Category Archives: Expert Comments

Half Of US Retailers Have Seen A Data Breach This Year

Following research from Thales eSecurity that has revealed that 50 per cent of US retailers have experienced a breach in 2018, up from 19 per cent last year, Ross Rustici, Senior Director of Intelligence Services at Cybereason, explains why this increase has occurred.

Ross Rustici, Senior Director of Intelligence Services at Cybereason:

“This jump is most likely a result of two district trends. First, more retailers are rapidly expanding their use of IT to support their business which creates new risk that is a relative unknown to the organization. Second, last year was underreported. As these companies move to more comprehensive data and IT systems, the technical knowledge within the company and the security capabilities generally increase along with it. This allows the companies to gain greater visibility into their environments and catch activity that has always been there. This is likely a case of a spike in new detections not a spike in new activity.”

The ISBuzz Post: This Post Half Of US Retailers Have Seen A Data Breach This Year appeared first on Information Security Buzz.

Downtime On Prime Day (Est. $75mil In Lost Sales, Comparable To Self Invited DDoS Attack)

In response to the latest reports on the Amazon’s downtime during this week’s Prime Day including estimates that the outage potentially resulted in ~$75 million in lost sales and was comparable to a self-invited DDOS) attack, Corero Network Security offers comments.

Sean Newman, Director Product Management at Corero Network Security:

“Although Amazon appears to have been a DDoS victim of its own making, this just goes to show how even an organization with such immense resources can still be vulnerable to denial of service attacks.  And, when you look at the estimated potential financial impact of this, it’s not difficult to understand why organizations which rely on delivering online services cannot afford to be vulnerable to DDoS attacks.  Plus, there are two sides to risking such obvious and significant financial impact: firstly, if you get attacked, there’s the direct impact but, secondly, you lay yourself open to DDoS for Ransom.  With such significant, and easily calculable, revenue at risk for every minute of downtime, a potential DDoS attacker can readily size a ransom demand which is way less than the sum at risk but, still presents a healthy return for the cyber-criminal, should an organization feel the need to pay-up, to keep the business online.  Of course, the alternative is to deploy the latest generation of real-time, automatic DDoS protection and know you can safely ignore any such demands.”

The ISBuzz Post: This Post Downtime On Prime Day (Est. $75mil In Lost Sales, Comparable To Self Invited DDoS Attack) appeared first on Information Security Buzz.

Bank’s Routers Hacked To Steal $1 Million

The notorious hacker group, MoneyTaker, has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router. Ken Hosac at Cradlepoint discussing how SDN can prevent this issue.

Ken Hosac, VP of IoT Strategy & Business Development at Cradlepoint:

“Software-defined Networking (SDN) enables IoT devices, such as routers, to be deployed on a completely separate network (virtually) that is invisible to the outside world.  Traditional networks utilise a “connect first, authenticate second” model that allows hackers to scan networks for devices and their ports using common hacking tools.  Those same hacking tools are then used to defeat the authentication.  A key benefit of SDN is the model of “authenticate first, connect second”.  These networks are completely invisible and inaccessible unless the organisation’s IoT devices are first properly authenticated.  This means that it is much more difficult for routers to be exploited by hackers.”

The ISBuzz Post: This Post Bank’s Routers Hacked To Steal $1 Million appeared first on Information Security Buzz.

Warning All Airline Passengers, The Most Insecure Airports Identified

Research has been released identifying San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as America’s most cyber insecure airports.

Commenting on the news and offering advice to travellers is Lane Thames, Senior Security Researcher at Tripwire.

Lane Thames, Senior Security Researcher at Tripwire:

“When traveling, there are always security risks to take into consideration for connected devices even when at the airport. Before you leave a secure environment, check your device’s software is up to date and consider removing older applications that you no longer use. It’s common for airports to have public WiFi but avoid using public WiFi hotspots unless extremely necessary. The reason being public WiFi hotspots usually have no encryption. As such, malicious actors within a certain physical distance from you can eavesdrop on your communications. If you do use public WiFi, try to use it only for basic browsing and applications which do not involve submitting personal data. Even better, consider using a VPN service when using a public WiFi and try to use HTTPS when possible. Lastly, always activate security services that are available as this can significantly help reduce the threat of an attack. This could include ensuring there is a PIN or a passphrase to unlock the device as well as enabling 2FA on applications that support it.

The ISBuzz Post: This Post Warning All Airline Passengers, The Most Insecure Airports Identified appeared first on Information Security Buzz.

Human Resources Company ComplyRight Suffers Data Breach

It has been reported that cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardised sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.

Florida-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach.

Ryan Wilk, Vice President at NuData Security:

“One of the many dangerous things about breaches is the amount of time it takes for companies and end users to know their data is out in the open. From the moment a breach happens, hackers have ample time to broker the stolen names, Social Security numbers, tax data and other identifying information on the dark web – leaving customers and employees open to the impacts of identity theft.

“This breach underscores once again, for merchants and financial institutions, that mere reliance on passwords and usernames is insufficient to protect their organisation and their customers from online fraud. It’s past time for every organisation handling sensitive data to lock down their security, and to stop relying personally identifiable information to verify users – which is easily stolen and easily reused.

“Many companies are implementing multi-layered solutions with passive biometrics and behavioural analytics to leverage behaviour patterns and hundreds of other indicators to confirm legitimate users with true accuracy. This way companies don’t rely on the credentials and sensitive data exposed in breaches.”

The ISBuzz Post: This Post Human Resources Company ComplyRight Suffers Data Breach appeared first on Information Security Buzz.

Checkpoint Cyber Attack Trends Mid-Year Report 2018.

Following are main findings of latest CheckPoint Cyber Attack Trends: Mid-Year Report 2018:

  • A 100% increase in organizations who reported being hit by cryptomining malware which hijacked CPU power in 1H:18 vs 2H:17;
  • The three most prevalent exploits in 1H:18 were each cryptominers;
  • New techniques are evolving to attack cloud storage services; and
  • Multi-platform attacks increased, targeting consumer mobile and non-Windows devices.

