Author Archives: Dean Alvarez

Russian hackers can breach UK security systems warns GCHQ

Britain’s security services cannot offer “absolute protection” against Russian hackers, a top spy has warned. GCHQ cyber defence chief Ciaran Martin warned that it is a matter of “when not if” the UK suffers a “serious cyber attack”. He claimed spooks are now battling to stop attacks that “most impact on our way of life” instead of trying to prevent every breach. Mr Martin – who heads the National Cyber Security Centre – told the Daily Telegraph that “services can be disrupted” by Putin’s crack hacking squads. He wrote: “Turning off the lights and the power supply by cyber attack is harder than Hollywood films sometimes make out.”


ORIGINAL SOURCE: The Sun

The post Russian hackers can breach UK security systems warns GCHQ appeared first on IT SECURITY GURU.

SunTrust Bank employee steals data of 1.5 million customers

US-based SunTrust Bank said it is working with law enforcement after it discovered that a former employee had stolen private information belonging to nearly 1.5 million customers. “In conjunction with law enforcement, we discovered that a former employee while employed at SunTrust may have attempted to print information on approximately 1.5 million clients and share this information with a criminal third party,” SunTrust CEO William Rogers said in a press conference on Friday.


ORIGINAL SOURCE: Bleeping Computer


Cybersecurity PR Agency Eskenzi honoured with the Queen’s Award for Enterprise 2018

The cybersecurity industry is being treated to a rare regal flare, as Eskenzi PR and Marketing is presented with the Queen’s Award for Enterprise 2018. Eskenzi PR Ltd is a specialist agency, working closely with the very best cyber security companies in the world, including those coming out of Israel, Silicon Valley, Europe and of course, the UK. The agency represents over 25 companies, working with many leading vendors in cyber including Airbus Cybersecurity, Imperva, ESET and AlienVault.

Eskenzi has been in business for over twenty years, working with cyber security companies all over the world, to raise awareness of security issues organisations face and the cutting-edge technology available to thwart cyber-attacks.  This award comes at a time when the government is paying particular focus in this area, having recently launched its strategy to support the export of cyber security technology.

The Queen’s Awards for Enterprise are the UK’s most prestigious business awards, recognising and celebrating business excellence across the UK. This year it has been given to just 152 companies for overseas trade and international growth.

Yvonne Eskenzi, Co-Founder at Eskenzi PR said: “The Queen’s Award is the highest accolade that any British company can achieve. For us, it is recognition of the contribution and hard work we, as an agency, deliver in the cyber security sphere. We’re proud to say we’ve been in the space, from the start, working tirelessly to highlight cyber security challenges organisations face daily, and promoting the technologies that help strengthen their defences. Over twenty years ago we helped to launch Infosecurity Europe – a cyber security exhibition held annually in London; it was a subject few outside of the sector understood, or even knew existed. Today it’s front page news and being debated during board meetings and at dinner parties around the world. I’m especially proud that we have won the Award for all our work overseas, recognising Eskenzi PR as the go-to international PR agency for Cyber Security.”

By investing in technology, Eskenzi PR has the tools needed to ensure it remains one step ahead of its competitors, enabling the agency to grow quickly across the UK, France, Germany, Benelux, The Nordics, and, most importantly, the USA.

In choosing the winners of this award, the Queen is advised by the Prime Minister, who is assisted by an advisory committee including the government, industry and commerce, and trade unions. Successful organisations may fly the Queen’s Award flag at their principal premises and are entitled to use the emblem on their stationery, advertising and goods. A corporate award is valid for five years. Additionally, the Queen hosts a reception at Buckingham Palace for representatives of Eskenzi PR.

The two co-founders of Eskenzi PR – Yvonne Eskenzi and Neil Stinchcombe, who are a husband and wife team, will attend a reception at Buckingham Palace to meet HRH The Prince of Wales and other winners on 28th June.


Adobe Flash on its way out

Less than 5% of worldwide websites use Flash, new information has revealed, with most websites favouring JavaScript for running features. Flash is used most commonly on Google websites, although there are some others, such as 6rrb.net, Monabrat.org and Intourist, also using it. Recently, Slate.com and Wappalyzer.com have started using the tech, according to technology usage survey site W3Techs, which seems a rather counterintuitive move as pretty much every other website has stopped using it.


ORIGINAL SOURCE: IT Pro


Positive Technologies uncovers critical vulnerabilities in APC uninterrupted power supplies

Positive Technologies experts Ilya Karpov, Evgeny Druzhinin, and Stephen Nosov have discovered four vulnerabilities in management cards for APC by Schneider Electric hardware. These uninterruptible power supply (UPS) units are used in various sectors. Two of the vulnerabilities received the maximum possible CVSS v3 score of 10, indicating a very high degree of risk.

Security issues were found in APC MGE SNMP/Web Card Transverse 66074 management cards, which are present in several series of UPS units: Galaxy 5000/6000/9000, EPS 7000/8000/6000, Comet UPS/3000, Galaxy PW/3000/4000, and STS (Upsilon and Epsilon).[1]


The first vulnerability, CVE-2018-7243 (score 10), in the built-in web server (port 80/443/TCP) allows a remote attacker to bypass the authentication system and obtain full administrative access to the UPS, which jeopardizes the continued uptime of equipment connected to electrical power.


Schneider Electric recommends replacing vulnerable management cards with NMC kit G5K9635CH on the Galaxy 5000, Galaxy 6000, and Galaxy 9000. For the MGE EPS 7000 and MGE EPS 8000, the vendor recommends installing NMC kit G9KEPS9635CH. For other affected units, no replacement cards are available. The vendor also recommends following cybersecurity best practices in order to minimize risks.


The second vulnerability found in the built-in web server (port 80/443/TCP) enables an attacker to obtain sensitive information about the UPS unit (CVE-2018-7244, score 5.3).


Exploitation of the third vulnerability (CVE-2018-7245, score 7.3) can result in an unauthorized user changing the settings of the device, including disabling parameters. To address these two vulnerabilities, users must, on the access control page, enable authentication for all HTML pages (this can be selected by the user during initial setup of the UPS).

With the fourth vulnerability (CVE-2018-7246, score 10), a remote attacker can intercept administrator account credentials. If SSL is not activated on the UPS, account credentials are sent in cleartext when the access control page is requested. The vendor advises specifying SSL as the default mode and applying special precautions to limit access to administration interfaces, such as by using Modbus RTU in combination with a Modbus/SNMP gateway.
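The two remediation points above, authentication for every HTML page and SSL as the default mode, are things a defender can verify from the network side. The following is an added example, not code from Positive Technologies or Schneider Electric, that audits constructed observations of traffic to a UPS management card's web interface: it flags Basic credentials sent without TLS (the condition behind CVE-2018-7246), pages returned with 200 and no Authorization header (what enabling authentication for all pages is meant to stop), and access from outside an assumed management subnet (10.0.5.0/24, an assumption for the example). The sample requests, host names and credentials are constructed.

```python
import base64
from dataclasses import dataclass

# Constructed observations of traffic to a UPS management card's web interface,
# as a network sensor on the management VLAN might record them. Each tuple is
# (src_ip, dst_ip, dst_port, tls, raw_request, response_status). Not real captures.
SAMPLE_OBSERVATIONS = [
    # administrator login over plain HTTP: the Basic header is only base64, i.e. cleartext
    ("10.0.5.23", "10.0.7.10", 80, False,
     "GET /accesscontrol.htm HTTP/1.1\r\nHost: ups-01\r\nAuthorization: Basic "
     + base64.b64encode(b"admin:Secret1").decode() + "\r\n\r\n", 200),
    # the same page over TLS: the sensor sees a TLS session and no request headers
    ("10.0.5.23", "10.0.7.10", 443, True, "", None),
    # a status page served (200) with no credentials, to a host outside the management subnet
    ("203.0.113.9", "10.0.7.10", 80, False,
     "GET /status.htm HTTP/1.1\r\nHost: ups-01\r\n\r\n", 200),
    # an unauthenticated request that is correctly challenged (401): expected, not a finding
    ("10.0.5.40", "10.0.7.10", 80, False,
     "GET /admin.htm HTTP/1.1\r\nHost: ups-01\r\n\r\n", 401),
]

MGMT_SUBNET_PREFIX = "10.0.5."   # assumption: only 10.0.5.0/24 may reach UPS management interfaces


@dataclass
class Finding:
    src: str
    rule: str
    detail: str


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def audit(observations, mgmt_prefix=MGMT_SUBNET_PREFIX):
    """Return findings for cleartext credentials, pages served without authentication,
    and management-interface access from outside the management subnet."""
    findings = []
    for src, dst, port, tls, raw, status in observations:
        if not tls and raw:
            _, path, headers = parse_request(raw)
            auth = headers.get("authorization", "")
            if auth.lower().startswith("basic "):
                # Decode only the user name for the alert; never write the password to a log
                user = base64.b64decode(auth[6:]).decode(errors="replace").split(":", 1)[0]
                findings.append(Finding(src, "cleartext-credentials",
                                        f"Basic auth for user '{user}' to {dst}:{port} without TLS ({path})"))
            elif status == 200:
                findings.append(Finding(src, "unauthenticated-page",
                                        f"{path} on {dst}:{port} served without any Authorization header"))
        if not src.startswith(mgmt_prefix):
            findings.append(Finding(src, "non-management-source",
                                    f"{src} reached UPS management interface {dst}:{port}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OBSERVATIONS):
        print(f"[{f.rule}] {f.src}: {f.detail}")
```

A 401 response to a request without credentials is the correct behaviour and is deliberately not reported; only a 200 without any Authorization header indicates a page that was left outside authentication.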


For early detection of cyberincidents and awareness of ICS vulnerabilities, Positive Technologies offers PT ISIM and MaxPatrol for the specific needs of industrial protocols and networks.


The importance of inspecting encrypted traffic

Many adversaries to enterprise cybersecurity are using sophisticated encryption tactics to bypass defences and infiltrate networks. Enterprises are trying to fight back by employing HTTPS and using SSH, as well as other advanced protocols for data exfiltration. SSH, for example, is often used for remote management access because it performs well. But, when nearly 70 percent of all enterprise traffic is encrypted, understanding what’s hiding inside that traffic is imperative. So, what can you do to inspect that traffic?


The first step is to come up with an enterprise threat model so that you can easily look at and assess a threat, then outline the techniques that your adversaries are going to use. For example, the MITRE Corporation developed one that they call the ATT&CK matrix; as you go through it, it outlines the techniques used for exfiltration of data and for command and control, by which remote adversaries control malware. When you look at this and then look across at your own network you may see that you have a firewall, an IDS and advanced threat protection, which are all good to have. However, if 60-70% of the traffic you get is encrypted, then what use are these security measures at monitoring it? Enterprises need a plan in place to monitor encrypted traffic as well.

The next step involves utilising an advanced data exfiltration protocol, such as SSH. SSH is great and is oftentimes used for remote management access because it performs so well. RDP, Remote Desktop Protocol, is another protocol that many enterprises utilise to great effect, so in order to figure out what is best for your enterprise it’s important to consider the enterprise threat model that was discussed above. How does your model aim to inspect traffic and which software are you utilising? Some programs out there only allow you to focus on one protocol at a time while others can inspect everything from SSH to RDP to HTTPS. Which software your enterprise is using will affect what steps you need to take to monitor encrypted traffic.

If you’ve followed everything so far then you should be utilising an IPS, IDS, ATP and be using something akin to the Mitre attack template to evaluate your cybersecurity, which may seem like a lot, but as any cybersecurity expert will tell you: ‘there is no such thing as too much protection.’ So what type of issues might you need to still account for?


Well, let’s assume you have a next-generation firewall and you are performing decryption, and then suddenly you hit a performance bottleneck. This bottleneck would likely be caused by advanced threat protection detecting problems that are different from what your next-generation firewall is going to detect, which will be different from what your IDS detects, and so on. All these programs detecting different problems at the same time will likely incur latency because they are all happening at once. However, there are single devices out there that can do all of these tasks alone, which helps improve performance, reduces the chance of a bottleneck and leaves less of a chance that your users will even be aware that you’re performing this inspection.

You may also have the issue of employee negligence or ignorance among your IT staff. Last year a report from the Ponemon Institute found that 37% of enterprises hand over their encryption duties to their cloud providers, taking an off-hand approach and relying on someone else to do such an important job for them. Separately, a survey by Venafi found that 23 percent of their respondents had no idea how much of their encrypted traffic is decrypted and inspected. By passing off responsibility to an outside business and not properly tracking encryption in the business, many enterprises are opening themselves up to outside threats, even if they have the latest technology.

To conclude, with at least 70 percent of all traffic encrypted it is important that enterprises are aware of everything that is hiding amongst this traffic or they risk cyber threats sneaking through. In order to achieve this, a good cyber threat model is needed as well as utilising an advanced data exfiltration protocol, like SSH. It is imperative that once you have the model in place you have some technology that can help to easily manage it all without being met with a performance bottleneck. Finally, it is key that all of the staff in your IT department are fully aware of exactly what is encrypted and are monitoring it as frequently as possible. With all of this in place, your enterprise should be fully prepared to keep your business safe from threats hiding within encrypted traffic.


Cyber Security Agency Eskenzi PR wins a Queen’s Award for Enterprise 2018

Her Majesty The Queen, advised by the Prime Minister, has honoured Eskenzi PR and Marketing with a Queen’s Award for Enterprise 2018, recognising its outstanding achievement in International Trade. Eskenzi has been in business for over twenty years, working with cyber security companies all over the world, to raise awareness of security issues organisations face and the cutting edge technology available to thwart cyber attacks.  This award comes at a time when the government is paying particular focus in this area, having recently launched its strategy to support the export of cyber security technology.

The Queen’s Awards for Enterprise are the UK’s most prestigious business awards, recognising and celebrating business excellence across the UK. This year it has been given to just 152 companies for overseas trade and international growth.

Yvonne Eskenzi, Co-Founder at Eskenzi PR said: “The Queen’s Award is the highest accolade that any British company can achieve. For us, it is recognition of the contribution and hard work we, as an agency, deliver in the cyber security sphere. We’re proud to say we’ve been in the space, from the start, working tirelessly to highlight cyber security challenges organisations face daily, and promoting the technologies that help strengthen their defences. Over twenty years ago we helped to launch Infosecurity Europe – a cyber security exhibition held annually in London; it was a subject few outside of the sector understood, or even knew existed. Today it’s front page news and being debated during board meetings and at dinner parties around the world. I’m especially proud that we have won the Award for all our work overseas, recognising Eskenzi PR as the go-to international PR agency for Cyber Security.”

Eskenzi PR Ltd is a specialist agency, working closely with the very best cyber security companies in the world, including those coming out of Israel, Silicon Valley, Europe and of course, the UK. Today, the agency represents over 25 companies, working with many leading vendors in cyber including Airbus Cybersecurity, Imperva, ESET and AlienVault.

By investing in technology, Eskenzi PR has the tools needed to ensure it remains one step ahead of its competitors, enabling the agency to grow quickly across the UK, France, Germany, Benelux, The Nordics, and, most importantly, the USA.

In choosing the winners of this award, the Queen is advised by the Prime Minister, who is assisted by an advisory committee including the government, industry and commerce, and trade unions. Successful organisations may fly the Queen’s Award flag at their principal premises and are entitled to use the emblem on their stationery, advertising and goods. A corporate award is valid for five years. Additionally, the Queen hosts a reception at Buckingham Palace for representatives of Eskenzi PR.

The two co-founders of Eskenzi PR – Yvonne Eskenzi and Neil Stinchcombe, who are a husband and wife team, will attend a reception at Buckingham Palace to meet HRH The Prince of Wales and other winners on 28th June.


TalkTalk customers concerned over privacy

A number of TalkTalk’s broadband ISP customers in the UK have raised concerns after the provider sent them an alarmist warning email, which without providing any useful details claimed that they “may have downloaded a virus on one or more of your devices” (phishing emails adopt a similar approach).


ORIGINAL SOURCE: IS Preview


Russia to increase cyber activity against UK

A network of Russian trolls is behind a new disinformation campaign about who was responsible for chemical weapons attacks in Syria and Salisbury, a government source has said.
Social media bots are said to be responsible for a 4,000 percent increase in the spread of ‘lies and disinformation’ according to Whitehall research made public for the first time.


ORIGINAL SOURCE: ITV


Six Steps to Secure Cryptographic Keys

Cryptocurrency seems to bring out the best effort from cyber criminals. From nation states to traditional attackers, the rise in crypto-related attacks is staggering. The motivation is obvious: it’s financially driven. Despite the recent drop, cryptocurrency values have skyrocketed over the past couple of years incentivising attackers to create malicious code and sophisticated hacking tools to harvest cryptocurrency coins. One quick way to a massive payday is achieved by compromising a digital wallet and stealing the wallet’s private key. When attackers get their hands on a digital wallet, they can take full control of the funds.


Retailers have started to accept cryptocurrency right alongside good old-fashioned cash and credit. This trend is commercialising decentralised currency and forcing the hand of many big banks to get on board. The leg up criminals have, in many of these attacks, is the anonymity involved in crypto-transactions. As this form of currency gains more credibility, organisations in every industry will need to implement security controls to mitigate the risk of crypto-credentials becoming exposed.

A Quick Review on Digital Wallets


There are two types of digital wallets: hot wallets and cold wallets. Hot wallets are used by individual users and organisations to store smaller amounts of currency, adding the need to be more fluid in nature for quick transfers and exchanges. There are many cryptocurrency services such as Coinbase and Bittrex that manage and store the wallet’s private key and provide users with easy access. In most cases, this type of managed service is password protected.


Conversely, cold wallets, used by organisations and security-savvy individuals, typically hold much larger amounts of digital currency. This type of wallet keeps its associated private key off the internet completely (for obvious reasons) and often stores it on an offline computer. Yet, as demonstrated by some of the recent attacks, if the network becomes compromised, then the keys will follow suit shortly thereafter.


There are solutions available that store private keys on a USB stick-like device that does not allow the extraction of the private key. The device is simply inserted into a computer to prove the user has access to the key (using its cryptographic functionality and zero-trust algorithms). This solution provides sound security for the private keys; however, it is not suitable for larger organisations that need to control who has access to the device and its associated credentials.

Don’t Get Digitally Mugged

Cryptocurrency private keys are not exclusively used by human users. There are many automated processes that perform cryptocurrency transactions as well. Securing private keys for all users (both human and machine) is a foundational first step, quickly followed by authenticating and identifying who has access to the keys, controlling the access and monitoring its usage.


What’s essential is that we start to view cryptocurrency private keys as another type of a privileged credential, and take steps to manage and protect them, with the appropriate workflows and access controls.


Here are six key (pun intended) considerations to help secure and protect cryptographic keys:


  1. Store cryptographic keys in a secure digital vault – Move keys into a digital vault with multiple layers of security wrapped around it, and enforce multi-factor authentication for all users who have access to the vault.
  2. Introduce role segregation – Control individual access to stored keys, preventing even the most privileged administrators from getting to them unless explicit permissions have been granted.
  3. Enable secure application access – Enable access to stored keys for authorised applications and verify that the applications are legitimate.
  4. Audit and review access key activity – Audit all activity related to key access and implement trigger events to alert the necessary individuals of any key activity.
  5. Enforce workflow approvals – Enforce workflow approvals for anything considered to be highly sensitive and the same goes for accessing the keys.
  6. Monitor cryptocurrency administrator activities – Facilitate connections – similar to an automated secure proxy/jump host – to target systems that are used to perform cryptocurrency administrator activities (e.g. the system hosting the wallet).
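Steps 1 to 5 above are access-control rules that can be expressed directly in code. The following is an added example, not code from the article's author or from any vault product, of a small in-memory vault that enforces them: vault administration needs the vault-admin role plus MFA (step 1); administrators can grant access but receive no key material without an explicit grant of their own (step 2); applications authenticate with an HMAC over a single-use nonce before checkout (step 3); every allowed and denied operation is audited and denials raise alerts (step 4); sensitive keys need a one-time approval from a second person (step 5). Step 6, the proxied session to the wallet host, is outside what this snippet models. The role names, the in-memory key store (a real vault encrypts keys at rest or keeps them in an HSM) and the MFA flag set by an assumed authentication layer are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised for every refused operation; each refusal is also audited and alerted."""


@dataclass
class Principal:
    name: str
    roles: set
    mfa_verified: bool = False   # set by the (assumed) authentication layer after MFA


class KeyVault:
    def __init__(self):
        self._keys = {}          # key_id -> material (assumption: a real vault encrypts this / uses an HSM)
        self._sensitive = set()  # key_ids whose checkout needs a workflow approval
        self._grants = {}        # key_id -> set of principal or application names explicitly allowed
        self._approvals = set()  # (key_id, requester) pairs approved for exactly one checkout
        self._app_secrets = {}   # application name -> secret used to authenticate the application
        self._seen_nonces = set()
        self.audit = []          # every event, allowed or denied
        self.alerts = []         # trigger events: denials and checkouts of sensitive keys

    def _log(self, event, **info):
        entry = {"ts": time.time(), "event": event, **info}
        self.audit.append(entry)
        if event == "denied" or (event == "checkout" and info.get("sensitive")):
            self.alerts.append(entry)

    def _deny(self, who, key_id, reason):
        self._log("denied", who=who, key_id=key_id, reason=reason)
        raise AccessDenied(f"{who} -> {key_id}: {reason}")

    def _require_admin(self, p):
        if "vault-admin" not in p.roles or not p.mfa_verified:
            self._deny(p.name, "*", "vault administration needs the vault-admin role and MFA")

    # Step 1: keys live behind the vault; all administration requires MFA
    def store(self, admin, key_id, material, sensitive=False):
        self._require_admin(admin)
        self._keys[key_id] = material
        self._grants.setdefault(key_id, set())
        if sensitive:
            self._sensitive.add(key_id)
        self._log("store", who=admin.name, key_id=key_id, sensitive=sensitive)

    # Step 2: role segregation; admins manage grants but are not granted anything implicitly
    def grant(self, admin, key_id, name):
        self._require_admin(admin)
        self._grants.setdefault(key_id, set()).add(name)
        self._log("grant", who=admin.name, key_id=key_id, grantee=name)

    # Step 5: a second person with the approver role unlocks one checkout of a sensitive key
    def approve(self, approver, key_id, requester):
        if "approver" not in approver.roles or approver.name == requester:
            self._deny(approver.name, key_id, "approval needs the approver role and a second person")
        self._approvals.add((key_id, requester))
        self._log("approve", who=approver.name, key_id=key_id, requester=requester)

    def _release(self, name, key_id, identity_ok):
        if key_id not in self._keys:
            self._deny(name, key_id, "unknown key")
        if not identity_ok:
            self._deny(name, key_id, "identity not verified (MFA or application authentication)")
        if name not in self._grants[key_id]:
            self._deny(name, key_id, "no explicit grant")
        sensitive = key_id in self._sensitive
        if sensitive:
            if (key_id, name) not in self._approvals:
                self._deny(name, key_id, "workflow approval required")
            self._approvals.discard((key_id, name))   # approvals are single-use
        self._log("checkout", who=name, key_id=key_id, sensitive=sensitive)
        return self._keys[key_id]

    def checkout(self, principal, key_id):
        return self._release(principal.name, key_id, principal.mfa_verified)

    # Step 3: applications prove possession of their secret with an HMAC over (app, key, nonce)
    def register_app(self, admin, app_name):
        self._require_admin(admin)
        self._app_secrets[app_name] = secrets.token_bytes(32)
        self._log("register_app", who=admin.name, app=app_name)
        return self._app_secrets[app_name]

    @staticmethod
    def app_tag(secret, app_name, key_id, nonce):
        return hmac.new(secret, f"{app_name}|{key_id}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def app_checkout(self, app_name, key_id, nonce, tag):
        if (app_name, nonce) in self._seen_nonces:
            self._deny(app_name, key_id, "replayed application request")
        self._seen_nonces.add((app_name, nonce))
        secret = self._app_secrets.get(app_name)
        ok = secret is not None and hmac.compare_digest(self.app_tag(secret, app_name, key_id, nonce), tag)
        return self._release(app_name, key_id, ok)
```

The alerts list is the step 4 "trigger event" hook: in a deployment it would feed the SIEM, and the audit list is what a reviewer reads to see who touched which key and who approved it.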


Cybercriminals will continue to look at this technology as another opportunity to line their pockets. But with organisations needing to respond to demand for this type of currency, it’s essential to put in place safeguards, rather than just jumping in on the trend. Safeguarding critical systems from key harvesting and many other types of advanced attacks will be key in ensuring they don’t find themselves caught out.


TaskRabbit has been brought back to life – Security industry opinion

At the beginning of this week (Monday 16th), TaskRabbit, the IKEA-owned mobile marketplace that matches freelance labour with local demand, had its website and app hacked, resulting in both shutting down and going offline. The company offered a statement to its customers saying, “We understand how important your personal information is and are working with an outside cybersecurity firm and law enforcement to determine the specifics.”

An investigation is under way to establish what information may have been compromised and how the breach occurred, with TaskRabbit advising all users to change passwords and monitor for unusual activity across accounts in case of signs of stolen identity. This is sound security advice, but what did the security industry have to say regarding the hack?

Bob Egner, VP at Outpost24, said that the reason these hackers targeted TaskRabbit data is that it is interesting and valuable. He said, “Attacks of this nature are attempted when there is a potential gain for the attacker, in this case to monetize any personal information that can be obtained. All web applications are vulnerable, it’s only a matter of how much effort the attacker is required to expend. It’s really an economic problem where the payback has to be larger than the expended effort.

Any public facing web application that holds large amounts of personal information should have a comprehensive application security testing program in place to assess the application, its data stores, the infrastructure on which it runs, and the users assigned to manage and operate the overall system. Any weaknesses should be remediated in a prioritized way so that the potential for attack is reduced to the lowest possible level and maintained there. The focus should be on the economic equation, where the effort required to compromise the system is much greater than the value of any stolen information.”

According to Tim Helming, director of product management at DomainTools, the TaskRabbit breach is an indication of how comprehensively nefarious actors can interfere with business functions, and potentially harm users. Tim goes on to say, “To take control of a website and expose such trusted resources as TaskRabbit’s GitHub repository, as well as daily transaction volumes and information regarding employees, the threat actors must have had comprehensive access to the network. While we don’t yet know the specifics of how this attack unfolded, it is a good reminder of the importance of practices such as least-privilege access controls, robust network segmentation, and strong phishing controls. Organizations need to take cybersecurity seriously, particularly when it could affect the livelihood, reputation and privacy of both employees and service users.”


SANS Experts Share Five Most Dangerous New Attack Techniques

Experts from SANS last night presented the five most dangerous new cyber attack techniques in their annual RSA keynote session in San Francisco, and shared their views on how they work, how they can be stopped or at least slowed, and how businesses and consumers can prepare.

The five threats outlined are:

  1. Repositories and Cloud Storage Data Leakage
  2. Big Data Analytics, De-Anonymization, and Correlation
  3. Attackers Monetize Compromised Systems Using Crypto Coin Miners
  4. Recognition of Hardware Flaws
  5. More Malware and Attacks Disrupting ICS and Utilities Instead of Seeking Profit

Repositories and Cloud Storage Data Leakage

Ed Skoudis, a top hacker exploits expert, SANS Faculty Fellow and lead for the SANS Penetration Testing Curriculum, talked about the data leakage threats facing us from the increased use of repositories and cloud storage:

“Software today is built in a very different way than it was 10 or even 5 years ago, with vast online code repositories for collaboration and cloud data storage hosting mission-critical applications. However, attackers are increasingly targeting these kinds of repositories and cloud storage infrastructures, looking for passwords, crypto keys, access tokens, and terabytes of sensitive data.” 

He continued: “Defenders need to focus on data inventories, appointing a data curator for their organization and educating system architects and developers about how to secure data assets in the cloud. Additionally, the big cloud companies have each launched an AI service to help classify and defend data in their infrastructures. And finally, a variety of free tools are available that can help prevent and detect leakage of secrets through code repositories.”

Big Data Analytics, De-Anonymisation, and Correlation

Skoudis went on to talk about the threat of Big Data Analytics and how attackers are using data from several sources to de-anonymise users:

“In the past, we battled attackers who were trying to get access to our machines to steal data for criminal use. Now the battle is shifting from hacking machines to hacking data — gathering data from disparate sources and fusing it together to de-anonymise users, find business weaknesses and opportunities, or otherwise undermine an organisation’s mission. We still need to prevent attackers from gaining shell on targets to steal data. However, defenders also need to start analysing risks associated with how their seemingly innocuous data can be combined with data from other sources to introduce business risk, all while carefully considering the privacy implications of their data and its potential to tarnish a brand or invite regulatory scrutiny.”

Attackers Monetize Compromised Systems Using Crypto Coin Miners

Johannes Ullrich, is Dean of Research, SANS Institute and Director of SANS Internet Storm Center. He has been looking at the increasing use of crypto coin miners by cyber criminals:

“Last year, we talked about how ransomware was used to sell data back to its owner and crypto-currencies were the tool of choice to pay the ransom. More recently, we have found that attackers are no longer bothering with data. Due to the flood of stolen data offered for sale, the value of most commonly stolen data like credit card numbers or PII has dropped significantly. Attackers are instead installing crypto coin miners. These attacks are more stealthy and less likely to be discovered, and attackers can earn tens of thousands of dollars a month from crypto coin miners. Defenders therefore need to learn to detect these coin miners and to identify the vulnerabilities that have been exploited in order to install them.”
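Ullrich's point that defenders "need to learn to detect these coin miners" can be made concrete with host telemetry. The following is an added example, not code from SANS or the speaker, that scores constructed process snapshots on independent indicators a defender can check: a command line containing a stratum pool URL or a well-known miner name, a connection to a port commonly used by mining pools, a first outbound message that is a stratum JSON-RPC call, and sustained high CPU. The process records, the pool-port list and the two-indicator threshold are assumptions for the example; high CPU alone is deliberately not enough, so a legitimate compute job is not flagged.

```python
import json
import re

# Indicators that are cheap to check in EDR or process telemetry. The miner names and the
# stratum URL scheme are public indicators of mining software; the ports are common pool
# defaults and the CPU threshold is an assumption for this example.
MINER_CMDLINE = re.compile(r"stratum\+(tcp|ssl)://|xmrig|minerd|--donate-level", re.I)
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
CPU_SUSTAINED_PCT = 80

# Constructed process snapshots (not real telemetry): name, command line, sustained CPU %,
# remote connections as (ip, port), and the first bytes the process sent on that connection.
PROCESSES = [
    {"pid": 1203, "name": "kworkerds", "cpu_pct": 97,
     "cmdline": "/tmp/.x/kworkerds -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER",
     "conns": [("198.51.100.7", 3333)],
     "first_payload": '{"id":1,"method":"mining.subscribe","params":[]}'},
    {"pid": 880, "name": "nginx", "cpu_pct": 3, "cmdline": "nginx: worker process",
     "conns": [("10.0.0.5", 443)], "first_payload": None},
    {"pid": 2210, "name": "python3", "cpu_pct": 99, "cmdline": "python3 train.py",
     "conns": [], "first_payload": None},                       # busy, but no mining indicators
    {"pid": 3310, "name": "svchost", "cpu_pct": 60, "cmdline": "svchost.exe -k netsvcs",
     "conns": [("203.0.113.44", 14444)],
     "first_payload": '{"method":"login","params":{"login":"WALLET_PLACEHOLDER"}}'},
]


def stratum_method(payload):
    """Return the JSON-RPC method name if the payload looks like a stratum mining message."""
    if not payload:
        return None
    try:
        method = json.loads(payload).get("method")
    except (ValueError, AttributeError):
        return None
    return method if method in STRATUM_METHODS else None


def score_process(proc):
    """Count independent indicators; one alone (e.g. high CPU) is not enough to flag a process."""
    reasons = []
    if MINER_CMDLINE.search(proc["cmdline"]):
        reasons.append("miner command line")
    if any(port in POOL_PORTS for _, port in proc["conns"]):
        reasons.append("connection to common pool port")
    method = stratum_method(proc["first_payload"])
    if method:
        reasons.append(f"stratum message '{method}'")
    if proc["cpu_pct"] >= CPU_SUSTAINED_PCT:
        reasons.append("sustained high CPU")
    return len(reasons), reasons


def detect(processes, threshold=2):
    """Return (pid, name, reasons) for processes with at least `threshold` indicators."""
    hits = []
    for proc in processes:
        score, reasons = score_process(proc)
        if score >= threshold:
            hits.append((proc["pid"], proc["name"], reasons))
    return hits


if __name__ == "__main__":
    for pid, name, reasons in detect(PROCESSES):
        print(f"pid {pid} ({name}): {', '.join(reasons)}")
```

The second flagged process shows why the score matters: it hides under a legitimate-looking name and keeps CPU moderate, but the pool port and the stratum login message together are enough to raise it for the follow-up the quote asks for, finding the vulnerability that let it in.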

Recognition of Hardware Flaws

Ullrich then went on to say that software developers often assume that hardware is flawless and that this is a dangerous assumption. He explains why and what needs to be done:

“Hardware is no less complex than software and mistakes have been made in developing hardware just as they are made by software developers. Patching hardware is a lot more difficult and often not possible without replacing entire systems or suffering significant performance penalties. Developers therefore need to learn to create software without relying on hardware to mitigate any security issues. Similar to the way in which software uses encryption on untrusted networks, software needs to authenticate and encrypt data within the system. Some emerging homomorphic encryption algorithms may allow developers to operate on encrypted data without having to decrypt it first.”

Malware and Attacks Disrupting ICS and Utilities Instead of Seeking Profit

Finally, Head of R&D, SANS Institute, and top UK cyber threat expert, James Lyne, discussed the growing trend in malware and attacks that aren’t profit centred as we have largely seen in the past, but instead are focused on disrupting Industrial Control Systems (ICS) and utilities:

“Day to day the grand majority of malicious code has undeniably been focused on fraud and profit. Yet, with the relentless deployment of technology in our societies, the opportunity for political or even military influence only grows. And rare publicly visible attacks like Triton/TriSYS show the capability and intent of those who seek to compromise some of the highest risk components of industrial environments, i.e. the safety systems which have historically prevented critical security and safety meltdowns.” 

He continued:

“ICS systems are relatively immature and easy to exploit in comparison to the mainstream computing world. Many ICS systems lack the mitigations of modern operating systems and applications. The reliance on obscurity or isolation (both increasingly untrue) does not position them well to withstand a heightened focus on them, and we need to address this as an industry. More worrying is that attackers have demonstrated they have the inclination and resources to diversify their attacks, targeting the sensors that are used to provide data to the industrial controllers themselves. The next few years are likely to see some painful lessons being learned as this attack domain grows, since the mitigations are inconsistent and quite embryonic.”


The Flu and DDoS, From an Epidemic to a Solution

While the mobile industry was busy celebrating telecom innovation at MWC18, another kind of innovation was making headlines: a record 1.35 Tbps DDoS attack. It caused some disruption and highlighted the potential for much worse. In this instance, the attack was detected and mitigated relatively quickly—but it required manual intervention and rerouting of traffic. Fortunately, service was only disrupted for a few minutes, but it could have been much worse, and other targets might not have been as ready.


DDoS is a worldwide problem: harmful if not treated in time, and one that also seems to be getting worse. This is why I tend to compare it with a flu epidemic, one that affects the connected world. And indeed DDoS attacks and the flu have similarities.

For those who haven’t been paying attention to the latest medical news, this flu season has been especially rough. In January, Time magazine explained the phenomenon:

“The flu shot is tweaked each year in an attempt to target what are projected to be the most prevalent strains of the disease, but the process isn’t foolproof.”

This analysis of the flu season points to what I see as the major resemblance between DDoS and the flu. In the case of the flu, vaccination acts as a static defence that targets specific, projected flu strains, and is only effective against 30 per cent of H3 viruses. In the same manner, when facing DDoS attacks, telecom operators only know how to mitigate what they already know: a “known knowns” approach.

ISPs and enterprises, just like health professionals, are thus facing the same challenge: how will they defend themselves against non-prevalent strains? The unforeseen DDoS attacks, the new vectors and the zero-day exploits are in fact unknown unknowns. But the comparison also has its limits, because, fortunately, the world of data communications has a solution to DDoS attacks.

Facing DDoS attacks, firms may make use of autonomously adaptive, machine-learning algorithms that use artificial intelligence techniques to automatically detect anomalous behaviour and trigger mitigation of the attack. Indeed, the recent attack on GitHub was spotted by IT professionals who noticed an unusual spike in inbound traffic. It was caused by amplified UDP reflection through Memcached servers’ default port 11211. They eventually managed to fend off the attack by rerouting traffic to a scrubbing centre provider that cleaned out the malicious packets, and the attack ended shortly afterwards.

The attack didn’t last more than a few minutes but could have been worse had it struck a less prepared company, and indeed other companies aren’t as prepared. Even if a firm the size of GitHub can divert terabits of traffic to external DDoS clean-up services, this is a costly solution, and for many firms the scrubbing and latency costs are prohibitive. This problem is bound to become even more acute as 5G and IoT expand the scale of data communications. On top of the heavy security costs, many short “hit and run” attacks evade external detection because of their brief duration and will never be scrubbed.

Facing this harsh reality, I would like to point to a better solution: one that equips networks with high-performance, distributed inline systems that use machine learning techniques to automatically detect and mitigate any type of attack at wire speed, regardless of scale, within seconds and without disrupting service. Legitimate traffic would flow unimpeded while malicious traffic would be discarded. No manual intervention would be required. Here is how this works:

In the above picture, every packet of data is inspected by high-performance, inline appliance instances. This enables attacks to be automatically detected and surgically blocked within seconds. Network services are neither threatened nor disrupted. This success is achieved by using advanced Network Behavior Anomaly Detection (NBAD) technology. Volumetric attacks are detected by the anomalies they cause in the normally time-invariant behaviour of Layer 3 and Layer 4 packet rate statistics.

The dynamic creation of mitigation rules and surgical filtering of attack packets prevents over-blocking and enables legitimate traffic to flow unimpeded, assuring network protection and service QoE at all times.

DDoS attacks also have an aspect that is often overlooked: service providers can themselves be infected and become the source of outgoing botnet attacks. This can harm their customers and their reputation. Such outbound attacks can only be caught by inline systems that inspect all packets travelling in every direction. Inspecting outbound traffic not only blocks these attacks but also enables better detection of inbound attacks.

By correlating bi-directional traffic, the system can easily highlight inbound traffic that was not, in fact, solicited by anything the service provider’s network sent.
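To make the NBAD and bi-directional correlation described above concrete, here is an added example (not code from the original post or from Allot’s product) that learns a packet-rate baseline over constructed per-second counters, flags seconds that deviate from it, and marks inbound UDP responses from port 11211 that no internal host requested. All addresses, packet counts, the baseline window and the threshold multiplier are constructed assumptions.

```python
from collections import Counter, namedtuple
from statistics import mean, pstdev

# One per-second traffic counter seen at the protected network edge (constructed).
# direction is "in" (towards the protected network) or "out" (leaving it).
Pkt = namedtuple("Pkt", "second direction proto src_ip src_port dst_ip dst_port packets")

NORMAL_SECONDS = 60  # quiet seconds used to learn the baseline (assumption)
ATTACK_SECONDS = 10  # constructed burst appended after the quiet period
REFLECTORS = ("203.0.113.5", "203.0.113.6", "203.0.113.7")  # constructed addresses


def build_sample_traffic():
    """Constructed sample: steady DNS traffic we solicited ourselves, then a
    burst of UDP responses from source port 11211 that nothing inside asked for."""
    recs = []
    for t in range(NORMAL_SECONDS + ATTACK_SECONDS):
        n = 90 + t % 5  # small jitter so the baseline has a non-zero spread
        recs.append(Pkt(t, "out", "udp", "192.0.2.10", 40000, "198.51.100.53", 53, n))
        recs.append(Pkt(t, "in", "udp", "198.51.100.53", 53, "192.0.2.10", 40000, n))
        if t >= NORMAL_SECONDS:
            for ip in REFLECTORS:
                recs.append(Pkt(t, "in", "udp", ip, 11211, "192.0.2.10", 1234, 50000))
    return recs


def per_second_rates(recs, direction):
    """Layer-3/4 packet-rate statistic: total packets per second in one direction."""
    rates = Counter()
    for p in recs:
        if p.direction == direction:
            rates[p.second] += p.packets
    return rates


def learn_baseline(rates, seconds):
    """Mean and standard deviation of the packet rate over the quiet period."""
    window = [rates.get(t, 0) for t in range(seconds)]
    return mean(window), pstdev(window)


def detect_volumetric(rates, baseline, k=5.0):
    """Seconds whose rate deviates from the normally time-invariant baseline."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return sorted(t for t, r in rates.items() if r > threshold)


def unsolicited_inbound(recs, window=2):
    """Bi-directional correlation: inbound packets from (src_ip, src_port) count as
    solicited only if we sent something to that ip:port in the last `window` seconds."""
    outbound = set()
    for p in recs:
        if p.direction == "out":
            outbound.add((p.second, p.dst_ip, p.dst_port))
    unsolicited = Counter()
    for p in recs:
        if p.direction != "in":
            continue
        solicited = any((p.second - d, p.src_ip, p.src_port) in outbound
                        for d in range(window + 1))
        if not solicited:
            unsolicited[(p.src_ip, p.src_port)] += p.packets
    return unsolicited


def mitigation_rules(unsolicited, min_packets=1000):
    """Surgical drop rules: only the offending source ip:port pairs, nothing broader,
    so legitimate DNS replies on the same link keep flowing."""
    return [{"action": "drop", "proto": "udp", "src_ip": ip, "src_port": port}
            for (ip, port), n in sorted(unsolicited.items()) if n >= min_packets]


if __name__ == "__main__":
    traffic = build_sample_traffic()
    inbound = per_second_rates(traffic, "in")
    anomalous = detect_volumetric(inbound, learn_baseline(inbound, NORMAL_SECONDS))
    print("anomalous seconds:", anomalous)
    for rule in mitigation_rules(unsolicited_inbound(traffic)):
        print(rule)
```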

During the recent Memcached attacks, Allot’s bi-directional, inline DDoS Secure solution successfully detected and prevented such attacks observed in multiple customer networks worldwide.


Below is an example:


So, while this year’s flu season may be winding down, DDoS is just gearing up. New vectors, new vulnerabilities and ever-growing volumetric attacks are just a matter of time. Get protected – inline and on time!

The post The Flu and DDoS, From an Epidemic to a Solution appeared first on IT SECURITY GURU.

7 Sins of Security Metrics

If you are at the water cooler muttering “But that’s EXACTLY the graph they asked for”, you have met SIN#1… “Get me a plot of x versus y, colour-coded by z!” They sounded so sure when they asked you, so you created what they wanted, showed it to them, and they hated it. Ok, a bit melodramatic. But in my experience, building the metrics people ask for rarely delivers the insight they want. Why? Often, when someone asks for a metric, they are in the process of working out whether there’s value in a question they’d like to ask of their data. Until they see the result, they don’t know if the output will give them what they’re after; AKA the “I’ll know it when I see it” problem.

As data scientists / analysts, we need to build metrics that address the questions our stakeholders need answering. If they aren’t entirely clear on either what those questions are, or what questions are most valuable to answer, or whether the metric they’ve asked for is the best way to answer a question, the process of iterating through analysis in the hope of striking gold will be excruciating for everyone involved. If stakeholders don’t have enough definition around the problem they are trying to solve (this is more common than you’d think!) we need to help them. Because if we just build the plot they ask for, we’re essentially crossing our fingers that the work we do will be valuable.


“Personally, I find this fascinating.” Oh, the woe. It’s SIN#2… Ah yes. The discovery of fascinating stuff that no one can do anything about. If we don’t produce metrics that are engaging for our audience and useful from their perspective … If a team can’t take our analysis, act on it, and see an improvement … Well, then our charts will be disheartening. And no one likes a metric that makes them miserable.


As people who love analysing data, it can be easy to run down metrics rabbit holes, digging around in data indefinitely, exploring things that look like they could uncover some new level of understanding in the information we have. (This is also true when you have done the hard work to create a great set of metrics, but mountains of possible analysis options remain.) We always need to keep the goal of a metric in mind when we spend time picking data apart, which translates to firstly avoiding things that, in retrospect, were pet projects and secondly knowing when we’ve reached ‘good enough for now’ on the level of resolution we have on a problem. The people funding our efforts will have patience if they can see progress, but not if they end up with 30 plots that may be intellectually fascinating, but fail to provide high-value insights they can act on.


“It’s ‘actionable insight’, so the team will find it really useful.” Because it’s not like security teams have enough stuff on their to-do list already, it’s SIN#3… A problem with the over-abused word ‘actionable’ in security marketing is there’s a big difference between something that’s actionable, and something that’s worth acting on. Good security metrics don’t enumerate all the possible things that could be changed to make an estate more secure. They get stakeholders engaged around problems they have, that they have the power and budget to solve. Ideally, they also show a clear set of actions that can deliver the greatest improvement to security performance or risk exposure. If metrics deliver a prioritized list of 1000 actions, it’s likely there will be no buy-in from departments already swamped with lists of things to do. (Sure, your 1000 things may be added to their list… just right at the bottom). A single action that deals with 1000 problems will get far more traction. And yes, developing metrics that do this is far from trivial.


“I think a decrease in this percentage means that thing we did was good … right?” Welcome to the ambiguity of SIN#4… Ok so we’ve got a high value, actionable metric that addresses something it’s important to change! Hooray! But will our metric track the full impact of our actions? Can external factors affect the data and make things look better (or worse) than they are? For example, a good performance metric should clearly reflect action we’ve taken to improve it. If the scope of such a metric is too broad, a change in its value may be ambiguous and, therefore, hard to attribute. Example: if we’re using the total number of vulnerabilities on our estate as a proxy for our patching rate, Patch Tuesday will boost this number and make our performance look like it’s gotten worse, even if the number of vulnerabilities patched per week has remained constant. Note: This is not a good metric for this scenario! If we’re not measuring something that changes predictably when we make progress, we’ll find ourselves having to endlessly explain metrics to people, and the whole point of a metric is to give stakeholders clarity on the situation.


“Our operations teams use these metrics, the CISO’s metrics focus on something else.” Beware the divergence of SIN#5… Sure, a metric can be broken down differently for different stakeholders, but the metrics themselves cannot be ‘different’. Metrics will need to be tailored for different stakeholders, particularly in terms of their granularity and scope, but there must be a common thread running through them.


There are two aspects to this. The first is a shared view all the way from the Technology Risk Committee to IT Operations teams of what a set of metrics relating to a risk or performance measure tell them about options for actions or priorities they need to act on. The second is what we call “data lineage” within this shared view. Data lineage is, essentially, the ability to drill down from a high-level metric (i.e. that Execs have on their dashboard), all the way to the raw records metrics are built from (i.e. where actions are taken at operational level). Unless you nail this, you end up with a disconnect between the metrics Executives are given to make budget and resource decisions, the actions that are taken at operational level, and the ability to link the two from one reporting period to the next.
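As an added illustration (not from the original article), the following constructed example shows both the SIN#4 ambiguity and the data lineage just described: the “total open findings” number jumps in a Patch Tuesday week while “patched per week” stays flat, and every metric value carries the ids of the raw records it was built from, so it can be drilled down to the operational level and sliced per host. The Finding records, host names, week numbers and the PATCH_TUESDAY_WEEK constant are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

PATCH_TUESDAY_WEEK = 4  # constructed: the week the scanner ingests a big vendor release


@dataclass(frozen=True)
class Finding:
    """One raw scanner record (constructed); the level at which operations acts."""
    id: str
    host: str
    discovered: int          # week the scanner first reported it
    patched: Optional[int]   # week it was remediated, None while still open


@dataclass(frozen=True)
class MetricValue:
    """A reporting-level number that keeps the ids of the records it was built from."""
    name: str
    week: int
    value: int
    record_ids: Tuple[str, ...]


def build_sample_findings():
    """Constructed six weeks of findings: five new and five patched every week,
    plus a 25-finding surge in the Patch Tuesday week that is still open."""
    findings, n = [], 0
    hosts = ("web-01", "db-01", "app-01")
    for week in range(1, 7):
        new = 5 + (25 if week == PATCH_TUESDAY_WEEK else 0)
        for i in range(new):
            n += 1
            patched = week + 1 if i < 5 else None  # steady-state ones are fixed next week
            findings.append(Finding(f"F-{n:03d}", hosts[n % 3], week, patched))
    return findings


def open_at_end_of(findings, week):
    """Total open findings: the ambiguous proxy from SIN#4 (moves with discovery too)."""
    ids = sorted(f.id for f in findings
                 if f.discovered <= week and (f.patched is None or f.patched > week))
    return MetricValue("open_findings", week, len(ids), tuple(ids))


def patched_in(findings, week):
    """Findings remediated during the week: moves only when the team patches."""
    ids = sorted(f.id for f in findings if f.patched == week)
    return MetricValue("patched_findings", week, len(ids), tuple(ids))


def drill_down(metric, findings):
    """Data lineage: from a dashboard number back to the raw records behind it."""
    wanted = set(metric.record_ids)
    return [f for f in findings if f.id in wanted]


def breakdown_by_host(metric, findings):
    """The same metric sliced for an operations audience, still tied to the same records."""
    return Counter(f.host for f in drill_down(metric, findings))


if __name__ == "__main__":
    fs = build_sample_findings()
    for week in range(1, 7):
        print(week, "open:", open_at_end_of(fs, week).value,
              "patched:", patched_in(fs, week).value)
    print(breakdown_by_host(open_at_end_of(fs, PATCH_TUESDAY_WEEK), fs))
```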


“We’re confident that the data is complete.” But of course you are! It’s SIN#6… A tendency to ‘trust not verify’ data sources that are curated by someone (a database that has stripped out ‘irrelevant’ fields from an API, the CMDB that is considered a golden source of truth), can lead to dangerous assumptions. And we know what assumptions make out of you and me… The thing is that people often have very strong feelings about data they either own or curate. It’s personal to them, and they’ll often balk at suggestions that it may not be accurate. However, if we don’t triage assumptions about a data source’s accuracy and trustworthiness, we can end up fundamentally undermining our analysis. At best, this leads to arguments about accuracy from people affected by a metric, and subsequent re-analyzing that takes up valuable time. At worst, it leads to a collapse in confidence of all future analysis.


“I think this data would look lovely in a Pie Chart” AAAAARGHHHH! Avert your eyes! It’s SIN#7… You did all this great analysis and then presented it in a pie chart?! Pies are for eating, not for charting. With that outburst over, there is a serious point here. Everyone has a preference for how they like to receive information. Stacked bar charts, doughnut charts. The list of visualisations people ask for that make data scientists grit their teeth is lengthy. To communicate risk or security performance with clarity, we have to be willing to fight our corner about why a particular visualisation is poorly suited to delivering the information decision makers need, whether at operational or strategic level.


We also need to select visualisations and construct data journeys that give people the insight they need. But if we don’t help our stakeholders understand the visualisations they are looking at, if we don’t show them how they link to decisions, if we don’t give them the context for our analysis and how we’re presenting it, we’re expecting our audience to make leaps in understanding that we often take for granted after staring at the data for weeks.

The post 7 Sins of Security Metrics appeared first on IT SECURITY GURU.

Transavia keeps business flying with One Identity

One Identity, a proven leader in helping organisations get identity and access management (IAM) right, is helping Dutch low-cost airline, Transavia streamline business processes. Through its One Identity Active Roles deployment for a hybrid Active Directory environment, Transavia is able to save roughly 10 minutes per user on provisioning and de-provisioning tasks covering hundreds of extra staff during peak travel seasons.

Air travel companies experience extreme seasonal loads, taking on thousands of short-term staff as demand increases and then releasing them during the quieter months. For example, Transavia hires an extra 400 staff each summer who all require access to business applications – whether systems for on-board merchandise sales or navigation tools – and each employee needs to be added to the company’s IT systems so they can do their jobs.

The Transavia service delivery team estimated that it deals with 1,500-2,000 changes in user roles each year. The manual time cost of making these changes historically proved to be a significant drain on resources.

“We used to provision user roles manually, but this took far too long — 10–15 minutes per user,” said Anders Kok, service delivery manager at Transavia. “We wanted to automate the whole process, so we spoke to One Identity.

“Active Roles was a great fit for our business,” continued Kok. “We now have user groups in Active Directory for cabin crew, cockpit, and technical maintenance, and all the information feeds in automatically from our HR system. When a new person starts, their mailbox is there, the account is there, and basic rights are all there. They can get working straightaway.”

But, he said, the big win is in quality improvement. “A manual process has a high error rate of 20-30 percent, whereas in the automated One Identity solution this is reduced to a minimum.”

Transavia has also been able to get support from One Identity through its transition to the cloud, augmenting its on-premises Active Directory deployment with the cloud-based Azure Active Directory.

“One Identity Active Roles is the ideal identity and access management solution to address the user lifecycle management challenges of Active Directory and Azure Active Directory that Transavia had faced,” said Jackson Shaw, vice president of product management at One Identity. “Active Roles allows Transavia to overcome the shortfalls of native tools and manual processes by using automation for the creation, modification, and removal of user accounts across the hybrid AD environment. This level of consistency, security, and efficiency is something that most organisations lack when relying on native tools.”

One Identity continues to act as a trusted advisor to Transavia, assisting with its user lifecycle challenges.

“We rely on the excellent advice from One Identity Services…  One Identity knows our business and our idiosyncrasies, so we listen when it challenges our decisions,” concluded Kok.

The post Transavia keeps business flying with One Identity appeared first on IT SECURITY GURU.

Routers being hijacked to redirect users to malware

Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.
According to Kaspersky Labs telemetry data, these were small-scale attacks, as crooks only hijacked traffic from just 150 unique IP addresses, redirecting users to malicious sites around 6,000 times between February 9 and April 9, 2018.

View Full Story

ORIGINAL SOURCE: Bleeping Computer

The post Routers being hijacked to redirect users to malware appeared first on IT SECURITY GURU.

New Accenture study finds 87 per cent of focused cyberattacks are prevented

With ransomware and distributed denial of service (DDoS) attacks on the rise, the average number of focused cyberattacks per organisation has more than doubled this year compared to the previous 12 months (232 through January 2018 versus 106 through January 2017). In the face of these growing cyber threats, organisations are demonstrating far more success in detecting and blocking them, according to a new study from Accenture (NYSE: ACN).


Yet, despite making significant progress, only two out of five organisations are currently investing in breakthrough technologies like machine learning, artificial intelligence (AI) and automation, indicating there is even more ground to be gained by increasing investment in cyber resilient innovations and solutions.


The study was conducted from January to mid-March 2018 and investigated focused attacks defined as having the potential to both penetrate network defences and cause damage, or extract high-value assets and processes from within organisations. Despite the increased pressure of ransomware attacks, which more than doubled in frequency last year, the study found organisations are upping their game and now preventing 87 per cent of all focused attacks compared to 70 per cent in 2017. However, with 13 per cent of focused attacks penetrating defences, organisations are still facing an average of 30 successful security breaches per year which cause damage or result in the loss of high-value assets.


“Only one in eight focused cyberattacks are getting through versus one in three last year, indicating that organisations are doing a better job of preventing data from being hacked, stolen or leaked,” said Kelly Bissell, managing director of Accenture Security. “While the findings of this study demonstrate that organisations are performing better at mitigating the impact of cyberattacks, they still have more work to do. Building investment capacity for wise security investments must be a priority for those organisations who want to close the gap on successful attacks even further. For business leaders who continue to invest in and embrace new technologies, reaching a sustainable level of cyber resilience could become a reality for many organisations in the next two to three years. That’s an encouraging projection.”


Security Teams Find Breaches Faster

It’s also taking less time to detect a security breach: from months and years down to days and weeks. On average, 89 per cent of respondents said their internal security teams detected breaches within one month, compared to only 32 per cent of teams last year. This year, 55 per cent of organisations took one week or less to detect a breach, compared to 10 per cent last year.


Although companies are detecting breaches faster, security teams are still only finding 64 per cent of them, which is similar to last year, and they’re collaborating with others outside their organisations to find the remaining breaches. This underscores the importance of collaborative efforts among business and government sectors to stop cyberattacks. When asked how they learn about attacks that the security team has been unable to detect, respondents indicated that more than one-third (38 per cent) are found by white-hat hackers or through a peer or competitor (up from 15 per cent, comparatively, in 2017). Interestingly, only 15 per cent of undetected breaches are found through law enforcement, which is down from 32 per cent the previous year.


Addressing Cybersecurity from the Inside Out

On average, respondents said only two-thirds (67 per cent) of their organisation is actively protected by their cybersecurity program. And, while external incidents continue to pose a serious threat, the survey reveals that organisations should not forget about the enemy from within. Two of the top three cyberattacks with the highest frequency and greatest impact are internal attacks and accidentally published information.


When asked which capabilities were most needed to fill gaps in their cybersecurity solutions, the top two responses were cyber threat analytics and security monitoring (46 per cent each). Organisations realise the benefits derived from investing in emerging technologies. A large majority of respondents (83 per cent) agree that new technologies such as artificial intelligence, machine or deep learning, user behaviour analytics, and blockchain are essential to securing the future of organisations.


Five steps organisations can take to achieve cyber resilience include:

  1. Build a strong foundation. Identify high value assets and harden them. Ensure controls are deployed across the organisational value chain, not just the corporate function.
  2. Pressure test resilience like an attacker. Enhance red defence and blue defence teams with player-coaches that move between them and provide analysis on where improvements need to be made.
  3. Employ breakthrough technologies. Free up investment capacity to invest in technologies that can automate your defences. Utilise automated orchestration capabilities and advanced behavioural analytics.
  4. Be proactive and use threat hunting. Develop strategic and tactical threat intelligence tailored to your environment to identify potential risks. Monitor for anomalous activity at the most likely points of attack.
  5. Evolve the role of CISO. Develop the next generation CISO — steeped in the business and balancing security based on business risk tolerance.


For the 2018 State of Cyber Resilience study, Accenture surveyed 4,600 enterprise security practitioners representing companies with annual revenues of $1 billion or more in 15 countries. The purpose of the study is to understand the extent to which companies prioritise security, the effectiveness of current security efforts and the adequacy of existing investments. More than 98 per cent of respondents were sole or key decision-makers in cybersecurity strategy and spending for their organisation. For the purposes of this research, a cyber resilient business applies fluid security strategies to respond quickly to threats, to minimise damage and continue to operate under attack. It can therefore introduce innovative offerings and business models securely, strengthen customer trust, and grow with confidence.

The post New Accenture study finds 87 per cent of focused cyberattacks are prevented appeared first on IT SECURITY GURU.

Mining for Trouble: Cryptocurrency and Cyber Security

Cryptocurrency is not a new presence in the world of cyber security. For years cryptocurrencies have been the ransom of choice for hackers looking to make money from cyber attacks. However, over the last six months, we have seen a new strategy from hackers: crypto mining malware. This new motive for hackers has risen in prominence significantly with a 27% increase in use in the first quarter of 2018 and it is on the fast-track to becoming the number one cause of cyber attacks. So, it is incredibly important that enterprise IT security staff get an understanding of what crypto mining is, why it has increased in prominence and what they can do to stop it.

For those who don’t know what crypto mining entails, allow us to enlighten you. Cryptocurrencies are virtual money that exists online, kept in crypto wallets and transferred via blockchains. But unlike physical money, which has a governing body in charge of its distribution and printing, cryptocurrencies can be made by anyone. Making cryptocurrency is not easy, though. If the average person could generate it from his or her simple desktop computer at home, the market would be inflated and the value of the currency diminished. Making just one coin of cryptocurrency requires an absurd amount of computing resources and time, meaning mining is limited to big business and people heavily invested in the technology to do so.

How crypto mining relates to cyber security is then obvious. Even if someone has the technology to mine cryptocurrencies, the amount of computing power needed makes the entire process very time-consuming. Most people don’t have access to industrial computers, or to enough computers all running at once, to mine the currency. It is this issue that has made crypto mining malware so prominent: hackers have discovered that the solution to their problem is to secretly install mining software onto bystanders’ computers through malware and then let the infected computers do all the hard work.

The big difference between crypto mining and past cyber attacks around cryptocurrencies is that hackers are not stealing cryptocurrency or demanding it as a payment. As mentioned above, they are using software so that they can use the computers of their unsuspecting victims to do the mining while the hacker reaps the rewards. This method is a lot safer for hackers and can continue as long as they don’t get caught.

Crypto mining was made even easier last September when a bug in the Coinhive software, a crypto mining program, allowed it to be used to distribute malware. Since then, reports have found that the frequency of crypto mining attacks on corporations has increased by 500%. In February, three of the most wanted malware were crypto mining related, and a new report for the first quarter of 2018 shows that crypto mining is soon to overtake ransomware as the biggest cyber threat to enterprises.

The question for enterprises now is how to fight back. In the end, crypto mining malware is still malware, so the methods that all enterprises should already be using – antivirus, traffic monitoring and mitigation, training employees and so forth – will deal with malware designed to mine cryptocurrency. What enterprises need to be aware of is whether or not they are infected and, if so, how to deal with it.

Unlike ransomware, where the hacker makes his or her presence known, crypto mining malware aims to remain hidden and keep leeching your computer’s resources, so IT security experts will have to be more proactive and actively search for mining software hidden in their network. The main sign that a computer is infected is how slowly it runs, thanks to the mining software using up the CPU. If a computer isn’t performing properly, scan it, look for anomalies, and look for signs of malware. You may just find a little miner chipping away.

Crypto mining and cryptocurrencies, in general, are not going away any time soon so it is important that businesses adapt to the changing cyber security landscape rather than hoping the situation will solve itself or assuming nothing will change.

The post Mining for Trouble: Cryptocurrency and Cyber Security appeared first on IT SECURITY GURU.

85 Percent of Consumers Say Businesses Should Be Doing More to Actively Protect Their Data

A new survey shows that 78 percent of U.S. respondents say a company’s ability to keep their data private is “extremely important” and only 20 percent “completely trust” organizations they interact with to maintain the privacy of their data.

The poll underscores the public’s view of the obligation that organizations have to handle data responsibly and protect it from hackers.

The online survey of 10,000 consumers, conducted by the Harris Poll on behalf of IBM, found that:

  • 75 percent will not buy a product from a company – no matter how great the products are – if they don’t trust the company to protect their data;
  • 73 percent think businesses are focused on profits over addressing consumers’ security needs;
  • 73 percent indicated it is extremely important that companies quickly take proper actions to stop a data breach; and
  • 60 percent are more concerned about cybersecurity than a potential war.

“Increasingly, we are seeing companies around the world trying to balance providing personalized services to consumers, while maintaining privacy,” said John Kelly, IBM Senior Vice President, Cognitive Solutions. “Getting this right requires companies working closely with each other and, importantly, with governments, to ensure the right protections are in place.”

IBM has been a vocal supporter of strong data privacy and security practices for decades. Recent actions include:

  • In 2014, IBM published an open letter to customers regarding government access to data;
  • In 2015, IBM supported the U.S. Cybersecurity Information Sharing Act (CISA), which provides protections from liability for organizations that share information on cyberattacks;
  • In 2015, IBM shared its 800TB collection of information on security threats to help organizations collaborate faster and more effectively to battle cybercrime;
  • In October 2017, IBM issued Data Responsibility @IBM to publish details and obligations about how the company handles clients’ data; and
  • In 2017, IBM signed the EU Data Protection Code of Conduct for Cloud Service Providers, guaranteeing protection over and above the minimum legal requirement for protection of data in the cloud.

The post 85 Percent of Consumers Say Businesses Should Be Doing More to Actively Protect Their Data appeared first on IT SECURITY GURU.

Home secretary urges UK businesses to up their game against cyber crime

Cyber crime is a shared responsibility between businesses, industry experts and individuals, the UK home secretary, Amber Rudd, has declared. Speaking at the National Cyber Security Centre’s CyberUK 2018 conference in Manchester on Thursday, Rudd said the UK government is committed to promoting EU cyber cooperation post-Brexit in a new cyber incident classification.

View Full Story

ORIGINAL SOURCE: V3

The post Home secretary urges UK businesses to up their game against cyber crime appeared first on IT SECURITY GURU.

Suppressing the Adversary via Threat Hunt Teams

As the Chief Cybersecurity Officer for Carbon Black, I am witnessing a brave new world in cyberspace. Global cyber insurgencies continue unabated, with reports of wide-scale data breaches and politico-hacking happening quickly and often. Personal data and financial information are regularly being hijacked. The energy sector is increasingly vulnerable to risk, with the recent cyberattack on the Energy Services Group (ESG) knocking systems offline.

Here at Carbon Black we firmly believe that decreasing the dwell time of these insurgencies is imperative in 2018. In order to achieve this goal, organisations must embrace the threat hunt. The extradition of Russian elite cybercriminal Nikulin is a historic example of this. As a member of the Russian cyber-militia, he had been an influential member for close to a decade. He leveraged his expertise beyond monetary gain to pay homage to the regime as a politico-hacker.

It is crucial that every organisation sets up a threat hunt team. The team must be multidisciplinary, with experience in e-forensics and penetration testing. These teams must play chess while possessing deep knowledge of geopolitics (understanding the motivation for a cyberattack is paramount).

It is also paramount to assemble a team of operators who understand that the solution to identifying an active compromise on the network requires knowledge of not only technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also knowledge of current exploits, vulnerabilities, threat actor methodology and tactics, techniques and procedures (TTPs).

Firstly, your organisation must develop a threat profile. This will help a hunter know where to prioritise hunting (and ultimately where to start hunting). Secondly, you must apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and enable tools to do the target acquisition for the team, which acts as a force multiplier for your hunters. Analytics can also trace attack origin back to the root cause of attacks and so help predict future ones. As a result, teams can anticipate and focus on the organisation’s defensive weaknesses.

As your team gels, you can then develop rapid-response protocols. Deciding when to reveal oneself is critical as counter incident response measures and destructive attacks are becoming the norm. To uphold the security of your organisation through effective threat hunting, it is important the team undertakes the following steps:

  1. Assess threat intel from IPs, domains and hashes applied to historical data.
  2. Query similar threads that are not identical matches in historical data.
  3. Anomaly detection through continuous analysis of unfiltered data from the endpoint.

A threat hunt is most effective when employing both active measures (agents deployed to endpoints) as well as passive measures (netflow, packet capture appliances). User-entity behaviour analytics must be employed as it is critical to baseline “normal” network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.

A hunter must position themselves on the “high ground”, defined by greater situational awareness. Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data. From that vantage, one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.

Stage I: Go historical – take in tactical threat intel of domains, hashes and IPs and be able to search the last 30 days. Hash values may have low false positive rates, but they are easy for an attacker to change. Domains and IPs may have a ton of false positives.

Stage II: Move up the pyramid of pain – change the threat-intel language to move toward TTPs (action or behaviour). Time is a critical component.

Stage III: Moving to anomaly-based hunting – algorithmic threat hunting; this involves analysing changes in behaviour versus similarities to previously seen behaviour.

Threat hunt teams should evaluate users with higher levels of access to a network’s “crown jewels” and subsequently deploy deception grids around these users and hosts. It is important to remember, static defences without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy threat hunting.

The post Suppressing the Adversary via Threat Hunt Teams appeared first on IT SECURITY GURU.

Outdated security solutions are putting businesses at risk of evolved cyberthreats

The latest trends in cybercrime have seen it all — advanced exploits allegedly developed by high-profile threat actors used in massive ransomware attacks, creativity of spam and phishing attacks on trending topics, and attacks relying heavily on social engineering or legitimate software used as cyber weapons. This evolution of cyberthreats calls for evolution in cybersecurity. The new Kaspersky Endpoint Security for Business is another landmark in this journey: more next generation detection with dynamic machine learning, increased visibility and granular security controls including vulnerability management, credentials protection and integration with EDR.

Next generation technologies in a completely new design

To maintain the highest standards of protection, which have been proven by independent researchers and thousands of customers worldwide, Kaspersky Endpoint Security for Business continues to evolve its detection techniques. This year’s innovation is supported with enhanced dynamic machine learning, allowing the detection of malicious activity in real-time. Other next generation technologies in the product include: Behavioral Detection, HIPS, Exploit Prevention and Remediation Engine.

A variety of broader security controls is supplemented with new capabilities. These include an added mechanism that guards system-critical processes and prevents credential leakage through the use of mimikatz-like tools. Combined with other measures, this helps to protect businesses from current trending threats, like WannaMine, that hijack computers and use their resources to mine cryptocurrencies.

The Vulnerability and Patch Management component allows for automated vulnerability elimination, including detection and prioritisation, patch and update downloads, testing and distribution. This reduces the risk of vulnerabilities in popular software being used by cybercriminals. Due to its automation features, this component also relieves security teams of unnecessary manual routine related to systems management and makes the process transparent.

The completely redesigned user interface visualises layers of protection and security components, showing the status and effectiveness of various next generation technologies — which allows customers to make sure that each protection layer is enabled and working.

Granular security management and complete visibility

Every organisation’s IT is a unique mix of systems, networks and devices — and IT security needs to fit into existing infrastructure and protect every element of it. New Kaspersky Endpoint Security for Business adds a wide variety of security controls for servers that are managed from a single point — including extended protection from ransomware, external traffic protection and Default Deny mode for Microsoft Windows Server, Exploit Prevention and Firewall configuration. These capabilities, available for both workstations and servers, allow for unified security management on the customer’s side.

A new level of visibility is achieved through full native integration with Kaspersky Endpoint Detection and Response. Due to this innovation, Kaspersky Endpoint Security for Business in combination with Kaspersky EDR can be used as an endpoint EDR agent for collection of metadata and IoCs. This innovation benefits businesses’ abilities to conduct a thorough investigation and remediation, should a serious cybersecurity incident occur.

Mobility management improvements include enhanced visibility through monitoring of protection across devices, simplified deployment and management via third-party EMM-systems for Android devices.

Scalability and flexible deployment on the customer’s side

The new version takes another major step towards improving manageability and deployment for customers among larger businesses. The product now brings Enterprise-ready scalability allowing for the management of up to 100,000 endpoints through a single server installation.

Combined with optimised performance and reduced resource consumption in the new light Cloud mode, this makes the product suitable for a company of any size and security needs: from mid segment to large corporations.

Alex Tai, CEO and Team Principal, DS Virgin Racing, comments: ‘We’re excited to partner with Kaspersky Lab. We all know that motorsport comes with inherent risks both sporting and technical, as such it is crucial to have the utmost confidence in every aspect of security and safety. We’re glad to find a trusted partner that takes away our cybersecurity concerns through proven quality of its products and technologies.’

Russ Madley, UK Head of Channel at Kaspersky Lab, says: “The ever-changing threat landscape means every business faces unique risks and challenges, even with the most advanced anti-malware protection in place. As threats continue to grow in complexity, it’s important cybersecurity companies continue to ensure their customers are protected with the most up to date security software. Kaspersky Endpoint Security is the latest addition that will help organisations address the growing number of challenges they face. Businesses can be assured that they will be quickly notified of malicious activity in real-time if a threat is detected.”

The product is available globally under both traditional and subscription licensing. Kaspersky Lab’s partners can address all regional pricing inquiries. More information about Kaspersky Security for Business and particular applications inside each edition is available on the global website.

The post Outdated security solutions are putting businesses at risk of evolved cyberthreats appeared first on IT SECURITY GURU.

31% of Brits have smart security gadgets in the home

Households in the UK are increasingly turning to smart technology to protect their homes, according to new research. The survey of 2,001 British adults carried out by gadgets and technology e-tailer, LaptopsDirect.co.uk, found that more than a third of Brits (31%) are using some form of smart security gadget in their home.

Perhaps not surprisingly, cost was an important factor when it comes to the increasing uptake of security technology, as 38% of those surveyed said the price is now more accessible. Outdoor CCTV topped the list as the most popular security technology Brits have in the home, with over half of the votes (52%). This was followed by 35% who revealed they have a video doorbell to protect their loved ones in the home. 33% have a smart alarm to keep themselves safe from intruders outside of the house and 17% install door and window sensors to keep their home safe from burglars.

A smart door lock, a keyless system which tracks who is entering the home, rounded off the list of the top five security gadgets for the home (12%) that Brits own. Just under half (41%) said they are more concerned about their security in the home now than ever before.

Mark Kelly, marketing manager at LaptopsDirect.co.uk, said: “As product development continues at a rapid rate and with this, more accessible prices, Brits have more sophisticated forms of protecting their homes to choose from than ever. It’s also interesting to see how this technology once was only seen on TV and in films but is now taking place in our homes. These handy gadgets also make security more accessible for those living in smaller spaces such as apartments. To get the most out of your smart home technology make sure you select the products best to serve your household’s security needs.”

Those aged 25 – 34 years old are the age group who are most likely to have this kind of technology in their homes.

The post 31% of Brits have smart security gadgets in the home appeared first on IT SECURITY GURU.

Risk of compromised credentials an HR problem, say senior executives

A worrying number of senior executives in the UK believe the risk of compromised user credentials (mainly stolen or misused passwords) is an HR training problem, and not an IT issue, according to a study by Centrify, a leading provider of Zero Trust Security through the power of Next-Gen Access.

The study, commissioned through Dow Jones Customer Intelligence, shows that around one fifth (18 per cent) of respondents are happy to place responsibility for their security culture on their Human Resources (HR) department. However, nearly half (47 per cent) believe they have a strong enough security culture within their organisation to mitigate the risk of compromised credentials altogether. A further third claim that they have not experienced any problems relating to compromised credentials.

The study of 800 senior executives, including CEOs, Technical Officers (CIOs, CTOs and CISOs) and CFOs, in the UK and US, also indicates that many do not see compromised credentials as a significant risk, with 43 per cent perceiving default, stolen or weak passwords only as a minor threat or not a threat at all to an organisation’s success. Of these respondents, nearly half (45 per cent) say that a major breach due to compromised credentials would be needed for senior management to change its view on the subject. This is despite Verizon’s 2017 Data Breach Investigation Report indicating that 81 per cent of breaches now involve weak, default or stolen passwords.

Of the respondents that admit that they have suffered at least one significant cybersecurity breach in the last two years, a quarter (26 per cent) in the UK say that training and awareness would most likely have prevented the breach. However, with 23 per cent blaming a breach on senior management not treating cybersecurity as a top priority, the Centrify study suggests that attitudes and behaviour are unlikely to change very soon.

Barry Scott, CTO EMEA, Centrify, comments: “Research from companies like Verizon shows us that most data breaches are the result of compromised credentials, whether obtained through phishing, default or weak passwords, or some other nefarious method. As we become increasingly mobile, and systems and applications more cloud-based, we must rethink outdated traditional ‘castle and moat’ security models, and adopt a Zero Trust Security approach. First, we must verify the user is who they say they are, then validate their device, and give them access only to what they need in order to do their job. Finally, we must learn and adapt to what’s ‘normal’ for the user, and ask for additional authentication (or block access) when risky or abnormal behaviour is detected.

“This is not just an HR problem, nor indeed an IT problem; it’s a company-wide issue that needs to be supported from the top down.  It’s only when senior management start to address cybersecurity as a priority, that it will become integral to the business and to the workforce as a whole.”

The post Risk of compromised credentials an HR problem, say senior executives appeared first on IT SECURITY GURU.

SE Labs Test Shows CylancePROTECT Identifies and Blocks Threats Years Before Malware Appears in the Wild

Cylance Inc., the company that revolutionized the antivirus and endpoint protection industry with true AI powered prevention that blocks advanced cyberattacks, including fileless attacks, malware, advanced persistent threats, and zero-day attacks, today announced the results of SE Labs’ Predictive Malware Response Test of CylancePROTECT, its prevention-focused AI endpoint security product.

SE Labs determined the efficacy of artificial intelligence by identifying what they call Predictive Advantage (PA), the time difference between the creation of the AI model being tested and the first time a threat is identified. All past and present AI models of CylancePROTECT were tested against nine threats and five variants of each that were found in the wild after May, 2015. They were WannaCry, Cerber, Petya, NotPetya, Locky, Bad Rabbit, GhostAdmin, GoldenEye and Reyptson, all dating from February 2016 to November 2017. CylancePROTECT had an average predictive advantage of 25 months, and in some cases, it recognized and protected against threats that would not appear in the wild for another 33 months.

Traditional cybersecurity product tests measure the effectiveness of solutions against known, signature-based malware. However, the detection-based approach to cybersecurity has become ineffective in a rapidly evolving threat landscape. SE Labs’ methodology tests the ability of products to protect against unknown threats. For the test, the May 2015 model of CylancePROTECT was used in offline or “self-contained” mode, without the benefit of updates or cloud queries. This allowed SE Labs to isolate and identify the power of older generations of AI against new and upcoming threats. It demonstrated that CylancePROTECT prevented advanced threats without reliance on signature-based learnings, and with no false positives.

“SE Labs asked if a previous version of CylancePROTECT could work in a modern context, against future threats. It’s a unique approach that forces you to consider the role AI plays in protecting users,” said Chad Skipper, VP Competitive Intelligence & Product Testing at Cylance. “Traditional AV relies on recognizing malware signatures to improve its product, but these results clearly show that a preventative, AI-based approach to security is both necessary and a better approach. SE Labs is highly regarded for their quality of tests, and we look forward to working with them to keep AI and a prevention-based approach front and center.”

Test results demonstrate the CylancePROTECT May 2015 model was capable of preventing threats that did not exist at the time the AI model was trained, and provide insight into how far ahead in time it could be effective without new knowledge. In the previous three years, Cylance has developed advanced generations with new insights and learnings. Test results show that CylancePROTECT is able to predict future attacks, giving users an advantage against future adversaries and threats.

“The cybersecurity landscape is crowded, causing confusion in the market and uncertainty from decision-makers as to how to allocate their resources. That is partly why we are developing advanced testing methodologies — to shine a light on the most effective products on the market,” said Simon Edwards, director of UK-based SE Labs. “We as an industry need a better way to test products, and this test is a step in the right direction. CylancePROTECT’s performance in this test showcases the power of its AI against some of the most damaging threats we’ve seen in the past three years.”

Cylance will be at the RSA Conference in San Francisco next week, April 16-20. Visit the Cylance booth in North Hall, booth #3911. For more information about Cylance’s RSA presence, please visit: https://pages.cylance.com/rsa-2018.

Methodology

Product testing was conducted between January 28 and March 24, 2018. The test was conducted without internet or other access to back-end systems. SE Labs conducted the test using virtual machines. Threats and legitimate applications were independently located and verified by SE Labs. Malicious and legitimate data was provided to Cylance once the full test was completed. The test was sponsored by Cylance, and the artificial intelligence models used in the test were chosen and provided by Cylance.

The post SE Labs Test Shows CylancePROTECT Identifies and Blocks Threats Years Before Malware Appears in the Wild appeared first on IT SECURITY GURU.

World’s Leading CISOs and cyber security professionals meet in London for exclusive debates

The fourth annual IT Security Analyst & CISO Forum Debates will take place this year in London on the 2nd May at No 4 Hamilton Place from 2pm – 6pm. This unique event consists of four panel debate sessions made up of some of the UK’s top CISOs from HSBC, GSK, Canon, Publicis Groupe and other global IT Security Association Leaders.

The panels will provide attendees with insight from cyber security leaders on: crisis communication in the event of a data breach, military tips for enterprise security, what good security looks like and ways to tackle the cyber security skills gap.

The IT Analyst and CISO Forum Debates, in partnership with ISACA London Chapter, is a well-established and invaluable event that will give registered attendees insight on some of the hottest boardroom topics.

Professionals interested in the event can register here and be eligible for 3 CPE credits towards SSCP®/CISSP® and ISACA certifications.

Full timetable:

2:00pm – 2:45pm: What is “good security” anyway? CISOs’ top tips on what makes a company secure

In this panel, CISOs from all walks of industry will share their best practice and advice. From training, technology and techniques, these CISOs will have an open and frank discussion about what “good security” looks like in a modern enterprise.

Moderator: Sarb Sembhi, CTO, CISO & DPO, Virtually Informed

Panellists: Shan Lee, ‎Information Security Officer, TransferWise; Sandip Patel, Director, Information Security Consultancy, GSK; Quentyn Taylor, Director of Information Security, Canon Europe

2:50pm – 3:35pm: Crisis Communications in a post-GDPR world

With the EU’s General Data Protection Regulation (GDPR) on the horizon, what does the board need to make sure they are communicating to employees, customers and stakeholders should the worst happen and a data breach occurs? This discussion will offer best practice advice, what to steer clear of and when to notify when dealing with a data breach event.

Moderator: Lee Munson, security researcher, Comparitech.com

Panellists: Jonathan Armstrong, Partner, Cordery Compliance; Neil Stinchcombe, Director, Eskenzi PR; Sue Milton, Managing Director, SSM Governance Associates; Mark Deem, Partner, Cooley UK

3:35pm – 4:00pm: BREAK

4:00pm – 4:45pm: What can the Military teach us when it comes to protecting the Enterprise?

This panel will bring together Military professionals to discuss what lessons companies can learn from taking a leaf out of their playbooks.

Moderator: Peter Wood, CEO, First Base Technologies LLP

Panellists: Gerry O’Neill, Director, Inforisca; James Hadley, Founder/CEO, Immersive Labs; Jennifer Dean, Chair of Law at the British Computer Society; Natan Bandler, CEO, Cy-OT

4:50pm – 5:30pm: What are those in the know doing to close the skills gap?

The skills gap has been a major problem plaguing the security industry and will continue to do so for the foreseeable future. Now it’s time for action – hear how some of the industry’s best practitioners and professionals are taking a stand and combating the problem head-on.

Moderator: Stephen Khan, Head of Information, HSBC

Panellists: Quentyn Taylor, Director of Information Security, Canon Europe; Steve Williamson, Audit Account Director, Information Security and Data Privacy, GSK; Thomas Langford, Chief Information Security Officer, Publicis Groupe; Matt Parsons, head of Cyber Skills policy team in DCMS; Peter Wood, CEO, First Base Technologies LLP

“The CISO debates are time well spent. We tackle a broad range of security issues,” said Steve Williamson, Director, Risk & ITCP Mgmt, GlaxoSmithKline. “The debate is rich and stimulating as it is fed by many years of collective experience across different industries. I also value the opportunity to network with peers and analysts from different companies.”

Peter Wood, Director Emeritus, First Base Technologies added: “I’ve been privileged to attend and speak at the IT Security and CISO Forum debates for several years. Each event has delivered great speakers providing superb insight and innovative ideas, as well as the opportunity to meet with some of the industry’s leading professionals.”

Sue Milton, Managing Director, SSM Governance Associates, agreed: “The ‘one-stop/one-size fits all security solution shop’ is a long-way off but insights on what makes solutions more effective can be found at the CISO event, giving professionals direct access to expertise through discussion and debate.  Whether a panel or audience member, together we bring the ideal solution that bit closer.”

PLEASE NOTE: Places are limited to IT Security Professionals who are currently working for commercial or government organisations and provide a commercial email on registration. Delegates MUST provide a company email address on registration, otherwise we will refuse your booking.

Notes to editors: We would be delighted if you could join us on the day.  Please contact Beth Nikolova (elizabeth@eskenzipr.com / 0207 1832 836) to reserve your place.

The post World’s Leading CISOs and cyber security professionals meet in London for exclusive debates appeared first on IT SECURITY GURU.

Ex GCHQ Director formally joins the advisory board of Immersive Labs

Immersive Labs has today confirmed ex-GCHQ Director, Robert Hannigan, as chairman of its advisory board. This is a key appointment for Immersive Labs, given Robert’s excellent understanding of the cyber threat landscape both in the UK and globally. It is also a strong endorsement of Immersive Labs’ innovative gaming approach to cyber security training and talent retention to have someone of Robert’s calibre joining the organisation.

During his tenure as director of GCHQ, a number of key initiatives were introduced, including the formation of the National Cyber Security Centre (NCSC) which was part of Robert’s long-term cyber security strategy to improve the UK’s cyber defence – the first of its kind in the UK.

Today the NCSC continues to collaborate with the UK’s defence and intelligence agencies, as well as international partners, feeding into Robert’s vision to make the UK one of the safest places to live and do business online.

In recent years, Robert’s focus has included efforts to fill the cyber skills gap. He has always been a staunch advocate of the Immersive Labs practical learning environment, previously stating:

“Identifying, developing and measuring practical cyber security skills is the great challenge for all companies today. The Immersive Labs approach is the most exciting thing I’ve seen in this space: scalable, agile and appropriate to the way a new generation learns. It has the potential to disrupt and transform this crucial market.”

Welcoming Robert to Immersive Labs advisory board, its CEO James Hadley said, “It’s fantastic to welcome Robert onto the Immersive Labs team. He is a perfect fit to lead our advisory board, having already been instrumental in helping us grow our academies as well as our commercial proposition.”

Immersive Labs is exhibiting at the RSA conference in San Francisco next week, demonstrating its game changing enterprise skills platform. Visit www.immersivelabs.com to find out more.

The post Ex GCHQ Director formally joins the advisory board of Immersive Labs appeared first on IT SECURITY GURU.

Cloud adoption placed on hold

Enterprises are adopting the cloud much faster than their security teams can keep up – and misunderstanding about cloud environments is pervasive. The 2018 Enterprise Cloud Trends Report from iboss surveyed IT decision makers and office workers in US enterprises and found that 64% of IT decision makers believe the pace of software as a service (SaaS) application adoption is outpacing their cybersecurity capabilities.

View Full Story

ORIGINAL SOURCE: Infosecurity Magazine

The post Cloud adoption placed on hold appeared first on IT SECURITY GURU.

Are you ready to handle the Crisis Comms when you get breached?

You are just about to go to sleep when you get a text from your SOC team: code RED. They have discovered your company has suffered a serious breach and you need to decide what to do. At this point, you are either in the position of having prepared for such an event, in which case your team will follow checklists and playbooks: the team will inform the appropriate Execs of the situation and they will be ready to communicate the right information to the people who need to know, using a tried and tested Crisis Comms plan. OR you do not have a plan, let alone a tested one, and panic mode sets in….

I am not going to go into all the reasons why you need to be prepared to handle Crisis Communications during a cyber incident. The most important thing to know is that preparation will make the difference between your organisation’s reputation and brand being damaged far more than they need to be, or not. The other key issue is that how the breach notification process is handled could make a massive difference to mitigating any fine from regulators.

So what Crisis Communications plans and processes do you need to have in place to handle a breach? Firstly, a cross-functional crisis management team (including the board) needs to be established. From there, a monitoring strategy can be put in place to mandate who is responsible for determining when an incident has occurred and how serious it is, as well as developing a plan for the crisis – which may work best as a series of checklists or a playbook.

Some important things to consider at this point are how to prepare for different breach scenarios (i.e. is employee or customer data affected? IP theft? Ransomware? etc.). This will influence your strategy with the different audiences. Don’t forget to do practice runs with your internal and external comms teams and include media training where necessary.

Once you have done the ground work what goes into a comms plan?

  • Prepare crisis checklist to deal with potential scenarios
  • Create a timeline so everyone knows who will do what when
  • Team consults with legal and forensics team to determine what incident it is and establish who it affects
  • Can you keep it under wraps? (hint: this is not usually an option!!)
  • What are your regulatory responsibilities to disclose?
  • Which stakeholders are affected?
  • Who is responsible for communicating with each group and in what order?
  • If a regulator is involved, how can you minimise a fine by demonstrating appropriate action taken?
  • If customers are involved, what is the impact on them and how should they be informed?
  • If the press are involved, how will you manage the communications?

It is also important to note that social media activity can grow exponentially if it is not responded to quickly and appropriately, so it will need to be determined who is responsible for these interactions. Keep in mind that messages must be consistent, so you will need to brief managers and employees, especially customer-facing teams. In addition, it will be helpful to prepare:

  • An FAQ on incident scenarios
  • Media trained spokespeople
  • An external comms plan with statements on anticipated likely breach scenarios developed by team
  • An internal comms plan

Check and review these plans quarterly with the team to see if your organisation’s risk profile has changed.

Finally, breathe; keep calm and carry on and you will get through it. It is not a case of if, it is a case of when a breach will happen in your organisation. As breaches become more common, what counts is how you handle them, and that is what will set you apart as a leader in your organisation (and worthy of having that place at the boardroom table!)

If you would like to get some first-hand advice, I am organising a panel on Crisis Communications in a post-GDPR world at the IT Security Analyst and CISO Forum’s CISO Debates 2018 on Wednesday 2nd May 2018 in London.

With the EU’s General Data Protection Regulation (GDPR) on the horizon, what does the board need to make sure they are communicating to employees, customers and stakeholders should the worst happen and a data breach occurs? This discussion will offer best practice advice, what to steer clear of and when to notify when dealing with a data breach event.

Moderator: Lee Munson

Neil Stinchcombe, Eskenzi PR

Jonathan Armstrong, Partner, Cordery

Mark Deem, Partner, Cooley (UK) LLP

Sue Milton, Managing Director, SSM Governance Associates

Register for free here: https://www.eventbrite.ie/e/it-security-analyst-and-ciso-forums-ciso-debates-2018-tickets-43847984502?aff=es2

The post Are you ready to handle the Crisis Comms when you get breached? appeared first on IT SECURITY GURU.

Internet of Broken Things? 10 key facts about IoT

A recent survey shows 64 percent of organisations have deployed some level of IoT technology, and another 20 percent plan to do so within the next 12 months. This means that by the end of 2018, five out of six organisations will be using at least a minimal level of IoT technology within their businesses.

This is an astonishing fact when you consider the lack of basic security on these devices, or any established security standards.

The influx of connected devices onto a company’s network creates tens, or even hundreds, of new unsecured entry points for cybercriminals. Yet many companies turn a blind eye to this, swayed by the potential benefits that IoT can bring their business.

So here are some facts for consideration, before taking the leap into IoT, including a look at the short and medium term consequences of deploying a wave of unsecured devices to your network.

  1. IoT – a cybercriminal’s dream

Any device or sensor with an IP address on a corporate network is a potential entry point for hackers and other cybercriminals; an unsecured one is the equivalent of an organisation leaving its front door wide open for thieves.

Managing endpoints within an organisation is already a challenge; a 2017 survey showed 63 percent of IT service providers have seen a 50 percent increase in the number of endpoints they’re managing, compared to the previous year.

IoT will usher in a raft of new network-connected devices that threaten to overwhelm the IT department charged with securing them – a thankless task considering the lack of basic safeguards in place on the devices.

Of particular concern is that many IoT devices are not designed to be secured or updated after deployment. This means that vulnerabilities discovered post-deployment cannot be fixed in the device, and compromised devices cannot be cleaned. In an environment with hundreds or thousands of insecure or compromised devices, this raises huge operational and security challenges.

  2. IT or OT

IT professionals are more used to securing PCs, laptops and other devices, but they will now be expected to become experts in smart lighting, heating and air conditioning systems, not to mention security cameras and integrated facilities management systems.

A lack of experience in managing this Operational Technology (OT), as opposed to IT, should be a cause for concern. OT is seen as operational rather than strategic, and its deployment and management are often shifted well away from Board awareness and oversight.

And that’s barely touching the visible surface. Machine-to-machine (M2M) technology is already transforming and will continue to transform businesses.

Many AI applications depend on IoT – for example transportation and logistics are being changed by it. These developments can and will impact most organisations.

Nevertheless, the majority of organisations are deploying IoT technology with not only a lack of strategic direction, but with minimal regard to the risk profile or the tactical requirements needed to secure them against unforeseen consequences. These include not just security requirements, but also business continuity challenges.

  3. Increase in DDoS attacks

DDoS (Distributed Denial of Service) attacks are on the rise. In the UK alone, 41 percent of organisations say they have experienced a DDoS attack.

IoT devices are a perfect vehicle for criminals: easy to compromise and easy to turn against others. In 2016 the high-profile Mirai botnet used infected IoT devices to mount wide-scale DDoS attacks, and a Mirai variant disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany and infected almost 2,400 TalkTalk routers in the UK.

  4. …and ransomware attacks

Elsewhere, there has been an almost 2000 percent jump in ransomware detections since 2015. Ransomware became a public talking point in 2017 when WannaCry targeted more than 200,000 computers across 150 countries, with damages ranging from hundreds of millions to billions of dollars.

While most ransomware attacks currently infiltrate an organisation via email, IoT presents a new delivery system for both mass and targeted attacks. Consider the potentially life-threatening impact of ransomware on smart devices within critical applications – the ability of criminals to shut down critical business and logistics systems has already been repeatedly demonstrated. So perhaps it is unsurprising that a 2017 survey found that almost half of small businesses questioned would pay a ransom on IoT devices to reclaim their data.

  5. Increasing intensity and sophistication of attacks

The sophistication of attacks targeting organisations is accelerating at an unprecedented rate, with criminals leveraging the significantly expanded and expanding attack surface created by IoT for new disruptive opportunities.

According to Fortinet’s latest Quarterly Threat Landscape report, three of the top twenty attacks identified in Q4 2017 were IoT botnets. But it says unlike previous attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously, which is much harder to combat.

Exploit attempts against Wi-Fi cameras more than quadrupled compared with Q3 2017. The challenge is that none of these detections is associated with a known security threat, which Fortinet rightly describes as “one of the more troubling aspects of the myriad of vulnerable devices that make up the IoT.”

  6. The effects of an attack

The aftermath of a cyberattack can be devastating for any company, leading to huge financial losses, compounded by regulatory fines for data breaches, and plummeting market share or job losses. At best, a company could suffer irreparable reputational damage and loss of customer loyalty.

On top of that, attacked IoT devices have the potential to create organisational and infrastructure risks, and even to pose a threat to human life. We have already seen nation-state attack tools leak and be reused in commercial criminal activity. While the core focus is on defending critical infrastructure, which is still far behind the curve, weak business infrastructure is a much softer target.

  7. Profit over security

It’s crazy to think that devices with the potential to enable so much damage to homes, businesses and even entire cities often lack basic security design, implementation and testing. In the main this is because device manufacturers are pushing through their products to get them to market as quickly as possible, to cash in on the current buzz around IoT.

F-Secure, in its Pinning Down the IoT report, says other factors include the small, low-cost chips chosen to save money, and devices shipping with the manufacturer’s default password, typically four zeros or 1234, which are well known to criminals.

Lawrence Munro, vice president SpiderLabs at Trustwave agrees IoT manufacturers are sidestepping security fundamentals as they rush to bring products to market: “We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities, some of them a decade old, incorporated into final designs,” he notes.

“If consumers aren’t demanding security, manufacturers will never prioritise it,” says the F-Secure report. “But given the extraordinary dependency society is likely to develop on billions of IoT devices, governments may have to step in to demand security requirements.”

  8. Can you see the problem?

Another huge problem is that once a network is attacked, it’s much easier for subsequent attacks to occur.

Recent data shows just half of IT decision makers feel confident they have full visibility and control of all devices with network access. The same proportion believe they have full visibility of the access level of all third parties, who frequently have access to networks, and 54 percent say they have full visibility and control of all employees.

This is a worrying lack of confidence in network visibility and should be a concern for organisations. Yet the same figures show basic security measures like network segmentation are only being planned by 24 percent of businesses in 2018. Without network segmentation, malware entering a network will often be left to spread.

Elsewhere, less than half of organisations have formal patching policies and procedures in place, and only about a third patch their IoT devices within 24 hours after a fix becomes available.

But because updating IoT devices is by nature more challenging, many remain vulnerable even after patches are issued, so organisations need to properly document and test each IoT device on their network.
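The visibility, segmentation and patching gaps described above can be checked mechanically. The following is an added example, not code from the original article or from any vendor named on this page: it reconciles a constructed neighbour-table snapshot against a constructed asset inventory and segmentation policy, flagging devices that are not in the inventory at all, IoT devices that have landed on the corporate segment, and IoT devices running firmware older than the vendor’s current release. Device names, MAC addresses, subnets and version numbers are all assumptions made for the example.

```python
"""Added example: reconcile a network snapshot against an IoT asset inventory.

Flags three things: devices on the network that are not in the inventory
(no visibility), IoT devices sitting on the corporate segment instead of the
IoT segment (no segmentation), and IoT devices running firmware older than
the vendor's current release (unpatched). All device names, MACs, subnets
and versions below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str          # normalised lower-case, colon-separated
    name: str
    kind: str         # "iot" or "it"
    firmware: str     # version currently installed, e.g. "1.4.2"
    latest: str       # latest version the vendor has published


# Constructed inventory (hypothetical devices and versions).
INVENTORY = {
    a.mac: a for a in [
        Asset("aa:bb:cc:00:00:01", "lobby-cam-1", "iot", "1.4.2", "1.4.2"),
        Asset("aa:bb:cc:00:00:02", "hvac-ctrl-1", "iot", "2.0.1", "2.1.0"),
        Asset("aa:bb:cc:00:00:03", "smart-light-3", "iot", "0.9", "1.0"),
        Asset("aa:bb:cc:00:00:10", "fin-laptop-7", "it", "n/a", "n/a"),
    ]
}

# Segmentation policy: which subnet each class of device is allowed to live on.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "it": ipaddress.ip_network("10.10.0.0/24"),
}

# Constructed snapshot of a switch/router neighbour table ("ip mac" per line).
ARP_SNAPSHOT = """\
10.20.0.11 AA:BB:CC:00:00:01
10.10.0.44 aa:bb:cc:00:00:02
10.20.0.12 aa:bb:cc:00:00:03
10.10.0.80 aa:bb:cc:00:00:10
10.10.0.99 de:ad:be:ef:00:01
"""

_LINE = re.compile(r"^\s*(\S+)\s+([0-9a-fA-F:]{17})\s*$")


def parse_snapshot(text):
    """Yield (ip, mac) pairs with MACs normalised to lower case; skip junk lines."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(2).lower()


def version_tuple(v):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit(inventory, segments, snapshot_text):
    """Return findings keyed by category; each entry is a tuple describing one device."""
    findings = {"unknown": [], "misplaced": [], "unpatched": []}
    for ip, mac in parse_snapshot(snapshot_text):
        asset = inventory.get(mac)
        if asset is None:
            # Seen on the wire but nobody owns it: no visibility.
            findings["unknown"].append((str(ip), mac))
            continue
        if ip not in segments[asset.kind]:
            # Known device, wrong segment: segmentation is not being enforced.
            findings["misplaced"].append((asset.name, str(ip)))
        if asset.kind == "iot" and version_tuple(asset.firmware) < version_tuple(asset.latest):
            # Vendor has shipped a newer release than what is installed.
            findings["unpatched"].append((asset.name, asset.firmware, asset.latest))
    return findings


if __name__ == "__main__":
    for category, items in audit(INVENTORY, SEGMENTS, ARP_SNAPSHOT).items():
        print(category, items)
```

In practice the snapshot would come from the switches or the DHCP server and the inventory from a CMDB; the point of the reconciliation is that every row in the "unknown" and "misplaced" lists is something the 24 percent segmentation figure above says most organisations never look at.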

  9. Turning a blind eye

Both consumers and manufacturers seem to be burying their heads in the sand when it comes to IoT security.

Despite security concerns often being cited as the number one barrier to greater IoT adoption, Trustwave research shows 61 percent of firms that have deployed some level of IoT technology have had to deal with a security incident related to IoT, and 55 percent believe an attack will occur sometime during the next two years. Only 28 percent of organisations surveyed consider their IoT security strategy ‘very important’ when compared to other cybersecurity priorities.

More worrying is that more than a third believe that IoT security is only ‘somewhat’ or ‘not’ important!

Some more troublesome stats – fewer than half of organisations consistently assess the IoT security risk posed by third-party partners, another 34 percent do so only periodically, and 19 percent don’t perform third-party IoT risk assessment at all.

  10. Efforts to standardise

These security concerns can obviously paint the adoption of IoT in a negative light. But is there anything being done to mitigate these risks?

In the UK, the government’s five-year National Cyber Security Programme (NCSP) is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Design’ initiative.

The government published a review earlier this month that addresses key risks related to consumer IoT and proposes a draft Code of Practice for IoT manufacturers and developers.

Recommendations include: ensuring that IoT devices do not contain default passwords; defining and implementing vulnerability disclosure policy; ensuring software for devices is regularly updated; and a proposal for a voluntary labelling scheme.

While there seems to be some light at the end of the tunnel, it may not be enough. Regulators are unlikely to force device manufacturers to adopt the necessary security practices before thousands of businesses fall victim to attacks. Turning a blind eye to IoT security risks could leave your organisation paralysed.

The post Internet of Broken Things? 10 key facts about IoT appeared first on IT SECURITY GURU.

Facebook’s data scandal – the impact

When news broke that Facebook had mishandled users’ data, the company’s stock plummeted as both the social networking site and its founder, Mark Zuckerberg, lost billions. A whistle-blower revealed that millions of Facebook users had their data exploited by the political consultancy Cambridge Analytica, which is accused of improperly using the data on behalf of political clients. It was reported that Facebook knew the data was being harvested in 2015 but did not alert users at the time. Mark Zuckerberg acknowledged that a “huge mistake” had been made, but the damage had already been done. Whatever trust users had in Facebook regarding their data security will have been shot to pieces. What could this negligence be down to?

Egil Bergenlind, CEO and founder of DPOrganizer believes there is a severe lack of consideration from top-tier technology companies when it comes to the handling of data. He said, “this boils down to a lack of transparency from the social media giant about what data is being held on its users, how it is being obtained, what it is being used for and with whom it is being shared and Facebook is not alone in this. The problem is that this leads to a lack of accountability and often results in the incorrect assumption that any data collected belongs to the company, rather than its individual users.”

What organisations need to start realising is the importance of reputation and how a scandal like this can have a detrimental impact. When an organisation is lambasted in the headlines for suffering a data breach, the costs in damages can be in the millions. Yet the harm sustained to the reputation of an enterprise is something that cannot be quantified. The Equifax data breach in 2017 is a prime example of this.

The Facebook/Cambridge Analytica scandal will also trigger an immediate reaction on how organisations use Facebook. A belief shared by Chris Ross, SVP International at Barracuda, who claims that, “while the longer-term effect on Facebook’s reputation remains to be seen, we expect to see organisations making decisions about whether the platform poses a security risk and how to minimise the threat on those occasions where an alternative option just doesn’t exist.”

Humans have become more vigilant regarding their data privacy and organisations need to understand this notion and begin to take data security seriously, especially with data protection laws coming into force like the European General Data Protection Regulation. Richard Holmes, cyber services lead at CGI UK touched on this fact, stating “GDPR demands that organisations have a legal basis for processing personal information. Individuals will increasingly demand to know how their data is used and where it is shared.  Terms and conditions of collecting and processing personal information will need to be much clearer to meet this demand.”

Facebook has well and truly brought data security and privacy into the international spotlight and will no doubt bring about a much-needed change in the way organisations collect, store and use sensitive data. In Europe, GDPR is a step in the right direction, but time will tell if stricter laws need to be passed to see a dramatic change.

The post Facebook’s data scandal – the impact appeared first on IT SECURITY GURU.

Dark Net being used by terrorists to plot and hide

Terrorist organisations and individuals are evading security services and intelligence agencies by “hiding in the shadows” of the darknet, using encrypted messaging services to communicate and anonymous cryptocurrencies such as bitcoin to generate funds.

View Full Story

ORIGINAL SOURCE: The Guardian

The post Dark Net being used by terrorists to plot and hide appeared first on IT SECURITY GURU.

Hacker group exploit Cisco Flaw and target Iran and Russia

The message “Don’t mess with our elections” followed by a U.S. flag appeared on Iranian and Russian screens after a hacker group exploited the Cisco Smart Install client on vulnerable devices. The hackers claim to have targeted only the computer infrastructure in Iran and Russia during the attack on Friday night.

View Full Story

ORIGINAL SOURCE: CSO Online

The post Hacker group exploit Cisco Flaw and target Iran and Russia appeared first on IT SECURITY GURU.

Russia not to blame for cyber attack on Arizona elections in 2016

A hack on an Arizona election database during the 2016 U.S. presidential campaign was carried out by suspected criminal actors and not the Russian government, a senior Trump administration official told Reuters on Sunday.

View Full Story

ORIGINAL SOURCE: Reuters

The post Russia not to blame for cyber attack on Arizona elections in 2016 appeared first on IT SECURITY GURU.

Malwarebytes Unveils Endpoint Protection and Response to Simplify Endpoint Monitoring, Detection and Remediation

Malwarebytes™, the leading advanced malware prevention and remediation solution, today announced the release of Malwarebytes Endpoint Protection and Response.

 

When it comes to Endpoint Detection and Response (EDR), most businesses fall into one of three categories: they either don’t have EDR and have limited visibility into endpoint activity across their infrastructure; they have an EDR solution that provides visibility, but staff lack the time to gain the expertise necessary to leverage EDR data; or they have EDR and the expertise but the solution they are using simply provides alerts without resolution. Each of these circumstances often results in missed threats or extended dwell time.

 

“Many businesses don’t have the resources to bring on dedicated, highly-specialised EDR technology and talent, leaving them with a tool that simply adds to a long queue of alerts, without fixing the underlying problems,” said Marcin Kleczynski, CEO, Malwarebytes. “Endpoint Protection and Response provides proven endpoint protection with integrated detection and response capabilities via a single agent, so organisations of all sizes can easily protect their endpoints from targeted attacks, thoroughly remediate systems and rollback ransomware.” 

 

According to ESG’s annual IT spending intentions research, IT and cybersecurity professionals have identified cybersecurity as the number one “problematic shortage” area across all of IT – for six years running. When complicated with a lack of trained EDR experts, very few companies have the resources and capabilities to accurately monitor, protect and respond to today’s threats. Malwarebytes Endpoint Protection and Response cuts through complexity, simplifies endpoint monitoring and detection, and makes remediation easy.

 

Malwarebytes Endpoint Protection and Response Features: 

 

Key features of Malwarebytes Endpoint Protection and Response protect across every stage of an attack including:

  • Cloud-based single management console and a unified agent.
  • Continuous visibility into endpoints – Endpoint Protection and Response’s flight recorder provides continuous monitoring and visibility into Windows desktops to obtain powerful insight. Businesses can easily track file system activity, network activity, process activity and registry activity. Flight recorder events are stored both locally and in the cloud, adding another sphere of safety.
  • Multi-layered protection – Malwarebytes Endpoint Protection and Response’s multi-vector protection (MVP) uses a seven-layered approach, which includes both static and dynamic detection techniques. This technique gives protection against all known and unknown threat types, from traditional viruses to tomorrow’s advanced threats.
  • Rapid identification and three modes of endpoint isolation – When an endpoint is compromised, Malwarebytes stops the bleeding by isolating the endpoint. Endpoint Protection and Response is the first product to offer three ways to isolate an endpoint. Network isolation restricts which processes can communicate. Process isolation controls which processes are allowed to keep functioning. Desktop isolation alerts the end user and halts further interaction to limit damage. With these three controls, malware is rendered incommunicado and remote attackers are locked out.
  • Complete remediation and ransomware rollback – Malwarebytes’ proprietary linking engine provides complete and thorough remediation to rapidly return an endpoint to a truly healthy state and minimise impact to the end-user, post-compromise. Rollback technology winds back the clock up to 48 hours, negating the impact of ransomware with just-in-time backups prior to infection.

Customer Benefits:

 

Unlike other vendor solutions, Malwarebytes Endpoint Protection and Response provides:

  • Multi-layered protection incorporating signature-based and signature-less technologies
  • A proprietary Linking Engine Technology achieving complete and thorough remediation
  • Ease of deployment and management with remediation from a single console
  • Elimination of EDR complexity with three modes of endpoint isolation, automated remediation, and Ransomware Rollback up to 48 hours

Malwarebytes Endpoint Protection and Response allows organisations to proactively hunt for malware across all of their endpoints without the need for a dedicated resource. This increases the efficacy of protection and provides a lower total cost of ownership. The single console delivers significantly greater security visibility and direct drill-downs to explore and instantly manage all security events. All this is accomplished with reduced hardware cost and a reduced server footprint.

The post Malwarebytes Unveils Endpoint Protection and Response to Simplify Endpoint Monitoring, Detection and Remediation appeared first on IT SECURITY GURU.

Research Findings Show Industry Leaders Struggle to Balance Digital Innovation and Security

Akamai Technologies, Inc. (NASDAQ: AKAM), the world’s largest and most trusted cloud delivery platform, today released data noting how companies are struggling with the tug-of-war between advancing digital innovation and ensuring secure digital experiences that maintain user trust and mitigate risk. As part of a commissioned study of more than 350 global information technology leaders conducted by Forrester Consulting on behalf of Akamai, the results also show that the companies defined as being the most digitally mature — best balancing innovation and security– grow faster than their competitors.

As the world’s largest and most trusted cloud delivery platform, Akamai has delivered approximately 95 exabytes of data a year across billions of devices. Top financial institutions, online retailers, media and entertainment providers, and government organisations have leveraged the power of Akamai’s cloud platform to deliver exceptional digital experiences to customers. As a result, Akamai has seen firsthand the critical intersection of user experience and digital security, and how it ultimately impacts customer behavior.

“With the help of this research by Forrester, Akamai has created a way to evaluate how digitally mature a company is, based both on the effectiveness of its digital experience and the strength of its security posture,” said Ari Weil, vice president of product marketing, Akamai. “It is imperative for these innovators to strike a delicate balance between seamless digital experience and comprehensive security. We think our research shows how companies are achieving, or struggling to reach, that balance, and Akamai is ready to help usher any organisation along a path to digital maturity.”

Those interested in getting a jumpstart on their own digital maturity initiative can take Akamai’s self-assessment to determine how well a company balances digital experience delivery with digital security, and then consult its infographic on best practices for delivering digital experiences.

Digital innovation sits at the helm of today’s complex enterprise environment. The Forrester study indicates that delivery of digital experiences is critical to competitive edge, customer satisfaction and even more importantly — achieving customer trust. For any given enterprise organisation, meeting unique customer needs is a challenge — addressing disparate regions, network connectivity and device usage has complicated the ability to deliver secure, personalised digital experiences. The study examines how digital businesses across the globe and various industries align overall user experience and security with strategic priorities.

Findings from the survey research include:

  • Digital struggles are a reality: A high number of executives reported difficulty in achieving the proper balance between security and digital experiences. Most respondents feel as though their firm is strongest in security and trust, but weakest in digital experience maturity.
  • Trust is at an all-time low: More than one third of surveyed executives feel they only have a moderate level of trust from their customers, due in large part to suspicion around a company’s data use practices.
  • Lack of trust attributed to lack of security, equates to lack of revenue: Customers are more comfortable sharing data with companies they actually trust; when firms fail to deliver on security, their brand reputation, customer trust and even revenue are negatively impacted. In fact, the study notes that even suspicion of a company’s data use practices can lead to a 25 percent reduction in revenues.

To learn more about Forrester’s analysis into how industry leaders balance digital experience with customer trust, download the full study here.

The post Research Findings Show Industry Leaders Struggle to Balance Digital Innovation and Security appeared first on IT SECURITY GURU.

Study Reveals 40 Percent of Large Businesses Will Implement Intelligent Assistants or Chatbots by 2019

Spiceworks today announced the results of a new survey examining the adoption and usage of intelligent assistants and AI chatbots in the workplace. The results show that within the next 12 months, 40 percent of large businesses – those with more than 500 employees – expect to implement one or more intelligent assistant or AI chatbot on company-owned devices, compared to 25 percent of mid-size companies and 27 percent of small businesses. The findings indicate that although adoption is on the rise, some organisations are holding back due to a lack of use cases in the workplace and privacy concerns.

Across all company sizes, Microsoft Cortana is the most commonly used intelligent assistant in the workplace, likely due to its native integration into Windows 10. Among organisations that have implemented intelligent assistants or chatbots on company-owned devices and services, the results show 49 percent are currently using Microsoft Cortana for work-related tasks, followed closely by Apple Siri at 47 percent. Additionally, 23 percent of organizations are using Google Assistant and 13 percent are using Amazon Alexa. Looking specifically at AI chatbots, the results show 14 percent of organizations are using AI chatbots integrated in collaboration tools (e.g., Microsoft Teams, Slack), while only 2 percent of organizations have custom-built AI chatbots. However, an additional 10 percent plan to build one in the next 12 months.

One in four organizations use AI chatbots and assistants to support team collaboration

Among companies using AI chatbots and intelligent assistants, 46 percent are using them for voice to text dictation, 26 percent are using them to support team collaboration, and 24 percent are using them for employee calendar management. Additionally, 14 percent are using AI chatbots and assistants for customer service and 13 percent are using them for IT help desk management.

In terms of which departments are supported by AI chatbots and assistants, the results show 53 percent of organizations use them within their IT department, 23 percent use them to support their administrative department, and 20 percent use them to support the customer service department. Sixteen percent of organizations are also using AI chatbots and assistants in their sales and marketing departments.

Among organizations that are not using AI chatbots or intelligent assistants, the results show 50 percent have not implemented them due to a lack of use cases in the workplace, while 29 percent note security and privacy concerns and 25 percent are holding back due to the cost.

IT professionals believe AI will help automate mundane tasks rather than replace jobs

Although 40 percent of IT professionals believe AI can replace entry-level jobs that don’t require human creativity, they feel relatively secure when it comes to their own jobs. Only 17 percent of IT professionals believe AI will put IT jobs at risk. In fact, 76 percent believe AI will help automate mundane tasks and enable more time to focus on strategic IT initiatives. On average, IT professionals believe 19 percent of their current daily tasks can be automated via AI and intelligent automation.

However, despite the rising adoption of AI, only 20 percent of IT professionals believe their organization has the proper skills, talent, and resources to implement and support AI technology. The study also revealed only 5 percent of IT professionals believe their organization values AI skillsets and experience when making hiring decisions.

“While AI has the potential to drastically alter life as we know it, the technology is still in its infancy,” said Peter Tsai, senior technology analyst at Spiceworks. “As a result, many companies aren’t thinking about the tools and expertise they’ll need to support artificial intelligence. However, AI is rapidly advancing and becoming a more integral part of our software, devices, and lives. As a result, companies should start putting policies and procedures in place so they can take full advantage of and manage this technology in the future.”

The post Study Reveals 40 Percent of Large Businesses Will Implement Intelligent Assistants or Chatbots by 2019 appeared first on IT SECURITY GURU.

Global Trends Report Reveals All-Time High of 20,000 Vulnerabilities Last Year

Flexera, the company that’s reimagining how software is bought, sold, managed and secured, today released Vulnerability Review 2018 – Global Trends, the annual report from Secunia Research at Flexera. The report provides data on vulnerabilities to help companies understand the vulnerability landscape and devise strategies to secure their organizations. Vulnerabilities are a root cause of security issues – errors in software that can work as an entry point for hackers, and be exploited to gain access to IT systems.

A Surge in Vulnerabilities

This year’s report reveals a continuing surge in vulnerability growth. In 2017 documented vulnerabilities increased 14 percent to 19,954, up from 17,147 in 2016. This means that companies are being exposed to an escalating number of security risks, underscoring the need to maintain continuous visibility of their software assets and the vulnerabilities affecting them. Companies also need to ensure critical vulnerabilities are prioritized and addressed before exploitation risk increases.

“There’s no question based on this year’s results, the risks remain high,” said Kasper Lindgaard, Director of Research and Security at Flexera. “As the potential for breaches expands, the pressure is on executives to increase vigilance through better operational processes – instead of reacting to risks that hit media headlines and cause disruption. The Equifax breach and WannaCry attacks taught us that.”

Avoiding Attack is Possible: 86 Percent of Patches Available on Disclosure Day

The Flexera report offers hope for companies seeking to minimize their risk of incidents. Patches were available for 86 percent of the vulnerabilities on the day of disclosure. In addition, zero-days – instances in which a vulnerability is exploited before public disclosure – remain rare. Only 14 of the 19,954 known vulnerabilities in 2017 were zero-days, a 40 percent drop from 2016.

“Organizations need to take advantage of this knowledge to remediate most vulnerabilities before risk of exploitation increases,” advised Lindgaard. “But the process cannot be ad hoc. Without a consistently applied patching methodology, organizations will slip, leaving vulnerabilities unpatched for long periods. This gives criminals a large window of opportunity to execute their attacks. We advise a formal, automated software vulnerability management process that leverages intelligence to identify risks, prioritize their importance and resolve threats.”

Key Findings from the 2018 Vulnerability Review

  1. In 2017, Secunia Research at Flexera detected 19,954 vulnerabilities discovered in 1,865 applications from 259 vendors. This represents an increase of 38 percent over five years, and 14 percent when compared to the previous year.
  2. 86 percent of vulnerabilities had a patch available within 24 hours of disclosure, compared to 81 percent in the previous year.
  3. The number of zero-days – vulnerabilities exploited prior to public disclosure – dropped to 14, compared to 23 in the previous year.
  4. 17 percent of vulnerabilities in 2017 were ranked Highly Critical, and 0.3 percent as Extremely Critical.
  5. The primary attack vector to trigger an attack was via a remote network at 55 percent.

The post Global Trends Report Reveals All-Time High of 20,000 Vulnerabilities Last Year appeared first on IT SECURITY GURU.

60% of Critical Infrastructure Operators Say Cyber Security Controls Lacking

Indegy, the leader in industrial cyber security, today announced that nearly 60 percent of executives at critical infrastructure operators polled in a recent survey said they lack appropriate controls to protect their environments from security threats. As expected, nearly half of all respondents indicated their organizations plan to increase spending for industrial control system (ICS) security measures in the next 12-24 months.

“We have been tracking the escalation in cyber threat activity specifically targeting critical infrastructures for some time,” says Barak Perelman, CEO of Indegy. “As the recent joint DHS/FBI CERT Technical Alert illustrates, adversaries have compromised facilities across the US to conduct reconnaissance and likely develop “Red Button” capability for future attacks.”

Lack of Visibility and Control Cited

While organizations have made significant investments to secure their IT infrastructures, they have not fully addressed threats to operational technology (OT) environments. The recent Indegy poll of nearly 100 executives from various critical infrastructure organizations underscores the lack of preparedness in key sectors including energy, utilities and manufacturing. Among the key findings:

  • 35% of respondents said they have little visibility into the current state of security within their environment, while 23% reported they have no visibility
  • 63% claimed that insider threats and misconfigurations are the biggest security risks they currently face
  • 57% said they are not confident that their organization, and other infrastructure companies, are in control of OT security
  • Meanwhile, 44% of respondents indicated an increase in ICS spending was planned in the next 12 to 24 months, with 29% reporting they were not sure

To find out more about critical infrastructure and industrial security threats and countermeasures visit: https://www.indegy.com/resources/

The post 60% of Critical Infrastructure Operators Say Cyber Security Controls Lacking appeared first on IT SECURITY GURU.

Cyber Threat Intelligence is Maturing but 62 per cent of Respondents Say Lack of Skilled CTI Professionals is Major Roadblock to Implementation

SANS, the largest and most trusted provider of cyber security training and certification to professionals worldwide, has released the results of its annual SANS 2018 Cyber Threat Intelligence Survey. The study sheds light on the evolution of Cyber Threat Intelligence (CTI) in cyber security and shows that CTI is maturing as a discipline.

In one of the clearest trends SANS has seen in the last three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities. In 2018, 81 percent of respondents state their cyber threat intelligence implementations have resulted in improvements, compared to 78 percent in 2017 and 64 percent in 2016. In addition, the number of respondents who answered “unknown” (in other words, they didn’t feel they could answer the question confidently) has more than halved since 2016, jumping from 34 percent in 2016 to 21 percent in 2017, and now to only 15 percent in 2018.

What’s more, 68 percent of respondents say they have implemented CTI this year, and another 22 percent plan to introduce it in the future. Only 11 percent of companies have no plans to do so, falling from the previous year (15 percent). This indicates that CTI is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response strategies.

“As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats,” says the survey’s author, Dave Shackleford, SANS Analyst and Senior Instructor. 

CTI skill set in demand

However, finding skilled staff to operate CTI consoles is getting more difficult, according to this year’s report, despite the trends showing that CTI can play an important role in an organisation’s security strategy. In this year’s survey, 62 percent of respondents cite a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10 percentage points over 2017 (53 percent). This indicates that the more CTI is used and consumed, the more this skill set is in demand. It may therefore be much more difficult to find staff members who are experienced in setting up and operating CTI programs. Similarly, 39 percent cite a lack of technical ability to integrate CTI tools into the organizational environment. 

Better visibility and improved security operations

As a result of their CTI program efforts, respondents report better visibility and improved security operations. For example, 71 percent indicate overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70 percent of participants report improved security operations, while 66 percent cite improved ability to detect previously unknown threats.

Responses to the 2018 survey reveal a growing emphasis on CTI being used for security operations tasks: detecting threats (79 percent), incident response (71 percent), blocking threats (70 percent) and threat hunting (a little further down the list at 62 percent). The survey responses indicate that threat intelligence is key in augmenting and improving firewall rules, network access control lists and reputation lists. Known sites and indicators associated with ransomware are then being shared through threat intelligence, allowing operations teams to quickly search for existing compromise and proactively block access from internal clients.

“Fortunately, many organizations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence. All of this has resulted in improvements in organizations’ abilities to improve security operations and detect previously unknown attacks,” Shackleford continues.

He summarises the results this way: “These results reinforce the trends we’re seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response.”

The full report can be found at: https://www.sans.org/reading-room/whitepapers/threats/cti-security-operations-2018-cyber-threat-intelligence-survey-38285

The post Cyber Threat Intelligence is Maturing but 62 per cent of Respondents Say Lack of Skilled CTI Professionals is Major Roadblock to Implementation appeared first on IT SECURITY GURU.

Cylance® Strengthens Executive Team with New Chief Information Officer, Chief Marketing Officer and Chief Product Officer

Cylance Inc., the company that revolutionized the antivirus and endpoint protection industry with true AI-powered prevention that blocks advanced cyberattacks, including fileless attacks, malware, advanced persistent threats, and zero-day attacks, today announced the appointment of Grant Johnson as Chief Marketing Officer (CMO) and Kumud Kalia as Chief Information Officer (CIO). The company also promoted Eric Cornelius to Chief Product Officer (CPO). Johnson and Kalia bring decades of leadership experience at global enterprise technology organizations. Cornelius has over a decade of experience as a trusted security practitioner and product builder.

“Cylance’s long-term vision to protect every person and device is only possible if we continue to bolster a best-in-class leadership team,” said Stuart McClure, Chairman and CEO at Cylance. “Grant and Kumud bring a stellar track record of executive leadership and the expertise required to propel our mission and build on our proven strategy. Not only are the new executives critical to our success, we are also recognizing Eric’s exemplary product and innovation leadership. Today, our executive team is stronger than ever as we establish Cylance as the global leader in endpoint protection.”

As CMO, Johnson will lead Cylance’s global marketing strategy and execution, reporting to Daniel Doimo, President and COO. Previously, Johnson was CMO at Kofax, a robotic process automation company. Johnson led Kofax’s marketing efforts during its growth from a private company through its IPO on Nasdaq and a rollup and integration of a $700 million software portfolio. During his extensive career, Johnson also held senior marketing roles at Pegasystems, Guidance Software, FileNet Corporation, FrontBridge and Symantec and developed substantial expertise in global market expansion, product line extension and customer acquisition to help drive rapid revenue growth.

“Cylance’s commitment to protecting every endpoint from the most advanced threats is redefining cybersecurity across every vertical,” Johnson said. “As Cylance emerges as the global leader in endpoint protection, I am excited to help drive the next phase of Cylance’s growth.”

As CIO, Kalia will be responsible for the strategy, implementation and management of the infrastructure and applications that support Cylance’s business processes and rapid growth. Kalia will report to Stuart McClure, Chairman and CEO. With over 30 years of experience scaling IT systems for high-growth companies, Kalia joins Cylance from Akamai Technologies, where he led IT and business transformation to enable the company’s growth. Previously, Kalia has held CIO and operations roles within global energy, telecom and finance organizations.

“Artificial intelligence-powered prevention represents the future of security,” Kalia said. “I am thrilled to join the Cylance team, helping our customers solve their most critical security challenges. I look forward to helping the team scale the business, and to delivering an agile user experience to customers, employees and partners.”

In his role as Chief Product Officer, Cornelius will drive product and innovation, and will continue to lead Cylance’s product management and corporate development teams. As a veteran security practitioner and product builder, Cornelius joined Cylance in 2012 as head of critical infrastructure and incident response under the services team and was later promoted to VP of Innovation. He was formerly Deputy Director and Chief Technical Analyst for the Control Systems Security Program at the United States Department of Homeland Security.

“We have surpassed incredible milestones throughout my five years at Cylance,” Cornelius said. “From executing on our aggressive innovation agenda to expanding globally, the company is poised to accelerate our vision and take on new strategic opportunities.”

The post Cylance® Strengthens Executive Team with New Chief Information Officer, Chief Marketing Officer and Chief Product Officer appeared first on IT SECURITY GURU.

CISO Chat – David Smith, CISO for Nuix

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which also involves consulting with boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.

Continuing the CISO Chat after the Easter break is David Smith, CISO for Nuix who feels the skills gap is not only a question of organisational ownership, but individual application. The security industry is spreading in multiple directions of expertise, and recognition of that allows for focussed learning.

As a CISO, what is your objective?

My primary objective as a CISO is to design, implement, and maintain an effective information security plan.  I begin by considering the three primary information security objectives:  confidentiality, integrity, and availability.  With those three objectives in mind, I next consider the risk picture:  what are the threats and vulnerabilities my company faces?  Once I have considered the main objectives and the risk landscape, I follow a ‘Defence in Depth’ strategy to build a comprehensive information security plan.

What is the goal of information security within your organisation?

Of course as the CISO I want to protect our information and information systems at all levels, regardless of sensitivity.  I want Nuix to be more than just compliant with a given governance framework;  I want Nuix to be a model of information security for other organisations.

What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?

In general an organisation has more ability to reduce vulnerabilities compared with threats. But threats and vulnerabilities are both important parts of your risk equation.  An organisation can reduce its overall risk by reducing threats, vulnerabilities, or both.  Threats can be difficult to avoid – there will always be hackers, disgruntled employees, and natural disasters.

What do you see being the biggest threats for 2018?

External attacks? Insider Threats?

I have been in the CISO field for 18 years, and very often I see people focusing on “what’s new” with threats without realizing that some of the traditional threats are still with us, and are the most dangerous.  So, for 2018, I would begin with a few of the classic threats:  poorly trained and informed employees; missing or inappropriate log files and other forms of forensic readiness; and inadequate contingency planning.

As for newer threats for 2018, I do think we are seeing an enormous surge of problems related to 3rd party cloud storage.  It seems like every day a security researcher finds a significant amount of sensitive information sitting in a poorly secured AWS bucket.

How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?

The best way to improve the cyber skills gap is for each organisation to take responsibility for their employees, students, or other users.  I think many organisations assume that users have a baseline knowledge of information security, which is rarely the case.  Moreover, many information security best practices need constant reinforcement, especially those in the areas of social engineering and operational security.  An organisation should provide as much training and as much reinforcement as possible.

For those getting started in cyber security, one recommendation I would give is for individuals to recognize that ours is a field that is not only growing quickly, but also rapidly spreading in multiple directions (e.g. critical infrastructure and industrial controls; information governance frameworks; new and expanding areas of forensics, and of course newer technologies).  I would begin by learning as much as you can within multiple fields, but start thinking about specific areas where you want to be a subject matter expert.

Today, IoT and AI have become a real big focus for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?

This is not a new problem – most of the original, core Internet protocols had or have no security built in, because the designers never thought that people would use them in unintended ways to cause harm.  That problem is still with us, though the issue is magnified due to the rapid proliferation of IoT in toys, home automation devices, vehicles, medical equipment, and more.  This is mostly due to the fact that product designers and engineers don’t think about security as they develop these products.  Until security is an integral part of the product life cycle this problem will never go away.

With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?

At Nuix we have a very solid and comprehensive GDPR preparedness plan. My main concern with GDPR is the lack of consistency we will undoubtedly see from one organisation to another.  I have seen this with the NIST Risk Management Framework/800-53 model, and that has significantly more guidance on how an organisation is supposed to go from Step A to Step B and so forth.

What’s your worst security nightmare? What would be your plan to prevent and mitigate it?

I don’t really have a worst security nightmare;  I look at all security incidents, threats, and vulnerabilities as sort of a combined monster that we have to deal with.  The best plan is to have an organized security plan rooted in a Defence in Depth approach.

How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding for the work you and your team do?

I am fortunate that at Nuix our executive leaders are very security conscious and are very supportive of our information security plan.

Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?

As a security issue, it depends on what kind of workplace we are talking about.  Honestly, I think some organisations that forbid social media do so for productivity reasons more than anything.  Since we are talking about social media in general, my primary security concern is operational security; are employees posting information that could cause some kind of harm to themselves or the organisation?

What would be your no.1 piece of cyber security advice as we begin 2018?

Information security training and awareness, at your own personal level and at the organisational level, is always the single best information security investment one can make.

The post CISO Chat – David Smith, CISO for Nuix appeared first on IT SECURITY GURU.

No Room for Cyber-Complacency: a Quarter of DDoS Attacks Claim Unintended Victims

Over a quarter of businesses that have been hit by a Distributed Denial of Service (DDoS) attack don’t think they were the intended target, highlighting that businesses can’t afford to be complacent when it comes to today’s threat landscape. According to research from Kaspersky Lab, 27 per cent of respondents said being an innocent bystander was the most likely reason for DDoS attacks on their organisation, suggesting that all businesses are in the firing line, even when they are not on the hit list.

The continued threat of DDoS attacks and the value that they bring to those that deploy them – from halting company operations, through to accessing confidential information or demanding a ransom – means that all businesses are potential targets. Despite this, organisations are still showing signs of cyber-complacency, with 28 per cent not using specialised anti-DDoS protection because they believe they are unlikely to be targeted by DDoS attacks.

However, this complacency is misplaced. Of the companies that experienced a security incident within the last 12 months, 44 per cent blamed a DDoS attack as being a contributing factor to that incident – up from a quarter (25 per cent) in 2016. This shows the impact of these types of attacks in today’s workplace and the need for organisations to proactively defend themselves against them.

It’s not just unintended attacks that firms must be ready to ward off at a moment’s notice. Nearly a quarter (23 per cent) of businesses believe a competitor was behind a DDoS attack on their organisation – most likely for espionage or disruption purposes; 24 per cent believed it was used as a distraction tactic to hide another attack from IT staff, and 24 per cent believe that a DDoS attack was designed to specifically disrupt their operations.

“Businesses can’t afford to display an ‘it won’t happen to me mentality’ towards DDoS attacks, but a worryingly large proportion of organisations are still doing so – despite today’s heightened threat landscape,” commented David Emm, Principal Security Researcher at Kaspersky Lab. “Given the number of attacks that companies have faced over the last year, businesses must take responsibility for their cybersecurity – no organisation is safe from DDoS attacks. There is no room for complacency when it comes to keeping operations running smoothly and critical data protected.”

With the financial consequences of DDoS attacks ranging from fighting against the attack itself, to a loss of revenue or business opportunities, it’s certainly better to be safe than sorry. That’s where Kaspersky DDoS Protection comes into play, providing a fully-integrated solution with advanced intelligence capabilities to protect businesses of all sizes from the most complex and high-volume DDoS attacks. More information can be found here.

The post No Room for Cyber-Complacency: a Quarter of DDoS Attacks Claim Unintended Victims appeared first on IT SECURITY GURU.

How to protect ATMs against logical attacks

One of the fastest-growing threats facing banking technology is the risk posed by malware – in particular, malware that can be remotely implemented via logical attacks. A recent study by Europol and Trend Micro found that the size and frequency of logical attacks on ATMs has been increasing in recent years, with criminals becoming more sophisticated and able to take advantage of poorly protected networks and the vulnerabilities found in ATM technology.

Fortunately, there are steps that financial institutions and independent ATM operators can take to better protect their networks so they are well defended against cybercriminals. This process starts with operators taking a layered approach to network security; by conducting security preparations in this way, operators can avoid leaving any cracks in the ATM’s armour.

As any security expert knows, creating a holistically secure environment can be complicated, and if any element is forgotten it could bring an organisation’s security infrastructure tumbling down. Owen Wild, Security Marketing Director at NCR, discusses the 15 rules all operators should abide by to help protect ATMs against logical attacks:

Rule 1: Secure the BIOS

The Basic Input-Output System (BIOS) is a set of programs consisting of code and configuration settings that enables an ATM’s central processing unit (CPU) to communicate with peripheral devices. The settings are used to control the BIOS program’s operation and also the hardware parameters that are exposed to the operating system of the ATM.

Securing the BIOS is fundamental to the security of the ATM. To do this, administration of the BIOS must adhere to the following principles:

  • During normal operations, operators should configure the BIOS to boot from the primary hard disk only
  • BIOS updates must be reviewed and tested prior to deployment
  • Editing of BIOS settings must be password protected

Rule 2: Establish a password policy for all passwords – no matter the level of access

Every ATM deployment needs to come with a secure user account and password policy. For most ATM operators, the secure user account policy will be managed by a central account management system, such as Microsoft Active Directory. The password protection policy, however, is more process-driven.

The minimum password policy standards that need to be adopted include:

  • All default passwords must be changed
  • All user accounts and passwords for every ATM machine must be different, so the successful hacking of one does not lead to the hacking of another
  • Passwords should be changed at least every 90 days
  • Passwords should be at least 14 characters long, incorporating at least one number, both upper and lower case characters, and non-alphanumeric characters
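The following added example, which is not NCR’s code or any ATM vendor’s tooling, audits a constructed list of ATM service accounts against the minimum standards above: default passwords, credential reuse across machines, the 90-day rotation and the 14-character complexity rule. The record format, the placeholder default password and the sample estate are assumptions made here.

```python
"""Added example: audit ATM service accounts against the Rule 2 minimum policy.

Everything here is constructed for illustration: the record format, the
placeholder default password and the sample estate are not from the article
or from any vendor.  A real audit would compare password hashes, not plaintext.
"""
import re
from datetime import date

MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90
# Constructed placeholder standing in for a vendor's documented defaults.
KNOWN_DEFAULT_PASSWORDS = {"CHANGEME-default-pw"}


def password_complexity_issues(password: str) -> list:
    """Return the Rule 2 complexity requirements this password fails."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append("shorter than 14 characters")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[A-Z]", password):
        issues.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        issues.append("no lower-case letter")
    if not re.search(r"[^0-9A-Za-z]", password):
        issues.append("no non-alphanumeric character")
    return issues


def audit_estate(records: list, today: date) -> dict:
    """Map each non-compliant ATM id to its list of findings.

    Each record is a dict with atm_id, account, password and last_changed (date).
    """
    findings = {}
    first_atm_with_password = {}
    first_atm_with_account = {}
    for rec in records:
        issues = password_complexity_issues(rec["password"])
        if rec["password"] in KNOWN_DEFAULT_PASSWORDS:
            issues.append("vendor default password still in use")
        age_days = (today - rec["last_changed"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"not changed for {age_days} days")
        # Credentials must differ between ATMs so one compromise does not open the next.
        if rec["password"] in first_atm_with_password:
            issues.append(f"same password as {first_atm_with_password[rec['password']]}")
        else:
            first_atm_with_password[rec["password"]] = rec["atm_id"]
        if rec["account"] in first_atm_with_account:
            issues.append(f"account name reused from {first_atm_with_account[rec['account']]}")
        else:
            first_atm_with_account[rec["account"]] = rec["atm_id"]
        if issues:
            findings[rec["atm_id"]] = issues
    return findings


# Constructed sample estate as it might look on an audit day of 2018-04-20.
SAMPLE_ESTATE = [
    {"atm_id": "ATM-001", "account": "svc_atm_001",
     "password": "Tr0ub4dor&3-north", "last_changed": date(2018, 3, 21)},
    {"atm_id": "ATM-002", "account": "svc_atm_002",
     "password": "Tr0ub4dor&3-north", "last_changed": date(2018, 4, 10)},
    {"atm_id": "ATM-003", "account": "svc_atm_003",
     "password": "sunshine2018", "last_changed": date(2017, 12, 21)},
    {"atm_id": "ATM-004", "account": "svc_atm_001",
     "password": "CHANGEME-default-pw", "last_changed": date(2018, 4, 20)},
]


def audit_sample() -> dict:
    """Run the audit over the constructed estate with a fixed audit date."""
    return audit_estate(SAMPLE_ESTATE, date(2018, 4, 20))


if __name__ == "__main__":
    for atm_id, issues in audit_sample().items():
        print(atm_id, "->", "; ".join(issues))
```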

Rule 3: Implement communications encryption across all networks

The transmission of sensitive cardholder data must be encrypted across all networks, so that cyber-criminals, even if able to view data in transmission, cannot read it. Furthermore, PCI DSS Requirement 4.1 actually dictates the use of strong cryptography and security protocols to safeguard sensitive cardholder data transmission, so this rule is also a legal imperative.

Rule 4: Install a firewall and configure it correctly

The ATM firewall must be configured to only allow known, authorised incoming and outgoing connections that are necessary for the ATM environment, and the connections must be configured per programme as opposed to per port. Different firewalls have different configurations, so it’s important that no assumptions are made with regard to the deployment and that the unique configuration settings for the product purchased are examined carefully to ensure successful implementation.

Rule 5: Adopt a principle of “if you don’t use it, disable it”

It is recommended that any unused services and applications are removed from the system to reduce the attack surface area open to criminals.

For example, if the applications do not require output caching, the relevant module should be disabled. Thereafter, if future security vulnerabilities are found in this module, the application remains protected. This is just one example – the full spectrum of services and applications within the ATM environment must be examined to identify redundant areas.

Rule 6: Deploy an effective anti-malware mechanism

By deploying appropriate anti-malware software, operators can maintain the integrity of the ATM software stack and help to prevent malicious software compromising the inner workings of the ATM. An active white-listing solution will provide protection against both known and unknown malware threats, and can include memory protection, protection against zero-day attacks and threat alerting.

Rule 7: Establish a regular patching process for all installed software

Just like any computing device, it is important that all the software running on an ATM is kept up to date with the latest security patches. By ensuring all software is up to date, attackers will not be able to take advantage of known vulnerabilities within it. If this isn’t the case, operators could be leaving their ATMs open to infection by malicious software that could steal customer information or cause the ATM to freely dispense the money inside it – straight into the hands of the criminals.

Rule 8: Harden the Windows Operating System (OS) to make it more secure

The Windows OS must be hardened to restrict the privileges and behaviour of the ATM so only the functions necessary for its operation in a self-service environment take place. This consists of setting up a locked down OS environment on a standalone ATM based on:

  • Disabling Windows AutoPlay
  • Implementing a locked-down user account
  • Disabling the keyboard so that keypresses are not interpreted within the locked-down account
  • Applying file, folder and registry permissions to restrict access to the minimum required for the ATM to function
  • Applying computer and user policies to restrict functionality to the minimum required for the ATM to work correctly and securely

If an alternative OS is being used, operators should speak with the manufacturer for guidance on the best way to harden that OS.

Rule 9: Implement role-based access control to minimise the human-based attack surface area

The more people within an organisation who can access cardholder data environments, the greater the risk that a consumer’s account details will be compromised. Therefore, access must be restricted to those who have a legitimate business reason for needing access to this data.

For all users accessing the ATM environment, access permissions should be based on the role they have. For example, branch staff who only need to replace the receipt paper do not need access to the cardholder data, so their user privilege should reflect that. Access restriction should also cover those who access the ATM computer remotely.

Finally, operators may wish to consider multi-factor authentication for those ATMs equipped for this. Multi-factor authentication combines something a user knows, like a password; something the user owns, like a token device or smart card; and something unique to that individual, like a fingerprint or retinal scan.

Rule 10: Deploy a full hard disk encryption solution

Deploying full hard disk encryption affords protection against:

  • Malware attacks when the ATM hard disk is offline
  • Attackers reverse engineering software on the ATM hard disk
  • Attackers harvesting data from the ATM hard disk
  • The hard disk being seen by attackers when the ATM is booted from removable media
  • The hard disk being removed from the ATM and mounted as a secondary drive
  • The core being removed from the ATM

Rule 11: Ensure communications between the ATM core and the cash dispenser are protected

By encrypting the communications between the ATM core and the cash dispenser, operators can better protect against black-box attacks. In this kind of attack, criminals physically cut into the ATM, disconnect the cash dispenser from the core and reconnect it to an external electronic device, the black box, which then tells the machine to dispense its cash reserves.

If the communications are encrypted, attempted commands from hackers to the cash dispenser will be recognised as invalid and therefore be ineffective.
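As an added illustration, not NCR’s protocol or code, the following models why an authenticated link between core and dispenser makes injected commands invalid: the dispenser checks an HMAC-SHA256 tag and a monotonic counter (assumed here as a stand-in for the vendor’s encrypted channel the rule describes) and rejects replayed, altered or unsigned commands. The shared key, message layout and command strings are all constructed for the example.

```python
"""Added illustration: authenticated commands between ATM core and dispenser.

Assumptions (not from the article): a shared 256-bit key provisioned into
both the core and the dispenser, HMAC-SHA256 tags, and a monotonic counter
to reject replays.  A real deployment would use the vendor's own
authenticated/encrypted dispenser protocol rather than this sketch.
"""
import hashlib
import hmac
import struct

COUNTER_LEN = 8   # big-endian unsigned 64-bit message counter
TAG_LEN = 32      # HMAC-SHA256 output size


def build_command(key: bytes, counter: int, payload: bytes) -> bytes:
    """Core side: counter || payload || HMAC(key, counter || payload)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Dispenser:
    """Dispenser side: accepts only fresh, correctly authenticated commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def handle(self, message: bytes) -> str:
        if len(message) < COUNTER_LEN + TAG_LEN + 1:
            return "rejected: malformed"
        header = message[:COUNTER_LEN]
        payload = message[COUNTER_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time compare; a device without the key cannot produce a valid tag.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authentication tag"
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            return "rejected: replayed command"
        self.last_counter = counter
        return "accepted: " + payload.decode("ascii")


def demo_exchange() -> list:
    """Constructed scenario: one genuine command, then three invalid attempts."""
    key = bytes(range(32))  # constructed placeholder key, NOT for real use
    dispenser = Dispenser(key)
    genuine = build_command(key, 1, b"DISPENSE cassette=1 notes=10")
    outcomes = [dispenser.handle(genuine)]
    # 1. The same bytes captured on the cable and sent again (replay).
    outcomes.append(dispenser.handle(genuine))
    # 2. Genuine message with the note count altered in transit; tag no longer matches.
    tampered = genuine.replace(b"notes=10", b"notes=99")
    outcomes.append(dispenser.handle(tampered))
    # 3. A command assembled by a device that does not hold the key (zero tag).
    unsigned = struct.pack(">Q", 2) + b"DISPENSE cassette=1 notes=99" + bytes(TAG_LEN)
    outcomes.append(dispenser.handle(unsigned))
    return outcomes


if __name__ == "__main__":
    for line in demo_exchange():
        print(line)
```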

Rule 12: Perform a security test of your ATM annually

The best practice method is to liaise with an external organisation to conduct annual penetration tests. The test needs to be made up of various simulated attacks and attempt to find misconfigurations, weaknesses and vulnerabilities in the ATM system that could be exploited by an attacker. It should also consider vulnerabilities in the physical casing of the ATM that could allow criminals to access the ATM core to upload malware. The test will enable the operator to identify any areas that need to be addressed from a security perspective.

Rule 13: Deploy a software distribution tool that will assist in maintaining the confidentiality, integrity and availability of ATMs

A software distribution capability that has best practice security controls, authorisation and authentication built in to make it secure, is an essential layer that will assist in maintaining the confidentiality, integrity and availability of ATMs.

If ATM malware is found or suspected, software distribution will expedite the clean-up and update the malware signature files across the ATM estate. This will help put the ATMs into a more secure state, helping to prevent attacks from occurring and help limit damage to those that may be compromised.

Rule 14: Consider the physical environment of the ATM deployment

Even if an ATM operator has the best technological protection, the physical environment in which the ATM is deployed can influence the risk of attack. For example, if located in an unattended environment, it is more appropriate to install a through-the-wall ATM, as this will have greater physical security than a standalone unit.

Rule 15: Consult an enterprise security specialist to assess and deploy industry best-practice security controls within your enterprise

By working with a third-party security specialist, ATM operators can ensure they are identifying and better protecting themselves against both human and technological security risks. For example, a specialist may recommend security awareness training for all employees to minimise the risk of phishing attacks. Similarly, they may put in place a robust patching process to ensure that ATM software is kept up to date with the latest security and operational patches. Even the most prepared organisation can benefit from an independent look at its security policies.

The post How to protect ATMs against logical attacks appeared first on IT SECURITY GURU.

City of Atlanta running out of time to pay ransom for data

Time is running out for the city of Atlanta, which was given until Wednesday to pay off the cyberattackers who laid siege to city government data and are threatening to wipe the computers clean.

View Full Story 

ORIGINAL SOURCE: NPR

The post City of Atlanta running out of time to pay ransom for data appeared first on IT SECURITY GURU.

European Cyber Security Bloggers Awards Opens for Nominations

The European Cyber Security Bloggers Awards have returned in 2018 to recognise the best blogs and podcasts in the industry, as voted by peers. Nominations are now open until midnight on the 30th of April. The winners will be revealed at the security bloggers' meet-up on Tuesday, 5th of June, to coincide with Infosecurity Europe held at Kensington Olympia.

This year will see the third European Cyber Security Blogger Awards, hosted by Brian Honan from BH Consulting and Eskenzi PR. Bloggers and podcasters can vote for their favourite blogs, which must be focused on information security issues and may come from anywhere in the world as well as Europe. The awards will take place alongside the Infosecurity Europe event to be held in London from June 5th to June 7th.

“Cyber security issues touch everyone’s life in some form or another; whether it’s in the workplace or personal use of the many devices and applications we use in our day to day lives,” said Brian Honan, founder of BH Consulting. “The European Cyber Security Bloggers Awards are designed to recognise the very best blogs and podcasts that help keep us up to date with the latest security advice and vulnerabilities – which is no easy feat in today’s security landscape.”

The categories under which security related blogs, podcasts etc. can be nominated are listed below:

– Best Corporate Security Blog

– The Best European Corporate Security Blog

– Best European Security Podcast

– Best Security Podcast

– Best Security Video Blog

– Best Personal Security Blog

– Best European Personal Security Blog

– Most Entertaining Blog

– Most Educational Blog

– Best New Security Blog (Must be live after 01/06/2015)

– Best EU Security Tweeter

– Grand Prix Prize for the Best Overall Security Blog

To vote, please visit: https://www.surveymonkey.com/r/eubloggerawards2018

Nominations close midnight GMT 30th April 2018. The nominated blogs will then be put forward to be voted on by the public and the panel of judges.

The winners of the awards will be announced at the security bloggers meetup on Tuesday the 5th of June at The Crown & Sceptre, 34 Holland Road, London W14, starting at 18:00. Bloggers and podcasters can register here to attend: https://www.eventbrite.ie/myevent?eid=43660782576

“Eskenzi PR is delighted to be able to host the European Cyber Security Bloggers Awards as we know how much time and dedication goes into writing a truly insightful and balanced blog,” said Yvonne Eskenzi, Founder of Eskenzi PR. “As these awards are judged by the general public alongside a team of independent judges, it’ll be both intriguing and interesting to find out who everyone agrees is the vocal player out there, making a difference to the cyber-security industry! Time will tell!”

The judges who will be sifting through all the nominees for the awards include:

Javvad Malik from AlienVault; Jack Daniel from Tenable; Brian Honan from BH Consulting; Yvonne Eskenzi from Eskenzi PR; Quentyn Taylor from Canon Europe and Dan Raywood from Infosecurity Magazine.

The post European Cyber Security Bloggers Awards Opens for Nominations appeared first on IT SECURITY GURU.

Quarter of DDoS victims are targeted accidentally

According to the latest report by Kaspersky Lab, a quarter of businesses that suffered a distributed denial of service attack believe they were an accidental victim, and that the DDoS attack wasn’t intended for them in the first place.

View Full Source 

ORIGINAL SOURCE: IT Pro Portal

The post Quarter of DDoS victims are targeted accidentally appeared first on IT SECURITY GURU.

Macro-less Word Document Attacks on the Rise and Zero Day Malware Variants Jump 167 Percent

Total malware attacks are up by 33 percent and cyber criminals are increasingly leveraging Microsoft Office documents to trick victims and deliver malicious payloads, according to the latest Internet Security Report from WatchGuard Technologies, based on global threat intelligence data from nearly 40,000 Firebox appliances. WatchGuard has also launched a new Threat Landscape data visualisation tool, giving public access to daily updates about the most prevalent computer and network security threats affecting SMBs and distributed enterprises.

Dynamic Data Exchange (DDE) attacks topped WatchGuard’s top-ten malware list as hackers increasingly exploited issues within the Microsoft Office standard to execute code. Also called ‘macro-less malware’, these malicious documents often use PowerShell and obfuscated script to get past network defences. Additionally, two of the top-ten network attacks involved Microsoft Office exploits, further emphasising the growing trend of malicious document attacks.

Overall, malware attacks grew significantly, while zero day malware variants jumped 167 percent. WatchGuard Fireboxes blocked over 30 million malware variants in Q4 2017, which was a 33 percent increase over the previous quarter. Out of the total threats prevented, the subset of new or zero day malware instances rose steeply by 167 percent, compared to the previous quarter. These increases can likely be attributed to heightened criminal activity during the holiday season.

“After a full year of collecting and analysing Firebox Feed data, we can clearly see that cyber criminals are continuing to leverage sophisticated, evasive attacks and resourceful malware delivery schemes to steal valuable data,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies. “Although these criminal tactics may vary over time, we can be certain that this broad trend will persist, so the risks have never been greater for small and midsize organisations with less IT and security resources. We encourage businesses of all sizes to proactively mitigate these threats with layered security services, advanced malware protection and employee education and training in security best practices.”

The report also shows that nearly half of all malware detected eluded basic antivirus (AV) solutions. WatchGuard Fireboxes block malware using both legacy signature-based detection techniques and a modern, proactive behavioural detection solution – APT Blocker – which provides advanced malware protection by catching malware variants missed by legacy AV signatures. This zero day malware accounted for 46 percent of all malware in Q4. This level of growth suggests criminals are using more sophisticated evasion techniques capable of slipping attacks past traditional AV services, which further underscores the importance of behaviour-based defences.

Script-based attacks caught by signatures for JavaScript and Visual Basic Script threats, such as downloaders and droppers, accounted for 48 percent of top malware detected in Q4. Users should take note of the continued popularity of these attacks and watch out for malicious script in web pages and email attachments of any kind.

The full Internet Security Report features evaluations of the quarter’s most pervasive malware and network attacks, recommendations for useful defensive strategies in today’s threat landscape, and a detailed breakdown of “the Krack Attack” – one of the top information security issues in 2017.

Additionally, the report includes a new research project from the WatchGuard Threat Lab, which analyses a database of more than 1 billion stolen password records to stress just how often users choose weak passwords and re-use credentials across multiple accounts. This quarter’s conclusions are based on anonymised Firebox Feed data from nearly 40,000 active WatchGuard Fireboxes worldwide, which blocked more than 30 million malware variants (783 per device) and 6.9 million network attacks (178 per device) in Q4 2017.

The post Macro-less Word Document Attacks on the Rise and Zero Day Malware Variants Jump 167 Percent appeared first on IT SECURITY GURU.

Consumer Groups Calls on Mark Zuckerberg to Step Down As Facebook CEO and Board Chair Amid Data Breach, Privacy Scandals

SumOfUs, an international consumer watchdog with more than 14 million members around the world, is demanding that Facebook CEO Mark Zuckerberg step down amid several now-public controversies regarding the company’s use of user data, and its collection and distribution.

Last week, Facebook stated that it had suspended Strategic Communication Laboratories (SCL), and its political data analytics firm, Cambridge Analytica, for violating the company’s policies on data collection and retention. Both SCL and Cambridge Analytica ran data operations for Donald Trump’s 2016 presidential election campaign, and are widely credited with helping Trump more effectively target voters on Facebook, though the exact nature of their role is unknown. Over the weekend, Facebook admitted that it had been collecting call and text history from some users for years.

In reaction to the news, and in light of other issues concerning privacy, censorship and data collection at Facebook, Lisa Lindsley, Capital Markets Advisor for SumOfUs, issued the following statement, calling on Facebook’s Mark Zuckerberg to step down as CEO and Board Chair.

“Facebook CEO Mark Zuckerberg should step down. For too long, Mark Zuckerberg has kept users in the dark about how it censors speech, allowed companies like SCL and Cambridge Analytica to take advantage of users on its platform, and collected private user call and text data. This is unacceptable.

“Last year, we worked with Facebook shareholders to urge that the company create an independent board chair, warning that the current structure, where Zuckerberg serves as his own boss, was a recipe for disaster.

“Multiple scandals later, it’s clear that enough is enough. Zuckerberg has proven himself unable or unwilling to protect Facebook’s user data or privacy, which is why we firmly believe that shareholders should take action to remove him as CEO and Board Chair.

“It’s time for new leadership at Facebook—one that protects users from unethical data collection, state-sponsored censorship, and privacy violations.”

Last year, SumOfUs asked Facebook to adopt an independent board chair to oversee Zuckerberg and other managers. The SumOfUs shareholder proposal received support of almost half of the shares not controlled by Zuckerberg.

SumOfUs also targeted Mark Zuckerberg with a petition last year over Facebook’s removal of Black Lives Matter-related videos and police violence, and other state-sponsored censorship around the globe. The joint petition gathered nearly 600,000 signatures.

The post Consumer Groups Calls on Mark Zuckerberg to Step Down As Facebook CEO and Board Chair Amid Data Breach, Privacy Scandals appeared first on IT SECURITY GURU.

Organisations with Threat Detection platforms can cut time taken to identify a threat by 80 percent

A new Total Economic Impact (TEI) study conducted by Forrester Consulting and commissioned by AlienVault, a leading crowdsourced threat intelligence provider, examined the potential return on investment (ROI) for organisations that deployed the AlienVault Unified Security Management (USM) Platform and revealed excellent results for the product.

Organisations that deployed the AlienVault solution saw an 80 percent improvement in threat detection and incident response time, effectively reducing the risk of a security breach and bringing down the average costs of a cyber incident.

With the average cost of cyber attacks reportedly $11.7m a year, this could be welcome news for organisations seeking to invest in a new security solution.

The research also revealed that organisations that utilised the cloud-based security monitoring solution, AlienVault USM Anywhere, would save more than $40,000 annually in threat intelligence spending.

“The results of the study are clear – there are significant benefits to our differentiated approach,” said Barmak Meftah, AlienVault’s president and CEO. “A SaaS-driven deployment model that integrates critical security capabilities into a unified platform enabling faster detection and response to threats. We commissioned this study from Forrester to help organisations and partners better understand why it’s time to re-think how they approach security.”

Furthermore, the research, which was carried out by Forrester and based on in-depth AlienVault customer interviews and analysis, found that over a three-year period organisations will also see a return on investment of up to six times, as well as a 94 percent reduction in compliance reporting, a saving of nearly 6,000 hours of compliance reporting for auditors.

Meftah continues saying, “in addition to operational efficiency gains, organizations can reduce risk while ensuring compliance mandates are met to help drive business growth. To detect security threats and manage compliance, many organisations and MSSPs are using traditional point solutions, but this approach is expensive and resource intensive.”

To view the full study click here: https://www.alienvault.com/resource-center/analyst-reports/forrester-total-economic-impact-study

The post Organisations with Threat Detection platforms can cut time taken to identify a threat by 80 percent appeared first on IT SECURITY GURU.

CISO Chat – Darran Rolls, Chief Technology and Chief Information Security Officer at SailPoint

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.

We spoke with Darran Rolls, Chief Technology and Chief Information Security Officer at SailPoint, who believes that although there will always be new threats and vulnerabilities, the same old risks will remain.

As a CISO, what is your objective? What is the goal of information security within your organisation?

My key objectives are protecting company assets and customer data, continually improving internal security operations and staying ahead of the adversary. A lot of this comes down to striking the right balance between user convenience and operational efficiency for the business and protecting the sensitive data of our employees and customers. As a security software provider, we are very focused on all elements of our security posture from end-user awareness to compliance with our ISO/IEC 27001:2013 certification and SOC 2 Type 2 attestation. Taking a holistic approach is essential to our business as a security company. Being an identity governance provider means we also have a strong focus on using our own technology and best practices to achieve these goals.

What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?

You have to consider both. A focus on vulnerability without an understanding of threat and risk can lead to an over-focus on noise. On the other side, an understanding of threats with poor processes for managing, detecting and mitigating vulnerability is again flawed. It’s essential to start from a strong threat modeling and assessment perspective to help understand a business risk posture. All of this comes together to create an assessment of where to focus. Once you know where to focus, then you can look more closely at potential vulnerabilities in the areas of highest risk.

What do you see being the biggest threats for 2018?

I don’t see a major change in the threat landscape for 2018. The reality is, new vulnerabilities are discovered and publicised on a daily basis. As we found out late last year with the Meltdown and Spectre vulnerabilities, even the CPU is vulnerable. We didn’t know that vulnerability existed, so who knows what will be next? There’s always going to be a new threat and a new vulnerability. The same old risks remain. Malware will increase in sophistication, more intelligent phishing campaigns will be carried out, and what we once thought was safe will become known to be vulnerable. Buckle up, batten down and get ready to respond!

How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?

At SailPoint, we’re fortunate to be in the security industry, so all of our people see themselves as security professionals, no matter what their role. It’s difficult to find good security people, but fortunately for us, security professionals are excited to work for security companies. We love and believe in security, so we work to find people who fit that mold. We’re also working to help with education and certification in our own area of the security ecosystem, identity management. We’re proud to be founding members and sponsors of IDPro, a new association that is looking to establish a professional body for IAM professionals. We believe in supporting and advancing professional bodies that can create a known and understood standard for education and awareness in our industry. Internally we also try to make security fun and interesting for our staff across the board. This doesn’t mean corny motivational posters on the wall. It means hosting events like lock-picking happy hours, security book clubs and hackathons that make security top of mind for all our staff.

My advice to someone hoping to get into the cybersecurity industry is to become an enthusiast. Some of the best security professionals I know were hobbyists first. It’s imperative to gain an interest in security from the ground up. I’m a big advocate of events like Defcon that focus on engaging with a diverse community that together can learn and love cybersecurity. If you have an interest in cybersecurity, go hack something, and it doesn’t have to be plain old software. Go look at social engineering or lock picking or go hack a written procedure – break it down, understand how it works and look for a way around it. If you want to get into security, get into the mindset of a hacker.

Today, IoT and AI have become really big focuses for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?

Security is an afterthought in most consumer devices because most people today don’t buy them for security. When someone buys a laptop, security takes a backseat to things like price, screen size or memory capacity. When someone purchases a video baby monitor, they’re most concerned with how the picture looks and whether or not they can see the footage on their phones. In order for security to gain prominence in consumer devices, it has to become a feature that people value and are willing to pay for. The only way we can change the lack of focus on security in consumer devices is by consumers demanding it.

With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?

GDPR demands security by design, which is an approach we’ve long been advocating for in our products and solutions. We’re ready to help our customers address the challenges of GDPR by helping them govern access to sensitive data stored across their applications and in files.

What’s your worst security nightmare? What would be your plan to prevent and mitigate it?

The life of a CISO is filled with fear, uncertainty and doubt. That’s the nature of the job. It’s the CISO’s job to understand all of these threats and make actionable business decisions with them. This is a job of sleepless nights, but the best way to actually get some peace is to have a well-exercised incident response plan, because the reality is that something bad is going to happen eventually. Having the right technology, good people and well-defined and well-exercised procedures is the best you can do. Fires will start, and it’s our job to put them out. To do this effectively takes practice. It’s important to regularly ring the fire alarm, see how people respond and figure out if the hoses are long enough to reach the fire.

How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding of the work you and your team do?

We’re very fortunate as a security company, because cybersecurity truly is a board-level concern for us. This is not always the case. There is a growing awareness for the importance of cybersecurity, but many boards do not truly understand security risks in terms of business outcomes. Security operations are inherently technical and too many C-level cybersecurity professionals describe it that way to the board – all tech and all budget. But the conversation needs to be about managed risk. At SailPoint, our board is invested in our cybersecurity posture so I’m a lucky guy. I don’t have to rely on legislation to get the ear or the focus of the board. Fortunately, many boards are now realising that the reputational risk and cost of security breaches are something that can be understood and managed like any other business risk in terms of investment and return.

Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?

Security is the principle of the weakest link, and social media can be just that. I can do a fantastic job of securing my internal systems, but if one of my employees posts something inappropriate, we’re in trouble. Of course, education is key, but this needs to be complemented with good governance and oversight. We have to view both employee and company-owned social media accounts as valuable assets that need to be protected. Controlling these accounts and their usage has to be seen as critical corporate governance, because reputational damage can be just 128 characters away.

What would be your no.1 piece of cyber security advice as we begin 2018?

Putting identity at the center of your organisation’s cybersecurity strategy. Yes, this is right out of our solutions play-book, but I really think that it’s the right thing to do. Moving toward an identity-centric view of cybersecurity should be a driving mandate for every organisation in 2018.

Darran Rolls directs the continued development and communication of SailPoint’s technology strategy and vision. His long history in information security has helped SailPoint emerge as a company with which to be reckoned in every area of identity management – from compliance and governance, to role management and role engineering, to user lifecycle management and provisioning. He believes the key to that success has been finding the balance between striving to be a market-leading innovator and acting pragmatically to make sure clients’ needs are met.

The post CISO Chat – Darran Rolls, Chief Technology and Chief Information Security Officer at SailPoint appeared first on IT SECURITY GURU.

Over half of European companies unprepared for email-based cyberattacks

Today Cofense, the leading provider of human-driven phishing defence solutions worldwide, announced the results of its European-wide Phishing Response Trends Report, which looked at the phishing response strategies of IT security decision-makers across a variety of industries throughout Europe. The report found that 57 percent of European companies believed they were unprepared for a phishing attack, despite 78 percent of IT professionals having dealt with a security incident originating from a deceptive email. This was significantly lower than the 66 percent in the US that had dealt with a similar incident.

Across all the European countries surveyed, security teams reported that they are struggling to manage their response to the number of suspicious emails being received. The US and Europe differ, however, in their appetite for automated email analysis to solve this problem: 59 percent of respondents in Europe had automated email analysis on their wish list, compared to only 33 percent in the US. Arguably, this could point to the skills gap much discussed across Europe. With organisations of all sizes struggling to find IT talent, and particularly cyber security skills, perhaps the need for an automated and integrated system to deal with suspicious emails is being felt more acutely in Europe.

Other key findings in the report include:

– The number one security concern is phishing and email-related threats.

– 41 percent of respondents say their biggest anti-phishing challenge is poorly integrated security systems.

– 6 in 10 companies believe they have insufficient defences against email-based threats.

– The UK reports the most suspicious emails each week across Europe with 23 percent reporting more than 500, Belgium reports the least at 16 percent followed by Germany at 18 percent, France at 20 percent and the Netherlands at 22 percent.

With phishing and email-related threats being the primary security concern of the European-based survey respondents, it is critical that businesses have an effective strategy to counter the attack vector which is fully integrated with broader security solutions. It is paramount, for example, that phishing simulations are akin to the real thing and encourage reporting which, in turn, can not only stop a malicious email compromising an enterprise’s network, but can give the incident response team a head start.

“The analysis of email-based attacks gives us extremely valuable insight into the security posture of European organisations,” said Rohyt Belani, co-founder and CEO of Cofense. “What we’re really looking at here is addressing human susceptibility and building human resiliency to work in concert with technology to combat security threats facing Europe. Technology solutions alone have proved time and time again that they can only go so far to protect enterprises. It is not enough to lock down systems and force users into acting a certain way, instead we need to build a human-driven phishing defence posture that leverages human instinct for detection and technology to scale response,” he concluded.

The full report is available for download here: https://cofense.com/phishing-response-trends-europe/

To learn more about Cofense’s incident response solutions, please visit: https://cofense.com/product-services/triage/

The post Over half of European companies unprepared for email-based cyberattacks appeared first on IT SECURITY GURU.

Registration now open for the annual IT Security CISO Debates and Conference

The IT Security Guru is pleased to announce that registration is now open for the IT Security CISO Debates and Conference, with a comprehensive line-up of topics including the cyber security skills shortage, GDPR and the industry’s best practices.

The UK’s top CISOs and global IT security association leaders will lead these exciting and current debating sessions, and attendees can earn CPE credits towards their SSCP®/CISSP® and ISACA certifications.

The full conference line-up is as follows:

2:00pm – 2:45pm: What is “good security” anyway? CISOs’ top tips on what makes a company secure

In this panel, CISOs from all walks of industry will share their best practice and advice. Covering training, technology and techniques, these CISOs will have an open and frank discussion about what “good security” looks like in a modern enterprise.

Moderator: Sarb Sembhi, CTO, CISO & DPO, Virtually Informed

Panellists: Shan Lee, ‎Information Security Officer, TransferWise; Sandip Patel, Director, Information Security Consultancy, GSK; Quentyn Taylor, Director of Information Security, Canon Europe

2:50pm – 3:35pm: Crisis Communications in a post-GDPR world

With the EU’s General Data Protection Regulation (GDPR) on the horizon, what does the board need to make sure it is communicating to employees, customers and stakeholders should the worst happen and a data breach occur? This discussion will offer best practice advice, what to steer clear of, and when to notify when dealing with a data breach event.

Moderator: Lee Munson

Panellists: Jonathan Armstrong, Partner, Cordery Compliance; Neil Stinchcombe, Director, Eskenzi PR; Sue Milton, Managing Director, SSM Governance Associates; Mark Deem, Partner, Cooley UK

3:35pm – 4:00pm: BREAK

4:00pm – 4:45pm: What can the Military teach us when it comes to protecting the Enterprise?

This panel will bring together military professionals to discuss what lessons companies can learn by taking a leaf out of their playbooks.

Moderator: Peter Wood, CEO, First Base Technologies LLP

Panellists: Gerry O’Neill, Director, Inforisca; James Hadley, Founder/CEO, Immersive Labs; Jennifer Dean, Chair of Law at the British Computer Society

4:50pm – 5:30pm: What are those in the know doing to close the skills gap?

The skills gap has been a major problem plaguing the security industry and will continue to do so for the foreseeable future. Now it’s time for action – hear how some of the industry’s best practitioners and professionals are taking a stand and combating the problem head-on.

Moderator: Stephen Khan, Head of Information, HSBC

Panellists: Quentyn Taylor, Director of Information Security, Canon Europe; Steve Williamson, Audit Account Director, Information Security and Data Privacy, GSK; Thomas Langford, Chief Information Security Officer, Publicis Groupe; Matt Parsons, Head of the Cyber Skills Policy Team, DCMS; Peter Wood, CEO, First Base Technologies LLP

5:30pm – 6:00pm: Food and Drink reception

To secure your place to attend the IT Security CISO Debates hosted by IT Security Guru and learn from the UK’s top industry experts, please register: https://www.eventbrite.ie/e/it-security-analyst-and-ciso-forums-ciso-debates-2018-tickets-43847984502?aff=es2

The post Registration now open for the annual IT Security CISO Debates and Conference appeared first on IT SECURITY GURU.

Global Organisations Fail to Invest in Much-Needed Security Ahead of GDPR

Less than two-thirds (63%) of global organisations have a breach notification process in place for their customers, while only half have increased investment in IT security ahead of the GDPR despite complaints from tech staff, according to Trend Micro.

The global cybersecurity leader polled over 1,000 IT decision makers from businesses with 500+ employees around the world: in the UK, US, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland.

Its findings revealed that just 51% have increased security investments to help with compliance, despite a quarter of respondents complaining that “lack of sufficient IT security protection” (25%) and a “lack of efficient data security” (24%) are the biggest challenges to compliance efforts.

Less than a third (31%) said they have invested in encryption, despite it being one of the few technologies named in the GDPR. Similarly, few organisations have spent money on Data Loss Prevention (33%) or advanced technologies designed to detect network intruders (34%).

A quarter of organisations (25%) claimed that limited resources are the biggest challenge to compliance, providing further insight into some of the reasons behind this under-investment.

“The GDPR is clear that organisations must find state-of-the-art technologies to help repel cyber-threats and keep key data and systems secure. It’s concerning that IT leaders either don’t have the funds, or can’t find the right tools to tackle compliance,” said Simon Edwards, Cyber Security Solution Architect at Trend Micro. “Organisations need defence-in-depth combining a cross-generational blend of tools and techniques, from the endpoint to the network and hybrid cloud environment.”

Aside from a lack of investment in security, the research also revealed that just 37% of global organisations have invested in staff awareness programmes.

The 72-hour window 

The study also uncovered evidence that many firms aren’t prepared to handle new requirements to notify of a breach within 72 hours.

A fifth (21%) of respondents said they have a formal process in place to notify only the data protection authority. However, Article 34 of the GDPR states that individuals must also be notified if a breach results in a high risk to their rights and freedoms.

Some 6% of respondents said they have no process in place at all, while a worrying 11% didn’t know if they had one or not.

There are also concerns around preparations to support the so-called “right to be forgotten”, a key part of the GDPR.

Although 77% of global respondents said they have adequate processes to address any customer requests concerning personal data managed by the organisation, it was a different story for data handled by third parties.

Around a third of organisations either didn’t know or had no processes/tech in place to handle right to be forgotten requests for data collected by third-party agencies (36%), cloud providers (32%) and partners (32%).

The post Global Organisations Fail to Invest in Much-Needed Security Ahead of GDPR appeared first on IT SECURITY GURU.

Malicious Apps in Global App Stores Decrease 37 Percent, Feral Apps Lose Ground to Third-Party Stores

Malicious mobile apps were on the decline in Q4 of 2017 largely due to a decrease in the inventory of AndroidAPKDescargar, the most prolific dealer of blacklisted apps, according to digital threat management leader RiskIQ in its Q4 mobile threat landscape report, which analysed 120 mobile app stores and more than 2 billion daily scanned resources. Listing and analysing the app stores hosting the most malicious mobile apps and the most prolific developers of potentially malicious apps, the report documents the return of familiar threats such as brand imitation, phishing, and malware—as well as the discovery of a bankbot network preying on cryptocurrency customers.

Feral Apps are Down

The Google Play store again led the way with the most blacklisted apps, but Q4’s analysis confirmed that feral apps—apps available for download outside of a store on the web—fell in popularity for the first time in several quarters, falling from the number two spot and giving way to three other stores:

  • ‘AndroidAPKDescargar’ had 7,419 blacklisted apps, comprising 41 percent of the apps RiskIQ observed in their store
  • ‘9game.com’ had 4,083 blacklisted apps, accounting for 86 percent of the total apps RiskIQ observed
  • ‘9apps’ had 3,644 blacklisted, 15 percent of the total apps

‘KitApps’ Makes Another Appearance Indicating a Wider Trend

One developer observed almost every quarter is ‘KitApps, Inc.’ It had 147 blacklisted apps in 2017, 96 percent of which were found in the AndroidAPKDescargar store. Of these blacklisted apps, 137 contain Trojans and 133 have adware—two categories of blacklisted apps that can be found en masse across the AndroidAPKDescargar store. This may indicate the store is being used as a hub for campaigns in which actors are repackaging apps with Trojans and adware.

Riding the Cryptocurrency Wave

In November, RiskIQ researchers found a mobile app that was trying to pass itself off as a cryptocurrency market price app. This app was found to be part of the bankbot family of mobile Trojans and would monitor the device that installed it for a list of target apps. If the app were launched while the Trojan was installed, the Trojan would put an overlay over the legitimate app and collect sensitive information, such as login credentials from the banking customer. 

Mobile Threat Actors are “Well-Connected”

In October, RiskIQ researchers were able to take malware hashes associated with the Red Alert 2 Android Trojan and find samples that contained data that was used to uncover infrastructure used by the malware. Pivoting off a host found in the APK, researchers discovered an IP address and registrant address, both of which led to further infrastructure. Two additional domains were found to be hosting more malicious apps claiming to be Adobe Flash Player updates, showing the breadth of infrastructure of mobile threat campaigns.

“Securing the mobile app ecosystem continues to be a challenge for app stores of all sizes, but efforts to improve version control, monitor for abuse, employ verification techniques, and offer security education can help,” said Mike Wyatt, director of Product Operations at RiskIQ. “Tracking the use of brand names and likeness is an equally daunting challenge for corporations. Brands should evaluate and implement solutions that constantly monitor their digital footprint online and in mobile app stores.”

For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q4 2017 Report at https://www.riskiq.com/research/2017-q4-mobile-threat-landscape-report/.

The post Malicious Apps in Global App Stores Decrease 37 Percent, Feral Apps Lose Ground to Third-Party Stores appeared first on IT SECURITY GURU.

Legacy Cybersecurity Defenses Won’t Keep Pace with New Ransomware and Cryptojacking Threats

Webroot, the Smarter Cybersecurity® company, revealed the results from the 2018 edition of its annual threat report, which demonstrated attackers are constantly trying new ways to get around established defenses. The data, collected throughout 2017 by Webroot, illustrates that attacks such as ransomware are becoming a worldwide threat and are seamlessly bypassing legacy security solutions because organizations are neglecting to patch, update, or replace their current products.

The findings showcase a dangerous, dynamic threat landscape that demands organizations deploy multi-layered defenses that leverage real-time threat intelligence.

Notable Findings and Analysis:

  • Cryptojacking is gaining traction as a profitable and anonymous attack that requires minimal effort. Since September 2017, more than 5,000 websites have been compromised with JavaScript cryptocurrency miner CoinHive to mine Monero by hijacking site visitors’ CPU power.
  • Windows 10 is almost twice as safe as Windows 7. However, the data reveals that the operating system migration rate for enterprises has been quite slow; Webroot saw only 32 percent of corporate devices running Windows 10 by the end of 2017.
  • Polymorphism, i.e. creating slightly different variants of malicious or unwanted files, has become mainstream. In 2017, 93 percent of the malware encountered and 95 percent of potentially unwanted applications (PUAs) were only seen on one machine. In these instances, the identifiers are unique and undetectable by traditional signature-based security approaches.
  • Ransomware and its variants became an even more serious threat. This past year, new and reused ransomware variants were distributed with a variety of purposes. Together, WannaCry and NotPetya infected more than 200,000 machines in over 100 countries within just 24 hours.
  • High-risk IP addresses continue to cycle from malicious to benign and back again. Webroot saw 10,000 malicious IP addresses reused an average of 18 times each in 2017. The vast majority of malicious IP addresses represent spam sites (65 percent), followed by scanners (19 percent), and Windows exploits (9 percent).
  • Of the hundreds of thousands of new websites created each day in 2017, 25 percent of URLs were deemed malicious, suspicious, or moderately risky. High-risk URLs fell into two major categories: malware sites (33 percent) and proxy avoidance and anonymizers (40 percent).
  • Phishing attacks are becoming increasingly targeted, using social engineering and IP masking to achieve greater success. On average, phishing sites were online from four to eight hours, meaning they were designed to evade traditional anti-phishing strategies. Only 62 domains were responsible for 90 percent of the phishing attacks observed in 2017.
  • Mobile devices continue to be a prime target for attackers—32 percent of mobile apps were found to be malicious. Trojans continue to be the most prevalent form of malicious mobile apps (67 percent), followed by PUAs (20 percent).

Hal Lonas, Chief Technology Officer, Webroot, said: “Over the past year, news headlines have revealed that attackers are becoming more aggressive and getting extremely creative. Cryptojacking made our threat report for the first time this year as an emerging threat that combines everything an attacker could want: anonymity, ease of deployment, low-risk, and high-reward. Organizations need to use real-time threat intelligence to detect these types of emerging threats and stop attacks before they strike.”

The post Legacy Cybersecurity Defenses Won’t Keep Pace with New Ransomware and Cryptojacking Threats appeared first on IT SECURITY GURU.

Former TalkTalk and GCHQ Chief Executives announced as keynote speakers at Infosecurity Europe 2018

Infosecurity Europe, the region’s number one information security event, has announced Baroness Dido Harding and Robert Hannigan will deliver opening keynotes at this year’s event, which takes place at Olympia, London, 5-7 June, speaking on 5 and 7 June respectively.

Baroness Harding, Chair of NHS Improvement, will give a talk titled View from the Board: A CEO’s Perspective on Cybersecurity, in which she will draw on her seven years as Chief Executive of TalkTalk PLC, during which she led the company through one of Britain’s most high-profile cyber-attacks. She will explore what a CEO really needs from the information security function, how to promote a security culture across the enterprise and how, in the event of a breach, to work with the CEO to minimise impact and protect the reputation of the organisation.

Baroness Dido Harding said: “Technology is accelerating at an extraordinary rate across all aspects of our society and as cyber-attacks get ever more frequent and sophisticated, the information security community faces huge challenges ahead. I am very much looking forward to presenting Infosecurity Europe’s opening keynote to an audience that is striving to be one step ahead of the cyber adversary to keep our world a safer place.”

As former Director of GCHQ, the UK government’s largest intelligence and cyber agency, Robert Hannigan has a long history of involvement in cybersecurity and technology, having drawn up the UK’s first Cybersecurity Strategy and outlined the government’s ambition of making the UK ‘the safest place to live and do business online’. In his talk, Weaponising the Web: Nation-State Hacking & What it Means for Enterprise Cybersecurity, Robert will discuss the reality of alleged nation-state sponsored cybercrime emanating from countries such as Russia and North Korea, the risk to different types of organisations and how to mitigate that risk.

Robert Hannigan said: “Nation-state sponsored cyber-attacks are a daily reality for organisations not just in the UK but globally. In particular, countries around the world are seeking opportunities to exploit increasingly technologically-integrated Western infrastructure. I look forward to sharing my experience with the Infosecurity Europe audience about the cyber threats posed by nation-states and how to prevent and defend against them successfully.”

Victoria Windsor, Content Manager, Infosecurity Europe, said: “Baroness Harding’s perspective on the crucial issue of how to engage senior leaders in cybersecurity will be a fascinating start to our Keynote Stage programme. Few people can claim to be as knowledgeable about nation-state hacking as Robert Hannigan, and I’m sure his talk will really resonate with our audience. I’m delighted to be welcoming two speakers with such different, but equally insightful, perspectives to the Keynote Stage this year.”

Reflecting the need for the information security community to get one step ahead of the cyber adversary, the Keynote Stage will address the challenges of building strong cybersecurity strategies and tactics to protect an organisation’s critical information assets as the world around transforms.

The theme of this year’s Infosecurity Europe is Building Tomorrow’s Cybersecurity Today.

The post Former TalkTalk and GCHQ Chief Executives announced as keynote speakers at Infosecurity Europe 2018 appeared first on IT SECURITY GURU.

9 Web Application Threats that Continue to Target Sites

Vulnerabilities in web applications can occur in several areas including DBA tools (e.g., phpMyAdmin), SaaS applications, and content management systems, such as WordPress. With web apps being an integral part of business processes, insecure web applications make an easy target, potentially resulting in damaged client relations, rescinded licenses, or even legal actions.

Based on Imperva’s experience, the nine vectors listed below are commonly used by competitors and bad actors to steal data or disrupt web applications.

  1. Web Scraping – Probing website data is useful in several ways, including conducting market research and page ranking by search engines. But in some cases, there’s a grey area where illicit web scrapers deploy bots to steal database information. In a competitive business category, bot operatives are able to duplicate your site content elsewhere using their name. E-commerce sites are especially vulnerable, and it’s not uncommon for scrapers to set up their site to constantly underbid your pricing.
  2. Backdoor Attack – A backdoor is a form of malware that circumvents login authentication to enter a system. Many organizations offer employees and partners remote access to application resources, including file servers and databases, and a backdoor planted on such a system lets bad actors trigger system commands and keep their malware updated. The attacker’s files are usually heavily cloaked, making detection problematic. We have all heard about WannaCry, Petya and Locky, among other ransomware families that emerged after 2010 and took over hundreds of thousands of computers around the world. While most of these attacks required the victims to pay a ransom in exchange for recovering their data, others went further and also provided backdoor access to the companies’ systems.
  3. SQL Injection (SQLI) – SQL injection relies on SQL code to manipulate database back-ends. It gains access to data your organization didn’t intend to make public, such as secure company data, user databases, or customer information. Unwanted file deletion is also a possibility in some cases. The perpetrator can even grant themselves admin rights. Some examples from 2017 alone: WordPress, Hetzner South Africa, GoDaddy, and of course, Equifax. Counting just the last one, around 145 million records were compromised.
  4. Cross-Site Scripting (XSS) – Cross-site scripting is a common vector that inserts malicious code into a web application found to be vulnerable. Unlike other web attack types, such as SQLI, its objective isn’t your web application. Rather, it targets its users, resulting in harm to your clients and the reputation of your organization.
  5. Reflected XSS – Reflected XSS assaults (a.k.a., non-persistent attacks) use a malicious script to reflect traffic to a visitor’s browser from your web application. Initiated via a link, a request is directed to a vulnerable website—possibly yours. Your web application is then manipulated to activate harmful scripts.
  6. Cross-Site Request Forgery (CSRF) – Also known as XSRF, Sea Surf, or session riding, cross-site request forgery deceives the user’s browser—logged into your application—to run an unauthorized action. A CSRF can transfer funds in an authorized manner and change passwords, in addition to stealing session cookies and business data.
  7. Man in the Middle Attack (MITM) – A man in the middle attack can occur when a bad actor positions himself between your application and an unsuspecting user. MITM can be used for eavesdropping or impersonation—nothing appears amiss in the latter. Meanwhile, account credentials, credit card numbers, and other personal information can easily be harvested by the attacker.
  8. Phishing Attack – Phishing continues to be a favorite of social engineering practitioners. Like MITM, it can be set up to steal user data—such as credit card and login information. The perpetrator, posing as a trustworthy entity, fools their prey into opening an email, text memo, or instant message. The latter is then enticed to click a link that hides a payload. Such an action can cause malware to be surreptitiously installed. It’s also possible for ransomware to freeze the user’s PC, or for sensitive data to be passed. One of the top examples here is the Target data breach that exposed more than 40 million payment cards during the holidays. The simplicity about this attack was that it just needed to steal the credentials of a third-party contractor who was in charge of Target’s HVAC systems. In order to perform remote maintenance on air conditioners the contractor had access to Target’s contractor network, giving the perpetrator access once its account was hacked.
  9. Remote File Inclusion (RFI) – Remote file inclusion (RFI) exploits weaknesses in those web applications that dynamically call external scripts. Taking advantage of that function, an RFI attack uploads malware and takes over the system.
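As an added illustration of item 3 (this is example code written for this page, not from Imperva), the block below shows why string-built SQL lets a value submitted as a username change the meaning of the query, and how a bound parameter removes that. The table, rows and the `users` schema are constructed for the demonstration; the extra `suspicious_username` check is a coarse logging heuristic, not a replacement for parameterisation.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table. All rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", 1),
            ("bob", "bob@example.test", 0),
            ("carol", "carol@example.test", 0),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the caller-supplied value is spliced into the SQL text.

    The database parses the whole string as SQL, so a value containing a quote
    and an OR clause changes the WHERE condition instead of being matched as a
    literal username. This is the mechanism the article describes in item 3.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter.

    The SQL text is fixed at '... WHERE username = ?'; the value is handed to
    the driver separately and is compared as data, never parsed as SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Heuristic for request logging/alerting only: a username field that carries a
# quote character followed by an OR/UNION/comment token deserves a closer look.
# It is deliberately narrow and will miss many variants; the real control is
# lookup_parameterised above.
_SUSPICIOUS = re.compile(r"['\"].*\b(or|union|and)\b|--|/\*", re.IGNORECASE)


def suspicious_username(value: str) -> bool:
    return _SUSPICIOUS.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology; constructed input for the demo
    print("vulnerable, benign input:  ", lookup_vulnerable(db, "bob"))
    print("vulnerable, hostile input: ", lookup_vulnerable(db, probe))
    print("parameterised, hostile in: ", lookup_parameterised(db, probe))
    print("flagged for review:        ", suspicious_username(probe))
```

With the tautology input the concatenated query returns every row in the table, while the parameterised query returns nothing because no user is literally named `' OR '1'='1`.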

The post 9 Web Application Threats that Continue to Target Sites appeared first on IT SECURITY GURU.

The Digital Disconnect: 70% of UK employees not equipped with necessary tools and training

Sungard Availability Services® (Sungard AS), a leading provider of information availability through managed IT, cloud and recovery services, today reveals that the skills shortage is having a detrimental impact on UK businesses and could pose serious risks in the years ahead. Both IT Decision Makers (31%) and Line of Business Decision Makers (41%) have labelled it as their biggest issue impacting digital initiatives, with seven in ten employees claiming they’re not getting the training or tools they need to add value back to the business.

Technology priorities

Despite extensive media hype and scare-mongering about technologies such as Artificial Intelligence (AI) impacting or replacing human jobs, research* undertaken on behalf of Sungard AS reveals that just under half (49%) of UK businesses have it listed as a technology that will help them prepare for the challenges they face. In reality, Cloud (75%), Internet of Things (69%) and Big Data Analytics (64%) are the big three when ranking these technologies; AI doesn’t even make the top four.

Employee disconnect

At least in the immediate future, many jobs and processes that are mooted to be automated or taken over by robots will stay firmly within the remit of the human workforce; yet 70% of employees state they are underprepared for the digital journey ahead. Businesses therefore need to invest in their staff, not just in strategic technologies. This will ensure that employees feel supported by and committed to their organisations, and are confident they can do their jobs now and in the future. For business leaders, it means their companies have the skills in situ to optimise all technology investments.

Despite the benefits of doing so, the extent to which the majority of UK businesses are not prioritising investment in people makes for grim reading. Over a quarter of UK workers stated that a lack of training has stopped them from adopting digital working practices, with only 30% claiming their company has provided them with the tools to overcome the challenges they are facing.

Meanwhile, increasing employee satisfaction, increasing staff mobility and increasing staff retention levels were revealed to be the three lowest priorities for business decision makers over the next two years, at only 32%, 23% and 19% respectively.

Communication is key

The research also found that businesses need to be more transparent about how they intend to navigate future challenges. Only 32% of UK employees polled feel like they are kept up to speed with their employer’s digital roadmap. This is in stark contrast to the 75% of ITDMs who reported that they are kept well informed of strategic direction.

This lack of business-wide communication could have serious ramifications for business leaders and commercial success, especially when the UK is heading into the uncharted waters of Brexit, and has the European GDPR directive looming on the near horizon. For example, when asked about their understanding of the changes that will come into force as a result of GDPR, a large majority (84%) of line of business heads in the UK have some understanding, compared to 3% of employees who say they understand completely, contrasting with the 50% who report they do not understand at all. Considering that employees are often the weak link in an organisation’s security chain, this lack of understanding about their roles and responsibilities when it comes to security compliance should serve as a wakeup call to businesses.

Commenting on the findings, Kathy Schneider, CMO, Sungard Availability Services said:

“In addition to Brexit and GDPR, the lack of digital skills is yet another challenge facing UK organisations over the next couple of years. To remain competitive, businesses will need to prioritise digital skills development and training to help navigate the new technology trends. This means investing not only in technologies and systems, but also in training around the required skills. Communication of the challenges and the digital journey ahead will be vital to ensuring business resiliency. Failure to do so could open businesses up to unnecessary – and avoidable – risks.”

Eddie Curzon, Regional Director at the CBI adds:

“Despite the widespread news coverage highlighting the impact that skills shortages are having on UK plc and associated GDP, these findings suggest that some businesses are not making their staff a priority. A good business thrives off people, processes and technology and needs to place equal emphasis on each to avoid going off course.”

The post The Digital Disconnect: 70% of UK employees not equipped with necessary tools and training appeared first on IT SECURITY GURU.

Budget Cuts, Staff Shortages and Cyber Threats Keep IT Leads Awake at Night as GDPR Looms

43% of IT executives at European financial institutions reveal that fears of a cyber-attack keep them awake at night – two months before the General Data Protection Regulation (GDPR) comes into force, according to figures published by financial services IT consultancy and service provider Excelian, Luxoft Financial Services – a division of Luxoft (NYSE:LXFT).

The survey of over 200 IT executives working in capital markets, wealth management and corporate banking reveals that although 89% agree implementing a cybersecurity strategy is a top priority, budget cuts and staff shortages make implementing cybersecurity strategies difficult. 55% of respondents cite a lack of IT investment as a significant source of stress in their role, rising to 63% of professionals in the UK alone. However, those in Switzerland and Austria are less concerned about budget cuts, with only 40% and 43% of IT professionals expressing frustrations, respectively.

IT executives also feel they don’t have access to the right talent and are not fully trained – 54% say they are frustrated by a lack of training and learning opportunities, whilst 26% are also kept awake by a skills shortage in their IT department. As a result, 36% of IT professionals working in the financial services sector are reluctant to recommend increasing cybersecurity spend.

“IT departments in banks are being pulled in two directions,” says Marcin Swiety, Global Head of Luxoft’s Information Security practice. “Banks want to focus on digital innovation, but IT professionals feel unable to escape from the ever-present cyber threat. Budget cuts are leaving smaller teams with fewer spare hours in the day. Unable to plan ahead, they spend their days firefighting problems and upgrading legacy systems.”

European IT professionals working in financial institutions on both the buy-side and sell-side also believe that insufficient cybersecurity strategies combined with reacting to other daily struggles is preoccupying too much of their time. On average, IT executives say more than half of a CIO’s role is responding to events as they happen, whereas only 40% of their role is proactive.

The complexity of internal technology systems at larger and more established institutions in particular also forces those CIOs to have less time to implement change. 28% of IT executives say that the complicated internal processes make it more difficult to implement cybersecurity strategies.

“Most financial institutions want to capitalise on technologies like blockchain, AI and the cloud, but they are difficult to implement both securely and at pace,” says Mr Swiety. “If we want to see digital transformations that are truly protected from the cyber threat, then institutions must find a way for IT departments to free up their time.”

The post Budget Cuts, Staff Shortages and Cyber Threats Keep IT Leads Awake at Night as GDPR Looms appeared first on IT SECURITY GURU.

More than a quarter of companies expect to be breached in next 6 months

Nearly 4 in 5 companies (79%) were hit by a breach in the last year, according to new research from Balabit. The report, called the Known Unknowns of Cyber Security, also revealed that 7 out of 10 (68%) businesses expect to be impacted by further breaches this year with more than a quarter anticipating this happening within the next 6 months.

The Unknown Network Survey, undertaken in the UK, France, Germany and the US, reveals the attitudes of 400 IT and security professionals when it comes to businesses’ concerns over IT security and their experience of IT security breaches, their understanding of how and when breaches occur and how they are trying to combat hackers.

Knowing your environment

The majority of businesses know very little about the nature of the security breaches that take place within their organisations. Whilst a high percentage of companies are experiencing breaches, less than half (48%) stated they would be fully confident knowing a breach had even happened, meaning that more could have taken place without their knowledge.

Only 42% feel very confident about what data was accessed and a mere 39% were fully confident that they could identify the source of a breach. As privileged users, those with the most access within an organisation, are the most vulnerable to attack or to becoming insider threats, it’s imperative for businesses to protect access to critical IT systems and sensitive data.

This is leading to internal tension within businesses around the development of cohesive security strategies. With half of all security breaches being employee-related, 69% of senior IT professionals agree that insider data breach is the biggest threat many are facing in terms of network security. It should come as no surprise that 80% of respondents agreed that educating employees is key to securing the network. The truth is however, that businesses must aim for a balance between technology and employee education in order to tackle the insider threat, whether that’s a malicious or accidental threat.

“Attacks are becoming more and more sophisticated and every organisation is at risk,” said Csaba Krasznay, Security Evangelist, Balabit. “Security is no longer about simply keeping the bad guys out. Security teams must continuously monitor what their own users are doing with their access rights, as part of a comprehensive and cohesive security strategy.”

“What’s really alarming, though, is that the majority of businesses know very little about the nature of the security breaches that are happening to them. Many even admit that a security breach could quite feasibly go unnoticed. That’s how loose a grip we’ve got on them, or how little we really understand them. We know about breaches, sure – but we really don’t know enough,” Krasznay continued.

Turning the security unknowns into knowns

Whilst 83% of businesses agree that technology is effective in preventing breaches, 73% think technology struggles to keep up with security threats. It’s little wonder that there is still no cohesive response to the on-going threat of cybercrime.

The research demonstrates that when, more often than not, the threat is unpredictable and already exists within a business, it is essential to create comprehensive security strategies. These should incorporate a balance of both employee education and appropriate security technology. This way, organisations can ensure that they know their environments and are prepared to tackle ever-evolving security threats.

The post More than a quarter of companies expect to be breached in next 6 months appeared first on IT SECURITY GURU.