Category Archives: security

There She Breaches! Watch Out For Your Identity Data!

Data breaches keep on coming. Here’s what you can do to stay ahead of the hackers

Money makes the world go around. It’s the glue that holds our society together and the engine that drives our economy. But it’s also coveted by a growing global population of highly resourceful and determined cyber-criminals. They’re out to get what they can and their route to riches usually begins with the theft of data—your data. While sometimes it’s stolen direct from individuals, there’s a far bigger potential pay-off from hitting a company that may be storing personal data on millions of customers.

These data breaches have become depressingly common in the 21st century. And over the past month or so another two firms have been found wanting – exposing a further 30 million customers. To keep ourselves insulated as much as possible from incidents like this we need to be alert, to track when breaches happen and if we’re affected, and we need to plan ahead to protect the gateways to our digital lives: our digital IDs and passwords.

Breaches are here to stay

So, what’s the scope of the problem? Well, if cybercrime were a country it would have the 13th highest GDP in the world, generating as much as $1.5 trillion each year, according to some estimates. And according to a new report, there have been nearly 4,000 data breaches already in the first six months of 2019, a 54% increase on the same period last year — exposing 4.1bn records.

A sophisticated underground economy offers hackers all the tools and expertise they need to launch attacks, and a thriving digital Dark Web marketplace in which to sell stolen data to fraudsters and other cyber-criminals. Many do not even need technical skills to get started, they simply rent hacking kits as a service, point and click.

This is what businesses are up against. As long as there’s money to be made, there’ll be a steady stream of cyber-criminals knocking at their door, testing their systems and trying to get in. The latest two to suffer major breaches of customer data are the popular online merchandise store CafePress and the e-commerce firm StockX.

We know by now that even the most secure business in the world can be hacked, as long as the attacker is determined enough. Instead, it’s how the business responds to an attack that matters. Unfortunately, these two firms have been heavily criticized for various deficiencies including:

  • Failing to quickly spot and contain the breach. For CafePress the intrusion is said to have occurred in February, but the breach only came to light in August. In the case of StockX it happened in May, but went unreported until August.
  • Failing to come clean straightaway about the breach. In the case of CafePress, its 23 million affected users don’t appear to have been formally notified at all. Instead, they were urged to change their log-ins as part of an ‘updated’ password policy. StockX also sent out a general password reset for its customers, although a week later it did finally reveal what had happened.
  • Failing to properly secure passwords. Half of those compromised in the CafePress breach are said to have been protected by a weak algorithm (SHA-1), meaning hackers could effectively still use them. Just days after the StockX breach was revealed, it emerged that decrypted passwords were already being sold on the Dark Web.

What could hackers do with my password?

Stolen identity data can be used to impersonate victims online in identity fraud attempts, or in phishing attacks designed to grab even more sensitive data from the victim.

However, a lot of the time it is the email-address-and-password combos that the hackers are after. Why? Because these are the virtual keys to our digital world – offering access to everything from online banking to our emails, cloud storage and even video streaming services.

We all own so many online accounts today that password reuse across these sites and apps is commonplace. Remembering hundreds of complex, secure log-ins is simply unfeasible, so we go for one or two simple ones, and use them for everything.

The problem is the bad guys know this, and use so-called “credential stuffing” techniques to try the log-ins they’ve stolen from CafePress, StockX, or the latest breached company, across multiple sites. They can run these at great speed, and use huge volumes of breached log-ins to try and crack open user accounts on other sites/apps. They only have to be lucky a tiny fraction of the time to make it worth their while.

This technique was behind an estimated 30 billion unauthorized log-in attempts in 2018.

With working log-ins, hackers could:

  • Steal the personal identity information in your account to sell it to fraudsters
  • Sell access to the account itself. The Dark Web is awash with stolen accounts for sale, offering free taxi rides (Uber), video streaming (Netflix) discounted travel (Air Miles) and much more. You might not notice until you next log-in that something is wrong.

What you can do

It’s important than ever for consumers to get proactive about their own data security, by utilizing an identity monitoring service, which notifies you when your credentials have been compromised or are being sold on the Dark Web; and by beefing up how you manage your online credentials—your IDs and passwords—using a password manager tool to create longer and stronger passwords. Trend Micro has solutions for both (see below).

You should also consider adding a second layer of security by switching on two-factor authentication for any accounts that offer it. This will request another “factor” such as a fingerprint, facial scan, or one-time SMS passcode[i] in addition to your passwords. You can achieve the same end-result by downloading a handy 2FA app, such as Google Authenticator or Authy.

Here’s a checklist of other data security tips:

  • Change your password immediately if a provider tells you your data may have been breached and make sure that all of your passwords across all of your online accounts are unique. Hackers will try to use stolen credentials to log in to other sites.
  • Keep an eye on your bank account/credit card activity
  • Only visit/enter payment details into HTTPS sites
  • Don’t click on links or open attachments in unsolicited emails
  • Only download apps from official app stores
  • Invest in AV for all your desktop and mobile devices
  • Ensure all operating systems and applications are on the latest version

[i] Note that one-time passcodes texted to your phone will not keep you safe if the hacker has access to your mobile phone number/account. This has happened multiple times in the past.

How Trend Micro can help

Data breaches at firms like CafePress and StockX may be happening on an almost regular basis today, but Trend Micro offers two complementary services to reduce your risk exposure:

  • Trend Micro ID Safe, available for iOS and Android, ID Safe monitors underground cybercrime sites on the Dark Web to securely check if your personal information is being traded by hackers. If an alert comes back, you can take immediate action, such as cancelling a credit card or changing an account password. All personal data is hashed and sent through an encrypted connection.
  • Trend Micro Password Manager provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign-in to. This means if one site is breached, hackers will not be able to use that password to open your other accounts. If ID Safe alerts you of a compromise, simply open up Trend Micro Password Manager and update the relevant password. Simple and secure.

Staying vigilant about the integrity your online accounts, beefing up your access with 2FA, and using a password manager will contribute significantly to maintaining the safety of your identity in an unsafe world.

_______________________

[1] Note that one-time passcodes texted to your phone will not keep you safe if the hacker has access to your mobile phone number/account. This has happened multiple times in the past.

The post There She Breaches! Watch Out For Your Identity Data! appeared first on .

United States government files civil lawsuit against Edward Snowden

The United States government sued Edward Snowden, the former CIA employee and NSA contractor, to block payment for his book, Permanent Record.

The US DoJ filed a lawsuit against Edward Snowden to prevent the former CIA employee and National Security Agency contractor from receiving the payment for his book, Permanent Record.

According to the civil lawsuit, filed in the Eastern District of Virginia, Snowden violated non-disclosure agreements signed when he was an employee at the US intelligence agencies.

“The United States today filed a lawsuit against Edward Snowden, a former employee of the Central Intelligence Agency (CIA) and contractor for the National Security Agency (NSA), who published a book entitled Permanent Record in violation of the non-disclosure agreements he signed with both CIA and NSA.” reads the press release published by the DoJ.

“The lawsuit alleges that Snowden published his book without submitting it to the agencies for pre-publication review, in violation of his express obligations under the agreements he signed. Additionally, the lawsuit alleges that Snowden has given public speeches on intelligence-related matters, also in violation of his non-disclosure agreements.”

The agreements require signatories to submit books and any publication to the agencies for review, before publishing it, to avoid the disclosure of classified information.

“Intelligence information should protect our nation, not provide personal profit,” declared G. Zachary Terwilliger, US Attorney for the Eastern District of Virginia, in a statement. “This lawsuit will ensure that Edward Snowden receives no monetary benefits from breaching the trust placed in him.”

The book, titled “Permanent Record,” has been released on September 17th, it was published by Henry Holt and Company.

Edward Snowden’s book includes details of the author’s life, including the description of his activity at the US intelligence agencies while they were buiding the Prism surveillance system.

The legal initiative of the UD DoJ aims at recovering all proceeds earned by Snowden, instead of blocking the publication of the book.