Sean Newman, Director Product Management at Corero Network Security:

“The latest threat report on the block, this time from Check Point, shows no sign of abatement when it comes to botnets being a tool of choice for cybercriminal campaigns.  The sophistication of the latest variants, being able to self-propagate, stay hidden, and be armed with different attack payloads, depending on the particular agenda, makes them a powerful cyber-weapon.  And, the quantity of, and ease with which, IoT devices can be acquired into these botnets explains why they remain so popular.

“While the report highlights the recent rise in popularity of crypto-currency mining as a focus for the cyber-criminals, we shouldn’t forget it’s equally possible that crippling DDoS attacks can be launched using these botnets and that organisations which rely on their online availability shouldn’t be complacent when it comes to ensuring they are properly protected.”

The ISBuzz Post: This Post Checkpoint Cyber Attack Trends Mid-Year Report 2018. appeared first on Information Security Buzz.

Fraudsters Take Aim At UK Universities

Action Fraud has warned of scams which register domains which look similar to UK Universities, attempting to trick supply companies out of vast sums of cash – up to £350,000, reportedly.

Andy Norton, Director of Threat Intelligence at Lastline:

“This is a pretty low tech attack where the criminal sets up lookalike domains to the University, the premise is similar to a Business Email Compromise attack, except that, impersonation not compromise has taken place. The best defence for organisations Is to have robust policies and procedures that ensure a second pair of eyes validates business transactions and the shipment of goods, services or payment.”

The ISBuzz Post: This Post Fraudsters Take Aim At UK Universities appeared first on Information Security Buzz.

Gmail Confidentiality Control- Easy Phishing?

Google is rolling out a sweeping redesign of its popular Gmail service, but federal cybersecurity authorities warn that a key new feature on the system could make its 1.4 billion users more susceptible to dangerous phishing attacks that compromise users’ vital personal information.

The Department of Homeland Security issued an intelligence note, obtained by ABC News, warning users of the “potential emerging threat … for nefarious activity” with the new Gmail redesign. Because the new feature — called “Confidential Email” — requires users to click a link in order to access confidential emails, according to the DHS alert issued May 24, Google has essentially created an opportunity where “malicious cyber actors could exploit the recent Gmail redesign.

Eyal Benishti, CEO & Founder at IRONSCALES: 

“Phishing is already a prevalent threat individuals and organisations face, and features like the one introduced by Google in this case is just making it even easier for nefarious actors to exploit victims. It is so difficult for even trained eyes to spot a sophisticated phishing attempt- how are users meant to differentiate between a real ‘confidential link’ and a fake? Of course, it will be near impossible- exactly what the criminals want.

Until this feature is revoked by Gmail, it is imperative to help users identify well-crafted impersonation techniques, in order to avoid a potential cybersecurity incident. By employing mailbox level detection that tracks user behaviour analysis and sender reputation scoring to build a picture of what is deemed normal behaviour, anomalies in communications and meta data are easily spotted and automatically flagged as suspicious, in tandem providing a mechanism for employees that do spot something amiss in a message to report their findings via inmail alerts, which together allows quick reporting via an augmented email experience, helping the user make better decisions that ultimately helps protect the enterprise.

The ISBuzz Post: This Post Gmail Confidentiality Control- Easy Phishing? appeared first on Information Security Buzz.

Cybersecurity Experts Only Present In 65% Of Organisations

Despite 95 percent of CIOs expecting cyberthreats to increase over the next three years, only 65 percent of their organizations currently have a cybersecurity expert, according to a survey from Gartner. The survey also reveals that skills challenges continue to plague organizations that undergo digitalization, with digital security staffing shortages considered a top inhibitor to innovation.

Andy Norton, Director of Threat Intelligence at Lastline:

“To diligently counter intrusions, organisations need  timely access to expertise in order to manage risk. The current levels of data breaches show that there is a significant amount of unmitigated risk due to the skills shortage and lack of appropriate relevant intelligence. Organisations must embrace AI that is adversary resistant, just like a human expert would be, to provide the analytics to automate prevention and response countermeasures based on an coalesced array of signature, behavioural and anomaly detection technologies.”

The ISBuzz Post: This Post Cybersecurity Experts Only Present In 65% Of Organisations appeared first on Information Security Buzz.

Google Being Hit With A Record Fine From The European Commission

Google being hit with a record fine from the European Commission Mark Skilton, of Warwick Business School, is Professor of Practice in Information Systems & Management, and researches and consults on the digital sector.

Mark Skilton, Professor of Practice in Information Systems & Management, and researches and consults on the digital sector at Warwick Business School: 

“It looks like this time the fine will fit the ‘crime’ in this long running dispute of market dominance and manipulation.

“Google has always been a contradiction, in that it is a market facilitator who also wants to control that market. Google claims that it has to compete with other big players and that swapping to an alternative search service is ‘one click away’, but in my view it is its locking up of around 80% of mobile devices with pre-installed Google Android software that is the issue.

“The real issue is not the supplier side ‘problems’ which have been dominating the shape of the market; its having a demand side where consumers have real choice instead of being locked into just one vendor’s world view of the digital economy.

“It must be remembered Google ‘defines the market’ and is not just an innocent bystander.

“Google claims it is a free market for users, but that’s just not true in practice. Granted, as we see in the telecoms market, network operators want to protect their billion-dollar investment in the infrastructure that enables all this internet to work, but its when it becomes a monopolistic control from the supplier to the end user that it becomes a problem.

“The internet is in urgent need of moving to its next level of evolution, which will be a more distributed and edge-based world. It is being seen with the rise of the internet of things that are multiplying the number of connections to smart homes, products, transport and everything else – this will bring a more open market.

“This is the next battleground for Google and the big tech players, but GDPR and the European Commission’s focus on the tech giants is becoming a significant issue for them.”

The ISBuzz Post: This Post Google Being Hit With A Record Fine From The European Commission appeared first on Information Security Buzz.

