Daily Archives: November 10, 2020

Attackers vs. Hackers – Two *Very* Different Animals

The cybersecurity industry is more well-informed than most, but even so, misconceptions arise and spread, helped along by the fact that the rise in cybersecurity incidents has led to substantial “pop culture” intrigue with all things cybersecurity. One of the more harmful of these misconceptions is the conflation of “hacker” and “attacker,” terms which are […]… Read More

The post Attackers vs. Hackers – Two *Very* Different Animals appeared first on The State of Security.

Patch Tuesday, November 2020 Edition

Adobe and Microsoft each issued a bevy of updates today to plug critical security holes in their software. Microsoft’s release includes fixes for 112 separate flaws, including one zero-day vulnerability that is already being exploited to attack Windows users. Microsoft also is taking flak for changing its security advisories and limiting the amount of information disclosed about each bug.

Some 17 of the 112 issues fixed in today’s patch batch involve “critical” problems in Windows, or those that can be exploited by malware or malcontents to seize complete, remote control over a vulnerable Windows computer without any help from users.

Most of the rest were assigned the rating “important,” which in Redmond parlance refers to a vulnerability whose exploitation could “compromise the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

A chief concern among all these updates this month is CVE-2020-17087, which is an “important” bug in the Windows kernel that is already seeing active exploitation. CVE-2020-17087 is not listed as critical because it’s what’s known as a privilege escalation flaw that would allow an attacker who has already compromised a less powerful user account on a system to gain administrative control. In essence, it would have to be chained with another exploit.

Unfortunately, this is exactly what Google researchers described witnessing recently. On Oct. 20, Google released an update for its Chrome browser which fixed a bug (CVE-2020-15999) that was seen being used in conjunction with CVE-2020-17087 to compromise Windows users.

If you take a look at the advisory Microsoft released today for CVE-2020-17087 (or any others from today’s batch), you might notice they look a bit more sparse. That’s because Microsoft has opted to restructure those advisories around the Common Vulnerability Scoring System (CVSS) format to more closely align the format of the advisories with that of other major software vendors.

But in so doing, Microsoft has also removed some useful information, such as the description explaining in broad terms the scope of the vulnerability, how it can be exploited, and what the result of the exploitation might be. Microsoft explained its reasoning behind this shift in a blog post.

Not everyone is happy with the new format. Bob Huber, chief security officer at Tenable, praised Microsoft for adopting an industry standard, but said the company should consider that folks who review Patch Tuesday releases aren’t security practitioners but rather IT counterparts responsible for actually applying the updates who often aren’t able (and shouldn’t have to) decipher raw CVSS data.

“With this new format, end users are completely blind to how a particular CVE impacts them,” Huber said. “What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users. However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”

Dustin Childs with Trend Micro‘s Zero Day Initiative also puzzled over the lack of details included in Microsoft advisories tied to two other flaws fixed today — including one in Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, which is a scary-looking weakness in the Windows Network File System (NFS).

The Exchange problem, Childs said, was reported by the winner of the Pwn2Own Miami bug finding contest.

“With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned,” Childs said. “It is very likely he will publish the details of these bugs soon. Microsoft rates this as important, but I would treat it as critical, especially since people seem to find it hard to patch Exchange at all.”

Likewise, with CVE-2020-17051, there was a noticeable lack of detail for bug that earned a CVSS score of 9.8 (10 is the most dangerous).

“With no description to work from, we need to rely on the CVSS to provide clues about the real risk from the bug,” Childs said. “Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.”

Separately, Adobe today released updates to plug at least 14 security holes in Adobe Acrobat and Reader. Details about those fixes are available here. There are no security updates for Adobe’s Flash Player, which Adobe has said will be retired at the end of the year. Microsoft, which has bundled versions of Flash with its Web browsers, says it plans to ship an update in December that will remove Flash from Windows PCs, and last month it made the removal tool available for download.

Windows 10 users should be aware that the operating system will download updates and install them on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system, see this guide.

But please do back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

VERT Threat Alert: November 2020 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s November 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-915 on Wednesday, November 11th. Note: Microsoft has changed their advisory format and no longer provides basic vulnerability descriptions. In-The-Wild & Disclosed CVEs CVE-2020-17087 This CVE describes a local elevation of privilege vulnerability […]… Read More

The post VERT Threat Alert: November 2020 Patch Tuesday Analysis appeared first on The State of Security.

Getting to Know Cloudjacking and Cloud Mining Could Save Your Business

Reading Time: ~ 4 min.

A few years back, cryptojacking and cryptomining emerged as relatively low-effort ways to profit by hijacking another’s computing resources. Today, cloudjacking and cloud mining capitalize on similar principles, only by targeting the near infinite resources of the cloud to generate revenue for attackers. Knowing this growing threat is key to maintaining cyber resilience.

Enterprise-level organizations make especially attractive cloudjacking targets for a few reasons. As mentioned, the computing power of cloud networks is effectively limitless for all but the most brazen cybercriminals.