“The United States’ lawsuit does not seek to stop or restrict the publication or distribution of Permanent Record. Rather, under well-established Supreme Court precedent, Snepp v. United States, the government seeks to recover all proceeds earned by Snowden because of his failure to submit his publication for pre-publication review in violation of his alleged contractual and fiduciary obligations.” continues the press release.

The US DoJ also sued the publisher to prevent that payments are transferred to Snowden.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.

“This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

Edward Snowden lives in Russia since 2013 after leaking information about the US intelligence’s mass surveillance program, recently appealed to France’s government to grant him asylum.

Pierluigi Paganini

(SecurityAffairs – Edward Snowden, hacking)

The post United States government files civil lawsuit against Edward Snowden appeared first on Security Affairs.

Banks, Arbitrary Password Restrictions and Why They Don’t Matter

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway.

I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening:

People are Upset About Arbitrary Restrictions

This is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier on in the week:

It feels wrong because 5 digits presents an extremely limited set of different possible combinations the password can be. (There's something a little off with the maths here though - 5 digits would only provide 100k permutations whereas 5 characters would provide more in the order of 1.5B.)

That said, Westpac down in Australia certainly appears to be 6 characters:

Which puts us well north of a billion possibilities again. Want more? CommBank will give you 16 characters:

On the one hand, it's a damn sight more generous than the previous two banks yet on the other hand, why? And while I'm here questioning CommBank's logic, what the hell is going on with this:

Banks, Arbitrary Password Restrictions and Why They Don't Matter

1Password has an open letter to banks on precisely this because its awful advice steeped in legacy misunderstandings of both technology and human brains. That open letter is often used as a reference to persuade banks to lift their game:

So on the surface of it, the whole thing looks like a bit of a mess. But it's not necessarily that bad, and here's why:

Password Limits on Banks Don't Matter

That very first tweet touched on the first reason why it doesn't matter: banks aggressively lock out accounts being brute forced. They have to because there's money at stake and once you have a financial motivator, the value of an account takeover goes up and consequently, so does the incentive to have a red hot go at it. Yes, a 5-digit PIN only gives you 100k attempts, but you're only allowed two mistakes. Arguably you could whittle that 100k "possibilities" down to a much smaller number of "likely" passwords either by recognising common patterns or finding previously used passwords by the intended victim, but as an attacker you're going to get very few bites at that cherry:

Next up is the need to know the target's username. Banks typically use customer registration numbers as opposed to user-chosen usernames or email addresses so there goes the value in credential stuffing lists. That's not to say there aren't ways of discovering someone's banking username, but it's a significantly higher barrier to entry than the typical "spray and pray" account takeover attempts.

Then there's the authentication process itself and it reminds me of a discussion I had with a bank's CISO during a recent workshop. I'd just spent two days with his dev team hacking themselves first and I raised the bollocking they were getting on social media due a new password policy along the lines of those in the tweets you see above. He turned to me and said, "Do you really think the only thing the bank does to log people on is to check the username and password?" Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioural and heuristic patterns used to establish legitimacy. You won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture:

Then there's the increasing propensity for banks to implement additional verification processes at key stages of managing your money. For example, one of the banks I regularly use sends me a challenge via SMS whenever setting up a new payee. Obviously, SMS has its own challenges, but what we're talking about now is not just needing to successfully authenticate to the bank, but also to prove control of a phone number at a key stage and that will always be more secure than authentication alone.

And if all of this fails? Banks like ING will give you your money bank:

Now, compare all this to logging on to catforum.com:

Banks, Arbitrary Password Restrictions and Why They Don't Matter

How much sophistication do you think is behind those username and password fields in that vBulletin forum? Exactly, it's basic string-matching and this is really the point: judging banks by the same measures we judge basic authentication schemes is an apples and oranges comparison.

However, I disagree with banks taking this approach so let me now go and argue from the other side of the fence.

Banks Shouldn't Impose Password Limits

There are very few independent means by which we can assess a website's security posture in a non-invasive fashion. We can look for the padlock and the presence of HTTPS (which is increasingly ubiquitous anyway) and we look at the way in which they allow you to create and use passwords. There are few remaining measures of substance we can observe without starting to poke away at things.

So what opinion do you think people will form when they see arbitrary complexity rules or short limits? Not a very positive one and there are the inevitable conclusions drawn:

Hey [bank], does that 16 character limit mean you've got a varchar(16) column somewhere and you're storing passwords as plain text?

As much as I don't believe that's the case in any modern bank of significance, it's definitely not a good look. Inevitably the root cause in situations like this is "legacy" - there's some great hulking back-end banking solution the modern front-end needs to play nice with and the decisions of yesteryear are bubbling up to the surface. It's a reason, granted, but it's not a very good one for any organisation willing to make an investment to evolve things.

But beyond just the image problem, there's also a functional problem with arbitrarily low password limits:

I've been through this myself in the past and I vividly recall creating a new PayPal password with 1Password only to find the one in my password manager had been truncated on the PayPal side and I was now locked out of my account. This is just unnecessary friction.

Summary

So wrapping it all up in reverse order, arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.

But would I stop using a bank (as I've seen suggested in the past) solely due to their password policy? No, because authentication in this sector (and the other security controls that often accompany it) go far beyond just string-matching credentials.

Let's keep pushing banks to do better, but not lose our minds about it in the process.

The Top 10 Highest Paying Jobs in Information Security – Part 1

Given a surge in digital threats like ransomware, it is no surprise that the field of information security is booming. Cybersecurity Ventures estimates that there will be 3.5 million job openings across the industry by 2021. Around that same time, the digital economy research firm forecasted that global digital security spending would exceed one trillion […]… Read More

The post The Top 10 Highest Paying Jobs in Information Security – Part 1 appeared first on The State of Security.

Drone attacks hit two Saudi Arabia Aramco oil plants

Drone attacks have hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them is the Abqaiq site.

Drone attacks have hit Saudi Arabia’s oil production suffered severe damage following a swarm of explosive drones that hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia.

Online are circulating the images of a huge blaze at Abqaiq, site of Aramco’s largest oil processing plant, the Abqaiq site. A second drone attack hit the Khurais oilfield. Abqaiq is about 60km south-west of Dhahran, while in Khurais, 200km further south-west, there is the second-largest oilfield in the country.

According to the local media, the emergency response of the fire brigade teams allowed to control the fires at both facilities.

Saudi Arabia drone attacks 2
The two facilities are located in Abqaiq and Khurais, Saudi Arabia’s interior ministry said. (Photo: Twitter videograb | @Sumol67)

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant, according to a spokesman for the group in Yemen, it had deployed 10 drones in the attacks.

The group is threatening Saudi Arabia of further attacks. The Iran-aligned Houthi rebel movement fights the Yemeni government and a coalition of regional countries led by Saudi Arabia that fights the rebels since 2015, when President Abdrabbuh Mansour Hadi was was kicked out of Sanaa by the Houthis.

“The military spokesman, Yahya Sarea, told al-Masirah TV, which is owned by the Houthi movement and is based in Beirut, that further attacks could be expected in the future.” reported the BBC.

“He said Saturday’s attack was one of the biggest operations the Houthi forces had undertaken inside Saudi Arabia and was carried out in “co-operation with the honourable people inside the kingdom”.”

Secretary of State Mike Pompeo blamed Iran for coordinated the attacks, it added that we are facing an unprecedented attack on the world’s energy supply.

Officials have attributed the attacks to a specific threat actor:

“At 04:00 (01:00 GMT), the industrial security teams of Aramco started dealing with fires at two of its facilities in Abqaiq and Khurais as a result of… drones,” the official Saudi Press Agency reported. “The two fires have been controlled.”

The attacks will have a dramatic impact on Saudi Arabia’s oil supply, it could be cut off 50 percent following the incidents.

