Monthly Archives: October 2018

Happy Birthday, Bill Gates!

Dear Bill,

Here's wishing you Sir, likely the most successful and influential person of not just our time, but of all time, a very Happy B'day!

Photo source and attribution: https://mobile.twitter.com/BillGates/photo

Most of the world knows you as the Founder of Microsoft, a great philanthropist, and the world's wealthiest* person.


Based on my personal experience, I however know you to be someone who truly exemplifies the very words I strive to live by, and ideally, that we should all strive to live by, because in the grand scheme of things, we are all here for relatively little time.


Deep Gratitude for Mr. Gates

If I may, I'd like to share from my personal experience, a very small example of Mr. Gates thoughtfulness, humility and kindness.

One day back in 2004, when I was a Microsoft employee, I got a call from the reception of Building 33, the Executive Building at Microsoft, and I was asked to come and pick something up. When I got there, the kind lady at the reception gave me a package and said, "Bill left this for you, as he's unfortunately out of town today," and in it was a note written by Bill himself: "To Sanjay, Happy Birthday, Bill Gates" (here). (BTW, this is not customary at all at Microsoft; in fact, it was an absolute rarity.)

I couldn't believe it. Bill Gates, our CEO, and the world's most successful and wealthiest person, made and took the time to wish me Happy B'day, and since he was going to be out of town, he was thoughtful enough to have it be given to me on my b'day!

Since that day, for the last fourteen years I've been working tirelessly to be able to express my profound respect and gratitude to Mr. Gates, and it is for the first time, that I feel I've done my bit to be able to thank him, not just in words, but in global IMPACT.


Mr. Gates, it is your greatness, kindness and humility that inspired me to conquer proverbial mountains as I persevered against all odds to ultimately build and deliver a paramount capability needed to secure and defend the very foundation of cyber security of and across Microsoft's global organizational customer base. In other words, your one little act of kindness led to and inspired THIS.



Birthday Wishes

Mr. Gates, today, you're wished profound joy and excellent health, but above all, you're wished that which is a rarity today, and that which sometimes even all the money in the world can't buy - True Peace of Mind and Happiness in the Simplest of Things!


BillG, I thank you for the incredible human being you are, and wish you a truly wonderful year ahead.

Namaste,
Sanjay.


PS: I occasionally come across monetarily wealthy people, you know, little multi-millionaires and billionaires, and some of them exude such arrogance, that I feel like telling them that there are people out there (e.g. you) who could buy all their wealth out a hundred times over, so how about a little humility?! :-) In stark contrast, I visited the Gates Foundation website today, and it was so incredibly refreshing to see it unequivocally communicate that All Lives Have Equal Value!  You Sir, command my respect.

What Lies at the Foundation of Organizational Cyber Security Worldwide?

Folks,

In days to come, I'm going to answer both the most important and the second most important question in all of cyber security.

Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.

Microsoft Active Directory

Today, at the very foundation of organizational cyber security worldwide lie organizations' Active Directory deployments.

It follows that every organization that operates on Microsoft Active Directory is only as secure as its foundational Active Directory deployment. After all, no matter how tall, every skyscraper is only as strong as its foundation.

In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.

Best wishes,
Sanjay

IDG Contributor Network: Unique collaboration turned a governor’s vision of a cyber center into reality

A recent McKinsey article states that cyberattacks are costly, and they appear to be broadening in scope. Every corporate boardroom and even federal, state and local government agencies are discussing how to avert cyber threats. The State of Georgia is addressing this issue.

Governor Nathan Deal announced his vision for a Cyber Center in his State of the State Address on January 11, 2017. It was more than a vision; it became a reality in just 18 months with the ribbon-cutting ceremony on July 10, 2018. And now it is positioned to become one of the world’s leading centers for cybersecurity. Governor Deal tasked State CIO Calvin Rhodes to turn his vision into reality, and that he did. The story of how a unique collaboration among government, academia, the military and the private sector is resulting in a cyber ecosystem is truly remarkable. I had the opportunity to speak with Rhodes about the Cyber Center and following is an excerpt from our conversation.


Have Network, Need Network Security Monitoring

I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company (Corelight), but I am not writing this post in any corporate capacity.

There is a tendency in many aspects of the security operations community to shy away from network-centric approaches. The rise of encryption and cloud platforms, the argument goes, makes methodologies like NSM less relevant. The natural response seems to be migration towards the endpoint, because it is still possible to deploy agents on general purpose computing devices in order to instrument and interdict on the endpoint itself.

It occurred to me this morning that this tendency ignores the fact that the trend in computing is toward closed computing devices. Mobile platforms, especially those running Apple's iOS, are not friendly to introducing third party code for the purpose of "security." In fact, one could argue that iOS is one of, if not the, most secure platforms, thanks to this architectural decision. (Timely and regular updates, a policed application store, and other choices are undoubtedly part of the security success of iOS, to be sure.)

How is the endpoint-centric security strategy going to work when security teams are no longer able to install third party endpoint agents? The answer is -- it will not. What will security teams be left with?

The answer is probably application logging, i.e., usage and activity reports from the software with which users interact. Most of this will likely be hosted in the cloud. Therefore, security teams responsible for protecting work-anywhere-but-remote-intensive users, accessing cloud-hosted assets, will have really only cloud-provided data to analyze and escalate.

It's possible that the endpoint providers themselves might assume a greater security role. In other words, Apple and other manufacturers provide security information directly to users. This could be like Chase asking if I really made a purchase. This model tends to break down when one is using a potentially compromised asset to ask the user if that asset is compromised.

In any case, this vision of the future ignores the fact that someone will still be providing network services. My contention is that if you are responsible for a network, you are responsible for monitoring it.

It is negligent to provide network services but ignore abuse of that service.

If you disagree and cite the "common carrier" exception, I would agree to a certain extent. However, one cannot easily fall back on that defense in an age where Facebook, Twitter, and other platforms are being told to police their infrastructure or face ever more government regulation.

At the end of the day, using modern Internet services means, by definition, using someone's network. Whoever is providing that network will need to instrument it, if only to avoid the liability associated with misuse. Therefore, anyone operating a network would do well to continue to deploy and operate network security monitoring capabilities.

We may be in a golden age of endpoint visibility, but closure of those platforms will end the endpoint's viability as a source of security logging. So long as there are networks, we will need network security monitoring.

National Cryptocurrencies – A Viable State Alternative to the Established Norm?

Cryptocurrency appears to be gaining traction among governments seeking to establish their own digital currencies, despite questions regarding the volatility associated with it.  Currently, the countries that have already created digital currencies include China, Ecuador, Senegal, Singapore, and Tunisia, with Estonia, Japan, Palestine, Russia, and Sweden potentially following suit.  Even a small country like the Marshall Islands has announced its intent to create its own digital currency in order to boost its economy; it will be on par with the U.S. dollar as a form of payment.  What seemed like a novel thought exercise as to whether cryptocurrency could be a legitimate alternative to the established norm now appears to be an option that governments are more closely considering.  In fact, some have speculated that further adoption of country-specific cryptocurrencies could have serious implications for the established international monetary system.

Whether that transpires remains another intellectual exercise in the possibilities of what "could be"; one thing is clear – states on the receiving end of stringent economic sanctions are turning to cryptocurrency as a way to assuage these penalties.  One of these countries is Iran, which is reported to be very interested in creating a digital currency, a major shift from its initial stance of banning banks from dealing in cryptocurrency.  According to one news source, the Secretary of Iran's Supreme Council of Cyberspace envisaged the use of cryptocurrencies to "smoothen trade" between Iran and its partners in the wake of renewed U.S.-imposed sanctions.  The same individual revealed that a state-backed cryptocurrency was accepted as an industry by the government and related organizations such as the Ministry of Communications and Information Technology, the Central Bank, the Ministry of Energy, the Ministry of Industry, Mining, and Trade, and the Ministry of Economic Affairs and Finance.

Iran is not alone in this endeavor.  Cryptocurrencies have been leveraged by some countries in order to evade sanctions imposed on them by parts of the global community, as such transactions may transpire without oversight or tracking.  Venezuela has been a leader in creating a government-supported cryptocurrency to accomplish this objective.  In December 2017, Venezuela created the "Petro" – a cryptocurrency intended to supplement Venezuela's bolívar fuerte currency and help overcome U.S. sanctions.  Another example is North Korea.  Although it has not yet created its own cryptocurrency, the North Korean regime has been accused of plundering cryptocurrency exchanges in order to steal vast sums of money to take the sting off of the sanctions that it faces.

The question remains – how successful are cryptocurrencies in achieving the goal of sanctions relief for penalized governments?  To be fair, success or failure will largely be tied to a government's solvency and stability and to the currency's ability to be used effectively as a positive instrument.  In the case of Venezuela, all indications point to a failure.  According to recent news reporting, the oil reserve-backed cryptocurrency is hardly used, with the government showing no indication of tapping into its oil reserves as it had initially promised.  To date, the Petro wasn't found on any major cryptocurrency exchange and wasn't accepted by retailers, according to the same source.  In this case, the government's lack of follow-through on its plans has led some to question whether the creation of the Petro was nothing more than a stunt or a scam.

Conversely, the announcement of a possible Iranian cryptocurrency has been met with more optimism.  The Iranian government's announcement that it was going to legalize cryptocurrency mining led to a favorable response, pushing the price of Bitcoin to more than $26,000 on a local exchange.  What separates Venezuela's reality from Iran's rests largely in the governments themselves and how they go about planning and executing a cryptocurrency.  According to one Venezuelan businessman involved in cryptocurrency purchases, as of late August 2018 there was no evidence of the Petro in circulation, of its smart contracts, of the rules of the token, or of its blockchain.  Such a state of affairs nine months after its supposed launch is disappointing, to say the least.  If Iran wants to embrace a national cryptocurrency, it will have to ensure it doesn't follow in Venezuela's footsteps.

As more states – in addition to the rogue governments already mentioned – explore the possibilities of adopting cryptocurrencies, there is much speculation as to how this will affect the international monetary system currently in place.  The current system relies on a slew of internationally agreed-upon rules, norms and institutions that let countries trade and invest in each other.  Cryptocurrencies, on the other hand, rely on decentralized control, typically using blockchains that serve as a public financial transaction database.  The immediate concern is that if enough countries set up their own digital currencies, they could operate outside the existing framework of global central banks.  Some, including the head of the International Monetary Fund, believe cryptocurrencies will indeed replace banks and existing financial systems by eliminating the need for intermediaries and third-party service providers in the future.  Other experts believe cryptocurrencies are going to displace roughly 25% of national currencies by 2030.

That said, cryptocurrency is susceptible to volatility and risk, and the scalability of cryptocurrency mining doesn't seem feasible, at least for the present.  However, these challenges can and likely will be addressed over time.  For rogue states seeking sanctions relief, cryptocurrency has yet to prove its ability to deliver.  And that may be the first litmus test for other nation states – seeing whether this hot new commodity is the viable alternative so many believe it is.  Venezuela's experiment has all but ended.  Iran is next up on the block.


This is a guest post by Emilio Iasiello

The post National Cryptocurrencies – A Viable State Alternative to the Established Norm? appeared first on CyberDB.

MartyMcFly Malware: Targeting Naval Industry

Today I'd like to share an interesting analysis of a targeted attack found and dissected by Yoroi (technical details are available here). The victim is one of the most important companies in Italy's security and defence-grade naval industry. Everything started from a well-crafted email sent to the right office, asking for prices of naval engine spare parts. The mail was clear, written in fluent language, and listed detailed spare parts matching real engine parts. The email presented two attachments to the victim:
  • A company profile, presenting the company that was asking for spare parts
  • A Microsoft .XLSX where (apparently) the list of the needed spare parts was available
The attacker asked for a quotation on the entire spare part list in the spreadsheet, so the victim had to open the included Microsoft spreadsheet in order to enumerate the "fake customer's" needs. Opening the Excel file infects the machine.

Let's go deep into that file and see what is happening there. At first sight the office document had encrypted content in OleObj.1 and OleObj.2. Those objects are real encrypted OLE objects: the encrypted payload sits in the "EncryptedPackage" stream, and the information on how to decrypt it is in the "EncryptionInfo" xml descriptor. However, EncryptionInfo held the encryption algorithm and additional information about the payload, but no key was provided. The question here was disruptive. How is Microsoft Excel able to decrypt such content if no password is requested from the end user? Put differently, if the victim opens the document without knowing any "secret key", how can he or she get infected? And why would the attacker use an encrypted payload if the victim cannot open it?

Stage1: Encrypted Content

Using an encrypted payload is quite a common way to evade antivirus, since the ciphertext changes with the key used. But what is the key?

Well, Microsoft Excel has a default password. When it opens an encrypted workbook it first silently tries the hard-coded string "VelvetSweatshop", and only prompts the user if that fails. The origin of this is the "Read Only" mode: a file protected this way could be opened even though encrypted, and Excel asks the user for the password only when he or she wants to save, print or modify the content; for that case Microsoft's programmers used a special, static key to decrypt "Read Only" documents, and that key is "VelvetSweatshop" (a nice old article on that). Let's try this "key" to decrypt the content. The following image shows a brand new stage: a valid extracted xlsx file wrapping more objects, which we define as Stage2.
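Excel supports two encryption schemes for an encrypted OOXML package: "Standard" (binary EncryptionInfo, AES-ECB, 50,000-round SHA-1 key derivation) and "Agile" (XML EncryptionInfo). The default-password trick works for both. As an added example (mine, not Yoroi's or the original post's code), the following stdlib-only Python parses a Standard-encryption EncryptionInfo stream and derives the AES key exactly as Excel does from "VelvetSweatshop", per MS-OFFCRYPTO 2.3.4.5/2.3.4.7/2.3.4.9. The EncryptionInfo bytes it builds are constructed for the demo and are not taken from the MartyMcFly sample; the AES-ECB primitive needed to decrypt the verifier and the EncryptedPackage is injected as a callable, since Python's standard library has no AES.

```python
import hashlib
import struct

DEFAULT_PASSWORD = "VelvetSweatshop"      # tried silently by Excel before it prompts
ALG_ID_AES = {0x660E: 128, 0x660F: 192, 0x6610: 256}   # MS-OFFCRYPTO AlgID -> key bits
ALG_ID_HASH_SHA1 = 0x8004
SPIN_COUNT = 50000                        # fixed iteration count for Standard encryption


def parse_encryption_info(blob: bytes) -> dict:
    """Split a Standard-encryption EncryptionInfo stream into its fields
    (MS-OFFCRYPTO 2.3.4.5: version, EncryptionHeader, EncryptionVerifier)."""
    v_major, v_minor, _flags, header_size = struct.unpack_from("<HHII", blob, 0)
    if (v_major, v_minor) not in ((3, 2), (4, 2)):
        raise ValueError(f"not Standard encryption (version {v_major}.{v_minor})")
    hdr = blob[12:12 + header_size]
    (_hflags, _extra, alg_id, alg_id_hash, key_bits,
     _provider, _r1, _r2) = struct.unpack_from("<8I", hdr, 0)
    if ALG_ID_AES.get(alg_id) != key_bits or alg_id_hash != ALG_ID_HASH_SHA1:
        raise ValueError(f"unsupported AlgID {alg_id:#x}/AlgIDHash {alg_id_hash:#x}")
    csp_name = hdr[32:].decode("utf-16-le").rstrip("\x00")
    off = 12 + header_size
    (salt_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    salt = blob[off:off + salt_size]
    off += salt_size
    enc_verifier = blob[off:off + 16]          # one AES block
    off += 16
    (verifier_hash_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    enc_verifier_hash = blob[off:off + 32]     # SHA-1 digest padded to 32 bytes for AES
    return {"key_bits": key_bits, "csp_name": csp_name, "salt": salt,
            "encrypted_verifier": enc_verifier, "verifier_hash_size": verifier_hash_size,
            "encrypted_verifier_hash": enc_verifier_hash}


def derive_key(password: str, salt: bytes, key_bits: int) -> bytes:
    """MS-OFFCRYPTO 2.3.4.7: password + salt -> AES key (Standard encryption)."""
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(SPIN_COUNT):                           # H_n = SHA1(LE32(n) + H_{n-1})
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + struct.pack("<I", 0)).digest()   # block number 0

    def x(pad: int) -> bytes:                              # 0x36/0x5C pads as in HMAC
        buf = bytearray([pad] * 64)
        for j, b in enumerate(h_final):
            buf[j] ^= b
        return hashlib.sha1(bytes(buf)).digest()

    return (x(0x36) + x(0x5C))[:key_bits // 8]


def plaintext_verifier_hash(verifier: bytes) -> bytes:
    """What EncryptedVerifierHash decrypts to: SHA-1(verifier) zero-padded to 32 bytes."""
    return hashlib.sha1(verifier).digest().ljust(32, b"\x00")


def password_verifies(info: dict, password: str, aes_ecb_decrypt) -> bool:
    """MS-OFFCRYPTO 2.3.4.9 check. aes_ecb_decrypt(key, data) must be a raw
    AES-ECB decryptor (e.g. built on the `cryptography` package); it is injected
    so this module stays stdlib-only."""
    key = derive_key(password, info["salt"], info["key_bits"])
    verifier = aes_ecb_decrypt(key, info["encrypted_verifier"])
    got = aes_ecb_decrypt(key, info["encrypted_verifier_hash"])[:info["verifier_hash_size"]]
    return hashlib.sha1(verifier).digest() == got


def build_sample_encryption_info(salt: bytes, enc_verifier: bytes,
                                 enc_verifier_hash: bytes, key_bits: int = 128) -> bytes:
    """Constructed EncryptionInfo stream (AES/SHA-1) for offline demonstration;
    not bytes from any real sample."""
    alg_id = {bits: aid for aid, bits in ALG_ID_AES.items()}[key_bits]
    csp = "Microsoft Enhanced RSA and AES Cryptographic Provider\x00".encode("utf-16-le")
    header = struct.pack("<8I", 0x24, 0, alg_id, ALG_ID_HASH_SHA1, key_bits, 0x18, 0, 0) + csp
    verifier = (struct.pack("<I", len(salt)) + salt + enc_verifier
                + struct.pack("<I", 20) + enc_verifier_hash)
    return struct.pack("<HHII", 4, 2, 0x24, len(header)) + header + verifier


if __name__ == "__main__":
    salt = bytes(range(16))                                # constructed salt
    info = parse_encryption_info(build_sample_encryption_info(salt, b"\x00" * 16, b"\x00" * 32))
    print(info["csp_name"], info["key_bits"],
          derive_key(DEFAULT_PASSWORD, salt, info["key_bits"]).hex())
```

With the key in hand, the EncryptedPackage stream is an 8-byte little-endian original length followed by the AES-ECB ciphertext of the zip container; once it decrypts, the inner xlsx can be scanned for OLE objects like any unencrypted file. The triage lesson is the same for either scheme: an encrypted Office attachment that opens without a prompt was encrypted with the default password, so a mail gateway that skips encrypted attachments as "unscannable" should instead try "VelvetSweatshop" and scan the result.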

Stage2: OleOBj inclusion
A quick analysis of Stage2 exposes a new embedded object (as shown in the picture "Stage2: OleOBJ inclusion"). That object was crafted on 2018-10-09 but was seen only on 2018-10-12. At this point the extracted object is in clear text; no further encrypted content was found. The following image shows the object extracted from Stage2.

Stage2: extracted Payload

It's not hard to see what the payload does (CVE-2017-11882), but running it in a dynamic engine gives better chances to prove it. The payload exploits CVE-2017-11882 by spawning the Equation Editor, which drops and executes an external PE file. We might define the Equation Editor dropping and executing as Stage3. The following image shows the connection to the dropping website performed by the Equation Editor.

Stage3: Equation Editor Spawned and connecting to Dropping URL
Evidence of what was dissected is shown in the following image (Introducing Stage4), which provides the Equation Editor network trace. We are introducing a new stage: Stage4. GEqy87.exe (Stage4) is a common Windows PE. It's placed inside an unconventional folder (js/jquery/file/...) on a compromised, thematically related website. This placement usually has a double purpose: (a) bypassing old-school or misconfigured IDS, and (b) hiding malicious software inside a well-known and trusted folder structure so that it persists across website upgrades.

Introducing Stage4. PE file dropped and executed
Stage4 is pretty interesting per se. It's a nice piece of software written in Borland Delphi 7. According to VirusTotal the software was "first seen in the wild" in 2010 but submitted only on 2018-10-12! Pretty interesting, isn't it? A hash collision across multiple years? A buggy field on VirusTotal? Or maybe not, and something more sophisticated and complex is happening out there.

Stage4: According to Virus Total

Looking into GEqy87 it's quite clear that the sample hides an additional Windows PE. On one hand it builds the new PE directly in memory by running decryption loops (not reversed here); on the other hand it redirects EIP into a pre-allocated memory section in order to reach the newly available code section.


Stage5: Windows PE hidden into GEqy87.exe
Stage5 deploys many evasion tricks, such as GetLastInputInfo, SleepX and GetLocalTime, to trick debuggers and sandboxes. It performs an explicit date check against 0x7E1 (2017): if the current year is less than or equal to 0x7E1 it skips the real behaviour, while if the current year is, for example, 2018, it runs its payload by calling through EAX (a typical control-flow redirection into crafted memory). A sandbox whose clock is set to 2017 or earlier therefore records nothing interesting from this stage.

For more technical details, please have a look here. What looks very interesting, at least from my personal point of view, is the following:
  • assuming there were no hash collisions over the years, and
  • assuming VirusTotal's "First Seen in the Wild" is right (and not bugged),
we might be facing a new threat, targeting (as of today) the naval industry, that was planned in 2010 and run in 2018.

The name MartyMcFly comes pretty naturally from the "interesting" date-back on VirusTotal. I am not confident about that date, but I can only assume VirusTotal is right.

For IoC please visit the analysis from here.


Busting 5 Cybersecurity Myths

It is no secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis, and failing to take any precautions may have catastrophic consequences. Even the biggest corporations are paying millions of dollars to improve their cybersecurity and remain safe. However, if you still believe some of the cybersecurity myths, you may put your own computer or even your whole organization at huge risk. We at CyberDB have decided to bust the top 5 cyber security myths and make them clear for you.

Only the IT department is responsible for cybersecurity

It is not wrong to say that the IT department is responsible for implementing new processes and policies to keep cybersecurity in top shape. However, it has no magic wand to protect all of the computers on the network. In reality each employee should be extremely careful when receiving and opening e-mail messages from colleagues or third parties, because an infection can spread across all of the departments within the organization and may then lead to a data breach, for example.

Using just an antivirus software is enough

Antivirus software might have been enough to save your business from a potential attack 20 years ago; nowadays it is definitely not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining popularity among attackers, getting infected and having your information locked is a matter of seconds. So using an antivirus is not always enough; you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

A strong password is enough

It is no secret that having a long and complex password on your accounts is essential. However, even big tech giants like Facebook or Apple experience data breaches and are pretty often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor authentication (2FA). At first 2FA codes were delivered by SMS, but even this can be compromised by a SIM swap or a cloned SIM card. So make sure you use an app such as Google Authenticator to make your accounts more secure.

Threats are being spread only through the Internet

Some users may think that disconnecting from the internet will prevent threats from spreading around the network, and they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in: all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online but part of our daily life, and we need to be very careful and take care of our personal information.

Only certain industries experience cyber attacks

Some businesses still believe that they will not be targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality there is information like personal addresses or credit card numbers which makes every business in every industry a potential target. Here are the industries most vulnerable to cyber-attacks nowadays:

(Figure: Top 10 Sectors Breached)

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.

“Exploring the DevSecOps Toolchain”

The authors of the SANS Institute's DEV540 Secure DevOps & Cloud Application Security course created the Secure DevOps Toolchain poster to help security teams create a methodology for integrating security into the DevOps workflow. As you can see, the poster breaks DevOps down into 5 key phases and includes a massive list of open …

A Very Simple Trillion $ Cyber Security Multiple-Choice Question

Folks,

In days to come, I'll be helping organizations worldwide understand what constitutes a privileged user in Active Directory, how to correctly audit privileged access in Active Directory, and what the world's most important Active Directory security capability is.

Today though, I just wanted to ask a very simple and elemental cyber security multiple-choice question, so here it is -


Q. What are the minimum Active Directory Security Permissions that a perpetrator needs to be able to successfully run Mimikatz DCSync against an organization's foundational Active Directory deployment?

Is it -
A. The "Get Replication Changes" Extended Right 
B. The "Get Replication Changes All" Extended Right 
C. Both A and B above 
D. Something else

I already know the answer to this simple question. I'm only asking because I believe that today every Domain Admin and every CISO at every organization that operates on Active Directory MUST know the answer to this question, and here's why.

You may be surprised if I were to share with you just how many Domain Admins and CISOs (at so many of the world's most prominent organizations) don't even seem to know what Mimikatz DCSync is, let alone know the answer!

If you know the answer to this question, and care to share, please feel free to share it by leaving a comment below.
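Whatever the answer, the ACEs worth inspecting are the ones granting the two extended rights the question names (plus the RODC-era "Replicating Directory Changes In Filtered Set" right), and anything that grants them wholesale. As an added example, not the author's code, the following PowerShell lists every trustee holding such an ACE on the domain naming context. It assumes the RSAT ActiveDirectory module and an account allowed to read the domain head's ACL; the rightsGuid values are the well-known ones from the schema's controlAccessRight objects.

```powershell
# Added example, not the author's code: list every allow ACE on the domain
# naming context that grants a replication extended right, or a superset of it.
Import-Module ActiveDirectory

# rightsGuid values of the relevant controlAccessRight objects in the schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$NullGuid      = '00000000-0000-0000-0000-000000000000'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $guid   = $ace.ObjectType.ToString().ToLower()

    if (($rights -band $GenericAll) -eq $GenericAll) {
        $granted = 'GenericAll (includes every extended right)'
    } elseif (($rights -band $ExtendedRight) -and $guid -eq $NullGuid) {
        # ExtendedRight with the null ObjectType GUID means *all* extended rights.
        $granted = 'All extended rights'
    } elseif (($rights -band $ExtendedRight) -and $ReplicationRights.ContainsKey($guid)) {
        $granted = $ReplicationRights[$guid]
    } else {
        continue
    }

    [pscustomobject]@{
        Trustee   = $ace.IdentityReference.Value
        Granted   = $granted
        Inherited = $ace.IsInherited
    }
}

$findings | Sort-Object Trustee, Granted | Format-Table -AutoSize
```

Two caveats when reading the output. First, this lists ACE holders, not effective access: a trustee that is a group covers every nested member, so each reported group's membership has to be expanded before anyone can say who actually holds the right. Second, a default domain typically shows Administrators, Domain Controllers and Enterprise Domain Controllers here (and Enterprise Read-only Domain Controllers for the filtered-set right); anything else, including service accounts created by directory-synchronisation products, deserves a written justification.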

Best wishes,
Sanjay.

IDG Contributor Network: Lack of C-suite collaboration hampering cybersecurity, report finds

Today’s businesses depend on constant, intimate digital relationships with suppliers, partners, and customers to remain top of mind and competitive. Intelligent technologies and big data often play a critical role across business operations—from C-suite decision-making to generating customized offers for online shoppers. Countless terabytes of data are stored in the cloud and more work is performed online, and an unfortunate byproduct has been dramatically increased corporate vulnerability to online attacks and more – and more expensive – security breaches. These realities are outlined in Accenture’s “2018 Securing the Future Enterprise Today” report, which also highlights the fact that some organizations are responding to this reality better than others, creating large gaps in cybersecurity resilience.  


The New Cyber Strategy Frees Up U.S. Cyber Muscle. How Will It Be Flexed?

The White House has recently published its new National Cyber Strategy, rescinding an Obama-era memorandum, Presidential Policy Directive-20 (PPD-20), that laid out the process by which the United States would undertake cyber attacks against cyber foes, including foreign state actors.  The Strategy consists of four primary pillars designed to guide how the United States will undertake defensive and, perhaps more importantly, offensive actions in order to preserve its interests in cyberspace.  Per the Strategy, the four pillars are:

  • Protect the American People, the Homeland, and the American Way of Life. The themes in the first pillar focus on key aspects of U.S. homeland security to include critical infrastructure protection, securing federal networks, supply chain management, third party contractors, and improving incident reporting to mitigate the threat of cyber crime.
  • Promote American Prosperity. This pillar focuses on the technology that supports the digital infrastructure.  Its themes are innovation, protecting intellectual property, designing and implementing next-generation infrastructure, and developing and sustaining workforce capability to support the talent pipeline.
  • Preserve Peace through Strength. The third pillar focuses on responsible state behavior in cyberspace and implementing deterrent strategies to influence state behavior. Such activities include building a credible deterrence strategy, imposing consequences to hostile actors, and countering influence operations.
  • Advance American Influence. The fourth pillar addresses collaborating with other governments in order to make the Internet safer and more reliable.  The focus is on a multi-stakeholder approach involving government and the private sector to reach consensus on topics such as Internet freedom and Internet governance.

The Strategy follows the President's May 2018 Executive Order that called for government agency cybersecurity audits designed to identify "areas of improvement, or areas where specific legislation would be needed."  The EO primarily focused on defensive aspects of the larger cyber umbrella, emphasizing federal agencies' need to adopt the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, largely considered the gold standard for security guidelines.  The Government Accountability Office (GAO) has frequently given poor marks for cyber security to U.S. government agencies, and as observed in the recent U.S. State Department breach, challenges persist in improving agency cyber security postures.

Nevertheless, the part of the Strategy that has garnered attention – and correctly so – is the language that clearly removes the tethers that have traditionally restrained the United States from engaging in offensive cyber actions.  Where PPD-20 appeared to be hindered by interagency wrangling, the new Strategy makes it clear that the United States is unburdening itself from such bureaucracy, positioning itself to launch counter attacks quickly and resolutely.  This shift in U.S. cyber policy comes at a time when suspected Russian involvement in the 2016 U.S. elections failed to elicit a "forceful response" from either the Obama or the Trump Administration, a frequent criticism levied by politicians.

There have been several iterations of a national cyber security strategy over the last decade.  The Clinton Administration had its National Plan for Information Systems, the Bush Administration had its National Strategy to Secure Cyberspace, and the Obama Administration had its Cybersecurity National Action Plan.  While there have been consistent themes in these strategies (e.g., an open and free Internet, the focus on critical infrastructure protection), the latest Strategy shows a more progressive evolution of thinking on how the cyber landscape has changed and how the United States needs to adapt to it.  Noticeably absent in the title is “security”; it is only the National Cyber Strategy, which accurately conveys the fact that “security” cannot be addressed independently without addressing how offensive actions can play a supporting role.  This is not to condemn or criticize past administrations’ strategies; cyber conflict has been evolutionary, and as such, requires each subsequent administration to review the prior one to ensure that it meets the needs and conditions of its environment.

And indeed, as cyber attacks have grown more prolific and increasingly severe, figuring out how to use counter attacks as punishment, retaliation, deterrence, or a combination thereof is critical for governments.  Cyber threats are more than disruptive or destructive attacks: they can also leverage social media platforms, and both legitimate and fabricated media outlets, to spread propaganda, misinformation, and disinformation to influence targets, and this must be considered when determining a cyber retaliatory course of action.  Adversaries have typically not suffered any official punitive cyber response from the United States, which may encourage follow-on activities such as cyber spying, intellectual property theft, or undue influence operations.  The Strategy clearly articulates its intention to use all of its domestic resources, in collaboration with like-minded states, to immediately mitigate the threat.  There is no gray area open for misinterpretation.

Unquestionably, the ability to act with agility is necessary in a domain in which attacks happen instantaneously and attribution can be murky at best.  Depending on the intent behind a punishing cyber retaliation, the ability to respond quickly, to demonstrate that cyber hostility will not be tolerated, is critical.  One big caveat, however, is that striking back must be done in an appropriate, proportional manner.  There is little doubt that the U.S. possesses the means and resources to conduct such counter strikes.  The biggest challenge for U.S. cyber retaliation is guaranteeing that the target is viable and not hiding behind some civilian façade or operating out of a third country.  The more the U.S. counters these activities, the more adversaries will invariably learn and adjust their operations accordingly, thereby balancing the scales again.  And all eyes will be on the U.S. once more, watching how it reacts.

 

This is a guest blog post by Emilio Iasiello

The post The New Cyber Strategy Frees Up U.S. Cyber Muscle. How Will It Be Flexed? appeared first on CyberDB.

Businesses Beware: Top 5 Cyber Security Risks

Hackers are working hard to find new ways to get your data, so it’s not surprising that cyber security risk is top of mind for every risk owner, in every industry. As the frequency and complexity of malicious attacks persistently grow, every company should recognize that it is susceptible to an attack at any time, whether it comes as an externally focused technical attack or as a social engineering attack. Let’s take a look at the top 5 risks that every risk owner should be preparing for.

  1. Your Own Users. It is commonly known, in the security industry, that people are the weakest link in the security chain. Despite whatever protections you put in place from a technology or process/policy point of view, human error can cause an incident or a breach. Strong security awareness training is imperative, as well as very effective documented policies and procedures. Users should also be “audited” to ensure they understand and acknowledge their role in policy adherence. One area that is often overlooked is the creation of a safe environment, where a user can connect with a security expert on any issue they believe could be a problem, at any time. Your security team should encourage users to reach out. This creates an environment where users are encouraged to be part of your company’s detection and response. To quote the Homeland Security announcements you frequently hear in airports, “If you see something, say something!” The biggest threat to a user is social engineering—the act of coercing a user to do something that would expose sensitive information or a sensitive system.
  2. Phishing. Phishing ranks number three in both the 2018 Verizon Data Breach Investigations Report’s Top 20 action varieties in incidents and its Top 20 action varieties in breaches. These statistics can be somewhat misleading: the first item on the Top 20 action varieties in breaches list is the use of stolen credentials, and number four is privilege abuse, and what better way to set up both of those attacks than with a phishing scam? Phishing coerces a user through email either to click on a link disguised as a legitimate business URL, or to open an attachment disguised as a legitimate business document. When the user clicks or opens either, bad things happen: malware is downloaded onto the system, or connectivity to a command and control server on the Internet is established. All of this is done over standard network communications and protocols, so the rest of the environment is none the wiser, unless behavioral analytics or AI-based detection is in place. What is the best form of defense here? 1.) Do not run your user systems with administrative rights: a user running as an administrator lets any malicious code they launch execute with full privileges. 2.) Train, train, and re-train your users to recognize a phishing email, or more importantly, to recognize an email that could be a phishing scam, and then to ask the right security resources for help. The best mechanism for training is to run safe, targeted phishing campaigns to verify user awareness, either internally or with a third-party partner like Connection.
  3. Ignoring Security Patches. One of the most important functions any IT or IT Security Organization can perform is to establish a consistent and complete vulnerability management program. This includes the following key functions:
  • Select and manage a vulnerability scanning system to proactively test for flaws in IT systems and applications.
  • Create and manage a patch management program to guard against vulnerabilities.
  • Create a process to ensure patching is completed.

Much malicious software is built to exploit missing patches, especially missing Microsoft patches. WannaCry and Petya, two devastating attacks, targeted systems that were missing Microsoft security update MS17-010. Eliminating the low-hanging fruit from the attacker’s strategy, by patching known and current vulnerabilities, significantly reduces the attack surface for the risk owner.

  4. Partners. Companies spend a lot of time and energy on Information Security Programs that address external and internal infrastructure, exposed Web services, applications and services, policies, controls, user awareness, and behavior. But they often ignore a significant attack vector: the partner channel, whether a data center support provider or a supply chain partner. High-profile breaches have been executed through third-party channels, Target being the most prominent. The Target breach was a classic supply chain attack, in which the company was compromised through one of its HVAC vendors. Company policies and controls must extend to all third-party partners that have electronic or physical access to the environment. Ensure your Information Security Program covers every third-party partner or supply chain source that connects to or visits your enterprise. The NIST Cyber Security Framework provides a good assessment strategy for evaluating your susceptibility to this often-overlooked risk.
  5. Data Security. In this day and age, data is the new currency. Malicious actors are scouring the Internet and Internet-exposed corporations for data that will make them money. The table below, from the Ponemon Institute’s 2018 Cost of a Data Breach Report, shows the cost to a company per record lost in a data breach.

Cost for a Single Record Data Breach

The Bottom Line

You can see that healthcare continues to be the most costly industry in which to lose data, at $408 per record; the cost in finance is nearly half that. The reason is well understood: a healthcare record contains a tremendous amount of personal information, enabling the sale of more sensitive data elements, and in many cases it can be used to build bullet-proof identities for identity theft. The cost of a breach in the US, regardless of industry, averages $7.9 million per event, and the cost of a single lost record in the US is $258.

I Can’t Stress It Enough

Data security should be the #1 priority for businesses of all sizes. To build a data protection strategy, your business needs to:

  • Define and document data security requirements
  • Classify and document sensitive data
  • Analyze security of data at rest, in process, and in motion
  • Pay attention to sensitive data like PII, ePHI, EMR, financial accounts, proprietary assets, and more
  • Identify and document data security risks and gaps
  • Execute a remediation strategy

Because it’s a difficult issue, many corporations do not address data security. Unless your business designed classification and data controls from day one, you are already well behind the power curve. Users create and have access to huge amounts of data, and data can exist anywhere—on premises, user laptops, mobile devices, and in the cloud. Data is the common denominator for security. It is the key thing that malicious actors want access to. It’s essential to heed this warning: Do Not Ignore Data Security! You must absolutely create a data security protection program, and implement the proper policies and controls to protect your most important crown jewels.

Cyber criminals are endlessly creative in finding new ways to access sensitive data. It is critical for companies to take security seriously, with a dynamic program that accounts for multiple access points. While it may seem to be an added expense, the cost of doing nothing could be far higher. So whether it’s working with your internal IT team, utilizing external consultants, or a mix of both, take steps now to assess your current situation and protect your business against a cyber attack. Stay on top of quickly evolving cyber threats. Reach out to one of our security experts today to close your business’s cyber security exposure gap!

The post Businesses Beware: Top 5 Cyber Security Risks appeared first on Connected.

Network Security Monitoring vs Supply Chain Backdoors

On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.” From the article:

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

Companies mentioned in the story deny the details, so this post does not debate the merit of the Bloomberg reporters’ claims. Rather, I prefer to discuss how a computer incident response team (CIRT) and a chief information security officer (CISO) should handle such a possibility. What should be done when hardware-level attacks enabling remote access via the network are possible?

This is not a new question. I have addressed the architecture and practices needed to mitigate this attack model in previous writings. This scenario is a driving force behind my recommendation for network security monitoring (NSM) for any organization running a network, of any kind. This does not mean endpoint-centric security, or other security models, should be abandoned. Rather, my argument shows why NSM offers unique benefits when facing hardware supply chain attacks.

The problem is one of trust and detectability: one loses trust in the integrity of a computing platform when one suspects a compromised hardware environment. One way to validate whether a computing platform is trustworthy is to monitor it from outside, at places where the hardware cannot know it is being monitored and cannot interfere with that monitoring. Software installed on the hardware is by definition untrustworthy, because the hardware backdoor may have the capability to obscure or degrade the visibility and control provided by an endpoint agent.

Network security monitoring applied outside the hardware platform does not suffer this limitation, if certain safeguards are implemented. NSM suffers limitations unique to its deployment, of course, and they will be outlined shortly. By watching traffic to and from a suspected computing platform, CIRTs have a chance to identify suspicious and malicious activity, such as contact with remote command and control (C2) infrastructure. NSM data on this C2 activity can be collected and stored in many forms, such as any of the seven NSM data types: 1) full content; 2) extracted content; 3) session data; 4) transaction data; 5) statistical data; 6) metadata; and 7) alert data.

Session and transaction data would most likely have been the most useful types for the case at hand. Once intelligence agencies identified the command and control infrastructure used by the alleged Chinese agents in this example, they could provide that information to the CIRT, who could then query historical NSM data for connectivity between enterprise assets and the C2 servers. The results of those queries would help determine if and when an enterprise was victimized by compromised hardware.

The limitations of this approach are worth noting. First, if the intruders never activated their backdoors, then there would be no evidence of communications with C2 servers. Hardware inspection would be the main way to deal with this problem. Second, the intruders may leverage popular Internet services for their C2. Historical examples include command and control via Twitter, domain fronting via Google or other Web sites, and other covert channels. Depending on the nature of the communication, it would be difficult, though not impossible, to deal with this situation, mainly through careful analysis. Third, traditional network-centric monitoring would be challenging if the intruders employed an out-of-band C2 channel, such as a cellular or radio network. This has been seen in the wild but does not appear to be the case in this incident. Technical countermeasures, whereby rooms are swept for unauthorized signals, would have to be employed. Fourth, it’s possible, albeit unlikely, that NSM sensors tasked with watching for suspicious and malicious activity are themselves hosted on compromised hardware, making their reporting also untrustworthy.

The remedy for the last instance is easier than that for the previous three. Proper architecture and deployment can radically improve the trust one can place in NSM sensors. First, the sensors should not be able to connect to arbitrary systems on the Internet. The most security conscious administrators apply patches and modifications using direct access to trusted local sources, and do not allow access for any reason other than data retrieval and system maintenance. In other words, no one browses Web sites or checks their email from NSM sensors! Second, this moratorium on arbitrary connections should be enforced by firewalls outside the NSM sensors, and any connection attempts that violate the firewall policy should generate a high-priority alert. It is again theoretically possible for an extremely advanced intruder to circumvent these controls, but this approach increases the likelihood of an adversary tripping a wire at some point, revealing his or her presence.
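Both of the checks above, the historical query of session data for contact with C2 infrastructure and the alert on an NSM sensor originating a connection its egress policy forbids, reduce to the same operation over Zeek-style conn.log records. The following Python is an added example and is not code from the original post or from Corelight or Zeek; the conn.log excerpt, the addresses (10.1.2.0/24 workstations, 10.1.9.5 as the sensor, 203.0.113.77 as the C2 indicator supplied by a third party) and the timestamps are constructed for illustration, and only a minimal subset of conn.log's columns is used.

```python
"""Query Zeek-style conn.log session data for (a) enterprise hosts that
contacted known C2 infrastructure and (b) NSM sensors that originated
connections their egress policy forbids. Added example: the log excerpt,
addresses and timestamps below are constructed, not captured data."""
import ipaddress
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Mapping, Set

Record = Dict[str, str]

# Constructed conn.log excerpt in Zeek's TSV layout: the '#fields' line names
# the columns, other '#' lines are metadata, and '-' marks an unset field.
# 10.1.2.x are workstations, 10.1.9.5 is an NSM sensor (all hypothetical).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "1538668800.120000\tCa1\t10.1.2.3\t51234\t10.1.2.20\t443\ttcp\tssl\t0.5\t900\t12000\tSF",
    "1538668861.500000\tCa2\t10.1.2.3\t51235\t203.0.113.77\t443\ttcp\tssl\t2.1\t1400\t8800\tSF",
    "1538672400.000000\tCa3\t10.1.2.9\t40000\t203.0.113.77\t8443\ttcp\t-\t-\t-\t-\tS0",
    "1538676000.250000\tCa4\t10.1.9.5\t33000\t10.1.9.1\t514\tudp\tsyslog\t0.0\t120\t0\tS0",
    "1538676100.000000\tCa5\t10.1.9.5\t33001\t198.51.100.9\t80\ttcp\thttp\t1.0\t300\t4000\tSF",
    "1538676200.000000\tCa6\t10.1.9.5\t33002\t10.1.9.2\t443\ttcp\tssl\t0.4\t500\t2000\tSF",
])


def parse_conn_log(text: str) -> List[Record]:
    """Parse Zeek TSV into dicts keyed by the names on the '#fields' line."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def find_c2_contacts(records: Iterable[Record], c2_indicators: Iterable[str]) -> List[dict]:
    """Return sessions whose responder falls inside any C2 indicator (an IP or a
    CIDR block), oldest first. A conn_state of S0 (SYN sent, nothing back) still
    counts: an attempted beacon to a C2 server that has since been taken down is
    evidence that the implant was active."""
    nets = [ipaddress.ip_network(i, strict=False) for i in c2_indicators]
    hits = []
    for r in records:
        resp = ipaddress.ip_address(r["id.resp_h"])
        if any(resp in n for n in nets):
            hits.append({
                "when": datetime.fromtimestamp(float(r["ts"]), tz=timezone.utc).isoformat(),
                "uid": r["uid"],
                "victim": r["id.orig_h"],
                "c2": f'{r["id.resp_h"]}:{r["id.resp_p"]}/{r["proto"]}',
                "state": r["conn_state"],
            })
    return sorted(hits, key=lambda h: h["when"])


def sensor_policy_violations(records: Iterable[Record], allowed: Mapping[str, Set[str]]) -> List[dict]:
    """Flag connections originated by an NSM sensor to any responder outside its
    allow-list. 'allowed' maps sensor IP -> permitted responder IPs (log
    collector, local update mirror, ...); an empty set means the sensor may
    originate nothing at all. Each hit should page someone, not sit in a dashboard."""
    out = []
    for r in records:
        src = r["id.orig_h"]
        if src in allowed and r["id.resp_h"] not in allowed[src]:
            out.append({"uid": r["uid"], "sensor": src,
                        "dest": f'{r["id.resp_h"]}:{r["id.resp_p"]}', "service": r["service"]})
    return out


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for h in find_c2_contacts(recs, ["203.0.113.77"]):  # indicator from a third party
        print("C2 contact:", h)
    for v in sensor_policy_violations(recs, {"10.1.9.5": {"10.1.9.1", "10.1.9.2"}}):
        print("SENSOR EGRESS VIOLATION:", v)
```

Run against the constructed log, the C2 query returns two sessions from two different workstations, one completed TLS session and one unanswered SYN to port 8443, which is exactly the "if and when" answer the CIRT wants; the sensor check flags the one HTTP connection from 10.1.9.5 to a host outside its allow-list. In production the same two functions would run over the archived conn.log files for the period of interest, and the sensor allow-list would mirror the rules on the firewall in front of the sensors, so that a violation in the log is corroborated by a firewall deny.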

The bottom line is that NSM must be a part of the detection and response strategy for any organization that runs a network. Collecting and analyzing the core NSM data types, in concert with host-based security, integration with third party intelligence, and infrastructure logging, provides the best chance for CIRTs to detect and respond to the sorts of adversaries who escalate their activities to the level of hardware hacking via the supply chain. Whether or not the Bloomberg story is true, the investment in NSM earns the peace of mind a CISO will enjoy when his or her CIRT is equipped with robust network visibility.

This post first appeared on the Corelight blog.

October Is National Cyber Security Awareness Month: Be Part of Something Big

2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.

Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.

Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.

The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.