Additionally, excess electricity consumption, one of the most common tipoffs for smaller scale cryptojacking attacks, often goes unnoticed at the scale large corporations are used to operating. The same goes for CPU.

Careful threat actors can also throttle back the amount of resources they’re ripping off—when attacking a smaller organization, for instance—to avoid detection. Essentially, the resources stolen at any one time in these attacks are a drop in the Pacific Ocean to their largest targets. Over time, though, and depending on particulars of a usage contract, the spend for CPU used can really add up.

“Hackers have definitely transitioned away from launching ransomware attacks indiscriminately,” says Webroot threat analyst Tyler Moffitt. “It used to be, ‘everybody gets the same payload, everyone has the same flat-rate ransom.’

“That’s all changed. Now, ransomware actors want to go after businesses with large attack surfaces and more pocketbook money than, say, grandma’s computer to pay if they’re breached. Cloud is essentially a new market.”

High-profile cloudjacking incidents

Arguably the most famous example of cloudjacking, at least in terms of headlines generated, was a 2018 attack on the electric car manufacturers Tesla. In that incident, cybercriminals were discovered running malware to leech the company’s Amazon Web Service cloud computing power to mine cryptocurrency.

Even with an organization of Tesla’s scale, the attackers reportedly used a throttling technique to ensure their operations weren’t uncovered. Ultimately, they were reported by a third-party that was compensated for their discovery.  

More recently, the hacking group TeamTNT developed a worm capable of stealing AWS credentials and implanting cloudjacking malware on systems using the cloud service. It does this by searching for accounts using popular development tools, like Docker or Kubernets, that are both improperly configured and running AWS, then performing a few simple searches for the unencrypted credentials.

TeamTNT’s total haul remains unclear, since it can spread it’s ‘earnings’ across multiple crypto wallets.  The fear though, now that a proven tactic for lifting AWS credentials is out in the wild, is that misconfigured cloud accounts will become prime targets for widespread illicit cloud mining.

SMBs make attractive targets, too

Hackers aren’t just launching cloudjacking attacks specifically against storage systems and development tools. As with other attack tactics, they often see MSPs and small and medium-sized businesses (SMBs) as attractive targets as well.

“Several attacks in the first and second quarters of 2019 involved bad actors hijacking multiple managed service providers,” says Moffitt. “We saw that with Sodonakibi and GrandCrab. The same principles apply here. Hacking a central, cloud-based property allows attackers to hit dozens and potentially hundreds of victims all at once.”

Because smaller businesses typically share their cloud infrastructure with other small businesses, compromising cloud infrastructure can provide cybercriminals with a trove of data belonging to several concerned owners.

“The cloud offers an attractive aggregation point as it allows attackers access to a much larger concentration of victims. Gaining access to a single Amazon web server, for instance, could allow threat actors to steal and encrypt data belonging to dozens of companies renting space on that server hostage,” says Moffitt. 

High-value targets include confidential information like mission-critical data, trade secrets, unencrypted tax information or customer information that, if released, would violate privacy laws like GDPR and CCPA.

Some years ago, smaller businesses may have escaped these cloud compromises without too much disruption. Today, the data and services stored or run through the cloud are critical to the day-to-day even for SMBs. Many businesses would be simply crippled should they lost access to public or private cloud assets.

The pressure to pay a ransom, therefore, is significantly higher than it was even three years ago. But ransoms aren’t the only way for malicious actors to monetize their efforts. With cloud mining, they can get right to work making cryptocurrency while evading notice for as long as possible.

How to protect against cloudjacking and cloud mining

Moffitt recommends using “versioning” to guard against cloudjacking attacks. Versioning is the practice of serializing unalterable backups to prevent them from being deleted or manipulated.

 “That means not just having snapshot or history copies—that’s pretty standard—since with ransomware we’ve seen actors encrypt all of those copies. So, my suggestion is creating immutable backups. It’s called versioning, but these are essentially snapshot copies that can never be edited or encrypted.”

Moffitt says many service providers have this capability, but it may not be the default and need to be switched on manually.

Two more tactics to adopt to defend against cloud jacking involve monitoring your configurations and monitor your network traffic. As we’ve seen, capitalizing on misconfigured AWS infrastructure is one of the more common ways for cybercriminals to disrupt cloud services.

Security oversight of devops teams setting up cloud applications is crucial. There are tools available that can automatically discover resources as soon as they’re created, determine the applications running on the resource and apply appropriate policies based on the resource type.

By monitoring network traffic and correlating it with configuration data, companies are able to spot suspicious network traffic being generated as they send work or hashes to public mining pools that are public and could help identify where mining is being directed. 

There tends to be a learning curve when defending against emerging attacks. But if businesses are aware of how cloud resources are manipulated by threat actors, they can be on guard against cloudjacking by taking a few simple steps, increasing their overall cyber resilience.

