. 

The objective of every startup should be to provide world-class solutions that ingest security indicators that Amazon and numerous partners across the AWS ecosystem make available. This provides correlated security context and reduces business resource requirement to quickly address the growing cyber threats businesses face every day.   

We are not threatened by the actions of AWS but instead are encouraged by it. We welcome the additional security indicators you are making available through your tools and services. I strongly feel that “us vs. them” is not a vendor vs. vendor discussion. Rather, “us vs. them” is the collaboration of innovative cyber companies of all sizes “versus” those that are motivated by widespread global economic, public safety and national security disruption.

The collaboration of innovative cyber security companies is a win-win for all. We are not willing to close our doors at the “threat” of larger companies investing in the cyber market, but instead, we use it as fuel to further our passion and conviction for our defined mission.

This is what is in the best interest of our mutual customers. I encourage you to maintain your commitment to the ecosystem and for my fellow partners to work together to help customers defend and protect themselves from the increased assault on the data companies are moving to the cloud.

Best regards,

Brian Ahern

CEO & Chairman, Threat Stack

Beat Them at Their Own Game: Understanding and Neutralizing Evasive Malware Tactics in the Face of Rising Attacks
Fri, 16 Mar 2018 07:34:23 -0500

Chasing malware developers through their cyber rabbit holes might be a fun challenge for security researchers, but for the rest of us, the effectiveness of modern attack methods is frustrating and alarming. Incidents that involved evasive malware, and in particular fileless techniques for bypassing endpoint security measures, were prevalent in 2017. They are set to be even more damaging, costly, and exasperating in 2018.

It’s an old story by now — the more security pros learn about protecting their organizations against malware, the more wily and sophisticated the adversaries get. The adversaries will always have the incentive and the ability to bypass detection-based technologies. In order to protect their nefarious creations (and their investments), attackers will try everything they can in order to evade detection.

The ability for attackers to avoid being detected isn’t as simple as it sounds when an entire world’s worth of security experts, artificial intelligence systems, and endpoint protection software vendors are focused on doing just that. And the stakes are getting higher. Experts predict that this year, state-sponsored hackers, hacktivists, and crime syndicates will leverage and target major events like the Olympics and U.S. midterm elections. Even more alarming, it is expected that ransomware attacks on hospitals and IoT devices will turn deadly, as attackers extort money and power by hijacking control of pacemakers and other critical equipment.

Malware developers use a number of techniques to ensure that their malicious code runs even on endpoints that use a variety of products dedicated to identifying, detecting, and eradicating malware. These techniques are well documented, can be understood by day-to-day attackers, and are increasingly offered as an easy-to-deploy service by cybercrime syndicates. Common evasive techniques include:

Refusing to Infect in “Hostile” Environments

Malware developers want to avoid having their code fingerprinted, which subsequently makes their malware known to antivirus solutions (and therefore readily blocked). Such malicious software is constructed to avoid virtualization environments, sandboxes, and antivirus solutions by shutting itself down and leaving no trace through artifacts or executed processes.

Using Memory Injection

Malicious code injects itself into trusted processes on the system, abusing the legitimate capabilities of the operating system or software to avoid solutions that look for new and unwanted files and processes. Malicious code is concealed in a file using a packer or other technique, so it arrives looking normal, injects itself into other legitimate applications, and gains a foothold. Such techniques are used in the fileless attacks mentioned above. One of these schemes recently made headlines by targeting organizations providing critical support to the Olympics. The attack combined a phishing email, a weaponized Word file, and a hidden PowerShell script. Using native PowerShell functions to evade pattern-matching solutions and other defenses, attackers are able to establish a link to a remote server, possibly with the intention of downloading more malware.

Using Document Files

Malware hides in documents (Word, Excel, PDF) using macros, website links, and exploits to bypass defenses. This type of attack can also be complex to detect. Consider, for example, a PDF file that contains an embedded Word document, which includes a macro that downloads and executes additional malicious code on an endpoint. These evasive tactics make it difficult for both traditional and next-gen AV solutions to separate malicious from non-malicious files.

Evasion techniques allow adversaries to get past even modern endpoint security solutions, regardless of whether they’re based on signatures, behavioral monitoring, file reputation, machine learning, or heuristics. Besides being complex and creatively manipulative, there are several reasons why these evasion techniques work, even against modern AV defenses:

  • All forms of AV are based, at least to some extent, on historical information (signatures, behavior patterns, etc.), even if this information is used to develop a machine learning model. If there are no fingerprints or historical threat artifacts to “convict” for detection, the malware is invisible to these solutions.
  • Malware gets regular updates. The adversaries are motivated to keep their attack tools fresh and unknown.
  • Malware is often purpose-built to avoid detection and tested against current implementations of defense solutions. Adversaries ensure that their attacks will be invisible to traditional as well as next-gen AV solutions by devising software that differs from expected patterns and adding combinations of obfuscation tactics.

Evolving Your Endpoint Protection Strategy

Baseline AV products, be they traditional or next gen, play an important role in safeguarding the endpoint, but attackers will always find ways around their detection-based approaches. That’s why such technologies aren’t sufficient by themselves to secure laptops, workstations, servers or other devices in the modern enterprise. To block attacks, security teams need to better understand the mechanics of evasion and the limits of signature, pattern, and behavior-based security solutions.

Mind the gap created by your security tools’ ability to detect and block malicious code and the hackers’ ability to evade detection — you can be sure they are well aware of it. Augment baseline AV with anti-evasion solutions designed to stop this kind of malware by blocking its attempts to bypass detection. In other words, focus on breaking or otherwise negating the evasive techniques themselves, rather than solely detecting the malicious software. By “attacking” attempts to evade your security solutions, you will force the adversaries to pick their poison: Implement evasion tactics and be stopped because of them, or don’t evade and be stopped by your baseline security controls.

If there is any hope of disarming modern and well-equipped attackers, we have to beat them at their game. Increasingly, that means outmatching them in a battle of wits by devising creative dodges, artful illusions, and cunning counter maneuvers.

About the author: Eddy Bobritsky is Co-Founder and CEO at Minerva Labs, a leading provider of anti-evasion technology for enterprise endpoints.