Less Than Half Of Cyberattacks Detected By Anti-Virus

According to a recent SANS report, less than half of cyberattacks were detected via anti-virus. Commenting on the report, Andy Norton, director of threat intelligence for Lastline, said:

Andy Norton, Director of Threat Intelligence at Lastline:

“Endpoint security and anti-virus solutions, are like gun laws, they should change, but they won’t. There are simply too many conflicts of interest on a production system, there will always be a trade off between productivity and security at the endpoint.

“To diligently counter intrusions, organisations need to embrace adversary resistant AI analytics, to automate prevention and response countermeasures based on a coalesced array of signature, behavioural and anomaly detection technologies.”

The ISBuzz Post: This Post Less Than Half Of Cyberattacks Detected By Anti-Virus appeared first on Information Security Buzz.

SANS Reporting Less Than Half Of Cyberattacks Detected By Antivirus Solutions

Antivirus systems only detected endpoint compromise 47% of the time; other attacks were caught through automated SIEM alerts (32%) and endpoint detection and response platforms (26%) according to the SANS 2018 Survey on on Endpoint Protection and Response.

Justin Jett, Director of Audit and Compliance at Plixer:

“The recent SANs 2018 Survey on Endpoint Protection and Response makes clear that point-security solutions are not enough to quell the ever-growing barrage of cyberattacks. Organizations should continue to deploy endpoint security, but with less than half of cyberattacks being detected by antivirus, organizations must deploy other platforms to detect and help remediate these problems as they happen. Network traffic analytics should be used across the entire network infrastructure to help IT professionals see when malicious activity is taking place. By leveraging the network data, network and security teams can work together to thwart the efforts of malicious actors.”

The ISBuzz Post: This Post SANS Reporting Less Than Half Of Cyberattacks Detected By Antivirus Solutions appeared first on Information Security Buzz.

LabCorp Data Breach

Pravin Kothari, CEO of cybersecurity solution provider CipherCloud, today commented on news that LabCorp is investigating a data breach on its computer network that potentially putting millions of people’s sensitive personal information at risk:

Pravin Kothari, CEO at CipherCloud:

Pravin Kothari“The LabCorp data breach is yet another heavy blow in the continued assault on healthcare. Consider that LabCorp is one of the largest diagnostic laboratories in the world, and, as you may not be aware, is a very critical part of U.S. healthcare infrastructure. They have hundreds of networked labs across the United States and all of them are likely interconnected centrally with LabCorp headquarters. This may be one of the largest healthcare networks in the world with connections to many thousands of physician offices, hospitals and their testing facility offices worldwide.

LabCorp made the wise decision to shut down their entire network while determining the extent of the breach. Taking this preventive action may be warranted especially if they are shutting down to stop the propagation of a  targeted ransomware attack and the possible destruction of patient laboratory data.

Consider that the single largest part of any patient record is almost always diagnostic tests. LabCorp connects electronically to many physician electronic medical record/electronic healthcare record (EMR/EHR) systems to both receive requests from physicians for patient testing, and then to return the results. Results are sometimes stored and sent using digital data, and other times using digital images of the test requests and test results. These systems also still work and interconnect with facsimile machines present in physician offices. As mentioned earlier, LabCorp also has connections to most of the hospitals and other clinics in the United States. All of this presents, at some point, perhaps an increased risk of cyberattacks propagating and moving through this expanded ecosystem.

LabCorp no doubt has reviewed and likely beefed up their cybersecurity and HIPAA compliance processes given their recent experiences with HIPAA related litigation. Unfortunately, in a potential breach this large, it is almost de rigueur for the department of Health and Human Services, Office of Civil Rights (HHS/OCR) to request a HIPAA audit of LabCorp and possibly closely related business partners that may get caught up in the breach. LabCorp will have to weather the cost, and risk, of any HIPAA audit and the continued cost and negative news as the saga unfolds.”

The ISBuzz Post: This Post LabCorp Data Breach appeared first on Information Security Buzz.

Russia Stop 25 Million Cyberattacks During World Cup

Following the news around Russia announcing that it had stopped 25 million cyberattacks during the World Cup, Sean Sullivan, Security Advisor at F-Secure offers the following comment:

Sean Sullivan, Security Advisor at F-Secure:

“Clearly there weren’t 25 million “cyber-attacks”. (Which would be physically destructive if properly defined.) And what about DDoS attacks? Unlikely. What then? IP addresses and other related activity? Probably. I have no doubt that threat monitoring would have generated 25 million suspicious data points during the World Cup.

So, it would be more accurate to say something such as unauthorised network scans and DDoS attempts were monitored and successfully mitigated on an impressive scale, requiring tens of millions of data points to be processed. Well done to Russia’s security teams. But that doesn’t sound as impressive, politically speaking, does it?”

The ISBuzz Post: This Post Russia Stop 25 Million Cyberattacks During World Cup appeared first on Information Security Buzz.

Hackers Spoof UK Uni’s To Defraud Businesses Of Hundreds Of Thousands

Action Fraud UK has warned that both businesses and universities need to be on guard against a new scam, which has already resulted in firms being defrauded of £350,000. Hackers are registering spoof UK university domains to look like they belong to UK university email addresses. These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name and the suppliers are never paid back. Kevin commented below as part of our security experts comments series.

Kevin Bocek, Chief Cybersecurity Strategist at Venafi:

“The universities and other businesses affected by this scam are certainly not alone – spoofing sites is now big business. Last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted so that they can trick unsuspecting businesses out of huge sums and damage brand reputations across the internet.

“These attacks are part of a much larger problem that jeopardises the system of trust used throughout the internet and shows why a new system of trust built on reputation is needed. These padlocks are supposed to signify a trusted machine identity – a digital certificate that means a website is genuine. But now cybercriminals can obtain certificates allowing them to look authentic for virtually nothing. This is a high risk, high impact threat that security teams cannot ignore anymore.”

The ISBuzz Post: This Post Hackers Spoof UK Uni’s To Defraud Businesses Of Hundreds Of Thousands appeared first on Information Security Buzz.