The post Getting to Know Cloudjacking and Cloud Mining Could Save Your Business appeared first on Webroot Blog.

CVE-2020-17051: Remote kernel heap overflow in NFSv3 Windows Server

CVSS Score: 9.8 

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C 

Overview 

Microsoft released a patch today for a critical vulnerability (CVE-2020-17051) in the Windows NFSv3 (Network File System) server. NFS is typically used in heterogenous environments of Windows and Unix/Linux for file sharing. The vulnerability can be reproduced to cause an immediate BSOD (Blue Screen of Death) within the nfssvr.sys driver. Interestingly, the November patches from Microsoft also include a remote kernel data read vulnerability in the same nfssvr.sys driver (CVE-2020-17056), which leads to a potential ASLR (address space layout randomizationbypass. The combination of these two vulnerabilities dramatically increases the likelihood of a remote exploit when used on Windows Server to bypass exploit mitigations.  CVE-2020-17051 is the first known vulnerability which has been disclosed within the Windows implementation of the NFSv3 protocol to the best of our knowledge.  

Threat Surface 

The vulnerability is believed to impact all versions of Windows Server when: 

  1. An authenticated user has write access to any NFS share. 
  2. An NFS share has been configured with anonymous write access (no authentication required) 

A Shodan query reported 38,893 servers with port 2049 exposed to the internet; however, it is unknown what percentage of these servers are actually NFS shares and actuallconfigured with anonymous write access. The network share discovery technique is typically used by an adversary within the discovery phase of the MITRE ATT&CK framework with the objective to gain further privileges. CVE-2020-17051 would give adversaries the ability to spread wormlike within heterogenous Windows and Unix/Linux environments using anonymous write access file shares over NFSv3. 

Mitigation 

Patching is always the first and most effective course of action. If it’s not possible to patch, the best mitigation is to limit Windows NFSv3 server share write access internally and block any external access to vulnerable servers. For those McAfee customers who are unable to deploy the Windows patch, the following Network Security Platform (NSP) signatures will provide a virtual patch against attempted exploitation of this vulnerability. 

NSP Attack ID: 0x40c01200 – NFS Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051) 

The post CVE-2020-17051: Remote kernel heap overflow in NFSv3 Windows Server appeared first on McAfee Blogs.

Honoring Our Brave Military Veterans from the McAfee Community

Paying Tribute

November 11 marks Veterans Day and Remembrance Day. It is a time for us to come together and honor the brave men and women who have risked their lives to protect our nations.

We pay tribute to those who have served in the U.S. military during Veterans Day. In the Commonwealth countries, we honor military members through Remembrance Day, a day to remember those who have passed on in the line of duty.

At McAfee, we’re proud to work with our veterans! They’ve served and protected our countries and today, they protect all that matters at McAfee.

To honor their sacrifice, we asked McAfee veterans to share throwback photos from their days of service or photos with loved ones in service. Check them out!

 

Thoughts from our veteran community
This Veterans Day, members from our McAfee Veterans Community share what this day means to them:

This day reminds me of the people I worked with and the difference we made. It’s the people who volunteer to serve in the military, sacrificing years of their lives, and in some cases, their very lives, who guard and protect the freedoms guaranteed by the Constitution. All military personnel take an oath that, in part, says, ‘I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same.’ This oath doesn’t expire when a service member leaves military service.

Andrew, Senior Service Reliability Engineer, Cloud

 

This day is the day we honor the silver haired guy in a Prius with a Silver Star license plate or the quiet thirty something mom in the store with her noisy kids wearing the Marine-Corps T-shirt with two tours in Afghanistan under her belt.. Not everyone was a Delta operative or a Navy SEAL. They all however – to a man and woman – had their place in the system that kept us safe. Find them; thank them for their service and your freedom.” 

–  Kevin, Customer Success Manager, CSG

 

I will never stop being Ex Armed Forces. I think fondly of my time in the Royal Navy. I would do it all again in a heartbeat. I still get a lump in my throat when I hear “Heart of Oak” or the “The Last Post” being played. The friends I made and the people I met during my service from all countries and all parts of the Armed Forces, friend or foe, all have a similar vein running through them. Remembrance Day reminds me that while some of us are not here anymore, that vein is still with us and them.

– Paul, Associate Technical Support Engineer, Customer Success Group

 

My family has a history of service and I grew up knowing I would join the Military. I joined the Royal Navy in 1982 at age 18. I’m proud to have served and I will continue to observe the 1 minute silence and attend the remembrance service and take the time to remember the sacrifice. Lest we not forget. For those brave who gave their lives so we could live ours.” 

– Tudor,  Sr. Project Manager – New Product Information, Global Product Operations

 

We continue to make strides in actively recruiting veterans and nurturing career growth by empowering the transferable skills from active duty. Join us!

 

Search Career Opportunities with McAfee

Interested in joining our team? We’re hiring! Apply now.

Stay Connected

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

 

 

The post Honoring Our Brave Military Veterans from the McAfee Community appeared first on McAfee Blogs.

