Category Archives: Endpoint Management

Think Your Network Is Safe? If You Don’t Have Visibility Into Hardware Vulnerabilities, Think Again

If you follow basic security best practices and quickly patch software issues as they arise, you may think your network is safe from cyberthreats. But think again.

Although the number of reported software vulnerabilities is growing year to year, it’s hardware vulnerabilities that can be even more difficult to fix and can cause extensive damage to enterprise networks. With attack surfaces growing and cybercriminal tactics becoming more dangerous and sophisticated by the minute, security teams can’t afford to neglect hardware flaws.

Security operations center (SOC) analysts need full visibility into Common Vulnerabilities and Exposures (CVE) and other sources of vulnerability data to effectively identify, manage and remediate hardware vulnerabilities. Let’s explore some steps you can take to achieve this visibility and plug security gaps before threat actors can exploit them to breach your network.

Assess Your Inventory to Gain Visibility Into Hardware Vulnerabilities

The first step is to understand your infrastructure. Collect key data on your hardware and software, such as central processing unit (CPU) vendor and model, microcode revision, firmware and basic input/output system (BIOS) version, motherboard vendor and model, and a list of connected devices. These attributes will help you understand the potential impact of a widely publicized hardware vulnerability like Meltdown or Spectre and build a response plan accordingly.

If hardware is impacted, it may be very difficult to fix the problem: the flaw lives in the silicon, so it cannot be patched out of systems that have already shipped. Often the only viable mitigation is a software workaround in the operating system or a microcode or firmware update from the vendor, and the two frequently have to be deployed together to be effective. Hardware issues occur at the chip level and regularly require collaboration between hardware and software vendors. Therefore, you need a consolidated view into your hardware and software inventory to assess the exposure level of any hardware vulnerability and know which machines already have the mitigating patch or microcode applied.
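As a concrete illustration of the inventory step, here is an added example (not code from the original post) that builds the consolidated record described above for one Linux host: CPU vendor, model and microcode revision from /proc/cpuinfo, BIOS and board identity from the DMI tree under /sys/class/dmi/id, and the kernel's per-flaw status files under /sys/devices/system/cpu/vulnerabilities, which report whether the running kernel and microcode mitigate each known CPU vulnerability. The file paths are the standard Linux interfaces; the sample file contents are constructed so the example runs offline, and the record layout is this example's own choice.

```python
"""Consolidated hardware record for one Linux host: CPU vendor/model and
microcode revision from /proc/cpuinfo, BIOS and board identity from the DMI
sysfs tree, and the kernel's per-vulnerability status files, which say for
each known CPU flaw whether the running kernel/microcode mitigates it.

Added example, not code from the original post. Assumes a Linux host that
exposes the standard interfaces named below; the sample contents at the
bottom are constructed for offline use.
"""
import glob
import json
import os

CPUINFO_PATH = "/proc/cpuinfo"
DMI_DIR = "/sys/class/dmi/id"
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
DMI_KEYS = ("bios_version", "board_vendor", "board_name")


def parse_cpuinfo(text):
    """Pull vendor, model name and microcode revision from the first
    processor block of /proc/cpuinfo text (every core reports the same)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # a blank line ends the first block
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "cpu_vendor": fields.get("vendor_id", "unknown"),
        "cpu_model": fields.get("model name", "unknown"),
        "microcode": fields.get("microcode", "unknown"),
    }


def exposed_flaws(status_by_name):
    """status_by_name maps a sysfs file name ('meltdown', 'mds', ...) to its
    one-line status. Anything starting with 'Vulnerable' is still exposed;
    'Mitigation: ...' and 'Not affected' are not."""
    return sorted(name for name, status in status_by_name.items()
                  if status.strip().startswith("Vulnerable"))


def build_record(cpuinfo_text, dmi, vuln_status):
    """Join the three sources into one inventory record for this host."""
    record = parse_cpuinfo(cpuinfo_text)
    for key in DMI_KEYS:
        record[key] = dmi.get(key, "unknown")
    record["vulnerable_to"] = exposed_flaws(vuln_status)
    record["needs_attention"] = bool(record["vulnerable_to"])
    return record


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""                      # absent or unreadable (e.g. in a container)


def collect_live():
    """Read the real files on this host and build its record."""
    dmi = {key: _read(os.path.join(DMI_DIR, key)).strip() for key in DMI_KEYS}
    vuln = {os.path.basename(p): _read(p) for p in glob.glob(os.path.join(VULN_DIR, "*"))}
    return build_record(_read(CPUINFO_PATH), dmi, vuln)


# Constructed sample input; the status strings follow the kernel's wording.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz\n"
    "microcode\t: 0xd6\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: GenuineIntel\n"
)
SAMPLE_DMI = {"bios_version": "1.12.0", "board_vendor": "ExampleBoards", "board_name": "EB-1000"}
SAMPLE_VULN = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode",
    "l1tf": "Not affected",
}

if __name__ == "__main__":
    print(json.dumps(build_record(SAMPLE_CPUINFO, SAMPLE_DMI, SAMPLE_VULN), indent=2))
```

Run across a fleet, the vulnerable_to list and needs_attention flag give the SOC exactly the per-machine exposure view the post calls for, and the microcode and bios_version fields tell you which hosts still need the vendor update rather than only the OS patch.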

Identify Reliable Sources of Vulnerability Data

Once you know what hardware and software you have deployed, the next step is to correlate the inventory data with reliable sources of vulnerability data. Data normalization is a known challenge during this phase, and you may choose to either build your own solution or invest in a ready-made application programming interface (API) enriched with vulnerability information. But even with automation, manual work is often required to further enrich this vulnerability data with hardware attributes, assess the impact and prioritize the response accordingly.

Fulfill Your SOC Team’s Need for Speed

To mount a worthy fight against the growing number of cyberthreats amid a growing industrywide skills gap, SOC teams need a solution that addresses their need for speed. If you’re ready to step up to the challenge of hardware vulnerability management, it’s time to shift from a reactive to a proactive approach to endpoint security. Improved visibility into your hardware vulnerabilities is the key to taking that next step.

The post Think Your Network Is Safe? If You Don’t Have Visibility Into Hardware Vulnerabilities, Think Again appeared first on Security Intelligence.

5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.
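The following added example (not from the original article) shows the baseline logic above in working form: it groups outbound byte counts by hour of day across a week, so after-hours traffic is compared with other after-hours traffic rather than with the business-day average, and then applies both a high and a low threshold to new observations. The week of samples, the byte volumes and the three-standard-deviation band are constructed assumptions; in practice the counts would come from your flow collector or firewall logs.

```python
"""Hour-of-day traffic baseline with high and low thresholds.

Added example, not code from the original post. It assumes you already have
per-hour outbound byte counts for each monitored segment (from a flow
collector or firewall logs); the week of samples below is constructed so
the example runs offline.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_baseline(samples):
    """samples: iterable of (datetime, bytes_out). Group by hour of day across
    all days present, so 03:00 is compared with other 03:00s and not with the
    business-hours average. Returns {hour: (mean, population stdev)}."""
    by_hour = defaultdict(list)
    for ts, bytes_out in samples:
        by_hour[ts.hour].append(bytes_out)
    return {
        hour: (statistics.fmean(vals), statistics.pstdev(vals) if len(vals) > 1 else 0.0)
        for hour, vals in by_hour.items()
    }


def classify(baseline, ts, bytes_out, k=3.0, floor=1_000_000):
    """Return 'high', 'low' or None for one observation. The band is k standard
    deviations either side of the hour's mean, but never narrower than `floor`
    bytes, so an hour that was almost constant during baselining cannot alarm
    on trivial noise."""
    mean, stdev = baseline[ts.hour]
    band = max(k * stdev, floor)
    if bytes_out > mean + band:
        return "high"
    if bytes_out < mean - band:
        return "low"
    return None


def detect(baseline, observations, k=3.0):
    """Return [(ts, bytes_out, 'high'|'low')] for every observation outside its band."""
    hits = []
    for ts, bytes_out in observations:
        verdict = classify(baseline, ts, bytes_out, k)
        if verdict:
            hits.append((ts, bytes_out, verdict))
    return hits


def constructed_week():
    """Seven days of hourly counts: ~50 MB/h from 09:00 to 18:00, ~2 MB/h after
    hours, with deterministic +/-200 KB jitter. Constructed data, not a capture."""
    start = datetime(2018, 11, 5)
    samples = []
    for day in range(7):
        for hour in range(24):
            base = 50_000_000 if 9 <= hour < 18 else 2_000_000
            jitter = (((day * 7 + hour) % 5) - 2) * 100_000
            samples.append((start + timedelta(days=day, hours=hour), base + jitter))
    return samples


# A new day's observations (constructed): a normal mid-morning hour, a 3 a.m.
# burst the size of a bulk exfiltration, and an afternoon hour that went quiet.
OBSERVATIONS = [
    (datetime(2018, 11, 12, 10), 50_100_000),
    (datetime(2018, 11, 12, 3), 800_000_000),
    (datetime(2018, 11, 12, 14), 500_000),
]

if __name__ == "__main__":
    for ts, b, verdict in detect(build_baseline(constructed_week()), OBSERVATIONS):
        print(f"{ts:%a %H:%M} {b:>12,d} bytes -> {verdict}")
```

The low threshold matters as much as the high one: a segment that suddenly goes quiet in the middle of the afternoon may mean a logging agent or a monitored service has been disabled, not that the business closed early.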

2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. To keep their actions concealed, attackers will attempt to alter or delete entries in log files, or inject fake ones. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Forward logs off the host as they are written, to a collector the monitored host cannot write back to, and transfer old log files to a restricted zone on your network. An attacker who gains root on a server can rewrite whatever is still local, but not a copy that already left the box; this also preserves the data and creates space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.
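To make the first two bullets concrete, here is an added example (not code from the original post) that runs tamper checks over a few constructed log lines from a POS host. It assumes the forwarding agent stamps each line with a monotonically increasing sequence number and ships a running SHA-256 chain value to the collector; both are design choices of this example, not a standard log format. The structural check flags missing or duplicated entries and a clock that runs backwards; the chain check tells you, after the fact, which entry was first altered or removed.

```python
"""Two checks for the log-tampering signs listed above: structural anomalies
in a stream (missing or duplicated sequence numbers, timestamps that run
backwards) and an off-host hash chain that makes any later edit, deletion or
insertion detectable.

Added example, not code from the original post. Assumes the forwarding agent
numbers each line with a monotonically increasing sequence and ships a running
SHA-256 chain value to the collector (this example's design, not a standard
format). The log lines below are constructed.
"""
import hashlib
from datetime import datetime

# Constructed sample: a backup account gets a root shell, auditd is stopped
# (entry 3 is missing, entry 4 appears twice), then the clock jumps backwards.
SAMPLE_LOG = """\
1 2018-12-24T22:58:01Z pos-07 sshd[412]: Accepted publickey for svc_backup from 10.20.4.15
2 2018-12-24T22:58:14Z pos-07 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash
4 2018-12-24T22:59:40Z pos-07 systemd[1]: Stopped auditd.service
4 2018-12-24T22:59:40Z pos-07 systemd[1]: Stopped auditd.service
5 2018-12-24T21:30:00Z pos-07 sshd[412]: Connection closed by 10.20.4.15
"""


def parse(line):
    """'<seq> <ISO-8601 UTC> <host> <message>' -> (seq, datetime, rest)."""
    seq, stamp, rest = line.split(" ", 2)
    return int(seq), datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), rest


def find_anomalies(text):
    """Flag gaps, duplicates, reused sequence numbers and clock reversals.
    Returns a list of (seq, reason) in stream order."""
    findings = []
    prev_seq = prev_ts = None
    seen = set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        seq, ts, _ = parse(raw)
        is_dup = raw in seen
        seen.add(raw)
        if is_dup:
            findings.append((seq, "duplicate entry"))
        elif prev_seq is not None and seq <= prev_seq:
            findings.append((seq, "sequence number reused or out of order"))
        if prev_seq is not None and seq > prev_seq + 1:
            findings.append((seq, f"gap: {seq - prev_seq - 1} entry(ies) missing"))
        if prev_ts is not None and ts < prev_ts:
            findings.append((seq, "timestamp earlier than previous entry"))
        prev_seq, prev_ts = seq, ts
    return findings


def chain(lines, seed=b""):
    """Running SHA-256 over the stream: h_i = SHA256(h_{i-1} || line_i).
    The agent ships each h_i with its line; the collector keeps them where the
    monitored host cannot write. Returns the hex chain values."""
    h = hashlib.sha256(seed).digest()
    out = []
    for line in lines:
        h = hashlib.sha256(h + line.encode("utf-8")).digest()
        out.append(h.hex())
    return out


def verify_chain(lines, recorded):
    """Recompute the chain over the lines now on disk and compare with what the
    collector recorded. Returns the 0-based index of the first entry whose chain
    value differs (a truncated file reports its new length), or None if intact."""
    current = chain(lines)
    for i, (now, then) in enumerate(zip(current, recorded)):
        if now != then:
            return i
    if len(current) != len(recorded):
        return min(len(current), len(recorded))
    return None


def demo():
    """Intact file verifies; editing the sudo line is caught at index 1."""
    original = SAMPLE_LOG.splitlines()
    recorded = chain(original)                          # held by the collector
    tampered = list(original)
    tampered[1] = tampered[1].replace("svc_backup : ", "operator : ")
    return verify_chain(original, recorded), verify_chain(tampered, recorded)


if __name__ == "__main__":
    for seq, reason in find_anomalies(SAMPLE_LOG):
        print(f"seq {seq}: {reason}")
    print("chain check (intact, tampered):", demo())
```

The chain is only worth anything if the recorded values live somewhere the monitored host cannot write, which is also the reason to forward logs as they are generated rather than batch-copying them later.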

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. A load balancer on its own will not absorb a volumetric DDoS attack, because by the time the flood reaches it the traffic is already on your network edge; that part of the defense belongs to upstream scrubbing or content delivery capacity. What a load balancer does do is keep legitimate requests flowing to healthy servers, throttle or drop abusive clients before they reach the origin and take failed nodes out of rotation, which is what stops an attack from cascading into storewide POS outages. With a well-coordinated DDoS attack, a malicious actor could otherwise shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Absorbing a traffic flood by hand is an imposing undertaking, but a load balancer automates much of it: health checks pull failing servers out of rotation, connection and rate limits cap what any one client can consume, and traffic shifts to whatever capacity is still healthy.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and limit the damage a DDoS attack can do to your organization’s operations or web presence.
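The following added example (not code from the original article) models the three behaviours the tips above attribute to a load balancer: a per-client token bucket that throttles a flood before it reaches the origin, round-robin over the healthy members of a pool, and path-based routing that keeps public traffic on customer-facing pools and refuses internal paths outright. Pool names, paths and the 10 requests per second limit are assumptions for the demo; a hardware or virtual appliance does the same with its health checks feeding the healthy set.

```python
"""Front-door dispatcher modelling what a load balancer does for a retail site:
per-client rate limiting, health-aware distribution over a pool, and path-based
routing that keeps public traffic off internal paths.

Added example, not code from the original post, and a simplified model of a
real appliance; pool names, paths and limits are assumptions for the demo.
"""
from itertools import count


class TokenBucket:
    """Allow at most `rate` requests per second per client, with bursts up to
    `capacity`. `now` is a monotonic timestamp in seconds supplied by the caller."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Pool:
    """Round-robin over the members currently marked healthy; a health checker
    would add/remove names from `healthy` as probes pass or fail."""

    def __init__(self, members):
        self.members = list(members)
        self.healthy = set(members)
        self._rr = count()

    def pick(self):
        live = [m for m in self.members if m in self.healthy]
        if not live:
            return None
        return live[next(self._rr) % len(live)]


class Dispatcher:
    def __init__(self, pools, routes, denied_prefixes, rate=10.0, burst=10):
        self.pools = pools                  # pool name -> Pool
        self.routes = routes                # [(path prefix, pool name)], most specific first
        self.denied = tuple(denied_prefixes)
        self.rate, self.burst = rate, burst
        self.buckets = {}                   # client ip -> TokenBucket

    def route(self, client_ip, path, now):
        """Return (verdict, backend) where verdict is 'forbidden', 'rate_limited',
        'unavailable' or 'ok'. Internal paths are refused before any other work."""
        if path.startswith(self.denied):
            return "forbidden", None
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return "rate_limited", None
        for prefix, pool_name in self.routes:
            if path.startswith(prefix):
                backend = self.pools[pool_name].pick()
                return ("ok", backend) if backend else ("unavailable", None)
        return "forbidden", None            # no matching route: fail closed


def build_demo():
    """Storefront and checkout pools (assumed names), internal paths denied."""
    pools = {
        "storefront": Pool(["web-1", "web-2", "web-3"]),
        "checkout": Pool(["pay-1", "pay-2"]),
    }
    routes = [("/checkout", "checkout"), ("/", "storefront")]
    return Dispatcher(pools, routes, denied_prefixes=("/admin", "/internal"), rate=10.0, burst=10)


def simulate_flood(dispatcher, client_ip, n, now):
    """n requests from one client at the same instant; returns how many got through."""
    return sum(dispatcher.route(client_ip, "/", now)[0] == "ok" for _ in range(n))


if __name__ == "__main__":
    d = build_demo()
    print("admin from public:", d.route("203.0.113.5", "/admin/users", 0.0))
    print("flood of 100, passed:", simulate_flood(d, "198.51.100.9", 100, 1.0))
    d.pools["storefront"].healthy.discard("web-1")
    print("after web-1 fails:", [d.route("192.0.2.1", "/products", 10.0 + i)[1] for i in range(3)])
```

Note the fail-closed default: a path with no route is refused rather than forwarded to whichever pool happens to be listed first, which is the “forbidden areas” point in the third tip above.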

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.

The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

Endpoint Management Missteps in the ‘Die Hard’ Franchise: Viewing a Holiday Favorite Through a Cybersecurity Lens

“Die Hard” is likely the greatest Christmas movie of all time — especially when viewed from an endpoint management perspective. Perhaps you prefer the classic “It’s a Wonderful Life” or, more controversially, “A Christmas Prince.” But it’s hard to argue with the fact that the 1988 heist movie starring Bruce Willis delivers some real thrills.

“Die Hard” has everything: a high-stakes hostage situation, four sequels and loads of snappy dialogue. Nothing inspires holiday cheer like full-screen explosions and a barefoot underdog hanging by his fingertips in an elevator shaft. And if you know what to look for, the films are also packed with Internet of Things (IoT) vulnerabilities, social engineering and user governance failures.

“Die Hard” was almost certainly created with the primary purpose of delivering pure VHS entertainment. However, it unintentionally explores some IT questions that are still relevant 30 years later, such as how to implement strong endpoint security — or how not to. A December marathon of all five “Die Hard” films makes for surprisingly valuable endpoint management research for contemporary cybersecurity professionals.

What Can ‘Die Hard’ Teach Us About Endpoint Management?

As the Nakatomi Corporation staff is celebrating on Dec. 24, the building security guard is shot by a team of terrorists. Within minutes, the sole hacker on the team, Theo, has used the security guard’s computer to commandeer rudimentary smart systems — elevators, doors and surveillance — to nearly steal $640 million in bearer bonds.

“Die Hard” wasn’t written for an audience of cybersecurity professionals 30 years in the future, and few details are given about the hacking methods used. Theo is portrayed as a one-dimensional character: an agreeable genius who can solve any puzzle in seconds, from escalating privileges to drilling vaults. When asked if he can do the impossible, he beams affirmatively at the lead terrorist Hans:

“You didn’t bring me along for my charming personality.”

Sure, it was the 1980s, but Nakatomi Corporation’s endpoint sins set the whole film in motion. If the security guard’s computer had been protected with stronger user authentication and the building’s smart systems were segregated, perhaps even hacking genius Theo couldn’t have launched a $640 million heist with a few clicks.

Fast-Forward to Today’s IoT Risks

In the 1990 sequel, “Die Hard 2: Die Harder,” a team led by former special forces colonel William Stewart remotely hacks into the air traffic control system of Washington D.C.’s Dulles Airport. Stewart’s team turns off all airport lights and cuts in-flight communications. The fourth installment, 2007’s “Live Free or Die Hard,” features a financially motivated cyberattack on FBI financial databases. The same hackers later crack the communication systems of an F-35B Lightning II fighter jet and use social engineering tactics to impersonate a flight controller.

These plot twists are brought to you by the same IoT risks we face today in an increasingly smart and interconnected world. In late July, IBM X-Force presented research on four common smart city devices that revealed 17 security vulnerabilities, including nine critical flaws. The same week, researcher Ruben Santamarta shared vulnerabilities in satellite communication (SATCOM) equipment that could potentially disable in-flight communications for commercial aircraft.

IoT adoption has soared since 1990, and attacks have grown with it. According to a Ponemon Institute report titled “The Internet of Things (IoT): A New Era of Third-Party Risk,” 21 percent of organizations reported data breaches related to unsecured IoT devices this year, and cyberattacks involving IoT devices increased by 5 percent between 2017 and 2018.

The IoT security failures in the “Die Hard” franchise are, first and foremost, narrative tools. Had the company known how to implement stronger endpoint security, audiences wouldn’t be able to enjoy hours of explosions and near-misses. Still, it is worth wondering why those IoT threats remain more relevant today than the hairstyles sported by the franchise’s cast members.

There Are No Endpoint Management Miracles

“For many of us, Christmas films are as much a part of the psychological and emotional preparation for the season as mince pies and mulled wine,” wrote Natalie Haynes of the BBC. She argued that the formula that defines a great Christmas film is more complex than films designed to evoke heartwarming feelings.

One theme that unites many movies we return to each December is the idea of miracles — and the triumph of NYPD cop John McClane over many terrorists on Christmas Eve in Nakatomi Plaza is nothing short of miraculous.

While viewing the “Die Hard” franchise through an endpoint security lens is a strictly optional exercise, there’s value in considering how such an incredible movie could have ended in the first 30 minutes if the building had taken the time to implement stronger endpoint security. As it turns out, these decades-old exploits resemble vulnerabilities that persist in the enterprise today.

Trust-based authentication or biometrics, behavioral analytics, and embedded security for IoT devices could have allowed Bruce Willis’s heroic character to enjoy Christmas with his family instead of fighting evil in bare feet. But then we would’ve missed out on so many ageless one-liners.

“Now I have a machine gun, ho-ho-ho.”

The post Endpoint Management Missteps in the ‘Die Hard’ Franchise: Viewing a Holiday Favorite Through a Cybersecurity Lens appeared first on Security Intelligence.

As Mobile Security Challenges Mount, How Can CIOs and CISOs Eliminate Blind Spots?

If we’ve learned anything this year, it’s that mobile malware, malvertising and phishing attacks are growing. Organizations of all sizes and industries are at risk, and IT and security leaders responsible for managing endpoints and mobile security are well aware that their organizations’ data, customer privacy and brand reputation — just to name a few — are in the crosshairs of threat actors who stand to gain more than they have to lose.

Security professionals are looking for effective approaches to seek out and destroy mobile malware as it becomes more advanced and diverse, and as incidents become more common. With phishing, man-in-the-middle (MITM) and data exfiltration attacks on the rise, it’s never been more critical to cover all our bases and educate end users. And let’s not forget that threats come from all directions, not just the outside. In fact, employees are often the weakest link: workers are notorious for consuming massive amounts of data and inadvertently subjecting their organizations to legal and regulatory compliance violations.

A Short List to Start Your Mobile Security Strategy

With so many distinct challenges to contend with, where can chief information security officers (CISOs) and chief information officers (CIOs) even begin to prioritize? At a minimum, these stakeholders should answer the following questions as soon as possible:

  • With mobile devices growing in number and variety, how can we achieve adequate protection at a granular level?
  • How do we enforce compliance for device users without disrupting their level of productivity and interoperability with internal and external stakeholders?
  • As employees demand anytime-anywhere accessibility from the devices of their choosing, how do we ensure that the right, authorized users are getting the exact access they are entitled to?

In crafting appropriate responses and action plans to address these questions, it’s abundantly clear that modern enterprise security challenges demand a deeper level of visibility, policy and protection. Fortunately, there are modernized approaches available to simplify and streamline this process.

Unify Your Approach to Endpoint Management

Unified endpoint management (UEM) is foundational to the success of modernized endpoint and mobile security. UEM allows organizations to take a consistent management approach to view, manage and protect any device — whether it’s a smartphone, tablet, laptop or desktop — all from one place. Beyond devices, UEM gives IT teams an effective means to:

  • Manage user identity and access;
  • Deliver mission-critical applications;
  • Make crucial content accessible for collaboration; and
  • Grant secure access to enterprise resources and data.

An optimal unified endpoint management platform will be rich with artificial intelligence (AI) insights, actionable information and contextual analytics that allow administrators to discover risks and opportunities related to their environment — and offer appropriate guidance to prioritize and overcome challenges in as few steps as possible.

To maximize the security of your endpoint and mobile environment, your UEM solution should make it easy to configure and enforce policies at a granular level. Administrators should be able to detect when an unapproved application is installed on a device, when user behavior seems suspicious or when a risky URL is clicked. Furthermore, it should be simple to automate the type of response that occurs when that type of incident occurs.

Add Effective Threat and Data Management

Beyond assurance that your devices, users, applications, content and data are secure, organizations need to ensure that they can identify and respond to threats before they make an impact. Most of the phishing and malware attacks we read about in the news have already occurred. To reduce the number of these incidents, organizations need to be able to recognize and respond to threats in the moment. If you do not have an appropriate framework to determine which of your devices have malware on them — or whether there’s a cybercriminal targeting your critical assets — the time is now to get the appropriate strategy and tools in place.

Last, but no less important, is data. Data has proven to be a double-edged sword for IT and security teams: its accessibility is essential for business productivity, yet the more broadly it is accessible, the more it costs to protect, and the less that access is governed, the more exposure a single compromised device or account creates. Thus, appropriate strategies and investments ensure that:

  • Data consumption is measured and controlled;
  • Conditional access to applications, content and resources is enforced; and
  • Browsing behavior is monitored and maintained.

A Partnership for Total Mobile Threat Prevention

To help organizations rise above these very real security challenges, Wandera and IBM MaaS360 with Watson joined forces to deliver enhanced visibility, policy and protection.

According to Roy Tuvey, co-founder and president of Wandera, this partnership “enables IT leaders to effectively understand and manage mobile risk. The joint solution delivers unprecedented visibility on the endpoint and in the mobile network, allowing for a deeper assessment of mobile threats and fine-tuned policy actions to defend against them. We are excited to be collaborating with IBM MaaS360 with Watson to eliminate mobile blind spots and equip customers with the tools they need to fully embrace mobility as a business enabler.”

Join experts from IBM and Wandera for an upcoming live webinar at 1 p.m. EST on Dec. 4 to learn more about this exciting collaboration and see a live demonstration of new platform integrations and capabilities.

The post As Mobile Security Challenges Mount, How Can CIOs and CISOs Eliminate Blind Spots? appeared first on Security Intelligence.

New Ransomware Strain Evades Detection by All but One Antivirus Engine

Researchers discovered a new strain of Dharma ransomware that is able to evade detection by nearly all of the antivirus solutions on the market.

In October and November 2018, researchers with Heimdal Security uncovered four strains of Dharma, one of the oldest ransomware families in existence. One of the strains slid past a total of 53 antivirus engines listed on VirusTotal and 14 engines used by the Jotti malware scan. Just one of the security scanners included in each of those utilities picked up on the strain’s malicious behavior.

In its analysis of the strain, Heimdal observed a malicious executable dropped through a .NET file and another associated HTML Application (HTA) file that, when unpacked, directed victims to pay a ransom amount in bitcoin.

How Persistent Is the Threat of Ransomware?

The emergence of the new Dharma strain highlights ransomware’s ongoing relevance as a cyberthreat. Europol declared that it remains the key malware threat in both law enforcement and industry reporting. The agency attributed this proclamation to financially motivated malware attacks increasingly using ransomware over banking Trojans, a trend that it anticipates will continue for years to come.

Europol identified this tendency despite a surge in activity from other threats. For example, Comodo Cybersecurity found that crypto-mining malware rose to the top of detected malware incidents in the first three months of 2018. In so doing, malicious cryptominers supplanted ransomware as the No. 1 digital threat for that quarter, according to Comodo research.

Defend Against New Malware Strains With Strong Endpoint Security

Security professionals can help keep ransomware off their networks by using an endpoint management solution that provides real-time visibility into their endpoints. Experts also recommend using tools that integrate with security information and event management (SIEM) software to streamline responses to potential incidents.

Sources: Heimdal Security, Europol, Comodo Cybersecurity

The post New Ransomware Strain Evades Detection by All but One Antivirus Engine appeared first on Security Intelligence.