These latest attacks demonstrate the potential impact of drone attacks against critical infrastructures, at the time is not clear if the Houthis group use weaponized commercial civilian drones or they obtained military support from Iran.

“The Saudi Air Force has been pummelling targets in Yemen for years. Now the Houthis have a capable, if much more limited, ability to strike back. It shows that the era of armed drone operations being restricted to a handful of major nations is now over.” continues the BBC.

Groups like the Houthis and Hezbollah have access to drone technology and could use it is sophisticated operations. Intelligence analysts fear the escalating tensions in the region that could open a world oil crisis.

Pierluigi Paganini

(SecurityAffairs – drone attacks, Saudi Arabia)

The post Drone attacks hit two Saudi Arabia Aramco oil plants appeared first on Security Affairs.

This Week in Security News: IoT Devices Are a Target in Cybercriminal Underground

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how fileless malware abuses PowerShell. Also, read how Trend Micro researchers are pulling back the curtain on the cybercriminal underground to warn consumers and businesses about potential threats against IoT devices.

Read on:

Are IoT Threats Discussed In The Cybercriminal Underground?

Trend Micro researchers from around the globe monitored five different cybercriminal undergrounds and, given the amount of chatter, found that there is no doubt that IoT devices, mainly routers, are certainly a target.

From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-201901208 in Internet Explorer

Researchers share a proof of concept showing how a use-after-free vulnerability in Internet Explorer can be fully and consistently exploited in Windows 10 RS5. The flaw was discovered through BinDiff and addressed in Microsoft’s September Patch Tuesday.

‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell

The newest iteration of Purple Fox that researchers came across, being delivered by Rig, retains its rookit component by abusing publicly available code and now eschews its use of NSIS in favor of abusing PowerShell, making Purple Fox capable of fileless infection. This blog discusses features of this malware and security recommendations to avoid these types of threats.

Trend Micro Security’s Family of 2020 Releases Provide Enhanced Protections for PCs, Macs, Mobile Devices, and Home Networks

Trend Micro ensures its family of products is progressively enhanced to meet the needs of consumers and the Trend Micro Security 2020 Fall Release is no exception. Endpoint and network security products are improved to provide the most advanced protections from persistent, new, and emerging threats.

Smart Cities Will Require Smarter Cybersecurity

As cities become smarter, officials and security experts say that current defenses are unlikely to keep hackers at bay. Ideas for making cyber defenses smarter include reducing reliance on passwords and open-sourcing security standards to benefit from the perspective of a wider range of security professionals.

September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days

Continuing the trend from last month, several critical patches were for Remote Desktop Clients – all Remote Code Execution (RCE) vulnerabilities. Microsoft also patched two zero-days which are both elevation of privilege vulnerabilities.

Cybersecurity: 99% of email attacks rely on victims clicking links

Social engineering is by far the biggest factor in malicious hacking campaigns and nearly all successful email-based cyberattacks require the target to open files, click on links, or carry out some other action. While many of these attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.

Business Roundtable calls on Congress to pass consumer data privacy law

CEOs of 51 companies from the Business Roundtable, including Amazon, IBM and Salesforce, signed a letter to U.S. congressional leaders urging them to create a comprehensive consumer data privacy law.

Wikipedia Gets $2.5M Donation to Boost Cybersecurity

Wikipedia confirmed that it was hit by a malicious DDoS attack that took it offline across many countries. Following the attack, the Wikipedia Foundation received a $2.5M donation from Craigslist founder, Craig Newmark, to further expand security programs.

Ransomware attack on Premier Family Medical reportedly impacts records of 320K patients

The medical provider noted that the malware restricted employee’s access to their systems and data and has officially revealed the approximate number of affected patients in a disclosure to the federal government.

IoT Security: Now dark web hackers are targeting internet-connected gas pumps

Cyber criminals are increasingly turning their attention to hacking Internet of Things devices as connected products proliferate. While routers remain the top target for IoT-based cyberattacks, there’s a lot of discussion in underground forums about compromising internet-connected gas pumps.

Enhanced Trend Micro Security protects inboxes from scams and phishing attacks
Trend Micro announced the latest version of its flagship consumer offering, Trend Micro Security, which features enhanced protection from web threats and a new AI-powered Fraud Buster tool to protect Gmail and Outlook inboxes across the globe.

Texas Municipalities Hit by REvil/Sodinokibi Paid No Ransom, Over Half Resume Operations

Cybercriminals who held to ransom the files of 22 Texas local government units for a combined ransom amount of US$2.5 million did not get a single cent thanks to a coordinated state and federal cyber response plan.

Are you well-versed on Trend’s suggestions for protecting your routers and other devices from malware? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: IoT Devices Are a Target in Cybercriminal Underground appeared first on .

The Five Incident Response Steps

It is important to remember that implementing incident response steps is a process and not an isolated event. For a truly successful incident response, the team should have a coordinated approach. There are five key steps in responding to incidents to ensure efficiency.

<iframe width=”560″ height=”315″ src=”https://www.youtube.com/embed/Euhl7hNquTQ” frameborder=”0″ allow=”accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture” allowfullscreen></iframe>

The five important incident response steps are the following.

Preparation

The key to an effective incident response is preparation. Sometimes even with the best team, they cannot effectively address a situation without the proper guidelines or plan. This should be in place in order to support the team and is one of the most important incident response steps.

Features that should be included in the plan are:

  • Develop and document policies and procedures for proper incident response management.
  • Create a communication standard so teams can coordinate properly during an incident.
  • Incorporate threat intelligence feeds, and perform ongoing analysis and synchronization of feeds.
  • Do cyber hunting exercises for a more proactive approach to incident response.
  • Assess the current threat detection capability of the organization, and update if needed.

Detection and Reporting

The second in the series of incident response steps is detecting and reporting potential security threats.

Monitor

Firewalls, IP systems, and data loss prevention solutions can all help you monitor security events in the environment.

Detect

Security threats can be detected by correlating the alerts in a SIEM solution.

Alert

An incident ticket should then be created and the initial findings documented. An incident classification would then be assigned.

Reporting

All report processes should include ways to accommodate regulatory reporting escalations.

Analysis

Most of the understanding of a security threat happens during the analysis part of the incident response steps. Evidence is collected from the data coming in from tools and systems for proper analysis and identification of the incident.

Analysts should focus on three main areas:

Endpoint Analysis

  • Find any tracks that could have been left behind by the threat actor.
  • Collect all the artifacts required to recreate the timeline of events.
  • Analyze the systems from a forensic perspective.

Binary Analysis

Analyze any malicious binaries or tools used by the attacker, and document these programs along with their functionalities. This can be done either through behavioral analysis or static analysis.

Enterprise Hunting

  • Check systems and the event log to determine what was compromised.
  • Document all the accounts, machines, tools, programs, etc. that were compromised for proper containment.

Containment

The fourth in the incident response steps is one of the most critical: containing and neutralizing the threat based from all indicators gathered through the analysis. Normal operations can resume after system restoration.

Coordinated Shutdown

Once all the affected systems are identified, a coordinated shutdown should be done for these devices.

Wiping and Rebuild

All infected devices need to be wiped, then the operating systems are rebuilt from the ground up. Passwords need to be changed for accounts compromised by the threat event.

Threat Mitigation Requests

If domains or IP addresses are identified and known to be used by threat actors, you should issue a threat mitigation request in order to block all future communication with these domains.

Post-Incident

There is more work to be done even after containment is successful with the final of the incident response steps.

  • Create a complete incident report.
  • Closely monitor the activities of affected devices and programs.
  • Update your threat intelligence to avoid similar attacks.
  • Last but not least of the incident response steps, implement new preventive measures.

Also Read,

Building Your Incident Response Team

Many Organizations Lack Plan to Respond to Incidents: Study Report

The post The Five Incident Response Steps appeared first on .

The Free Mobile Anti-virus you are using can be a Fake!