Verizon Data Leak Exposes 14 Million Customers After Security Lapse

After Verizon’s data breach exposing  the personal data of 14 million customers, web security company High-Tech Bridge’s CEO, Ilia Kolochenko, has commented that identifying and preventing such risks can be easy if done proactively:

Ilia Kolochenko, CEO at High-Tech Bridge:

“This is a remarkable, albeit sad, example of shadow IT created by third-parties in the era of cloud. Such incidents are very difficult to prevent and mitigate. Even if you meticulously control the security policies of your suppliers and request records of their external and internal audits, human mistake on their side remains unpredictable and thus virtually unpreventable. We will likely see a further growth of similar incidents, many of which can trigger severe financial consequences imposed by law and regulations such as GDPR. To help companies identify similar risks in a proactive manner, ImmuniWeb® Discovery continuously searches for unprotected cloud storage attributable to a company or its subsidiaries.”

The ISBuzz Post: This Post Verizon Data Leak Exposes 14 Million Customers After Security Lapse appeared first on Information Security Buzz.

Ukraine Blocks Major VPNFilter Attack Against Chemical Plant

The Ukrainian Secret Service (SBU) said today it stopped a cyber-attack with the VPNFilter malware on a chlorine distillation plant in the village of Aulska, in the Dnipropetrovsk region.
Commenting on the news are the following security professionals:

Craig Young, Security Researcher at Tripwire:

Consumer routers show up in very unexpected places at times but critical infrastructure is certainly the last place I’d expect to find them. Due to the lack of details provided by Ukranian Secret Service, it is not possible to know which devices may have been compromised with VPNFilter malware and what they were being used for in this plant. It is possible that the infected systems were routers in the homes of employees who remotely access the facility or that the plant may have had some affected network storage devices.

Another big question is when this attack took place and whether this means that VPNFilter has already evolved since the recent FBI shutdown of the botnet’s command and control system. It is possible that VPNFilter has been revived with a more robust operation targeting a wider range of devices including more enterprise-centric devices.

Tim Erlin, VP of Product Management & Strategy at Tripwire:

If your business has an industrial control system footprint now is the time to evaluate how you’re securing that environment. Industrial companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so. It is vital that organizations properly secure their critical infrastructure by  investing in robust cybersecurity strategies that involve proper foundations of critical security controls and layers of defense. Failure to do so will result in a major breach that will cause catastrophic failure, which is a significant concern (link to survey) among security professionals as a critical disaster could result in significant loss of life.

The ISBuzz Post: This Post Ukraine Blocks Major VPNFilter Attack Against Chemical Plant appeared first on Information Security Buzz.

New Sextortion Scam Tricking Victims

A new scam is doing the rounds, where fraudsters are emailing people their own passwords in a bid to convince them they secretly filmed them watching porn on their computers.

https://eu.vocuspr.com/Publish/3428621/vcsPRAsset_3428621_591246_89955cf3-246d-435b-aac6-ff8b29080150_0.JPG

Figure 1 – Example Email 

Action Fraud officials have said it is the first time they have ever seen a scam include the victim’s real password in the subject line. The security experts have contacted several of the victims who have confirmed that the passwords are genuine.

Eyal Benishti, CEO & Founder at IRONSCALES: 

“Criminals are clever, and will go the extra mile to scare victims in order to get what they want- scams like this play on people emotions, and are much more likely to result in people handing over whatever they are asked for, in order to avoid embarrassment.  If techniques like this succeed, criminals are likely to continue targeting victims; they know they are vulnerable and can be exploited.

When facing a scam like this, it’s always best to take a step back and assess the situation- don’t act rashly and pay the ransom being demanded. Change all your passwords associated with the account, and if possible enable the use of two factor authentication. Do not try and contact the fraudsters, and report the scam to an official body like Action Fraud. Never click any link provided in the email you have received.

Phishing is not new- but this just goes to show that it is still as effective for cybercriminals as it was years ago. By using familiar subject matter, phishers are one step closer to baiting unsuspecting victims into their nets, and if done correctly, will consequently have access to all sorts of valuable data, information and in this case, money.”

The ISBuzz Post: This Post New Sextortion Scam Tricking Victims appeared first on Information Security Buzz.

12 Russian Agents Indicted In Mueller Investigation

The special counsel investigating Russian interference in the 2016 election issued an indictment of 12 Russian intelligence officers on Friday in the hacking Hillary Clinton’s campaign and the Democratic National Committee during the presidential election. The 12 Russians stole and leaked emails as part of a Russian government effort to interfere with the election. The indictment came only three days before President Trump was planning to meet with President Vladimir V. Putin of Russia in Helsinki, Finland.

Leo Taddeo, Chief Information Security Officer at Cyxtera:

“The indictment teaches cyber security professionals several important lessons.  Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today’s adversaries.

First, access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password.  It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. And it should be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly, and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric context-aware model that is built on the principle of least privilege.

Second, the indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk.  Alternate access control technologies, such as Software-Defined Perimeter, are built on an “authenticate first, connect second” approach ensure that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security.  With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Last, but not least, the indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. They then installed and managed different types of malware to explore the DNC network and steal documents.  This highlights need for organizations to better manage the risks of third-party access.  By using a solution that leverages the Software-Defined Perimeter security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”

The ISBuzz Post: This Post 12 Russian Agents Indicted In Mueller Investigation appeared first on Information Security Buzz.

US & Russia Joint Cyber Initiatives

Following yesterday’s release of Recorded Future’s research on Russia’s national vulnerability database, and the Trump-Putin summit in which it was suggested that the US and Russia work more closely on cyber initiatives, Priscilla Moriuchi has followed up with her thoughts. Please see below.

Priscilla Moriuchi:

“Without a doubt there are many issues within the cyber context that the United States and Russia could work together on to improve. These include cyber operations in wartime, attacks on critical infrastructure, and cyber-enabled intellectual property theft among others.

However, operating a joint working group on cybersecurity in order to examine the digital and forensic evidence of Russian interference in the 2016 U.S. election would be both counterproductive and dangerous. Enabling Russia to gain an even greater understanding of U.S. cyber defences and analytic capabilities would put American citizens and businesses at even greater risk of attack.

