
Chaos Engineering: the Point of Adding Bugs on Purpose

Chaos engineering is a kind of contradiction: it works against the very system it is protecting in order to build an environment that is more resilient and more secure. How does it work? How is introducing errors useful and how does it help to secure the digital environment? Understanding this discipline can lead to substantial improvements.

What is it?

The concept of chaos engineering is based on four principles defined by Netflix. These principles consist of defining a “stable” state, making a hypothesis of the state that will follow, introducing variables that reflect events true to reality, and trying to break the hypothesis (in that order).

Through a series of tests, characteristics of the infrastructure, such as availability, security, and performance, are assessed. The goal is to resolve problems in these distributed systems in order to bolster recovery capabilities for the entire system. This means, in short, getting structures that withstand extreme conditions.
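As an added example (not code from the original post, nor from Netflix's Simian Army or any Panda product), here are the four steps above run as one loop against a toy replicated service; the `health_checked` flag is a hypothetical stand-in for the load-balancer behaviour the experiment is meant to probe:

```python
import random
from dataclasses import dataclass

# Success rate that, for this toy service, defines the "stable" state (step 1).
STEADY_STATE_MIN = 0.99


@dataclass
class Replica:
    name: str
    healthy: bool = True


class Service:
    """Toy replicated service behind a load balancer. With health checks on, the
    balancer routes only to healthy replicas; with them off (the weakness the
    experiment is meant to expose) it keeps sending traffic to dead ones."""

    def __init__(self, n_replicas, health_checked):
        self.replicas = [Replica(f"web-{i}") for i in range(n_replicas)]
        self.health_checked = health_checked

    def success_rate(self, n_requests, rng):
        """Fraction of requests that land on a healthy replica."""
        if self.health_checked:
            pool = [r for r in self.replicas if r.healthy]
        else:
            pool = self.replicas
        if not pool:
            return 0.0
        ok = sum(rng.choice(pool).healthy for _ in range(n_requests))
        return ok / n_requests


def kill_random_replica(service, rng):
    """Step 3, the variable that reflects a real event: one instance dies."""
    alive = [r for r in service.replicas if r.healthy]
    if alive:
        rng.choice(alive).healthy = False


def restore_all(service):
    """Undo the injected fault so the experiment leaves no lasting damage."""
    for r in service.replicas:
        r.healthy = True


def run_experiment(service, seed=0, n_requests=10_000):
    """Steps 1-4: measure the steady state, state the hypothesis (step 2:
    'the service stays stable while one replica is dead'), inject the fault,
    and try to disprove the hypothesis (step 4). Aborts without injecting
    anything if the system is not stable to begin with."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    baseline = service.success_rate(n_requests, rng)
    if baseline < STEADY_STATE_MIN:
        return {"aborted": True, "baseline": baseline,
                "observed": None, "hypothesis_holds": None}
    kill_random_replica(service, rng)
    try:
        observed = service.success_rate(n_requests, rng)
    finally:
        restore_all(service)  # always roll the fault back, even on error
    return {"aborted": False, "baseline": baseline, "observed": observed,
            "hypothesis_holds": observed >= STEADY_STATE_MIN}


if __name__ == "__main__":
    for health_checked in (True, False):
        result = run_experiment(Service(3, health_checked))
        print(f"health checks {'on ' if health_checked else 'off'}: {result}")
```

With health checks off, the dead replica keeps receiving a third of the traffic, so the hypothesis is disproved and the weakness is found before a real outage does it for you.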

Resilience and “antifragility”

The concept of chaos engineering is only understood if we understand the definition of “antifragility”, a term coined by Nassim Nicholas Taleb. This is the precursor concept of chaos engineering and, in turn, is based on resilience. Resilience is defined as the ability to absorb disturbances. These disturbances are caused by stressors, or stress factors, that trigger destabilization.

It is a concept widely used in living organisms (ecology, physiology, psychology, etc.) and refers to the ability to overcome problems actively and adapt to the situation. “Antifragility” goes beyond resilience since it implies the evolution of a system, which would be able to grow from the stress to which it has been subjected to adapt to new failures.

Panda Adaptive Defense is a tool that keeps a close eye on the principles of antifragility and adds resilience to the company, while increasing visibility into the state of the corporate network.

The Simian Army

Taking all this into account, large companies such as Netflix or Amazon see in chaos engineering the possibility of testing their infrastructure to make their systems more mature and increasingly robust — and also more evolved. In short, more resilient. Since performing an analysis and correcting a problem in a repetitive and escalating way is a very difficult task, they use heuristic strategies focused on prioritizing decision-making aimed simply at resolving problems.

Thus, Netflix, for example, uses its own suite of applications called the Simian Army, which tests the stability of its network. Simian Army has more than a dozen stressors that test the system in various ways. Security Monkey, for example, is just one “piece” of the Simian Army. It implements a security strategy for cloud-computing platforms based on chaos engineering.

How can chaos engineering help companies?

The first question is, why should a company consider using chaos engineering?

Implementing a strategy based on chaos engineering helps to build the antifragility of a platform, including meeting the control objectives and requirements of PCI-DSS in case of audits. Thus, any company could benefit greatly from implementing a tool such as Security Monkey in its security strategy.

This would require a controlled “chaosification” of the platform, which could consist of actions such as: disabling SG (Security Group) rules, modifying files at random, listening on random ports, injecting malicious traffic into the VPC (Virtual Private Cloud), randomly killing running processes… and the list of havoc-wreaking actions could go on.

Thanks to this tool (or strategy), deeper visibility into the consequences of attacks can be achieved with the intention of improving defenses. This, in the long run, is the basis of a more mature and reliable system, capable of recovering from attacks and reducing losses in the face of a serious security incident, something that should be mandatory for any high-availability service.

The post Chaos Engineering: the Point of Adding Bugs on Purpose appeared first on Panda Security Mediacenter.

6 Things We Should Have Learned in 2017

This past year we bore witness to the sophistication of cyberattacks and their vertiginous growth. If we look at what happened in security in 2017, there are quite a few lessons that we should heed to, especially for businesses. These six lessons will help us to avoid making the same mistakes this year.

  1. Our response to incidents is as important as preventing them

One of the most important events of last year was the Uber incident. It came to light that Uber had concealed the fact that data corresponding to 57 million users had been pirated at the end of 2016. As the Uber CEO acknowledged, the criminals downloaded a database from servers used by Uber containing the personal information of users (name, email, and phone number) and data relating to 600,000 drivers in the United States. To prevent the attack from coming to light, the company paid the hackers $100,000.

The data theft at Equifax was the biggest hack of sensitive personal data in history. An organized group of cybercriminals took advantage of a security breach within their web application to steal information on 143 million customers, taking their social security numbers, postal addresses and even driving license numbers.

Whereas failure to notify users of the breach led to some legal entanglement for Uber (made worse by their payout to hackers), in the case of Equifax, their inconsistent statements about the vulnerability and their post-breach lack of commitment to consumers demonstrate a highly unprofessional approach.

To avoid situations like these, it is crucial for security updates to be a part of your business strategy — and notifying authorities, though unpleasant, should always be the first step to take after a breach. What happened at Uber can also teach us another lesson: sharing credentials via code is not such a great idea. This bad practice is what gave hackers access to the servers, having obtained the credentials thanks to the code that Uber developers published on GitHub.
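As an added illustration of that last lesson (not code from the original post or from any Panda tool), a minimal scanner of the kind a pre-commit hook runs to catch credentials before they are pushed; the source it scans is a constructed sample, and the AWS key in it is the public documentation example value:

```python
"""Minimal hardcoded-credential scanner (illustrative, written for this article)."""
import math
import re
from collections import Counter

# Credential shapes to look for. The AWS access key ID format (AKIA followed by
# 16 uppercase alphanumerics) is public documentation; the assignment pattern
# is generic and relies on the entropy check below to cut down on noise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random-looking secrets score high,
    while dictionary words and placeholders such as 'changeme' score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_number, rule, matched_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Comments and environment lookups are not leaks (heuristic skip).
        if stripped.startswith("#") or "os.environ" in stripped:
            continue
        for m in PATTERNS["aws_access_key_id"].finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in PATTERNS["generic_assignment"].finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "generic_assignment", value))
    return findings


# Constructed sample: lines 2 and 3 are the kind of leak described above,
# line 5 is a low-entropy placeholder that the entropy filter drops.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "q8Zt2#Lp9vWx4mRk"
# password = "not a real one"
admin_password = "changeme"
api_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```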

  2. Attacks are not just a matter of malware

Not everything is ransomware (although, if you follow cybersecurity in the media, it may sometimes feel that way). With malwareless attacks, attackers assume the identity of the administrator after having obtained their network credentials using non-malicious tools on the company’s devices. Malwareless attacks are sure to be a trend in 2018, so we would do well to learn from these cases.

PandaLabs detected a case in which the attackers used Sticky Keys to sneak through the back door, accessing the computer without entering credentials. This remote access can then be monetized by generating online traffic that can be sold to third-party websites or by auctioning access to the compromised machines. Another example is the use of PowerShell for cryptocurrency mining.

To combat these attacks, advanced tools combined with Threat Hunting methods based on user behavior are essential. By monitoring the corporate network in real time and gaining visibility into the activity on each endpoint, we can discover which legitimate tools are being abused and protect our companies.

  3. Secure passwords do not have to be hard to remember

Despite the suggestions of Bill Burr, which for years governed the policy of password creation in the online environment, a secure password should not be difficult to remember. This year we learned that even those that combine alphanumeric, uppercase and lowercase, and special characters can often be guessed by a computer. Given that human behavior is predictable, computer algorithms allow cybercriminals to detect weaknesses and patterns, and with them they manage to decipher our passwords.

In 2017, we witnessed a radical change in the recommendations of the National Institute of Standards and Technology (NIST) for creating a secure password. Now we are encouraged to use compound sentences with random words that are easy for us to remember; that way, a bot or a computer cannot crack the password by means of countless combinations. The password, then, can still be easily remembered by the user, but it will be difficult for a cybercriminal to decipher it.
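The random-word approach in practice, as an added example that is not from the original post: the wordlist is a constructed sample (a real deployment would use a large published list), and the 7,776-word size used in the comparison is that of common diceware-style lists.

```python
"""Random-word passphrases versus short 'complex' passwords (illustrative code)."""
import math
import secrets

# Constructed sample wordlist. The size of the list matters as much as the
# number of words drawn, as passphrase_bits() shows.
SAMPLE_WORDS = [
    "anchor", "basket", "canyon", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quiver", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def generate_passphrase(words, n_words=5, separator="-"):
    """Draw n_words uniformly at random (with replacement) using the CSPRNG in
    `secrets`, never `random`, so the choice is unpredictable to an attacker."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty wordlist")
    return separator.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(wordlist_size, n_words):
    """Entropy of n_words random words drawn from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def charset_password_bits(charset_size, length):
    """Entropy of a truly random password over a character set. Human-chosen
    'complex' passwords fall well below this because of predictable patterns,
    which is the weakness the text above describes."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"8 random chars from 94 symbols: {charset_password_bits(94, 8):.1f} bits")
    print(f"6 random words from 7,776:      {passphrase_bits(7776, 6):.1f} bits")
    print(f"years to exhaust the latter at 1e10 guesses/s: "
          f"{years_to_exhaust(passphrase_bits(7776, 6)):.0f}")
```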

  4. The malware tries to go unnoticed

Malware is growing exponentially. PandaLabs registered 15,107,232 different malware files that had never been seen before. Only a small part of the total malware is truly widespread. That is, most malware changes every time it infects, so each copy has a very limited distribution and always tries to go unnoticed.

Having a limited life, the malware attacks the smallest possible number of devices to reduce the risk of being detected. In this sense, it is essential to choose an advanced cybersecurity platform to recognize and respond to attacks in real time.

  5. Be quick to implement patches

When it comes to patches, it’s never too early. The idea is to implement a method of action according to the characteristics of the architecture of our company (its systems, services and applications) in which we evaluate the implications of patching (or failing to patch). Once this is taken into account, acting quickly is essential. Equifax, to give just one example, was first attacked in May 2017 because they hadn’t patched a vulnerability detected in March.

  6. Neglecting Shadow IT can be very expensive

The systems, solutions and devices used in a company, but which have never been explicitly recognized by the organization, are known as Shadow IT. This enemy in the shadows represents an overwhelming number of blind spots for the security of the company, since it is very difficult to protect something whose existence we aren’t even aware of. According to an EMC study, annual losses caused by Shadow IT reach up to 1.7 trillion dollars. Therefore, it is necessary to design affordable policies that cover the needs of workers, preventing them from resorting to unauthorized solutions. Prioritizing security awareness and evaluating why users turn to applications and tools not provided by the company could even help to improve workflows.

To start the year on the right foot, we can take 2017, internalize it, and move forward. External threats continue to grow, so our attention to basic tasks and lessons learned should do so in turn.


How Did Cyberattacks Evolve in 2017?

Cyberattacks have never seen such a degree of sophistication in the hands of criminals. Unfortunately, 2017 was a terribly prolific year for ill-intentioned hackers, and though cybersecurity may be evolving, attack techniques are evolving even faster. How will we rise to the challenge going into the new year?

Ransomware, the star of the show

As we analyzed in the PandaLabs Annual Report for 2017, what has become clear is that extortion and cyber hijacking were the main avenues of attack for the year. This past year marked a milestone with the expansion of two major attacks whose names will remain engraved in history: WannaCry and Petya/Goldeneye.

The first was especially impactful. With hundreds of thousands of computers infected and unusable, WannaCry was a global crisis for companies who found themselves blackmailed by cybercriminals. Other important attacks of 2017 related to ransomware were Reyptson, Leakerlocker, Osiris, and WYSIWYE. And the list goes on.

NotPetya, a variant of Goldeneye, had clear political motives, aiming to disable critical systems in Ukraine, according to the Ukrainian authorities. It spread exponentially via a security gap in the MeDoc update service, taking advantage of the EternalBlue exploit.

But we shouldn’t lose sight of “traditional” DDoS attacks that continue to be widely used, as well as the proliferation of all types of malware, whose activities can be linked to half of the security breaches suffered this past year.

More attacks and better techniques

Due to the proliferation of “tools” on the black market, attacks have become increasingly sophisticated. The democratization of technology and the rise of open source solutions have provided an incredible opportunity for cybercriminals.

Now, practically anyone can buy specialized malware to perform a ransomware attack for a few hundred dollars on the black market. This was the case of WYSIWYE, an interface for setting up an RDP (Remote Desktop Protocol) attack using brute force to gain access to user credentials. Once inside the network, the tool’s user can encrypt the content and subsequently extort the company for a ransom.

Penetration through the Remote Desktop Protocol (or RDP) has become a very common method of infiltrating systems. In 2017, the Trj/RDPPatcher Trojan was discovered, capable of modifying the Windows registry with the intention of changing the type of validation used by RDP. It collects system information and connects to the command and control (C&C) server to decide how best to evade the system’s antivirus.

The backdoor discovered in the CCleaner software, known as HackCCleaner, which compromised more than two million users before analysts became aware that their application had been infected, is another example of a technically sophisticated and well-organized attack.

A new era in cyberwarfare

As the efficiency of attacks and number of techniques increase, so does the interest of companies, government entities, and home users in maintaining effective cybersecurity practices. New groups of cybercriminals were discovered that take advantage of the increased availability of hacking tools. (See, for example, the case of “Eye Pyramid”, an espionage ring that had broad influence in Italy).

Other criminal organizations choose to obtain consumer information to pirate content. Especially important are the leaks related to large companies and producers such as Netflix or Marvel.

This means that millions of gigabytes of personal data are endangered day after day despite efforts to prevent it. This is the consequence of an increasingly complex and rapidly evolving struggle, where many countries are making important bets on cybersecurity while at the same time the technological fabric stretches to include the Internet of Things (IoT), where connected cars, refrigerators, and an endless cornucopia of other devices will become part of the ever-growing battlefield.


Key Points to Understanding the Changeover to WPA3

On October 16 of last year, the Wi-Fi Protected Access 2 protocol, known more commonly as the WPA2, fell out of favor after a long tenure as the standard wireless network security protocol. A serious vulnerability was revealed, effectively putting an end to the WPA2 era.

Now, with the new year freshly begun, the Wi-Fi Alliance® has announced a substitute for WPA2. It bears the name of WPA3. The announcement was made at the CES in Las Vegas. What changes will this new protocol bring about? And how will this problem (and its solution) affect businesses and end users?

WPA2 is no longer secure

As Mathy Vanhoef of the Key Reinstallation Attacks (KRACK) group said at the time, a series of errors in the core of the WPA2 protocol can expose Wi-Fi connections to attacks. This means that, through a newly discovered exploit, an attacker could access the network, as well as all the traffic exchanged with every access point.

The group designed a proof of concept demonstrating that breaking the security of WPA2 to access the network is neither expensive nor complex. This endangers virtually any modern Wi-Fi network, including the vast majority of corporate networks. Since the security breach was made public, several entities, including the Wi-Fi Alliance®, have worked to patch the problem as soon as possible.

What changes will the WPA3 bring?

According to its developers, four new features based on the principles of WPA2 (configuration, authentication, and encryption) will be added to WPA3. One of them will offer more robust protection even when users choose their own passwords and fail to comply with complexity recommendations.

Another feature is that it will simplify the security configuration process for devices that have a limited or no display interface.

A third will help strengthen user privacy in open networks through individualized data encryption. This could be done, according to some experts in the sector, through Opportunistic Wireless Encryption (OWE), a type of encryption without authentication.

Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm Suite (or CNSA) of the National Security Systems Committee, will further protect Wi-Fi networks with higher security requirements, such as those associated with Government, Defense, or industry.

Why is it more secure than WPA2?

WPA2 uses what is known as a four-way handshake, which guarantees that both users and access points use the same password when they join a Wi-Fi network. This same process is used by the exploit to access network traffic. However, WPA3 will use a new type of handshake, which will not be vulnerable to brute-forcing.

That, together with the new 192-bit security suite and the use of individualized encryption to secure the connection between each device on the network and the router, makes WPA3 the long-awaited solution, one that was needed even before the vulnerability became public.

How does it affect companies?

The fact that WPA and WPA2 are present in virtually all Wi-Fi connections means that the vast majority of companies are affected by a serious vulnerability. Why? Because all existing Wi-Fi connections are susceptible to being accessed and spied on. This can be a critical problem for the company.

This also implies that 41% of Android devices, as reported last October, are vulnerable to a particularly “devastating” variant of the attack that exploits the vulnerability of WPA2. This makes them possible vectors to inject malicious code and perform all types of attacks, including ransomware, so the combination of Android devices plus WPA2 can be potentially harmful to the company’s network.

For the moment, the announcement of WPA3 is already out in the open, and we will soon see a massive adoption of this new protocol. Meanwhile, you can stay vigilant by controlling network traffic and avoiding wireless connections where possible — certainly a tall order in this hyper-connected digital age, but not impossible.


Your Company Suffered 130 Security Breaches in 2017

The number of cyberattacks worldwide is growing at a dizzying pace. The latest to come to mind is Bad Rabbit, but there have been many others. This number goes hand in hand with the growing economic impact of cybercrime, as underlined by the recent report of Accenture and Ponemon Institute “2017 Cost of Cybercrime”.

The number of security breaches increased by 27%

Since the beginning of this study, in 2009, the number of cyberattacks has grown year by year. But the pace from 2016 to 2017 has been dramatic: companies were successfully attacked 130 times on average. One of the main reasons for this high number was undoubtedly the pair of WannaCry and NotPetya.

The economic consequences of these and other security breaches, and the investment required to combat them, have meant an average cost for companies in excess of 11.7 million dollars.

Time is money

The study notes something that may seem quite obvious: the longer it takes to find a solution, the greater the economic impact of cybercrime. And the bad news is that, in general terms, that time interval is increasing. Although security officers have been able to respond more aggressively to DDoS and web-based attacks (twenty-two and sixteen days respectively), they increasingly need more time to implement mitigating measures for cyberattacks that use malware (fifty-five days vs. forty-nine as of 2016). Malicious software attacks, in particular, were the most costly for companies, reaching 2.4 million dollars.

Five keys to increasing the level of security in your company

The negative effects of a cyberattack can vary widely: data theft, reputation crises, economic losses, irreparable damage to equipment and technical infrastructure, etc. So it is important to take into account a series of measures to increase your company’s level of protection and minimize the impact of cybercrime.

  • Prioritize critical assets: It is unrealistic to think that the company can be one-hundred percent protected. An effective security plan is able to identify which assets are fundamental to the operation of the company and strengthen their defenses.
  • Build awareness with your employees: The protection of the company depends, to a certain extent, on their decisions. Properly training your company’s workforce reduces, for example, the risk of suffering a social engineering attack.
  • Implement advanced cybersecurity solutions: These tools allow you to anticipate the malicious behavior of threats and to activate protection systems even before the malware is executed. For example, thanks to the continuous monitoring of all processes and the advanced prevention, detection and remediation capabilities of Panda Adaptive Defense, none of the clients equipped with our solution was affected by Bad Rabbit.
  • Make backups: Your company doesn’t only need backup copies; the data contained in these backups is critical and, therefore, must be protected correctly. Among other measures, these backup copies should only be accessed by those who expressly need it and access passwords should be sufficiently robust.
  • Have a coordinated security strategy: On numerous occasions, cybercrime is a form of organized crime. The defense must also be coordinated and highly organized.

The number of security incidents and the economic impact of cybercrime will continue their upward trend. It’s time to start thinking of cybersecurity as an investment, and not an expense.


From 1980 to 2018: How We Got to the GDPR

In 1980, the Organization for Economic Cooperation and Development, or OECD, established frameworks to protect privacy and personal data. From then until now, we have experienced several profound changes in legislation, notably the EU Data Protection Directive. Now in 2018, the General Data Protection Regulation, or GDPR, will begin to take on its true value, as May of this year will be when the adaptation period will be over.

The first moves toward a data protection law

The development of the OECD Guidelines, stemming from the need to adapt the already obsolete OEEC, was the first step to committing the thirty-five participating countries to mutual respect and clarity in the transfer of information.

As the importance of the Internet and data grew and became global, the OECD guidelines established the first comprehensive personal data protection system in all its member states.

These guidelines were based on eight principles to ensure that the interested party was notified when their data were collected; that this data was used for the stated purpose and for nothing else; that, in addition, these purposes were defined at the time of collection; that their data would not be disclosed without their consent; that the data record be kept secure; that the interested party be informed of everything; that they could access their data and make corrections; and, finally, that the interested party had at their disposal a method to hold the data recorder accountable for not following said principles.

And then came the data protection framework

In 1995, it was time to update the regulation of personal data and its management. Directive 95/46/EC of the European Union, also known as DPD, or Data Protection Directive, was a step forward that included the eight OECD guidelines and extended the application in a context where privacy was much more important.

But the fundamental change was in the legal section. Specifically, the OECD guidelines consisted of the Council’s recommendations regarding the guidelines that govern the protection of privacy and the cross-border flow of personal data, and were therefore non-binding.

Directive 95/46/EC changed this aspect, providing more concise definitions and specific areas of application. Although the directive itself is not binding for citizens, the member states had to transpose it into local law before 1998. This modification was also intended to create administrative homogeneity and an equal legal framework for all member states.

Adopting the GDPR

Despite the considerable efforts involved in the implementation of the Data Protection Directive, in just a decade the progress proved to be insufficient. One of the main criticisms of the previous directive was the limited control of the interested parties over their data, which includes their transfer outside the European area.

This directly involves multinationals and large companies that were able to take advantage of the deficient framework of the previous directive for their own interests. To resolve this, in 2016 the adoption of the General Data Protection Regulation, or GDPR, was approved.

Since then, and until May 2018, everyone has had time to adapt to the regulations. The most remarkable thing about the GDPR is that, unlike the previous directives, it does not require local legislation, homogenizing, once and for all, legislation regarding protection within the member states and companies that work with EU citizens’ information, inside and outside of this region.

Is your company ready?

The European Union foresees that the application of the GDPR will entail sanctions of up to twenty million euros or 4% of turnover of the previous period for non-compliance. Now that we are in the final stretch, it is worth determining whether our company is prepared to meet the challenges.

All companies that collect and store the personal data of their employees, customers and suppliers residing in the EU are affected. This is important if we take into account that 80% of the data handled by the organizations is unstructured.

The increase of confidential data stored in an array of databases puts protection in the spotlight. Cyberattacks could lead to a serious sanction. Good practices in Data Security Governance are the key to mitigating these risks and ensuring compliance.

Luckily we have tools such as Panda Adaptive Defense and Panda Adaptive Defense 360, which have a Data Control module to help with such tasks. This tool is specialized in simplifying the management of this personal data, since it discovers, audits and monitors in real time the complete life cycle of these files. And do not forget that keeping up with the GDPR is an active and meticulous process, but one which can be simplified and automated with the right help. Don’t wait until May!


2017 in Figures: The Exponential Growth of Malware

2017 was especially hectic for cybercrime, especially when it comes to malware and its offshoots. The increased number of attacks and, above all, the professionalization of the techniques used by cybercriminals has been at the root of malware’s exponential proliferation. In 2017 alone (according to data collected up to September 20), PandaLabs registered 15,107,232 different malware files that we had never seen before. But the total number of new malware is much higher — up to 285,000 new malware samples every day.

It makes perfect sense that the top 10 of malware files in our cloud includes names like WannaCry, the ransomware that caused havoc in business networks around the world, and a version of CCleaner, installed by more than two million users. But in addition to the trends that have been making headlines everywhere, what conclusions can we draw about the state of malware in 2017? We discuss the essentials in PandaLabs’ Annual Report.

Malware’s Attempt to Go Unnoticed

Upon reviewing the figures, we see that of the 15,107,232 files registered, 99.10% have been seen only once. That is, 14,972,010 files. We have only seen 989 malware files on more than 1,000 computers, 0.01%. This corroborates what we already knew: namely, that aside from a few exceptions — such as the abovementioned WannaCry or HackCCleaner — most malware changes every time it infects, so each copy has a very limited distribution.

This year’s data makes it clear that although there are many more types of malware, each of them infects only a few devices individually. By attacking the minimum number of possible devices, each specimen reduces the risk of being detected and fulfils its purpose: to go unnoticed and ensure the attack’s success.

In any case, the total number of new malware samples (15 million) is not so relevant when it comes to calculating risk. What really affects us is the frequency with which we can individually confront the malware itself. To evaluate this risk, PandaLabs measured only those malware infection attempts that were not detected by signatures or by heuristics.

Recommendations for a Malware-free 2018

Following these tips will help reduce the risk of becoming a victim of malware:

  • Think before you click: do not access links sent to you by strangers.
  • Avoid downloading applications from unreliable sources.
  • Do not wait until tomorrow — keep up with system updates.
  • Use strong passwords to protect your identity.
  • Choose an advanced cybersecurity platform.

Our protection technologies improve and are updated as the amount of malware grows, which is why we are able to detect the threats that other solutions cannot. Panda Adaptive Defense is keeping up with threats and offers the market the services and tools needed to face whatever awaits in 2018. We’re ready to take on the new year!
