Failure to patch old vulnerabilities is still a leading cause of breaches of security controls, says a new report.
In its annual Global Threat Intelligence Report released this week, global services company NTT Ltd. said threat actors continue to focus on vulnerabilities that are several years old with apparent success.
“In our first report [seven years ago] we mentioned one of the problems is vulnerabilities 10 years or older represent 22 per cent of all breaches in our client base,” Matthew Gyde, CEO of NTT Ltd.’s security division, noted in an interview.
“While that’s got a little bit better, many organizations are still not maintaining their systems to prevent people from going after old vulnerabilities … Old school attacks are still strong.”
The report, which uses data from the company’s customers collected between October 2018 and September 2019, noted that during the period organizations continued to experience high levels of malicious scanning focused on identifying the six-year-old Shellshock (CVE-2014-6271) vulnerabilities. Continued attacks against vulnerabilities such as the six-year-old Heartbleed (CVE-2014-0160) helped make OpenSSL the second most targeted software technology with 19 per cent of hostile activity globally. Seventeen vulnerabilities in OpenSSL identified in the last two years contributed to a constant focus of attacks against vulnerable implementations.
Ironically, response to the current COVID-19 pandemic may change that, Gyde said, as CIOs shift from on-premise to cloud-based applications, which get regular updates from their developers.
NTT Ltd. is a subsidiary of Japanese telecom giant NTT Corp., which includes such well-known units as Dimension Data and White Hat Security. NTT Ltd. operates in 31 countries outside of Japan. It has a staff of 60 in Canada, including 12 focusing on cybersecurity solutions.
The finding that threat actors continue to leverage old vulnerabilities in 2019 was one of six trends identified in the 73-page report. Others include the increased use of machine learning and artificial intelligence tools by threat actors to automate attacks; the weaponization of infected Internet of Things devices; increased attacks on content management systems; the tightening by governments and regulators of governance and privacy laws; and the increasing targeting by attackers of technology firms and governments.
The attack data indicates that over half (55 per cent) of all attacks in the study period were a combination of web-application and application-specific attacks, up from 32 per cent the year before. Twenty per cent of attacks targeted CMS suites and more than 28 per cent targeted technologies that support websites. Organizations that are relying more on their web presence during COVID-19 (customer portals, retail sites and supported web applications) risk exposing themselves through systems and applications that cybercriminals are already targeting heavily.
The trends analysis is broken down geographically and by five industry sectors.
Among the recommendations for IT leaders:
- Mature your organization’s approach to be secure by design. Understanding your organization’s goals, identifying acceptable risk, and building cyber-resilient capabilities are essential to navigating the threat landscape. An entire section of the report deals with cyber-resiliency.
- Pursue intelligence-driven cybersecurity. Cybersecurity and business leadership must change the way they think and apply security, and must transform from a reactive mindset, to a more effective, proactive, intelligence-driven approach.
- Monitor the threat environment. Leveraging intelligent cybersecurity to guide decisions, support business agility, and maintain an acceptable risk level for the organization is essential to success.
- Focus on standardization of controls. Cybersecurity defenders should focus on leveraging standards, knowledgebases, and frameworks such as the MITRE ATT&CK and NIST Cybersecurity Framework. These will help organizations mitigate risks and provide excellent information to help organizations assess organizational risk.
The report can be downloaded here. Registration required.
Credential theft, social engineering attacks (including phishing and business email compromise) and human errors were involved in just over two-thirds of almost 4,000 data breaches around the world last year, according to the 13th annual Verizon Data Breach Investigations Report.
“These tactics prove effective for attackers,” say the report’s authors, “so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts.”
The 130-page report released this morning aims at giving CISOs a better understanding of the varied threats they face not only generally but in regions and across several industries. This year’s report looks at 16 verticals.
Written in a slightly cheeky style and chock full of statistics, the report uses data from 81 partners (ranging from IT vendors to the U.S. Secret Service) to analyze 32,000 incidents (events that compromise the integrity, confidentiality or availability of an information asset) and 3,950 data breaches (confirmed disclosures of data).
Among the highlights (or lowlights):
- Hacking (defined as an attack using stolen credentials, exploiting vulnerabilities or using back doors) was involved in 45 per cent of breaches; 22 per cent involved attacks through social media (including email); 22 per cent involved malware. Also, employee errors were causal events in 17 per cent of breaches, while eight per cent involved the misuse of data by authorized users.
- Ransomware accounted for 27 per cent of malware incidents (and it was higher in some verticals like government and higher education);
- Web application attacks doubled from 2018 to 43 per cent of all breaches.
- Internal-error-related breaches almost doubled from 2018 (881, versus last year’s 424). However, report authors believe this increase is likely due to improved reporting requirements because of new legislation and changes in existing law rather than insiders making more frequent mistakes.
There is some good news:
- Security tools are getting better at blocking common malware. Data shows that Trojan-type malware peaked at just under half of all breaches in 2016 and has since dropped to only 6.5 per cent. Malware sampling indicates that 45 per cent of malware is either droppers, backdoors or keyloggers. “Although this kind of threat is still plentiful, much of it is being blocked successfully,” say the authors.
- Less than five per cent of breaches involved the exploitation of a vulnerability. “In our dataset, we do not see attackers attempting these kinds of attacks that often; only 2.5 per cent of security information and event management (SIEM) events involved exploiting a vulnerability. This finding suggests that most organizations are doing a good job at patching,” says the report. However, it adds, while patching does seem to be working, poor asset management can hide big problems. “Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defences.”
Finally, for those CISOs worried about insiders, keep it in perspective: The report’s numbers continue a historical trend showing that insiders account for about 24 per cent of breaches — and a lot of the time that’s a user error (losing a laptop, misconfigurations).
“What continues to frustrate people like me is email phishing,” commented report co-author John Loveland in an interview. “We all know that it’s problematic, we all know we shouldn’t be clicking on [links in] emails, but there continue to be click-throughs.”
All that’s needed is one person to click on a malicious link for an attack to start, he noted, “but in this day and age with all the attention around phishing and the technologies that are used to intercept phishing emails it’s still a soft-side of security.”
“We as an industry have to get better at removing the human factor out of that exploit, not only from a training perspective but also from a technology perspective… because that is the primary attack vector. That’s an ongoing frustration every year for me.”
Most worthwhile security controls
Finally, the report points to eight controls the data suggests will be worthwhile for most organizations to tighten their security posture. (The numbers in brackets correspond to the Center for Internet Security Critical Security Controls):
- Continuous vulnerability management (CSC 3). Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfiguration.
- Secure configurations (CSC 5, CSC 11). Ensure and verify that systems are configured with only the services and access needed to achieve their function.
- Email and Web Browser Protection (CSC 7). Lock down browsers and email clients to give your users a fighting chance.
- Limitation and Control of Network Ports, Protocols and Services (CSC 9). Understand what services and ports should be exposed on your systems, and limit access to those.
- Boundary Protection (CSC 12). Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
- Data Protection (CSC 13). Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
- Account Monitoring (CSC 16). Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
- Implement a Security Awareness and Training Program (CSC 17).
Download the full report here. Registration required.
With governments around the world making billions of dollars available for COVID-19 financial relief, criminals are making every effort to take advantage. That includes building phony official coronavirus relief templates for websites to trick victims into giving up sensitive personal information.
Among the sites discovered by security vendor Proofpoint are bilingual Government of Canada site pages that attempt to get credentials from victims in either English or French. The news is part of a blog released Friday that also details phishing financial relief pages for the U.S. Internal Revenue Service, the U.K. Revenue and Customs and the official registration site for France.
The goal of the Canadian site is to capture social insurance numbers, which are valuable for creating fake IDs.
“This spoof is noteworthy because while it copies the behaviour of the Canadian government website effectively, it does not match the look and feel of the current Canadian government website,” Proofpoint notes. “The malicious template correctly copies the name of Canada’s revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colours, and branding of the malicious template do not match that of the legitimate Canadian government website.”
Fake websites would be created for people doing internet searches for financial relief programs. They would also be the landing pages for links in mass email and text campaigns previously outlined in our Cyber Security Today podcasts.
Proofpoint says it’s found more than 300 different COVID-19 campaigns since January across nearly every industry it tracks. The creators include well-known, established threat actor groups and unknown individuals.
Creation of COVID-19 phishing landing pages increased sharply in early March, peaking around the beginning of April and then sharply dropping off, says the blog. That plunge is probably caused by a combination of saturation for COVID-19 payment-themed phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed, Proofpoint believes.
“It’s clear threat actors follow trends closely,” the blog adds. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative. The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks.”
It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.
CBC News discovered the first incident recently, which involved perhaps a decade’s worth of unedited appeal decisions of the Nova Scotia Workers Compensation Board being posted on a legal website with the names of the workers. Some of the information also included intimate personal information about claimants. Usually, names and other identifying information in those cases are deleted.
Nova Scotia removed the unedited documents after being told of their discovery by CBC.
“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”
The incident involves decisions between 1998 and 2009 of the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) that were uploaded to the website of the Canadian Legal Information Institute (CanLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.
According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.
Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”
The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.
In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.
Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.
What could make the slide deck embarrassing to the government is it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on a mobile device (the decentralized model pushed by Google and Apple) or uploaded to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.
The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.
Android developers using Google’s Firebase application development platform are being warned to check their configurations after security researchers discovered thousands of apps are leaking sensitive data.
News website Comparitech says a team analyzed 155,066 apps on the Google Play store, of which 11,730 had publicly exposed databases. Of those, 4,282 apps were leaking sensitive information including email addresses, user names, passwords, full names, credit card data and photos of government-issued IDs.
In addition, of the 11,730 with publicly-exposed databases, 9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.
The story says Firebase is used by an estimated 30 per cent of all apps on the Google Play Store. If the tested apps are representative, an estimated 0.83 per cent of all Android apps on Google Play leak sensitive data through Firebase, says Comparitech. That would work out to roughly 24,000 apps.
The article says Google was notified on April 22nd. In response, Google said it’s “reaching out to affected developers to help them address these issues.”
Of the analyzed vulnerable apps, 24 per cent were games, 14.7 per cent were categorized as educational, six per cent related to entertainment, just under 5.3 per cent were business-related and 4.3 per cent were described as travel or local related.
A common Firebase misconfiguration allows attackers to easily find and steal data from storage, according to the article. By simply appending “.json” to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases. Google scrubs these vulnerable database URLs from its search results. However, the article adds, they are still indexed by other search engines like Bing.
App developers can use Firebase for a wide range of functions including authentication, hosting, cloud storage and as a real-time database. Google offers developers guidance on securing data.
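The exposure Comparitech describes comes down to the database's security rules granting read or write access to unauthenticated clients. Below is an added example (not Comparitech's or Google's code) that audits a Firebase Realtime Database rules document for such grants; it assumes the documented rules JSON layout with `.read`/`.write` keys, and the rule documents in it are constructed.

```python
"""Audit a Firebase Realtime Database rules document for paths that
unauthenticated clients can read or write. Added example; assumes the
documented rules JSON (".read"/".write" keys holding `true` or a rule
expression). All rule documents below are constructed."""
import json


def _is_public(expr):
    """`true` (or the string "true") grants the permission to everyone.
    Heuristic for expressions: one that never consults `auth`, or that
    explicitly admits `auth == null`, also grants it to anyone."""
    if expr is True or expr == "true":
        return True
    if not isinstance(expr, str):
        return False
    compact = expr.replace(" ", "")
    return ("auth" not in compact or "auth==null" in compact
            or "auth===null" in compact)


def audit_rules(rules_doc):
    """Return (path, permission, expression) for every public grant.
    Realtime Database rules cascade: a grant on a parent cannot be revoked
    by a child, so a public grant is reported once, at the node that made
    the whole subtree public."""
    findings = []

    def walk(node, path, inherited):
        granted = set(inherited)
        for perm in ("read", "write"):
            expr = node.get("." + perm)
            if perm not in granted and expr is not None and _is_public(expr):
                findings.append((path or "/", perm, expr))
                granted.add(perm)
        for key, child in node.items():
            if isinstance(child, dict) and not key.startswith("."):
                walk(child, f"{path}/{key}", granted)

    walk(rules_doc.get("rules", {}), "", set())
    return findings


def exposure(rules_doc):
    """'write' if anyone can modify data, 'read' if anyone can only read it,
    else 'none' (the distinction the Comparitech figures draw)."""
    perms = {perm for _, perm, _ in audit_rules(rules_doc)}
    return "write" if "write" in perms else "read" if "read" in perms else "none"


# Constructed rule documents. OPEN_RULES is the everything-public shape that
# lets a database answer plain unauthenticated GET requests on <db-url>/.json.
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

MIXED_RULES = {
    "rules": {
        "catalog": {".read": True},  # public read, perhaps deliberate
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "uploads": {".read": "auth != null", ".write": "1 == 1"},  # write open to all
    }
}

LOCKED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
}

if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("mixed", MIXED_RULES), ("locked", LOCKED_RULES)):
        print(f"{name:<7} exposure={exposure(doc):<5} findings={audit_rules(doc)}")
```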
As the world continues to grapple with COVID-19, our lives have become increasingly dependent on digital interactions. Operating at home, we’ve had to rely on e-commerce, telehealth, and e-government to manage the everyday business of life. Our daily online usage has increased by over 20 percent. And if we’re fortunate enough to have a job that we can do from home, we’re accessing corporate apps from outside the company firewall.
Whether we’re signing into social media, mobile banking, or our workplace, we’re connecting via online accounts that require a username and password. The more we do online, the more accounts we have. It becomes a hassle to constantly create new passwords and remember them. So, we take shortcuts. According to a Ponemon Institute study, people reuse an average of five total passwords, both business and personal. This is one aspect of human nature that hackers bet on. If they get hold of one password, they know they can use it to pry open more of our digital lives. A single compromised password, then, can create a chain reaction of liability.
No matter how strong or complex a password is, it’s useless if a bad actor can socially engineer it away from us or find it on the dark web. Plus, passwords are inconvenient and a drain on productivity. People spend hours each year signing into applications and recovering or resetting forgotten usernames and passwords. This activity doesn’t make things more secure. It only drives up the costs of service desks.
People today are done with passwords
Users want something easier and more convenient. Administrators want something more secure. We don’t think anyone finds passwords a cause to celebrate. That’s why we’re helping organizations find smarter ways to sign in that users will love and hackers will hate. Our hope is that instead of World Password Day, we’ll start celebrating World Passwordless Day.
Since an average of one in every 250 corporate accounts is compromised each month, we know that relying on passwords isn’t a good enterprise defense strategy. As companies continue to add more business applications to their portfolios, the cost of passwords only goes up. In fact, companies are dedicating 30 to 60 percent of their support desk calls to password resets. Given how ineffective passwords can be, it’s surprising how many companies haven’t turned on multi-factor authentication (MFA) for their customers or employees.
Passwordless technology is here—and users are adopting it as the best experience for strong authentication. Last November at Microsoft Ignite, we shared that more than 100 million people were already signing in using passwordless methods each month. That number has now reached over 150 million people. According to our recent survey, the use of biometrics for work accounts is set to double this year, with nearly a quarter of companies already using or planning to deploy biometrics soon, signaling an increased desire to ditch the eight-character nuisance.
We now have the momentum to push forward initiatives that increase security and reduce cost. New passwordless technologies give users the benefits of MFA in one gesture. To sign in securely with Windows Hello, all you have to do is show your face or press your finger. Microsoft has built support for passwordless authentication into our products and services, including Office, Azure, Xbox, and GitHub. You don’t even need to create a username anymore—you can use your phone number instead. Administrators can use single sign-on in Azure Active Directory (Azure AD) to enable passwordless authentication for an unlimited number of apps through native functionality in Windows Hello, the phone-as-a-token capabilities in the Microsoft Authenticator app, or security keys built using the FIDO2 open standards.
Of course, we would never advise our customers to try anything we haven’t tried ourselves. We’re always our own first customer. Microsoft’s IT team switched to passwordless authentication and now 90 percent of Microsoft employees sign in without entering a password. As a result, hard and soft costs of supporting passwords fell by 87 percent. We expect other customers will experience similar benefits in employee productivity improvements, lower IT costs, and a stronger security posture. To learn more about our approach, watch the CISO spotlight episode with Bret Arsenault (Microsoft CISO) and myself. By taking this approach 18 months ago, we were better set up for seamless secure remote work during COVID-19.
For many of us, working from home will be a new norm for the foreseeable future. We see many opportunities for using passwordless methods to better secure digital accounts that people rely on every day. Whether you’re protecting an organization or your own digital life, every step towards passwordless is a step towards improving your security posture. Now let’s embrace the world of passwordless!
The post Protect your accounts with smarter ways to sign in on World Passwordless Day appeared first on Microsoft Security.
Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.
At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:
- For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
- In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
- For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.
Microsoft Defender Advanced Threat Protection (ATP) is an industry-leading endpoint security solution that’s built into Windows with extended capabilities for Mac and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time with false positives.
Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”
No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.
Basic 24/7 via email
Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.
[Screenshot: Email notification settings in Microsoft Defender Security Center.]
These emails will be sent to your team and should be monitored for high severity situations after-hours.
If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.
[Screenshot: Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.]
Now any future alerts will create a new ticket in your ticketing system where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender’s Security Center for further investigation and triage.
Enhanced 24/7 via APIs
What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:
[Screenshot: API call to retrieve authentication token.]
Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts.
[Screenshot: API call to retrieve alerts from Microsoft Defender ATP.]
The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive.
[Screenshot: Example of a Microsoft Defender ATP alert returned from the API.]
You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.
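The token request, the alert poll and the triage-on-severity rule from the email section, carried through as one script. This is an added example, not Red Canary's code: the token and alerts URLs and the `$filter` on `alertCreationTime` follow Microsoft's public Defender ATP API documentation, while the tenant/app identifiers and the sample alerts are constructed placeholders.

```python
"""Poll Microsoft Defender ATP for new alerts and decide which ones deserve an
after-hours page. Added example, not Red Canary's code. Token/alert URLs and
the $filter follow Microsoft's public Defender ATP API docs; the tenant and
app values and SAMPLE_ALERTS are constructed placeholders."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://api.securitycenter.microsoft.com"
ALERTS_URL = RESOURCE + "/api/alerts"
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def get_token(tenant_id, app_id, app_secret):
    """OAuth2 client-credentials grant against Azure AD (network call)."""
    body = urllib.parse.urlencode({
        "resource": RESOURCE, "client_id": app_id,
        "client_secret": app_secret, "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


def build_alerts_request(token, since):
    """GET /api/alerts filtered server-side to alerts created after `since`
    (an aware datetime), so each poll only returns what is new."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urllib.parse.urlencode({"$filter": f"alertCreationTime gt {stamp}"})
    return urllib.request.Request(f"{ALERTS_URL}?{query}",
                                  headers={"Authorization": "Bearer " + token})


def fetch_alerts(token, since):
    """Network call; the API wraps the alert list in a `value` key."""
    with urllib.request.urlopen(build_alerts_request(token, since)) as resp:
        return json.loads(resp.read())["value"]


def parse_time(stamp):
    # The API emits seven fractional digits ("...T01:40:11.1234567Z"), which
    # fromisoformat rejects on older Pythons, so truncate to whole seconds.
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def select_for_paging(alerts, seen_ids, min_severity="Medium"):
    """Return (alerts worth paging on, newest creation time seen).
    Drops anything below min_severity, anything already resolved, and any id
    already paged, mirroring the medium/high-only email rule above. The
    watermark advances even for dropped alerts so they are not re-fetched."""
    floor = SEVERITY_RANK[min_severity]
    to_page, newest = [], None
    for alert in alerts:
        created = parse_time(alert["alertCreationTime"])
        if newest is None or created > newest:
            newest = created
        if alert["id"] in seen_ids or alert.get("status") == "Resolved":
            continue
        if SEVERITY_RANK.get(alert["severity"], 0) < floor:
            continue
        seen_ids.add(alert["id"])
        to_page.append({
            "id": alert["id"], "severity": alert["severity"],
            "title": alert["title"], "host": alert.get("computerDnsName"),
            "created": created.isoformat(),
        })
    return to_page, newest


# Constructed sample in the shape of the list-alerts response (subset of fields).
SAMPLE_ALERTS = [
    {"id": "alert-0001", "severity": "Informational", "status": "New",
     "title": "Suspicious PowerShell command line", "computerDnsName": "ws01.example.test",
     "alertCreationTime": "2020-05-04T22:05:30.1234567Z"},
    {"id": "alert-0002", "severity": "High", "status": "New",
     "title": "Credential theft tool activity", "computerDnsName": "dc01.example.test",
     "alertCreationTime": "2020-05-04T23:15:02.7654321Z"},
    {"id": "alert-0003", "severity": "Medium", "status": "Resolved",
     "title": "Unusual process launched", "computerDnsName": "ws02.example.test",
     "alertCreationTime": "2020-05-04T23:30:00.0000000Z"},
    {"id": "alert-0004", "severity": "Medium", "status": "InProgress",
     "title": "Suspicious scheduled task", "computerDnsName": "srv03.example.test",
     "alertCreationTime": "2020-05-05T01:40:11.0000000Z"},
    {"id": "alert-0005", "severity": "Low", "status": "New",
     "title": "Anomalous sign-in", "computerDnsName": "ws01.example.test",
     "alertCreationTime": "2020-05-05T02:00:00.0000000Z"},
]

if __name__ == "__main__":
    seen = set()
    page, watermark = select_for_paging(SAMPLE_ALERTS, seen)
    for item in page:
        print(f"PAGE {item['severity']:<6} {item['host']}: {item['title']}")
    print("next poll from", watermark.isoformat())
```

Swap `SAMPLE_ALERTS` for `fetch_alerts(get_token(...), watermark)` in a loop to run it against a live tenant; the paged items still carry only the API's summary fields, so the on-call engineer follows up in the Security Center as the text notes.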
24/7 with Red Canary
By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.
Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own proprietary analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.
Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):
[Diagram: Managed detection and response with Red Canary.]
Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams/Slack, and more. Below is an example of what one of those detections might look like.
[Screenshot: Red Canary confirms threats and prioritizes them so you know what to focus on.]
At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s senior detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:
[Screenshot: Notes from Red Canary senior detection engineers (in light blue) provide valuable context.]
You’re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.
What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.
[Screenshot: Red Canary automation playbook.]
This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:
[Screenshot: Red Canary Automate playbook to automatically remediate a detection.]
Getting started with Red Canary
Whether you’ve been using Microsoft Defender ATP since its preview releases or you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.
Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:
“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”
Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.
Contact us to see a demo and learn more.
The post How to gain 24/7 detection and response coverage with Microsoft Defender ATP appeared first on Microsoft Security.