In addition to the knowledge that Russian operatives have influenced U.S. elections through cyber operations, it is also clear that its handling of public vulnerability information demonstrates a fundamentally opposed approach to information security.

To authoritarian states like Russia and China, “control” of information technology and their public is the paramount concern. For Russia, “control” is a term that means complete power over and domination of the domestic information and technology space by the government.

This translates to control over hardware, software, and platforms, but also control over the content on those platforms and the citizens who utilise them. This type of state control is what we mean when we assess that the Russian vulnerability management is intended to support control of the Russian state– their database is a tool the Russian state uses to impose technology reviews on companies and other draconian controls on users.

Putin does not seek transparency in cyber operations with the United States, he seeks an advantage in what he views as a zero-sum power struggle with the West. A joint cyber operations working group would grant him that advantage.”

The ISBuzz Post: This Post US & Russia Joint Cyber Initiatives appeared first on Information Security Buzz.

Telefonica Data Breach

In response to the news that Telefonica has suffered a data breach which exposed the details of millions of Spanish users, Rob Shapland, IT security experts commented below.

Rob Shapland, Principle Cyber Security Consultant at Falanx Group: 

“Telefonica will need to assess the scope of the breach in order to understand how it impacts GDPR. Has the breach been exploited and the information stolen by hackers? If so, they will certainly need to inform the GDPR supervisory authority, and very likely each of the affected customers. They could then be liable to fines of up to €20 million or 4% of their global turnover (their turnover is $53 billion, so potentially over €2 billion in fines though that is highly unlikely).

Flaws like this are quite common in websites. It does imply that the website has not been tested against industry best practice as the flaw that was exploited should be easily discovered during penetration testing. It could also be that Telefonica made changes to the system without running additional checks, which then introduced the vulnerability.

Customers who have been affected should update their password on Telefonica’s systems (and any other websites that same password was used), just in case passwords were exposed, though there is no evidence of this at this stage. It would also be prudent for customers to update their security questions on any key websites such as online banking, in case the personal info that was stolen could be used to answer these questions.”

Ryan Wilk, Vice President at NuData Security:

“This sort of data exposure is why so many organisations who transact with customers online – from the banking and finance sector to eCom and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics. In doing so, they’re shifting from “let’s make our company a bunker for everyone” to “let’s leave the bunker for risky users only.”  They do so by using technology that doesn’t rely on data that could have been exposed in a breach, thus preventing post-breach damage.

“For years now, many top merchants and financial institutions have incorporated passive and active biometrics and behavioural analytics to verify customer identities online. By analysing hundreds of indicators derived from the user’s online behaviour, companies don’t have to rely on passwords, payment data, and other leaked information to make an authentication decision. Removing the organisation’s reliance on ‘things users know’, companies are far less vulnerable to the data exposed by leaks and breaches.

“Passive biometric technology cannot be mimicked by hackers, and helps break the chain of perpetual fraud that grows whenever customer data is breached and stolen.”

The ISBuzz Post: This Post Telefonica Data Breach appeared first on Information Security Buzz.

AI Will Create As Many Jobs As It Displaces

Today PWC published a report which stated that AI will create as many jobs as it displaces by boosting economic growth. In response to the release of this report, Matt Walmsley, EMEA Director at Vectra – a company that automates the hunt for cyber threats by using AI – has provided commentary on how AI is helping to create new cybersecurity jobs.

Matt Walmsley, EMEA Director at Vectra:

“AI is already changing the workplace, and in some areas creating new work opportunities. For example, in the uniquely adversarial world of cybersecurity, we’re seeing that AI is addressing a significant professional skills and resource gap and is reducing the barrier to entry to the cybersecurity profession. Here AI is being used to combat cybersecurity threats by analysing digital communications in real time and spotting the hidden signals to identify attacker behaviour. A task that is simply beyond the scale and speed of humans alone. And when you are able to quickly identify and stop cyberattacks before they’re able to wreak havoc, you dramatically reduce business risk.

We are seeing enterprises actively deploying AI platforms to support junior staff in front-line cybersecurity operations roles. In some cases, even utilising graduate program interns. AI helps these less technically experienced, but still savvy staff, to teach on the job and augment them with intelligent supporting technology. These are people who traditionally would be unable to take on these positions without significant further education, professional development, and substantial experience. This enables them to quickly ramp up to being productive members of the cybersecurity team by using AI to empower them.”

The ISBuzz Post: This Post AI Will Create As Many Jobs As It Displaces appeared first on Information Security Buzz.

Series Of DDoS Attacks Aimed At Blizzard

Blizzard Entertainment, a gaming company with such offerings as Overwatch, Heroes of the Storm, World of Warcraft, was plagued last weekend by a series of Denial-of-Service attacks that caused lag time for some players and prevented others from logging in.

Sean Newman, Director of Product Management at Corero Network Security:

“Most services available on the Internet today are vulnerable to DDoS attacks and online gaming is no exception.  With the chance for gamers to often get an unfair advantage by blocking their adversaries from playing, the motivation for launching attacks against these platforms is high.  For the providers that host the players of these games, the stakes can also be high.  And, the only way to ensure resiliency, for what is often a soft target, is for the providers to deploy the latest generation of real-time, automatic DDoS protection.”

The ISBuzz Post: This Post Series Of DDoS Attacks Aimed At Blizzard appeared first on Information Security Buzz.

GDPR And Timehop Breach

Timehop has revealed that more even more data had been stolen that originally thought in their breach. Timehop admitted that in their haste to report the incident, they did not have all the facts of the breach at that time. Timehop’s efforts will be reviewed now that GDPR has been instituted.

