Daily Archives: September 25, 2019

How can we thwart email-based social engineering attacks?

More than 99 percent of cyberattacks rely on human interaction to work, Proofpoint recently shared. More often than not, the principal attack method is phishing emails. When targeting enterprises, attackers impersonate Microsoft most often, as Office 365 is increasingly the heart of companies, providing the essential services (email, chat, document management, project management, etc.) that businesses depend on to run. They also constantly refine their tools and techniques. “While one-to-one attacks and one-to-many … More

The post How can we thwart email-based social engineering attacks? appeared first on Help Net Security.

Tackling biometric breaches, the decentralized dilemma

A recent discovery by vpnMentor revealed a worst-case scenario for biometrics: a large cache of biometric data being exposed to the rest of the world. In this case, the web-based biometric security smart lock platform BioStar 2 was breached. This breach surfaces a common flaw that many of the established providers of biometric authentication have built into their systems: many biometric providers store biometrics in a large centralized database. To avoid a biometric dystopia, adoption … More

The post Tackling biometric breaches, the decentralized dilemma appeared first on Help Net Security.

Cybersecurity breach experience strengthens CVs

It is in businesses’ best interest to hire cybersecurity leaders who have suffered an avoidable breach, because of the way it changes how security professionals think, feel and behave, according to Symantec. The findings reveal that suffering a breach – and coming out the other side – significantly reduces security leaders’ future workplace stress levels, while improving their likelihood to share knowledge. “It might sound counterintuitive at first,” comments Darren Thomson, CTO, Symantec EMEA, … More

The post Cybersecurity breach experience strengthens CVs appeared first on Help Net Security.

EU Court Limits “The Right to Be Forgotten”

The European Court of Justice ruled that the E.U.’s “right to be forgotten” privacy law only applies within the borders of its member states.

“Currently, there is no obligation under E.U. law, for a search engine operator who grants a request for de-referencing made by a data subject… to carry out such a de-referencing on all the versions of its search engine,” stated the ruling.

The court’s decision stemmed from a legal battle between online search giant Google and French privacy regulator CNIL. CNIL had called for Google to remove any references containing potentially damaging or libelous information worldwide, and attempted to impose a €100,000 fine for non-compliance.

This is the first major court decision to challenge the “right to be forgotten” online since it became effective in 2014. The right, also called the “right to erasure,” grants E.U. citizens the ability to have data collected about them deleted. Google reports that it has received over 840,000 such requests, and has removed 45% of the referenced links.

“Courts or data regulators in the U.K., France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see,” said the executive director of privacy group Article 19 in a statement.


The post EU Court Limits “The Right to Be Forgotten” appeared first on Adam Levin.

Employees are mistakenly confident that they can spot phishing emails

While a majority (79%) of people say they are able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work, according to a Webroot survey. Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn’t take the basic step … More

The post Employees are mistakenly confident that they can spot phishing emails appeared first on Help Net Security.

Adopting DevOps practices leads to improved security posture

A strong DevOps culture based on collaboration and sharing across teams leads to an improved security posture, according to Puppet. Twenty-two percent of the firms at the highest level of security integration have reached an advanced stage of DevOps maturity, compared to only six percent of the firms with no security integration. Additionally, the report found that Europe is pulling ahead of the US and the Asia Pacific regions when it comes to firms with … More

The post Adopting DevOps practices leads to improved security posture appeared first on Help Net Security.

Enterprises report IT teams’ cloud skill gaps have nearly doubled

Nearly two-thirds of organizations that currently use cloud also leverage some level of managed services, and 71% of large enterprise IT pros say that managed services will be a better use of their money in the future, with a strong majority saying it allows their teams to focus on more strategic and productive IT projects, according to 451 Research. The report examined the significance of managed services for cloud, driven by the increasing complexity of … More

The post Enterprises report IT teams’ cloud skill gaps have nearly doubled appeared first on Help Net Security.

Best Practices for Using Tripwire Enterprise in Dynamic Environments – Part 1

Just a few years ago, most IT environments were made up of deployed servers on which personnel installed applications, oftentimes as many as that one system could handle. They then remained and ran that way for years. In the meantime, the IT team maintained the system and updated the applications as needed. Sometimes there were […]… Read More

The post Best Practices for Using Tripwire Enterprise in Dynamic Environments – Part 1 appeared first on The State of Security.

Join Tripwire VERT at SecTor 2019

For the past few years, VERT has been running an IoT Hack Lab at SecTor, a security conference in Toronto, Ontario, Canada. Interested attendees (including Expo attendees, who can get a free pass using code Tripwire2019) can visit the Hack Lab with their laptop and learn how to hack various IoT devices from routers and […]… Read More

The post Join Tripwire VERT at SecTor 2019 appeared first on The State of Security.

Innovium launches new Ethernet switch silicon family for apps ranging from 1.2 to 6.4Tbps

Innovium, a leading provider of networking switch solutions for cloud, enterprise and edge data centers, announced TERALYNX 5, a new Ethernet switch silicon family for applications ranging from 1.2 to 6.4Tbps. TERALYNX 5 features unprecedented capabilities for ToR, enterprise, edge, and 5G applications with up to 128x NRZ/PAM4 SERDES, 10GbE to 400GbE ports, the largest on-chip buffers, powerful analytics, and industry-best performance per $ and performance per watt. Data center architectures are being increasingly adopted … More

The post Innovium launches new Ethernet switch silicon family for apps ranging from 1.2 to 6.4Tbps appeared first on Help Net Security.

BigID adds new compliance capabilities to meet CCPA requirements

BigID, the leader in data-centric personal data privacy and protection, announced data-driven Third-Party Data Sharing privacy compliance capabilities to help enterprises further automate and operationalize requirements around third party data sharing under regulations like the California Consumer Privacy Act (CCPA). The new privacy compliance feature integrates with BigID’s native data at rest and data in motion scanning capabilities. The documentation of third party data sharing is required under CCPA to maintain data transparency; in particular, … More

The post BigID adds new compliance capabilities to meet CCPA requirements appeared first on Help Net Security.

Immuta’s platform enhanced with sensitive data detection and privacy-enhancing features

Immuta introduced new sensitive data detection and additional privacy-enhancing features to its leading Automated Data Governance platform. Immuta’s Fall 2019 release enables customers to automatically detect sensitive consumer data — such as first/last name, social security number and address — to build data privacy policies that ensure compliance with major data regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). As … More

The post Immuta’s platform enhanced with sensitive data detection and privacy-enhancing features appeared first on Help Net Security.

DemystData selected to help empower users on the Snowflake Data Exchange

Snowflake, the data warehouse built for the cloud, announced DemystData has been selected to help empower users on the Snowflake Data Exchange. The partnership will enable DemystData to begin to bring its massive and growing repository of 500-plus data products, including well-known providers such as Attom, Acxiom, Discover Org, Equifax, Experian, and Infogroup to Snowflake’s secure, fully-governed, and free-to-join data marketplace, the Snowflake Data Exchange. Chief Data Officers, data scientists, and those tasked with making … More

The post DemystData selected to help empower users on the Snowflake Data Exchange appeared first on Help Net Security.

Interview With the Guy Who Tried to Frame Me for Heroin Possession

In April 2013, I received via U.S. mail more than a gram of pure heroin as part of a scheme to get me arrested for drug possession. But the plan failed and the Ukrainian mastermind behind it soon after was imprisoned for unrelated cybercrime offenses. That individual recently gave his first interview since finishing his jail time here in the states, and he’s shared some select (if often abrasive and coarse) details on how he got into cybercrime and why. Below are a few translated excerpts.

When I first encountered now-31-year-old Sergei “Fly,” “Flycracker,” “MUXACC” Vovnenko in 2013, he was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

Many of the heavy-hitters from other fraud forums had a presence on Fly’s forum, and collectively the group financed and ran a soup-to-nuts network for turning hacked credit card data into mounds of cash.

Vovnenko first came onto my radar after his alter ego Fly published a blog entry that led with an image of my bloodied, severed head and included my credit report, copies of identification documents, pictures of our front door, information about family members, and so on. Fly had invited all of his cybercriminal friends to ruin my financial identity and that of my family.

Somewhat curious about what might have precipitated this outburst, I was secretly given access to Fly’s cybercrime forum and learned he’d freshly hatched a plot to have heroin sent to my home. The plan was to have one of his forum lackeys spoof a call from one of my neighbors to the police when the drugs arrived, complaining that drugs were being delivered to our house and being sold out of our home by Yours Truly.

Thankfully, someone on Fly’s forum also posted a link to the tracking number for the drug shipment. Before the smack arrived, I had a police officer come out and take a report. After the heroin showed up, I gave the drugs to the local police and wrote about the experience in Mail From the Velvet Cybercrime Underground.

Angry that I’d foiled the plan to have me arrested for being a smack dealer, Fly or someone on his forum had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

The floral arrangement that Fly or one of his forum lackeys had delivered to my home in Virginia.

Vovnenko was arrested in Italy in the summer of 2014 on identity theft and botnet charges, and spent some 15 months in arguably Italy’s worst prison contesting his extradition to the United States. Those efforts failed, and he soon pleaded guilty to aggravated identity theft and wire fraud, and spent several years bouncing around America’s prison system.

Although Vovnenko sent me a total of three letters from prison in Naples (a hand-written apology letter and two friendly postcards), he never responded to my requests to meet him following his trial and conviction on cybercrime charges in the United States. I suppose that is fair: To my everlasting dismay, I never responded to his Italian dispatches (the first I asked to be professionally analyzed and translated before I would touch it).

Seasons greetings from my pen pal, Flycracker.

After serving his 41 month sentence in the U.S., Vovnenko was deported, although it’s unclear where he currently resides (the interview excerpted here suggests he’s back in Italy, but Fly doesn’t exactly confirm that). 

In an interview published on the Russian-language security blog Krober[.]biz, Vovnenko said he began stealing early in life, and by 13 was already getting picked up for petty robberies and thefts.

A translated English version of the interview was produced and shared with KrebsOnSecurity by analysts at New York City-based cyber intelligence firm Flashpoint.

Sometime in the mid-aughts, Vovnenko settled with his mother in Naples, Italy, but he had trouble keeping a job for more than a few days, until a chance encounter led to a front job at a den of thieves.

“When I came to my Mom in Naples, I could not find a permanent job. Having settled down somewhere at a new job, I would either get kicked out or leave in the first two days. I somehow didn’t succeed with employment until I was invited to work in a wine shop in the historical center of Naples, where I kinda had to wipe the dust from the bottles. But in fact, the wine shop turned out to be a real den and a sales outlet of hashish and crack. So my job was to be on the lookout and whenever the cops showed up, take a bag of goods and leave under the guise of a tourist.”

Cocaine and hash were plentiful at his employer’s place of work, and Vovnenko said he availed himself of both abundantly. After he’d saved enough to buy a computer, Fly started teaching himself how to write programs and hack stuff. He quickly became enthralled with the romanticized side of cybercrime — the allure of instant cash — and decided this was his true vocation.

“After watching movies and reading books about hackers, I really wanted to become a sort of virtual bandit who robs banks without leaving home,” Vovnenko recalled. “Once, out of curiosity, I wrote an SMS bomber that used a registration form on a dating site, bypassing the captcha through some kind of rookie mistake in the shitty code. The bomber would launch from the terminal and was written in Perl, and upon completion of its work, it gave out my phone number and email. I shared the bomber somewhere on one of my many awkward sites.”

“And a couple of weeks later they called me. Nah, not the cops, but some guy who comes from Sri Lanka who called himself Enrico. He told me that he used my program and earned a lot of money, and now he wants to share some of it with me and hire me. By a happy coincidence, the guy also lived in Naples.”

“When we met in person, he told me that he used my bomber to fuck with a telephone company called Wind. This telephone company had such a bonus service: for each incoming SMS you received two cents on the balance. Well, of course, this guy bought a bunch of SIM cards and began to bomb them, getting credits and loading them into his paid lines, similar to how phone sex works.”

But his job soon interfered with his drug habit, and he was let go.

“At the meeting, Enrico gave me 2K euros, and this was the first money I’ve earned, as it is fashionable to say these days, on ‘cybercrime’. I left my previous job and began to work closely with Enrico. But always stoned out of my mind, I didn’t do a good job and struggled with drug addiction at that time. I was addicted to cocaine, as a result, I was pulling a lot more money out of Enrico than my work brought him. And he kicked me out.”

After striking out on his own, Vovnenko says he began getting into carding big time, and was introduced to several other big players on the scene. One of those was a cigarette smuggler who used the nickname Ponchik (“Doughnut”).

I wonder if this is the same Ponchik who was arrested in 2013 for being the mastermind behind the Blackhole exploit kit, a crimeware package that fueled an overnight explosion in malware attacks via Web browser vulnerabilities.

In any case, Vovnenko had settled on some schemes that were generating reliably large amounts of cash.

“I’ve never stood still and was not focusing on carding only, with the money I earned, I started buying dumps and testing them at friends’ stores,” Vovnenko said. “Mules, to whom I signed the hotlines, were also signed up for cashing out the loads, giving them a mere 10 percent for their work. Things seemed to be going well.”

FAN MAIL

There is a large chronological gap in Vovnenko’s account of his cybercrime life story from that point on until the time he and his forum friends started sending heroin, large bags of feces and other nasty stuff to our Northern Virginia home in 2013.

Vovnenko claims he never sent anything and that it was all done by members of his forum.

-Tell me about the packages to Krebs.
“That ain’t me. Suitcase filled with sketchy money, dildoes, and a bouquet of coffin wildflowers. They sent all sorts of crazy shit. Forty or so guys would send. When I was already doing time, one of the dudes sent it. By the way, Krebs wanted to see me. But the lawyer suggested this was a bad idea. Maybe he wanted to look into my eyes.”

In one part of the interview, Fly is asked about but only briefly touches on how he was caught. I wanted to add some context here because this part of the story is richly ironic, and perhaps a tad cathartic.

Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a nice young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.

Fly/Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”

But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.

Mistake number two was that the password for his email account was the same as the one for one of his cybercrime forum admin accounts. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.

Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.

I suspect this may be because the nature of their activities requires them to create vast numbers of single- or brief-use accounts, and in general they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.

In addition to elaborating on his hacking career, Fly talks a great deal about his time in various prisons (including their culinary habits), and an apparent longing or at least lingering fondness for the whole carding scene in general.

Towards the end, Fly says he’s considering going back to school, and that he may even take up information security as a field of study. I wish him luck in whatever that endeavor is, as long as he can also avoid stealing from people.

I don’t know what I would have written many years ago to Fly had I not been already so traumatized by receiving postal mail from him. Perhaps it would go something like this:

“Dear Fly: Thank you for your letters. I am very sorry to hear about the delays in your travel plans. I wish you luck in all your endeavors — and I sincerely wish the next hopeful opportunity you alight upon does not turn out to be a pile of shit.”

The entire translated interview is here (PDF). Fair warning: Many readers may find some of the language and topics discussed in the interview disturbing or offensive.

Attention YouTubers: Protect Your Account From Being Hacked

Did you know that YouTube has 23 million content creators worldwide? Well, it turns out that many of these video gurus found themselves in the middle of a cybersecurity calamity this past weekend. According to Forbes, reporter Catalin Cimpanu discovered a massive spear phishing campaign targeting YouTube content creators, tricking them into giving up their login credentials.

How are cybercriminals using this sneaky tactic to swipe victims’ logins? Cimpanu found that the hackers leveraged a substantial database to send emails to a targeted list of YouTube influencers. These emails contained phishing links luring the victims to fake Google login pages. Once the YouTuber entered their login credentials, the attacker gained full access to the victim’s YouTube account, allowing them to change the vanity URL. This leaves the actual owner of the channel and their subscribers believing that the account has been deleted. Additionally, some of the accounts that were successfully hijacked used two-factor authentication (2FA) via SMS, suggesting that the cybercriminals used a reverse proxy. A reverse proxy sits between the victim and the genuine login page and relays traffic in both directions, which lets the attacker capture the SMS 2FA code in real time as the victim enters it.

Those targeted in this phishing scheme include mostly influencers covering a variety of genres, especially technology, music, gaming, and Disney. But with millions of content creators using YouTube as a platform to share their insights with the world, it’s critical that all users follow proper cybersecurity precautions to protect their credentials. So, what are some proactive steps YouTubers can take to ensure that their accounts are kept safe and secure? Check out the following tips:

  • Be on the lookout for phishing emails. If you receive an email from a company or business asking you to confirm your credentials, be skeptical. Phishers often forge messages from legitimate companies hoping to trick users into entering their login details.
  • Think before you click. Before clicking on a link, especially one in a suspicious email, hover over it to see if the URL address looks legitimate. If the URL contains misspellings, grammatical errors, or strange characters, it’s best to avoid interacting with the link.
  • Use two-factor authentication apps. While two-factor authentication is by no means an end-all, be-all security tactic, it does provide a good first line of defense if a hacker attempts to hijack your account. For this particular scheme, cybercriminals were able to bypass 2FA via SMS and intercept security codes. Therefore, users need to look into authenticator app options rather than simply relying on a code sent over SMS.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention YouTubers: Protect Your Account From Being Hacked appeared first on McAfee Blogs.

Bandura Cyber and Anomali partnership to increase network security control effectiveness

Bandura Cyber, the leading provider of threat intelligence gateways, announced a partnership with Anomali, a provider of intelligence-driven cybersecurity solutions. As a new member of the Anomali partner program, the Bandura Cyber Threat Intelligence Gateway (TIG) is now available on the Anomali APP Store. Together, Bandura Cyber and Anomali will now empower customers to more effectively and efficiently operationalize threat intelligence to detect and block cyber threats in an easier, more scalable, and automated way … More

The post Bandura Cyber and Anomali partnership to increase network security control effectiveness appeared first on Help Net Security.

Smashing Security #147: Don’t Snapchat and drive

How is private medical data leaking onto the streets of Milton Keynes, what is widening the cybersecurity skills gap, and how is Australia controversially tackling the problem of drivers using their mobile phones?

All this and more can be heard in the latest “Smashing Security” podcast.

Coronet, Slice and AXA expand SMB resources for securing on-demand cyber insurance protection

Coronet, a world leader in security as-a-service powered by AI and cloud, announced a partnership with Slice Labs, the first on-demand insurance cloud platform provider supporting digital ecosystems, to provide the small to medium sized business market with on-demand cybersecurity insurance provided by AXA XL, a division of AXA. Through the partnership, Slice will offer on-demand cyber insurance underwritten by an AXA XL insurance company, Indian Harbor Insurance Company, to Coronet’s small business customers. Additionally, … More

The post Coronet, Slice and AXA expand SMB resources for securing on-demand cyber insurance protection appeared first on Help Net Security.

Cycode raises $4.6M to launch source code control, detection and response solution

Enterprise security startup Cycode, pioneering the first-ever solution for source code control, detection and response, announced $4.6 million in seed funding. The round was led by YL Ventures with participation from security industry leaders including Mike Fey (CEO of D2iQ and former president & COO of Symantec), Andy Grolnick (former president & CEO, LogRhythm), Justin Somaini (former CSO, SAP) and Eyal Gruner (founder & CEO, Cynet). Founded and led by former Symantec security architect Lior … More

The post Cycode raises $4.6M to launch source code control, detection and response solution appeared first on Help Net Security.

Odix receives €2M from the EU Commission to bring cybersecurity technology to SMEs

Cybersecurity firm odix recently secured a €2 million grant from the European Commission (EC) to bring their enterprise-grade cybersecurity technology to SMEs. The company was among the select ventures that were awarded funding as part of the EU’s Horizon 2020 SMEI research and innovation program. “We are very proud to be amongst the top batch of selected companies of the EC, it’s a sign of great recognition and trust in our unique technology” said Dr. … More

The post Odix receives €2M from the EU Commission to bring cybersecurity technology to SMEs appeared first on Help Net Security.

Czech Intelligence’s report attributes major cyber attack to China

The Czech Intelligence agency blames China for a major cyber attack that hit a key government institution in the Czech Republic in 2018.

According to a report published by the NUKIB Czech Intelligence agency, China carried out a major cyber attack on a key government institution in the Czech Republic last year.

The report issued by the NUKIB agency states that the attack “was almost certainly carried out by a state actor or a related group,” and “a Chinese actor” is the main suspect.

In August, 2019, a parliamentary committee in the Czech Republic revealed that the National Cyber and Information Security Agency blamed a foreign state for a cyber attack that targeted the Czech Foreign Ministry.

The committee did not reveal the name of the state allegedly involved in the attack. A government source told Reuters that Czech authorities suspected the attacks originated from Russia. The Czech experts discovered the security breach in early January 2017.

Interior Minister Jan Hamacek told the CTK news agency that government infrastructure had been dealing with the cyber attack for several months.

Czech intelligence warns of cyber attacks launched by both Chinese and Russian threat actors.

“The Czech cabinet is due to discuss the findings on Monday,” reported AFP. “NUKIB spokesman Radek Holy told AFP the watchdog would not make the report public until then.”

Pierluigi Paganini

(SecurityAffairs – Czech Intelligence, hacking)

The post Czech Intelligence’s report attributes major cyber attack to China appeared first on Security Affairs.

What Is SIEM?


SIEM—or security information and event management—is a software category that aims to give organizations helpful insights into potential security threats across critical business networks through data normalization and threat prioritization. This is possible via a centralized analysis of security data pulled from a variety of systems, including anti-virus applications, firewalls, and intrusion prevention solutions.

SIEM software relays actionable intelligence that enables you to manage potential vulnerabilities proactively, protecting your business and your customers from devastating data breaches. Think of it as a lens that sharpens your view across the big picture to help you focus your team’s efforts on where they can have the most impact.

A Brief History of SIEM Tools

Gartner coined the term ‘SIEM’ (pronounced “sim”) in a 2005 report called “Improve IT Security With Vulnerability Management.” The term brings together the concepts of security event management (SEM) and security information management (SIM) to achieve the best of both worlds. SEM covers the monitoring and correlating of events in real time, as well as alert configuration and the console views related to these activities. SIM takes this data to the next phase, which includes storage, analysis, and reporting of the findings.

Why Does SIEM Matter?

It’s no secret that security threats are increasing, and they can come from both internal and external sources. One rapidly rising concern is that of employees who accidentally misconfigure security settings in a way that leaves your data vulnerable to attack. To address these issues, IT organizations have put various systems in place to protect against intrusion and a host of different threats.

The downside of these safeguards is they generate so much monitoring data that IT teams are then faced with the problem of interpreting it all to pinpoint actual problems. In fact, the volume of security data flowing to understaffed IT security groups is largely useless unless it can be quickly analyzed and filtered into actionable alerts. Given the reams of data in question, it’s no longer possible for organizations to use manual analysis to handle this job. This is where SIEM solutions step in.

With SIEM software, IT professionals have an effective method of automating processes and centralizing security management in a way that helps them simplify the difficult task of protecting sensitive data. SIEM tools give these experts a leg up in understanding the difference between a low-risk threat and one that could be detrimental to the business.

Data Normalization Is Key

Having security data flowing into this centralized view of your infrastructure is effective only when that data can be normalized. This means that despite thousands or millions of inputs coming from different systems and sources, everything can be put into a common format ready for the SIEM solution to conduct its analysis and correlation. This takes the workload off your team and enables them to leverage a streamlined view of activity and potential concerns.

Key Capabilities of a SIEM Solution

The SIEM solutions available today share commonalities which are important for your operations. You’ll want the ability to:

  • Centralize your view of potential threats
  • Determine which threats require remediation, and which are simply noise
  • Escalate issues to the appropriate security analysts who can take fast action
  • Include context for security events to enable well-informed fixes
  • Document detected events and how they were remedied in an audit trail
  • Show compliance with key industry regulations in an easy reporting format


SIEM’s Role in Regulatory Compliance

SIEM software gained popularity with large businesses working to comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, it is highly useful in meeting the requirements of the EU’s General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), and others. These laws require organizations to have mechanisms in place to detect threats and resolve them quickly. This means you have to know what’s happening in a wide-reaching IT infrastructure that could span on-premises, cloud, and hybrid environments.

A SIEM solution is key to getting the right kind of insight in place to monitor data and act quickly on threats determined to be cause for alarm. When all this activity is captured in a detailed audit trail, auditors can see that your organization is taking the necessary steps to protect its data.

Examples of SIEM Software in Action

SIEM tools can be used to detect any number of security threats, including the presence of ransomware, unauthorized data access, failed login attempts that fall outside standard login issues, and unusual spikes in bandwidth. Whether these threats come from internal or external sources, the software is able to send a prioritized alert notifying your team of a potential issue that should be investigated quickly.

As security threats continue to evolve, SIEM solutions will become critical components in providing organizations with a secure environment for their data. What SIEM capabilities are most important to you? Let us know in the comments below.


Silencing the Bells: How a SIEM Can Prevent Alert Fatigue


Security teams are perpetually busy protecting their organization’s data, so with the incessant pings of relentless security notifications, it’s no wonder that they feel as though their ears are ringing. As organizations grow and add more and more tools, the danger of alert fatigue grows. With hundreds of alerts pouring in, it’s difficult to discern which ones truly need attention. Worrisome vulnerabilities and dangerous malware can easily slip through the cracks, even though a security team was technically warned of the threat.

Even though alerts can be prioritized, this has done little to help in recent years. According to analyst firm EMA’s Security Megatrend Report, 95% of alerts are classified as critical. So how can security teams get some much needed quiet? Read on to find out how Security Information and Event Management (SIEM) solutions can streamline security and prevent alert fatigue.

Centralized Management to Reduce Console Fatigue

Part of the issue with alerting is the number of places from which alerts originate. Organizations regularly add more tools, making IT environments increasingly complex. Security teams are perpetually going back and forth between screens, attempting to monitor as much as they can, as fast as they can.

A SIEM can consolidate any number of data streams, becoming your organization’s primary security monitoring tool. Some SIEM tools, like Powertech Event Manager, even allow for integration of unique or unusual data sources, like a homegrown database or third-party applications. Security teams can also discern new insights from a centralized spot, completing their analysis with the added context of security data pulled from a variety of systems.

Tailor Alerts to Your Organization’s Needs

A SIEM allows for much more nuance to be built into the security alert process. Each organization is different, and SIEM solutions are designed to be as adaptable as an organization requires. Below is a list of things to keep in mind when considering or deploying a SIEM solution to ensure you’re only getting the notifications you need.

Take context into account.

While setup may be quicker if you have the same alerts for each new asset, this doesn’t accurately reflect each asset’s role and function within the wider context of the environment. Invest the time up front to think through what’s most critical for the environment overall, as well as for each individual device, and adjust the settings and defaults accordingly.

A SIEM solution like Event Manager lets you easily create dashboards, altering display details and event classifications for each device. That way, an action that may indicate a threat on one device can be recorded merely as an event on another. This reduces notifications and ensures proper prioritization, so that events escalated to alerts truly deserve to be marked critical.

Limit who is notified.

Without a SIEM, notification capabilities are often limited to sending every single alert to every single admin. But it’s rare that everyone truly needs to be notified of every single event. A SIEM allows you to have different people alerted depending on the type of event or the affected operating system. This reduces redundancy and prevents an excess of alerts from building up over time as more systems are connected.

Revisit and readjust.

As you adjust to a SIEM solution, and as your organization changes, you can always make changes. If you get an alert that isn’t of significance after your initial configuration, effective SIEM software will allow you to quickly fine-tune the settings to lower its priority or filter it out next time.

An alert that you once needed may no longer be as useful. An event that is classified as a highlighted event may need to be upgraded to a threat. Take advantage of the flexibility of your SIEM so that you never waste time, since there is never a lack of things to do for security teams. Maximizing the capabilities of each and every security tool at their disposal frees security teams and further ensures security against every type of threat.

Powertech Event Manager was developed with just these considerations in mind. Dashboards are powerful yet adaptable, with easy toggling and filtering so that you can quickly get to the most critical information. Event Manager also remains flexible, allowing for changes to be made on the fly. If an alert occurs that isn’t of significance after initial configuration, you can immediately modify the settings to filter it out. With centralized management, simple adjustments, and limitless integration possibilities, Powertech Event Manager can not only alleviate alert fatigue, it can also alleviate other headaches by streamlining your security.


Malicious Browser Push Notifications – HackingVision

Browser Push Notifications: Push notifications are small, permission-based notification messages that notify users of new messages or updated content and have the ability to reach large audiences anywhere at any time. Desktop notifications are visual notifications that appear on your screen alerting you to new messages from visitors in an ... Read more: Malicious Browser Push Notifications – HackingVision

The post Malicious Browser Push Notifications – HackingVision appeared first on HackingVision.

SAO vs. SIEM: Not Enemies, But a Security Defending Duo


Security Information and Event Management (SIEM) solutions have been with us for more than a decade. Recently, Security Automation and Orchestration (SAO) products have moved into the spotlight, causing many to wonder if the days of SIEM are numbered. However, as both products continue to evolve, it’s becoming clear that it is less a matter of SAO vs. SIEM and more a matter of SAO and SIEM.

SIEM: The Protective Wall Against Breaches

Storing, cataloging, and assigning values to activities in your server, network, and application infrastructure and their resulting logs makes a lot of sense. SIEMs allow for:

  • Data Collection and Audit Trails – SIEMs record all data surrounding security events, allowing for detailed analysis and accurate reporting for regulatory compliance. Some tools, like Event Manager, also compile data from multiple sources into a uniform format, allowing for easier analysis.
  • Prioritization – SIEMs help users determine the criticality of different security alerts, allowing teams to deal with the highest threats first.
  • IT Alerts – With a prioritization protocol in place, SIEMs can alert users to critical threats faster, allowing for a more rapid response.


SAO: The Watcher on the Wall

While SIEM is excellent for analysis and early warning, SAO focuses more on taking immediate action through automation. For example, SAO software provides:

  • Automated investigation – SAOs can help eliminate some of the time-consuming tasks brought on by the massive collection of data that SIEMs provide. For example, a security team can create a structured way to hide or discard thousands of log messages that have no day-to-day impact on IT security and business operations.
  • Escalation of alerts – Once automation procedures are configured, this allows for team members to put more focus on critical alerts that are a higher threat to the system.
  • Automatic response – SAOs can be programmed to take pre-approved system action against a threat if a common (and well understood) alert is raised.


The Future of Security

Security events are no longer an occasional burden to IT teams. They are now a constant threat that grows and changes by the hour. There is no perfect catch-all software that will protect systems and their users. Instead of choosing SAO vs. SIEM, security teams must use multiple tools in order to ensure the safety of their data.

SIEMs and SAOs are not the only two pieces of software that can work in tandem to help warn and fend off security threats. For example, combining SAO, SIEM, and Privileged Access Management (PAM) software enables an organization to be alerted to a threat, manage the attack, and isolate which account was responsible for the attack. Together, security management software like SAOs and SIEMs can help create a truly robust security portfolio.


GRA Quantum Named to 2019 MSSP Alert Top 200 Managed Security Services Providers List

Third Annual List Honors Leading MSSPs, MDR Service Providers & Cybersecurity Companies

Salt Lake City, UT., Sept. 24, 2019 — MSSP Alert, published by After Nines Inc., has named GRA Quantum to the Top 200 MSSPs list for 2019 (http://www.msspalert.com/top200). The list and research identify and honor the top 200 managed security services providers (MSSPs) that specialize in comprehensive, outsourced cybersecurity services.

Previous editions of the annual list honored 100 MSSPs. This year’s edition, at twice the size, reflects MSSP Alert’s rapidly growing readership and the world’s growing consumption of managed security services. MSSP Alert’s readership has grown every month, year over year, since launching in May 2017.

The Top 200 MSSP rankings are based on MSSP Alert’s 2019 readership survey combined with aggregated third-party research. MSSPs featured throughout the list and research proactively monitor, manage and mitigate cyber threats for businesses, government agencies, educational institutions and nonprofit organizations of all sizes.

“We’re honored to be recognized in MSSP Alert’s Top 200 MSSPs list after having only launched our Security Operations Center and Managed Security Services in 2018,” said Tom Boyden, President, GRA Quantum. “We pride ourselves in our dedication to offer comprehensive, enterprise-level MSS solutions to small and mid-sized firms.”

“Our technology-agnostic approach sets us apart from most MSS vendors,” added Jen Greulich, Director, Managed Security Services, GRA Quantum. “This allows us to select the best tools for our clients and seamlessly integrate into their existing technologies.”

“After Nines Inc. and MSSP Alert congratulate GRA Quantum on this year’s honor,” said Amy Katz, CEO of After Nines Inc. “Amid the ongoing cybersecurity talent shortage, thousands of MSPs and IT consulting firms are striving to move into the managed security market. The Top 200 list honors the MSSP market’s true pioneers.”

Learn more about GRA Quantum’s Managed Security Services.


MSSP Alert: Top 200 MSSPs 2019 – Research Highlights

The MSSP Alert readership survey revealed several major trends in the managed security services provider market. Chief among them:

  • The Top 5 business drivers for managed security services are talent shortages; regulatory compliance needs; the availability of cloud services; ransomware attacks; and SMB customers demanding security guidance from partners.
  • 69% of MSSPs now run full-blown security operations centers (SOCs) in-house, with 19% leveraging hybrid models, 8% completely outsourcing SOC services and 4% still formulating strategies.
  • The Top 10 cybersecurity vendors assisting MSSPs, in order of reader preference, are Fortinet, AT&T Cybersecurity, Cisco Systems, BlackBerry Cylance, Palo Alto Networks, Microsoft, SonicWall, Carbon Black, Tenable and Webroot (a Carbonite company).
  • Although the overall MSSP market enjoys double-digit percentage growth rates, many of the Top 200 MSSPs have single-digit growth rates because they are busy investing in next-generation services – including managed detection and response (MDR), SOC as a Service, and automated penetration testing.

The Top 200 MSSPs list and research are overseen by Content Czar Joe Panettieri (@JoePanettieri). Find the online list and associated report here: http://www.msspalert.com/top200.

About After Nines Inc.

After Nines Inc. provides timeless IT guidance for strategic partners and IT security professionals across ChannelE2E (www.ChannelE2E.com) and MSSP Alert (www.MSSPAlert.com). ChannelE2E tracks every stage of the IT service provider journey — from entrepreneur to exit. MSSP Alert is the global voice for Managed Security Services Providers (MSSPs).

  • For sponsorship information contact After Nines Inc. CEO Amy Katz, Amy@AfterNines.com
  • For content and editorial questions contact After Nines Inc. Content Czar Joe Panettieri, Joe@AfterNines.com

The post GRA Quantum Named to 2019 MSSP Alert Top 200 Managed Security Services Providers List appeared first on GRA Quantum.

Cleverly Faked Website Targets US Veterans

American military veterans on the hunt for a new job are the latest group to be targeted by bold new threat group Tortoiseshell.

The group, which was discovered earlier this month by researchers at Symantec, has been active since July 2018, primarily targeting IT providers in Saudi Arabia with a mix of customized and "common or garden" malware.

New intelligence published yesterday by Cisco Talos reveals that Tortoiseshell has refocused its criminal campaign to strike at targets in the United States. Talos discovered that team Tortoiseshell was behind a malicious website that has been cleverly crafted to resemble a legitimate recruitment site for US military veterans.

Users of the site hxxp://hiremilitaryheroes[.]com were prompted to download an app that in reality was a malware downloader that deployed malware and spyware. 

Warren Mercer, technical leader at Cisco Talos, told Infosecurity Magazine that the nature of the attack indicated that Tortoiseshell was hoping to ensnare active military personnel in addition to former servicemen. 

"As it seems they were targeting HR/recruitment efforts, it's possible they hoped to attack current military servicemen as well as current veterans."

Talos would not confirm or deny whether reports that Tortoiseshell is based in Iran are correct. However, what is clear is that should Tortoiseshell get its claws into active members of the military, the outcome could be potentially devastating. 

Mercer told Infosecurity Magazine: "Depending on the victim they are successful compromising, the level of detail/information they [Tortoiseshell] can obtain is very varied. 

"If Tortoiseshell successfully targeted a currently enlisted military professional with access to potentially confidential information, this could become very damaging to the parties involved."

Close attention had been paid to every detail of the malicious website to ensure that it closely mimicked a genuine site in its choice of name, imagery, and the style of language used. However, Mercer said that what might appear to be sophisticated actions by the group were more probably evidence of their dogged resolve. 

Commenting on the site's seemingly genuine appearance, Mercer told Infosecurity Magazine: "This isn’t suggestive of a sophisticated actor; it’s more indicative of a determined actor. They want to ensure that they remain as aligned as possible to their fake website, and the text, images, and domain name help with that."

In carrying out this latest attack, Tortoiseshell used the same backdoor method employed against its targets in the Middle East. Perhaps this reliance on the same tactics, techniques, and procedures (TTPs) will be the group's downfall. 

Open Source SIEM vs. Enterprise-Level SIEM: Which Is Right for You?

Open source SIEM solutions provide basic functionality that can be great for smaller organizations that are just beginning to log and analyze their security event data. But over time, many IT pros find that open source SIEM software is too labor-intensive to be a viable option as the organization grows.

In short, many organizations simply outgrow their open source solution.

Recent changes in regulations like PCI-DSS and the European Union’s GDPR have made it essential that system and application log events are extracted from individual servers or virtual machines and stored securely for analysis and action. This is no longer an option—it’s a must-do activity to protect your business.

As technology has advanced, SIEM solutions have mainly consisted of high-end software aimed at enterprises. These solutions have a robust set of features, but the complexities of implementing and maintaining them tend to turn off smaller organizations.

If you’re not looking for an enterprise-level SIEM, you might be considering and comparing open source SIEM tools, such as Nagios Core or Alien Vault’s OSSIM. These solutions are great for experimentation—to figure out what you really need to monitor and track, and take action when you identify suspicious behavior.

This comes with a warning, though. Starting a purely open source project can take six to 12 months to set a baseline for your operational and security alert needs. Few organizations can spare the headcount for this type of project.

However, if your organization is currently looking at implementing a SIEM solution, you have a few different options to consider.

Upgrade Your Open Source SIEM Tool

Wrap the open source solution in an integrated service. A service provider will fix bugs (essential), pre-build integrations (a major time saver), and provide consulting to get you live as quickly as possible.

This is particularly useful if you are chasing a drop-dead compliance date. For example, GroundWorks Software wraps Nagios with other tools into Groundwork Monitor, and AlienVault provides its commercial edition of its solution.

Invest in an Enterprise-Level SIEM

A small number of enterprise-level SIEM solutions now offer cloud-hosted editions that may suit your budget. Keep in mind you may have data privacy issues with moving data to the public cloud. Check with your auditors before you select a vendor. Some major players do not provide cloud editions, but in certain geographies licensed service providers do package a solution for use this way.

Try Out a Mid-Market SIEM

Look at the latest generation of mid-market SIEM solutions that are advanced yet lightweight. This type of project is ideal for organizations that don’t have the manpower or the budget for a full SIEM. There are a variety of mid-range SIEM solutions on the market that are easy to use and provide better value than some of the heavy-weight options—and without the complexity.

One option to consider is Powertech Event Manager, a SIEM solution that’s easier to implement than an enterprise-level option. Powertech Event Manager escalates critical events in real time, separating them from the ones that don’t require attention. Data from different sources is translated into a common format, which accelerates response and resolution time. Powertech Event Manager also provides a complete audit trail of security events, investigations, closed cases, and reported incidents.

See for yourself if Powertech Event Manager is right for your organization. Request a live demo today.


IDG Contributor Network: Have you dusted off your incident response plan?

As a CIO or senior technology leader for your organization, it is important that you are the champion for ensuring the company’s security posture is solid. You may have a CISO at your organization, depending on the size of the company and your CISO may be very much on top of this. However, it is key that your incident response plan is solid, tested, trained and socialized with all those that would be involved when your plan is activated. 

Every week (more like daily) we see headlines about a financial institution, local government or large school system that is hacked or has become the latest victim of ransomware. In many of these cases these companies find out that their Incident Response Plan was never tested, or worse, that it didn’t exist. Many organizations that have a security team and the latest SIEM (Security Information and Event Management) or other security technology get complacent and put too much emphasis on these tools. A good security program takes a layered approach to security and looks at the organization holistically, from the firewall to end user education.


Access Rights Not Updated for 45% of Employees Who Change Roles

Almost half of employees who switch roles within a company retain unnecessary network access rights, according to the results of a new survey by IT software company Ivanti.

The online survey questioned 400 people, of whom 70% were IT professionals, about what happened in their company when new staff were onboarded and when current employees switched roles or were deprovisioned. 

Asked whether unnecessary access rights are removed when employees change roles, 45% of the respondents said "no." This statistic swells in importance when paired with the knowledge that more survey respondents worked for the government (14.5%) than for any other industry. 

When it came to the access rights of employees leaving for new pastures, 13% of those surveyed said that they were not confident that the last person to exit their organization no longer had access to the company's critical systems and information. Only 48% said they were "somewhat confident" that access had been blocked. 

Given what respondents thought their former coworkers might get up to, it's surprising that closer tabs weren't being kept on their access rights. When asked what security risks were a concern in relation to improperly deprovisioned employees, 38% said a leak of sensitive data, 26% feared a cybersecurity hack through an unmanaged account, and 24% were concerned about malicious data detection/theft. 

Perhaps the survey's most worrying finding was that 52% of respondents admitted that either they or somebody they knew still had access to a former employer’s applications and data.

Most of the respondents (84%) were based in the US, but the online survey was also completed by people in the Netherlands, the UK, and Canada. 

Senior director of information technology at Ivanti, Adam Jones, told Infosecurity Magazine: "If you don’t know where you are vulnerable, it creates big issues and problems, especially when people can access privileges they shouldn’t. It creates an opportunity for exploitation by cyber-criminals or disgruntled employees (malicious insiders)."

It isn't clear from the survey whether access rights are being mismanaged due to the absence of proper assignment and management processes or because the trouble isn't being taken to regularly monitor permissions and update them as necessary. 

"Essentially, manually monitoring these processes is a productivity vampire," said Jones. "People often fail to complete their manual checklists, and we’ve even heard of instances where HR terminates an employee and forgets to tell their IT team.  

"Make sure you have the tools to automate manual tasks, so that you can monitor just the exceptions for when something doesn’t go right." 

Top Content in Review: 2018’s Most Read Cybersecurity Information by IT and Security Professionals


As each year draws to a close, the temptation is always to wipe the slate clean, put the past behind us, and have a fresh start come January. However, for most things, and particularly when it comes to cybersecurity, the best way to ensure a successful year ahead is to utilize what we learned over the past year as a foundation to build on.

Read on as we revisit pieces from the past year that will remain relevant into 2019 and beyond.

Lesson 1: While the cloud is great for business, misconfiguration issues can lead to disaster.

While the cloud has enabled businesses to expand their capabilities via cloud servers or a hybrid approach of on-premise and cloud environments, many organizations have developed a blind spot when it comes to cloud security, creating an opening for cyberattacks and data leaks. A simple misconfigured security setting can expose sensitive data to attackers or wayward employees. This guide gives an overview of the most common cloud security issues and advises how best to secure your data.

[READ THE TRUTH ABOUT CLOUD SECURITY]

Lesson 2: Passwords are no longer enough to block out threats.

Security experts are in general agreement that passwords will simply no longer suffice when it comes to system security. Granular access control, a key feature in certain identity and access management solutions, is one way organizations are tackling this challenge. This article takes a closer look at why granular access control is so effective—by placing limitations on who can get into your organization’s system, where, when and how they can access it, and what they can do with it.

[READ THE SIX Ws OF GRANULAR ACCESS CONTROL]

Lesson 3: Even before an attack hits, insufficient protection of your organization is beginning to result in long-term consequences.

Moody’s, one of the U.S.’s largest credit rating companies, has decided to incorporate cyber risk into their credit rating system. This decision should prompt organizations to ask themselves, “how would we stack up if our security environment were evaluated tomorrow?” This blog discusses four types of cyber threats that endanger organizations (and their ratings), and how to avoid them.

[READ THE CYBER RISK RATINGS: HOW WOULD YOUR IT ENVIRONMENT SCORE?]

Lesson 4: Organizations are targets not only for their data, but for their processing power.

Cryptomining malware, also known as cryptojacking, infects a computer system like a parasite, sucking the processing power to use it to mine for cryptocurrency. This blog covers the rise of cryptocurrency and cryptojacking, and how organizations are at risk. 

[READ WHY CORPORATE NETWORKS ARE KEY TARGETS FOR CRYPTOJACKING]

Lesson 5: Each operating system has its own set of unique security challenges.

All operating systems, including AIX, are frequent targets of cyberattacks, according to the Data Breach Investigations Report. From DDoS to malware, attackers have many strategies at their disposal—and common cybersecurity mistakes make their attacks much easier. This webinar discusses effective security strategies like strong password settings and configuration policies, as well as how to avoid AIX security mistakes.

[WATCH EXPERT TIPS FOR AVOIDING AIX SECURITY MISTAKES]

Lesson 6: Expert advice can help organizations know what to prepare for and prioritize.

This webinar features Bob Erdman, Security Product Manager, and David Dingwall, Senior Cybersecurity Strategist, as they count down the top cybersecurity trends of 2018 and make their predictions for what’s to come in 2019.

[WATCH CYBERSECURITY TRENDS IN 2018 AND PREDICTIONS IN 2019]


The Lifecycle of a Security Event


As a syslog server incessantly pings with every security notification, security teams can feel as though they are drowning in a sea of security warnings. Without a SIEM, it’s difficult to know which events are truly critical and which can be ignored. However, when a SIEM has been implemented, security teams get a much clearer picture of their environment’s security. There could truly be no threats, or multiple incidents may be occurring that simply have not yet affected performance.

But how exactly does a SIEM isolate the true threats from the general noise? This article seeks to illustrate the contrast between stagnant security events at an organization without a SIEM, and the distinct life cycle of events when a SIEM is streamlining security risks.

Threat Detection


Without a SIEM

A syslog server may constantly be churning out notifications, but the majority of hunting for potential threats is left to security teams.

With a SIEM

SIEMs are constantly processing event data and looking for threats from a variety of assets within an IT environment—networks, applications, devices, user activity logs, different operating systems, databases, firewalls, or network appliances.

Translation


Without a SIEM

Custom configuration is needed to capture raw data of events that admins deem suspicious. This data can be in various formats, in distributed locations, with content that is relevant to each particular asset.

Translation and interpretation of this data is typically where a bottleneck occurs. It becomes virtually impossible to effectively sort through numerous logs and be knowledgeable about the various formats and messages produced by different sources. For example, if a database admin were reviewing multiple logs, it would be immensely difficult for them to discern or highlight activity in web server logs that may be suspicious or need further review. This allows threats to progress much further before they are eventually caught.

With a SIEM

When a security event occurs, SIEMs like Powertech Event Manager immediately flag the event and capture all relevant raw data. This raw data is then translated into a common format, where the SIEM can automatically interpret and classify how critical the risk is.

Prioritization


Without a SIEM

Classification is left to the security teams to assign, with no additional guidance on which events hold the biggest potential for harm to the IT environment.

With a SIEM

A SIEM provides built-in guidance for which events need to be dealt with immediately. However, all events can be classified in a variety of ways. A SIEM is highly configurable and can indicate how serious the event is to varying degrees of specificity. For example, it may be tied to a specific regulatory framework or placed into general categories of severity, such as:

  • Highlighted Event – An event noted only for its irregularity. It may or may not need action depending on further analysis.
  • Security Threat – An event that may not pose immediate risk but should be investigated as soon as possible.
  • Security Incident – An event that indicates an imminent threat or an attack that is taking place. Requires immediate action.
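The translation and prioritization steps above, as an added example that is not Powertech Event Manager code: two constructed log formats (sshd syslog and a web-server access log) are normalized into one schema and then classified into the three categories just listed. The year for syslog lines, the failure threshold and the sample lines are assumptions made here.

```python
"""Translate heterogeneous log lines into one schema, then classify them.

Added example, not Powertech Event Manager code: the two source
formats, the sample lines, the year and the thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: sshd syslog from host db01, plus web-server
# access-log lines that carry no host name of their own.
SAMPLE_LOGS = [
    "Sep 25 08:00:01 db01 sshd[411]: Failed password for root from 198.51.100.7 port 5022 ssh2",
    "Sep 25 08:00:03 db01 sshd[411]: Failed password for root from 198.51.100.7 port 5023 ssh2",
    "Sep 25 08:00:05 db01 sshd[411]: Failed password for root from 198.51.100.7 port 5024 ssh2",
    "Sep 25 08:00:06 db01 sshd[411]: Failed password for root from 198.51.100.7 port 5025 ssh2",
    "Sep 25 08:00:08 db01 sshd[411]: Failed password for root from 198.51.100.7 port 5026 ssh2",
    '203.0.113.9 - - [25/Sep/2019:08:00:09 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Sep/2019:08:00:11 +0000] "GET /admin/ HTTP/1.1" 401 12',
    "Sep 25 08:00:14 db01 sshd[412]: Accepted password for root from 198.51.100.7 port 5027 ssh2",
    "Sep 25 08:01:30 db01 sshd[413]: Failed password for alice from 203.0.113.9 port 6001 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ASSUMED_YEAR = 2019    # syslog lines carry no year (constructed assumption)
FAIL_THRESHOLD = 5     # failures per (source IP, account) before escalating


def normalize(line, sender="unknown"):
    """Translate one raw line into the common schema, or None if unknown."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": "sshd", "host": m["host"],
                "action": "auth_success" if m["result"] == "Accepted" else "auth_fail",
                "principal": m["user"], "src_ip": m["ip"], "path": None, "status": None}
    m = HTTP_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        return {"ts": ts, "source": "httpd", "host": sender, "action": "http_request",
                "principal": None, "src_ip": m["ip"], "path": m["path"],
                "status": int(m["status"])}
    return None


def classify(events):
    """Return [(severity, event)] using the three categories above."""
    failures = defaultdict(int)   # (src_ip, principal) -> consecutive failures
    suspicious_ips = set()        # sources that have already failed authentication
    findings = []
    for ev in events:
        key = (ev["src_ip"], ev["principal"])
        severity = None
        if ev["action"] == "auth_fail":
            failures[key] += 1
            suspicious_ips.add(ev["src_ip"])
            severity = ("Security Threat" if failures[key] >= FAIL_THRESHOLD
                        else "Highlighted Event")
        elif ev["action"] == "auth_success":
            # A success right after a burst of failures: the guessing worked.
            if failures[key] >= FAIL_THRESHOLD:
                severity = "Security Incident"
            failures[key] = 0
        elif ev["action"] == "http_request":
            # Same source probing an admin path after failed logins elsewhere.
            if ev["path"].startswith("/admin") and ev["src_ip"] in suspicious_ips:
                severity = "Security Threat"
            elif ev["status"] >= 400:
                severity = "Highlighted Event"
        if severity:
            findings.append((severity, ev))
    return findings


def run(lines=SAMPLE_LOGS, sender="web01"):
    """Normalize every line (skipping unknown formats) and classify the result."""
    events = [normalize(line, sender) for line in lines]
    return classify([e for e in events if e is not None])


if __name__ == "__main__":
    for severity, ev in run():
        print(f"{ev['ts']} {severity:<18} {ev['host']} {ev['action']} "
              f"{ev['principal'] or ev['path']} from {ev['src_ip']}")
```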


Escalation


Without a SIEM

While a syslog server can send out alerts, they are typically sent for every event of a certain type (e.g. WARNING), to everyone. Response time is delayed as issues are parsed out and assigned to the appropriate team members.

With a SIEM

A SIEM will generate alerts and send out notifications to exactly the right security team members when a threat requires action. These real time alerts allow staff to act quickly to prevent or neutralize risks.

For example, if a SIEM detected a virus on a Linux server, endangering sensitive data, an alert would be sent to the Linux admin, who is best equipped to quarantine the server to prevent further infection until the virus is removed.

Alternatively, a SIEM could raise an alert if someone was attempting to access a privileged account with multiple password guesses. A security admin or an automated response could lock the account until additional verification was made or security analysts had investigated further.

Analysis


Without a SIEM

While some analysis can be completed, the time spent working to interpret, assign, and handle the threat often leaves fewer resources for analysis. Security teams in these environments have to develop a mindset of putting out fires, with no time or personnel left to investigate the cause.

With a SIEM

Security teams can use a SIEM to complete a thorough examination and analysis. As discussed above, raw data is stored from an event, and a SIEM can also generate reports with varying degrees of detail that document the lifecycle of an event. Security teams can annotate these reports with notes that record their investigation, as well as recommendations on actions to take for similar events. These reports become critical documentation that demonstrates an overall picture of an organization’s cybersecurity.

Compliance


Without a SIEM

Security teams often struggle to maintain compliance, since maintaining records and logs is a manual and therefore much more tedious venture. As mentioned above, time and resources are scarce, and regulations may not be as heavily prioritized.

With a SIEM

Raw data flagged when a security event occurs is kept on record for a given period of time to maintain compliance for retention regulations. Reports generated by SIEMs create a complete audit trail, keeping an organization compliant with little effort.

While SIEMs provide a clear path to dealing with security threats, saving time is the biggest advantage that a SIEM solution provides. Security teams are perpetually busy protecting their organization’s data, and time spent on tasks that could be automated is time wasted. Not only that, it is time that is often desperately needed to prevent or battle harmful threats that could cost an organization time, money, and even its reputation.


Malicious RDP Behavior Detected in 90% of Organizations

A new study has found that hackers are exploiting a popular remote working tool to attack almost all the companies that use it. 

The Remote Desktop Protocol (RDP) has become a virtually indispensable part of modern business operations, as it allows users to control systems from afar without losing any functionality. 

Research published today by Californian tech firm Vectra has revealed suspicious RDP behaviors in 90% of companies using RDP, with organizations in the manufacturing, finance and insurance, retail, government, and healthcare industries identified as being most at risk of attack.

Researchers used Vectra's Cognito platform to monitor metadata collected from network traffic between more than four million workloads and devices in customer cloud, data centers, and enterprise environments between January and June 2019. 

During the six-month period, the platform detected 26,800 suspicious RDP behaviors. However, more could have occurred, since Cognito was set up to spot only two specific behaviors. The first is repeated failed attempts to establish an RDP connection to a workload or host, and the second is a successful connection with unusual characteristics; for example, a connection normally established via an English-character keyboard being made instead with a French keyboard.
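The two detections described above, as an added example that is not Vectra's Cognito code: a burst of failed RDP attempts from one source to one host, and a successful session whose keyboard layout was never seen on that host during a learning period. The record format, thresholds and sample records are constructed here.

```python
"""Two RDP detections over connection metadata: failed-attempt bursts and
successful sessions with an unusual keyboard layout.

Added example, not Vectra Cognito code: the record format, the sample
records and the thresholds are constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failed attempts from one source to one host ...
FAIL_WINDOW = timedelta(minutes=2)  # ... inside this window raise a detection


def rec(minute, second, src, dst, result, layout=None):
    """Build one constructed RDP metadata record (25 Sep 2019, 09:mm:ss)."""
    return {"ts": datetime(2019, 9, 25, 9, minute, second), "src": src,
            "dst": dst, "result": result, "keyboard_layout": layout}


# Learning period: what "normal" looks like for each destination host.
BASELINE_RECORDS = [
    rec(0, 0, "10.0.0.5", "fileserver01", "success", "en-US"),
    rec(5, 0, "10.0.0.6", "fileserver01", "success", "en-US"),
    rec(9, 0, "10.0.0.5", "fileserver01", "success", "en-GB"),
    rec(10, 0, "10.0.0.7", "hr-db01", "success", "en-US"),
]

# Evaluation period: a burst of failures followed by a success with a
# keyboard layout never seen on that host, plus ordinary traffic.
EVAL_RECORDS = [
    rec(20, 0, "10.0.0.5", "hr-db01", "success", "en-US"),
    rec(30, 0, "198.51.100.20", "fileserver01", "fail"),
    rec(30, 4, "198.51.100.20", "fileserver01", "fail"),
    rec(30, 9, "198.51.100.20", "fileserver01", "fail"),
    rec(30, 15, "198.51.100.20", "fileserver01", "fail"),
    rec(30, 22, "198.51.100.20", "fileserver01", "fail"),
    rec(30, 40, "198.51.100.20", "fileserver01", "success", "fr-FR"),
    rec(45, 0, "10.0.0.6", "fileserver01", "success", "en-GB"),
    rec(50, 0, "10.0.0.9", "hr-db01", "fail"),   # a single typo, not a burst
]


def learn_layouts(records):
    """Map each destination host to the keyboard layouts seen on successful sessions."""
    seen = defaultdict(set)
    for r in records:
        if r["result"] == "success" and r["keyboard_layout"]:
            seen[r["dst"]].add(r["keyboard_layout"])
    return seen


def detect(records, layout_baseline):
    """Return detections in the order of the record that triggered each one."""
    detections = []
    recent_fails = defaultdict(deque)   # (src, dst) -> timestamps of recent failures
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["src"], r["dst"])
        if r["result"] == "fail":
            q = recent_fails[key]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                detections.append({"type": "repeated_failed_rdp", "src": r["src"],
                                   "dst": r["dst"], "count": len(q), "ts": r["ts"]})
                q.clear()                                # one detection per burst
        elif r["result"] == "success":
            known = layout_baseline.get(r["dst"], set())
            if known and r["keyboard_layout"] not in known:
                detections.append({"type": "unusual_keyboard_layout", "src": r["src"],
                                   "dst": r["dst"], "layout": r["keyboard_layout"],
                                   "expected": sorted(known), "ts": r["ts"]})
    return detections


def run():
    """Learn per-host layouts from the baseline, then evaluate the later records."""
    return detect(EVAL_RECORDS, learn_layouts(BASELINE_RECORDS))


if __name__ == "__main__":
    for d in run():
        print(d)
```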

Manufacturing organizations had the highest rate of dodgy RDP detections, with mid-sized operations showing a detection rate twice as high as the industry's average, which was 10 detections per 10,000 workloads and devices.

Together, the finance and insurance, manufacturing, and retail industries accounted for 49.8% of all suspect RDP detections. 

Alarming as the findings are, they come as no surprise to Vectra's head of security, Chris Morales, who told Infosecurity Magazine: "RDP is so widely used in different organizations that a high rate of misuse is inevitable. It's used in multiple forms of attacks as attackers look to hide from detection.

"The rate of detection in the six-month period is consistent with what Vectra has monitored over an extended period of time. RDP is a regular occurrence in attacks and a staple tool of the attackers' toolkit."

Despite the cybersecurity risk posed by RDP, Morales foresees no sunset on the tool's use. He told Infosecurity Magazine: "The business value delivered by RDP will ensure its continued use, and it will therefore continue to represent significant risk as an exposed attack surface."

Asked if we should all ditch the internet and go back to using fax machines, Morales said: "I do not think so. We just need to be more diligent in how we use services and thoughtful in their implementation."

Top 5 use cases to help you make the most of your Cloud Access Security Broker

The number of apps and the flexibility for users to access them from anywhere continues to increase. This presents a challenge for IT departments in ensuring secure access and protecting the flow of critical data with a consistent set of controls.

Cloud Access Security Brokers (CASBs) are a new generation of security solutions that are essential to any modern security strategy. CASBs provide a centralized experience that allows you to apply a standardized set of controls to the apps in your organization. The term Cloud Access Security Broker was first introduced by analyst firm Gartner and has since become one of the fastest-growing security categories; it is considered one of the top 10 security projects for companies to implement by 2020.

Microsoft Cloud App Security is a CASB that allows you to protect all apps in your organization, including third-party apps across cloud, on-premises, and custom applications. Powered by native integrations with Microsoft’s broader product ecosystem, Cloud App Security delivers state-of-the-art security for multi-cloud environments.

Due to the fast pace of the market, the capability set of CASBs continues to grow, making it increasingly challenging for customers to decide how to get started.

Today, we explore five of the top 20 use cases for CASBs we identified as giving you an immediate return on your investment with very little deployment effort needed before moving on to more advanced scenarios.

Use case #1: Discover all cloud apps and resources used in your organization

No matter where you are in your cloud journey, many of your users likely started leveraging cloud services a long time ago and have stored corporate data in various cloud applications.

A CASB provides you with full visibility over all data stored in sanctioned and connected cloud apps. It gives you deep insights about each file, allowing you to identify if it contains sensitive information, the owner and storage location, as well as the access level of the file. Access levels distinguish between private, internal, externally shared, and publicly shared files, allowing you to quickly identify potentially overexposed files putting sensitive information at risk.

Cloud App Security gives you multiple options to get started with Cloud Discovery. You can leverage firewall logs, an existing Secure Web Gateway, or the unique, single-click enablement via Microsoft Defender Advanced Threat Protection (ATP).

To learn how to get started with app discovery, read Discover and manage shadow IT in your network.

Use case #2: Identify and revoke access to risky OAuth apps

In recent years, OAuth apps have become a popular attack vector for adversaries. Hacker groups such as Fancy Bear have leveraged OAuth apps to trick users into authorizing the use of their corporate credentials, for example by duplicating the UI of a seemingly trustworthy platform.

A CASB enables you to closely monitor which OAuth apps are being authorized against your corporate environment and either manually review them or create policies that automatically revoke access if certain risky criteria are met. A key threat indicator is the combination of an app that has requested a high level of permissions with a low community use status, which indicates that the app is not commonly found in other organizations and is therefore less likely to be trustworthy.

Once you’ve enabled app discovery, all you need to do is connect the relevant apps like Office 365, Salesforce, or G-Suite to the service. You’re then alerted when new risky OAuth apps are authorized, so you can start managing them.

To learn more, read Manage OAuth apps.

Use case #3: Identify compromised user accounts

Identity attacks have increased by more than 300 percent over the past year, making them a key source of compromise and the number one threat vector for organizations.

A CASB learns the behavior of users and other entities in an organization and builds a behavioral profile around them. If an account is compromised and executes activities that differ from the baseline user profile, abnormal behavior detections are raised.

Using built-in and custom anomaly detections, IT is alerted on activities, such as impossible travel, as well as activities from infrequent countries, or the implementation of inbox forwarding rules where emails are automatically forwarded to external email addresses. These alerts allow you to act quickly and quarantine a user account to prevent damage to your organization. All you have to do is connect the relevant apps to Cloud App Security and activate our built-in threat detection policies.
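The anomaly detections named above (impossible travel, sign-in from a country outside the user's baseline, and an inbox rule forwarding mail to an external address), as an added example that is not Microsoft Cloud App Security code. The event format, the baseline countries, the speed threshold and the placeholder organization domain are constructed here.

```python
"""Three account-compromise detections run over constructed sign-in and
mailbox events: impossible travel, an unusual country, and an inbox rule
that forwards mail outside the organization.

Added example, not Microsoft Cloud App Security code: the event format,
the thresholds, the baseline and the sample events are constructed here.
"""
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 1000                 # faster than this between sign-ins is "impossible"
ORG_DOMAINS = {"contoso-example.com"}    # constructed placeholder organization domain


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def signin(user, hour, minute, country, lat, lon):
    """Build one constructed sign-in event on 25 Sep 2019."""
    return {"type": "signin", "user": user, "ts": datetime(2019, 9, 25, hour, minute),
            "country": country, "lat": lat, "lon": lon}


# Constructed activity: alice's second sign-in is from Paris 90 minutes after
# Seattle; bob travels New York -> Boston in three hours; alice then adds a
# rule forwarding her mail to an external address.
EVENTS = [
    signin("alice", 9, 0, "US", 47.6062, -122.3321),
    signin("bob", 9, 0, "US", 40.7128, -74.0060),
    signin("alice", 10, 30, "FR", 48.8566, 2.3522),
    signin("bob", 12, 0, "US", 42.3601, -71.0589),
    {"type": "inbox_rule", "user": "alice", "ts": datetime(2019, 9, 25, 10, 35),
     "forward_to": "collector-mailbox@example.net"},
]

# Countries each user signed in from during the learning period (constructed).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}


def detect(events, baseline_countries):
    """Return alerts in chronological order of the triggering event."""
    last_signin = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["type"] == "signin":
            if ev["country"] not in baseline_countries.get(user, set()):
                alerts.append({"type": "unusual_country", "user": user,
                               "country": ev["country"], "ts": ev["ts"]})
            prev = last_signin.get(user)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if speed > MAX_PLAUSIBLE_KMH:
                    alerts.append({"type": "impossible_travel", "user": user,
                                   "km": round(km), "kmh": round(speed), "ts": ev["ts"]})
            last_signin[user] = ev
        elif ev["type"] == "inbox_rule":
            domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if domain not in ORG_DOMAINS:
                alerts.append({"type": "external_forwarding_rule", "user": user,
                               "forward_to": ev["forward_to"], "ts": ev["ts"]})
    return alerts


def run():
    return detect(EVENTS, BASELINE_COUNTRIES)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```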

To learn how to get started, read Monitor alerts in Cloud App Security.

Use case #4: Enforce DLP policies for sensitive data stored in your cloud apps

Cloud services such as Office 365 or Slack are key productivity solutions in many organizations today. Consequently, sensitive corporate data is uploaded and shared across them.

For existing data, a CASB solution can help you identify files that contain sensitive information and it provides several remediation options, including removing external sharing permissions, encrypting the file, placing it in admin quarantine, or deleting it if necessary.

Additionally, you can enforce data loss prevention (DLP) policies that scan every file as soon as it’s uploaded to a cloud app, to alert on policy violations and automatically apply data labels and relevant restrictions to protect your information. These policies can be created using advanced techniques such as data identities, regular expressions, OCR, and exact data matching.

To learn how to get started with a centralized DLP strategy across your key apps, read File policies.

Use case #5: Enforce adaptive session controls to manage user actions in real-time

In a cloud-first world, identity has become the new perimeter—protecting access to all your corporate resources at the front door.

Cloud App Security leverages Azure Active Directory (Azure AD) Conditional Access policies to determine a user’s session risk upon sign-in. Based on the risk level associated with a user session, you can enforce adaptive in-session controls that determine which actions a user can carry out and which may be limited or blocked entirely. This seamless identity-based experience ensures the upkeep of productivity, while preventing potentially risky user actions in real-time. The adaptive controls include the prevention of data exfiltration by blocking actions such as download, copy, cut, or print, as well as the prevention of malicious data infiltration to your cloud apps by preventing malicious uploads or pasting text.

You can apply a standardized set of controls to any app in your organization, whether it’s a cloud app, on-premises app, or a custom application, giving you a consistent set of controls to protect your most sensitive information.

To get started with our built-in templates for inline controls, read Deploy Conditional Access App Control for featured apps.

Starting a CASB project can be daunting given the breadth of capabilities and possibilities of configuration. The five use cases outlined above, and the focus on simple deployment and optimization of UI in Cloud App Security, will ensure that you can make the most of your investment and get started quickly. For more use cases, download our Top 20 CASB use cases e-book.

Learn more and provide feedback

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our TechCommunity page.

The post Top 5 use cases to help you make the most of your Cloud Access Security Broker appeared first on Microsoft Security.

How to Strike the Right Balance Between Prioritizing Security and Increasing Efficiency

Part 1 of the Improving Your Security-Efficiency Balance Series:  

Organizations of all sizes today face a unique balancing act when it comes to user access. Employees require access to multiple organizational systems, applications, and data to successfully do their jobs—from human resource information systems (HRIS) and customer relationship management (CRM) platforms to accounting software, patient care systems, or collaboration tools. Yet granting user privileges to these systems inherently creates risk to the organization. Data can be misused either accidentally or maliciously. For example, breaches can be caused by insiders who are manipulated through social engineering, such as phishing emails, in an attempt to gain access to privileges that have already been granted. Organizations can also be directly targeted by hackers attempting to gain credentials to penetrate the organization. However, access to these systems is paramount for enabling the business and for achieving the level of operational efficiency that is necessary to compete in today’s business environment.

Identifying how much your company should lean toward organizational security versus user efficiency requires a thorough understanding of the most pressing issues associated with managing user access. Organizations must determine whether to prioritize security concerns at the cost of the user experience or emphasize the ease of the user experience in accessing company systems at the expense of security. In Part 1 of the Security-Efficiency Balance Series, we examine essential identity governance challenges that companies face and explore why achieving this balance is crucial within organizations today.

Critical Identity Governance Challenges Organizations Face Today

One of the primary challenges that result when a company emphasizes security over efficiency is that employees struggle with accessing company systems or are required to jump through multiple security hoops each time they want to access business applications. At the opposite end of the spectrum, companies may focus too much on creating an easy user experience or increasing employee productivity, so that organizational security suffers. Too often, organizations lean more heavily on one side or the other. But the optimal solution is to treat both security and user efficiency equally and to look for Identity Governance and Administration solutions that take both of these elements into account.

For example, companies that implement multi-factor authentication (MFA) programs, which require more than a single identifier for identity verification (such as a password, a push notification to a mobile device, and a voiceprint or fingerprint ID), may overwhelm users with access restrictions. These policies can become excessive if they require users to perform MFA each time they want to access a business system or application. While this process is highly secure, it will likely start to affect employee efficiency and productivity. As an alternative, organizations could consider combining multi-factor authentication policies with adaptive authentication, which allows some of the security checks to be bypassed depending on a user’s risk profile and tendencies, adapting the type of authentication required. In this case, if a user had logged into the device earlier in the day, then he or she could skip a subsequent MFA step, since the device was already verified in an earlier request.
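The adaptive authentication decision just described, as an added example that is not any vendor's code: a sign-in is scored against the user's profile, and MFA is skipped only when the risk is low and the same device was verified recently. The risk factors, their weights, the 24-hour reuse window and the sample requests are assumptions made here.

```python
"""Adaptive authentication decision: require MFA only when a sign-in's
risk warrants it, otherwise honour a recent verification on the same device.

Added example, not any vendor's product code: the risk factors, the
weights, the reuse window, the profile and the sample requests are constructed.
"""
import copy
from datetime import datetime, timedelta

MFA_REUSE_WINDOW = timedelta(hours=24)   # a verified device stays trusted this long
STEP_UP_SCORE = 40                       # a risk score at or above this forces MFA

# Weights for the factors an adaptive policy looks at (constructed values).
RISK_WEIGHTS = {
    "unknown_device": 50,
    "unusual_location": 40,
    "off_hours": 10,
    "sensitive_resource": 40,
}

# Constructed profile: alice normally works from the US on one laptop, which
# last completed MFA at 08:05 on 25 Sep 2019.
ALICE = {
    "known_devices": {"laptop-1"},
    "usual_countries": {"US"},
    "sensitive_resources": {"payroll"},
    "last_mfa": {"laptop-1": datetime(2019, 9, 25, 8, 5)},
}


def req(day, hour, minute, device, country, resource):
    """Build one constructed sign-in request in September 2019."""
    return {"ts": datetime(2019, 9, day, hour, minute), "device_id": device,
            "country": country, "resource": resource}


REQUESTS = [
    req(25, 9, 30, "laptop-1", "US", "crm"),       # routine, verified 85 min ago
    req(25, 9, 45, "laptop-1", "US", "payroll"),   # sensitive system
    req(25, 9, 50, "tablet-9", "US", "crm"),       # device never seen before
    req(25, 23, 30, "laptop-1", "US", "crm"),      # late, but low risk on a verified device
    req(26, 11, 0, "laptop-1", "US", "crm"),       # verification has aged past the window
    req(26, 11, 10, "laptop-1", "FR", "crm"),      # country outside the baseline
]


def risk_score(request, profile):
    """Score a sign-in request against what the user normally does."""
    factors = []
    if request["device_id"] not in profile["known_devices"]:
        factors.append("unknown_device")
    if request["country"] not in profile["usual_countries"]:
        factors.append("unusual_location")
    if not 7 <= request["ts"].hour < 20:
        factors.append("off_hours")
    if request["resource"] in profile["sensitive_resources"]:
        factors.append("sensitive_resource")
    return sum(RISK_WEIGHTS[f] for f in factors), factors


def decide(request, profile):
    """Return (require_mfa, reason). Low risk plus a recently verified device skips MFA."""
    score, factors = risk_score(request, profile)
    if score >= STEP_UP_SCORE:
        return True, f"risk {score} ({', '.join(factors)})"
    last = profile["last_mfa"].get(request["device_id"])
    if last is not None and request["ts"] - last <= MFA_REUSE_WINDOW:
        return False, f"risk {score}; device verified at {last:%d %b %H:%M}"
    return True, f"risk {score}; no recent verification on this device"


def run(requests=REQUESTS, profile=None):
    """Evaluate requests in order, recording each MFA as a new device verification."""
    profile = profile or copy.deepcopy(ALICE)
    decisions = []
    for request in requests:
        require, reason = decide(request, profile)
        if require:   # assume the MFA challenge succeeded
            profile["last_mfa"][request["device_id"]] = request["ts"]
        decisions.append((require, reason))
    return decisions


if __name__ == "__main__":
    for request, (require, reason) in zip(REQUESTS, run()):
        print(f"{request['ts']:%d %b %H:%M} {request['device_id']:<9} "
              f"{'MFA' if require else 'skip':<5} {reason}")
```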

The Frequency of Privileged Access Violations and Other Access Challenges

When users have access privileges that they shouldn’t have as a result of overprovisioning, it creates unwelcome opportunities for potential risks within organizations. According to a recent report from EMA titled ‘Responsible User Empowerment: Enabling Privileged Access Management (PAM),’ 76 percent of organizations reported a violation of privileged access policies within the last year. This means that users had accessed a system or application that they were not supposed to. These types of incidents create a big threat for companies, particularly when it comes to regulatory compliance. Regulations such as GDPR, SOX, HIPAA, and PCI-DSS require organizations to limit user access, yet the reality for companies is that there are so many systems with so many access privileges that it’s extremely difficult to understand what privileged access employees need, and then to control that access, without the right identity governance solutions.

Research from Cybersecurity Insiders also supports the complexity of access challenges today. According to its 2019 Identity and Access Management Report, more than 70 percent of users have more access privileges than required for their job. When employees have more access than they need, hackers have the opportunity to target users with elevated access levels and the risk of insider threats is increased. One particular issue is that employees don’t always know or understand what access they need. And they may end up asking for and being approved for more privilege than they require. This risk is even higher if these excess privileges are unused because nefarious access can go undetected.

Another access challenge within organizations includes underprovisioning employees. While it is better to err on the side of giving users too little access than too much, and to maintain a policy of ‘least privileged access,’ underprovisioning can lead to a lot of frustration internally, especially for roles that require greater levels of access. When you do not provide enough access, it can disrupt productivity for the entire team, and it means specific users do not have the right access to do their jobs. For example, if a senior accountant does not have the right access levels to approve purchase orders, projects can be delayed, other employees may be tasked with approving, or in some cases, the approval may be skipped. Lacking enough access privilege also leads to increased helpdesk requests, tying up IT resources that should be spent on more important projects. Underprovisioning can also lead to increased risk. Even if an employee lacks necessary access to effectively do their job, the business needs to move forward, and this often results in credential sharing throughout the organization.

The Challenge Will Continue to Grow Without the Right Approach

With a growing number of systems, devices, applications, employees and even non-employees to manage as part of a contingent workforce, the complexity of identity and access management will only continue to increase for organizations that do not have a solid approach to identity governance and administration or access management. Manual provisioning processes, insufficient visibility into existing accounts, and lack of automation significantly contribute to these challenges, magnifying the time and resources required to oversee and manage user access. Because many organizations still lack a centralized process to manage and audit user accounts, companies often have very little visibility into the actual access levels users possess. Combined, these factors make it very difficult to limit risk within the business, especially as new employees join or leave the organization.

Strategic, intelligent identity governance and administration truly improves and enhances the way organizations approach access management. IGA creates the right balance between security and user efficiency, allowing companies to do more with less. In Part 2 of the Improving Your Security-Efficiency Balance Series, we will provide six specific ways to ensure that your organization is giving the right access to the right people at the right time.


Evaluating Security Information and Event Management (SIEM) Solutions: The Pros and Cons of Freeware


With data breaches causing seemingly endless damage, from record-breaking numbers of exposed records to millions spent on remediation, it’s clear that organizations must build stronger security portfolios than ever before. Security Information and Event Management (SIEM) solutions enable you to manage potential vulnerabilities proactively using centralized security management and real-time information, making them a vital tool in avoiding devastating data breaches caused by both insider risks and external threat actors.

But with so many different types of SIEM solutions out there, how do you know which one to choose? When evaluating your options, perhaps the question you should start with is whether you should even pay for a SIEM. Read on to find out about the different types of free solutions, their pros and cons, and what to consider when looking at enterprise options.

Evaluating Your Requirements

Before you get too far, create a requirements list. This might include the number of assets you need monitored, what compliance requirements you have, and the types of assets your environment has and would like integrated.

Additionally, consider your budget. Organizations have to build a robust security portfolio regardless of budget, so exploring free options can oftentimes be the only option. Enterprise SIEM solutions are primarily designed with large organizations in mind, so it’s important to find options available for every size of organization and price point.

What Do You Mean by Free?

Simply calling a tool “free” does not provide enough information. There are several types of free tools, including:

  • Always free: These tools are created with no intention of having a paid version. This means you will get the complete version of the product.
  • Open source: Open source solutions come from source code that is made available for users to adopt and modify as they wish.
  • Free but limited: You have access to a modified version of the enterprise version that does not have all of the same features. The product can be used throughout the environment, but you’ll need to upgrade to the paid version for added functionality.
  • Free for a set number: Like our free version of Event Manager, this type of tool provides access to the enterprise version for a limited number of assets or a set capacity. You will have all of the features of the enterprise version, but will need to upgrade to monitor more assets or an unlimited number of them.


Free SIEM Tools: Pros and Cons

Pros: Of course, the greatest advantage of free tools is the obvious one—getting a security event management tool without having to pay for it safeguards your environment from damaging, costly breaches without even affecting your budget.

Each type of free solution has advantages. Always free SIEM solutions can be straightforward, simple, and provide exactly what an organization—particularly small businesses or startups—needs from a SIEM.

Open source solutions take a decentralized approach which allows for community-driven development and often results in multiple versions and independent add-ons.

Free but limited tools, which are free for a set number of systems or have a limited amount of functionality, provide you with solutions from reputable companies that heavily invest in their tools. Some of these free tools offer sufficient coverage and functionality that you won’t need to upgrade. Other times, free tools, especially those that give you full functionality for a set capacity, provide a good opportunity to evaluate whether the tool is a good fit. At the very least, you can make sure the tool meets your IT requirements.

Cons: Since there are several types of free software, each type has slightly different disadvantages as well. Tools that are always free may or may not offer the kind of stability and functionality you need. Even if you like how the tool works, there is no opportunity to upgrade for additional features. These free SIEM tools often don’t come from well-known providers, so CISOs or other decision makers may be uncomfortable implementing a solution that is difficult to validate.

Open source solutions may not technically cost anything, but that doesn’t really make them free. They require a heavy time investment from security teams and sysadmins. Additionally, they don’t offer centralized, full-time support, and often their documentation is not centralized or complete.

Software that’s free but limited, or free for a set number of devices can be great for smaller environments, but as organizations grow quickly, their security needs grow with them. Further devices will need coverage, and more robust features start to become more of a necessity. Additionally, support is usually very limited. Having someone to call to troubleshoot any issues, and answer questions can save enough time and hassle that it can be more financially savvy to find a solution that provides these benefits.

Considering Enterprise SIEM Tools

Robust features, ease of use, and support are the standard items that make enterprise solutions stand apart from their free SIEM solution counterparts. However, enterprise SIEM solutions can be very different from one another and tend to prioritize different needs or audiences, so conducting a SIEM software comparison is always necessary.

Since SIEM solutions focus on streamlining alerts, many SIEM solutions are complex tools intended to suit the needs of massive organizations that get thousands, even millions of notifications daily. Many of these organizations never bother with free versions, since they could never fit their needs.

Others, like Powertech Event Manager, focus on scalability and evolving with an organization. Using the free version can help acclimate and train security teams in using SIEM tools. The free version of Powertech Event Manager can provide plenty of security while the organization remains small, as well as the ability to integrate third-party and home-grown applications common in small to medium-sized businesses. From there, a business can smoothly transition into the enterprise edition, which provides ample features and unlimited capacity without overwhelming you with more functionality than you need at a price point that you can’t afford.

Of course, deciding on an enterprise SIEM requires just as much research as finding a free security management tool, making it all the more important to take advantage of a free-to-get-started solution, so you can get a feel for how the tool works.

Ultimately, finding a product that meets your IT requirements is what’s most important. Taking the time to research, evaluate, and even implement some free solutions is worth the time that it takes in order to feel confident in the SIEM solution that you choose.

SIEM Solution Checklist

[Figure: free SIEM vs. paid SIEM checklist, "Choose it when..."]


Scientists invent new technology to print invisible messages

Messages can only be seen under UV light and can be erased using a hairdryer

Forget lemon juice and hot irons, there is a new way to write and read invisible messages – and it can be used again and again.

The approach, developed by researchers in China, involves using water to print messages on paper coated with manganese-containing chemicals. The message, invisible to the naked eye, can be read by shining UV light on the paper.


Heyyo dating app left its users’ data exposed online

Another day, another embarrassing data leak has made the headlines: the online dating app Heyyo left a server exposed on the internet.

The online dating app Heyyo left a server exposed on the internet without protection; the data were stored on an Elasticsearch instance.

The exposed data included personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users.

The exposed data included:

  • Names
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Gender
  • Height
  • Profile pictures and other images
  • Facebook IDs for users who linked their profiles
  • Instagram IDs for users who linked their profiles
  • Longitude and latitude
  • Who liked a user’s profile
  • Liked profiles
  • Disliked profiles
  • Superliked profiles
  • Blocked profiles
  • Dating preferences
  • Registration and last active date
  • Smartphone details

The news was first reported by ZDNet who was informed about the incident by security researchers from WizCase.

“Avishai Efrat, Wizcase leading hacktivist, discovered a severe data leak on Heyyo, a relatively new mobile dating app. Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine,” reported WizCase. “The majority of affected users are based in Turkey, but there’s also a significant number from the US and Brazil, which is over ⅕ of their user base.”

ZDNet verified the authenticity of the data and contacted the Turkey-based company behind Heyyo to notify it of the leak, but the company did not reply for a week.

While waiting for a reply from the development team, the experts noticed that the number of registered users grew from 71,769 to 71,921. The experts also registered an account and verified that its associated data were exposed online. This indicates that the server was a live production system.

The server was taken down today after ZDNet contacted Turkey’s Computer Emergency Response Team (CERT).

Clearly, the exposure of this type of data poses serious risks to the users’ privacy, including extortion.

At the time of writing it is unclear whether anyone else had access to the exposed database.

Unfortunately, other dating platforms have suffered similar incidents in the past, including Ashley Madison, Grindr, 3Fun, and Luscious.

WizCase also has its own report on the leak, for additional reading.

Pierluigi Paganini

(SecurityAffairs – Heyyo, hacking)

The post Heyyo dating app left its users’ data exposed online appeared first on Security Affairs.

Investing in Enterprise security is a necessity, not a luxury

Estimated reading time: 3 minutes

In the ‘digital-first’ environment that organizations and businesses operate in nowadays, success and failure can often depend on enterprise security solutions. Businesses operate in an environment where threats from the digital sphere can often outweigh threats from the physical sphere. The list of threats is huge and ever-expanding – malware, phishing, ransomware, cryptojacking, data breaches, hacks, financial fraud, password loss and a lot more.

Neglecting cybersecurity causes both financial and reputational damage. A study estimated that the average cost of a data breach rose 12% over the last few years to a staggering $3.92 million. And as some of the biggest organizations in the world like Equifax, Marriott International and Yahoo realized, threats have repercussions on brand value as well, affecting customer trust and reputation in a way that may not be possible to value monetarily but certainly leaves a lasting impact.

That is why an increasing number of organizations are waking up to the fact that enterprise security is no longer just an investment – it is a necessity and a requirement in today’s day and age.

Global research and advisory firm Gartner estimated that worldwide information security spending would exceed $124 billion in 2019.

How does investing in enterprise security benefit an organization? There are many ways, but some of the most important ones are:

  1. Your data is substantially safer

No organization is completely safe – cybersecurity is one of those sectors where new threats to the organization appear every second. Such an environment demands a strong enterprise security framework to keep organizations safe.

Most cybercriminals use basic tools and strategies which are already identified and blocked by most enterprise security solutions helping your data, your businesses and your employees stay safe from cybercrimes. In fact, Seqrite’s range of enterprise security solutions allows administrators to see the number of breach attempts and different cyber threats repelled to understand how the enterprise is staying better protected.

  2. Helps to meet compliance and regulatory requirements

For any organization operating in the digital world, there are various regulations, depending on where the enterprise is operating from and which countries its customers are based in, that it needs to comply with.

Non-compliance with these regulations (GDPR, HIPAA, PCI DSS, etc.) can result in hefty fines – in extreme cases it can even destroy businesses. But enterprises that have deployed a cybersecurity solution will be in a much better position to meet compliance and regulatory requirements.

  3. Build cyber trust

The impact of cyber attacks can be disastrous – damaged reputation, a shrinking customer base, legal liabilities etc. are all by-products that can undo the great work done by SMBs, SOHOs & enterprises and possibly floor these businesses.

Enterprises need to work hard to avoid this kind of situation and win the trust of their users and stakeholders by assuring them that they are taking the best possible measures to keep data safe. Once stakeholders and customers are convinced that the organization they are interacting with and entrusting with their valuable data is serious about keeping it safe with the help of enterprise security, it helps to build trust and can be a key differentiator in customer loyalty.

  4. Preventing the loss of business

An enterprise that suffers a data breach or cyber attack suffers a loss in business. Client data is compromised, confidential data may be leaked and the data, if backed up, may take months to recover. In the worst-case scenario, if data is not backed up, it may be irretrievable.

All these contribute to a major loss of business for an enterprise which they can avoid to a certain extent by investing in an enterprise security framework.

Organizations can consider solutions like Seqrite’s Endpoint Security, a simple and comprehensive platform to protect enterprise networks from advanced threats, and Unified Threat Management, a one-stop solution for all enterprise security needs.

The post Investing in Enterprise security is a necessity, not a luxury appeared first on Seqrite Blog.

LORCA Launches Open Call for Fourth Cohort of Cybersecurity Innovators

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the launch of its global open call for its fourth cohort of cyber-scaleups.

LORCA, launched in June 2018 and hosted at Plexal, an innovation center located in the Here East campus in London’s Queen Elizabeth Olympic Park, aims to bolster the UK’s cybersecurity sector and make the internet safer for everyone by supporting the most promising later-stage companies.

LORCA offers 12-month programs from which companies can benefit from a collaborative ecosystem of academia, innovators, government, investors and industry.

It has already welcomed three cohorts of companies into its previous programs, which have gone on to raise over £58m in investment and won 514 contracts.

LORCA is now inviting new applications based on three innovation themes, after consulting with industry leaders from various sectors about their most pressing cyber-challenges and the types of solutions they need from the market in the future.

The three themes are: connected economy, connected everything and connected everyone.

The latest cohort will receive bespoke support with scaling in the UK and abroad, as well as access to commercial and engineering experts through delivery partners Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

Saj Huq, program director, LORCA, said: “As technology increasingly impacts all aspects of business and society, it’s clear that a cybersecurity paradigm shift is needed. Now more than ever, we need to support the development of cutting-edge innovations across the board to help us lead safer digital lives, keep our infrastructure secure and protect our digital economy from complex and evolving cyber threats. Given its increasing significance within a world that is more connected by the day, cybersecurity has to be everywhere – and serve everyone.”

The deadline for applying is Monday November 4 2019, with full details available here.

Free Decryptors Released for Two Ransomware Families

Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free. On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families. In its analysis of the first threat, the Russian security firm found that Yatron derived much of its code […]… Read More

The post Free Decryptors Released for Two Ransomware Families appeared first on The State of Security.

Experts Question ECJ’s Right to be Forgotten Ruling

Google’s victory in a landmark right to be forgotten case asks more questions than it answers, according to legal and technology experts.

The European Court of Justice (ECJ) ruled yesterday that the search giant only needs to remove links from its services inside the EU in order to comply with legitimate right to be forgotten/right to erasure requests.

French privacy regulator CNIL had demanded that Google remove links globally to pages containing false or damaging info on a person, in a case dating back to 2015.

Part of Google’s argument for not removing info outside the EU was that the law could be exploited by oppressive governments to cover up abuses and control the flow of information, much as China does with its Great Firewall censorship apparatus.

“Since 2014, we've worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people's rights of access to information and privacy,” the search giant said of the result. "It's good to see that the court agreed with our arguments."

However, some argued that the ruling undermines the right to be forgotten by failing to institute the law globally.

“Google is normally able to detect visitors from Europe to its global search engines and block them from seeing certain web pages containing sensitive information about individuals from queries made using their names,” explained Simon Migliano, head of research at Top10VPN.

“However, anyone connected to a VPN server located outside Europe will evade such detection and be able to view those results regardless of any 'right to be forgotten' decision in place. This loophole highlights the significant limitations of geo-restricting contentious web content in this day and age.”

Mishcon de Reya data protection adviser, Jon Baines, added that there are still question marks over what happens to the UK if it leaves the EU without a deal.

“Will UK search engine domains retain links to information removed from EU search engine domains? Or might the UK decide ultimately to give effect to delinking decisions made in the EU? Private individuals, as well as businesses, will want urgent clarification on this from government,” he argued.

EU citizens have been able to request information on them be removed from the web since 2014. However, since then, the GDPR has made it easier for EU citizens to request that such information be expunged from the web, with its right to erasure clause. Providers have a month to respond to a verbal or written request.

Ron Moscona, a partner at international law firm Dorsey & Whitney, explained that the ruling has failed to add clarity on how and when the GDPR should be limited in scope to within the EU.

“The provisions of Article 3 of GDPR that define its territorial effect clearly extend the legal rights and obligations of GDPR, in many circumstances, to the processing of personal data outside the EU including by entities operating outside the EU,” he said.

“Today’s decision of the EU court does not address these broader territorial issues.”

LookBack in Anger: 17 US Utilities Firms Targeted by RAT

An APT campaign targeting US utilities firms with a remote access trojan (RAT) has now hit at least 17 firms, according to a new report from Proofpoint.

The security vendor first spotted phishing emails sent to three utilities providers in late July, although the campaign now appears much wider in scope after the discovery of more in August.

It begins with reconnaissance scanning for SMB over port 445, perhaps to identify targets with vulnerabilities in the protocol that could be exploited later on to help attackers spread laterally.

Then comes the delivery of the phishing email itself, using as a lure an invitation to take an exam run by licensing body Global Energy Certification (GEC), administered by the Energy Research and Intelligence Institution.

Emails include the subject line “Take the exam now” and a malicious Microsoft Word attachment named “take the exam now.doc” alongside a legitimate PDF for exam preparation hosted on the real GEC site. This helps to add legitimacy to the spoofed message.

“The attachments titled ‘take the exam now.doc’ contained VBA macros to install LookBack. The macros were mostly the same as those first observed in July and were similarly obfuscated with concatenation commands that made the macros difficult to detect with static signatures,” explained Proofpoint.

“When a user opens the malicious attachment and enables macros, the VBA macro within the Microsoft Word attachment installs several privacy-enhanced mail (PEM) files on the host. When decoded, we found these to be both malware modules and macro variables.”

The ultimate aim of the macro execution is to download LookBack, a modular RAT designed to find, read and delete files, start and delete services, take screenshots, and even move or click the victim’s mouse.

“The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset,” warned Proofpoint.

Andrea Carcano, co-founder of Nozomi Networks, argued that cyber-criminals will often look to exploit human weaknesses to reach targeted systems.

“Therefore, utility providers need to take the time to teach staff to recognize phishing emails and not to click on links or open attachments from unknown sources,” he said.

“In addition, the implementation of advanced cybersecurity technologies, such as machine learning and artificial intelligence, is a critical step towards safe and reliable critical infrastructure. These technologies provide utilities with the ability to jump start their visibility, situational awareness, and their capacity to detect and mitigate cyber-attacks.”

vBulletin zero-day exploited in the wild in wake of exploit release

An anonymous bug hunter has released a working and elegantly simple exploit for a pre-authentication remote code execution flaw (CVE-2019-16759) affecting vBulletin and it didn’t take long for attackers to start using it. About vBulletin vBulletin is the most popular internet forum software in use today. W3Techs says that around 0.1% of all internet sites run a vBulletin forum, though only 6.4% of these use vulnerable 5.x versions. MH Sub I, the company that develops … More

The post vBulletin zero-day exploited in the wild in wake of exploit release appeared first on Help Net Security.

Microsoft Issues Emergency Patch for Critical IE Bug

Microsoft has issued an emergency out-of-band patch for a critical remote code execution vulnerability in Internet Explorer.

CVE-2019-1367 is a bug in the browser’s scripting engine which affects how it handles objects in memory. Specifically, it could corrupt memory so as to allow an attacker to execute arbitrary code, according to a security update.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”

Redmond’s patch modifies how the scripting engine handles objects in memory, in order to fix the issue.

The vulnerability affects Internet Explorer versions 9-11.

The critical bug represents another good reason why IE users should migrate to a modern browser. Yet although Microsoft has been trying to push them towards its Edge offering, the latest stats show it trailing Internet Explorer, with less than half of the legacy browser’s 5.87% market share.

Trustwave’s director EMEA of SpiderLabs, Ed Williams, said the emergency update underlines the importance of good patch management.

“It also highlights the importance of regular asset identification and vulnerability scanning of environments, for example, knowing what to patch once a vulnerability has been identified. We know that attackers are flexible and dynamic and will be looking to further leverage this vulnerability to suit their needs, be it financial or otherwise,” he added.

“While Internet Explorer isn’t as popular as it once was, it is still a rich target for attackers, and with the release of this patch, further emphasizes why it is a business risk when compared to other browsers.”

US Utilities Targeted with LookBack RAT in a new phishing campaign

Security experts at Proofpoint observed a new wave of phishing attacks aimed at US Utilities in an attempt to deliver the LookBack RAT.

Security experts at Proofpoint have discovered a new series of phishing attacks targeting entities in the US utilities sector in an attempt to deliver the LookBack RAT.

In early August, the experts reported that between July 19 and July 25, 2019, several spear-phishing emails were identified targeting three US companies in the utility sector. The phishing messages impersonated a US-based engineering licensing board, with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The threat actors weaponized Word documents to download and execute LookBack, a new remote access Trojan (RAT).

Now Proofpoint experts warn of a new wave of attacks, carried out between August 21 and August 29, in which the threat actors targeted other organizations in the same sector. This time the attackers used phishing emails impersonating a licensing body related to the utilities sector.

The experts reported that at least 17 entities in the US utilities sector have been targeted by these attackers from April 5 through August 29, 2019.

“The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector,” reads the post published by Proofpoint. “In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack.”

The tactics, techniques, and procedures (TTPs) observed in these attacks are consistent with the phishing campaign reported in early August.

The analysis of the attacks allowed the researchers to uncover reconnaissance activity conducted prior to the launch of the phishing campaigns. From a staging IP, the attackers scanned targets for SMB over port 445 for up to two weeks before the phishing emails were sent.

“This is a newly identified TTP not disclosed in our initial publication regarding LookBack.” continues the post. “Observed scanning IPs in some instances have also hosted phishing domains prior to their use in phishing campaigns.”

The phishing messages were sent from an email address at the domain globalenergycertification[.]net in the attempt to trick victims into believing that they were sent by the official GEC website. The malicious messages invited recipients to take the GEC exam administered by the Energy Research and Intelligence Institution.

The weaponized attachments, titled “take the exam now.doc”, contained VBA macros to install LookBack; the macro is quite similar to the one involved in the previous campaign. The phishing emails also had a legitimate and benign PDF file attached. Designed for exam preparation, the PDF was hosted on the legitimate GEC site.

Once the victim opens the attachment and enables macros, the macro installs several privacy-enhanced mail (PEM) files on the host that are both malware modules and macro variables.

The macro drops a version of certutil.exe onto the victim’s machine, and leverages it to decode the following initial files:

  • Pense1.txt contains variables specific to the creation of the GUP proxy tool
  • Pense2.txt pertains to the libcurl.dll downloader
  • Pense3.txt appears to be run alongside pense2.txt.

Experts observed that the threat actors modified the macros in the recent attacks, adding further variables, likely in an attempt to obfuscate the code. The C&C server used in this campaign was 103.253.41[.]45, the same one used by the threat actors in the previous attacks.
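The TTPs described in this article and in the earlier LookBack piece above (SMB probing on port 445 before the phishing wave, a lookalike sender domain, the “take the exam now.doc” lure, a dropped copy of certutil.exe used to decode PEM-encoded payloads, and a fixed C&C address) each leave a distinct trace in ordinary telemetry. The following is an added detection example, not code from Proofpoint or from the article; it runs three simple rule sets over constructed process-creation, network-flow and mail records. The indicators are the ones quoted above; the log field names, the internal address ranges and the sample records are assumptions made for the example.

```python
"""Defender-side checks for the LookBack phishing TTPs (added example, not Proofpoint's code)."""
import ipaddress
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Turn a defanged indicator as printed in the article into a matchable string."""
    return value.replace("[.]", ".")


# Indicators quoted in the article.
PHISHING_DOMAINS = {refang(d) for d in ("globalenergycertification[.]net", "nceess[.]com")}
C2_IPS = {refang("103.253.41[.]45")}
LURE_ATTACHMENT = "take the exam now.doc"
LURE_SUBJECT = "take the exam now"

# Assumed internal address space of the monitored organisation (not from the article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Office processes that have no legitimate reason to launch a decoder or a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"certutil.exe", "cmd.exe", "powershell.exe", "wscript.exe"}

# certutil invoked with its -decode switch, which is how the macro unpacks the PEM files.
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_process(event: dict) -> list:
    """Process-creation record with assumed keys image, parent_image, command_line."""
    alerts = []
    image_path = event.get("image", "")
    image, parent = basename(image_path), basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    if CERTUTIL_DECODE.search(cmd):
        alerts.append(Alert("certutil-decode", cmd))
    # The macro drops its own certutil.exe; a copy outside System32 is suspicious by itself.
    if image == "certutil.exe" and "\\windows\\system32\\" not in image_path.lower():
        alerts.append(Alert("certutil-outside-system32", image_path))
    if parent in OFFICE_PARENTS and image in LOLBINS:
        alerts.append(Alert("office-spawns-lolbin", f"{parent} -> {image}"))
    return alerts


def check_network(event: dict) -> list:
    """Flow record with assumed keys src_ip, dst_ip, dst_port."""
    alerts = []
    if event["dst_ip"] in C2_IPS:
        alerts.append(Alert("known-c2", event["dst_ip"]))
    # Pre-phishing reconnaissance: SMB probes reaching hosts from outside the organisation.
    if event["dst_port"] == 445 and not is_internal(event["src_ip"]):
        alerts.append(Alert("external-smb-probe", event["src_ip"]))
    return alerts


def check_email(msg: dict) -> list:
    """Mail summary with assumed keys sender, subject, attachments."""
    alerts = []
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if domain in PHISHING_DOMAINS:
        alerts.append(Alert("lookalike-sender-domain", domain))
    if msg["subject"].strip().lower() == LURE_SUBJECT:
        alerts.append(Alert("lure-subject", msg["subject"]))
    for name in msg.get("attachments", []):
        if name.lower() == LURE_ATTACHMENT:
            alerts.append(Alert("lure-attachment", name))
    return alerts


# Constructed sample telemetry (not real captures); paths and addresses are illustrative.
SAMPLE_PROCESSES = [
    {"image": "C:\\Users\\victim\\AppData\\Local\\Temp\\certutil.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": "certutil.exe -decode Pense1.txt pense1.dll"},
    {"image": "C:\\Windows\\System32\\certutil.exe",   # benign: Windows refreshing its cert store
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "certutil.exe -pulse"},
]
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.5", "dst_ip": "10.0.0.25", "dst_port": 445},   # external SMB probe
    {"src_ip": "10.0.0.25", "dst_ip": "103.253.41.45", "dst_port": 443},  # beacon to the quoted C&C
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.3", "dst_port": 445},        # benign internal file share
]
SAMPLE_EMAILS = [
    {"sender": "exams@globalenergycertification.net", "subject": "Take the exam now",
     "attachments": ["take the exam now.doc", "exam_prep.pdf"]},
]


def run_all() -> list:
    """Apply every rule set to the sample records and return the alerts raised."""
    alerts = []
    for p in SAMPLE_PROCESSES:
        alerts += check_process(p)
    for f in SAMPLE_FLOWS:
        alerts += check_network(f)
    for m in SAMPLE_EMAILS:
        alerts += check_email(m)
    return alerts


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.rule}] {a.detail}")
```

The process rules are the most durable of the three: the sender domain and C&C address will change between campaigns, but a Word process launching certutil, or certutil running from a user-writable path with -decode, is a behaviour worth alerting on regardless of which actor is behind it.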

“The evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups. However, at the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States,” Proofpoint concludes.

Pierluigi Paganini

(SecurityAffairs – LookBack RAT, hacking)

The post US Utilities Targeted with LookBack RAT in a new phishing campaign appeared first on Security Affairs.

Cybersecurity automation? Yes, wherever possible

There was a time when companies were hesitant about their IT and security teams using automation to discharge some of their duties. “I think much of that was due to the feeling that if a task was automated and something went wrong, IT was not in control and did not have as much visibility,” Candace Worley, Chief Technical Strategist at McAfee, told Help Net Security. But the increasing quantity and sophistication of threats, the massive … More

The post Cybersecurity automation? Yes, wherever possible appeared first on Help Net Security.

How can small companies with limited budgets win at security?

Securing data and systems is a must for every modern organization, but smaller ones often have to deal with budget and workforce limitations that make that goal harder to achieve. We’ve asked Chris Wysopal, CTO at Veracode and well-renowned security expert who is scheduled to hold a keynote at HITB+ CyberWeek on the topic of distributing security more evenly across all technology, to offer some advice for under-resourced organizations. Zero Trust Wysopal advises opting for … More

The post How can small companies with limited budgets win at security? appeared first on Help Net Security.