Author Archives: Japonica Jackson

What Defines a Cyber Insurgency?

“A fool pulls the leaves. A brute chops the trunk. A sage digs the roots.” – Pierce Brown

The western world is currently grappling with a cyber insurgency. The widespread adoption of the “kill-chain” coupled with the use of memory resident malware has fueled the cyber-attack wildfire. The security architectures mandated by regulators and standards bodies are collapsing. History does repeat itself. One should study the evolution of insurgencies to better grasp the nature of cybersecurity in 2018.

In the Red Rising Trilogy, Pierce Brown introduces a military tactic that could only work in a world where humans live on multiple planets and asteroids. We won’t spoil the book completely (go read the series, it’s awesome) but for the purposes of this blog an Iron Rain can be defined as a mass invasion tactic. Enemy fleets gather outside the atmosphere of a planet and use pods or other drop ships to launch an unbelievably overwhelming military force on a planet’s populace.

It’s overwhelming. It’s instant, and if you misreact you are doomed to fall to the Iron Rain. Just like with cyberattacks. It must be stated that attacks are not standalone, and in many cases they are simply part of a larger “Iron Rain” effort. If you follow the strategy behind most nation state attacks you quickly start to realise that these efforts resemble insurgency tactics more than they do standard military ones.

What defines a cyber insurgency?

The Department of Defense Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (Washington, DC: U.S. Government Printing Office [GPO], 12 April 2001), defines an insurgency as “an organised movement aimed at the overthrow of a constituted government through the use of subversion and armed conflict.”

In cyber terms: “an organised movement aimed at the disruption of cyber systems through subversion and armed cyber conflict.”

The goals of the cyber insurgency may vary; however, the following conditions must exist for a cyber insurgency:

  1. You must have a common entity or authority against whom your actions are directed.
  2. You must have the tools of cyber insurrection themselves, and the systems to launch attacks against the entities.
  3. The cyber insurgents must be willing to use cyber force against their targets. This element distinguishes a cyber insurrection from activity carried out for intelligence gathering purposes.

As a former U.S. Marine, we were taught to think differently. We were taught to think like the enemy and take it to them when needed. The Marines have a history of doing more with way less; we take pride in it. Just like InfoSec teams. Over the last few years it has become apparent that our enemies are emboldened and becoming more aggressive. We must shift thinking and tactics to begin to turn the tide. Just like every battlefield Marine. Intel changes, things move fast and people’s lives are at risk.

It is fundamental that cybersecurity professionals take a page from the annals of irregular or low intensity warfare to better understand how to combat this threat. This article is meant to begin an open discussion on how we as defenders can best modernise our strategies of cybersecurity. Many of the strategic tenets below are derived from The Marine Corps Counter Insurgency Manual or FM 3-24 MCWP 3-33.5 and adapted to the world of cyber.

To effectively discuss cyber insurgencies, we must discuss the idea of irregular warfare.

Low intensity warfare, or irregular warfare, is a violent struggle among state and non-state actors for legitimacy and influence over the relevant populations. Irregular warfare favours indirect approaches, though it may employ the full range of evasion and other capacities in order to erode an adversary’s prevention, detection, and response capabilities.

When counter insurgents attempt to defeat an insurgency, they employ a range of diverse methods. Leaders must effectively arrange these diverse methods in time and cyberspace to accomplish strategic objectives. The various combinations of these methods with different levels of resourcing provide each team with a wide range of strategic options to defeat an insurgency.

“Effective cyber counterinsurgency operations require an understanding of not only available cyber security capabilities but also the capabilities of the adversary.”

The tasks counter insurgents perform in countering an insurgency are not unique. It is the organisation of these tasks in time and space that is unique. For example, financial organisations may employ a strategy to align and shape efforts, resources, and tasks to support strategic goals and prepare for specific attacks on their institution. In support of this goal, good strategies would normally emphasize security cooperation activities, building partner capacity and sharing threat intelligence.

Business leaders and security leaders must have a dialogue to decide the optimal strategy to meet the security needs of the organisation the team is supporting. Different capabilities provide different choices that offer different costs and risks.

Unified action is essential for all types of involvement in any counterinsurgency. Unified action is the synchronisation, coordination, and/or integration of the activities of entities with cyber security operations to achieve unity of effort. Your organisation must have a unified approach to cyber operations.

We must begin to think collectively as an organisation. The time for siloed decisions is over. The time for unified action is here and we must unify our strategies to combat the ongoing cyber insurgency. On 19th July, we will be releasing the Cb Quarterly Incident Response Threat Report (QIRTR), where we survey dozens of our IR and MDR partners on ground truth in cyber. The results will be of interest to you and your organisation. Stay tuned!

The post What Defines a Cyber Insurgency? appeared first on IT SECURITY GURU.

Amazon Prime Day: 60% increase in cloud transactions impact business apps

Amazon Prime Day took place this week, with the retailer claiming that the first 10 hours grew even faster than the first 10 hours on the same day in 2017, exceeding the £766m ($1bn) in sales globally. According to reports, spending jumped 89 percent in the first 12 hours of the event compared to the same period last year.

Zscaler released its own data, which reveals the number of Amazon transactions taking place in the Zscaler cloud from Monday 16th July at 1am BST to end of the day Tuesday 17th July. The data revealed there were 60 percent more cloud transactions to Amazon.com on Prime Day than seen in the Zscaler cloud on a typical day. You can see the network traffic spikes in the graph attached.

Matt Piercy, vice president and general manager EMEA at Zscaler, commented on the results, noting that as businesses increasingly move their infrastructure to the cloud, these daytime spikes have a reduced impact on business applications:

“Our data indicates that, during Amazon Prime Day, Amazon traffic in the Zscaler cloud rose considerably during the working day, with tens of millions more people visiting Amazon.com than usual over the two days. The growing popularity of retail events like Amazon Prime Day means people are likely going to find ways of shopping while at work, which can have a significant impact on network bandwidth – something that has traditionally posed a problem for the IT team. Indeed, as more businesses adopt BYOD policies, we’re finding a growing number of personal as well as corporate devices connected to the WLAN. Online shopping to this extent can hamper the performance of business critical applications, such as file sharing, backup, and Office 365.

“The truth is, however, that the modern enterprise will incur network spikes, planned or not, that will put a strain on network resources. Whether it’s Amazon Prime Day or another popular sale such as Black Friday/Cyber Monday, unexpected demand for a product, or even an oversubscribed employee webcast, network spikes are no longer an anomaly – they’ll happen. The good news is that we are on the cusp of a new era for business. More and more enterprises are moving their infrastructure to the cloud, which offers a level of elasticity that businesses have not previously experienced. By embracing digital transformation, enterprises no longer need to buy new appliances, install virtual machines or block major retail events like Amazon Prime to accommodate spiked traffic.”


Cyber Security Incidents: Insider Threat falls in UK (to 65%) and Germany (to 75%) post GDPR, but US risk increases (to 80%)

New research by data security company Clearswift has shown that, year on year, cyber security incidents from those within the organisation, as a percentage of all incidents, have fallen in the UK and Germany, two countries now under the ruling of GDPR. However, in the United States, a country outside of the direct jurisdiction, threats are on the rise.

The research surveyed 400 senior IT decision makers in organisations of more than 1,000 employees across the UK, Germany, and the US. The data has revealed that when looking at the true insider threat, which takes into account inadvertent and malicious threats from the extended enterprise – employees, customers, suppliers, and ex-employees – this number sits at 65% in the UK, down from 73% in 2017. Similarly, senior IT decision makers in Germany also saw a drop to 75%, down from 80% the previous year. US respondents actually saw a rise in the insider threat to 80%, up from 72% in 2017.

Direct threats from an employee within the business – inadvertent or malicious – now make up 38% of incidents. This halts the rise evident in 2017 and 2015, which showed 42% and 39% respectively. Threats from ex-employees account for 13% of all cyber security incidents, highlighting a clear need for better processes when employees part ways.

“Although there’s a slight decrease in numbers in the EMEA region, the results once again highlight the insider threat as being the chief source of cyber security incidents. Three quarters of incidents are still coming from within the business and its extended enterprise, far greater than the threat from external hackers. Businesses need to shift the focus inwards”, said Dr Guy Bunker, SVP Products at Clearswift.

“I think at the very least what GDPR has done is ensure firms have a better view of where critical data sits within their business and highlighted to employees that data security is an issue that is now of critical importance, which may be why we’ve seen a drop in the insider threat across EU countries. If a firm understands where the critical information within the business is held and how it is flowing in and out of the network, then it is best placed to manage and protect it from the multitude of threat vectors we’re seeing today.”

Although internal threats pose the biggest threat to most organisations, employers believe that the majority (62%) of incidents are accidental or inadvertent rather than deliberate in intent; a number that is slightly down on 2017 (65%).

The insider threat was slightly less for companies with over 3,000 employees (36%), as opposed to those with between 1,000 – 3,000 employees. This is a possible indication of more robust internal processes and checkpoints at larger businesses.

Bunker added, “Organisations need to have a process for tracking the flow of information in the business and have a clear view on who is accessing it and when. Businesses need to also ensure that employees ‘buy into’ the idea that data security is now a critical issue for the business. Educating them on the value of data, on different forms of data, what is shareable and what’s not, is crucial to a successful cyber security strategy.

“Having said that, mistakes can still happen and technology can act as both the first and last line of defence. In particular, Adaptive Data Loss Prevention solutions can automatically remove sensitive data and malicious content as it passes through a company network.”

UK School Software Bug Assigns Kids to the Wrong Parents

IT firm Capita has come clean about a bug in the software it supplies to UK schools that has been mismatching kids with the wrong families since December 2017. According to a message sent to school administrators this week, the bug affects the Schools Information Management System (SIMS), a type of software used by UK schools to keep track of students, their grades, classes, and parent information.

ORIGINAL SOURCE: Bleeping Computer

New Gmail feature could open more users to phishing risks: Government officials

Google is rolling out a sweeping redesign of its popular Gmail service, but federal cybersecurity authorities warn that a key new feature on the system could make its 1.4 billion users more susceptible to dangerous phishing attacks that compromise users’ vital personal information.

ORIGINAL SOURCE: ABC News

Securing real-time payments with tokenization

For banks, direct debit (ACH) fraud represents a bigger financial risk than card fraud. In particular, growing momentum for real-time payment schemes across the world is creating huge opportunities for fraudsters and placing increasing pressure on banks and clearing houses, who now have only seconds instead of days to identify fraudulent transactions.

There are various security approaches available to banks in the fight against fraud, but tokenization has already proved successful in protecting in-store and online card payments, with all the major payment systems, digital wallets and original equipment manufacturers adopting the technology.

By replacing unique sensitive information or data with a context-specific proxy, tokenization can significantly reduce the risk and impact of account-based fraud and foster safe, secure real-time payment initiatives across the world.

Adding tokenization to the real-time security mix

Financial institutions already deploy various techniques to prevent and mitigate ACH fraud.

Banks coordinate with agencies such as OFAC (Office of Foreign Assets Control) in the US and OFSI (Office of Financial Sanctions Implementation) in the UK to share intelligence and monitor suspicious entities or actions.

At a more practical level, out-of-pattern activity monitoring identifies irregular or unusual transactions, transaction limits help prevent high-value fraud, and ACH block services aim to root out unauthorized senders and recipients.

But it is old-fashioned manual review that continues to be a mainstay of bank processes. According to research from the Federal Reserve Bank of Minneapolis, 83% of banks in the US use this as a primary line of defense. This is simply not compatible with real-time payments and banks recognize the inherent limitations, with 43% admitting it was “somewhat effective or ineffective”.

Tokenization is not a silver bullet. Rather, it is a process that should be considered as complementary to all existing anti-fraud measures, adding another robust layer of security and bringing unique benefits.

Mitigating account-based fraud

It is a hostile world, and for many organisations data breaches are more a case of ‘when’, not ‘if’.

Payment account tokenization mitigates the impact of data breaches when they are attempted, as sensitive account information is not stored in its raw form. This reduces the risk of stolen account numbers being used to commit transactional fraud, for example.

Similarly, control parameters limit how tokens can be used. So, if a token can only be used to pay a monthly direct debit to a specific merchant, it cannot then be used fraudulently to perform several person-to-person transactions on the same day.

Importantly, as an underlying single account credential can have multiple tokens associated with it supporting specific use-cases, banks can tailor the controls and limits they wish to put in place. If one is compromised, it can be quickly and easily replaced without impacting the main account credential or other associated tokens.

Faster, safer, easier

Tokenization as a technology is suitable to support multiple payment use cases via a single system, ensuring emerging commercial models and the ability to adapt to new requirements are not constrained by an inflexible security framework.

Also, tokens route normally through the payments systems and networks, so consumers and businesses can send and accept payments as normal with no change in authorizations. Depending on the system and token usage, tokens can be formatted and validated in the same way as the original credential, allowing non-disruptive use in an existing ecosystem to enable the swift onboarding of member financial institutions. And for new services, the token format can be simplified for frictionless use by the consumer.

For payment account tokenization to be effective, however, the infrastructure must be implemented at a systemic level.

This means Central Banks and Automated Clearing Houses have a crucial role to play in tokenizing the account numbers and managing the token vault – the centralized and highly secure server where the issued tokens and the account numbers they represent are stored.
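The vault and control parameters described above can be modelled in a few lines. This Python example is added here for illustration and is not code from the article or from any payment scheme; the class names, policy fields, payee identifiers and account number are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date


@dataclass
class TokenPolicy:
    """Control parameters bound to one token (field names are hypothetical)."""
    payee: str              # the only payee this token may pay
    max_amount_pence: int   # per-transaction ceiling
    max_uses_per_day: int   # velocity limit


@dataclass
class _Entry:
    account: str
    policy: TokenPolicy
    active: bool = True
    uses: dict = field(default_factory=dict)  # date -> number of uses


class TokenVault:
    """In-memory stand-in for the centrally operated token vault."""

    def __init__(self):
        self._entries = {}

    def issue(self, account, policy):
        # Same length and character set as the account number, so the token
        # passes existing format checks; drawn from a CSPRNG so it reveals
        # nothing about the account it stands for.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in account)
            if token != account and token not in self._entries:
                break
        self._entries[token] = _Entry(account, policy)
        return token

    def authorise(self, token, payee, amount_pence, today):
        """Return (account, "ok") on success or (None, reason) on refusal."""
        entry = self._entries.get(token)
        if entry is None or not entry.active:
            return None, "unknown or revoked token"
        policy = entry.policy
        if payee != policy.payee:
            return None, "payee not permitted for this token"
        if amount_pence > policy.max_amount_pence:
            return None, "amount over token limit"
        if entry.uses.get(today, 0) >= policy.max_uses_per_day:
            return None, "daily use limit reached"
        entry.uses[today] = entry.uses.get(today, 0) + 1
        return entry.account, "ok"

    def replace(self, token):
        """Revoke a compromised token and issue a new one with the same policy."""
        entry = self._entries[token]
        entry.active = False
        return self.issue(entry.account, entry.policy)


def demo():
    vault = TokenVault()
    account = "12345678"  # constructed sample account number
    day, next_month = date(2018, 7, 20), date(2018, 8, 20)
    dd = vault.issue(account, TokenPolicy("GYM-LTD", 5000, 1))
    p2p = vault.issue(account, TokenPolicy("FRIEND-01", 20000, 3))
    results = {
        "direct_debit": vault.authorise(dd, "GYM-LTD", 3500, day),
        # A stolen direct-debit token is useless for paying anyone else.
        "stolen_for_p2p": vault.authorise(dd, "MULE-ACCT", 3500, day),
        "second_same_day": vault.authorise(dd, "GYM-LTD", 3500, day),
    }
    new_dd = vault.replace(dd)
    results["old_after_replace"] = vault.authorise(dd, "GYM-LTD", 3500, next_month)
    results["new_after_replace"] = vault.authorise(new_dd, "GYM-LTD", 3500, next_month)
    # Replacing one token leaves the account's other tokens untouched.
    results["other_token"] = vault.authorise(p2p, "FRIEND-01", 1000, day)
    return results
```

Only the vault ever maps a token back to the account number, so a breach at a merchant or processor that stores tokens yields credentials that are bound to one payee and can be revoked individually.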

Account-based tokenization beyond security

The main aim of tokenization is to protect account credentials to increase security.

There is an opportunity for banks, though, to take a wider view on the strategic use and potential of tokenization. Account-to-account based payment services, such as mobile payments and P2P, are increasingly popular following the introduction of regulation such as PSD2. Banks can use tokenization as a means to build stronger trust with customers through the provision of ever-simpler and seamless account-to-account payments.

Nozomi Networks teams up with IBM to Answer Demand for Integrated IT/OT Cyber Security

With Operational Technology (OT) attacks on the rise, Nozomi Networks and IBM earlier this week announced that they have teamed up to bring industrial organizations around the world easier access to deep OT network visibility and continuous threat detection. The news follows recent warnings from various bodies – including the UK’s NCSC and the US’ DHS and FBI – of an increased threat to critical infrastructures which could potentially cause damage far beyond the obvious economic impact.

Speaking about this partnership in a blog post, Kim Legelis, Nozomi Networks’ CMO, said, “We have an existing relationship with IBM having previously teamed up on joint customer engagements, so it makes perfect sense to extend the relationship to address the converging need for IT and OT cyber security.

“In fact, our solution provides the common platform for IT and OT to monitor cyber and reliability risks. For OT, Nozomi Networks technology provides a no-process-risk solution that delivers comprehensive visibility to all ICS assets, rapid identification of threats, policy violations and reliability risks. For IT, it offers complete visibility to OT networks, consolidated information from multiple industrial facilities through a single monitoring tool, faster troubleshooting of OT incidents and seamless integration with QRadar and other IT applications.”

Paul Garvey, Vice President, IBM Security Asia Pacific adds, “Our clients are deeply concerned about escalating threats and cyber risks to critical infrastructure and industrial operations. By partnering with Nozomi Networks, our customers immediately gain market-leading OT network monitoring and threat detection technology that is fully integrated with key IBM security services and platforms such as QRadar. This partnership makes it simple and fast for our customers to improve the visibility and cyber security of industrial networks through the largest global security provider.”

The new Nozomi Networks QRadar solution is available for download on the IBM X-Force App Exchange. It provides deep visibility to OT network and assets and real time monitoring of cyber security threats and risks.

The live-streaming app displays events detected by Nozomi Networks SCADAguardian. The dashboard header provides important details at a glance – highlighting the number of events with a magnitude of 7+, the most used protocol and the most seen event name. Graphical charts provide details on event source and destination IP, while the most recent events are displayed in a live streaming list. The dashboard also supports drill down for deeper event investigation.

RSA Conference Japan

Nozomi Networks is also collaborating with IBM at the RSA Conference being held in Singapore July 24. Through a pre-conference workshop and an integrated IBM/Nozomi Networks IT/OT cyber security demo, RSA attendees will be able to see the solution’s deep industrial network visibility, non-intrusive monitoring, continuous threat detection and intelligent threat hunting capabilities firsthand.

Kaspersky Report: $10 Million in Ether Stolen Through Phishing Last Year

A new report from Kaspersky Lab claims that cybercriminals are turning to cryptocurrency as a domain for scams and frauds. The schemes target ICO investors, who are perhaps vulnerable as they are seeking to invest money to begin with. “Kaspersky Lab experts have exposed a relatively new fraudulent trend: the development of cryptocurrency is not only attracting investors, but also cyber-criminals seeking to boost their profits,” reads the report.

ORIGINAL SOURCE: Unhashed

WordPress Sites Targeted in World Cup-Themed Spam Scam

Spammers are using a ‘spray & pray’ approach to post comments on WordPress-powered blogs and forums, says Imperva. WordPress-powered websites are being targeted in a comment spam campaign designed to get users to click on links to sites offering betting services on the 2018 FIFA World Cup games.

ORIGINAL SOURCE: Dark Reading

‘Data is a fingerprint’: why you aren’t as anonymous as you think online

In August 2016, the Australian government released an “anonymised” data set comprising the medical billing records, including every prescription and surgery, of 2.9 million people.

ORIGINAL SOURCE: The Guardian

Cylance Unveils “Cylance Smart Antivirus;” AI-Powered Antivirus for Consumers

Cylance Inc., the leading provider of AI-driven, prevention-first security solutions, today launched Cylance Smart Antivirus, AI-powered antivirus software designed specifically for consumers. By extending the enterprise-grade AI of CylancePROTECT into the home, Cylance provides internet users with next-generation security software that proactively predicts and blocks never-before-seen threats.

More than 350,000 new pieces of malware are created every day, and traditional consumer antivirus software simply can’t keep pace with today’s security reality. Existing solutions rely on reactive, signature-based technologies that slow down systems, bombard users with pop-up notifications, and require some form of breach in order to begin detecting malware. The exponential growth of malicious code, especially zero-day threats and ransomware, requires more innovative and thoughtful solutions to adequately—and effectively—protect end-users.

To help consumers stay ahead of bad actors, Cylance Smart Antivirus provides predictive security to spot and block threats before they have a chance to run, without affecting device performance or disrupting the user.

“Consumers deserve security software that is fast, easy to use, and effective,” said Christopher Bray, senior vice president, Cylance Consumer. “The consumer antivirus market is long overdue for a groundbreaking solution built on robust technology that allows them to control their security environment.”

With Cylance Smart Antivirus, everyday internet users now have the option to purchase next-generation software built on artificial intelligence. Many people have experience with legacy products that are only as good as their last update. Such tools require extensive manual interactions such as downloads, installations, reboots, and scans. Cylance Smart Antivirus is a game-changer by offering an easy set-it-and-forget-it security experience that gives consumers true peace of mind and ease of use. Key features include:

  • Predictive threat prevention: With its AI-driven approach, Cylance Smart Antivirus is designed to proactively stop malicious threats, including complex malware variants.
  • Minimal impact on performance: Cylance Smart Antivirus runs silently and constantly without noticeable degradation of device performance, diminishing the constant pop-ups, scan requests, and bloatware features that characterize existing AV solutions.
  • Effortless user experience: Easy to install and manage, Cylance Smart Antivirus automatically updates in the background for a set-it-and-forget-it security experience. Users can get up and running in minutes, without unnecessary updates or reboots.
  • Visibility: Cylance Smart Antivirus empowers the technical expert in any family with full awareness and control of the security status of all devices regardless of device location. An easy-to-use web dashboard lets users set alerts if an attack has been blocked, monitor the status of protected devices, and view lists of malicious files blocked on each device.
  • Simple pricing: Cylance Smart Antivirus offers fair and transparent pricing. Unlike many vendors that steeply discount the first year of usage only to surprise consumers with auto-renewals at much higher rates, Cylance discounts subsequent years of use to encourage and reward long-term security hygiene.


Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More

Hackers have breached the website of VSDC, a popular company that provides free audio and video conversion and editing software. Three different incidents have been recorded during which hackers replaced the download links on the VSDC website with links that initiated downloads from servers operated by the attackers.

ORIGINAL SOURCE: Bleeping Computer