Ransomware Group Turns to Facebook Ads

It’s bad enough that many ransomware gangs now have blogs where they publish data stolen from companies that refuse to make an extortion payment. Now, one crime group has started using hacked Facebook accounts to run ads publicly pressuring their ransomware victims into paying up.

On the evening of Monday, Nov. 9, an ad campaign apparently taken out by the Ragnar Locker Team began appearing on Facebook. The ad was designed to turn the screws to the Italian beverage vendor Campari Group, which acknowledged on Nov. 3 that its computer systems had been sidelined by a malware attack.

On Nov. 6, Campari issued a follow-up statement saying “at this stage, we cannot completely exclude that some personal and business data has been taken.”

“This is ridiculous and looks like a big fat lie,” reads the Facebook ad campaign from the Ragnar crime group. “We can confirm that confidential data was stolen and we talking about huge volume of data.”

The ad went on to say Ragnar Locker Team had offloaded two terabytes of information and would give the Italian firm until 6 p.m. EST today (Nov. 10) to negotiate an extortion payment in exchange for a promise not to publish the stolen files.

The Facebook ad blitz was paid for by Hodson Event Entertainment, an account tied to Chris Hodson, a deejay based in Chicago. Contacted by KrebsOnSecurity, Hodson said his Facebook account indeed was hacked, and that the attackers had budgeted $500 for the entire campaign.

“I thought I had two-step verification turned on for all my accounts, but now it looks like the only one I didn’t have it set for was Facebook,” Hodson said.

Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents. Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.

The results of the unauthorized Facebook ad campaign. Image: Chris Hodson.

It’s not clear whether this was an isolated incident, or whether the fraudsters also ran ads using other hacked Facebook accounts. A spokesperson for Facebook said the company is still investigating the incident. A request for comment sent via email to Campari’s media relations team was returned as undeliverable.

But it seems likely we will continue to see more of this and other mainstream advertising efforts by ransomware groups going forward, even if victims really have no expectation that paying an extortion demand will result in criminals actually deleting or not otherwise using stolen data.

Fabian Wosar, chief technology officer at computer security firm Emsisoft, said some ransomware groups have become especially aggressive of late in pressuring their victims to pay up.

“They have also started to call victims,” Wosar said. “They’re outsourcing to Indian call centers, who call victims asking when they are going to pay or have their data leaked.”

Cisco Secure Workload (Tetration) expands microsegmentation and workload security capabilities

Cisco Secure Workload (Tetration) release 3.4 expands support for micro-segmentation, workload and container security

Cisco Secure Workload, (formerly Tetration) a leader in micro-segmentation and workload security, announces significant new enhancements, available now, that help security architects achieve the protection required for today’s heterogeneous multi-cloud environments.

One of the key challenge’s businesses face is how to provide a secure infrastructure for applications without compromising business agility.  With the rise of cloud usage, containers and microservices architectures, you need a solution that brings security closer to your applications using a new firewall type of enforcement that surrounds each workload.  Many companies like Per Mar Security Services choose Tetration to be the foundation of their zero-trust and broader cybersecurity plan, protecting their critical applications from compromise.

This latest Cisco Secure Workload release includes features that support new microsegmentation capabilities, workload protection, sensor support for new operating system versions, platform features required for enterprise customers and much more.

Enhancements include:

Microsegmentation:

Enhanced usability and management of microsegmentation.  Granular control to specify which workloads should receive what policy elements, making policy definition, generation, and enforcement much more flexible and customizable to your environment

Latest versions and enhancements across Kubernetes and OpenShift orchestration platforms and support for microsegmentation policy enforcement on ingress controllers such as HAProxy or Nginx .

Application dependency mapping updates to speed policy generation.  (ADM offers forensic understanding of applications/workloads and their complex interdependencies)

Compromised state awareness: alerting/ policy changes after a workload or endpoint is detected as compromised with flows to a known threat.

Workload Protection:

Enhanced vulnerability detection that leverages, in addition to NIST CVE (Common Vulnerabilities and Exposures) database, the latest threat intelligence from Operating System vendors to ensure accuracy and the most up to date risk profile for applications in your environment.   

New MITRE-based attack detection techniques and tactics plus several new anomalous Windows processes alerts.

Usability and operational improvements

New and improved user interface to better visualize and manage application scopes, workloads that are part of those applications and associated hierarchies.

Improved visualization of policy version differences to easily understand what rules were added or removed and also filter for specific rules based on number of parameters.

Resiliency features including new mode of continuous data backup, new backup and restore workflows, the Federation of multiple Tetration clusters for a high degree of scalability and availability.

Software sensors:

OS updates: Support for the latest versions of key operating systems our customers care about (RHEL, CentOS, Oracle Linux, Ubuntu, plus added support for IBM AIX for legacy applications in key verticals like healthcare and financials.