Quick Heal Security Labs recently spotted multiple Fake Antivirus Apps on Google Play Store. What’s more alarming, is that one of these fake AV Apps has been downloaded 100000+ times already. These Apps appear to be genuine Anti-virus/virus-removal Apps with names like Virus Cleaner, Antivirus security, etc., but do not…

This Week in Security News: New Zero-Day Vulnerability Findings and Mobile Phishing Scams

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how music festival goers need to be on guard for phishing attacks when trying to find a lost iPhone. Also, read how Trend Micro researchers went public with their findings on a zero-day vulnerability impacting the Android mobile operating system. 

Read on:

Finding a Better Route to Router and Home Network Security

New research published reveals that many of the home routers sold in the US today are still missing basic protections. Read on to learn about how your router is exposed to hackers, what attacks are possible and how to protect your router and smart home with Trend Micro’s help.

Hiding in Plain Text: Jenkins Plugin Vulnerabilities

Jenkins, a widely used open-source automation server that allows DevOps developers to build, test, and deploy software efficiently and reliably, recently published security advisories that included problems associated with plain-text-stored credentials. Vulnerabilities that affect Jenkins plugins can be exploited to siphon off sensitive user credentials.

Big Tech Companies Meeting with U.S. Officials on 2020 Election Security

Facebook, Google, Twitter and Microsoft met with government officials in Silicon Valley on Wednesday to discuss and coordinate on how best to help secure the 2020 American election, kicking off what is likely to be a marathon effort to prevent the kind of foreign interference that roiled the 2016 election.

Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions

Trend Micro recently caught a malvertising attack distributing the malware Glupteba, an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. This blog discusses features of this malware and security recommendations to avoid this kind of attack.

Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion

A Trend Micro honeypot detected a spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers, which then sends an email with an embedded link to a scam site to specific email addresses.

Google, Trend Micro, IBM’s Red Hat ID’d Among Top Container Security Vendors

Container security presents a hot growth opportunity for the channel, with the global market expected to more than quadruple by 2024, reaching nearly $2.2 billion. North America is expected to account for the highest market share through 2024.

IPhone Theft Leads to Stolen Apple Credentials Through Phishing Attack

Of the hundreds who had their cellphones stolen or lost during the Lollapalooza music festival, one woman’s attempt to find her iPhone led her to a phishing scheme that stole her credentials. Like a regular phishing scheme, she received a seemingly legitimate text message with a link to what looked like the Find My iPhone webpage, but realized they were fake after she entered her credentials.

Ransomware Attacks Hit Taiwan Hospitals and Dubai Firm

Two notable ransomware attacks targeted several hospitals in Taiwan and a contracting company in Dubai last week. The ransomware attack in Taiwan prevented several hospitals from accessing their information systems, while the attack in Dubai froze a company’s systems.

Trend Micro, AWS Deliver Transparent, Inline Network Security for Enterprise Clouds

Trend Micro is taking new steps to help enterprises using Amazon Web Services to better deliver network security for cloud and hybrid operations.  IDN looks at Trend Micro Cloud Network Protection, along with the firm’s new XDR solution.

Sextortion Scheme Deployed by ChaosCC Hacker Group Demands US$700 in Bitcoin

A recently discovered email scheme reportedly deployed by a hacking group called ChaosCC claims to have hijacked recipients’ computers and recorded videos of them while watching adult content. This sextortion scheme reportedly attempts to trick recipients into paying US$700 in bitcoin.

Unusual CEO Fraud via Deepfake Audio Steals US$243,000 From U.K. Company

This fraud incident used a deepfake audio, an artificial intelligence (AI)-generated audio, and was reported to have conned US$243,000 from a U.K.-based energy company. According to a report, in March, the fraudsters used a voice-generating AI software to mimic the voice of the chief executive of the company’s Germany-based parent company to facilitate an illegal fund transfer. 

Zero-Day Disclosed in Android OS

Yesterday, Trend Micro researchers went public with their findings on a zero-day vulnerability impacting the Android mobile operating system after Google published the September 2019 Android Security Bulletin, which didn’t include a fix for their bug. The vulnerability resides in how the Video for Linux (V4L2) driver that’s included with the Android OS handles input data.

Container Security in Six Steps

Containers optimize the developer experience. However, as with any technology, there can be tradeoffs in using containers. This blog contains sex steps developers can follow to minimize risks when building in containers.

Are you well-versed on Trend’s suggestions for protecting your router and smart home from hackers? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: New Zero-Day Vulnerability Findings and Mobile Phishing Scams appeared first on .

Expanding bug bounties on Google Play

Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy

[Cross-posted from the Android Developers Blog]

We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).

Google Play Security Reward Program Scope Increases

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.

To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.

Introducing the Developer Data Protection Reward Program

Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.

The program aims to reward anyone who can provide verifiably and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty.

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!

Three Common Email Security Mistakes That MSPs Make

MSPs can generate recurring revenue by being proactive about educating customers about email threats and how to defeat them—if they avoid three common mistakes.

Businesses have come to rely on cloud email and file-sharing applications for communication and productivity. But, too often, they assume these platforms’ built-in security delivers enough protection against email-borne threats.

The reality is quite different.

While the built-in protection of platforms such as Microsoft Office 365 and Google Drive catches some threats, it is not designed to detect the myriad unknown dangers that amount to 95% of all cyber threats in the wild, according to Trend Micro research.

Businesses need an added layer of protection for email and file-sharing platforms. But most organizations don’t realize this need until it’s too late and their systems have already been breached.

That’s why MSPs and IT service providers should be proactive in educating customers about email threats–and how to defeat them. In so doing, providers position themselves to generate new recurring revenue. But they must avoid three common mistakes providers make regarding email security:

1. Failing to educate customers

Surprisingly, not all MSPs and IT service providers are aware of the need to add a layer of protection to cloud email platforms. Like their customers, many believe built-in controls get the job done.

This being the case, providers fail to educate customers on the dangers of email-born threats, leaving them susceptible to malware infections through phishing and spam, fraud, spying and information theft. Providers must make clear that an attack caused by one user’s bad decision to click an infected URL or attachment can bring an organization to its knees and have long-term repercussions: Atlanta is still reeling from a 2018 ransomware attack that cost the city $2.7 million.

2. Placing too much faith on end-user training

There’s no question users need education on safe security practices to avoid infecting their own computers and their network. Phishing is effective because it preys on users’ trust and curiosity to deliver ransomware and other forms of malware: Consider that in 2018, credential phishing tactics accounted for 40 percent of all high-risk email threats. But you can’t stop phishing by merely telling users not to click a link or attachment; someone is always going to do it.

Because training alone cannot fully address security risks, providers should introduce solutions to customers that stop threats before they reach users. They should also teach users to spot threats before clicking infected links and attachments.

3. Leaving service revenue on the table

Providers can build various services around security, including assessments that show how many threats their cloud platforms miss, as well as simulations that determine how many end users fall for phishing scams.

Assessments can lead to other, ongoing services, including awareness and training programs to help users avoid and report email threats. These services create new revenue streams and stickiness with customers.

Trend Micro’s Approach

Increased customer reliance on cloud email makes these platforms a bigger target for hackers. MSPs can minimize the target with the right solutions and services to protect customers. Trend Micro’s email security solution is easy to set up; it has direct APIs for various cloud applications, and it employs advanced features such as machine learning and Writing Style DNA to identify and stop phishing and other threats. Secure your email–and your company’s future–today.

 

The post Three Common Email Security Mistakes That MSPs Make appeared first on .

Trend Micro Named A Leader in 2019 Gartner Magic Quadrant for Endpoint Protection Platforms

Leadership. It’s a weighty term, although frequently it is used too lightly and all too often it’s a self-declared position. We believe, leaders can come and go, and leadership can be fleeting depending on the factors for long term success.

It is for all these reasons, that we are proud, not only to be in a Leader’s position in the 2019 Gartner® Magic Quadrant for Endpoint Protection Platforms[1] (EPP), but to have been named a Leader by Gartner in this category since 2002[2].

