There are growing disparities in how CEOs and CISOs view the most effective cybersecurity path forward, according to Forcepoint. The global survey of 200 CEOs and CISOs from across industries including healthcare, finance and retail, among others, uncovered prominent cybersecurity stressors and areas of disconnect for business and security leaders, including the lack of an ongoing cybersecurity strategy for less than half of all CEO respondents. The research also identified disparities between geographic regions on … More
Despite efforts by organizations to layer up their cyber defenses, the threat landscape is changing, attackers are innovating and automating their attacks, NTT reveals. The threat landscape is changing Referencing the COVID-19 pandemic, the report highlights the challenges that businesses face as cyber criminals look to gain from the global crisis and the importance of secure-by-design and cyber-resilience. The attack data indicates that 55% of all attacks in 2019 were a combination of web-application and … More
The post With the threat landscape continuously changing, businesses must be ready for anything appeared first on Help Net Security.
Roles across software development teams have changed as more teams adopt DevOps, according to GitLab. The survey of over 3,650 respondents from 21 countries worldwide found that rising rates of DevOps adoption and implementation of new tools has led to sweeping changes in job functions, tool choices and organization charts within developer, security and operations teams. “This year’s Global DevSecOps Survey shows that there are more successful DevOps practitioners than ever before and they report … More
The post With increased DevOps adoption, roles in software development teams are changing appeared first on Help Net Security.
The digital threat landscape is always changing. This year is an excellent (albeit extreme) example. With the help of Dimensional Research, Tripwire found out that 58% of IT security professionals were more concerned about the security of their employees’ home networks than they were before the outbreak of coronavirus 2019 (COVID-19). Slightly fewer percentages of […]… Read More
The post Attacks Targeting ICS & OT Assets Grew 2000% Since 2018, Report Reveals appeared first on The State of Security.
As breaches and hacks continue, and new vulnerabilities are uncovered, secure coding is being recognized as an increasingly important security concept — and not just for back-room techies anymore, Accurics reveals. Cloud stack risk “Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years,” said Sachin Aggarwal, CEO at Accurics. … More
The post Technologies in all layers of the cloud stack are at risk appeared first on Help Net Security.
Senior security leaders within financial services companies are being challenged with a lack of trusted data to make effective security decisions and reduce their risk from cyber incidents, according to Panaseer. Results from a global external survey of over 400 security leaders that work in large financial services companies reveal concerns on security measurement and metrics that include data confidence, manual processes, resource wastage and request overload. Issues with processes, people and technologies The results … More
The post Over half of security leaders still rely on spreadsheets appeared first on Help Net Security.
In this final article of our trilogy, we investigate how a cyber threat intelligence (CTI) analyst and associated programmes provide insight about physical and cyber threats to your organisation. The value of these insights is reflected in the wins, which come as a result of context building, holistic understanding, and enhanced awareness in order to […]… Read More
The post Winning with Cyber Threat Intelligence: Taking a More Personal View appeared first on The State of Security.
Quest Software, a global systems management, data protection and security software provider, announced new feature updates for several of its KACE solution offerings. KACE, a solution-set available from the Quest Unified Endpoint Management business, empower organizations to take control of their network-connected devices and automate endpoint management tasks to ensure license compliance and a secure network. The newest KACE offerings include KACE Systems Management Appliance (SMA) 10.2, KACE Cloud Mobile Device Manager (MDM), and KACE … More
The post Quest Software announces new KACE offerings for endpoint management appeared first on Help Net Security.
As small to mid-sized businesses use more bandwidth every year to modernize their companies, Kinetic Business is proud to announce a SD-WAN solution to help manage their usage. Kinetic Business SD-WAN is built upon VeloCloud technology from VMware, an industry leader in SD-WAN solutions. The partnership between Kinetic and VMware delivers small and mid-size businesses the same control and confidence as major corporations, and it’s easily accessible through an award-winning management portal. “Our customers are … More
The post Kinetic Business unveils SD-WAN built upon VeloCloud technology from VMware appeared first on Help Net Security.
Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.
Researchers from École Polytechnique Fédérale de Lausanne (EPFL) discovered a vulnerability in Bluetooth, dubbed Bluetooth Impersonation AttackS or BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.
The issue potentially impacts over a billion devices.
“To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key. It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS).” reads the vulnerability note VU#647177.
The Bluetooth specification is affected by security flaws that could allow attackers to carry out impersonation attacks while establishing a secure connection.
For a BIAS attack to succeed, the attacker's device must be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bond with a remote device whose Bluetooth address is known to the attacker.
To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key, aka long term key.
The experts explained that the flaw results from how two previously paired devices handle the link key. The link key allows two paired devices to maintain the connection every time data is transferred between them.
The experts discovered that it is possible for an unauthenticated attacker within the wireless range of a target Bluetooth device to spoof the address of a previously paired remote device to successfully complete the authentication procedure with some paired/bonded devices without knowing the link key.
“The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment.” reads the research paper. “Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.”
The researchers reported their findings to the Bluetooth Special Interest Group (SIG), in December 2019.
“The researchers identified that it is possible for an attacking device spoofing the address of a previously bonded remote device to successfully complete the authentication procedure with some paired/bonded devices while not possessing the link key. This may permit an attacker to negotiate a reduced encryption key strength with a device that is still vulnerable to the Key Negotiation of Bluetooth attack disclosed in 2019.” reads the advisory published by the Bluetooth SIG. “If the encryption key length reduction is successful, an attacker may be able to brute force the encryption key and spoof the remote paired device. If the encryption key length reduction is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.”
Experts explained that by combining the BIAS attack with other attacks, such as the KNOB (Key Negotiation of Bluetooth) attack, the attacker can brute-force the encryption key and use it to decrypt communications.
“The BIAS and KNOB attacks can be chained to impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key” states the paper.
Experts tested the attack against as many as 30 Bluetooth devices and found all of them vulnerable to BIAS attacks.
The Bluetooth SIG has addressed the vulnerability by announcing changes in a future specification revision.
The SIG recommends that Bluetooth users install the latest updates from device and operating system manufacturers.
“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the paper concludes. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”
The post Bluetooth BIAS attack threatens billions of devices appeared first on Security Affairs.
Attacks targeting cloud-based data nearly doubled in 2019 as companies shifted more of their valuable information off-premises and misconfigurations and other issues made it more vulnerable, according to the 2020 Verizon Data Breach Investigations Report. Observers expect the trend to continue this year.
Fraudsters are now using numerous spoofed website templates with COVID-19 themes as part of phishing attacks designed to steal login credentials and banking data, according to Proofpoint.
The U.S. Treasury's Financial Crimes Enforcement Network is alerting financial institutions about surging COVID-19 themed scams and other illicit activities, ranging from medical-related fraud involving the sale of fake cures, tests and vaccines to price gouging and hoarding of supplies in shortages.
As many as 30 smartphones, laptops and other devices were tested – and all were found to be vulnerable
The post Bluetooth flaw exposes countless devices to BIAS attacks appeared first on WeLiveSecurity
REvil to Auction Stolen Madonna Data
A threat group that claims to have stolen nearly a terabyte of data from a prominent entertainment law firm has said it will put sensitive information relating to Madonna up for auction.
REvil allegedly made off with 756GB of data from New York lawyers Grubman Shire Meiselas & Sack in a ransomware attack earlier this month. The law firm, whose celebrity client list includes LeBron James and Mariah Carey, confirmed last week that it had fallen victim to a ransomware attack.
After their initial ransom demand for $21m in Bitcoin was not met, REvil doubled it and released 2GB of data that appeared to be taken from contracts involving Lady Gaga. But so far, the law firm has not paid the criminals a dime.
In a statement to Page Six, Grubman Shire Meiselas & Sack said: “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law.”
However, paying to retrieve the encrypted files may not have been ruled out entirely by the law firm, which told Bleeping Computer: “Unless the FBI determines the ransomware was deployed by a designated terrorist organization or nation state, the FBI treats ransomware investigations as criminal matters.”
Now the threat group, intent on monetizing their crime, has said it will auction off stolen data relating to the singer Madonna on May 25. Bidding is set to start at $1m.
The criminals claim that the auction will take place confidentially and that they will delete their copy of the data after the sale has been completed.
Earlier this week, REvil claimed to have data about Donald Trump for sale. The group said that the data was not stolen from Grubman Shire Meiselas & Sack but was "accumulated over the entire time of our activity."
Without producing any evidence to back up its claim, REvil is now conveniently saying that the data on Trump has been sold. On its Tor site, the group stated: "Interested people contacted us and agreed to buy all the data about the US president."
Commenting on the alleged sale of the Trump data, Emsisoft's Brett Callow said: "Whether they had the presidency-destroying information that they claimed to have is something we may never know. But I still think it was probably a bluff!"
What is Disk Cleanup and does it remove viruses?
It happens. You’re in the middle of a computing task, and your screen blinks. The blue screen (Stop Error) is shown with the message that your PC ran into an error and needs to restart. These hiccups occur when your computer’s software, firmware, or drivers crash due to faulty or incompatible hardware or software.
If you’re like most people, you want a computer that’s nimble enough to keep up with your life. When your computer is bogged down with outdated files, you aren’t able to work at an efficient pace.
While a new computer or external drive may give you more file storage space, there’s a faster way to gain usable storage space without straining your budget. This option is called disk cleanup, and all Windows computers come with a version of it that you can use to reclaim hard disk space gratis. Here are some things that you need to know about Microsoft’s disk cleanup tool.
What is Disk Cleanup?
Disk cleanup is a maintenance utility that was developed by Microsoft for its Windows operating system. The utility scans your computer’s hard drive for files that you no longer need such as temporary files, cached webpages, and rejected items that end up in your system’s Recycle Bin. Unless you remove those files, they add up over time and begin taking a lot of space on your computer.
The utility displays the identified files and the amount of storage space that each of them uses within your hard drive. You decide which items to delete by the importance that you place on the files and the amount of hard drive space that you’ll be able to recover. In Windows 10, you can reach this utility by going to your start menu and scrolling to Windows Administrative Tools to click the disk cleanup button.
Windows also has the feature Quick Clean which lets you clean up the junk temporary files from your Windows desktop safely and quickly. It also cleans additional junk files, which the Disk Cleanup Utility does not.
What are System updates?
System updates such as major OS releases, monthly patches and emergency updates have become standard for today’s computers. Most operating systems are set to download the latest updates automatically. However, on Windows devices, the previous version of an operating system isn’t always deleted when the latest version replaces it. After years of updates, you’ll often have several versions of the OS on your computer.
The disk cleanup utility allows you to remove backup shadow copies from your computer. Programs that you download to open or edit a document take up storage space on your computer’s hard drive long after you’ve completed your project. Disk cleanup allows you to locate those programs, see how much storage space they use, and remove them to free up hard disk space. You’ll find these features by selecting the “more options” tab within the disk cleanup menu.
What is Storage Sense?
Microsoft Windows 10 comes with an upgraded disk cleanup function that’s called Storage Sense. With Storage Sense, you can set your system to automatically clean up unwanted files by setting the tab to the “on” position. You choose to allow Storage Sense to remove temporary files that your programs no longer use, files in the Download folder that haven’t changed in 30 days, and files that have been sitting in your Recycle Bin for over 30 days. You can reach Storage Sense by going to the Settings menu, clicking on the Systems button, and selecting the Storage option.
What Are the Benefits of Disk Cleanup?
While you can search for temporary files yourself and delete them manually, you save time by using the Windows disk cleanup tool. You can search your entire hard disk for specific files within a matter of seconds with the disk cleanup utility. The tool also gives you greater control over which files to delete and those to keep. When outdated application files are removed from your system, it runs more smoothly and has fewer crashes.
Does Disk Cleanup Remove Viruses?
One of the most common ways that viruses enter computer systems is through downloads. A user lands on an untrusted website and clicks on a button to get a free download. The download contains a virus that goes undetected. If the application remains untouched for longer than 30 days, you can run the disk cleanup utility to find the offending download and remove it quickly. While you shouldn’t use disk cleanup as a replacement for a robust antivirus product, the tool can work in conjunction with a trusted antivirus solution to better safeguard your computer’s system, files, and data.
The Wrap Up
Whether you use your computer to work from home or to manage your household, you’ll want it to function as it should. This includes the flexibility to download a program for a short-term project or quickly process spreadsheets to share with coworkers on an online portal. These operations are greatly impaired when your hard disk is full of unnecessary files and bloatware. Using the Windows disk cleanup tool allows you to remove these files that could contain malware and increase the capacity and safety of your computing environment.
We identified a notable lack of sophistication in this investigation such as copy/paste, unstable code, dead code and panels that are freely open.
Business and security leaders accept that a hybrid workforce is the new norm - some staff members based in a central office and many others permanently working at home. But what new cybersecurity demands does this strategy present short-term and into 2021? Our expert panel shares insights.
Although FBI technicians were able to gain access to data in two iPhones belonging to a Saudi national who killed three U.S. sailors at a military base in Pensacola, Florida, the Justice Department continues to criticize Apple's refusal to offer law enforcement a backdoor to its encrypted devices.
Minnesota Sees Surge in Sex Crimes Against Minors Online
Minnesota law enforcement agencies have reported a surge in reports of sexual crimes against children online since lockdown measures were introduced to impede the spread of the novel coronavirus.
Authorities believe the jump in crime is linked to children's and predators' spending more time online as schools and businesses remain closed.
The Minnesota Bureau of Criminal Apprehension recorded more than 1,000 complaints involving child pornography or other forms of cyber exploitation of minors in March and April 2020. The disturbing statistic represents a 30% increase in complaints received over the same period last year.
Drew Evans, superintendent of the Bureau of Criminal Apprehension that operates the Internet Crimes Against Children investigative unit, said it was "very unusual to see such a large jump" year on year.
Sadly, the spike in reports of online child exploitation while the United States is under lockdown isn't unique to Minnesota. The National Center of Missing and Exploited Children recorded more than 6 million tips concerning online child exploitation in March and April 2020. This figure is three times higher than the number recorded over the same time period in 2019.
“That’s probably the largest number of reports in a two-month period that we’ve ever received,” said John Shehan, vice president of the center’s Exploited Children Division.
According to Shehan, child predators have openly stated on the dark web that they are taking advantage of stay-at-home orders to indulge their illegal predilections.
Shehan said that the majority of tips received by the center are reports of child pornography, but many concern sextortion incidents in which children are enticed into sharing lewd photos online, usually on social media.
Under social distancing restrictions, Minnesota has suspended the use of grand juries since March 23. Without them, federal prosecutors are struggling to indict crimes involving the sexual exploitation of children online.
“We’re not indicting cases, but they’re still coming in and we’re still working them,” said Minnesota US Attorney Erica MacDonald.
She said her office was working with county prosecutors and law enforcement to ensure “we don’t leave people in the community who are posing an imminent threat” to minors.
MacDonald anticipates a boom in indictments once the temporary suspension is lifted.
Signs Your Email Was Hacked
With the advent of #Staysafe and #Shelterinplace, personal email communication has skyrocketed. This increase has allowed clever hackers to worm their way in by installing viruses via attachments as well as through other common techniques.
You Know You’ve Been Hacked When…
Your Contacts are Receiving Messages Not Sent By You
Messages that seem to come from you to friends or business contacts should alert you to a severe problem on your computer. Friends may feel comfortable telling you about these emails, but business contacts or professional associates may not. Hackers can install malware on their computers through email attachments, and the intruder can find a password with surprisingly little effort.
Your Online Password Stops Working
As a regular visitor to your favorite sites, you know the password that each one requires. While you may accidentally strike a wrong key and create a typo, the chances of doing it twice seem highly unlikely. Since you know that the password appears not to work, you may need to consider the possibility that someone has hacked your email.
Once inside your computer, hackers have almost free rein to look for your passwords. Many people keep a list of passwords for convenience, but such a file is a significant windfall for any hacker who finds it.
Slow and Erratic Computer Performance
Unpredictable conduct by your computer can mean that a virus may have infected it. The sluggishness that replaces the usual prompt response that you expect tells you that you have a problem. Spyware, a malicious type of software, can track your online activity, tamper with your files, and even steal your private information.
When you consider the burden that spyware can place on your system, you can understand the reason for its lackluster speed. While you probably did not notice anything wrong when you downloaded a picture from a website or clicked on an attachment in an email, a virus could have accompanied it. Until you remove the virus, you may feel as though you have someone watching you, and you do.
Watching for Ransomware
A particularly insidious form of malicious software comes with an ability to make you pay for the privilege of controlling your computer. Ransomware can enter your system through emails, and you allow it to do so when you click on an attractive attachment from an unknown sender. Ransomware can lock your files and make them inaccessible. The troublemakers who put it there demand a fee to release its grip on your system.
Perhaps more dangerous than other malicious invasions of your computer, ransomware can completely deny you access to your files and cost you money to get them back. As a reminder of the hazard of opening attachments that can damage your computer and your finances, an email that installs ransomware deserves immediate attention.
What Should I Do if My Email is Hacked?
Change your password
This is the first thing you must do to ensure that the hacker can’t get back into your account. Your new password must be complex and unrelated to previous passwords. Always use 8-10 characters with a mix of upper and lower case characters as well as numbers and symbols.
Reach out to your email contacts immediately
A big part of the hacker’s strategy is to ‘get their claws’ into your address book to hook others as well. Send a message to all of your email contacts as soon as possible. Let them know they should avoid opening any emails (most likely loaded with malware) that have come from you.
Change your security question
If you have security questions associated with your email account, be sure to change them too. Make them unpredictable and niche.
Enable Multi-Factor Authentication
Yes, multi-factor authentication adds another step to your login, but it also adds another layer of protection. Enabling this will mean that in addition to your password, you will need a unique one-time use code to log in. This is usually sent to your mobile phone.
Scan your computer for malware and viruses
This is an essential step. Comprehensive security software will provide you with a digital shield for your online life. McAfee Total Protection lets you protect all your devices – including your smartphone – from viruses and malware. It also contains a password manager to help you remember and generate unique passwords for all your accounts.
Change any other accounts with the same password
This is time-consuming but a worthwhile effort. Ensure that you change any other accounts that use the same username and password as your compromised email. Hackers love when we use the same logins for multiple accounts.
While email can pose potential security risks, antivirus software protects your computer system from potential damage. Programs that run efficiently in the background detect and eliminate threats. Awareness and preparedness can help you thwart attempts to hack private information and let you maintain a secure environment online.
In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” A subsequent review by KrebsOnSecurity quickly determined the data was years old and merely a compilation of credentials pilfered from mostly public data breaches. Earlier today, authorities in Ukraine said they’d apprehended a suspect in the case.
The Security Service of Ukraine (SBU) on Tuesday announced the detention of a hacker known as Sanix (a.k.a. “Sanixer“) from the Ivano-Frankivsk region of the country. The SBU said they found on Sanix’s computer records showing he sold databases with “logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, and information about computers hacked for further use in botnets and for organizing distributed denial-of-service (DDoS) attacks.”
Sanix became famous last year for posting to hacker forums that he was selling the 87GB password dump, labeled “Collection #1.” Shortly after his sale was first detailed by Troy Hunt, who operates the HaveIBeenPwned breach notification service, KrebsOnSecurity contacted Sanix to find out what all the fuss was about. From that story:
“Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his ‘freshest’ offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.”
Alex Holden, chief technology officer and founder of Milwaukee-based Hold Security, said Sanixer’s claim to infamy was simply for disclosing the Collection #1 data, which was just one of many credential dumps amalgamated by other cyber criminals.
“Today, it is even a more common occurrence to see mixing new and old breached credentials,” Holden said. “In fact, large aggregations of stolen credentials have been around since 2013-2014. Even the original attempt to sell the Yahoo breach data was a large mix of several previous unrelated breaches. Collection #1 was one of many credentials collections output by various cyber criminals gangs.”
Sanix was far from a criminal mastermind, and left a long trail of clues that made it almost child’s play to trace his hacker aliases to the real-life identity of a young man in Burshtyn, a city located in Ivano-Frankivsk Oblast in western Ukraine.
Still, perhaps Ukraine’s SBU detained Sanix for other reasons in addition to his peddling of Collection 1. According to cyber intelligence firm Intel 471, Sanix has stayed fairly busy selling credentials that would allow customers to remotely access hacked resources at several large organizations. For example, as recently as earlier this month, Intel 471 spotted Sanix selling access to nearly four dozen universities worldwide, and to a compromised VPN account for the government of San Bernardino, Calif.
KrebsOnSecurity is covering Sanix’s detention mainly to close the loop on an incident that received an incredible amount of international attention. But it’s also another excuse to remind readers about the importance of good password hygiene. A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when available.
By far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.
And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes far more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.
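The passphrase-versus-password comparison above, and the silent-truncation failure mode it warns about, as an added worked example (this is not code from the article): the search space of a random password versus a random passphrase under uniform choice, and a model of a site that keeps only the first N characters of a password before hashing. The alphabet size, the word-list size and the use of SHA-256 as a stand-in for a real password hash are assumptions made for the illustration.

```python
import hashlib
import math

# Constructed parameters for the comparison (assumptions, not values from the article):
PRINTABLE_ASCII = 94   # symbols available to a "complex" password
WORDLIST_SIZE = 7776   # size of a diceware-style word list (6^5 words)


def random_string_bits(length, alphabet_size):
    """Search space, in bits, of a password of `length` symbols chosen
    uniformly at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=WORDLIST_SIZE):
    """Search space, in bits, of a passphrase of `word_count` words chosen
    uniformly at random from a public list of `wordlist_size` words. The
    attacker is assumed to know the list, so only the choice of words counts."""
    return word_count * math.log2(wordlist_size)


def effective_bits(per_char_bits, length, site_limit):
    """Entropy that survives when a site silently keeps only the first
    `site_limit` characters before hashing: characters beyond the limit
    contribute nothing to the attacker's work."""
    return per_char_bits * min(length, site_limit)


def store_password(password, site_limit=None):
    """Model of a site's password store. With `site_limit` set, the site
    truncates the password before hashing, which is the failure mode the
    article describes. SHA-256 stands in for a real password hash here;
    it is not a recommendation for storing passwords."""
    material = password if site_limit is None else password[:site_limit]
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def same_stored_value(pw_a, pw_b, site_limit=None):
    """True when the site would accept either password for the other,
    i.e. when truncation has made them indistinguishable."""
    return store_password(pw_a, site_limit) == store_password(pw_b, site_limit)


if __name__ == "__main__":
    short_complex = random_string_bits(8, PRINTABLE_ASCII)
    six_words = passphrase_bits(6)
    print(f"8-character random password:  {short_complex:.1f} bits")
    print(f"6-word random passphrase:     {six_words:.1f} bits")
    # A 28-character lowercase-plus-space passphrase on a site that keeps only
    # 8 characters collapses to the strength of an 8-character string over a
    # 27-symbol alphabet.
    print(f"same passphrase, truncated to 8 chars: "
          f"{effective_bits(math.log2(27), 28, 8):.1f} bits")
    # Two different passphrases that share their first 8 characters become the
    # same credential on such a site.
    print(same_stored_value("correct horse battery staple", "correct house", site_limit=8))
```

The truncation check is the practical test to run against a site: set a long passphrase, then try to log in with only its first few characters. If the shorter string is accepted, the site is discarding the rest, and the passphrase is only as strong as the retained prefix.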
If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.
Finally, if you haven’t done so lately, mosey on over to twofactorauth.org and see if you are taking full advantage of the strongest available multi-factor authentication option at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device, phone number, or security key. Not saying these additional security methods aren’t also vulnerable to compromise (they absolutely are), but they’re definitely better than just using a password.
When picking a videoconferencing platform, it’s important to find one that helps protect your security and your privacy. Here are some tips.
The post Choosing the Right Videoconferencing Platform: Third Certainty #18 appeared first on Adam Levin.
This blog describes how McAfee ATP (Adaptive Threat Protection) rules are used within McAfee Endpoint Security products. It will help you understand how ATP Rules work and how you can utilize them to prevent infections from prevalent malware families such as Emotet, LemonDuck and PowerMiner. Please read through the recommendation section to effectively utilize rules in your environment.
ATP rules are a form of attack surface reduction technology which detects suspicious use of OS features and applications. These rules target behaviors which are often abused by malware authors. There can be cases where legitimate applications exhibit the same behavior, so rules need to be configured based on the environment.
ATP rules within McAfee Endpoint Security (ENS) 10.5.3 and above have already detected over a million pieces of malware since the start of 2020. This blog will show you how to enable ATP rules and explains why they should be enabled by highlighting some of the malware we detect with them. We’ll also show you how to maximize detection capabilities by tweaking some specific settings.
First, let’s start with an overview. We release ATP rules in three types: Evaluate, DefaultOn and HighOn.
Evaluate rules are tested in the field by McAfee to determine if they are robust enough to detect malicious activity while not producing false positives. Once a rule has been in evaluate mode for a period of time, McAfee researchers will analyze its performance and either make modifications or promote it to DefaultOn or HighOn. ENS ATP customers connected to McAfee ePolicy Orchestrator (ePO) can manually change Evaluate rules to Enabled mode.
DefaultOn rules are created when McAfee has high confidence that no legitimate applications will be impacted. These rules are then enabled by default in all McAfee Endpoint Security rule groups.
HighOn rules detect behavior that is known to be malicious but may have some overlap with non-malicious applications. These rules are set to Observe mode for systems in the “Balanced” rule group, but act as DefaultOn for systems in the “Security” rule group. Later in this blog, we cover how to change the rule group in Endpoint Security products to enable HighOn rules.
How to enable ATP rules in ENS 10.5.3 and above
By default, many ATP rules are set to Observe mode. To enable these rules in an active-blocking mode, log in to the ePO Console and go to Menu->Configuration->Server Settings.
Figure 1. Rules in the Balanced rule group.
Select Adaptive Threat Protection and select the required rule group (Productivity, Balanced, or Security).
As seen in Figure 1, Rule 329 is in Observe mode in the Balanced rule group and, in Figure 2 below, you can see it is Enabled by default in the Security rule group.
Note: As mentioned previously, we analyze rules from time to time and make modifications so you may have different settings in your environment, depending upon the content version.
Figure 2. Rules in Security rule group.
To enable a rule, click Edit below the rules, select the rule you would like to change, then select the desired state – Disabled, Enabled, or Observe. Figure 3 shows how we can change the state of Rule 256, which helps in detecting Emotet and Trickbot downloaders.
Figure 3. Changing the Rule State.
Click on Save and the rule should be enabled on the clients within a few minutes. Here you see that Rule 256 blocks malicious file JTI/Suspect.131328 by default.
Figure 4. Evaluate Rule blocking after Enabling.
Change the assigned rule group to use HighOn rules in ENS 10.5.3 and above
In this section, we will step through how you can change the rule group to “Security” which will enable all the HighOn rules in block mode by default. We recommend you check the logs to see if the HighOn rules have detected clean activity within your environments before changing to this rule group.
To change the rule group, log in to the ePO console and go to Menu->Systems->System Tree.
Figure 5. Selecting the group of systems to modify Policies for ENS.
Select a group and go to the Assigned Policies tab. Select ‘Endpoint Security Adaptive Threat Protection’ from the product dropdown.
Figure 6. Selecting policies to modify the assigned rule group.
Click on ‘My Default’ policy under the ‘Options’ category.
Figure 7. Changing the rule group to Security.
Scroll down to Rule Assignment. From the Rule Assignment drop-down list, select Security and click Save. This will update all the clients with ‘My Default’ policy to the Security rule group.
Enable HighOn rules in MVISION Endpoint
To enable HighOn rules, MVISION Endpoint policy needs to be set to ‘High Protection’ if it is not already set by default. Follow these steps:
Log in to the ePO console and go to Menu->Systems->System Tree.
Figure 8. Selecting the group of systems to modify policies for MVISION Endpoint.
Select a group and go to the Assigned Policies tab. Select ‘MVISION Endpoint’ from the product dropdown.
Figure 9. Selecting the policies to change the Protection mode.
Click on ‘Edit Assignment’ under General Category.
Figure 10. Changing MVISION Endpoint to High Protection.
Change ‘Inherit from’ to ‘Break Inheritance and assign the policy and settings below’. Also, change the ‘Assigned policy’ to ‘High Protection’ from the dropdown list and click on ‘Save’. This will enable all the HighOn rules.
ATP Rules in the Wild
This section highlights three prevalent threats which ATP rules detect. We highlight one rule of each type (DefaultOn, HighOn and Evaluate) to demonstrate the importance of monitoring rule updates and enabling more aggressive rules if they are suitable for your environment.
PowerMiner (DefaultOn example)
PowerMiner is cryptocurrency-mining malware that has been prevalent since 2019. We discussed it in a previous blog on AMSI detection. Its purpose is to infect as many machines as possible to mine Monero. The initial infection vector is a phishing email containing a batch file; once run, the batch file executes a malicious PowerShell script that begins the infection process.
ATP DefaultOn Rule 263 “Detect processes accessing suspicious URLs” and Rule 262 “Identify suspicious command parameter execution for Security rule group assignments” block this threat once PowerShell is executed by Dropper.bat and attempts to download the malicious PS1 file.
This is shown by the red cross in the flow chart above. As mentioned in the AMSI blog, this threat is also covered by our AMSI signatures but as we do with several threats, we have different forms of detection in case the malware authors modify their code to attempt to bypass one of them.
The IP Map below shows the detections of this threat between October 2019 and January 2020 by the ATP Rules mentioned above.
LemonDuck (HighOn example)
LemonDuck, like PowerMiner, is coin-mining malware. It spreads via methods such as the EternalBlue exploit and Mimikatz. Once a machine is infected, LemonDuck creates several scheduled tasks to download its components, including the coin-mining functionality. The flow chart below shows the LemonDuck infection process:
ATP HighOn rule 329 “Identify and block suspicious usage of Scheduled Tasks in high change systems” blocks LemonDuck at the scheduled task creation stage. Again, as with PowerMiner, McAfee also has an AMSI signature which detects this threat as LemonDuck!<partial_hash>.
The IP Map below shows the detections of this threat between October 2019 and January 2020 by the ATP Rule mentioned above.
Emotet Downloader (Evaluate example)
Emotet is a Trojan responsible for downloading and executing several high-profile malware families, including Trickbot, which in turn has been known to download and execute the Ryuk ransomware. Emotet is usually downloaded and executed on the victim’s machine by malicious documents sent out via email spam. The malicious document uses PowerShell to download the Emotet executable and execute it. The flow is shown below:
McAfee ATP rule 256 ‘Detect use of long -encoded command PowerShell’ and rule 264 ‘Inspect EncodedCommand Powershell’ will detect this behavior if enabled. This is not enabled by default as this behavior can be legitimate, so we recommend checking the detections in Evaluate mode and, if no false positives occur, then turning it on. This rule will also block other malware which performs the same activity as Trickbot. The IP Map below shows the detections Rule 256 has had between October 2019 and January 2020. This will include all threats detected by this rule, not just Emotet.
By now you are likely asking yourself which rules you should turn on. Firstly, it should be noted that enabling ATP rules has no performance impact; however, as highlighted in the first section, they can sometimes cause false positives.
From the collection of ATP rules, we recommend turning on the ‘Observe’ mode rules mentioned in this blog.
In addition to the rules mentioned for each threat, the following rules can be turned to ‘Enabled’ mode from the ePO console as we described. As mentioned, there is continuous evaluation of these rules by McAfee researchers which can result in rules moving to a different rule group or merging into other existing rules.
- Rule 238 – Identify abuse of common processes spawned from non-standard locations.
  - Protection from files being executed from suspicious locations which are often used by attackers.
- Rule 309 – Block processes attempting to launch from Office applications.
  - Office documents are the main vectors used to deploy malware. This rule prevents Office applications from being abused to deliver malicious payloads.
- Rule 312 – Prevent email applications, such as Outlook, from spawning script editors and dual-use tools.
  - Spam emails are common initial attack vectors being utilized by malware authors. This rule will help to detect suspicious use of email applications by preventing the launch of uncommon processes.
- Rule 323 – Prevent mshta from being launched as a child process.
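The rule types and per-group states from the overview (Evaluate, DefaultOn, HighOn; Observe, Enabled or Disabled per rule group) and the rule list above, as an added example that is not McAfee's code and not how ENS implements its rules: a small rule engine evaluates constructed process-creation events against matchers modelled on rules 256, 309, 312, 323 and 329 and returns Block or Observe depending on the rule's state in the Balanced or Security rule group. The per-group states, the 40-character threshold for a "long" encoded command, and reading rule 323 as "mshta launched by anything other than the desktop shell" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # full command line


@dataclass
class Rule:
    rule_id: int
    name: str
    matcher: Callable[[ProcessEvent], bool]
    state: Dict[str, str]   # rule group -> "Observe" | "Enabled" | "Disabled"


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EMAIL_APPS = {"outlook.exe"}
DUAL_USE_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; capture the base64 argument
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
LONG_ENCODED_THRESHOLD = 40   # assumption: what counts as a "long" encoded command


def long_encoded_powershell(ev: ProcessEvent) -> bool:
    if ev.image.lower() != "powershell.exe":
        return False
    m = ENCODED_ARG.search(ev.cmdline)
    return bool(m) and len(m.group(1)) >= LONG_ENCODED_THRESHOLD


def office_spawns_process(ev: ProcessEvent) -> bool:
    return ev.parent.lower() in OFFICE_APPS


def email_spawns_dual_use(ev: ProcessEvent) -> bool:
    return ev.parent.lower() in EMAIL_APPS and ev.image.lower() in DUAL_USE_TOOLS


def mshta_as_child(ev: ProcessEvent) -> bool:
    # assumption: a launch from the desktop shell is the user's own action, anything else is a child launch
    return ev.image.lower() == "mshta.exe" and ev.parent.lower() != "explorer.exe"


def scheduled_task_created(ev: ProcessEvent) -> bool:
    return ev.image.lower() == "schtasks.exe" and "/create" in ev.cmdline.lower()


# assumed states: 256 is an Evaluate rule (Observe everywhere), 329 is HighOn (Observe in Balanced,
# Enabled in Security), the others start in Observe and are candidates for Enabled
RULES: List[Rule] = [
    Rule(256, "Detect use of long -encoded command PowerShell", long_encoded_powershell,
         {"Balanced": "Observe", "Security": "Observe"}),
    Rule(309, "Block processes attempting to launch from Office applications", office_spawns_process,
         {"Balanced": "Observe", "Security": "Observe"}),
    Rule(312, "Prevent email applications from spawning script editors and dual-use tools", email_spawns_dual_use,
         {"Balanced": "Observe", "Security": "Observe"}),
    Rule(323, "Prevent mshta from being launched as a child process", mshta_as_child,
         {"Balanced": "Observe", "Security": "Observe"}),
    Rule(329, "Identify and block suspicious usage of Scheduled Tasks in high change systems", scheduled_task_created,
         {"Balanced": "Observe", "Security": "Enabled"}),
]


def evaluate(ev: ProcessEvent, group: str, rules: List[Rule] = RULES) -> List[Tuple[int, str]]:
    """Return (rule id, action) for every rule that matches; Enabled blocks, Observe only logs."""
    verdicts = []
    for rule in rules:
        state = rule.state.get(group, "Disabled")
        if state == "Disabled" or not rule.matcher(ev):
            continue
        verdicts.append((rule.rule_id, "Block" if state == "Enabled" else "Observe"))
    return verdicts


def set_state(rule_id: int, group: str, state: str, rules: List[Rule] = RULES) -> None:
    """The console edit from Figure 3: change one rule's state in one rule group."""
    for rule in rules:
        if rule.rule_id == rule_id:
            rule.state[group] = state


# constructed process-creation events (not real telemetry)
EVENTS = [
    ProcessEvent("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc " + "A" * 64),
    ProcessEvent("outlook.exe", "wscript.exe", r'wscript.exe "C:\Users\user\AppData\Local\Temp\invoice.vbs"'),
    ProcessEvent("cmd.exe", "schtasks.exe", 'schtasks.exe /create /tn "Updater" /tr "C:\\temp\\u.bat" /sc minute /mo 30'),
    ProcessEvent("cmd.exe", "mshta.exe", r"mshta.exe C:\Users\user\AppData\Local\Temp\run.hta"),
    ProcessEvent("explorer.exe", "chrome.exe", "chrome.exe"),
]

if __name__ == "__main__":
    for group in ("Balanced", "Security"):
        print(f"== {group} rule group ==")
        for ev in EVENTS:
            print(f"{ev.parent} -> {ev.image}: {evaluate(ev, group) or 'no match'}")
```

Running the same events through both groups shows the point of the blog's rollout advice: in Balanced, the scheduled-task event is only observed, while in Security it is blocked; and a call to `set_state(256, "Balanced", "Enabled")` turns the encoded-PowerShell observation into a block, which is the moment false positives would surface if the Observe logs had not been reviewed first.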
In general, we recommend looking through your ATP logs and checking to see if any ‘Observe’ mode rules are causing detections. If you find any rules that are not detecting legitimate use cases, we advise changing them to ‘Enabled’ mode.
We advise applying the changes to an ePO group containing a small number of machines and then monitoring that environment for false positives. If there are none, you can deploy the changes to a broader group.
KB Article KB82925 shows all the available ATP rules. You can also refer to the ATP Rules Release Notes which are updated when new rules are created, or existing ones are modified.
We hope that this blog has helped highlight how ATP rules protect your environment against a variety of threats and, by combining this technology with others like AMSI, we reinforce protection.
This blog continues a series which helps showcase our technology, so we also recommend reading the following:
All testing was performed with the JTI Content Version 1134 and MVISION Endpoint Version 18.104.22.168 (in High Protection)
The post How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner appeared first on McAfee Blogs.
Phishing is one of the oldest cyberthreats in the book, and yet still one of the most effective. As people across the globe find themselves taking to the internet more than ever before, criminals see this as an opportunity to release phishing attacks on unsuspecting users. In fact, Security Boulevard found a 600% rise in phishing campaigns in the last month. So, as users leverage the World Wide Web to stay connected with friends and loved ones, it’s imperative that they remain wary of scammers looking to exploit our need to virtually communicate. With that, let’s take a look at why phishing is so effective even in 2020 and explore what actions users can take to stay protected.
What is Phishing?
Phishing attacks occur when scammers attempt to trick users out of money or personal information, usually by email, phone, or text. With so many avenues for criminals to hook victims, phishing is one of the most prevalent threats we see today. As part of their phishing schemes, scammers often use something called social engineering to manipulate users into trusting them for fraudulent purposes, often by pretending to be a legitimate person or business. Through these phishing attacks, criminals can spread malware and other malicious content.
The Evolution of Phishing
As new technology and circumstances arise, scammers find new ways to evolve the age-old technique of phishing. What originated as email and instant messages attempting to steal users’ credentials has since taken on new forms like SMiShing or adapted its content to hook the victim with a shocking subject line.
Why has this technique continued to plague users since its inception? Hackernoon argues that it’s because phishing doesn’t require in-depth networking knowledge or even basic programming skills. It simply relies on human error and the lack of online security awareness, manipulating human psychology just as much as technological tools.
Phishing Capitalizes on Emotion
Let’s face it – we’re all human. Our inherent psychology makes us quick to act on emotion. However, this is much of the reason why phishing has forged on as a favorite among hackers. Unfortunately, criminals tend to capitalize on bad or shocking news to grasp the victim’s attention, leading them to click on malicious links or give up personal data all too eagerly. Take today’s environment, for example. As businesses are faced with budget cuts and organizational restructuring, many users might be uncertain about their job security – an opportunity that scammers are eager to exploit. In fact, some organizations have recently observed phishing emails with subject lines reading “HR Termination List.” Through these malicious attempts, fraudsters use fear tactics to tempt recipients into clicking on links in emails or downloading dangerous content.
With millions of users suddenly out of work, a lot of people have found themselves desperately looking for new job opportunities or seeking financial help. However, users should not let their guard down while job hunting, as this could prevent them from noticing the tell-tale signs of phishing. According to The Motley Fool, some phishing emails and text messages claim to offer work-from-home job opportunities, information about health insurance or Medicare, or loans or other forms of financial relief. In fact, the Federal Communications Commission (FCC) reported that many Americans have received texts from the “FCC Financial Care Center” offering $30,000 in relief for those who have recently been laid off or furloughed. While this might appear to be a saving grace, it is a ploy to trick users into giving up their credentials.
Act Now to Stay Protected
So, whether you’re working from home, participating in distance learning to complete college courses, or video chatting with loved ones, there will always be fraudsters looking to exploit your online activity. However, there are proactive measures you can take to help ensure your security. First and foremost is using comprehensive security software. If you’ve never been targeted by a phishing scam, it might be difficult to envision the benefit of installing a security solution. You might even be convinced that if you haven’t been targeted yet, then you won’t be in the future. However, there’s no off-season when it comes to security. As fraudsters continue to evolve their techniques, employing the help of security software will act as an added safety net in the event that a phishing email appears in your inbox.
Aside from using comprehensive security software, here are some other tips to help protect your online security.
Go directly to the source
Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or with information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service.
Be cautious of emails asking you to act
If you receive an email or text asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.
Hover over links to see and verify the URL
If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.
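The hover-and-verify habit above, done programmatically, as an added example (not McAfee's code): the script pulls every link out of an HTML message body and flags a link whose target is a raw IP address, sits outside the organisation the message claims to be from, or points somewhere other than the address shown in the link text. The sample message, the `example-bank.com` brand domain and the two-label approximation of a registrable domain are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (assumption: good enough here; real code uses a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text: str):
    """Host name if the visible link text itself looks like a URL or domain, else None."""
    if " " in text or "." not in text:
        return None
    parsed = urlparse(text if "://" in text else "http://" + text)
    return parsed.hostname


def check_links(html: str, expected_domain: str) -> list:
    """Flag each link whose target does not match what the message shows or claims."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        findings = []
        target = urlparse(href).hostname or ""
        if IPV4.fullmatch(target):
            findings.append("ip-host")              # raw IP where a brand's site is expected
        if registrable_domain(target) != expected_domain.lower():
            findings.append("off-domain")           # target is not the organisation the mail claims to be from
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append("display-mismatch")     # what you see is not where you go
        report.append({"href": href, "text": text, "findings": findings})
    return report


# constructed sample message: one look-alike link, one honest link, one subdomain trick
SAMPLE_EMAIL = """
<p>Your account is on hold. Sign in at
<a href="http://203.0.113.7/login">https://example-bank.com/login</a> to restore access.</p>
<p>Questions? Visit the <a href="https://example-bank.com/help">help center</a>.</p>
<p>Or <a href="https://example-bank.com.evil.example/reset">reset your password</a>.</p>
"""

if __name__ == "__main__":
    for entry in check_links(SAMPLE_EMAIL, "example-bank.com"):
        print(entry["findings"] or ["ok"], entry["href"])
```

The third link is the case a hover preview catches only if you read the host right to left: `example-bank.com.evil.example` starts with the brand name but is registered under `evil.example`, which is why the check compares registrable domains rather than looking for the brand string anywhere in the host.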
The post Protect Yourself Against Phishing Scams With These Security Tips appeared first on McAfee Blogs.
Over the past few years we’ve seen threats on the web becoming increasingly sophisticated. Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users. We’ve realized that to combat these most effectively, security cannot be one-size-fits-all anymore: That’s why today we are announcing Enhanced Safe Browsing protection in Chrome, a new option for users who require or want a more advanced level of security while browsing the web.
Turning on Enhanced Safe Browsing will substantially increase protection from dangerous websites and downloads. By sharing real-time data with Google Safe Browsing, Chrome can proactively protect you against dangerous sites. If you’re signed in, Chrome and other Google apps you use (Gmail, Drive, etc.) will be able to provide improved protection based on a holistic view of threats you encounter on the web and attacks against your Google Account. In other words, we’re bringing the intelligence of Google’s cutting-edge security tools directly into your browser.
Over the next year, we’ll be adding even more protections to this mode, including tailored warnings for phishing sites and file downloads and cross-product alerts.
Building upon Safe Browsing
Safe Browsing’s blocklist API is an existing security protocol that protects billions of devices worldwide. Every day, Safe Browsing discovers thousands of new unsafe sites and adds them to the blocklist API that is shared with the web industry. Chrome checks the URL of each site you visit or file you download against a local list, which is updated approximately every 30 minutes. Increasingly, some sophisticated phishing sites slip through that 30-minute refresh window by switching domains very quickly.
This protocol is designed so that Google cannot determine the actual URL Chrome visited from this information, and thus by necessity the same verdict is returned regardless of the user’s situation. This means Chrome can’t adjust protection based on what kinds of threats a particular user is seeing or the type of sites they normally visit. So while the Safe Browsing blocklist API remains very powerful and will continue to protect users, we’ve been looking for ways to provide more proactive and tailored protections.
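A simplified model of the two properties just described (the locally held list refreshed every 30 minutes, and a lookup protocol from which the server cannot recover the URL), as an added example that is not Chrome's or Safe Browsing's code: the client keeps only short hash prefixes, decides most lookups locally, and on a prefix hit asks the server for the full hashes behind that prefix alone. Real Safe Browsing derives several host and path expressions per URL and encodes its lists compactly; this model uses one expression and 4-byte prefixes, both assumptions, and the URLs are constructed.

```python
import hashlib
from urllib.parse import urlparse

PREFIX_BYTES = 4            # assumption: 4-byte prefixes, the shortest the Safe Browsing Update API uses
REFRESH_INTERVAL = 30 * 60  # the 30-minute local list refresh described in the post


def lookup_expression(url: str) -> str:
    """Simplified canonical form: lowercase host plus path (the real protocol derives several variants)."""
    parsed = urlparse(url)
    return f"{(parsed.hostname or '').lower()}{parsed.path or '/'}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(lookup_expression(url).encode()).digest()


class BlocklistServer:
    """Holds full hashes of known-bad URLs and serves full hashes on request, keyed only by prefix."""

    def __init__(self, bad_urls) -> None:
        self.hashes = {full_hash(u) for u in bad_urls}
        self.received = []       # everything the client ever sent: only prefixes, never URLs

    def add(self, url: str) -> None:
        self.hashes.add(full_hash(url))

    def prefixes(self) -> set:
        return {h[:PREFIX_BYTES] for h in self.hashes}

    def full_hashes_for(self, prefix: bytes) -> set:
        self.received.append(prefix)
        return {h for h in self.hashes if h.startswith(prefix)}


class LocalList:
    """Client-side prefix list, refreshed at most once every REFRESH_INTERVAL seconds."""

    def __init__(self, server: BlocklistServer, now: float) -> None:
        self.prefixes = server.prefixes()
        self.synced_at = now

    def refresh(self, server: BlocklistServer, now: float) -> bool:
        if now - self.synced_at < REFRESH_INTERVAL:
            return False
        self.prefixes = server.prefixes()
        self.synced_at = now
        return True

    def check(self, url: str, server: BlocklistServer) -> str:
        h = full_hash(url)
        prefix = h[:PREFIX_BYTES]
        if prefix not in self.prefixes:
            return "no-match"            # decided locally; nothing leaves the browser
        # prefix hit: fetch the full hashes behind that prefix and compare locally
        return "unsafe" if h in server.full_hashes_for(prefix) else "no-match"


if __name__ == "__main__":
    # constructed scenario: one listed phishing URL, then a domain rotated in after the client's last sync
    server = BlocklistServer(["https://phish-one.example/login"])
    client = LocalList(server, now=0)
    print(client.check("https://phish-one.example/login", server))   # unsafe
    server.add("https://phish-two.example/login")                    # rotated domain, listed after the sync
    print(client.check("https://phish-two.example/login", server))   # no-match: local list is stale
    client.refresh(server, now=REFRESH_INTERVAL)
    print(client.check("https://phish-two.example/login", server))   # unsafe once the list is refreshed
    print([p.hex() for p in server.received])                        # the server only ever saw prefixes
```

The stale-list step is the window the post is talking about: a domain listed after the client's last sync is invisible to the local check until the next refresh, and because the server only learns a 4-byte prefix on a hit, the same verdict necessarily goes to every client regardless of who they are, which is the limitation Enhanced Safe Browsing's real-time checks are meant to address.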
How Enhanced Safe Browsing works
When you switch to Enhanced Safe Browsing, Chrome will share additional security data directly with Google Safe Browsing to enable more accurate threat assessments. For example, Chrome will check uncommon URLs in real time to detect whether the site you are about to visit may be a phishing site. Chrome will also send a small sample of pages and suspicious downloads to help discover new threats against you and other Chrome users.
If you are signed in to Chrome, this data is temporarily linked to your Google Account. We do this so that when an attack is detected against your browser or account, Safe Browsing can tailor its protections to your situation. In this way, we can provide the most precise protection without unnecessary warnings. After a short period, Safe Browsing anonymizes this data so it is no longer connected to your account.
You can opt in to this mode by visiting Privacy and Security settings > Security > and selecting the “Enhanced protection” mode under Safe Browsing. It will be rolled out gradually in M83 on desktop platforms, with Android support coming in a future release. Enterprise administrators can control this setting via the SafeBrowsingProtectionLevel policy.
Chrome’s billions of users are incredibly diverse, with a full spectrum of needs and perspectives in security and privacy. We will continue to invest in both Standard and Enhanced Safe Browsing with the goal to expand Chrome’s security offerings to cover all users.
New Program Trains Dallas Veterans for Cybersecurity Careers
A new program to train veterans and their families for careers in cybersecurity was announced today by NPower and AT&T.
NPower is a national nonprofit organization that specializes in delivering cutting-edge information technology training to veterans and their families from underserved communities. The new training program, which starts in late June, will support veterans living in Dallas, Texas, as they embark on a second career in the cybersecurity field.
AT&T has worked with NPower to augment the curriculum of the new program. The telecommunications company has also supported the program with a cash injection of $200,000.
AT&T’s contribution to NPower will support 25 veterans and military spouses as they learn the skills necessary to succeed in a new cybersecurity role.
According to the US Department of Labor (DOL), while some industries are struggling with the effects of lockdown measures introduced to slow the spread of COVID-19, the employment prospects for information security analysts are bright.
The DOL states that employment of information security analysts is projected to grow 32% from 2018 to 2028, much faster than the average for all occupations.
“As more people use digital communications to stay connected during the COVID-19 crisis, our country needs more cybersecurity professionals who are ready to help lead the fight against cybercrime,” said Roger Thornton, VP, Products and Technology, AT&T Cybersecurity.
Thornton said that the training veterans receive from the military gives them transferable skills for a new career in digital defense.
“Military veterans are perfect candidates for these positions because they already have many of the technical skills required for a career in information technology," said Thornton.
"At AT&T, we are proud to employ a large number of military veterans, and we are pleased to be working with NPower to prepare even more veterans for a rewarding career that will allow them to help protect our critical digital infrastructure.”
NPower’s curriculum exposes students to security and cloud architecture and teaches them how to diagnose networks, manage operating systems, and utilize security tools to address vulnerabilities and threats. Students have an opportunity to earn both CompTIA Security+ and Linux+ certifications.
Credential theft, social engineering attacks (including phishing and business email compromise) and human errors were involved in just over two-thirds of almost 4,000 data breaches around the world last year, according to the 13th annual Verizon Data Breach Investigations Report.
“These tactics prove effective for attackers,” say the report’s authors, “so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts.”
The 130-page report released this morning aims at giving CISOs a better understanding of the varied threats they face not only generally but in regions and across several industries. This year’s report looks at 16 verticals.
Written in a slightly cheeky style and chock full of statistics, the report uses data from 81 partners (ranging from IT vendors to the U.S. Secret Service) to analyze 32,000 incidents (events that compromise the integrity, confidentiality or availability of an information asset) and 3,950 data breaches (confirmed disclosures of data).
Among the highlights (or lowlights):
- Hacking (defined as an attack using stolen credentials, exploiting vulnerabilities or using back doors) was involved in 45 per cent of breaches; 22 per cent involved attacks through social media (including email); 22 per cent involved malware. Also, employee errors were causal events in 17 per cent of breaches, while eight per cent involved the misuse of data by authorized users.
- Ransomware accounted for 27 per cent of malware incidents (and the share was higher in some verticals, such as government and higher education).
- Web application attacks doubled from 2018 to 43 per cent of all breaches.
- Internal-error-related breaches almost doubled from 2018 (881, versus last year’s 424). However, report authors believe this increase is likely due to improved reporting requirements because of new legislation and changes in existing law rather than insiders making more frequent mistakes.
There is some good news:
- Security tools are getting better at blocking common malware. Data shows that Trojan-type malware peaked at just under half of all breaches in 2016 and has since dropped to only 6.5 per cent. Malware sampling indicates that 45 per cent of malware is either droppers, backdoors or keyloggers. “Although this kind of threat is still plentiful, much of it is being blocked successfully,” say the authors.
- Less than five per cent of breaches involved the exploitation of a vulnerability. “In our dataset, we do not see attackers attempting these kinds of attacks that often; only 2.5 per cent of security information and event management (SIEM) events involved exploiting a vulnerability. This finding suggests that most organizations are doing a good job at patching,” says the report. However, it adds, while patching does seem to be working, poor asset management can hide big problems. “Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defences.”
Finally, for those CISOs worried about insiders, keep it in perspective: The report’s numbers continue a historical trend showing that insiders account for about 24 per cent of breaches — and a lot of the time that’s a user error (a lost laptop, misconfigurations).
“What continues to frustrate people like me is email phishing,” commented report co-author John Loveland in an interview. “We all know that it’s problematic, we all know we shouldn’t be clicking on [links in] emails, but there continue to be click-throughs.”
All that’s needed is one person to click on a malicious link for an attack to start, he noted, “but in this day and age with all the attention around phishing and the technologies that are used to intercept phishing emails it’s still a soft-side of security.”
“We as an industry have to get better at removing the human factor out of that exploit, not only from a training perspective but also from a technology perspective… because that is the primary attack vector. That’s an ongoing frustration every year for me.”
Most worthwhile security controls
Finally, the report points to eight controls the data suggests will be worthwhile for most organizations to tighten their security posture. (The numbers in brackets correspond to the Center for Internet Security Critical Security Controls):
- Continuous vulnerability management (CSC 3). Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfiguration.
- Secure configurations (CSC 5, CSC 11). Ensure and verify that systems are configured with only the services and access needed to achieve their function.
- Email and Web Browser Protection (CSC 7). Lock down browsers and email clients to give your users a fighting chance.
- Limitation and Control of Network Ports, Protocols and Services (CSC 9). Understand what services and ports should be exposed on your systems, and limit access to those.
- Boundary Protection (CSC 12). Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
- Data Protection (CSC 13). Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
- Account Monitoring (CSC 16). Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
- Implement a Security Awareness and Training Program (CSC 17).
Download the full report here. Registration required.
NTT Report Demonstrates Changing Approaches of Cyber-Criminals
There was a marked increase in the volume of cyber-attacks across all industries in 2019 compared with 2018, according to NTT’s 2020 Global Threat Intelligence Report (GTIR) published today. The study also revealed the extent to which cyber-criminals are innovating their methods, which is causing major challenges to all organizations.
According to the global technology service company, the most common methods used by malicious actors last year were remote code execution (15%) and injection (14%) attacks. Such attacks were found to be effective due to organizations’ poor practices related to network, operating system and application configuration, testing, security controls and overall security hygiene.
Additionally, the growing use of artificial intelligence (AI) and machine learning to automate attacks by cyber-criminals was highlighted, with 21% of malware detected found to be in the form of a vulnerability scanner.
NTT also said it had seen a re-emergence of Internet of Things (IoT) weaponization in 2019, with a resurgence of Mirai and derivatives underpinning these attacks.
In the wide-ranging report, it was revealed that technology was the sector most targeted by cyber-criminals last year, involved in 25% of all attacks compared with 17% in the previous year. More than half of attacks aimed at this industry were application-specific (31%) and DoS/DDoS (25%). This was followed by government, at 16% of all attacks, and finance at 15%.
Around 20% of attacks targeted content management systems such as WordPress, Joomla!, Drupal and noneCMS, which criminals see as a means of stealing data from businesses and launching further attacks.
Mark Thomas, global head of threat intelligence at NTT, commented: “The technology sector experienced a 70% increase in overall attack volume. Weaponization of IoT attacks also contributed to this rise and, while no single botnet dominated activity, we saw significant volumes of both Mirai and IoTroop activity. Attacks on government organizations nearly doubled, including big jumps in both reconnaissance activity and application-specific attacks, driven by threat actors taking advantage of the increase in online local and regional services delivered to citizens.”
The report also made some observations regarding the activities of cyber-criminals so far in 2020, particularly in light of the COVID-19 pandemic.
Matthew Gyde, president and CEO of the security division, NTT, said: “The current global crisis has shown us that cyber-criminals will always take advantage of any situation and organizations must be ready for anything. We are already seeing an increased number of ransomware attacks on healthcare organizations and we expect this to get worse before it gets better. Now more than ever, it’s critical to pay attention to the security that enables your business, making sure you are cyber-resilient and maximizing the effectiveness of secure-by-design initiatives.”
As both organizations and developers adapt to the new reality of working and collaborating in a remote environment, it’s more important than ever to ensure that their experiences are secure and trusted. As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers.
New Identity capabilities to help foster a secure apps ecosystem
As organizations continue to adapt to the new requirements of remote work, we’ve seen an increase in the deployment and usage of cloud applications. These cloud applications often need access to user or company data, which has increased the need to provide strong security not just for users but applications themselves. Today we are announcing several capabilities for developers, admins, and end-users that help foster a secure and trustworthy app ecosystem:
- Publisher Verification allows developers to demonstrate to customers, with a verified checkmark, that the application they’re using comes from a trusted and authentic source. An application marked as publisher verified means that the publisher has verified their identity through the verification process with the Microsoft Partner Network (MPN) and has associated their MPN account with their application registration.
- Application consent policies allow admins to configure policies that determine which applications users can consent to. Admins can allow users to consent to applications that have been Publisher Verified, helping developers unlock user-driven adoption of their apps.
- Microsoft Authentication Library (MSAL) for Angular is generally available and our web library identity.web for ASP.NET Core is in public preview. MSAL makes it easy to implement the right authentication patterns, security features, and integration points that support any Microsoft identity—from Azure Active Directory (Azure AD) accounts to Microsoft accounts.
In addition, we’re making it easier for organizations and developers to secure, manage and build apps that connect with different types of users outside an organization with Azure AD External Identities now in preview. With Azure AD External Identities, developers can build flexible, user-centric experiences that enable self-service sign-up and sign-in and allow continuous customization without duplicating coding effort.
You can learn even more about our Identity-based solutions and additional announcements by heading over to the Azure Active Directory Tech Community blog and reading Alex Simons’ post.
Azure Security Center innovations
Azure Security Center is a unified infrastructure security management system for both Azure and hybrid cloud resources on-premises or in other clouds. We’re pleased to announce two new innovations for Azure Security Center, both of which will help secure our customers:
First, we’re announcing that the Azure Secure Score API is now available to customers, bringing even more innovation to Secure Score, which is a central component of security posture management in Azure Security Center. The recent enhancements to Secure Score (in preview) give customers an easier-to-understand and more effective way to assess risk in their environment and prioritize which action to take first in order to reduce it. It also simplifies the long list of findings by grouping the recommendations into a set of Security Controls, each representing an attack surface and scored accordingly.
Second, we’re announcing that suppression rules for Azure Security Center alerts are now publicly available. Customers can use suppression rules to reduce alert fatigue and focus on the most relevant threats by hiding alerts that are known to be innocuous or related to normal activities in their organization. Suppressed alerts will be hidden in Azure Security Center and Azure Sentinel but will still be available with ‘dismissed’ state. You can learn more about suppression rules by visiting Suppressing alerts from Azure Security Center’s threat protection.
Azure Disk Encryption and encryption & key management updates
We continue to invest in encryption options for our customers. Here are our most recent updates:
- Fifty more Azure services now support customer-managed keys for encryption at rest. This helps customers control their encryption keys to meet their compliance or regulatory requirements. The full list of services is here. We have now made this capability part of the Azure Security Benchmark, so that our customers can govern use of all their Azure services in a consistent manner.
- Azure Disk Encryption helps protect data on disks that are used with VMs and VM scale sets, and we have now added the ability to use Azure Disk Encryption to secure Red Hat Enterprise Linux BYOS Gold Images. The subscription must be registered before Azure Disk Encryption can be enabled.
Azure Key Vault innovation
Azure Key Vault is a unified service for secret management, certificate management, and encryption key management, backed by FIPS-validated hardware security modules (HSMs). Here are some of the new capabilities we are bringing for our customers:
- Enhanced security with Private Link—This is an optional control that enables customers to access their Azure Key Vault over a private endpoint in their virtual network. Traffic between their virtual network and Azure Key Vault flows over the Microsoft backbone network, thus providing additional assurance.
- More choices for BYOK—Some of our customers generate encryption keys outside Azure and import them into Azure Key Vault, in order to meet their regulatory needs or to centralize where their keys are generated. Now, in addition to nCipher nShield HSMs, they can also use SafeNet Luna HSMs or Fortanix SDKMS to generate their keys. These additions are in preview.
- Make it easier to rotate secrets—Earlier we released a public preview of notifications for keys, secrets, and certificates. This allows customers to receive events at each point of the lifecycle of these objects and define custom actions. A common action is rotating secrets on a schedule so that they can limit the impact of credential exposure. You can see the new tutorial here.
Platform security innovation
Platform security for customers’ data recently took a big step forward with the General Availability of Azure Confidential Computing. Using the latest Intel SGX CPU hardware backed by attestation, Azure provides a new class of VMs that protects the confidentiality and integrity of customer data while in memory (or “in-use”), ensuring that cloud administrators and datacenter operators with physical access to the servers cannot access the customer’s data.
Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. In addition to expanded coverage of services in Customer Lockbox for Microsoft Azure, this feature is now available in preview for our customers in Azure Government cloud.
You can learn more about our Azure security offerings by heading to the Azure Security Center Tech Community.
British airline EasyJet announced it was the victim of a “highly sophisticated” cyber attack that exposed email addresses and travel details of around 9 million of its customers.
British airline EasyJet announced that a “highly sophisticated” cyber-attack exposed email addresses and travel details of around 9 million of its customers.
“Following discussions with the Information Commissioner’s Office (“ICO”), the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source.” reads a statement from the company. “Our investigation found that the email address and travel details of approximately 9 million customers were accessed.”
According to the company, hackers also accessed the data of a small subset of customers, obtaining credit card details for 2,208 of them; no passport details were exposed.
“Our forensic investigation found that, for a very small subset of customers (2,208), credit card details were accessed.” continues the company.
At the time of writing the airline did not disclose details of the security breach, it is not clear when the incident took place and how EasyJet discovered the intrusion.
EasyJet conducted a forensic investigation and, once it identified the unauthorized access, closed it off.
The airline reported the incident to the Information Commissioner’s Office (ICO); the good news is that the company is not aware of any attack in the wild that abused the stolen information.
EasyJet is still investigating the security breach.
“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” says EasyJet Chief Executive Officer Johan Lundgren.
“Since we became aware of the incident, it has become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams. Every business must continue to stay agile to stay ahead of the threat.”
The airline has started notifying all the impacted customers of the incident and is recommending that they be “extra vigilant, particularly if they receive unsolicited communications.”
According to Reuters, which cited two people familiar with the investigation, the hacking tools and techniques used by the attackers point to a group of suspected Chinese hackers that has targeted multiple airlines in recent months.
The post Easyjet hacked: 9 million customer’s data exposed along with 2,200+ credit card details appeared first on Security Affairs.
European budget airline EasyJet says it suffered a data breach that exposed 9 million customers' personal details. While no passport details were exposed, the company's ongoing investigation has also found that attackers "accessed" a small number - just 2,208 - of customers' payment card details.
In 2018, PCI Security Standards Council established its first Global Executive Assessor Roundtable (GEAR) consisting of senior leadership members of payment security assessors. The vision for the roundtable was simple: encourage the exchange of information, and increase payment security, through greater coordination with this key stakeholder group.
In my last blog I talked about how we should define “zero day” and the many misuses which in my view muddy the waters, making it ever more difficult to address the actual problem. In case you missed that one you can read it here, or you can simply accept the premise that zero day threats are very rare.
Either way, I absolutely accept that we shouldn’t stop worrying about zero-day threats completely, but I do think we should put them into context and focus our resources accordingly. The VAST majority of malware we face is not zero day and is in fact exploiting vulnerabilities that are known about and have available patches to render them ineffective.
Focusing your resources accordingly will, of course, depend on how many resources you have and how skilled they are, so you should adapt the below list to fit your situation, but as a general rule here’s how I would prioritize things:
Application of new patches is a key part of your defense.
There are times (and places) where patching cannot be implemented immediately, but if you can patch you should do so – and do so as fast as possible.
Don’t overlook the importance of user education.
A significant proportion of malware is delivered via phishing attacks and better training would reduce the number of times these links are activated, resulting in fewer attacks that your other defenses need to identify and block (and of course fewer they can potentially miss).
Defense in depth is the only sensible approach.
As malware creators become more adept at tricking users and technology alike, putting all your eggs in one basket seems to be a more and more outdated approach. An endpoint security solution that leverages multiple methods of protection has a higher chance of being effective.
- The fastest and least resource intensive method of catching malware is via signatures. It may sound a bit ‘last century’ and it’s true that signatures can only catch malware that has already been seen elsewhere (and you may even be thinking about that 725,000 number I mentioned in my previous blog) but keep in mind that even if this method won’t catch the very newest malware it’s still the best way to identify the other 925 million malware files in the database. Filtering out the known bad files without overtaxing your PC allows more CPU cycles for other tasks – namely, the machine learning methods in the next 2 points but even more importantly, running the applications you actually turned the PC on for!
- Once you have filtered out a large proportion of the known bad malware, you need to think about how to protect against the small percentage for which signatures do not exist – and that brings us back to the previously mentioned machine learning. To understand more about machine learning in general try reading this blog written by one of my colleagues. But, for the purposes of this blog, and in the context of anti-malware, machine learning comes in 2 fundamental flavors: pre-execution machine learning and post-execution machine learning (or machine-learning-assisted behavioral analysis). The pre-execution flavor does exactly what it says on the tin… it examines a file before it allows it to execute and tests it against a malware model. If it deems the file is statistically likely to be malware then it blocks it – critically, before it is allowed to execute and therefore before it can do any damage whatsoever. Post-execution machine learning requires the file to execute and then, instead of examining the static file for indications of maliciousness, it watches the actual behavior of the process(es). Once this trace data is available it can be compared to a different type of model and again an estimation can be made as to whether it is likely to be malicious or not. Both variants have value and complement each other, so just as you should be looking at both signature- and non-signature-based detection, you should be looking at both pre- and post-execution versions of machine learning.
- The scenario outlined above where post-execution scanning is required (because the pre-execution scan has not identified something that is malicious and allows it to execute) is a neat segue into the value of application containment. This concept, delivered by McAfee back in 2017, is designed to minimize the damage that a malicious process can achieve even when the endpoint defenses have been deceived. This is of particular importance given the current prevalence of crypto-malware, whereby even if the behavioral analysis does identify malware running on your system it may have already deleted restore points, encrypted data and overwritten source files. Dynamic Application Containment checks whether a file has a reputation; if it does not (so it is known as neither good nor bad), and assuming the pre-execution scan suggests it is safe, it will allow the file to execute but will contain it at the same time. This means that should it subsequently turn out to be malicious it will have been prevented from, for example, overwriting user data, modifying the registry, accessing network shares and a whole host of other things we wouldn’t want the bad guys to do.
- In some environments you can also consider application control as a way of ensuring that malicious code cannot take advantage of any vulnerabilities that may exist. This is a whitelist type approach that allows the IT department to predefine a set of applications and code that is allowed to execute and simply blocks everything else. Since malicious code won’t be on the whitelist it can never run, so why isn’t this the default position of every enterprise worldwide? Answer: because it tends to result in the IT department being overrun with irate users trying to get the job done and discovering that only a limited set of applications will work. One person is a lover of a different web browser, but they’re blocked from using that application. Another person has a personal device and wants to load the relevant software to connect it, but they can’t. A third person wants to use their great new presentation clicker only to find it needs its own software – and that’s not allowed. The list goes on… and the users get more irate.
- Some endpoint security solutions are better than others, but it is worth keeping in mind that there has never been, nor will there ever be one that is 100% perfect. No vendor can guarantee that malware or hackers will never find their way into your environment and that is why there is a burgeoning market for Endpoint Detection and Response (EDR) solutions. These solutions are designed to continually analyze and interrogate your infrastructure to detect low-level malicious activity that is going unidentified by other defense systems, and then enable you to react to those threats, isolate infected systems, remediate the damage and restore normal service as quickly as possible.
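The layered flow described in the points above (cheap signature lookup first, a static pre-execution score, then containment of no-reputation files while a post-execution behavioral score is computed), as an added simulation written for this post; it is not McAfee's product logic. The hashes, feature names, event names, weights and thresholds are all constructed, and the static "model" is a stand-in weighted heuristic.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample hashes standing in for a vendor signature database.
KNOWN_BAD = {hashlib.sha256(b"constructed malware sample").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"constructed signed editor").hexdigest()}

# Actions a no-reputation process may attempt but that containment denies
# (the post lists overwriting user data, registry changes and network shares).
CONTAINED_ACTIONS = {
    "overwrite_user_file", "modify_registry",
    "access_network_share", "delete_restore_points",
}

# Behaviours typical of crypto-malware, with constructed per-event weights.
BEHAVIOUR_WEIGHTS = {
    "delete_restore_points": 0.6,
    "overwrite_user_file": 0.05,        # per file; mass overwrites accumulate
    "rename_with_new_extension": 0.05,
    "modify_registry": 0.1,
    "access_network_share": 0.1,
}
BEHAVIOUR_THRESHOLD = 0.8
PRE_EXECUTION_THRESHOLD = 0.7


@dataclass
class Verdict:
    stage: str                       # which layer made the call
    decision: str                    # "block", "allow" or "contain"
    behaviour_score: float = 0.0
    denied: list = field(default_factory=list)   # actions containment stopped


def signature_lookup(payload: bytes) -> str:
    """Cheapest layer: exact-match reputation from the signature set."""
    digest = hashlib.sha256(payload).hexdigest()
    if digest in KNOWN_BAD:
        return "bad"
    if digest in KNOWN_GOOD:
        return "good"
    return "unknown"


def pre_execution_score(features: dict) -> float:
    """Stand-in for a static ML model: constructed weighted file features."""
    score = 0.0
    if features.get("packed"):
        score += 0.4
    if features.get("unsigned"):
        score += 0.2
    score += 0.1 * len(features.get("suspicious_imports", []))
    return min(score, 1.0)


def behaviour_score(events: list) -> float:
    """Post-execution layer: score the attempted process trace."""
    return min(sum(BEHAVIOUR_WEIGHTS.get(e, 0.0) for e in events), 1.0)


def run_layers(payload: bytes, features: dict, events: list) -> Verdict:
    reputation = signature_lookup(payload)
    if reputation == "bad":
        return Verdict("signature", "block")
    if reputation == "good":
        return Verdict("signature", "allow")        # trusted: runs uncontained
    if pre_execution_score(features) >= PRE_EXECUTION_THRESHOLD:
        return Verdict("pre-execution", "block")     # stopped before it runs
    # Unknown reputation and statically clean: allow, but contain.
    denied = [e for e in events if e in CONTAINED_ACTIONS]
    # The behavioural model still sees every attempted action, so a late
    # "malicious" verdict arrives after the damaging actions were denied.
    score = behaviour_score(events)
    if score >= BEHAVIOUR_THRESHOLD:
        return Verdict("post-execution", "block", score, denied)
    return Verdict("containment", "contain", score, denied)


if __name__ == "__main__":
    # Constructed ransomware-like trace from a file with no reputation.
    trace = ["delete_restore_points"] + ["overwrite_user_file"] * 5
    print(run_layers(b"never seen before", {"unsigned": True}, trace))
```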
In summary, zero day threats are a pretty long way down the list of things I think companies should be focusing on addressing. That’s not to say they should be ignored, but there are easier things to fix and which are likely to have a more positive impact. My advice would be to hold off until patching is fully under control, the users know how to act as your first line of defense and you have a good quality antimalware solution (leveraging both signatures and machine learning) installed. Only then should you be turning your attention to the dangers of the ‘zero day’!
The airline has said the personal information of 9 million customers has been compromised
Phishers are trying to bypass the multi-factor authentication (MFA) protection on users’ Office 365 accounts by tricking them into granting permissions to a rogue application. The app allows attackers to access and modify the contents of the victim’s account, but also to retain that access indefinitely, Cofense researchers warn. The attack The attack starts with an invitation email that directs potential victims to a file hosted on Microsoft SharePoint (a web-based collaborative platform that integrates … More
The post Phishers are trying to bypass Office 365 MFA via rogue apps appeared first on Help Net Security.
easyJet Says Details of Nine Million Customers Accessed in Data Breach
easyJet has revealed that the personal data of approximately nine million of its customers has been accessed following a “highly sophisticated” cyber-attack on its system. This includes credit card details of a small subset of these customers (2208), with the airline confirming it has already taken action to contact and offer support to those individuals.
For the rest of the customers affected, email addresses and travel details were accessed. Easyjet said these customers will be contacted in the next few days and the company will “advise them of protective steps to minimize any risk of potential phishing.”
The company took immediate steps to manage the incident once it was aware of the attack and closed off the unauthorized access. It also stated that it has notified the National Cyber Security Centre and the Information Commissioner's Office (ICO) of the breach. The firm has not given any details on the nature of the breach.
There is currently no evidence that the information accessed has been misused; however, the airline is urging its customers to stay alert to any unsolicited communications and to be “cautious of any communications purporting to come from easyJet or easyJet Holidays.”
Johan Lundgren, easyJet chief executive officer, said: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber-attackers get ever more sophisticated.
“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”
The incident has come at a particularly bad time for easyJet, which faces the possibility of a large fine under General Data Protection Regulation (GDPR) rules.
Commenting on the breach, Felix Rosbach, product manager at data security specialists comforte AG, said: “The aviation industry is struggling at present given the current pandemic so seeing another major airline succumb to a data breach is not pleasant. On first glance, easyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.”
Last year, British Airways (BA) was hit by a record £183m GDPR fine (a notice of intent to fine) after failing to prevent a digital skimming attack in 2018.
Today, we published a special supplement to our annual State of Software Security report that focuses exclusively on the security posture of the open source libraries found in applications. Prominent in almost every application today, open source libraries allow developers to move faster by quickly adding basic functionality. In fact, it would be nearly impossible to innovate with software without these libraries. However, lack of awareness about where and how open source libraries are being used and their risk factors is a problematic practice. This analysis, which examined 351,000 external libraries in 85,000 applications, found that open source libraries are, as expected, ubiquitous in applications, and that they do in fact contain risky code. But it also unearthed some good news about ways to keep track of and alleviate that risk. The report’s highlights include:
Open source libraries are ubiquitous, and risky
Along with their prevalence comes risk. The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries, present in 30 percent of libraries, followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).
Developers may be pulling in more libraries than they realize
This report highlights the amount of interconnected dependencies among open source libraries, and how that can be contributing to layers of hidden risk. In fact, our data reveals that most flawed libraries end up in code indirectly. Forty-seven percent of the flawed libraries in applications are transitive, in other words, they are not pulled in directly by developers, but are being pulled in by the first library (42 percent are pulled in directly, 12 percent are both). This means that developers are introducing much more code, and often flawed code, than they might be anticipating.
Securing these libraries is not necessarily a major undertaking
In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!
This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.
See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.
Software as a Service (SaaS) applications are known for their high potential for cybersecurity vulnerabilities — that is, if you don’t manage them properly. What’s more, with so many SaaS apps available online, it can be hard to keep track of every single one that your employees might be using, which can increase your security vulnerabilities.
The good news is, you can reduce the risks of cyber threats by keeping a close eye on your SaaS management system and establishing the right strategies, like overcoming cloud security challenges. There are many ways to defend against cyber threats, but in this guide, we’ll take a look at how SaaS management vigilance can protect your company from cyberattacks.
SaaS management is the practice of monitoring and controlling your company’s purchasing, licensing, renewals, onboarding and offboarding of SaaS apps. Software that’s accessed over the web comes in literally thousands of shapes and sizes.
This array of diversity, and the different ways each product is used in different business environments, makes it crucial to proactively manage your SaaS stack. Vigilant management is the only way to ensure your team is making the most of its tools while minimizing the associated dangers.
Here are more details on four key benefits associated with SaaS management.
1. Gives you visibility over your SaaS apps
You need to have visibility over your SaaS apps to track their effectiveness, ensure that you’re getting the returns for your investment, and manage your software and tools successfully. Without an excellent vantage point, however, you could miss seeing potential gaps in your company’s security from unaccounted and unassessed apps.
An excellent way to ensure you have visibility over your applications and tools stack is to work with a SaaS management platform. Platforms like Intello, for instance, offer a wide range of features and tools to help you gain full visibility over all the SaaS apps in your company. Plus, the platform can help your company reduce spending and optimize apps usage based on data analytics and insights – and get alerts about newly added apps, upcoming renewals, etc.
Why is automated SaaS stack transparency such a game changer? “Because manually tracking this in a spreadsheet or through conversations with various departments isn’t going to cut it when the average organization of more than 300 employees has at least 150-300 SaaS apps currently in use,” notes Intello’s Kelsie Skinner. “And from our experience, most IT Managers are only aware of 30-50% of those today.”
By gaining visibility over your SaaS solutions, you’ll know who uses what, how, and when at all times – giving you control over the tools and apps that should only be used in your company.
2. Reduces and prevents the risks of Shadow IT
Any time software or hardware is purchased, installed, or used without approval from your IT department, it’s considered to be “shadow IT.”
The freedom to adopt new tech solutions at will is a productivity dream for line-of-business employees. Shadow IT, however, poses tons of potential security risks because most times, your employees and teams can forget, underutilize, and mismanage them. For instance, unsanctioned software and platforms like cloud storage might not adhere to the same security standards your company has set in place – which can lead to vulnerabilities in your systems or privacy regulation violations.
By establishing SaaS management vigilance, you can mitigate the risks of shadow IT.
Here are a few tips on how to do just that.
- Build a risk prioritization and ranking system since not all apps outside your IT control offer the same level of threats to your company.
- Create a list of approved devices for BYOD (Bring Your Own Device) use and set specific restrictions such as prohibiting the use of jailbroken operating systems in smartphones, tablets, etc.
- Use the right solutions and platforms to help you monitor your network for shadow IT applications.
- Block the installation and use of apps that might be dangerous to your systems and require users to get approval from your IT department before they can download.
With a SaaS management system that monitors unsanctioned use of unauthorized apps and tools, you can reduce cybersecurity risks and prevent potential cyberattacks to your company.
3. Keeps your license management up-to-date
With the sheer number of SaaS tools and apps in your IT infrastructure, it can get challenging to keep track of renewals and underutilized or unused licenses. However, without clear ownership attribution to teams or employees, unused licenses can pose security threats.
For instance, without license attribution of ownership, ensuring your company doesn’t neglect or forget to revoke access to former employees so they no longer have access to your confidential business information can be challenging.
Plus, unused licenses can potentially trigger automatic renewals – which can incur unnecessary costs for your company.
By implementing proper and active SaaS management, you can keep all these things from happening and ensure you get the most value out of your investment. Additionally, optimizing your SaaS licenses helps ensure the number of seats meets your company’s actual needs, preserving the value of your tools and apps.
4. Establishes an onboarding system for your employees
One of the best ways to ensure your SaaS apps are deployed properly and that the rules about usage are clear is by setting everything straight for your employees and teams from the get-go. If not, unclear SaaS management policies or issues with gaining access to various software services your company uses can lead to misuse and mismanagement.
Plus, this can potentially lead your staff to turn to unsanctioned tools and software instead – which can increase your cybersecurity risks.
To help ensure that your SaaS protocols and systems are adopted correctly in your company, you can organize your employee onboarding process for each tool. You can assign teams or your IT department to ensure that all new employees get proper access and training for the various software services your company is using.
Doing so will help eliminate potential inefficiencies since your employees understand the proper deployment of your SaaS apps. This also helps ensure that no service is underutilized, mismanaged, and misused – which can reduce the risks of potential security vulnerabilities and cyberattacks. You should also have an offboarding system to ensure that employees who no longer work for your company do not have access to your SaaS apps.
The bottom line
Implementing vigilance on your SaaS management and using the right strategies can help protect your company from potential cyberattacks.
Not only that, but having a robust SaaS management system in place will help reduce the complexities of managing many software and apps, improve your visibility over your entire application stack, and remove overlapping tools.
There’s a pretty common misconception among small businesses and medium-sized businesses (SMBs) that hackers only target large organizations. Unfortunately, this belief couldn’t be further from the truth. In fact, according to the most recent Verizon Data Breach Investigations Report, more than 70% of cyberattacks target small businesses. Additionally, many attacks are now shifting to target managed service providers (MSPs), specifically because breaching an MSP can give hackers access to their entire SMB customer base.
Why are hackers targeting SMBs?
Simply put: it’s easy money. First, the smaller the business is, the less likely it is to have adequate cyber defenses. Moreover, even larger SMBs typically don’t have the budgets or resources for dedicated security teams or state-of-the-art intrusion prevention. On top of that, smaller businesses often lack measures like strong security policies and cybersecurity education programs for end users, so common vulnerabilities like poorly trained users, weak passwords, lax email security, and out-of-date applications make SMBs prime targets.
What’s more: some hackers specialize in breaching specific business types or industries, refining their expertise with each new attack.
Which business types are in the cross hairs?
Realistically speaking, the majority of businesses face similar amounts of risk. However, some industries do tend to be targeted more often, such as finance or healthcare. Here are some of the business types that are currently topping hacking hit lists.
Managed Service Providers
MSPs hold a lot of valuable data for multiple customers across industries, which makes them desirable targets. Hackers use a technique known as “island hopping”, in which they jump from one business to another via stolen login credentials. MSPs and their SMB customers are both potential targets of these attacks.
Healthcare
Hospitals, physical therapy offices, pediatricians, chiropractors, and other healthcare practices are easy targets for cybercrime because they can have such chaotic day-to-day operations, and because they often lack solid security practices. In addition, medical data and research can be extremely valuable. Patient records alone can sell for up to $1,000 or more on the dark web.
Governments
There are many reasons that cybercriminals, particularly nation-state terrorists, might target local and national governments. In particular, small governments and local agencies generate troves of sensitive information, while large governments can be victims of nationwide disruption, either for financial gain or sheer destruction.
Financial Institutions
You probably aren’t surprised by this list item. Banks, credit unions, and other financial institutions have long been targets for hackers due to a wealth of data and money. Only a few years ago in 2018, over 25% of all malware attacks targeted banks, more than any other industry. More recently, automation has further enabled cybercriminals to run advanced attacks on financial institutions at scale.
Celebrities, Politicians, and High-Profile Brands
Hacktivists, who are usually politically, economically, or socially motivated, like to seek out politicians, celebrities, and other prominent organizations as targets. They may even attempt to embarrass public figures or businesses by stealing and disseminating sensitive, proprietary, or classified data to cause public disruption, or for private financial gain via blackmail.
What are your next steps?
The only real requirement for becoming a hacking target is having something that hackers want, which means all businesses are at risk. Luckily, a few relatively straightforward tips can go a long way in keeping your business secure.
Think Like a Hacker
Cybersecurity awareness training with phishing simulations is a vital component of an effective protection strategy. In fact, Webroot’s own research found that regular training over just 4-6 months reduced clicks on phishing links by 65%. Understanding hacker practices and motivations can help you predict potential threats and thwart attacks.
Lock Down Your Business First
The right security layers can protect you from threats on all sides. If you haven’t already, check out our free Lockdown Lessons, which include a variety of guides, podcasts, and webinars designed to help MSPs and businesses stay safe from cybercrime.
Embrace Comprehensive Cyber Resilience
Being resilient in the face of cybercrime doesn’t just mean having powerful, automated endpoint threat detection in place. It also means having security layers that can protect your business and clients front and back. That includes layers like security awareness training, as well as network protection and strong backup and disaster recovery services. The best defense is prevention, and by preventing attacks and planning your recovery proactively, you’ll be ready to bounce back right away at the first sign of trouble.
Hackers have diverse means and motives, so it’s up to you to know their methods and prepare your business and customers to block advanced threats.
To get started on the road to cyber resilience, you can learn more about Webroot® Business Endpoint Protection or take a free trial here.
The personal details of nine million customers of budget airline EasyJet have been accessed by hackers in what the budget airline is describing as a “highly sophisticated attack.”
British low-cost airline group easyJet revealed that a hacking incident had exposed approximately nine million customers’ information. On May 19, easyJet issued a “Notice of cyber security incident” in which it revealed that it had fallen victim to a digital attack from a “highly sophisticated source.” An investigation revealed that those responsible for the security […]
The post Around 9 Million easyJet Customers’ Details Stolen in Hacking Incident appeared first on The State of Security.
The Australian flat product steel producer BlueScope Steel Limited was hit by a cyberattack that caused disruptions to some of its operations.
Australian steel producer BlueScope was recently hit by a cyberattack that disrupted some of its operations.
The incident was spotted on Friday at one of its businesses located in the US, but the company did not share any detail about the attack.
“BlueScope today confirmed that its IT systems have been affected by a cyber incident, causing disruptions to parts of the Company’s operations. Our North Star, Asian and New Zealand businesses are continuing largely unaffected with minor disruptions.” reads the statement published by the company. “In Australia, manufacturing and sales operations have been impacted; some processes have been paused, whilst other processes including steel despatches continue with some manual processes and workarounds.”
Disruption of this kind is usually the result of a ransomware attack, and that suspicion was confirmed by iTnews, which reported that the incident was caused by this family of malware and that the company is restoring systems from backups.
“BlueScope Steel is suffering IT “disruption” that is believed to be the result of a ransomware infection, impacting production systems used by its global operations.” reads a post published by iTnews. “iTnews has learned that production systems were halted company-wide in the early hours of Thursday morning, though recovery from backup was understood to be progressing on Thursday afternoon.”
BlueScope confirmed that the security incident impacted some of its IT systems. Manufacturing and sales operations in Australia were deeply impacted.
“In the affected areas the Company has reverted to manual operations where possible while it fully assesses the impact and remediates as required, in order to return to normal operations as quickly as possible.” continues the post.
Recently another Australian giant was hit by ransomware: the transportation and logistics giant Toll Group disclosed a security incident.
In May, Toll Group informed its customers that it had shut down some IT systems after a new ransomware attack, the second infection disclosed by the company this year.
Toll staff discovered the infection after noticing unusual activity on some servers, further investigation revealed the presence of the Nefilim ransomware.
(SecurityAffairs – BlueScope, hacking)
The post Australian product steel producer BlueScope hit by cyberattack appeared first on Security Affairs.
The FBI has issued a “flash alert” warning that hackers are planting Magecart-style credit card-skimming code on Magento-powered online stores running an out-of-date plugin.
Trust in Data and Metrics Processes Cause Security Headaches for Financial Services
Security leaders are being challenged to create business metrics, but without having total trust in the data they work with.
According to research by Panaseer of over 400 security leaders in financial services organizations, 96% of companies use metrics to measure their cyber-posture, but 36% said their biggest challenge in creating metrics to measure and report on risk is trust in the data.
Other issues included the resources required to produce metrics (21%), the frequency of requests (14%) and confusion over knowing what metric to use (15%). Fewer than half of respondents (47%) could claim to be very confident that they are using the right security metrics to measure cyber-risk.
Nik Whitfield, CEO, Panaseer, said not knowing the accuracy, timeliness or even limitations of a security metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface.
“We must move on from the era of out-of-date inaccurate metrics to one where they are automated and measured on a continuous basis,” he said. “Financial service organizations, in particular, need trusted and timely metrics into an organization’s technology risk, segmented where possible to critical operations. With this information, the board can then have a better understanding of what risks are and aren't acceptable to keep customer data safe.”
The research determined the primary use for security metrics to be risk management (41%), demonstrating the success of security initiatives (28%), supporting security investment business cases (19%) and board and executive reporting (10%).
The research also found that teams are wasting an inordinate amount of time processing metrics, as it can take an average of five days to produce them. Auditors demand data most frequently at every 10.4 days per month, while boards have a need for updated metrics almost twice a month or more.
Commenting, Bob Sibik, vice-president of Fusion Risk Management, said that most CEOs “are starved for metrics and want solid metrics as they use them to prepare for how secure they are.” Talking to Infosecurity, Sibik said CEOs like “internal metrics” to show trends and to be able to compare themselves to their peers.
“We rely heavily [on metrics] and metrics are huge for us, and they come in handy and are crucial for day-to-day operations and to define a future strategy,” said Fusion director of cybersecurity, Safi Raza.
Manual processes were also cited as fueling data mistrust. Over half (59%) of security leaders said that they are still relying on spreadsheets to produce metrics and 52% are using custom scripts. Nearly one in five (18%) admitted to relying exclusively on manual processes to develop their security metrics for risk.
Ben Buchanan has written "A National Security Research Agenda for Cybersecurity and Artificial Intelligence." It's really good -- well worth reading.
Airline apologises after credit card details of about 2,200 passengers were stolen
EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.
The company on Tuesday disclosed that email addresses and travel details were accessed and said it will contact all of the customers affected.
FBI Unlocks Pensacola Shooter’s iPhones as Barr Slams Apple
The US attorney general has again attacked Apple for its stance on device encryption even as he revealed that FBI investigators had managed to access a deceased terrorist’s iPhones.
At a press conference to announce updates to the investigation into fatal shootings at Pensacola Naval Air Station, William Barr, claimed the “relentless efforts and ingenuity of FBI technicians” had helped reveal more about Mohammed Saeed Alshamrani’s ties to Al Qaeda.
However, he couldn’t resist doubling down on long-standing government criticism of Silicon Valley over encryption.
“Apple made a business and marketing decision to design its phones in such a way that only the user can unlock the contents no matter the circumstances,” Barr argued.
“In cases like this, where the user is a terrorist, or in other cases, where the user is a violent criminal, human trafficker, or child predator, Apple’s decision has dangerous consequences for public safety and national security and is, in my judgment, unacceptable.”
Barr again repeated the belief, roundly debunked by the world’s leading encryption experts, that “there is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security.”
In fact, it is widely believed in security circles that if Apple or any tech firm engineered de facto backdoors into their products, the information would eventually end up on the cybercrime underground, undermining security for hundreds of millions of legitimate users.
The Cupertino giant hit back at Barr’s suggestion it had not been any help in the investigation, claiming that it provided iCloud backups, account info and other information on Alshamrani to the FBI.
“The false claims made about our company are an excuse to weaken encryption and other security measures that protect millions of users and our national security,” it continued in a statement.
“It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers.”
Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.
Cybercriminals Capitalizing on the Chaos
The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely.
A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month.
Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector
The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects.
The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand.
The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day.
Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days.
The cybersecurity experts who studied these attacks stressed that, since the messages contained accurate details about real-life companies and events associated with the oil industry, the attackers had taken the time to research their targets and craft maximally convincing content.
Hackers Love Causing Severe Disruptions
Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018.
The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue.
Although the alert did not name the energy company, it mentioned that the hackers depended on spear-phishing to get the credentials necessary for entering the business’s information technology (IT) network. They then used that access to wreak havoc on the enterprise’s operational technology infrastructure.
Not a New Concern
Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too.
In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up.
Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February.
The Energy Industry Must Remain Vigilant
The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.
(SecurityAffairs – COVID-19, hacking)
The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.
NHS Trusts Fail Government Cybersecurity Tests
Only one of hundreds of NHS trusts has passed the government-backed Cyber Essentials Plus assessment, according to a concerning new report from the National Audit Office (NAO).
Of the 204 trusts with on-site assessments in place, the average score was 63%, according to a new report from the NAO on digital transformation in the health service.
Although this is an increase from an estimated 50% in 2017, trusts require a 100% pass rate. The scheme tests areas such as vulnerability management, access controls, end-user devices, servers and network security.
“NHSX and NHS Digital consider some trusts have reached an acceptable standard, even though they did not score 100% in the assessment, and note there has been a general improvement in cybersecurity across the NHS,” the NAO explained.
“However, while some attempts have been made to address underlying cybersecurity issues, and progress has been made, it remains an area of concern. A 2019 survey of 186 IT leaders across the sector showed that 61% considered cybersecurity one of their top priorities (sixth highest priority overall).”
The NAO expressed particular concerns over legacy systems in the NHS, although it claimed that since the 2017 WannaCry incident a Windows 10 licensing agreement has been reached which should partly address this. A Data Security Centre was also launched to help prevent, detect and respond to cyber-attacks.
The NAO’s report on the ransomware worm laid the blame on systemic failures at the NHS and Department of Health. Although NHS Digital issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry, there was no formal mechanism for checking whether trusts had complied, it found.
Incident response plans were also found not to have been tested at a local level, meaning some trusts couldn’t communicate with national bodies when the ransomware struck.
Around a third of trusts were disrupted due to the cyber-attack, with an estimated 19,000 appointments and operations cancelled. It’s calculated to have cost the NHS £92m, mainly in emergency IT support.
Cloud Exposes SMBs to Attack as Human Error Grows
SMBs are increasingly seeing the same kinds of cyber-attacks as their larger counterparts as cloud and web-based applications help to close the gap between the two, according to Verizon.
The vendor’s annual Data Breach Investigations Report is compiled from an analysis of 32,002 security incidents and 3950 confirmed breaches.
The report claimed that smaller businesses comprised just over a quarter (28%) of the total number of breaches.
However, more telling was the alignment of top breach-related threats: phishing came top for both SMBs and larger firms, with password dumper malware and stolen credentials featuring in the top four for both.
More than a fifth (20%) of attacks on SMBs were against web applications and involved the use of stolen credentials.
In fact, attacks against cloud-based data were on the up overall with web app threats doubling to 43%. Credential theft, errors and social attacks like phishing accounted for over two-thirds (67%) of breaches.
Preventing human error has also become an increasingly important factor in cybersecurity. This year’s report found that error-related breaches are even more common than malware-driven breaches and almost as common as phishing.
In total, human error accounted for 22% of all breaches, with misdelivery of emails slightly more common than the growing challenge of misconfiguration.
“The fact that misconfiguration is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities,” argued Tripwire VP of product management, Tim Erlin.
“At a high level, the key things for every organization to worry about are brute forced and stolen credentials, and web applications.”
On the plus side, patching appears to be getting better: just one in 20 breaches exploit vulnerabilities, and 81% were contained within a day or less.
Elsewhere, the insider threat remains pronounced, accounting for 30% of all breaches, while organized crime dominated the external breaches, comprising 55% of the overall total.
“If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure,” said Erlin.
Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.
Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Secure Web Gateway 5.0.2.8.
“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”
Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.
Experts first observed exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered in early April. The botnet borrows code from the Tsunami and Gafgyt botnets; it has expanded its list of targeted devices and added new distributed denial of service (DDoS) capabilities.
In the first week of May, the experts also spotted a Mirai variant using the same exploit, but these samples don’t contain any DDoS capabilities.
“They serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability. This blog post provides any noteworthy technical details on these two campaigns.” continues the report.
According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or exploitation of the Symantec Web Gateways exploit.
Experts note that the exploit is only effective for authenticated sessions and the affected devices are End of Life (EOL) from 2012.
“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.
The report published by Palo Alto Networks contains technical details about the botnets, including the Indicators of Compromise (IoCs).
(SecurityAffairs – Symantec Web Gateways, hacking)
The post Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways appeared first on Security Affairs.
Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year. Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals … More
A hacker is offering for sale on a dark web forum a database containing 129 million records of car owners in Moscow.
A hacker is attempting to sell on a dark web forum a database containing 129 million records of car owners in Moscow.
As a proof of the authenticity of the data, the hacker has leaked some anonymized data containing all the car details present in the traffic police registry.
The archive doesn’t include car owners’ personal details; the exposed data consists of each car’s make and model, place of registration, and the dates of first and last registration.
The seller is offering the full version of the database for 0.3 BTC, which at the current rate is about $2,677; for 1.5 BTC ($13,386) it is possible to purchase the information for “exclusive use.”
The accuracy of the data has been verified by Vedomosti media.
“Hackers posted a darknet database of Russian car owners, it includes 129 million positions from the traffic police registry. The authenticity of the information was confirmed by an employee of the car-sharing company, Vedomosti reports.” reads the website rbc.ru.
“In the published data there is only anonymized information. These include: place and date of registration of the car, make and model. According to hackers, the full version also contains the name, address, date of birth, passport numbers of car owners and their contact information.”
According to the Russian blog Nora the Hedgehog, several portals where people can pay fines for violating COVID-19 quarantine are leaking their full names and passport numbers by simply providing the registration number of the ticket.
The worst news is that the portals don’t implement any protection against brute-force attacks, allowing attackers to try all the possible combinations of unique ticket numbers to retrieve personal details of the people that paid the fines.
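The weakness described above combines two design errors: the record is keyed by a sequential ticket number that anyone can guess, and nothing limits how fast a caller can guess. The following Python is an added example (not code from the portals, Nora the Hedgehog or Security Affairs) showing the weak lookup beside a hardened one that replaces the sequential number with an unguessable reference and applies a per-client sliding-window rate limit. All ticket data is constructed sample data; the class and function names are assumptions for the example.

```python
"""Added example: keeping a fine-payment lookup from leaking identities by enumeration."""
import secrets
import time
from collections import defaultdict, deque

# Constructed sample data (not from any real registry): ticket number -> personal details.
SAMPLE_TICKETS = {
    1001: {"name": "Sample Person A", "passport": "0000 000001"},
    1002: {"name": "Sample Person B", "passport": "0000 000002"},
}


def weak_lookup(ticket_no):
    """The weak design: a small sequential number is the only key and nothing throttles callers."""
    return SAMPLE_TICKETS.get(ticket_no)


class RateLimited(Exception):
    """Raised when a client exceeds its attempt budget within the window."""


class HardenedLookup:
    """Two mitigations for the failure mode above:
    1. an unguessable reference (128 bits of randomness) is the lookup key, so the
       key space cannot be walked sequentially;
    2. every client gets a fixed number of attempts per sliding window, and every
       attempt (hit or miss) counts, so guessing cannot be hidden among misses.
    """

    def __init__(self, records, max_attempts=5, window_seconds=60):
        self._records = dict(records)
        self._refs = {}                      # unguessable reference -> ticket number
        self._attempts = defaultdict(deque)  # client id -> timestamps of recent attempts
        self.max_attempts = max_attempts
        self.window = window_seconds

    def issue_reference(self, ticket_no):
        """Called when the fine is issued; the reference is what gets printed on the ticket."""
        if ticket_no not in self._records:
            raise KeyError(ticket_no)
        ref = secrets.token_urlsafe(16)  # 16 random bytes, URL-safe base64 encoded
        self._refs[ref] = ticket_no
        return ref

    def lookup(self, client_id, ref, now=None):
        """Return the record for `ref`, or None for an unknown reference.

        `client_id` is whatever the deployment uses to identify a caller (e.g. source
        address or session); `now` is injectable so the window logic is testable.
        """
        now = time.monotonic() if now is None else now
        recent = self._attempts[client_id]
        # Drop attempts that have aged out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            raise RateLimited(client_id)
        recent.append(now)  # record the attempt before revealing anything
        ticket_no = self._refs.get(ref)
        return None if ticket_no is None else self._records[ticket_no]

    def attempts_remaining(self, client_id, now=None):
        """How many lookups this client may still make inside the current window."""
        now = time.monotonic() if now is None else now
        live = [t for t in self._attempts[client_id] if now - t <= self.window]
        return max(0, self.max_attempts - len(live))


if __name__ == "__main__":
    svc = HardenedLookup(SAMPLE_TICKETS, max_attempts=3)
    ref = svc.issue_reference(1001)
    print("weak lookup by sequential number:", weak_lookup(1001))
    print("hardened lookup by reference:", svc.lookup("client-a", ref))
    print("attempts left for client-a:", svc.attempts_remaining("client-a"))
```

The per-client budget is deliberately counted on every call, before the answer is computed, so a caller who alternates valid and invalid references gains nothing. In a real deployment the reference map would live in the database alongside the ticket, and the rate limit would normally sit at the edge (reverse proxy or WAF) as well as in the application.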
(SecurityAffairs – dark web, hacking)
The post 129 million records of Russian car owners available on the dark web appeared first on Security Affairs.
If your organisation is to remain compliant with ISO 27001, you need to conduct regular internal audits.
An ISO 27001 internal audit will check that your ISMS (information security management system) still meets the requirements of the ISO 27001 standard.
Regular audits can be beneficial, since they enable continual improvement of your framework.
What is an internal audit?
An internal audit, unlike a certification review, is conducted by your own staff, who will use the results to guide the future of your ISMS.
The requirements of an internal audit are described in clause 9.2 of ISO 27001.
Get started with your ISO 27001 audit plan
To help you achieve ISMS internal audit success, we have developed a five-step checklist that organisations of any size can follow.
1) Documentation review
You should begin by reviewing the documentation you created when implementing your ISMS.
This is because the audit’s scope should match that of your organisation.
Therefore, doing so will set clear limits for what needs to be audited.
You should also identify the main stakeholders in the ISMS.
This will allow you to easily request any documentation that might be required during the audit.
2) Management review
This is where the audit really begins to take shape.
Before creating a detailed audit plan, you should liaise with management to agree on timing and resourcing for the audit.
This will often involve establishing set checkpoints at which you will provide interim updates to the board.
Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.
3) Field review
This is what you might think of as the ‘audit proper’. It is at this stage when the practical assessment of your organisation takes place.
You will need to:
- Observe how the ISMS works in practice by speaking with front-line staff members.
- Perform audit tests to validate evidence as it is gathered.
- Complete audit reports to document the results of each test.
- Review ISMS documents, printouts and any other relevant data.
The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan and control objectives.
Occasionally, this analysis may reveal gaps in the evidence or indicate the need for more audit tests.
You will need to present the audit’s findings to management. Your report should include:
- An introduction clarifying the scope, objectives, timing and extent of the work performed.
- An executive summary covering the key findings, a high-level analysis and a conclusion.
- The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
- An in-depth analysis of the findings.
- Conclusions and recommended corrective actions.
- A statement detailing recommendations or scope limitations.
Further review and revision might be needed, because the final report typically involves management committing to an action plan.
How often do I need to conduct an audit?
Like many standards, ISO 27001 doesn’t specify how often an organisation needs to carry out an internal audit.
That’s because every organisation’s ISMS is different and will need to be treated as such.
Experts recommend carrying out an ISO 27001 internal audit annually. This won’t always be possible, but you need to conduct an audit at least once every three years.
This is the length that most ISO 27001 certification bodies validate an organisation’s ISMS for, suggesting that beyond this point there’s a good chance that the organisation has fallen out of compliance.
Need help with your ISO 27001 audit?
At IT Governance, we’re serious about security.
Our unique combination of technology, methodology and expertise will give you the peace of mind that your organisation is secure and compliant.
You can take the hassle out of the audit process and save time and money with our market-leading ISO 27001 ISMS Documentation Toolkit.
Developed by expert ISO 27001 practitioners, it contains a customisable scope statement as well as templates for every document you need to implement and maintain an ISO 27001-compliant ISMS.
The ISO 27001 ISMS Documentation toolkit includes a template of the internal audit procedure.
A version of this blog was originally published on 18 July 2018.
“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”
"There is no silver bullet with password security, but MFA comes close; it significantly reduces the risk of account compromise."
"The built-in biometric authentication capabilities of smartphones are a significant advancement for security"
"Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."
"As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."
"The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."
"Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts break down the steady stream of data into actionable intelligence, reducing workload and false-positive errors."
"When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"