Easily transition from deep visibility to policy enforcement to speed the time to microsegmentation

Enhanced monitoring and management features for better sensor visibility and usability in key areas like monitoring, installation, upgrade status.

3rd Party Ecosystem Partners

ServiceNow CMDB integration for ingesting CI (Configuration Item) attributes to provide more context to help define inventory filters, tag workloads, define policies, and visualize flow traffic.

Native support for Workload AD (Windows Domain Controller) for rich user and workload context to enhance policy definition, inventory filters and visualize flow traffic.

 

For a comprehensive list of all the features in this release, please visit:  

https://www.cisco.com/c/en/us/td/docs/security/workload_security/tetration-analytics/sw/release-notes/cta_rn_3_4_1_1.html

To learn more, please visit: https://www.cisco.com/c/en/us/products/security/tetration/index.html

How CASB and EDR Protect Federal Agencies in the Age of Work from Home

Malicious actors are increasingly taking advantage of the burgeoning at-home workforce and expanding use of cloud services to deliver malware and gain access to sensitive data. According to an Analysis Report (AR20-268A) from the Cybersecurity and Infrastructure Security Agency (CISA), this new normal work environment has put federal agencies at  risk of falling victim to cyber-attacks that exploit their use of Microsoft Office 365 (O365) and misuse their VPN remote access services.

McAfee’s global network of over a billion threat sensors affords its threat researchers the unique advantage of being able to thoroughly analyze dozens of cyber-attacks of this kind. Based on this analysis, McAfee supports CISA’s recommendations to help prevent adversaries from successfully establishing persistence in agencies’ networks, executing malware, and exfiltrating data. However, McAfee also asserts that the nature of this environment demands that additional countermeasures be implemented to quickly detect, block and respond to exploits originating from authorized cloud services.

Read on to learn from McAfee’s analysis of these attacks and understand how federal agencies can use cloud access security broker (CASB) and endpoint threat detection and response (EDR) solutions to detect and mitigate such attacks before they have a chance to inflict serious damage upon their organizations.

The Anatomy of a Cloud Services Attack

McAfee’s analysis supports CISA’s findings that adversaries frequently attempt to gain access to organizations’ networks by obtaining valid access credentials for multiple users’ O365 accounts and domain administrator accounts, often via vulnerabilities in unpatched VPN servers. The threat actor will then use the credentials to log into a user’s O365 account from an anomalous IP address, browse pages on SharePoint sites, and then attempt to download content. Next, the cyberthreat actor would connect multiple times from a different IP address to the agency’s Virtual Private Network (VPN) server, and eventually connect successfully.

Once inside the network, the attacker could:

  • Begin performing discovery and enumerating the network
  • Establish persistence in the network
  • Execute local command line processes and multi-stage malware on a file server
  • Exfiltrate data

Basic SOC Best Practices

McAfee’s comprehensive analysis of these attacks supports CISA’s proposed  best practices to prevent or mitigate such cyber-attacks. These recommendations include:

  • Hardening account credentials with multi-factor authentication,
  • Implementing the principle of “least privilege” for data access,
  • Monitoring network traffic for unusual activity,
  • Patching early and often.

While these recommendations provide a solid foundation for a strong cybersecurity program, these controls by themselves may not go far enough to prevent more sophisticated adversaries from exploiting and weaponizing cloud services to gain a foothold within an enterprise.

Why Best Practices Should Include CASB and EDR

Organizations will gain a running start to identifying and thwarting the attacks in question by implementing a full-featured CASB such as McAfee MVISION Cloud, and an advanced EDR solution, such as McAfee MVISION Endpoint Threat Detection and Response.

Deploying MVISION Cloud for Office 365 enables agencies’ SOC analysts to assert greater control over their data and user activity in Office 365—control that can hasten identification of compromised accounts and resolution of threats. MVISION Cloud takes note of all user and administrative activity occurring within cloud services and compares it to a threshold based either on the user’s specific behavior or the norm for the entire organization. If an activity exceeds the threshold, it generates an anomaly notification. For instance, using geo-location analytics to visualize global access patterns, MVISION Cloud can immediately alert agency analysts to anomalies such as instances of Office 365 access originating from IP addresses located in atypical geographic areas.

When specific anomalies appear concurrently—e.g., a Brute Force anomaly and an unusual Data Access event—MVISION Cloud automatically generates a Threat. In the attacks McAfee analyzed, Threats would have been generated early on since the CASB’s user behavior analytics would have identified the cyber actor’s various activities as suspicious. Using MVISION Cloud’s activity monitoring dashboard and built-in audit trail of all user and administrator activities, SOC analysts can detect and analyze anomalous behaviors across multiple dimensions to more rapidly understand what exactly is occurring when and to what systems—and whether an incident concerns a compromised account, insider threat, privileged user threat, and/or malware—to shrink the gap to remediation.

In addition, with MVISION Cloud, an agency security analyst can clearly see how each cloud security incident maps to MITRE ATT&CK tactics and techniques, which not only accelerates the entire forensics process but also allows security managers to defend against similar attacks with greater precision in the future.