We believe that true leadership is sustained leadership with a proven track record of consistent strength in vision and execution.

It has been a transformative period for the EPP market with waves of innovation along the way. We believe, the difference with Trend Micro as a Leader, is that new techniques and capabilities are additive to our solution value, they are not the sum of it.

We’ve been able to build out our endpoint offering by continuously adding to the wide range of threat detection & response capabilities, along with investigative features as an innate part of a single-agent solution, simplifying deployment and enabling integrated workflows. This provides a balanced and comprehensive approach to endpoint security, which is imperative given the diversity in the threat landscape.

Job one is detecting and blocking as many endpoint threats as possible without manual intervention. The more threats you automatically prevent or stop, the fewer you need to investigate and respond to. That point can’t be overlooked or undervalued, although it often is.

When threats get through, you need actionable insight and an investigative toolset for hunting and sweeping activities, patient zero identification, and root cause analysis covering the use cases most needed and most leveraged.

The market continues to be excited about Endpoint Detection and Response (EDR), and we are strongly committed to delivering an effective solution in this regard; however, we believe effectiveness is not just about deepening the capabilities (although we are doing that), but by also delivering more than what EDR alone is designed to do.

That is why we are committed to going beyond the endpoint, with XDR.

For example, we recently introduced the capability to combine email and endpoints in the investigation of a detection, enabling you to trace a root cause analysis back into email (#1 attack source) to understand who else received the email or has a malicious file in their Office365 or Gmail inbox. Containing the threat and stopping the spread gets easier when you are looking beyond the endpoint — something you can’t do with EDR alone.

Our broader XDR strategy provides customers a means to further integrate and extend their detection and response capabilities across email, endpoints, servers, cloud workloads, and networks in a single platform and/or via a managed service.  With XDR, you can clearly visualize the overall security posture and effectively hunt, detect, analyze and respond to threats across security layers. Leveraging our market-leading products like Apex One (endpoint) Deep Security (server/cloud workloads), Deep Discovery and TippingPoint (network) and Cloud App Security (messaging and collaboration), XDR offers expert security analytics for alert correlation, and consolidated visibility and investigation of events. The key value of XDR is that it can connect minor events from different security silos (like EDR) to detect more complex attacks that would have otherwise remained unnoticed. You can learn more about XDR here.

The truth is that for many companies, the capabilities of the detection and response tools often exceed their capacity to use them due to time and resource limitations. Thus, a managed service is a great option. Trend Micro’s Managed XDR service can take the burden off of constrained teams, and also offers customers an opportunity to use the service for one or a multitude of security vectors – endpoint, network, servers & cloud workloads, email – for a single source of detection and response. The more sources to correlate, the better the insight – that’s the XDR advantage.

We believe XDR is another proof point of our deep-seated commitment to our ongoing evolution and innovation. This is how we’ve stayed current, relevant and effective over the years.

At the end of the day, the endpoint is extremely important to a company’s defenses and thus demands a strong solution. That’s why having confidence you are making a reliable choice for endpoint protection, now and over the long term, is imperative.  In a market that is changing, amid a vendor landscape that is noisy and confusing, that can be difficult. That’s why third-party evaluations like the Gartner Magic Quadrant are important, along with independent testing and POCs.

Get the full report here.

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Magic Quadrant for Endpoint Protection Platforms, 20 August 2019, Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber

[1] Gartner “Magic Quadrant for Endpoint Protection Platforms,” by Peter Firstbrook, Lawrence Pingree, Dionisio Zumerle, Prateek Bhajanka, Paul Webber, August 2019

[1] Under the names of “Magic Quadrant for Endpoint Protection Platforms,” and previously, “Magic Quadrant for Enterprise Antivirus”

(Enterprise Antivirus 2Q02 MQ: Room for Improvement, Magic Quadrant for Enterprise Antivirus, 1H03, Magic Quadrant for Enterprise Antivirus, 2006,  “Magic Quadrant for Endpoint Protection Platforms” from 2007 onwards)

 

The post Trend Micro Named A Leader in 2019 Gartner Magic Quadrant for Endpoint Protection Platforms appeared first on .

This Week in Security News: DevOps Implementation Concerns and Malware Variants

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how most respondents to a Trend Micro survey shared their concern for the risks in implementing DevOps. Also, read on about how Trend Micro uncovered a MyKings variant that had been hiding for roughly two years before it was discovered.

 

Read on:

How Do Threats Align with Detection and Solutions?

There are many different threats targeting many different areas of a corporate network. I built an interactive graphic to help others understand the full ecosystem of how security works across your network, how to detect threats and ultimately what solutions can be utilized in the different areas of networks to protect themselves and their systems and data.

XDR Is the Best Remedy as Attackers Increasingly Seek to Evade EDR

Greg Young, vice president of cybersecurity at Trend Micro, discusses how many enterprises don’t effectively manage their endpoints and how Trend Micro’s XDR solution is a more effective solution for endpoint management and dealing with evasive threats.

Nest Enrages Users by Removing Option to Disable Camera Status LEDs

Google just made good on one of the promises it made at I/O 2019 — it’s removing the option to disable camera status LEDs. Nest customers have responded with almost universal anger to the change. They’ll be able to dim the lights on Nest Cam, Dropcam, and Hello devices, but you won’t be allowed to turn them off while they’re recording.

The Sky Has Already Fallen (You Just Haven’t Seen the Alert Yet)

Rik Ferguson, vice president of security research at Trend Micro, discusses how the typical security operations center (SOC) of today is drowning in a volume of alerts. In the financial world, 60 percent of banks routinely deal with more than 100,000 alerts every day, with 17 percent of them reporting more than 300,000 security alerts, and this pattern is repeated across industry verticals.

Innovate or Die?

Bill Malik, vice president of infrastructure strategies at Trend Micro, discusses how a recent series of IT acquisitions and IPOs highlight a simple economic fact: companies that fail to keep up with the fast-paced innovation of technology can easily become targets for acquisition.

MoviePass Exposed Thousands of Unencrypted Customer Card Numbers

Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. A massive, exposed database on one of the company’s many subdomains was found containing 161 million records at the time of writing and growing in real time.

The Path to Secure DevOps Initiatives: Bridging the Gap Between Security and DevOps

The growing demand for faster and more efficient software development brings DevOps to the fore, but not without disrupting the inner workings of production and security teams. In a survey commissioned by Trend Micro, majority of the respondents shared their concern for the risks in implementing DevOps.

FAKE APPS! Courtesy of Agent Smith

Early this month a new global Android malware campaign called Agent Smith was revealed to have compromised 25 million handsets across the globe including many in the U.S., serving as another reminder to users not to take mobile security for granted. Fortunately, users can make giant strides towards keeping the hackers at bay with a few easy steps.

Google Android Adware Warning Issued To 8 Million Play Store Users

Security researchers at Trend Micro have revealed that the Google Play Store hosted 85 apps ridden with adware. Worse still, these apps have netted more than 8 million downloads. The adware-ridden apps were posing as legitimate services focusing on gaming or photography. 

OVIC Finds PTV in Violation of Privacy and Data Protection Act 2014 in myki Records Disclosure

The Office of the Victorian Information Commissioner (OVIC) determined that the Public Transport Victoria (PTV) breached the Information Privacy Principle (IPP) under the Privacy and Data Protection Act 2014. The decision came after the PTV released data in 2018 that exposed more than 15 million myki cards’ “touch on” and “touch off” travel history data, which could be used to identify specific users.

BEC Scam Costing Almost US$11 Million Leads to FBI Arrest of Nigerian Businessman

The CEO of the Invictus Group of Companies, Obinwanne Okeke, has reportedly been arrested by the U.S. Federal Bureau of Investigation (FBI) after he was accused of conspiracy to commit computer and wire fraud. The FBI investigation into Okeke was initiated after a victim of a business email compromise (BEC) scam informed the FBI that it had been defrauded of nearly US$11 million.