Chris Olson, CEO at The Media Trust:

Chris Olson“The GDPR regulators will likely take into account Timehop’s efforts to self-report the breach when they calculate the penalties, but they might take issue with a few things:

1.Did Timehop put in place sufficient security measures? For starters, the attacker gained access to their cloud environment through an account that was unprotected with multi-factor authentication. Furthermore, pervasive encryption was applied only after the breach.
2.Did Timehop had data protection in mind when they designed their processes. It’s not clear how and why user data had “unwittingly been transferred” to the cloud. A data controller and processor should have been enforcing the right policies on handling the data.
3.Did they report the breach in a timely manner? The GDPR requires that a breach is reported within 72 hours of its discovery.
The fact is a company’s largest digital threats are often posed by their digital third parties. With a growing number of regulations on consumer data privacy and many breaches being carried out via third-party code suppliers, companies should get to know and closely monitor who they’re working with. Companies should also ensure those third parties’ activities are compliant with regulations, as they share the blame for third parties’ mishaps.”

The ISBuzz Post: This Post GDPR And Timehop Breach appeared first on Information Security Buzz.

Australian Airport ID Vendor

In Australia yesterday, as reported by abc.net.au, a third party supplier of airport security ID cards was hacked.  The breach isn’t necessarily big in number, but it’s serious in terms of airport security as the ID cards are designed to stop criminals or terrorists from accessing planes and other restricted airport zones.  Australia’s airports and the people who work at them are considered some of the most sensitive elements of Australia’s national security infrastructure.

Pravin Kothari, Founder and CEO at CipherCloud:

Pravin Kothari“In any context, the Aviation ID Australia data breach is a risk for airport security. The cyber attackers may have access to the database for the cards that are created and used to authenticate authorized personnel on the airport grounds. These ID cards are designed to stop unauthorized parties from accessing planes and other sensitive and restricted airport zones. Did the cyber attackers also steal the graphics files and images necessary to reproduce and clone these ID cards?

Beyond the security risks, the data to produce the ID cards seems to have included names of the airport personnel, addresses, birth certificate numbers, driver’s license numbers, Medicare card numbers and more. This comprehensive data could enable ID theft and even worse, financial fraud.”

The ISBuzz Post: This Post Australian Airport ID Vendor appeared first on Information Security Buzz.

Crypto-Mining Malware Has Increased 50% Since Last Year

A new report from Check Point suggests that the number of companies who have fallen victim to malware which focuses on crypto-mining has double over the last year.

Andy Norton, Director of Threat Intelligence at Lastline:

“Cryptocurrencies like Monero have really opened the door for botnet operators to create this trend. Monero brought two key things to the criminal arsenal: Firstly it uses the cryptoknight algorithm which is suitable to mine coins on everyday devices, and secondly it uses ring signatures which offer complete anonymity to botnet miner. Recently the botnet operators started adding tried and trusted malware evasion techniques to the mining payloads in order to avoid being blocked by sandbox checks.”

The ISBuzz Post: This Post Crypto-Mining Malware Has Increased 50% Since Last Year appeared first on Information Security Buzz.

IBM Reveals High Cost Of Data Breaches

IBM and the Ponemon Institute are out with a new study:  Hidden Costs of Data Breaches Increase Expenses for Businesses – Study for First Time Calculates the Full Cost of “Mega Breaches,” as High as $350 Million. Among key findings:

  • Average cost of a data breach of 1 million compromised records is nearly $40 million dollars
  • At 50 million records, estimated total cost of a breach is $350 million dollars
  • The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)
  • The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)

In response IT security experts commented below.

Christian Vezina, CISO at OneSpan:

“Why is it that in spite of ever-increasing spending in cybersecurity ,organizations worldwide are still hit with major data breaches? The security perimeter has dissolved and as a result the attack surface has increased way beyond what organizations want to realize. With the prevalence of IoT, increased mobility and cloud usage, the use of complex supply chains, and the increased speed of business, organizations can’t get a complete grasp over their attack surface. Organizations will need to re-think their cybersecurity investments and prioritize their initiatives carefully.  If what you do doesn’t work, you may want to change your approach. As you cannot possibly protect from everything, you will probably be better off shifting your cybersecurity investments and approach from ‘prevention only’ (which seems to be failing) to a ‘detect and respond’ approach.”

Jonathan Sander, CMO at STEALTHbits Technologies:

“One thing we see is what turns a run of the mill breach into a mega-breach is the attacker getting insider access. Sometimes that happens because it’s insider threat and they had it all along. Most of the times an attacker captures insider access through weak configurations and exploitation of busy users. With insider level access, the bad guys can strike at less well secured but still information rich targets like documents, scanned information, and other file data. If you look at all the largest breaches that have hit the headlines, they all included attackers running off with saved emails, scanned contracts, and simple files filled with passwords. That stuff is truly toxic and is only available once the bad guys make that leap to insider status and turn these incidents into mega-breaches.”

Pravin Kothari, Founder and CEO at CipherCloud:

Pravin Kothari“From any perspective the cost of a data breach is painfully high in the short-term for remediation expense and lost business, in the longer-term as a result of damage to the brand, and then the ongoing impact to revenue and customers. IBM’s study brings sharp focus to the numbers and clearly highlights the high cost of failure for executives and their board of directors. The lesson to learn? Data breaches are inevitable for any large enterprise. Attackers will get into your networks. This rising tide of cyberattacks represent an expensive and almost existential threat to your business. Given the current set of breaches being announced almost daily, it’s both prudent and necessary to move aggressively to update your security strategy and then add the best-of-breed security technologies necessary to support them.

Some very basic technologies, implemented correctly, can make a significant impact on the potential risk to your organization. For example, by our estimate, the use of end-to-end encryption would likely have reduced the list of successful breaches in IBM’s study by over 75%. Why? Encrypted data is unintelligible to the cyber attackers and hence the breach of this data is inconsequential. Other important technologies, such as 2-factor authentication, would also have made a very significant impact in reducing the number of successful data breaches.”