Figure 1. Executed Threat View within McAfee MVISION Cloud

 

Figure 2. Gap Analysis & Investigations – McAfee MVISION Cloud Policy Recommendations

 

Furthermore, using MVISION Cloud for Office 365, agencies can create and enforce policies that prevent the uploading of sensitive data to Office 365 or downloading of sensitive data to unmanaged devices. With such policies in place, an attacker’s attempt to exfiltrate sensitive data will be mitigated.

In addition to deploying a CASB, implementing an EDR solution like McAfee MVISION EDR to monitor endpoints centrally and continuously—including remote devices—helps organizations defend themselves from such attacks. With MVISION EDR, agency SOC analysts have at their fingertips advanced analytics and visualizations that broaden detection of unusual behavior and anomalies on the endpoint. They are also able to grasp the implications of alerts more quickly since the information is presented in a format that reduces noise and simplifies investigation—so much so that even novice analysts can analyze at a higher level. AI-guided investigations within the solution can also provide further insights into attacks.

Figure 3. MITRE ATT&CK Alignment for Detection within McAfee MVISION EDR

With a threat landscape that is constantly evolving and attack surfaces that continue to expand with increased use of the cloud, it is now more important than ever to embrace CASB and EDR solutions. They have become critical tools to actively defend today’s government agencies and other large enterprises.

Learn more about the cloud-native, unified McAfee MVISION product family. Get your questions answered by tweeting @McAfee

The post How CASB and EDR Protect Federal Agencies in the Age of Work from Home appeared first on McAfee Blogs.

In the Financial Services Industry, 74% of Apps Have Security Flaws

Over the past year, the financial services industry has been challenged with pivoting its operations to a fully digital model, putting the security of its software center stage. Despite the unanticipated pivot, our recent State of Software Security v11 (SOSS) report found that the financial services industry has the smallest proportion of applications with security flaws compared to other sectors, along with the second-lowest prevalence of severe security flaws, and the best security flaw fix rate.

Financial services chart SOSS

But despite the impressive fix rate, the financial services industry is falling behind when it comes to the time to make those fixes. This is a troubling finding because speed matters in application security. The time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in days, sometimes even hours. Letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, it was merely days between disclosure and exploitation of the vulnerability in the Apache Struts framework that led to theツ?Equifax breach.

By looking at the data, the reason for the delay in remediation becomes more clear. In the financial services sector, applications tend to be older than those in other industry sectors and the organizations are fairly large. Combined with these challenging factors, developers and security professionals in this industry aren???t regularly employing best practices consistent with DevSecOps and known to improve fix rates, such as scanning for security both frequently and regularly and using more than one testing type.

Nature vs Nurture

What does this mean for the financial services industry? The data suggests that for many financial services firms, developers face a challenging environment, with the adoption of additional DevSecOps practices showing the most opportunity for improvement in addressing security flaws.

And while talking about flaws, it???s worth noting that the most common security flaws in the financial services industry are information leakage, code quality, and CRLF injection. Injection flaws are especially important to keep an eye on since they???re the top web application security risk according to OWASP Top 10. On a positive note, the industry has lower than average cryptography, input validation, Cross-Site Scripting, and credentials management flaws.

For more information on software security trends in the financial services industry, check out The State of Software Security Industry Snapshot.

Extend data loss prevention to your devices with Microsoft Endpoint Data Loss Prevention, now generally available

Microsoft Endpoint Data Loss Prevention

Endpoint Data Loss Prevention (DLP) | What it is and how to set it up in Microsoft 365.

Watch today

Managing and protecting data is critical to any organization. Data is growing exponentially, and remote work is making it even harder to manage risks around data. In fact, a recent Microsoft survey of security and compliance decision-makers found that data leaks are the top concern in remote and hybrid work scenarios.

To help our customers to address this challenge, today we are excited to announce the general availability of Microsoft Endpoint Data Loss Prevention (DLP).

A unified approach to data loss prevention

At Microsoft, we have long invested in developing information protection solutions for our customers. Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party SaaS applications, and more—on premises or in the cloud. This unified data loss prevention approach provides simplicity, enabling you to set a DLP policy once and have it enforced across services, devices, and first-and third-party apps.

Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints. It’s built into Windows 10, the Microsoft 365 Apps, and Microsoft Edge—without the need to deploy additional software on the device, which eliminates friction and makes it far easier to have visibility into your data. For users, it ensures security, without compromising productivity. Endpoint DLP provides policy tips to help educate users when they are about to violate a policy. It’s also integrated with Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection), which can help you prioritize incident response based on additional factors.

New capabilities based on public preview feedback

With the general availability today, we’re happy to share that we’ve added additional capabilities as a part of the public preview program based on valuable feedback from our customers.