22 Texas Towns Hit with Ransomware Attack In ‘New Front’ Of Cyberassault

State officials confirmed this week that computer systems in 22 municipalities have been infiltrated by hackers demanding a ransom. A mayor of one of those cities said the attackers are asking for $2.5 million to unlock the files. The Federal Bureau of Investigation and state cybersecurity experts are examining the ongoing breach, and officials have not disclosed which specific places are affected.

Uncovering a MyKings Variant with Bootloader Persistence via Managed Detection and Response

MyKings alone has already infected over 500,000 machines and mined an equivalent of US$2.3 million as of early 2018. The timing of the attack we recently found could indicate that it may have been part of the campaign we previously found in 2017.

Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector, which inject code in Word and PDF files respectively.

They’re Attacking the Brain of Your Smart Home (or Office)

A smart device that turns your lights off when you leave or checks to see if you left any doors or windows unlocked may be convenient, but adding and connecting more smart items to your house can cause new and unexpected problems and let the bad guys in. Greg Young, Trend Micro’s vice president of cybersecurity, discusses various ways to protect smart homes from these kinds of cyber attacks.

Are you up to speed on how security works across your network, how to detect threats and what solutions can be utilized in different network areas to protect systems and data? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: DevOps Implementation Concerns and Malware Variants appeared first on .

The Sky Has Already Fallen (you just haven’t seen the alert yet)

Of course, the much-touted “Cybersecurity Skills Shortage” isn’t news to anyone, or it shouldn’t be. For seven or more years, journalists, industry analysts and practitioners have been opining about it one way or another. Analyses and opinions vary on how we have reached this impasse, my own being that this is a largely self-inflicted crisis caused by proscriptive hiring practices and unreasonable job requirements, but the outcome remains the same. We have too few people doing too much work, with too many tools and too few meaningful resources.

The typical SOC of today is drowning in a volume of alerts. In the financial world for example 60% of banks routinely deal with 100,000+ alerts every day, with 17% of them reporting 300,000+ security alerts, according to research carried out by Ovum, and this pattern is repeated across industry verticals.

There is no way that the typical Security Operations Center is staffed to the levels required to be able to triage these alerts, meaning that a large proportion of them are simply never actioned (read ignored). Of those that do eventually see a pair of eyes, it hardly seems worth the effort. An EMA report all the way back in 2017 found that analysts were spending around half an hour investigating each incident with much of the time being spent either downgrading alerts marked as critical (46%) or otherwise reprioritizing (52%) and identifying false positives (31%).

This deluge of information, coupled with a focus on small, repetitive and often manual tasks are critical components contributing to fatigue, boredom, and a feeling of powerlessness in the workplace. A recent survey carried out by Trend Micro revealed that IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47%) and keeping track of a fractured security environment (43%). The survey showed that they are feeling the weight of this responsibility, with many (34%) stating that the burden they are under has led their job satisfaction to decrease over the past 12 months. It’s not just the SOC analysts either. In that same survey one third of IT executives told us that they felt completely isolated in their role.

Workplace pressure at these levels is simply not sustainable, fatigue leads to neglect, neglect to mistakes, and mistakes lead to burnout, further reducing the available talent pool and dissuading others from ever entering into the industry, it’s a vicious circle.

This security event flood is exacerbated by the fact that the majority of organizations rely on large numbers of specialized and disconnected tools. Many of the alerts that analysts are dealing with are often different views of the same object, or duplicate notifications from discrete security tools. The Ovum report I mentioned above notes that almost half their respondents (47%) told them that only one in five events is actually related to a unique security event.

In fact, Security Operations Centers are drowning in threat data, all the while thirsting for meaningful threat intelligence.

Water, water everywhere and all the boards did shrink,

Water, water everywhere nor any drop to drink.

A recent blog post by my friend and colleague Greg Young laid out his reasoning on “Why XDR is a big deal and is different from SIEM and Platforms.” And a truly mature XDR technology, with feature rich APIs, collecting, correlating, triaging, reporting and perhaps even remediating (to a certain level) must represent the direction of travel for the SOC of the near future.

We are not going to solve the skills shortage within a decade; arguably, we are not going to solve it at all, particularly if we continue to focus on filling the gap with human brains. The problem is not in the potential recruitment pipeline, it is in the actual data pipeline and that is where technology must play the lead role. An AI driven Tier I SOC platform able to scale with the continually increasing volume of data, automating and accelerating initial analysis, the creation of incident context, chasing down patient zero through an automated root cause analysis. Such a system would present the human Escalation Analysts with aggregated data in a logical attack-centric progression automating the Monitor, Prevent, Detect and Investigate roles and providing the SOC analyst with actionable threat intelligence for real Response and Remediation.

The post The Sky Has Already Fallen (you just haven’t seen the alert yet) appeared first on .

FAKE APPS!—courtesy of Agent Smith

As new mobile malware sweeps the globe, here’s how to keep your device secure.

We’re spending more and more of our lives online and for most of us the door to this digital world is our smartphone. It’s the first thing we look at when we wake up and the last thing we check at night. It’s where we do our banking and shopping, where we hang out with friends, play games to pass the time, post status updates and share photos. It’s where we watch TV, hail cabs and even consult our local doctor.

There’s just one problem: the bad guys know this and they’ve become highly skilled at making money off the back of our reliance on mobile devices. Early this month a new global Android malware campaign called Agent Smith was revealed to have compromised 25 million handsets across the globe including many in the US.

It should be another reminder to users not to take mobile security for granted. Fortunately, with a few easy steps you can make giant strides towards keeping the hackers at bay.

What is Agent Smith?

Remember the malignant agent/virus antagonist to Neo in The Matrix? Well, Agent Smith is the latest in a long line of malware campaigns designed to infect consumers’ mobile devices. It begins life embedded inside legitimate-looking applications like photo apps, gaming titles and/or adult-themed software. These are found more on popular third-party marketplaces such as 9Apps, rather than the official Google Play store, though it showed up there too.

Once a user installs one of these booby-trapped apps, the malware will get to work, exploiting vulnerabilities in the Android operating system. It extracts a list of all the legit apps that the user has installed on their phone and then sets about replacing them with identical-looking but malicious versions.

How does it affect me?

If you’re unlucky enough to have your device infected with Agent Smith, it will then go on to hijack your apps to show unwanted ads – thereby generating the hackers money. Although this doesn’t sound too catastrophic for the victim, there is the potential for the attack to get much worse. Researchers have claimed that the same malware could be used to steal sensitive information like online banking credentials from an infected device.

As of early July, Agent Smith had already infected over 302,000 mobile devices in the US. The number may be even higher today. It’s one of the biggest threats seen so far this year, but it’s by no means the only one. Attackers are always looking for ways to get malware onto consumers’ devices, and in so doing:

  • Steal log-ins for key accounts like online banking
  • Secretly mine for crypto-currency using your device, which can cause it to slow down
  • Flood your screen with pop-up adverts, making it unusable
  • Lock your device with ransomware until a fee is paid
  • Sign your device up to premium rate services which can incur heavy charges

How do I stay safe?

Google is getting better at preventing apps loaded with hidden malware from being published on its official Play Store, but there are still occasions when some sneak through. The hackers behind Agent Smith were found to have hidden malware elements on 11 apps listed on Google Play. Two of them had already reached 10 million downloads by the time Google was notified and they were withdrawn.

App downloads are also only one of several avenues where your mobile device could be at risk of attack. Others include via malicious text or IM messages, public Wi-Fi networks that you might be sharing with hackers, and even lost or stolen devices.