Andy Norton, Director of Threat Intelligence at Lastline:

“The fact that the cost of breaches has risen so starkly shouldn’t come as a surprise to many. These mega breaches have increased sharply in recent years, and show no signs of slowing. Cybercrime has become increasingly more organised and easy to access, with ransomware-as-a-service and phishing-as-a-service packages readily available on the dark web. These breaches also work as something of a self-fulfilling prophecy, as the stolen data provides a pipeline for future cyberattacks. GDPR will also have help the impact of breaches to be felt more financially, as the fines associated with poor data protection have rocketed. Although these breaches may not be as a direct result of human error, a general lack of security awareness outside of IT or security departments is undoubtedly a contributing factor. A combination of educational initiatives and appropriate spending on cyber defences is the best approach to stemming the flow of data breaches.”

The ISBuzz Post: This Post IBM Reveals High Cost Of Data Breaches appeared first on Information Security Buzz.

Supply Chain Cyberattacks

Cybercriminals are using everything from everyday devices like USBs to vulnerabilities in networks, servers, browsers, websites and even employees to infiltrate the supply chain.

Matan Or-El, CEO and Co-founder at Panorays:

“Other supply chain attacks include targeted attacks against those suppliers storing and processing information for an organization on its behalf. For example, an outsourcing law firm may hold a company’s sensitive and confidential information such as M&A-related documents, sales transactions and financial health statements. An attacker may decide to attack them to retrieve that information and sell it to competitors, other data seekers and even for insider trading information. In fact, just a couple of years ago, T-Mobile announced that credit and financial information of 15 million of their customers have been compromised. The breach source? Experian, a supplier of credit applications that T-Mobile was using.”

Matan offers this advice for companies before working with a supplier:
1.    Prior to choosing a supplier it is important to consider their security posture. Understand what systems they are running, protocols they’re using and even the security technologies they have in place.
2.    Engage with the supplier and pinpoint the issue so that they become aware of the problem, understand the issue, and know how to fix it.
3.    In case you do need to work with a supplier which does not have a good security posture, we suggest taking extra steps to secure the interaction with that supplier.
This includes being more vigilant about the information being shared and how it is shared. Such measures may include for instance, the demand and enforcement of data removal after a certain period of time or limited access to various systems.

The ISBuzz Post: This Post Supply Chain Cyberattacks appeared first on Information Security Buzz.

Leave Backdoors Open To Cheap Remote Desktop Protocol Attacks, According To New McAfee Findings

McAfee has just released its new Advanced Threat Report, which finds that Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks. An expert with Corero offers thoughts and perspective.

Ashley Stephenson, CEO at Corero Network Security:

“If your system is accessible from the Internet then you should expect malicious actors somewhere in the world will try and break in. They do this automatically and continuously with scripts so there is no way to avoid their attempts. In the overwhelming majority of cases they are not specifically targeting you, just any system that is on the Internet.

“There are legitimate needs for systems to be remotely accessible but there is no excuse for trivial or guessable passwords. Password guessing via brute force attempts is the most common method for gaining access to these systems.

“The practice of adding two-factor authentication to Internet accessible systems is a growing trend and can reduce the risk of spontaneous unauthorized access to almost zero.

The overriding message with regard to Internet Security is to be prepared by anticipating the worst attacks but plan your protection for achieving the best defense whether the threat is Breach, Ransomware, or DDoS.”

The ISBuzz Post: This Post Leave Backdoors Open To Cheap Remote Desktop Protocol Attacks, According To New McAfee Findings appeared first on Information Security Buzz.

Choosing Convenience Or Security?

Please find the comment below, from Andy Cory, Identity Management Services lead at KCOM as part of our security experts comments series on latest cyber security news.

Andy Cory, Identity Management Services lead at KCOM:

“There has always been a conflict between security and convenience. Consumers are increasingly irritated by intrusive authentication measures, including obscure security questions and complicated passwords. They want their lives to be made constantly easier, so are happiest using apps and services that are both simple and fast to log into. However, they may fail to understand that the smoothest logins are compromising security for the sake of that convenience. All too often this ends in disaster, as we have seen with Timehop this week.

“It is time we found a balance between these tricky demands. The future of secure authentication is certainly multi-factor, but it should also aim for low friction. To improve customer experience without reducing security, authentication strategies should be both integrated and simple.

“An example of this would be an ‘adaptive’ authentication mechanism that reviews a combination of factors such as geographic location, source IP address, device fingerprint as well as a password before allowing the user access. Most of this information can be obtained from the device being used, while the consumer only has to provide their password. This gives multi-factor authentication where the user is only aware of one factor.

“If an authentication platform determines that the person trying to log in using your username and password is doing so from the device you usually use and from the location from which you usually log in, that gives a good indication that it’s really you. This means the platform doesn’t feel the need to ask you to provide the middle name of your favourite cricket player, or the colour of the first pair of socks you ever bought, before trusting that you are indeed you.”

The ISBuzz Post: This Post Choosing Convenience Or Security? appeared first on Information Security Buzz.

Trustwave On European Parliament Approving A Draft Cyber Security Act

Please see below for comment from Trustwave regarding a key committee of the European Parliament approving a draft Cybersecurity Act that will introduce a new security certification system for connected devices, as well as strengthen the EU’s networks security agency Enisa.

Ed Williams, Director EMEA, SpiderLabs at Trustwave:

amrit williamsI welcome any initiative to increase the security and assurance of ICT products; given the current climate this legislation is welcome.  Without question, this is a difficult task, ICT products can be difficult and complex, ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do – secure by design is a must in 2018 and moving forward.  I have some reservations around the certification framework, depending on the type of product, certification may be voluntary or mandatory. Personally, I would like to see mandatory security for ‘all’ products.

It also appears that assurance will be broken down into different categories, basic, substantial and high; where basic “provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service”, I’d prefer all my ICT products to have high levels of assurance, I don’t think that’s too much to ask for?  It will be interesting to see how consumers take to this, my hope is that the certification framework is agile, simple and clear and that having high assurance doesn’t come with additional costs (whatever they may be).  In 2018 we shouldn’t be paying more for secure products, we should be expecting all products to be secure.

The ISBuzz Post: This Post Trustwave On European Parliament Approving A Draft Cyber Security Act appeared first on Information Security Buzz.