Last month, we also announced the addition of integration of unified data loss prevention with Microsoft Cloud App Security (MCAS) in public preview, allowing you to extend data protection to non-Microsoft cloud apps. For example, say a user is trying to share a document in a third-party app on his or her mobile device. Because Microsoft Cloud App Security helps protect cloud apps, the same DLP policy will be triggered, both the end-user and the admin will receive a notification, and in this case, the link will be automatically disabled.

In addition, we heard feedback from some of you that you’d like to be able to leverage your existing security investments. Endpoint DLP integrates with Microsoft Defender for Endpoint, but it is also compatible with most anti-virus software, which enables you to have a choice and extend the investments you’ve already made.

Today’s general availability announcement is only the beginning. We are also excited to announce some new capabilities going into preview today:

  • Sensitivity labels are now included as a condition for Microsoft Data Loss Prevention (DLP) policies. This lets you define new enforcement actions and locations within Endpoint DLP that take into account the sensitivity context of information to better meet protection requirements.

Using sensitivity labeling as a condition of a policy in Endpoint DLP.

Figure 1: Using sensitivity labeling as a condition of a policy in Endpoint DLP.

  • A new dashboard within Microsoft 365 compliance center helps you to manage DLP alerts. Alerts provide details about DLP events—including the sensitive information types detected in the content, confidence score rating, and event count—to help DLP reviewers quickly identify high-risk events so they can more effectively triage and remediate events.

Data loss prevention event alerts show in the new dashboard in Microsoft 365 compliance center.

Figure 2: Data loss prevention event alerts show in the new dashboard in Microsoft 365 compliance center.

  • New conditions and exceptions announced in public preview enhance the already existing predicate capabilities in DLP. Mail flow predicates provide a high degree of flexibility to configure the applicable ‘include’ and ‘exclude’ conditions in DLP policies to ensure that specific policies are applied to emails that only match the defined conditions.

New conditions and exceptions you can extend to your DLP policies to email messages.

Figure 3: New conditions and exceptions you can extend to your DLP policies to email messages.

You can learn a lot more about these new public preview capabilities in the TechCommunity blog.

Protecting your data

We continue to invest in providing you with the tools and visibility you need to help to protect your most precious asset – your data.

Endpoint DLP general availability will start rolling out to customers’ tenants in Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance starting today. Learn more about Endpoint DLP by reading the TechCommunity blog and visiting our documentation. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Extend data loss prevention to your devices with Microsoft Endpoint Data Loss Prevention, now generally available appeared first on Microsoft Security.

Coffee Briefing, November 10, 2020 – Dell EMC Ready Solutions get a facelift, MSPs talk Azure, and more

Dell EMC Ready Solutions get a facelift, MSPs talk Azure, and more in today's Coffee Briefing.

The post Coffee Briefing, November 10, 2020 - Dell EMC Ready Solutions get a facelift, MSPs talk Azure, and more first appeared on IT World Canada.

SECURITY ALERT: New Norwegian Campaign of Scam Phone Calls (Impersonating Microsoft)

A new Norwegian campaign of scam phone calls has been spotted, along with a rise in malicious phone calls from hackers claiming to be Microsoft support representatives. The usual scheme of such phone calls is simple: the would-be hackers call you from a legitimate-looking number (not hidden or concealed in any way) and afterward attempt […]

The post SECURITY ALERT: New Norwegian Campaign of Scam Phone Calls (Impersonating Microsoft) appeared first on Heimdal Security Blog.

2020 Was a Secure Election

Over at Lawfare: “2020 Is An Election Security Success Story (So Far).”

What’s more, the voting itself was remarkably smooth. It was only a few months ago that professionals and analysts who monitor election administration were alarmed at how badly unprepared the country was for voting during a pandemic. Some of the primaries were disasters. There were not clear rules in many states for voting by mail or sufficient opportunities for voting early. There was an acute shortage of poll workers. Yet the United States saw unprecedented turnout over the last few weeks. Many states handled voting by mail and early voting impressively and huge numbers of volunteers turned up to work the polls. Large amounts of litigation before the election clarified the rules in every state. And for all the president’s griping about the counting of votes, it has been orderly and apparently without significant incident. The result was that, in the midst of a pandemic that has killed 230,000 Americans, record numbers of Americans voted­ — and voted by mail — ­and those votes are almost all counted at this stage.

On the cybersecurity front, there is even more good news. Most significantly, there was no serious effort to target voting infrastructure. After voting concluded, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, released a statement, saying that “after millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies.” Krebs pledged to “remain vigilant for any attempts by foreign actors to target or disrupt the ongoing vote counting and final certification of results,” and no reports have emerged of threats to tabulation and certification processes.

A good summary.

Ukrainian Gets 9 Years in Prison for Trying to Steal $10M from Microsoft

A Ukrainian citizen received a nine-year prison sentence for a scheme in which he tried to steal $10 million from Microsoft. On November 9, the U.S. District Court in Seattle handed down the sentence to Volodymyr Kvashuk, 26, a Ukrainian citizen who was residing in Renton, Washington. According to court documents, Kvashuk used to work […]… Read More

The post Ukrainian Gets 9 Years in Prison for Trying to Steal $10M from Microsoft appeared first on The State of Security.