Here’s a quick rundown of some key steps to stay safe:

  • Stick to legitimate stores (Google Play and Apple’s App Store) – you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
  • Read the permissions requested by applications when you install them. If they seem excessive (i.e., a gaming app that wants to access your address book and microphone) then avoid. It’s better to be safe than sorry.
  • Always ensure you’re on the latest version of Android.
  • Don’t log-in to public Wi-Fi, or if you must, don’t use any sensitive accounts (email, banking etc) until you get back onto a private and secure network. Otherwise, use a WiFi VPN, like Trend Micro WiFi Protection.
  • Ensure your device has a remote lock and wipe feature switched on, to sign out of accounts and wipe the device if it is lost or stolen.
  • Don’t brick/jailbreak the device as this can expose it to security risks.
  • Be cautious – you may be more likely to click on phishing links in emails, texts, and via social channels when on the move as you could be distracted and/or in a rush.
  • Run anti-malware on your mobile device, from reputable company like Trend Micro.

How can Trend Micro help?

The last recommendation is non-trivial. Trend Micro offers customers comprehensive anti-malware capabilities via Trend Micro Mobile Security (TMMS), which provides protection from malicious apps via the Mobile App Reputation Service (MARS).

With Agent Smith, there are two malicious parts: the Agent Smith malware itself and the doppelganger apps that it creates on victim devices to replace the legitimate ones. MARS/TMMS detects both. On Google Play, the MARS/TMMS pre-install scan will detect Agent Smith before it installs. (This same function will prevent you from downloading other malicious apps to your device.) Otherwise, both Agent Smith (installed from a 3rd-party store) or the doppelganger apps it creates will trigger the real-time scan in MARS/TMMS and warn you the apps are not safe, so you can delete them from your device.

Among its other features, Trend Micro Mobile Security also:

  • Blocks dangerous websites
  • Checks if public WiFi connections are safe
  • Guards financial and commercial apps
  • Optimizes your device’s performance
  • Protects your kids’ devices with parental controls
  • Protects your privacy on social media
  • Provides lost device protection.

Used in conjunction with Trend Micro Password Manager, for securing and managing your passwords, and Trend Micro WiFi Protection, for keeping you save on public WiFi, Trend Micro Mobile Security can help keep your mobile device—both you and your identity—safe from threats like Agent Smith and countless others.

The post FAKE APPS!—courtesy of Agent Smith appeared first on .

Extended Validation Certificates are (Really, Really) Dead

Extended Validation Certificates are (Really, Really) Dead

Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren't displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.

The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone cold dead. Here's the Google announcement:

On HTTPS websites using EV certificates, Chrome currently displays an EV badge to the left of the URL bar. Starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon.

And here's the Firefox announcement:

In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information).

Chrome 77 is currently scheduled to ship on September 10 and Firefox 70 on October 22. With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.

I will admit to some amusement in watching all this play out, partly because the ludicrous claims about EV efficacy really come crashing down when it's no longer visible to the end user. But also partly because of comments along the lines of "Google is pushing the EV changes into the spec". Google wasn't pushing anything into a spec, no more so than Apple was last year and Mozilla is now, they were all simply adapting their own UIs to better service their customers and they've all arrived at the same conclusion: remove the EV entity name. But it's the reasons why they're doing this that I find particularly interesting, for example in the Chrome announcement:

Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.

That absolutely nails it - users aren't going to change their behaviour when they see a DV padlock rather than an EV entity name. This is precisely what Mozilla called out in their announcement:

The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing.

In fact, Mozilla went even further and referenced the great work that Ian Carroll did when he registered a colliding entity name and got an EV cert for it:

More recently, it has been shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.

All Ian had to do was spend $100 registering "Stripe Inc" in a different US state to the payment processor you'd normally associate the name with then another $77 on the EV cert and less than hour later, he had this newsworthy result:

Extended Validation Certificates are (Really, Really) Dead

He did this perfectly legally and in a fashion compliant with the baseline requirements yet shortly thereafter, Comodo CA (now Sectigo) revoked the certificate. They later apologised and blamed the decision on "A Comodo CA employee who is not a member of senior management". Apple knew this was a problem when they killed off the EV entity name last year:

Apple said that this changes was based on research and customer input. “Org name is not tied to users intended destination the same way that the domain name is”

So now I'm curious - how long will take the CAs selling EV to adjust their marketing to align with reality? For example, Sectigo is going to need to kill off most of their EV description:

Extended Validation Certificates are (Really, Really) Dead

Half their "visible trust indicators" go too which leaves them with an identical set of bullet points to DV:

Extended Validation Certificates are (Really, Really) Dead

But hey, you still get to put a logo on the page! 🤦‍♂️

Let's not just single out Sectigo though, DigiCert will also need to significantly revise their marketing paraphernalia:

Extended Validation Certificates are (Really, Really) Dead

I'm assuming the bit about brand refers to the entity name in EV as it doesn't appear against OV or DV on that page. Oh - and just for reference, DigiCert refused to issue Ian a certificate for Stripe due to "risk factors". What risk factors? Well...

It's time for re-sellers to clean up their act too, for example The SSL Store:

Extended Validation Certificates are (Really, Really) Dead

I chose to leave the entire browser window in this screen grab to highlight the irony of "The SSL Store" having an EV cert issued to "Rapid Web Services". Remember one of Apple's complaints - "Org name is not tied to users intended destination" - yeah...

Actually, The SSL Store provides many great opportunities for reflection on the EV craziness that was (it's pretty safe to use the past tense now). Their piece on how EV provides "tremendous value" is clearly now on the nose and is full of great zingers such as how important it is to be able to differentiate PayPal.com from FakePayPal.com. Why a great zinger? Because PayPal themselves decided that didn't matter back in September last year. And since that entire piece was in response to me writing about just how useless EV was even back then, let's pick it apart even further, for example:

The value of an EV certificate is clear. It is the ability to know more than your browser can assert through connecting to a hostname, parsing a certificate file, and verifying an encryption key.

Ouch - that didn't age well!

EV is now really, really dead. The claims that were made about it have been thoroughly debunked and the entire premise on which it was sold is about to disappear. So what does it mean for people who paid good money for EV certs that now won't look any different to DV? I know precisely what I'd do if I was sold something that didn't perform as advertised and became indistinguishable from free alternatives...

Catch a Ride Via Wearable

More often than not, commuters and travelers alike want to get to their destination quickly and easily. The advent of wearable payments helps make this a reality, as passengers don’t have to pull out a wallet or phone to pay for entry. Adding to that, users are quickly adopting wearable technology that has this payment technology embedded, causing transportation systems to take notice and adopt corresponding technology as a result. Unfortunately, there’s a chance this rapid adoption may catch the eye of cybercriminals as well.

Just last month, the New York City Subway system introduced turnstiles that open with a simple wave of a wearable, like an Apple Watch or Fitbit. Wearables may provide convenience and ease, but they also provide an open door to cybercriminals. With more connections to secure, there are more vectors for vulnerabilities and potential cyberthreats. This is especially the case with wearables, which often don’t have security built-in from the start.

App developers and manufacturers are hard-pressed to keep up with innovation, so security isn’t always top of mind, which puts user data at risk. As one of the most valuable things cybercriminals can get ahold of, the data stored on wearables can be used for a variety of purposes. These threats include phishing, gaining access to online accounts, or transferring money illegally. While the possibility of these threats looms, the adoption of wearables shows no sign of slowing down, with an estimated 1.1 billion in use by 2022. This means developers, manufacturers, and users need to work together in order to keep these handy gadgets secure and cybercriminals out.

Both consumers and transport systems need to be cautious of how wearables can be used to help, or hinder, us in the near future. Rest assured, even if cybercriminals utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape. In the meantime, consider these tips to stay secure while traveling to your destination:

  • Always keep your software and apps up-to-date.It’s a best practice to update software and apps when prompted to help fix vulnerabilities when they’re found.
  • Add an extra layer of security. Since wearables connect to smartphones, if it becomes infected, there is a good chance the connected smartphone will be impacted as well. Invest in comprehensive mobile security to apply to your mobile devices to stay secure while on-the-go.
  • Clear your data cache. As previously mentioned, wearables hold a lot of data. Be sure to clear your cache every so often to ensure it doesn’t fall into the wrong hands.
  • Avoid storing critical information. Social Security Numbers (SSN), bank account numbers, and addresses do not need to be stored on your wearable. And if you’re making an online purchase, do so on a laptop with a secure connection.
  • Connect to public Wi-Fi with caution. Cybercriminals can use unsecured public Wi-Fi as a foothold into a wearable. If you need to connect to public Wi-Fi, use a virtual private network, or VPN, to stay secure.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Catch a Ride Via Wearable appeared first on McAfee Blogs.