Cost Of Data Breaches Doubles In Just 5 Years

The amount of so-called mega breaches – cases that involve more than 1m records being lost – have nearly doubled over the last five years, with 16 mega breaches occurring in 2017. Data compiled by IBM revealed that breaches on this scale can cost a business anywhere from $40m (£30m) to $340m, with more than 90 per cent of these breaches stemming from malicious and criminal attacks as opposed to glitches or human error. Tim Helming, Director of Product Management at DomainTools commented below.

Tim Helming, Director of Product Management at DomainTools:

“This is a worrying, but expected statistic. The cost of breaches has skyrocketed in recent years due to a commercialization of the cybercrime industry, with attack kits available to purchase for non-technical actors to ply their trade. Legislative changes such as GDPR will also make the administrative costs of a breach soar even further in the next five years, without even considering the implications of reputational costs. I’m slightly doubtful that human error accounts for so little of the breach activity; failing to have a proper culture cybersecurity awareness at an organisation is implicated in phishing, which is one of the leading vectors of breaches. The ultimate responsibility for this lies with humans.”

The ISBuzz Post: This Post Cost Of Data Breaches Doubles In Just 5 Years appeared first on Information Security Buzz.

Failed GDPR Consent Efforts

The Facebook fine announced today for the Cambridge Analytica breach would have been significantly larger under GDPR.  While the flurry of activity around the May 25 GDPR deadline may have subsided, the confusion regarding privacy, consent and what comprises actual GDPR compliance is only building.

Pravin Kothari, Founder and CEO of cloud security provider CipherCloud, offers insights and advice regarding consent and other GDPR issues.

Pravin Kothari, Founder and CEO at CipherCloud:

Pravin Kothari

Lack of Compliance readiness:

“With compliance regulations in the U.S. such as HIPAA, most companies were active well ahead of the deadline to ensure compliance. With GDPR, most companies are still struggling to understand how it affects them.  At best, businesses focused on the compliance deadline of May 25 as a point of departure to begin the conversation. For a large multinational this is a dangerous and risky state of affairs. You may get called out on compliance failure. The EU is putting together plans, member by member, to proactively audit in support of GDPR compliance. Ending up on the wrong side of such an audit could constitute a business disaster given the large fines. Large multinationals will be in the bulls-eye before anyone else.”

Misleading approval for collection of personal data:

“The first issue that requires immediate action is the explicit approval for the collection of personal data. This notification is necessary for the websites of companies that collect data on European Union residents. This requires explicit approval or you cannot collect the data. Most companies have instead structured a privacy notice exclusion where you can click yes, or in some cases not click anything at all, and still proceed to use the website and have your data collected. This is ingredient number one of a recipe for compliance failure.”

The role of encryption:

“Encryption is a nice fail-safe to successfully completing the GDPR compliance journey. The breach of encrypted data does not require notification under GDPR as this data is useless to the attacker. In order to gain this safe harbor it is essential that you maintain tight control and do not share the data encryption keys, keep the data encryption keys stored in a separate location from the data, and that you encrypt the data end-to-end, not just when the data is sitting in the back-end database. Based upon anecdotal evidence, we believe that over 75% to as many as 85% of the cloud data in large multinationals which would appear to require compliance under GDPR is not properly encrypted, managed, or compliant.”

Tips for good security hygiene:

“Once you have decided to move decisively to support the GDPR compliance journey, there are other important steps to help you maintain good security hygiene. We recommend you review the number and access levels of privileged users such as administrators. Limit and restrict these privileges to the smallest possible number. All users should be observed using technologies such as user experience behavior analysis (UEBA) to understand if the behavior of a user fits expected behavior, as opposed to that of an attacker. This can identify and stop an attack quickly. UEBA monitors all user activity, time of day, attempts to bulk file download and more. Access control monitoring should also look a the time of day, IP address and geo-location of the user, device (official company issued device, user provided device, mobile device, or something else) to also ascertain if a potential user is legitimate. Digital rights management is another important technology to secure data, both online and offline, and can reduce risk substantially in the event of an active breach event. In the event that downloaded data needs to be protected from misuse ,administrators have the ability to retract access to the data, even if it was downloaded and copied to another device, stolen or even lost. Finally, logging and tracking must be comprehensive in order to support any GDPR related activities or audit.”

The ISBuzz Post: This Post Failed GDPR Consent Efforts appeared first on Information Security Buzz.

Corporate Networks Vulnerable To Insider Attacks

During penetration testing performed as an internal attacker, Positive Technologies researchers were able to obtain full control of infrastructure on all corporate networks they attempted to compromise. Penetrating the network perimeter has become easier over time, the report reveals, with the difficulty of accessing the internal network assessed as “trivial” in 56% of tests in 2017, compared with just 27% in 2016. On average, Positive Technologies testers found two attack vectors (vulnerabilities) per client that would allow their internal network to be penetrated. Christopher Day, Chief Cybersecurity Officer at  Cyxtera commented below.

Christopher Day, Chief Cybersecurity Officer at  Cyxtera:

“Organizations must reduce the attack surface to effectively combat today’s cyber threats. Insiders shouldn’t have access to systems they don’t need to do their job. External threat actors shouldn’t be able to exploit a weak password and gain the keys to the digital kingdom. We recommend that organizations adopt a Zero Trust mindset and build their security controls accordingly. Also, take a fresh look at your tool set and determine whether it’s adequate to secure today’s hybrid, decentralized infrastructure. For example, the network perimeter is not only easy to penetrate, it has extended well beyond traditional premise-based boundaries. Software-defined perimeter (SDP) solutions can address the entirety of the IT environment, wherever it is, and employ fine-grained access controls to reduce the attack surface dramatically. Wi-Fi networks continue to be an area of weakness so we need to do more than merely scan them to identify possible vulnerabilities. Newer technologies can determine whether assets behind the vulnerable access point can be compromised and whether or not a mitigating control is in place.”

The ISBuzz Post: This Post Corporate Networks Vulnerable To Insider Attacks appeared first on Information Security Buzz.