One Step Beyond: Using Threat Hunting to Anticipate the Unknown

Article by Paul German, CEO, Certes Networks

A cyber threat could be lurking in any corner of an organisation’s infrastructure. The complex networks encompassing numerous smart and interconnected technologies make it easy for cybercriminals to hide, but much harder for them to be found.

Yet, waiting for a cyber threat to make an appearance is far too dangerous; if left undetected, a cybercriminal could stay in an organisation’s network for years - and just think of the damage that could be caused. To combat this, threat hunting is now an essential component of any cybersecurity strategy. Rather than waiting for a hacker to make themselves known, threat hunting involves constantly and proactively searching for the threats hiding within a system, working on the assumption that a cyber hacker is ever-present and looking for signs of unusual activity before it even occurs.

But how does threat hunting work in practice, and how can the approach ensure an organisation’s data is kept safe? Why a proactive approach to cybersecurity is essential at a time when the threat has never been more severe.
 Anticipating the unknown is the only way to stay ahead of hackers

The Need for Observability 
Today’s networks are complex, presenting numerous places for a cyber hacker to hide. And unfortunately, it’s not uncommon for infiltrations to go undetected in networks for days, weeks or months. In fact, a recent report shows that it takes organisations an average of 280 days to identify and contain a data breach, but organisations can’t afford to wait this long. In this time, a cyber hacker can be travelling through the network, infiltrating systems and stealing information, making an organisation’s data increasingly vulnerable.

And the length of time can even be longer than this; in the 2018 Marriott International data breach, hackers were accessing the network for over four years before they were discovered, which resulted in the records of 339 million guests being exposed. The hotel chain then suffered a second data breach this year after cybercriminals had been in the network for over one month, impacting approximately 5.2 million guests.

So, what needs to change? It is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without 24/7/365 managed detection and response (MDR) tools for proactive threat hunting that uses event monitoring logs, automated use case data, contextual analysis, incident alerting and response and applying tactics, techniques and procedures (TTPs) to identify issues that improve an organisation’s security posture.

Anticipating the Unknown
When anticipating the unknown, cybersecurity analytics tools can capture data and detect evasive and malicious activity, wherever they are in the network in real-time. Generating fine-grained policies and enforcing these is one step security teams can take to proactively detect and remediate malicious activity immediately. With policy enforcement, attackers will have a hard time attempting to make lateral ‘east-west’ movements or remaining hidden in any part of the network, as the security team will be able to see inside the network and protect against threats across all attack surfaces across all manged endpoints with a unified multi-layer approach. This includes policy generation and enforcement MDR tools that can provide greater insight into the overall reliability, impact and success of network systems, their workload and their behaviour to identify threats and proactively respond and protect assets. 

In reality, this means that security teams can take measurable steps towards controlling system access of the network environment; knowing who is in the network, who should be able to access what data and which applications, and being the first to detect indicators of compromise (IOC).

Ahead of the Game
Threat hunting is a way to stay one step ahead of cybercriminals. Organisations no longer have to wait to be alerted of a data breach before taking action; today it is essential to have a complete picture of the entire network in real-time, including extending these capabilities to teleworkers, so that unusual activity can be identified and halted immediately before any damage occurs. With strong MDR tools at the core, organisations can ensure a strong and effective security posture based on anticipating the unknown, clear visibility into vulnerabilities that pose the biggest threat and identifying barriers that prevent successful tracking and remediation.

Cyberthreats are on the rise; do you know where they’re coming from and how to protect against them?

By Kevin Magee, Chief Security and Compliance Officer for Microsoft Canada 2020 has brought about major disruptions to both our physical and digital worlds. It has also enabled unprecedented acceleration of digital transformation that will have long reaching and beneficial effects on how we work, where we work and what kind of work we do.…

The post Cyberthreats are on the rise; do you know where they’re coming from and how to protect against them? first appeared on IT World Canada.

Hashtag Trending – Tim Berners-Lee’s new idea; SpaceX makes moves in Canada; Shifts in shopping behaviour

How would you feel about being in full control of your data? Space X is moving closer to delivering high-speed internet in rural Canadian areas, and supermarkets are experiencing a major shift for shopping behaviour amidst the pandemic.

The post Hashtag Trending - Tim Berners-Lee's new idea; SpaceX makes moves in Canada; Shifts in shopping behaviour first appeared on IT World Canada.

Watch Out! New Android Banking Trojan Steals From 112 Financial Apps

Four months after security researchers uncovered a "Tetrade" of four Brazilian banking Trojans targeting financial institutions in Brazil, Latin America, and Europe, new findings show that the criminals behind the operation have expanded their tactics to infect mobile devices with spyware. According to Kaspersky's Global Research and Analysis Team (GReAT), the Brazil-based threat group Guildma