Businesses Beware: Top 5 Cyber Security Risks

Hackers are working hard to find new ways to get your data. It’s not surprising that cyber security risk is top of mind for every risk owner, in every industry. As the frequency and complexity of malicious attacks persistently grows, every company should recognize that they are susceptible to an attack at any time—whether it comes as an external focused attack, or a social engineering attack. Let’s take a look at the top 5 risks that every risk owner should be preparing for.

  1. Your Own Users. It is commonly known, in the security industry, that people are the weakest link in the security chain. Despite whatever protections you put in place from a technology or process/policy point of view, human error can cause an incident or a breach. Strong security awareness training is imperative, as well as very effective documented policies and procedures. Users should also be “audited” to ensure they understand and acknowledge their role in policy adherence. One area that is often overlooked is the creation of a safe environment, where a user can connect with a security expert on any issue they believe could be a problem, at any time. Your security team should encourage users to reach out. This creates an environment where users are encouraged to be part of your company’s detection and response. To quote the Homeland Security announcements you frequently hear in airports, “If you see something, say something!” The biggest threat to a user is social engineering—the act of coercing a user to do something that would expose sensitive information or a sensitive system.
  2. Phishing. Phishing ranks number three in both the 2018 Verizon Data Breach Investigation Report Top 20 action varieties in incidents and Top 20 action varieties in breaches. These statistics can be somewhat misleading. For example, the first item on the Top 20 action varieties in breaches list is the use of stolen credentials; number four is privilege abuse. What better way to execute both of those attacks than with a phishing scam. Phishing coerces a user through email to either click on a link, disguised as a legitimate business URL, or open an attachment that is disguised as a legitimate business document. When the user executes or opens either, bad things happen. Malware is downloaded on the system, or connectivity to a Command and Control server on the Internet is established. All of this is done using standard network communication and protocols, so the eco-system is none the wiser—unless sophisticated behavioral or AI capabilities are in place. What is the best form of defense here? 1.) Do not run your user systems with administrative rights. This allows any malicious code to execute at root level privilege, and 2.) Train, train, and re-train your users to recognize a phishing email, or more importantly, recognize an email that could be a phishing scam. Then ask the right security resources for help. The best mechanism for training is to run safe targeted phishing campaigns to verify user awareness either internally or with a third-party partner like Connection.
  3. Ignoring Security Patches. One of the most important functions any IT or IT Security Organization can perform is to establish a consistent and complete vulnerability management program. This includes the following key functions:
  • Select and manage a vulnerability scanning system to proactively test for flaws in IT systems and applications.
  • Create and manage a patch management program to guard against vulnerabilities.
  • Create a process to ensure patching is completed.

Most malicious software is created to target missing patches, especially Microsoft patches. We know that WannaCry and Petya, two devastating attacks, targeted systems that were missing Microsoft MS17-010. Eliminating the “low-hanging-fruit” from the attack strategy, by patching known and current vulnerabilities or flaws, significantly reduces the attack-plane for the risk owner.

  1. Partners. Companies spend a lot of time and energy on Information Security Programs to address external and internal infrastructures, exposed Web services, applications and services, policies, controls, user awareness, and behavior. But they ignore a significant attack vector, which is through a partner channel—whether it be a data center support provider or a supply chain partner. We know that high-profile breaches have been executed through third partner channels, Target being the most prominent.The Target breach was a classic supply chain attack, where they were compromised through one of their HVAC vendors. Company policies and controls must extend to all third-party partners that have electronic or physical access to the environment. Ensure your Information Security Program includes all third partner partners or supply chain sources that connect or visit your enterprise. The NIST Cyber Security Framework has a great assessment strategy, where you can evaluate your susceptibility to this often-overlooked risk.
  2. Data Security. In this day and age, data is the new currency. Malicious actors are scouring the Internet and Internet-exposed corporations to look for data that will make them money. The table below from the 2018 Ponemon Institute 2018 Cost of a Data Breach Report shows the cost of a company for a single record data breach.

Cost for a Single Record Data Breach

The Bottom Line

You can see that healthcare continues to be the most lucrative target for data theft, with $408 per record lost. Finance is nearly half this cost. Of course, we know the reason why this is so. A healthcare record has a tremendous amount of personal information, enabling the sale of more sensitive data elements, and in many cases, can be used to build bullet-proof identities for identity theft. The cost of a breach in the US, regardless of industry, averages $7.9 million per event. The cost of a single lost record in the US is $258.

I Can’t Stress It Enough

Data security should be the #1 priority for businesses of all sizes. To build a data protection strategy, your business needs to:

  • Define and document data security requirements
  • Classify and document sensitive data
  • Analyze security of data at rest, in process, and in motion
  • Pay attention to sensitive data like PII, ePHI, EMR, financial accounts, proprietary assets, and more
  • Identify and document data security risks and gaps
  • Execute a remediation strategy

Because it’s a difficult issue, many corporations do not address data security. Unless your business designed classification and data controls from day one, you are already well behind the power curve. Users create and have access to huge amounts of data, and data can exist anywhere—on premises, user laptops, mobile devices, and in the cloud. Data is the common denominator for security. It is the key thing that malicious actors want access to. It’s essential to heed this warning: Do Not Ignore Data Security! You must absolutely create a data security protection program, and implement the proper policies and controls to protect your most important crown jewels.

Cyber criminals are endlessly creative in finding new ways to access sensitive data. It is critical for companies to approach security seriously, with a dynamic program that takes multiple access points into account. While it may seem to be an added expense, the cost of doing nothing could be exponentially higher. So whether it’s working with your internal IT team, utilizing external consultants, or a mix of both, take steps now to assess your current situation and protect your business against a cyber attack. Stay on top of quickly evolving cyber threats. Reach out to one of our security experts today to close your businesses cyber security exposure gap!

The post Businesses Beware: Top 5 Cyber Security Risks appeared first on Connected.

October Is National Cyber Security Awareness Month: Be Part of Something Big

2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.

Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.

Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.

The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:



This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:






What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requries a high degree of diligence, which requires visibility. I did not see this emphasized in the NSRC presentation. For example:


These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhance monitoring for the networks discussed above, and think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced the with same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond, when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see, is that the individuals who make it their business to steal or disrupt your data, are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager. Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using he same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click of a phishing email malicious link, to potentially bring down and entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focus on those most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: Reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean, implementing the people, process, and technology in key security areas, to give you a fighting chance to detect, and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid–fire, high-availability, high-output world, and mistakes can and will be made. So make is less commonplace, train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again our high-powered technical, mobile, and social world often demands we run at warp speed.  Who has time to document? Well — make the time.  Good documentation to include process, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident.  It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

NCSAM, Week Five: Protecting Critical Infrastructure

It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.

The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.

The New Security Reality

It’s week 4 of National Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The New Security Reality appeared first on Connected.

Cyber Security Careers Are in High Demand

October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.

Read this next:

 

The post Cyber Security Careers Are in High Demand appeared first on Connected.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACKs—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets that make all private (encrypted) communication no longer private. Although the flaw requires the attacker to have close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this WiFi vulnerability affected your organization? Leave a comment bellow to share your experience and any additional advice you have for staying protected.

Read this next:

 

The post WPA2 Hacks and You appeared first on Connected.

Shut Down Unlikely Attack Vectors in Your Organization

As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.

For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.

That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.

That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.

So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.

Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.

The post Shut Down Unlikely Attack Vectors in Your Organization appeared first on Connected.