Category Archives: security

IP-in-IP flaw affects devices from Cisco and other vendors

A flaw in the IP-in-IP tunneling protocol that can be exploited for DoS attacks and to bypass security controls impacts devices from Cisco and other vendors.

A vulnerability that affects the IP-in-IP tunneling protocol (aka IP Encapsulation within IP) implemented by Cisco and other vendors could be exploited for denial-of-service (DoS) attacks and to bypass security controls.

IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows IP packets to be encapsulated inside other IP packets. The vulnerability, tracked as CVE-2020-10136, has been rated with a CVSS score of 8.6.

The issue can be abused by an unauthenticated attacker to unexpectedly route arbitrary network traffic through a vulnerable device.

“An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls,” reads the advisory published by the CERT Coordination Center (CERT/CC). “An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses. This unexpected Data Processing Error (CWE-19) by a vulnerable device can be abused to perform reflective DDoS and in certain scenarios used to bypass network access control lists.”

Cisco has already addressed the flaw by releasing security updates for its NX-OS software.

“A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass certain security boundaries or cause a denial of service (DoS) condition on an affected device.” states the advisory published by Cisco.

“The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device.”

An attacker could exploit the flaw by sending a crafted IP in IP packet to an affected device.

“Under certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition,” Cisco also explains.

The list of affected products includes:

According to Cisco’s advisory, the vulnerability also impacts devices that do not have an IP in IP tunnel interface configured. Cisco UCS Fabric Interconnects are affected only when NetFlow monitoring is enabled on the device and a flow exporter profile is configured with a source IP address set for the exporter interface. 
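To make the CERT/CC condition concrete from the defender's side, here is an added example (not code from the advisory or from any vendor) that parses the outer and inner IPv4 headers of captured packets and flags protocol-4 (IP-in-IP) traffic addressed to a local address whose outer source is not a configured tunnel peer, reporting where the inner packet would have been routed. The local addresses, peer list and sample capture are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # protocol number for "IP in IP" encapsulation (RFC 2003)


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 datagram (20-byte header, no options, checksum zeroed).
    Used here only to construct the sample packets for the detector below."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) or None if pkt is not a sane IPv4 datagram."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def classify_ipip(pkt, local_addrs, tunnel_peers):
    """Classify one outer packet as the device would see it.

    The CERT/CC condition is IP-in-IP accepted "from any source to any destination
    without explicit configuration": an outer packet with protocol 4, addressed to
    one of our local addresses, whose outer source is not a configured tunnel peer
    is the case to alert on. The inner destination shows where it would be routed.
    """
    outer = parse_ipv4(pkt)
    if outer is None:
        return "malformed", None
    src, dst, proto, payload = outer
    if proto != IPPROTO_IPIP:
        return "not-ipip", None
    if dst not in local_addrs:
        return "ipip-transit", None  # not addressed to us; ordinary forwarding
    inner = parse_ipv4(payload)
    if inner is None:
        return "ipip-bad-inner", {"outer_src": src}
    detail = {"outer_src": src, "outer_dst": dst,
              "inner_src": inner[0], "inner_dst": inner[1]}
    if src in tunnel_peers:
        return "ipip-expected", detail
    return "ipip-unexpected", detail


def scan(packets, local_addrs, tunnel_peers):
    """Run the classifier over a capture and return only the alert details."""
    alerts = []
    for pkt in packets:
        verdict, detail = classify_ipip(pkt, local_addrs, tunnel_peers)
        if verdict == "ipip-unexpected":
            alerts.append(detail)
    return alerts


# Constructed sample capture using documentation address ranges (not real traffic).
LOCAL = {"10.0.0.1"}
PEERS = {"10.0.0.2"}
INNER = build_ipv4("192.0.2.10", "192.0.2.20", 17, b"\x00" * 8)  # inner datagram
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.2", "10.0.0.1", IPPROTO_IPIP, INNER),     # configured peer: fine
    build_ipv4("203.0.113.7", "10.0.0.1", IPPROTO_IPIP, INNER),  # unknown source: alert
    build_ipv4("203.0.113.7", "10.0.0.1", 6, b"\x00" * 20),      # plain TCP: ignored
    build_ipv4("203.0.113.7", "10.0.0.9", IPPROTO_IPIP, INNER),  # not for us: transit
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS, LOCAL, PEERS):
        print("unexpected IP-in-IP:", alert)
```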

The following products are not affected:

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • MDS 9000 Series Multilayer Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • UCS 6400 Series Fabric Interconnects

According to the CERT/CC, products from Digi International, Hewlett Packard Enterprise, and Treck are also affected.

Proof-of-concept (PoC) code was published by the CERT/CC.

Pierluigi Paganini

(SecurityAffairs – IP-in-IP, cybersecurity)

The post IP-in-IP flaw affects devices from Cisco and other vendors appeared first on Security Affairs.

Apple fixes CVE-2020-9859 zero-day used in recent Unc0ver jailbreak

This week Apple released security patches to address the CVE-2020-9859 zero-day vulnerability that had been used to jailbreak iPhone devices.

Apple released security patches to address the CVE-2020-9859 zero-day vulnerability in the iOS kernel that had been used to jailbreak iPhones.

The flaw was discovered by a team of cyber-security researchers and hackers that also released a new jailbreak package dubbed Unc0ver (from the name of the team that devised it) that works on all recent iOS versions.

Jailbreaking an iOS mobile device removes the hardware restrictions implemented by Apple’s operating system. Jailbreaking gives users root access to the iOS file system and manager, which allows them to download and install applications and themes from third-party stores.

By default, Apple does not allow users to have full control over their iPhones and other iOS devices, citing security reasons.

The Unc0ver team released Unc0ver 5.0.0, the latest version of their jailbreak, which can root and unlock all iOS devices, even those running the latest iOS v13.5.

The jailbreak exploits the CVE-2020-9859 zero-day in the iOS operating system, which was discovered by Pwn20wnd, a member of the Unc0ver team, and which at the time had yet to be addressed by Apple.

Pwn20wnd states that #unc0ver v5.0.0 will be a big milestone for jailbreaking because it is the first zero-day jailbreak released since iOS 8 that was released in September 2014.

The Unc0ver team tested the jailbreak on iOS 11 through iOS 13.5; the software did not work on iOS versions 12.3 to 12.3.2 and 12.4.2 to 12.4.5.

What makes this jailbreak outstanding is that according to Pwn20wnd it doesn’t impact Apple’s iOS security features.

According to the CERT Coordination Center, the kernel vulnerability could allow a malicious application to achieve unsandboxed, kernel-level code execution and the jailbreak works on modern iOS devices that use a CPU that supports Pointer Authentication Code (PAC), which indicates that PAC does not prevent exploitation of this vulnerability.

Apple has now addressed the vulnerability and revealed that its root cause was a memory consumption issue.

Apple released iOS 13.5.1 and iPadOS 13.5.1 for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

The IT giant also released security updates for macOS High Sierra 10.13.6 and macOS Catalina 10.15.5 (macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003 High Sierra), Apple TV 4K and Apple TV HD (tvOS 13.4.6), and Apple Watch Series 1 and later (watchOS 6.2.6) to patch the vulnerability.

Pwn20wnd confirmed that iOS 13.5.1 addressed the vulnerability exploited by their jailbreak.

Pierluigi Paganini

(SecurityAffairs – Apple, jailbreak)

The post Apple fixes CVE-2020-9859 zero-day used in recent Unc0ver jailbreak appeared first on Security Affairs.

Umbrella with SecureX built-in: Coordinated Protection

This blog was written by David Gormley, Cloud Security Product Marketing Manager at Cisco.

Cybercriminals have been refining their strategies and tactics for over twenty years and attacks have been getting more sophisticated. A successful cyberattack often involves a multi-step, coordinated effort. Research on successful breaches shows that hackers are very thorough with the information they collect and the comprehensive plans they execute to understand the environment, gain access, infect, move laterally, escalate privileges and steal data.

An attack typically includes at least some of the following steps:

  • reconnaissance activities to find attractive targets
  • scanning for weaknesses that present a good entry point
  • stealing credentials
  • gaining access and privileges within the environment
  • accessing and exfiltrating data
  • hiding past actions and ongoing presence

This whole process is sometime called the “attack lifecycle” or “kill chain” and a successful attack requires a coordinated effort throughout the process. The steps above involve many different elements across the IT infrastructure including email, networks, authentication, endpoints, SaaS instances, multiple databases and applications. The attacker has the ability to plan in advance and use multiple tactics along the way to get to the next step.

Security teams have been busy over the past couple of decades as well.  They have been building a robust security practice consisting of tools and processes to track activities, provide alerts and help with the investigation of incidents.  This environment was built over time and new tools were added as different attack methods were developed. However, at the same time, the number of users, applications, infrastructure types, and devices has increased in quantity and diversity.  Networks have become decentralized as more applications and data have moved to the cloud. In most instances, the security environment now includes over 25 separate tools spanning on-prem and cloud deployments. Under these conditions, it’s difficult to coordinate all of the activities necessary to block threats and quickly identify and stop active attacks.

As a consequence, organizations are struggling to get the visibility they need across their IT environment and to maintain their expected level of effectiveness. They are spending too much time integrating separate products and trying to share data and not enough time quickly responding to business, infrastructure, and attacker changes.  The time has come for a more coordinated security approach that reduces the number of separate security tools and simplifies the process of protecting a modern IT environment.

Cisco Umbrella with SecureX can make your security processes more efficient by blocking more threats early in the attack process and simplifying the investigation and remediation steps. Umbrella handles over 200 billion internet requests per day and uses fine-tuned models to detect and block millions of threats. This “first-layer” of defense is critical because it minimizes the volume of malicious activity that makes its way deeper into your environment.  By doing this, Umbrella reduces the stress on your downstream security tools and your scarce security talent.  Umbrella includes DNS Security, a secure web gateway, cloud-delivered firewall, and cloud access security broker (CASB) functionality. But no one solution is going to stop all threats or provide the quickly adapting environment described above. You need to aggregate data from multiple security resources to get a coordinated view of what’s going on in your environment but can’t sink all your operating expenses into simply establishing and maintaining the integrations themselves.

That’s where Cisco SecureX comes in. Cisco SecureX connects the breadth of Cisco’s integrated security portfolio – including Umbrella– and your other security tools for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. Let’s explore some of the capabilities of SecureX, the Cisco security platform and discuss what they mean in the context of strengthening breach defense.

  • Visibility: Our SecureX platform provides visibility with one consolidated view of your entire security environment. The SecureX dashboard can be customized to view operational metrics alongside your threat activity feed and the latest threat intelligence. This allows you to save time that was otherwise spent switching consoles. With the Secure threat response feature, you can accelerate threat investigation and take corrective action in under two clicks.
  • Automation: You can increase the efficiency and precision of your existing security workflows via automation to advance your security maturity and stay ahead of an ever-changing threat landscape. SecureX pre-built, customizable playbooks enable you to automate workflows for phishing and threat hunting use cases. SecureX automation allows you to build your own workflows including collaboration and approval workflow elements to more effectively operate as a team.   It enables your teams to share context between SecOps, ITOps, and NetOps to harmonize security policies and drive stronger outcomes.
  • Integration: With SecureX, you can advance your security maturity by connecting your existing security infrastructure via out-of-the-box interoperability with third party solutions. In addition to the solution-level integrations we’ve already made available; new, broad, platform-level integrations have also been and continue to be developed. In short, you’re getting more functionality out of the box so that you can multiply your use cases and realize stronger outcomes.

Pre-built playbooks focus on common security use cases, and you can easily build your own using an intuitive, drag-and-drop interface. One example of the coordination between Umbrella and SecureX is in the area of phishing protection and investigation. Umbrella provides protection against a wide range of phishing attacks by blocking connections to known bad domains and URLs. SecureX extends this protection with a phishing investigation workflow that allows your users to forward suspicious email messages from their inbox. In addition, a dedicated inspection mailbox starts an automated investigation and enrichment process. This includes data from multiple solutions including Umbrella, email security, endpoint protection, threat response and malware analysis tools. Suspicious email messages are scraped for various artifacts and inspected in the Threat Grid sandbox. If malicious artifacts are identified, a coordinated response action, including approvals, is carried out automatically, in alignment with your regular operations process.

The SecureX platform is included with Cisco security solutions to advance the value of your investment. It connects Cisco’s integrated security portfolio, your other security tools and existing security infrastructure with out-of-the-box interoperability for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications.

Sign up to the SecureX waitlist at Cisco.com/go/SecureX so you can be first to receive sign-on instructions when it becomes generally available later in June.

The post Umbrella with SecureX built-in: Coordinated Protection appeared first on Cisco Blogs.

VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue

VMware has released an update to address a privilege escalation flaw in the macOS version of VMware Fusion that was introduced by a previous patch.

In March, VMware patched a high-severity privilege escalation vulnerability (CVE-2020-3950) in Fusion, Remote Console (VMRC) and Horizon Client for Mac.

CVE-2020-3950 is a privilege escalation vulnerability caused by the improper use of setuid binaries; it could be exploited by attackers to escalate privileges to root.

The flaw was reported by Jeffball of GRIMM and Rich Mirch. VMware assigned it a CVSSv3 base score of 7.3 and rated it as Important severity. The issue impacts the Fusion (11.x before 11.5.2), Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) macOS apps.

Mirch and Jeffball immediately noted that the patch issued by VMware was incomplete; VMware confirmed this a few days later and released a new patch at the end of March. Unfortunately, the new fix introduced a new security issue.

The vulnerability introduced by the second patch, tracked as CVE-2020-3957, is a time-of-check time-of-use (TOCTOU) issue that could allow attackers with low permissions to execute arbitrary code with root privileges.

Last week, the company released version 11.5.5 of Fusion, but fixes for VMRC and Horizon Client for Mac are still pending.

Pierluigi Paganini

(SecurityAffairs – Fusion, cybersecurity)

The post VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue appeared first on Security Affairs.

Analysing the (Alleged) Minneapolis Police Department “Hack”


The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today:

I was CC'd into a bunch of threads that were redistributing the alleged email addresses and passwords, most of them referring to a data breach (or "leak") of some kind allegedly perpetrated by "Anonymous". I've now seen several versions of the same set of email addresses and passwords albeit with different attribution up the top of the file. This is one of the more popular ones that links a hack of the MPD website to leaked credentials:


I've got a lot of "allegedly" and air quotes throughout this post because a lot of it is hard to substantiate, but certainly there's a lot of this sort of thing spreading online at the moment:

Just to be clear: there's not necessarily a direct link between whoever put the video above together and the data now doing the rounds, and attribution is tricky once you get a bunch of different people under different accounts and pseudonyms all flying the "Anonymous" banner. What I'm interested in is whether the data I referred to earlier is actually from the MPD or, as I speculated, from elsewhere:

So let's dig into it. There are 798 email addresses in the data set but only 689 unique ones. 87 of the email addresses appear multiple times, usually twice, but one of them 7 times over. I'll come back to the passwords associated with that account in a moment; what I will say for now is that it's extremely unusual to see the same email address with multiple different passwords in a legitimate data breach as most systems simply won't let an address register more than once.

Of the 689 unique email addresses, 654 of them are already in Have I Been Pwned. That's a hit rate of 95% which is massively higher than any all-new legitimate breach. If you have a browse through the HIBP Twitter account, you'll see the percentage of previously breached accounts next to each tweet and it's typically in the 60% to 80% range for services based in the US (lower rates for areas of the world that are underrepresented in HIBP, for example Indonesia and Japan).

Next up is the distribution of addresses across breaches and I'll share a couple of snippets from one of the tools I use to help attribute data such as this:


HIBP presently has a ratio of just over 2 breaches per email address in the system. However, what we're seeing here is a very high prevalence of each address appearing not just in 2 breaches, but in an average of 5.5 breaches. In other words, these accounts are breached way more than usual. When we look at which incidents they've been breached in, they're very heavily weighted towards data aggregators, with a couple of notable exceptions:


The People Data Labs breach is in the top spot and it's presently the 4th largest breach in HIBP. Verifications.io is the second largest and Anti Public the 6th largest. The conclusion I draw from this is that a huge amount of the data is coming from aggregated lists known to be in broad circulation. LinkedIn is a bit of an outlier here because whilst the data is in very broad circulation, it's not an aggregation of multiple sets but rather a single, discrete breach. Which brings me to the next tweet in my thread:

Two of the passwords in the data clearly tie it back to the LinkedIn breach, one literally being the word "LinkedIn" and the other an all lowercase version of that. It's difficult to imagine someone creating an MPD account with that password. Then again, people do stupid things with passwords (yes, even police officers) so it's possible. What's less likely is that a current day official police department system would allow an all lowercase 8-character password. Not convinced? The following passwords are also present:

  1. le (yes, with just 2 characters)
  2. 1603 (which looks like a PIN)
  3. password
  4. 123456

As with the LinkedIn passwords, it's possible these are from an official police system, but the likelihood is extremely low. So where could they be from? Let's run them all against Pwned Passwords and see.

There are 795 rows with passwords in the data. That's 3 less than the total number of email addresses as the first 3 lines are addresses only which is also a bit odd. Then again, those first 3 addresses are all @minneapolis.mn.us whereas all the other addresses are @ci.minneapolis.mn.us which feels more like a human error by whoever collated the list rather than the natural output of a dumped database. Of the passwords, 767 of them are distinct (that's a case sensitive distinct) with the dupes being passwords such as:

  1. goldie (4 occurrences)
  2. minneapolis (3 occurrences)
  3. 123456 (2 occurrences)

Frankly, the individual occurrences of those in the data set are quite low; it's the prevalence of the passwords in existing data breaches that's more interesting. Only 86 of the 795 total rows didn't return a hit, so in other words, 89% of them have been seen before. Not only seen before, but massively seen before - here's their prevalence in Pwned Passwords:

  1. 123456 (23,547,453 occurrences)
  2. qwerty (3,912,816 occurrences)
  3. password (3,730,471 occurrences)
  4. abc123 (2,855,057 occurrences)
  5. password1 (2,413,945 occurrences)
  6. sunshine (412,385 occurrences)
  7. shadow (343,769 occurrences)
  8. linkedin (291,385 occurrences)
  9. andrew (265,776 occurrences)
  10. joshua (262,771 occurrences)
  11. loveme (233,835 occurrences)
  12. freedom (221,713 occurrences)
  13. friends (218,341 occurrences)
  14. summer (214,360 occurrences)
  15. samantha (211,498 occurrences)
  16. maggie (211,290 occurrences)
  17. batman (206,795 occurrences)
  18. harley (197,503 occurrences)
  19. jasmine (192,023 occurrences)
  20. martin (188,772 occurrences)

I want to go back to the email address I mentioned earlier on, the same one that appeared 7 times over. That address appeared once with the alias precisely represented as the password, once with it almost precisely as the password, once with "mickey23", once with "mickey23mikmonkhou", once with "32yekcim" (try reversing it...), once with "mickey2" and once with a "mickey23" prefix followed by a string that created an email address at a college. Why so many times? Because the data has almost certainly been pulled out of existing data breaches in an attempt to falsely fabricate a new one:
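The checks walked through above (repeated addresses with different passwords, case-sensitive distinct passwords, and how many passwords have been seen before) can be reproduced on any such list. The following is an added example, not code from this post or from HIBP: it runs a constructed sample list through those checks and performs the Pwned Passwords lookup the way the k-anonymity range API works (only the first five hex characters of the SHA-1 are sent; the suffix match happens locally). The sample rows are made up, and the "breached" corpus is a small offline mock whose three counts are the figures quoted in the post.

```python
import hashlib
from collections import Counter

# Constructed sample rows in the "email:password" shape of the circulated list.
# Addresses and passwords here are made up; this is not the alleged MPD data.
SAMPLE_ROWS = [
    "alice@example.org:password",
    "alice@example.org:Sunshine1!",
    "bob@example.org:123456",
    "carol@example.org:Tr0ub4dor&3",
    "dave@example.org",             # address-only row, like the first 3 lines in the dump
    "eve@example.org:linkedin",
    "eve@example.org:LinkedIn",     # same address, different password: an aggregation tell
]

# Offline stand-in for the Pwned Passwords corpus so the example runs without network.
# The three counts are the figures quoted in the post; the corpus itself is a mock.
MOCK_BREACHED = {"123456": 23_547_453, "password": 3_730_471, "linkedin": 291_385}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_mock_ranges(breached):
    """Group SHA-1 suffixes by 5-char prefix, mimicking what a range query returns."""
    ranges = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


MOCK_RANGES = build_mock_ranges(MOCK_BREACHED)


def mock_fetch_range(prefix):
    """Offline replacement for an HTTPS GET of https://api.pwnedpasswords.com/range/{prefix}."""
    return MOCK_RANGES.get(prefix, [])


def pwned_count(password, fetch_range=mock_fetch_range):
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the client;
    the 35-char suffix is compared locally against the returned range lines."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def parse_rows(rows):
    """Split 'email:password' rows; rows without a colon are address-only."""
    records = []
    for raw in rows:
        raw = raw.strip()
        if not raw:
            continue
        email, sep, password = raw.partition(":")
        records.append((email.lower(), password if sep else None))
    return records


def analyse(rows, fetch_range=mock_fetch_range):
    """Reproduce the post's provenance checks: address repetition, distinct passwords,
    and how many passwords have already been seen in breaches."""
    records = parse_rows(rows)
    emails = Counter(email for email, _ in records)
    passwords = [pw for _, pw in records if pw is not None]
    hits = {pw: pwned_count(pw, fetch_range) for pw in set(passwords)}
    seen = sum(1 for pw in passwords if hits[pw] > 0)
    return {
        "rows": len(records),
        "unique_emails": len(emails),
        "repeated_emails": sum(1 for n in emails.values() if n > 1),
        "max_repeats": max(emails.values()) if emails else 0,
        "rows_with_password": len(passwords),
        "distinct_passwords": len(set(passwords)),  # case-sensitive, as in the post
        "seen_before": seen,
        "seen_before_pct": round(100 * seen / len(passwords)) if passwords else 0,
        "top_hits": sorted(((pw, n) for pw, n in hits.items() if n), key=lambda x: -x[1]),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```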

These may well be legitimate MPD email addresses and the passwords may well have been used along with those email addresses on other systems, but they almost certainly didn't come from an MPD system and aren't the result of the police department being "hacked".

And why is this happening? Because people are outraged at the situation in Minneapolis and they want this to be true:

I want to be really clear about something at this point: events in the US at present are tragic and people should damn well be angry. But anger shouldn't mean throwing logic and reason out the window and I cannot think of a time where fact-checking has ever been more important than now, not just because of the Minneapolis situation, but because so much of what we see online simply can't be trusted. So by all means, be angry, but don't spread disinformation and right now, all signs point to just that - the alleged Minneapolis Police Department "breach" is fake.

One last note: Please keep any commentary on this blog post focused on the data and don't let it descend into politics or emotional responses. This analysis is intended to be data-centric and cut through the FUD that so quickly spreads around highly emotive issues. Disinformation spreads very quickly online, especially so in situations like this where people get "caught up in the excitement".

ENISA published “Proactive detection – Measures and information sources” report

The EU Agency for Cybersecurity ENISA has published a new report on the proactive detection of incidents, including measures and information sources.

The EU Agency for Cybersecurity ENISA has published a new report and accompanying repository on measures and information sources that could help security experts and operators of IT and critical infrastructure to proactively detect network security incidents in the EU.

The document aims to evaluate methods, tools, activities and information sources for the proactive detection of network security incidents.

The proactive detection process aims to discover malicious activity conducted by threat actors, through internal monitoring tools or external sources that share information about detected incidents.

“The current project aims to provide a complete inventory of all available methods, tools, activities and information sources for proactive detection of network security incidents, which are used already or potentially could be used by incident response teams in Europe nowadays.” reads the report. “The current report evaluates available methods, tools, activities and information sources for proactive detection of network incidents.”


The EU agency launched this project to improve the detection of network security incidents in the EU, by:

  • Providing an inventory of available measures and information sources;
  • Identifying good practices;
  • Recommending possible areas for development.

This report identifies and analyzes how proactive detection in the EU evolved between 2011 and 2019. Among the goals of the project is the exploration of new areas that could help to improve operational cooperation and information sharing.

The deliverables of the project are three reports and a living repository hosted on GitHub.

“The objective is to offer a point of reference for new or well-established teams who need to identify or reassess appropriate measures for proactive detection of incidents.” continues the post published by ENISA.

1- Report – Survey results

  • Survey among incident response teams in Europe;
  • Comparison with the 2011 survey.

2- Report – Measures and information sources

  • Inventory of available methods, tools, activities and information sources;
  • Evaluation of identified measures and information sources.

3- Report – Good practices gap analysis recommendations

  • Analysis of the data gathered;
  • Recommendations.

4- Online repository – GitHub

  • Information sources;
  • Measures and tools.

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – ENISA, cybersecurity)

The post ENISA published “Proactive detection – Measures and information sources” report appeared first on Security Affairs.

API Security and Hackers: What’s the Need?

API Security – There is a considerable demand for data-centric projects, that is why companies have quickly opened their data to their ecosystem through REST or SOAP APIs.

APIs work as doors for a company – closely guarding data of an organization. However, there are some challenges created: how do we hold the doors open to the world while simultaneously sealing them off from hackers?

Here are the simple tips for API security, let’s have a look! 

Authentication

Don’t communicate with strangers. To increase the complexity of hacking your device, always get to know who is calling your APIs, by using a simple access authentication (user/password) or an API key (asymmetric key).

Encryption 

Just be cryptic. For internal or external correspondence nothing should be in the open.

You and your partners can cipher all TLS (the successor to SSL) transfers, be it one-way encryption (also called standard one-way TLS) or even better, shared encryption (two-way TLS).

Use the newest versions of TLS to block the use of weaker cipher suites.

Monitoring: Audit, Log, and Version 

In case of an error, you need to be ready to troubleshoot: audit and log relevant information on the server. Also, keep that history as long as it is reasonable in terms of capacity for your servers in production. In case of any accidents, you can convert your logs into debugging tools. Follow-up dashboards are also highly recommended resources for monitoring your API use.

Do not forget to add a version to all APIs, ideally in the API path, so that several versions can run concurrently and one version can be deprecated and removed in favour of another.

Call Security Experts

It is better to use ICAP (Internet Content Adaptation Protocol) servers or excellent Antivirus systems to protect the data of your company. 

Share as Little as Possible 

For API security, it’s okay to be paranoid and show very little information, particularly in error messages. Limit content and email subjects to predefined messages that are non-customizable. Since IP addresses can be mapped to locations, keep them to yourself. To limit access to your accounts, use IP whitelists and IP blacklists where possible. You can check your own IP address by simply searching “what is my IP”. Limit the number of administrators, divide access into distinct roles, and hide sensitive information in all your interfaces.

OAuth & OpenID Connect 

Delegate all responsibilities. A good manager takes accountability, and a fantastic API does so too. The authorization and/or authentication of your APIs should be delegated.

OAuth is a magical mechanism which prevents you from having to remember 10,000 passwords. Instead of creating an account on a website, you can connect via credentials from another provider, such as Facebook or Google. This works the same way for APIs: the API provider depends on a third-party server to handle permissions. The user does not supply their credentials but then gives the third-party server a token. This protects the user because they don’t reveal their passwords, and the provider of the API doesn’t need to worry about protecting data about the authorization, because it only collects tokens.

OAuth is a delegation protocol widely used to forward authorizations. You can add an identity layer on top of it to protect your APIs even further and add authentication: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.

System Protection with Throttling and Quotas 

Keep control. To protect your backend network bandwidth according to the capacity of your servers, you can restrict access to your service to a limited number of messages per second.

You can also limit access by the API and the user (or application) to make sure that no one, in particular, can misuse the program or any API.

Throttling thresholds and quotas, if well defined, are essential to prevent attacks from different sources overwhelming the network with numerous requests (distributed denial of service, DDoS).

OWASP top 10

Avoid wasps. The top 10 of the OWASP (Open Web Application Security Project) is a list of the ten worst vulnerabilities, measured by their exploitability and effect. In addition to the above, make sure that you have checked all of the bugs in OWASP to check the program.

Data Validation 

Be picky and refuse surprise presents, especially when they’re massive. You should verify everything your server accepts. Be vigilant: reject any unexpected added content and data that is too large, and test the information that customers give you. Use XML or JSON schema validation to verify that values are what they should be (integer, string …) to avoid XML bombs and SQL injection.
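The following added example (not code from the article) puts the data validation advice together with the earlier "share as little as possible" rule: a request body is checked for size, nesting depth, unknown fields and field types before use, and the caller only ever receives a generic error while the precise reason is logged server-side. The order schema, limits and endpoint are hypothetical and built on the standard library only.

```python
import json
import logging

log = logging.getLogger("api.validation")

MAX_BODY_BYTES = 4096   # reject oversize bodies before parsing them at all
MAX_DEPTH = 4           # bound nesting so deeply nested JSON cannot exhaust the parser
MAX_NOTE_LEN = 200

# Hypothetical schema for an order endpoint: field -> (expected type, required)
ORDER_SCHEMA = {
    "item_id": (int, True),
    "qty": (int, True),
    "note": (str, False),
}

GENERIC_ERROR = "invalid request"   # the only text that goes back to the caller


class ValidationError(Exception):
    """Carries the internal reason; it is logged, never returned to the client."""


def _depth(value, level=1):
    if isinstance(value, dict):
        return max([_depth(v, level + 1) for v in value.values()] or [level])
    if isinstance(value, list):
        return max([_depth(v, level + 1) for v in value] or [level])
    return level


def validate_order(body):
    """Return the validated dict or raise ValidationError with an internal-only detail."""
    if len(body) > MAX_BODY_BYTES:
        raise ValidationError(f"body too large: {len(body)} bytes")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValidationError(f"malformed json: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("top-level value is not an object")
    if _depth(data) > MAX_DEPTH:
        raise ValidationError("nesting too deep")
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for field, (ftype, required) in ORDER_SCHEMA.items():
        if field not in data:
            if required:
                raise ValidationError(f"missing field: {field}")
            continue
        value = data[field]
        # bool is a subclass of int in Python; do not let true/false pass as an integer
        if not isinstance(value, ftype) or isinstance(value, bool):
            raise ValidationError(f"field {field} has wrong type {type(value).__name__}")
    if data["qty"] <= 0:
        raise ValidationError("qty must be positive")
    if len(data.get("note", "")) > MAX_NOTE_LEN:
        raise ValidationError("note too long")
    return data


def handle(body):
    """Endpoint wrapper: log the precise reason server-side and return only a
    generic message and status to the client."""
    try:
        order = validate_order(body)
    except ValidationError as exc:
        log.warning("rejected request: %s", exc)
        return 400, {"error": GENERIC_ERROR}
    return 200, {"accepted": order}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle(b'{"item_id": 42, "qty": 3}'))
    print(handle(b'{"item_id": 42, "qty": 3, "admin": true}'))
```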

Infrastructure 

Stay up-to-date. To be stable and still benefit from the latest security updates, a good API should rely on a good security network, infrastructure and up-to-date applications (servers, load balancers).

API Firewalling 

Create a wall: building a wall will solve all the immigration issues, for some citizens. That is the case, at least, for APIs! The protection of your API should be divided into two levels:

  • DMZ is the first level, with an API firewall to perform simple protection measures, including checking message size, SQL injections, and any HTTP layer-based protection that blocks intruders early. The message is then forwarded to the second level.
  • The second level is LAN, with advanced data information protection mechanisms.

Set a Budget for Security Testing 

Security monitoring takes time and resources, and businesses need to make that investment. Although new functionality drives growth, security testing should be allocated about 5 percent to 10 percent of the budget. API use is growing and encouraging companies to build more diverse applications. Nonetheless, as they exploit these resources, companies need to be mindful of, and close, the possible security holes.

About the author: Waqas Baig

Waqas Baig is a Tech Writer having experience of 8 years in journalism, reporting and editing. In his spare time, he reads and writes about tech products including gadgets, smart watches, home security products and others. If you have story ideas, feel free to share here waqasbaigblog@gmail.com

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post API Security and Hackers: What’s the Need? appeared first on Security Affairs.

People Are The Strongest Link

Here’s a little preview of what you’ll find in Episode 6 of the Security Stories podcast.

If you’re looking for behind the scenes tales from some of the leading figures in cybersecurity, then you’re in the right place. If you’re looking for anecdotes from significant security events in the past, then you’re also in the right place. 

If you’re looking for advice on how to create the perfect TikTok video, well, you’re in the wrong place, but do stick around and see if you find anything interesting.

On today’s show we have a great interview with an altruistic Irishman who wears cool glasses and has a nice variety of white hats.

Nope, it’s not Bono, but we are lucky enough to have Brian Honan as our guest on this episode.

Brian is an internationally recognised expert on cybersecurity and data protection, but if you were to ask his young son what he did, the answer would be, “Dad catches hackers”.

In 2008 Brian founded Ireland’s first Computer Emergency Response Team. He’s also an adviser for Europol’s European Cybercrime Centre, and he runs his own independent security consultancy, BH Consulting, with a team based across the globe.

We cover a wide variety of topics during the interview, including the genesis of the Irish Emergency Response Team, running a company and managing a team, and why the cybersecurity industry needs more accountability.

A key part of our discussion is about people. For many years, people have been deemed “the weakest link” when it comes to security. Brian has an interesting take on why this isn’t the case. It’s really worth a listen.

Also in this episode is our regular “On This Day” feature. This is when my co-host Ben and I jump into the DeLorean and visit a significant cybersecurity event in the past.

This time we’re travelling back to the year 2000, which is when the “ILOVEYOU” worm, or the “Love Bug”, or indeed the “Love letter for you” cyber attack, ended up infecting over 10 million personal Windows computers. Discover the unique story behind this attack, and the additional part of the story, which happened only a few days ago.

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from!

Listen to previous episodes of the Security Stories podcast right here

The post People Are The Strongest Link appeared first on Cisco Blogs.

3 reasons why Cisco Stealthwatch is the Michael Jordan of Network Traffic Analysis tools

The Last Dance, a 10-part docuseries about the historic career of NBA legend Michael Jordan, came to an end recently. I was glued to my TV watching, and re-watching, these captivating hour-long episodes. It was chock full of uncut, never-before-seen footage that had sports fans around the world hooked. As a millennial who did not get the privilege of living through the Jordan-dominant era of the 90’s, I had accepted that Michael Jordan was the greatest of all time, but did I really believe it? I didn’t get to witness him firsthand, so probably not.

I am here to tell you how foolish that was. MJ was different.

The most striking thing about MJ was that he could do it all. His speed and athleticism at his size was something the NBA had never witnessed. The sport was dominated by one-trick ponies, one-dimensional big men who could stand at the rim and score. MJ would out-smart you, out-score you and out-work you. Mike also became a better player in his later years. The young athlete stunned crowds during his first year out of UNC (the alma mater of our very own Chuck Robbins) and continued this success all the way through to his final years in the NBA. Like a fine wine, MJ got better with age, so much so that he won an MVP award at age 35! The last part of MJ’s game that struck me was his fearless lockdown defense, both on the perimeter and at the rim. Nothing got past Mike.

Source: ESG Master Survey Results, The Threat Detection and Response Landscape, April 2019

As the series came to an end, I couldn’t help but think: Cisco Stealthwatch is a lot like Michael Jordan. Here are 3 reasons why:

Just like Mike, Stealthwatch can do it all.

Cisco Stealthwatch is a Network Traffic Analysis (NTA) tool that looks at your network telemetry to deliver alerts, saving your organization time and resources. Stealthwatch is available in various deployment models that allow protection for all kinds of workloads – on-prem infrastructure, your data centers, switches and routers. In addition to an on-prem deployment as a hardware or virtual appliance, Stealthwatch is also available as a SaaS delivered model that can be deployed for both private network monitoring and public cloud monitoring. It can even ingest telemetry that is native to various public cloud platforms like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). No matter what your network looks like, Stealthwatch has a solution for you.

I also noticed that Mike kept getting better. He learned about his opponents, found their weak points and exploited those weaknesses. He tuned his own game to those around him and got better each and every day. Stealthwatch is no different.

Stealthwatch gets better over time with dynamic entity modeling

Stealthwatch is constantly learning. Stealthwatch uses a process called dynamic entity modeling to learn about your resources and classify them into various roles, groups and more. After deployment, the solution learns over the course of a few days what is happening on your network. It establishes a baseline for “normal” behavior, and triggers alerts to notify users of anomalies. Stealthwatch also uses Talos, the largest non-governmental threat intelligence organization in the world, to enhance its threat detections. Network telemetry is correlated with the global risk map from Talos, a database full of known Indicators of Compromise (IoCs), different types of malware, open TOR doorways and more. This allows Stealthwatch to generate high-fidelity actionable alerts that allow your SOC team to focus on other tasks. In summary, Stealthwatch is more effective over time. Just like Mike.

Perhaps the most effective part of MJ’s game was his defense. During his illustrious NBA career, MJ earned one Defensive Player of the Year award, a tough feat to achieve for a player of his stature. He stopped players at the perimeter before they became a problem. He played bigger than his position and bodied larger defenders trying to exploit him in the paint. Stealthwatch can do all of this, but better.

Stealthwatch provides end-to-end threat detection

Stealthwatch is an ideal tool for users who need to monitor various capacities of traffic in their networks. It can be used as a threat hunting system to detect malware and malicious activity before it becomes a breach. It can also be used to monitor east-west traffic to ensure compliance and generate alerts for potential port scanning, data exfiltration and more. In its public cloud deployment model, it can monitor unique cloud data such as VPC and NSG flow logs and keep your cloud workloads secure. Both Stealthwatch models can even detect threats in encrypted traffic.

Stealthwatch is the Michael Jordan of the Network Traffic Analysis market. Its end-to-end visibility, behavior-based machine learning over time, and ability to cover all of your on-prem and cloud assets make it the premier NTA tool.

Sign up today for a 2-week visibility assessment, or check out our SaaS-based 60 day free trial

The post 3 reasons why Cisco Stealthwatch is the Michael Jordan of Network Traffic Analysis tools appeared first on Cisco Blogs.

This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia’s most advanced cyber-espionage units.

Read on:

How the Cybercriminal Underground Has Changed in 5 Years

Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shadowserver, an Internet Guardian, Finds a Lifeline

In March, internet security group Shadowserver learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. 

#LetsTalkSecurity: No Trust for the Wicked 

This week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Principles of a Cloud Migration – Security W5H – The HOW

Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time – security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud.

What’s Trending on the Underground Market?

Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals. Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities.

Is Cloud Computing Any Safer from Malicious Hackers?

Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out.

Smart Yet Flawed: IoT Device Vulnerabilities Explained

The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the “things” in the internet of things (IoT) benefits homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. For now, it is better to be cautious and understand that “smart” can also mean vulnerable to threats.

Cyberattacks Against Hospitals Must Stop, Says Red Cross

Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic – and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others.

Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code

Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management. Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers.

Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652

Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners.

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time

A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking — the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely.

Qakbot Resurges, Spreads through VBS Files

Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro’s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April.

CSO Insights: SBV’s Ian Keller on the Challenges and Opportunities of Working Remotely

The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward.

NSA Warns of New Sandworm Attacks on Email Servers

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia’s most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Forward-Looking Security Analysis of Smart Factories <Part 2> Security Risks of Industrial Application Stores

In the second part of this five-part column series, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially applicable for architects, engineers, and developers who are involved in smart factory technology.

Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology

This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective.

21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac

If you brought a Mac home from the office, it’s likely already set up to meet your company’s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac.

Surprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers appeared first on .

NSA warns Russia-linked APT group is exploiting Exim flaw since 2019

The U.S. NSA warns that the Russia-linked APT group known as Sandworm Team has been exploiting a critical flaw in the Exim mail transfer agent (MTA).

The U.S. National Security Agency (NSA) is warning that the Russia-linked APT group tracked as Sandworm Team has been exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA) software since at least August 2019.

The CVE-2019-10149 flaw, aka “The Return of the WIZard,” affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The issue could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The flaw resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

“Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August.” reads the advisory published by the NSA. “The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

“NSA adds its encouragement to immediately patch to mitigate against this still current threat.”

GRU Main Center for Special Technologies (GTsST) hackers of 

Hackers belonging to Unit 74455, under the Russian GRU Main Center for Special Technologies (GTsST), are exploiting the Exim issue even though an update fixing it was issued in June 2019.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.” states the advisory.

Below is a sample “MAIL FROM” exploitation command published by the NSA:

Russian state-sponsored hackers leverage the vulnerability to download a shell script from a domain under their control and use it to “add privileged users, disable network security settings, update SSH configurations to enable additional remote access, execute an additional script to enable follow-on exploitation.”

NSA recommends patching Exim servers immediately by installing version 4.93 or newer.

“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available.” concludes NSA. “Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version from https://exim.org/mirrors.html.”

NSA’s advisory also includes Indicators of Compromise and instructions on how to detect exploit attempts and unauthorized changes.
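As an added example (not from the NSA advisory or the article), this Python helper applies the version figures quoted above, the 4.87 to 4.91 range affected by CVE-2019-10149 and the recommended minimum of 4.93, to an inventory of Exim version strings so an administrator can triage which hosts still need updating. The hostnames and banners are constructed.

```python
import re

# Figures from the article: CVE-2019-10149 affects Exim 4.87 through 4.91;
# the NSA advisory says to install 4.93 or newer.
VULNERABLE_MIN, VULNERABLE_MAX = (4, 87), (4, 91)
RECOMMENDED_MIN = (4, 93)

# Matches both `exim -bV` output ("Exim version 4.91 #1 built ...") and a default
# SMTP greeting that reveals the version ("220 host ESMTP Exim 4.91 ...").
VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)")


def parse_exim_version(text: str):
    """Return (major, minor) from an Exim version string, or None if none is found."""
    match = VERSION_RE.search(text)
    return (int(match.group(1)), int(match.group(2))) if match else None


def assess(version):
    """Classify a parsed version against the ranges in the advisory."""
    if version is None:
        return "unknown"
    if VULNERABLE_MIN <= version <= VULNERABLE_MAX:
        return "vulnerable"     # in the CVE-2019-10149 range: patch to 4.93 or newer now
    if version < RECOMMENDED_MIN:
        return "outdated"       # outside that range, but older than the version NSA recommends
    return "ok"


def triage(inventory: dict) -> dict:
    """Map host -> status for a {host: version_text} inventory collected by the admin.

    Caveat: distributions backport security fixes without bumping the upstream version,
    so a host reported here as "vulnerable" may actually carry a patched 4.8x package;
    confirm against the distribution's package changelog before acting on the result.
    """
    return {host: assess(parse_exim_version(text)) for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for the demo; the strings follow the formats Exim prints.
    demo = {
        "mx1.example.test": "Exim version 4.91 #1 built 17-Feb-2020 12:15:00",
        "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.93 Tue, 02 Jun 2020 10:00:00 +0000",
        "mx3.example.test": "Exim version 4.92 #3 built 02-Nov-2019 11:33:58",
        "relay.example.test": "220 relay.example.test ESMTP Postfix",
    }
    for host, status in triage(demo).items():
        print(f"{host:22} {status}")
```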

Unfortunately, the number of vulnerable Exim installs exposed online is still high; querying Shodan for installs exposed online we can find more than 2,481,000 servers, with more than 2,400,000 servers running the patched Exim 4.93 release.

Pierluigi Paganini


The post NSA warns Russia-linked APT group is exploiting Exim flaw since 2019 appeared first on Security Affairs.

The Benefits, and Potential Challenges of, Cloud Email Platforms

Welcome to the second installment of our look into the future of the email security market! In our previous entry, we looked at the continued relevance of the Secure Email Gateway (SEG) and discussed how Cisco’s Cloud Email Security (CES) provides our customers with versatile and comprehensive configuration and security options. This time, we’ll be exploring the simplicity and appeal of emerging cloud email security technologies.

The simplification of anything is always sensational. This was true when noted British philosopher Gilbert Chesterton wrote it in 1903, and a little over a century later it still rings true today. Now it’s cloud technologies that offer a way to sensationally simplify the administration and operation of key business technologies. Beyond the office applications we all use on a daily basis, it is now a viable option for administrators to move keystone technologies such as their Identity and Access services (Active Directory and LDAP) or their email server (Exchange) to the cloud.

This allows your administrators to leverage the scale, resilience, and upgradability inherent in cloud architectures to simplify their operational practices and maximize their use of expensive skills and resources on higher-value activities. After all, it’s far more effective for your email administrator to focus on the email policies that are unique to your business instead of worrying about the availability and scale of your Exchange server — never mind the nightmare of applying the latest and greatest security patches!

However sensational this is, simply moving your Exchange server to Office 365 (O365) does not mean that all the concerns of the past are gone. Email continues to hold its title as the number one threat vector. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) recently announced that between January 2014 and October 2019, they had received complaints totaling over $2.1 billion in actual losses from Business Email Compromise (BEC) scams targeting Microsoft Office 365 and Google G Suite. BEC, also known as Email Account Compromise (EAC), is a form of fraud in which criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds from a business to a fictitious supplier. The cybercriminals behind this invest in developing and designing phishing kits that target these cloud platforms, and in the words of the FBI “particularly Office 365 given its dominant market share.”

So, what can be done?

Put simply, the base security in Office 365 needs some augmentation. Microsoft offers several options to enhance the base security of the product via additional Advanced Threat Protection (ATP) 1 or 2 plans, or the Enterprise E5 offer. These add additional security around areas such as Safe Attachments, Safe Links/URLs, Phishing Protection as well as reporting and visibility options. The very existence of these products from Microsoft points to the need for customers to consider their security and how best to adjust that security to fit their specific needs. Naturally, there are options available from other vendors, including Cisco, to help address this need!

In this era of APIs, Microsoft has built Office 365 from the ground up with cloud capabilities like the Graph API that allow for the enrichment of native functionality. In fact, Gartner recently created a market category to track these solutions, which they’ve dubbed the Cloud Email Security Supplements (CESS) market segment. Moreover, Gartner also recommends a CESS to address gaps in the advanced threat capabilities of existing solutions. In our next blog, we will be examining in more detail what supplementary security is and the problems it addresses.

If you would like to learn more about how Cisco Cloud Email Security can improve your approach to cloud email security, be sure to check out the following:

Top Three Reasons Office 365 Customers Choose Cisco Email Security

Your Complete Office 365 Cloud Email Guide

Email Security Buyer’s Guide

The post The Benefits, and Potential Challenges of, Cloud Email Platforms appeared first on Cisco Blogs.

The New Era of Business Continuity – What does it mean today?

Businesses were already undergoing hugely impactful changes as employees were increasingly working outside the office, and applications were rapidly expanding to the cloud. This transformation has recently accelerated on a massive scale – with the exodus of employees out of the office and into their homes, and a subsequent rush to push many more applications into the cloud to help facilitate a seamless remote worker experience.

In light of this, the term ‘business continuity’ has taken on a whole new meaning. We must still aim to minimize downtime in the event of an incident, but we must now do so with our workforce largely outside of the traditional confines of the office.

Business continuity now extends beyond just keeping the business running to preserving your employees’ ability to be productive no matter where they are and what they are doing. And of course, making sure their devices, applications, data, and your network remain secure in the process.

Expanding support for customers

As a leader in both networking and security, Cisco has been able to provide a significant amount of support for our customers over the past several months. For example, we quickly expanded our free Webex offerings and increased usage counts for existing customers at no extra charge.

But of course, with rising IT demands comes a greater need for security. The new normal of working from home has opened us up to many new cybersecurity concerns. So we are also offering extended free trials and expanded usage counts for several of our security technologies to help organizations safeguard their infrastructure during these unprecedented times.

Our recent work in provisioning customers to meet these new challenges has culminated in the creation of the Cisco Secure Remote Worker solution. Cisco Secure Remote Worker consists of four integrated technologies that protect your users on any device, wherever and whenever they choose to work.

Together, Cisco AnyConnect, Cisco Duo, Cisco Umbrella, and Cisco AMP for Endpoints enable organizations to: 1) grant secure access to the network, 2) verify users trying to connect to corporate applications, and 3) defend against threats across multiple devices. Today I will focus on two critical components of the Cisco Secure Remote Worker solution – secure access with Cisco AnyConnect and multi-factor authentication with Cisco Duo.

Enabling secure network access with VPN

A virtual private network (VPN) uses encryption to securely connect employees to corporate resources over public networks. The Cisco AnyConnect VPN authenticates the user trying to access the network and can assess a device’s security posture before allowing a connection.

Although it’s often viewed as a legacy security technology, the VPN is once again top of mind as organizations scramble to accommodate new remote connectivity challenges. The increased demand for network access, coupled with the complexity of delivering consistent security everywhere it’s needed, is forcing organizations to look differently at their VPN implementation. Cisco AnyConnect goes way beyond just the basic VPN functionality to serve as a vital component of an enterprise security strategy.

Cisco AnyConnect empowers remote workers with frictionless, highly secure access to the enterprise network at any time, with any device, from any location. The AnyConnect Secure Mobility Client not only provides VPN access, but also offers enhanced security through various built-in modules, including:

  • Endpoint posture and compliance checks
  • Web security to block users from accessing risky websites
  • Visibility into endpoint flows
  • Off-network roaming protection with Cisco Umbrella

Additionally, Cisco AnyConnect integrates with other technologies such as Cisco AMP for Endpoints to provide comprehensive threat protection. A complete, secure access solution like Cisco AnyConnect can go a long way in ensuring business continuity.

Bolstering security with MFA

A second critical component for business continuity today is multi-factor authentication (MFA). For optimum security, VPN and MFA should go hand in hand. We were surprised to find in our recent CISO Benchmark Study that only 27% of respondents are currently using MFA to secure their environments.

Multi-factor authentication can protect your applications by using a second factor to verify user identity before granting access. It is especially important to use if organizations have implemented single sign-on options for employees.

You can extend your business continuity and security by using the Cisco Duo MFA solution to verify users trying to connect to your environment. Duo provides an easy way for authorized users to connect using a second validation factor such as their smartphone. It can also inspect the security of the devices accessing your resources.

Layering strong MFA on top of a VPN defends against credential theft, reduces the risk of a data breach, and helps organizations meet regulatory compliance requirements. According to Tristan Hammond, IT infrastructure manager at online retailer Threadless, “Our overall experience with Duo has been extremely easy – that’s not something that always happens in the technology world.”

MFA is a key component of a zero-trust security model. It becomes even more crucial as more applications move into the cloud, since it can provide consistent, secure access across both on-premises and cloud applications.

Integration for streamlined security

Another benefit of Cisco AnyConnect and Cisco Duo is that they are integrated with each other, and with many other Cisco and third-party offerings, through our Cisco SecureX platform. Cisco SecureX makes our technologies stronger by allowing them to share intelligence and work together to provide greater visibility, threat protection, and security automation. This is critical since 42% of respondents in our 2020 CISO Benchmark Study said they are suffering from cybersecurity fatigue.

Keep your business on track

Business continuity means many things now, but having strong solutions for secure access can make a big difference in putting you on the right path to preserving the integrity and vitality of your business. Visit our business continuity and remote worker planning sites for further information on how to keep your business secure during difficult times.

For more information

Read more about our Cisco Secure Remote Worker solution

Discover how Cisco is enabling business continuity for its own employees

Learn how Cisco is scaling its own VPN infrastructure

Register for the free Cisco Live 2020 digital event

The post The New Era of Business Continuity – What does it mean today? appeared first on Cisco Blogs.

Cisco is Building a Bridge to Secure Access Service Edge

By Jeff Reed, SVP of Product, Security Business Group
In partnership with Scott Harrell, SVP/GM of Cisco Intent-Based Networking Group

As leaders of Cisco’s Networking and Security organizations for the last eight years, Scott Harrell and I have had the opportunity to oversee many innovative developments from our dual perspectives. In fact, each of us has had the other’s role, which provides us with unique views into the future of secure networking. Recently we had the opportunity to rethink how networks and security will become even more intricately intertwined as organizations change the way they connect their distributed workforce to applications and data resources.  

The main macro-trend we considered is the transition to multi-cloud, resulting in data and applications that are literally located everywhere. In parallel, an increasingly distributed workforce requires secure access to applications with optimal performance. The rapid adoption of SD-WAN for connecting to multi-cloud applications provides enterprises with the opportunity to rethink how access and security are managed from campus to cloud to edge. With 60% of organizations expecting the majority of applications to be in the cloud by 2021 and over 50% of the workforce to be operating remotely, new networking and security models, such as Gartner’s Secure Access Service Edge (SASE), provide a vision for managing the new normal.  

The Journey to SASE

Gartner’s concept of Secure Access Service Edge provides the ability to identify end users, devices, IoT/OT systems, and edge computing locations and provide direct and secure access to applications hosted anywhere, including data centers and cloud-based services. Specifically, Gartner says that SASE “…is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.”*

The goal of SASE is to provide secure access to applications and data from your data center or cloud platforms like Azure, AWS, Google Cloud, and SaaS providers based on identities—specific individuals, groups of people at certain office locations, devices, IoT, even services. Service edge refers to global point of presence (PoP), IaaS, or colocation facilities where local traffic from branches and endpoints is secured and forwarded to the appropriate destination without first traveling to data center focal points. By delivering security and networking services together from the cloud, organizations will be able to securely connect any user or device to any application with the best experience.

Gartner considers SASE to be a vision of a future secure networking model for enterprises to strive for—it’s not currently a reality from any vendor. Cisco has been moving down this path for several years through key acquisitions in networking (Meraki, Viptela) and security (OpenDNS, CloudLock, Duo) as well as many internally developed innovations. Today, SASE is best represented by the convergence of cloud-managed SD-WAN and cloud-delivered security, two foundational capabilities that Cisco has developed extensively.

Today, more than 20,000 organizations have begun the journey to SASE by deploying Cisco SD-WAN and more than 22,000 have deployed Cisco Umbrella’s cloud security services.  

Challenges to Realizing SASE

Moving to a SASE model will be a gradual process as enterprise IT rethinks how to connect a remote workforce to the distributed information resources they need. Flexibility will be fundamental as IT chooses among multiple security and networking capabilities that best fit their operations, regulatory requirements, and types of applications. Security services can be predominately delivered from the cloud to provide consistent access policies across all types of endpoints. However, globally-distributed organizations may need to apply security and routing services differently according to regional requirements.

Beyond the architectural choices that enterprises will need to make, IT needs to consider how to streamline procurement of security and networking services. Today these technologies typically have separate buying cycles, which may slow SASE adoption. Secondly, licensing structures are different for networking, which are typically throughput-based, versus security services, which are based on protecting a wide variety of users and endpoints. As IT strives to move from on-premise towards a hybrid or cloud-first approach, there will be an increasing demand for “as-a-service” consumption models that offer more flexibility for procurement.

Between Networking, Security, and Zero Trust Network Access, Cisco is Building a Bridge

Cisco has many of the SASE capabilities already in place, with additional integration among current solution sets well underway.

Networking: Cisco SD-WAN is a cloud-delivered overlay WAN architecture with application optimization to deliver predictable application performance in multi-cloud environments. A full security stack is built in, and offers firewall, IPS/IDS, AMP and URL Filtering. Analytics and Assurance deliver the visibility and insights over any type of connectivity to deliver the best experience.

Cloud Security: Cisco Umbrella unifies secure web gateway (SWG), DNS-layer security, firewall, and cloud access security broker (CASB) functionality in one a single integrated cloud-native platform. Built as a micro-services-based architecture with dozens of points of presence around the world, Umbrella provides the scale and reliability needed to secure today’s remote workforce. Powered by threat intelligence from Cisco Talos, the largest non-governmental threat research team in the world, Umbrella was recently ranked #1 in the industry for security efficacy.

Zero Trust Network Access: To verify identity and protect access to resources, Cisco’s Duo and Software-Defined Access (SD-Access) enable a zero trust network access architecture to be extended anywhere people work. Duo provides protection for your workforce, while SD-Access protects your workplace. Ultimately, IT is less concerned about where the security functions are implemented and can focus more on the policies that they need to enable throughout the enterprise.

Foundational capabilities of this SASE model include an API-based, programmable architecture that provides flexibility to encompass many types of enterprise use cases, including support for third-party ecosystem partners.

Crossing the Bridge to SASE

Moving to a SASE model will be a gradual process as enterprise IT rethinks how to connect a remote workforce to the distributed information resources they need. Flexibility will be fundamental as IT chooses among multiple security and networking capabilities to best fit their operations, regulatory requirements, and types of applications. The bridge that enterprises choose to evolve their infrastructure to a SASE model should be structured on a cloud-native, micro-services architecture. Achieving the benefits of SASE will be more difficult to achieve if existing on-premises technology is merely shifted to virtual machines running as cloud services. Cloud security and networking services will only become more critical as enterprises cross the bridge to employ Secure Access Service Edge networking to solve disruptive information management challenges.

To learn more about how Cisco is enabling organizations to build a bridge to the SASE networking and security model, you’ll want to attend Cisco Live! June 2 – 3, 2020. To date, there are already over 80,000 registered attendees for Cisco Live! You won’t want to miss this virtual event from the comfort of your office. Register today at https://www.ciscolive.com/us.html.

*Source: Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, et al., 30 August 2019.

The post Cisco is Building a Bridge to Secure Access Service Edge appeared first on Cisco Blogs.

Remote work and the threat landscape

Last month, after the dust had settled from the move from office to remote work, we took a look at ways you could improve your security posture. In it, we discussed how you can shore up older and personal devices now being used for work tasks, how to reduce your security footprint with company-sanctioned software, and ways to ensure that connections back into the company network are secure.

This month, we decided to take a look at some of the trends we’ve seen in the shifting threat landscape, including attackers who are adapting their techniques to take advantage of new opportunities. When you understand what they’re doing, it’s easier to mount a better defense against new trends in the threat landscape.

The great migration  

Before diving into what attackers are up to, let’s take a look at just how significant the shift to remote work has been. To do this, we took a look at traffic running through Cisco Umbrella’s DNS servers to see where it was coming from, giving us a snapshot of internet activity. In particular, we looked at distinct IP addresses, sorting them into remote and office groupings. The following chart shows the trend for the total number of IP addresses known to be remote each week.

Figure 1 Volume of remote workers seen in Umbrella DNS traffic

In mid-March, we can see a marked increase in remote connections. While it’s interesting to note an inverse correlation between office-based connections to Umbrella (declining) and remote connections (increasing), even more interesting is by how much remote connections increased.  

Comparing the first and last weeks of March, the number of remote workers had effectively doubled. This means that IT teams have been dealing with setting up a lot of remote workers.  This can potentially spread resources thin and, given the number of new remote connections, requires attention to look out for threats in this expanded environment. (Note: new Umbrella customers who have recently signed up to our Umbrella trial have been filtered out in the above chart.) 

A topical shift in spam 

It’s not news that spammers leverage the latest big stories in their emails in order to help spread their wares. The pandemic has been no exception. As reported by Talos on a number of occasions, threat actors have used it in a wide variety of malicious campaigns.

Some campaigns have sent out malicious emails that appear to share government information on the pandemic, while others claim to contain information regarding government stimulus payments. This shift to pandemic-related campaigns is so pronounced that malicious spam campaigns focusing on package delivery have pivoted to claim that deliveries have been postponed due to the pandemic:

Figure 2 Package delivery spam with pandemic theme

What’s interesting is not just the variety of email scams and tricks being peddled on the threat landscape, but the volume of pandemic-related spam campaigns. To determine just how much spam contained pandemic-based themes, Talos looked at distinct emails sent out that contained the terms “pandemic,” “COVID-19,” and “corona.” 

Figure 3 Percent of observed emails tracked by Talos containing pandemic themes

While emails containing these key words first began to grow in early February, there is a clear increase in mid-March, when the pandemic was constantly in the headlines and coinciding with the migration to remote work discussed above. At its peak, more than 20 percent of all email observed by Talos referenced the pandemic. (Note: the regular dips in the chart coincide with weekends. It’s also worth noting that a portion of ham or marketing emails were also mentioning the pandemic during this time.) 

Malicious domains 

In early April, researchers from Umbrella took a look at the increase in malicious domains that bad actors were leveraging to carry out attacks. According to Umbrella researchers, on March 19th, enterprise customers connected to 47,059 domains that contain “covid or corona” in the name. Of these, four percent were blocked as malicious.

We decided to revisit this data to see what has happened two months later. By May 19th, this number had increased to 71,286 domains, where 34 percent of them were blocked as malicious.

Figure 4 Percentage of pandemic-related domains flagged as malicious

Despite this being a marked increase from March, late April appears to be the point where the most malicious activity took place. During this time the percentage of domains blocked as malicious frequently crossed 50 percent, even peaking as high as 75 percent. While this declined in early May, the percentage of malicious domains regularly sat between 30-40 percent in mid- to late-May.  

Protect against the trends 

Overall, bad actors have upped their activity with pandemic-related themes surrounding malicious spam and domains. The good news is that the systems required to protect your organization from these security risks haven’t shifted much.

For starters, Cisco Umbrella’s cloud-based services can protect users from malicious internet destinations. The malicious domains that have been registered in the last few months are all flagged as malicious within Umbrella’s DNS infrastructure, preventing users with your organizations from connecting to them and becoming compromised. 

Similarly, Cisco Email Security is well equipped to identify and filter the influx of pandemic-related spam aimed at your users’ inboxes. The advanced phishing protections and machine learning capabilities within can quickly identify these malicious spam campaigns, not just by the topic, but by understanding and authenticating email identities and behavioral relationships, filtering out spam emails and preventing attacks.

Also, as we discussed last month, Cisco has expanded and extended trial offerings on a number of security products. Umbrella has one such offering, as does AMP for Endpoints, which can be used to secure the additional remote desktops now on the company network. AMP can help you gain visibility and control of remote devices, allowing you to see where a threat came from, where it’s been, what it’s doing, and if necessary, isolate compromised endpoints.

Finally, to secure that remote connection back into the company network, consider using Cisco AnyConnect Secure Mobility Client with Duo Security. AnyConnect can simplify secure access to the company network, while Duo can ensure that the person logging into your network is who they say they are.  

Free and expanded offerings for Umbrella, AMP, AnyConnect, and Duo are all available through our Cisco Secure Remote Worker page. 

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published. 

The post Remote work and the threat landscape appeared first on Cisco Blogs.

Cisco Remote Access VPN architecture for Amazon Web Services (AWS)

Today applications are evolving and moving to the public cloud. Amazon Web Services (AWS) offers different types of services to host these applications in the cloud. Customers are opting for hybrid cloud services because it provides the optimum architecture for application hosting and performance. This change in cloud architecture introduces a big challenge of providing a secure connection to the remote workers.

Cisco provides a comprehensive solution by offering the Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco Next-Generation Firewall in the AWS marketplace. These virtual appliances can integrate with the Cisco security portfolio and provide an unmatched remote access VPN architecture for AWS.


Figure 1: Components of the Cisco Secure Remote Worker

  • Cisco AnyConnect Secure Mobility Client: Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. It provides a consistent user experience across devices, both on and off-premises, without creating a headache for your IT teams. Simplify management with a single agent.
  • Cisco Duo: Cisco Duo is a user-friendly, scalable way to keep business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network by using a second source of validation, like a phone or token, to verify user identity before granting access. Cisco Duo is engineered to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administrative, visibility, and monitoring.
  • Cisco Umbrella Roaming Security Module: Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname both on and off your network or VPN.
  • Cisco Advanced Malware Protection (AMP) Enabler: Cisco AnyConnect AMP Enabler module is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base. This approach provides AnyConnect user base administrators with an additional security agent that detects potential malware threats happening in the network, removes those threats, and protects the enterprise from compromise. It saves bandwidth and time taken to download, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AnyConnect AMP Enabler protects the user both on and off the network or VPN.
  • Cisco Identity Services Engines (ISE): Cisco AnyConnect Secure Mobility Client offers a VPN posture module and an ISE posture module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host. The administrator can then restrict network access until the endpoint is in compliance.
  • Cisco Adaptive Security Appliance (Virtual Appliance): The Cisco Adaptive Security Appliance (ASA) is a security appliance that protects corporate networks and data centers. It provides users with highly secure access to data and network resources – anytime, anywhere. The remote users can use Cisco AnyConnect Secure Mobility Client on the endpoints to securely connect to the resources hosted in the Data Center or the Cloud.
  • Cisco Next-Generation Firewall / Firepower Threat Defense (Virtual Appliance): The Cisco Firepower NGFW helps you prevent breaches, get visibility to stop threats fast, and automate operations to save time. A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall by adding capabilities like application visibility and control, Next-Generation IPS, URL filtering, and Advanced Malware Protection (AMP).

Scalable and Resilient Remote VPN architecture for AWS (Single-VPC & Multi-AZ)

Due to layer-2 abstraction in the cloud, it is not possible to provide native firewall high availability, firewall clustering, or VPN clustering. AWS offers native services, such as AWS Route53 and AWS route tables, that enable DNS-based load balancing.

Figure 2: Cisco Remote Access VPN scalable design using AWS Route53

Traffic Flow:

  • The remote access VPN user initiates a VPN connection using a hostname (example: answamivpn.com), and the DNS server returns an IP address. AWS route53 monitors all the firewalls using AWS route53 health checks
  • Remote user makes the connection to the firewall
  • Access the resources hosted in AWS

Recommendation for the architecture shown in figure 2:

  • Each availability zone (AZ) should have multiple firewalls (ASAv or NGFWv)
  • Each firewall should have a dedicated VPN pool (i.e. separate VPN pool for each firewall)
  • VPN pool should be outside of VPC CIDR range, avoid overlapping networks
  • Control traffic using AWS route table
  • Enable weighted average load balancing on AWS route53
  • AWS route53 should track firewalls public IP/elastic IP using port 443
    • Cisco Duo: Multi-factor authentication
    • Cisco Umbrella Roaming Security Module: DNS layer security and IP enforcement
    • Cisco AMP enabler: File and Malware analysis
    • Cisco ISE: Authentication and Posture
    • SWC: Visibility

The architecture shown in figure 2 is a scalable and resilient design for a single-VPC deployment, based on the principle of a distributed architecture. In the case of a multi-VPC architecture, we recommend deploying bigger firewall instances (example: C5.2xl or C5.4xl) in a centralized VPC.

Scalable and Resilient Remote VPN architecture for AWS (Multi-VPC & Multi-AZ)

In the case of a multi-VPC architecture, we recommend deploying multiple instances of bigger firewalls in a centralized VPC (known as the security-hub VPC) and connecting the security-hub VPC to spoke VPCs using AWS Transit Gateway.

The AWS transit gateway can have the following types of attachments:

  • VPC attachment (used for VPC and AWS Direct Connect (DX) connection)
  • VPN attachment (used for IPsec connectivity to DC)
  • Peering connection (used for peering two AWS transit gateway – not shown in this architecture)

Figure 3: Cisco Remote Access VPN for multi-vpc architecture

Traffic Flow:

  • The remote access VPN user initiates a VPN connection using a hostname (example: answamivpn.com), and the DNS server returns an IP address. AWS route53 monitors all the firewalls using AWS route53 health checks.
  • Remote user makes the connection to the firewall.
  • Access the resources hosted in AWS.

Recommendation for the architecture shown in figure 3:

  • Each availability zone (AZ) should have multiple firewalls (ASAv or NGFWv)
  • Each firewall should have a dedicated VPN pool (i.e. separate VPN pool for each firewall)
  • VPN pool should be outside of VPC CIDR range, avoid overlapping networks
  • Control traffic using AWS route table
  • Enable weighted average load balancing on AWS route53
  • Use AWS Transit Gateway for interconnecting VPC
  • For a hybrid cloud architecture, terminate VPN on the firewalls at the edge in the secure hub vpc or use VPN attachment on the AWS transit gateway.
  • AWS route53 should track firewalls public IP/elastic IP using port 443
    • Cisco Duo: Multi-factor authentication
    • Cisco Umbrella Roaming Security Module: DNS layer security and IP enforcement
    • Cisco AMP enabler: File and Malware analysis
    • Cisco ISE: Authentication and Posture
    • SWC: Visibility

Detailed information on the architecture described in figure 3 is available in this video: https://www.youtube.com/watch?v=ReI6I0eWyKc
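The recommendations for figures 2 and 3 can be checked and turned into Route53 configuration mechanically. This is an added example, not Cisco's code: it validates the VPN-pool and per-AZ rules from the lists above and builds the boto3 payloads for a TCP/443 health check per firewall and the weighted A records behind the VPN hostname. The inventory (EIPs, pools, AZs) is constructed; the hostname is the one used in the post.

```python
"""Added example (not Cisco's code): check the VPN-pool recommendations from the
architecture above and build the Route53 weighted records and health checks.
The EIPs, pools and AZs below are constructed sample values."""
import ipaddress
from typing import Dict, List

# Constructed inventory: two AZs, two firewalls each, a dedicated VPN pool per firewall,
# every pool outside the VPC CIDR.
VPC_CIDR = "10.0.0.0/16"
HOSTNAME = "answamivpn.com"  # the example hostname used in the post
FIREWALLS = [
    {"name": "fw-az1-a", "az": "us-east-1a", "eip": "203.0.113.10", "vpn_pool": "172.16.1.0/24"},
    {"name": "fw-az1-b", "az": "us-east-1a", "eip": "203.0.113.11", "vpn_pool": "172.16.2.0/24"},
    {"name": "fw-az2-a", "az": "us-east-1b", "eip": "203.0.113.12", "vpn_pool": "172.16.3.0/24"},
    {"name": "fw-az2-b", "az": "us-east-1b", "eip": "203.0.113.13", "vpn_pool": "172.16.4.0/24"},
]


def check_design(vpc_cidr: str, firewalls: List[Dict]) -> List[str]:
    """Return violations of the recommendations (empty list means the design passes):
    several firewalls per AZ, a dedicated pool per firewall, and no pool overlapping
    the VPC CIDR or another pool (overlap is what the AWS route tables cannot resolve)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems: List[str] = []
    seen: Dict = {}
    per_az: Dict[str, int] = {}
    for fw in firewalls:
        pool = ipaddress.ip_network(fw["vpn_pool"])
        per_az[fw["az"]] = per_az.get(fw["az"], 0) + 1
        if pool.overlaps(vpc):
            problems.append(f"{fw['name']}: pool {pool} overlaps VPC CIDR {vpc}")
        for other_name, other in seen.items():
            if pool.overlaps(other):
                problems.append(f"{fw['name']}: pool {pool} overlaps {other_name}'s pool {other}")
        seen[fw["name"]] = pool
    for az, count in per_az.items():
        if count < 2:
            problems.append(f"{az}: only {count} firewall, recommendation is several per AZ")
    return problems


def health_check_config(fw: Dict) -> Dict:
    """HealthCheckConfig for boto3 route53.create_health_check(): a TCP probe of port 443
    on the firewall's elastic IP, the port the post says Route53 should track."""
    return {"IPAddress": fw["eip"], "Port": 443, "Type": "TCP",
            "RequestInterval": 30, "FailureThreshold": 3}


def weighted_change_batch(hostname: str, firewalls: List[Dict],
                          health_check_ids: Dict[str, str], ttl: int = 60) -> Dict:
    """ChangeBatch for boto3 route53.change_resource_record_sets(): one weighted A record
    per firewall with equal weight, each tied to its health check so a failed firewall
    drops out of DNS answers and new AnyConnect sessions land on the healthy peers."""
    changes = []
    for fw in firewalls:
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": hostname, "Type": "A", "SetIdentifier": fw["name"], "Weight": 10,
            "TTL": ttl, "ResourceRecords": [{"Value": fw["eip"]}],
            "HealthCheckId": health_check_ids[fw["name"]]}})
    return {"Comment": "RA-VPN weighted records, one per firewall", "Changes": changes}


if __name__ == "__main__":
    import json
    print(check_design(VPC_CIDR, FIREWALLS) or "design OK")
    # Placeholder ids; a real run takes them from the create_health_check() responses.
    ids = {fw["name"]: f"hc-placeholder-{fw['name']}" for fw in FIREWALLS}
    print(json.dumps(weighted_change_batch(HOSTNAME, FIREWALLS, ids), indent=2))
```

The short TTL matters: it bounds how long clients keep resolving to a firewall that the health check has already marked down.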

Secure Remote Worker Design Guide (Published – April 2020)

In addition to the above information, we recommend checking out our Cisco Secure Remote Worker design guide that addresses a specific use case of remote access VPN connection covered in the SAFE Internet Edge Architecture Guide. The design for remote access VPN connections includes the Cisco AnyConnect Secure Mobility Client, Cisco Duo, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP) for Endpoints.

Design Guide: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remoteDe-worker-design-guide.pdf

Thanks,
Anubhav Swami (CCIEx2: 21208)
Security Solutions Architect
Cisco Systems Inc.
Cisco Blog: https://blogs.cisco.com/author/anubhavswami
YouTube Channel: https://www.youtube.com/anubhavswami
Reference links:
Cisco SAFE design guide for AWS: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/secure-aws-design.pdf
Cisco SAFE Cloud Architecture Guide: https://www.cisco.com/c/dam/en/us/solutions/collateral/design-zone/cisco-validated-profiles/safe-secure-cloud-architecture-guide.pdf
Cisco SAFE secure remote worker: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remote-worker-design-guide.pdf
Cisco Stealthwatch Cloud: https://www.cisco.com/c/en/us/products/security/stealthwatch-cloud/index.html
Cisco AMP for Endpoints: https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html
Cisco Duo: https://duo.com/
Cisco Umbrella: https://umbrella.cisco.com/
Cisco ASA: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html
Cisco Next-Generation Firewall: https://www.cisco.com/c/en/us/products/security/firewalls/index.html
Amazon Web Service: https://aws.amazon.com/
Amazon Load Balancer: https://aws.amazon.com/elasticloadbalancing/
Amazon Route53: https://aws.amazon.com/route53/
Amazon Route Table: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
Amazon Transit Gateway: https://aws.amazon.com/transit-gateway/

Cisco Live Sessions:
NGFWv and ASAv in AWS and Azure (BRKSEC-2064): https://www.ciscolive.com/global/on-demand-library.html?search=Anubhav%20Swami#/session/1542224327848001r3qI
Deploy ASAv and NGFWv in AWS and Azure (LTRSEC-3052): https://www.ciscolive.com/global/on-demand-library.html?search=Anubhav%20Swami#/session/1564527389250001ckvR
ARM yourself using NGFWv and ASAv in Azure (BRKSEC-3093): https://www.ciscolive.com/global/on-demand-library.html?search=Anubhav%20Swami#/session/1560880389440001ntSs

YouTube Videos:
YouTube Channel: https://www.youtube.com/anubhavswami

The post Cisco Remote Access VPN architecture for Amazon Web Services (AWS) appeared first on Cisco Blogs.

Automated Threat Remediation in AWS with Stealthwatch Cloud

Stealthwatch Cloud is first and foremost known for its overall visibility and high fidelity security threat detection.  These detections range on a spectrum from on-premises endpoints to public cloud workloads and everything in-between.

Where it relates to public cloud workload protection in AWS, many of our customers believe that there should be the option to take action on a threat if deemed of significant criticality.  Some customers may find significant prioritization in activity such as an AWS workload suddenly acting as a server on the Internet for the first time ever whereas others may be more concerned about an overly permissive configuration causing an AWS workload to become brute-forced.

Whatever the scenario, the ability to take action is incredibly valuable to a Security Operations team or Incident Responder.  Stealthwatch Cloud users have a great deal of flexibility when it comes to responses and actions that the system can take once an Alert of importance triggers in the system.  There are built-in options for everything from email to syslog, chat system notifications to vendor-agnostic webhook support.  There are also cloud-native features such as support for public cloud provider storage buckets and, in the case of AWS, the ability to integrate directly with the AWS Simple Notification Service, or SNS as it is commonly referred to.

With SNS built-in support in Stealthwatch Cloud, users are able to directly interact with the AWS infrastructure and take automated operational actions on workloads, configurations and services to mitigate both risk and threats in real-time.  This allows a Security Administrator to implement a proactive set it and forget it approach to implementing appropriate remediation actions for security Alerts that are of urgent criticality to them.  Actions can be in the form of insertion of Access Control List (ACL) rules, workload instance state manipulation or other infrastructure service configurations.  Programmatically speaking, the sky is the limit with how Stealthwatch Cloud can perform a mitigation task within the AWS public cloud environment.

To demonstrate this incredibly useful feature and workflow within Stealthwatch Cloud, I have created a tutorial on how to perform automated remediation in AWS on a breached workload by programmatically inserting VPC Network ACLs (NACLs) to block offenders in real-time as they attempt to exploit an overly-exposed EC2 instance.

Here is a diagram of the Proof of Concept workflow:

The intent of this tutorial is primarily to be a Proof of Concept to demonstrate to Stealthwatch Cloud customers how easily they can implement an automated remediation workflow into their daily operations of the solution.  The idea is that an Administrator can choose one or more alerts that are of high criticality to them that they’d like to be remediated automatically should Stealthwatch Cloud detect relevant threat activity.  Stealthwatch Cloud will send out a message to an AWS Simple Notification Service (SNS) topic which will trigger a Lambda.  The Lambda will then parse the Stealthwatch Cloud Alert telemetry and take action on any workload necessary to effectively block threats in real-time.  This is achieved through the insertion of VPC Network ACLs to block attackers as they attempt to exploit an overly exposed workload, in this case an AWS EC2 instance.

As Network ACLs in AWS do not scale past 200 ACLs, each with 20 rules, this is again primarily meant to be a Proof of Concept to demonstrate the immense programmatic potential of using this workflow and integration to take action on any AWS service, configuration or workload to remediate risk and exposure without manual intervention.

Example of the end result of Network ACLs being created automatically to block offenders attempting to exploit an exposed workload:

Click here to view the tutorial.
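The Lambda side of the SNS-to-NACL workflow described above, as an added example that is not the tutorial's code: it unwraps the SNS envelope, drops offender addresses that fall in internal ranges, inserts one ingress deny entry per offender below the allow rule, and stops at the 20-rule cap the post mentions. The alert fields `vpc_id` and `offender_ips` are assumptions standing in for the real Stealthwatch Cloud payload, and `DryRunEc2` is a stand-in for the boto3 EC2 client so the handler runs offline; all addresses and ids are constructed.

```python
"""Added example (not the tutorial's code): the Lambda side of the SNS -> NACL workflow.
The alert fields 'vpc_id' and 'offender_ips' are assumptions standing in for the real
Stealthwatch Cloud alert payload; all addresses and ids below are constructed."""
import ipaddress
import json
from typing import Dict, List, Optional, Tuple

NACL_RULE_LIMIT = 20  # rules per network ACL, the cap the post calls out
# Ranges that must never be denied from an alert, or the rule would cut off the VPC
# itself: RFC 1918 here; add the VPN pools and management ranges for a real deployment.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_offenders(sns_event: Dict) -> Tuple[Optional[str], List[str]]:
    """Unwrap the SNS envelope Lambda receives and return (vpc_id, offender IPs),
    skipping protected addresses so one alert cannot block internal space."""
    vpc_id, offenders = None, []
    for record in sns_event.get("Records", []):
        alert = json.loads(record["Sns"]["Message"])  # assumed alert shape
        vpc_id = alert.get("vpc_id", vpc_id)
        for raw in alert.get("offender_ips", []):
            addr = ipaddress.ip_address(raw)
            if any(addr in net for net in PROTECTED):
                continue
            offenders.append(str(addr))
    return vpc_id, offenders


def block_offenders(ec2, nacl_id: str, offenders: List[str], entries: List[Dict]) -> List[int]:
    """Insert one ingress DENY entry per offender /32 using the lowest free rule numbers.
    NACL entries are evaluated in ascending order, so the deny must sit below the broad
    allow (typically rule 100). Stops at the rule cap and returns the rule numbers added."""
    used = {e["RuleNumber"] for e in entries if not e.get("Egress") and e["RuleNumber"] < 32767}
    denied = {e.get("CidrBlock") for e in entries if e.get("RuleAction") == "deny"}
    added, candidate = [], 1
    for ip in offenders:
        cidr = f"{ip}/32"
        if cidr in denied:
            continue  # already blocked by an earlier alert
        if len(used) >= NACL_RULE_LIMIT:
            break  # cap reached: the post notes NACLs are a proof of concept, not a blocklist
        while candidate in used:
            candidate += 1
        ec2.create_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=candidate, Protocol="-1",
                                     RuleAction="deny", Egress=False, CidrBlock=cidr)
        used.add(candidate)
        denied.add(cidr)
        added.append(candidate)
    return added


def lambda_handler(event: Dict, context=None, ec2=None) -> Dict:
    """Entry point: locate the VPC's default NACL and deny the offenders on it."""
    if ec2 is None:
        import boto3  # only needed when running inside AWS
        ec2 = boto3.client("ec2")
    vpc_id, offenders = extract_offenders(event)
    if not vpc_id or not offenders:
        return {"nacl": None, "blocked": []}
    acls = ec2.describe_network_acls(Filters=[{"Name": "vpc-id", "Values": [vpc_id]},
                                              {"Name": "default", "Values": ["true"]}])
    nacl = acls["NetworkAcls"][0]
    return {"nacl": nacl["NetworkAclId"],
            "blocked": block_offenders(ec2, nacl["NetworkAclId"], offenders, nacl["Entries"])}


class DryRunEc2:
    """Stand-in for the boto3 EC2 client so the handler can be exercised offline. Serves a
    constructed default NACL (one deny from an earlier alert, the usual allow-all at 100)
    and records the entries that would have been created."""
    def __init__(self):
        self.created: List[Dict] = []

    def describe_network_acls(self, Filters):
        entries = [
            {"RuleNumber": 1, "Egress": False, "RuleAction": "deny", "CidrBlock": "198.51.100.5/32"},
            {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        ]
        return {"NetworkAcls": [{"NetworkAclId": "acl-0placeholder", "Entries": entries}]}

    def create_network_acl_entry(self, **kwargs):
        self.created.append(kwargs)


# Constructed SNS event with one alert; 10.0.0.9 (internal) and 198.51.100.5 (already
# denied) must be skipped, leaving two new deny entries at rule numbers 2 and 3.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "vpc_id": "vpc-0placeholder",
    "offender_ips": ["198.51.100.5", "192.0.2.44", "10.0.0.9", "203.0.113.77"]})}}]}

if __name__ == "__main__":
    client = DryRunEc2()
    print(lambda_handler(SAMPLE_EVENT, ec2=client))
    print(client.created)
```

A production version would also expire the deny entries, since the 20-rule cap is reached after a handful of alerts and a stale rule silently blocks a legitimate address that an attacker later releases.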

The post Automated Threat Remediation in AWS with Stealthwatch Cloud appeared first on Cisco Blogs.

21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac

Nowadays, Macs are part of the work-from-home workforce during the COVID-19 pandemic. If you’ve brought a Mac from the office to home, it’s likely your IT department has already set it up to meet your company’s security policies. But what if you’re enlisting a Mac already at home to do duty for your company? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time.

Here are 21 tips for staying secure, private, and productive while working from home on your Mac—while also making sure your personal “helpdesk” is in place, should you run into problems while doing your work.

How to guard against viruses and cyber threats on your Mac

While good security habits are important for all Mac users (since, contrary to popular opinion, Macs are as vulnerable to malicious attacks as PCs), you need to take special care when working from home on your Mac because you’ll be interacting with your company’s applications and platforms over the internet. Start your “security upgrade” with the Mac itself, to keep it free of viruses and malware. Make sure your security checklist includes the following:

    1. Secure Your Mac. Ensure your Mac is in a secure, safe place, where family members can’t shoulder surf or use it, then set up a work account on your Mac (separate from your personal account), complete with a unique, complex password (disable automatic login), with only work-approved apps active on the account. Set the Mac to automatically lock one minute after sleep or your screen saver begins. Then turn on the Mac’s Firewall (if it’s not already on) and enable Stealth Mode, which will block incoming network requests from test applications.
    2. Keep Up to Date. Keep your Mac OS system, Web browser, and main work apps (e.g., Microsoft Office) up to date. Application updates often contain security improvements as well as bug fixes.
    3. Be Communication-Cautious. Use your messaging and email apps only for work, so as not to contaminate them with unexpected communications from friends, family, or strangers. Be particularly aware of phishing emails with potentially bad links and attachments, or with buttons to “help you log into” online accounts to allegedly adjust or renew some crucial account data. Credential data theft can be a doorway not only to the data on your Mac, but to your company’s online systems.
    4. Install Antivirus. Install endpoint security software on your Mac, if you don’t already have it. The solution should protect you from Web threats and when downloading files, and in the event something malicious lands on your disk, its scanning technology will help you remove the infection. The best endpoint protection will protect you and your files proactively from ransomware as well.

Trend Micro Mac Endpoint Security solutions include:

  • Trend Micro Ad Block One. Blocks ads and popups in your Safari browser.
  • Trend Micro Antivirus One. Protects your Mac from adware, ransomware, spyware, and malware.
  • Trend Micro Antivirus for Mac. Offers a full-protection solution for your Mac. When you install Antivirus for Mac, your endpoint security includes the Trend Micro Toolbar for Web Threat Protection, Fraud Buster for protection from phishing in Microsoft Outlook, and Folder Shield for protecting sensitive files from encryption by ransomware.

How to guard your privacy on Mac

Next, you need to make sure your work remains private. This means creating a “chain of privacy” that extends from your Mac over the internet to your company’s servers, so that each link in the chain is “locked” to ensure your company data remains private.

    1. Harden Your Mac. Enable FileVault (which encrypts your data), making sure you secure but remember your login password or recovery key; otherwise your data will become inaccessible. This ensures that if your Mac is stolen, the thief won’t have access to your company’s data.
    2. Protect Your Router. Most routers ship with a default admin username and password, which can leave your router open to attack. Change the default admin username and password on the router to strong, unique alphanumeric strings.
    3. Encrypt Your Network. Use an Ethernet connection from your Mac to the router; or, if you must, a WPA2-encrypted Wi-Fi connection with a unique password. And consider moving your family and their devices to the guest network, if your router offers the same WPA2 protection for guests.
    4. Deploy Network Security. Deploy a network security solution, to protect all the smart devices in your home network, since a breach on any device (e.g., your smart speaker, your security camera) could affect the privacy of all your devices, including your work Mac. The network security solution should enable you to block incoming connections from remote-access software and to manage your family’s devices.
    5. Use a VPN. This ensures a secure and private tunnel between the Mac on your home network and your company’s servers, encrypting your data from the moment it’s transmitted.
    6. Use Strong Authentication. Use strong authentication whenever possible, both locally on your Mac and for online account logins. This can include Single Sign-On (SSO) solutions, PINs, facial recognition and Multi-Factor Authentication (MFA) tools.
    7. Use Secure Video Conferencing. For team conference calls/video meetings, make sure your chosen solution has end-to-end encryption and proper access controls. Consider using headphones to better privatize your teammates’ conversation.
    8. Use a Password Manager. This ensures the privacy of all your company login credentials, since you don’t want to store them in your browser, where they can be hacked.
    9. Use Cloud Sync; Encrypt and Detach Local Backups. You’re probably accustomed to using iCloud for cloud sync/backup, but if you’re already using Microsoft Office, consider using OneDrive for Business, since it’s integrated with Office. And don’t use a USB memory stick for backup. Instead, when you’re doing your weekly local backup via Time Machine, use a hard drive that can be disconnected and locked when your backup is finished.
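The “Secure Your Mac” and “Harden Your Mac” tips above can be verified rather than taken on trust. The following script is an added example, not code from the original post: a read-only audit that asks macOS about the firewall, stealth mode, FileVault and automatic login, and reports which settings still need attention. The command names are the real macOS tools; the exact output strings they print are assumptions noted in the code, so confirm them on your own macOS version.

```python
"""Added example (not code from the original post): a read-only audit of the
macOS settings recommended in the "Secure Your Mac" and "Harden Your Mac" tips.

Each check parses the text that a real macOS command prints, so the parsers
run anywhere; run_live_audit() calls the tools only where they exist (a Mac).
Assumed output formats, to be verified on your macOS version:
  /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
      "Firewall is enabled. (State = 1)"  or  "Firewall is disabled. (State = 0)"
  /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
      "Stealth mode enabled"  or  "Stealth mode disabled"
  fdesetup status
      "FileVault is On."  or  "FileVault is Off."
  defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser
      prints the auto-login user name, or exits non-zero when none is set
"""
import subprocess
from typing import Dict, List, Optional


def firewall_enabled(output: Optional[str]) -> bool:
    """Application firewall on? Missing or unreadable output counts as a failure."""
    text = (output or "").lower()
    return "enabled" in text and "disabled" not in text


def stealth_mode_enabled(output: Optional[str]) -> bool:
    """Stealth mode on (the Mac ignores probes such as ICMP ping)?"""
    text = (output or "").lower()
    return "enabled" in text and "disabled" not in text


def filevault_on(output: Optional[str]) -> bool:
    """Full-disk encryption on?"""
    return (output or "").strip().lower().startswith("filevault is on")


def auto_login_disabled(output: Optional[str]) -> bool:
    """No output (key absent, command failed) means automatic login is off."""
    return not (output or "").strip()


SFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
# (check name, command, parser, where to fix it in System Preferences)
CHECKS = [
    ("application firewall on", [SFW, "--getglobalstate"], firewall_enabled,
     "Security & Privacy > Firewall > Turn On Firewall"),
    ("stealth mode on", [SFW, "--getstealthmode"], stealth_mode_enabled,
     "Security & Privacy > Firewall > Firewall Options > Enable stealth mode"),
    ("FileVault on", ["fdesetup", "status"], filevault_on,
     "Security & Privacy > FileVault > Turn On FileVault"),
    ("automatic login off",
     ["defaults", "read", "/Library/Preferences/com.apple.loginwindow", "autoLoginUser"],
     auto_login_disabled,
     "Users & Groups > Login Options > Automatic login: Off"),
]


def run_command(argv: List[str]) -> Optional[str]:
    """stdout of argv, or None if the tool is absent, times out or exits non-zero."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def evaluate(outputs: Dict[str, Optional[str]]) -> Dict[str, bool]:
    """Apply each parser to captured command output keyed by check name."""
    return {name: parser(outputs.get(name)) for name, _argv, parser, _fix in CHECKS}


def failures(outputs: Dict[str, Optional[str]]) -> List[str]:
    """Names of the checks that did not pass, in CHECKS order."""
    return [name for name, ok in evaluate(outputs).items() if not ok]


def run_live_audit() -> Dict[str, bool]:
    """Run the real commands (nothing is changed) and print a PASS/FAIL report."""
    outputs = {name: run_command(argv) for name, argv, _parser, _fix in CHECKS}
    results = evaluate(outputs)
    for name, _argv, _parser, fix in CHECKS:
        status = "PASS" if results[name] else "FAIL"
        print(f"[{status}] {name}" + ("" if results[name] else f"  -> {fix}"))
    return results


if __name__ == "__main__":
    run_live_audit()
```

The parsers fail closed: if a command is missing or its wording differs from what is assumed, the firewall, stealth-mode and FileVault checks report FAIL rather than a false PASS, so a changed output format shows up as something to look at instead of being silently accepted.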

Trend Micro Mac Privacy/Security solutions include:

  • Trend Micro Home Network Security. Ensures your network and all the smart devices on it are secure, while providing Android and iOS apps to manage the network.
  • Trend Micro VPN Proxy One / WiFi Protection. VPN Proxy One protects your Mac and iOS devices with an emphasis on privacy, while WiFi Protection emphasizes security across all four platforms: Mac, iOS, Windows and Android devices.
  • Trend Micro Password Manager for Mac. Trend Micro’s Password Manager is available for Mac, Windows, iOS, and Android devices. Sync your passwords across all platforms.

Tips and tricks to maximize your Mac

Working from home means contending with home distractions (though working in the office has its own set of distractions too). Staying productive therefore includes setting good work and break habits, physically optimizing your work-from-home Mac setup, and keeping your Mac in good working order. Effective and productive remote working, when it comes to setting up good work habits, using efficiency-maximizing tools, and separating work from home activities, is a whole topic in itself. Here we include only those tips that directly affect the healthy operation and optimization of your Mac:

    1. Deploy a Second Display. Hook up a large or second monitor to your Mac, for increased workspace. New MacBook users on macOS Catalina can also attach an iPad with iOS 13 via Sidecar for use as a second monitor.
    2. Hook Up iPhone Calling to Your Mac. For efficiency’s sake, when your iPhone and Mac are on the same Wi-Fi network, you can make phone calls from your Mac by tying it to your iPhone and its cellular plan. The Mac’s microphone and speakers are used for the call. Ensure your Mac’s Contacts app includes your business contact cards for easy Mac-assisted calling to your associates.
    3. Use Dictation. Now’s the chance for you to use the built-in dictation tools on your Mac (and iOS) to speed up writing letters, emails, memos, etc.
    4. Use Web Apps. Use the web version of your office apps when possible; e.g., Microsoft Office 365, which includes web Outlook, Word, Calendar, People, SharePoint, Planner, Notes, OneDrive, etc. for efficient collaboration, reverting to the installed desktop apps when necessary. This can reduce the data footprint on your Mac.
    5. Periodically Optimize Your Mac. Every computer slows down over time, especially when doing heavy-duty work, due to system and application clutter, as well as duplication of files. Your home Mac may also be a bit short on memory and CPU power, so periodic use of Mac optimization tools, Apple’s or a third-party’s, can help ensure your Mac stays up to speed for maximum productivity.

Trend Micro Performance tools include:

  • Trend Micro Cleaner One Pro for Mac. This solution can help you monitor and clean the Memory, CPU, and Network Usage on your Mac. Its System Optimizer tools include complete file cleanup and a shredder for junk, big, and duplicate files, as well as a tool for controlling apps upon startup.

How to get remote computer assistance for your Mac

Finally, should things go wrong at any time with your working Mac setup, you need to make sure to have a work-from-home “Help Desk” in place for when you need it. This can include the following:

    1. Enlist your IT Department. Easy connection and a contact to your IT Department for device, network, and app requirements, as well as tech support for problems that may arise during your workday, is critical.
    2. Utilize Vendor Helpdesks. Use the community forums and chat services of your Mac, network, and app vendors. Apple provides its own Mac Support, along with Mac Service and Repair for Macs under warranty or for customers with AppleCare+.
    3. Purchase Support Services. Optional support services available for purchase can help ensure the top-notch security and operation of your Mac, your network, and your workflow.

Trend Micro Solutions include:

  • Trend Micro Home Support. You can obtain technical support for all your Trend Micro-centric application needs using Trend Micro’s eSupport page, also known as Home Support. Note too that Air Support, which includes app log transfer, online engineer help, and email, can be initiated through the Trend Micro apps themselves through the Help screen.
  • Trend Micro Premium Support Services. Trend Micro provides both Premium Service and Ultimate Service Bundles, which include support for your Mac. Services include 24×7 emergency assistance, problem fixing, virus and spyware removal, and PC security and health check service for up to 4 devices with Trend Micro Security installed, including Trend Micro Antivirus for Mac.

That’s it! These tips should get you started on the road to staying secure, private, and productive, while running smoothly, as you work from home on your Mac. During the COVID-19 pandemic, many of us are doing just that. Now is the time to keep your working Mac working for you!

The post 21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac appeared first on .

Securing the Connected World with Support for The Shadowserver Foundation

If the first few months of 2020 have taught us anything, it’s the importance of collaboration and partnership to tackle a common enemy. This is true of efforts to fight the current pandemic, and it’s also true of the fight against cybercrime. That’s why Trend Micro has, over the years, struck partnerships with various organizations that share a common goal of securing our connected world.

So when we heard that one of these partners, the non-profit Shadowserver Foundation, was in urgent need of financial help, we didn’t hesitate to step in. Our new $600,000 commitment over three years will help to support the vital work it does collecting and sharing global threat data.

What is Shadowserver?

Founded in 2004, The Shadowserver Foundation is now one of the world’s leading resources for reporting vulnerabilities, threats and malicious activity. Their work has helped to pioneer a more collaborative approach among the international cybersecurity community, from vendors and academia to governments and law enforcement.

Today, its volunteers, 16 full-time staff and global infrastructure of sinkholes, honeypots and honeyclients help run 45 scans across 4 billion IPv4 addresses every single day. It also performs daily sandbox scans on 713,000 unique malware samples, to add to the 12 Petabytes of malware and threat intelligence already stored on its servers. Thousands of network owners, including 109 CSIRTS in 138 countries worldwide, rely on the resulting daily reports — which are available free of charge to help make the digital world a safer place.

A Global Effort

Trend Micro is a long-time partner of The Shadowserver Foundation. We automatically share new malware samples via its malware exchange program, with the end goal of improving protection for both Trend Micro customers and Shadowserver subscribers around the world. Not only that, but we regularly collaborate on global law enforcement-led investigations. Our vision and mission statements of working towards a more secure, connected world couldn’t be more closely aligned.

As COVID-19 has brutally illustrated, protecting one’s own backyard is not enough to tackle a global challenge. Instead, we need to reach out and build alliances to take on the threats and those behind them, wherever they are. These are even more pronounced at a time when remote working has dramatically expanded the corporate attack surface, and offered new opportunities for the black hats to prosper by taking advantage of distracted employees and stretched security teams.

The money Trend Micro has donated over the next three years will help the Shadowserver Foundation migrate to the new data center it urgently needs and support operational costs that combined will exceed $2 million in 2020. We wish the team well with their plans for this year.

It’s no exaggeration to say that our shared digital world is a safer place today because of their efforts, and we hope to continue to collaborate long into the future.

The post Securing the Connected World with Support for The Shadowserver Foundation appeared first on .

Why Endpoint Security Matters in Protecting Remote Workers – Part 1

As customers secure their remote workers, they tell us they are getting better visibility, better efficacy and getting time back!

Enabling your workforce to work securely on any endpoint, anywhere, at any time is more important now than ever before. And as such, Cisco has recently offered a new Cisco Secure Remote Worker solution that unifies user and endpoint protection at scale, making it easy to verify, enable secure access and defend remote workers at anytime from anywhere. Cisco AMP for Endpoints is a key component of and plays a critical role in this new solution.

To best describe this critical role, we recently conducted an endpoint survey to get our customers’ thoughts on the value that AMP for Endpoints brings to their business, and therefore to the Secure Remote Worker solution. This first blog of a 4-blog series summarizes the top 3 business values our customers highlighted. In the next 3 blogs we will provide an in-depth look at each one of these values and demonstrate why they are so effective.

Now let’s look at these top 3 business values from the endpoint survey; each described in challenges, why it’s important to customers, the customer comments and how AMP for Endpoints helps.

Business Value #1: Better visibility into endpoints

Customer challenge:  My endpoints are under constant attack through phishing attempts, advanced persistent threats (APTs) and exploits. I want to arm my team with actionable insights.

Why it’s important: If you can’t see what’s on your endpoints, you really don’t know what malware exists or what type of malware is there. Without that visibility, your team will spend an inordinate amount of time attempting to eradicate threats and remain exposed to lateral movement.

How Cisco helps: AMP for Endpoints, as part of the Cisco SecureX platform, provides seamless integration with other security technologies, backed by Talos threat intelligence, to help you block, detect, investigate, and respond to threats across your entire environment – not just at your endpoints.

Business Value #2: Better efficacy

Customer challenge:  I want tools refined enough and accurate enough so I can understand what malware may be on my endpoints so my team can take the appropriate action.

Why it’s important: I don’t want my team wasting time on false positives, and I want to see accurate, clear threat intelligence so my team can determine what the priority level is and what steps to take, and feel confident about it. And clearly the process needs to be in sync with best practices such as the MITRE ATT&CK framework.

How Cisco helps: Block known threats automatically using machine learning, exploit prevention, file reputation, antivirus, and a wide array of other attack prevention techniques that stop both fileless and file-based attacks in their tracks. As proof of this, Cisco AMP for Endpoints earned high marks in malware protection tests, while achieving the lowest false positives in the first AV-Comparatives Business Main Test Series for 2020. You can count on AMP for Endpoints delivering consistent security efficacy, giving you superior protection from advanced threats.

Business Value #3: Get time back

Customer challenge: I want my team to spend less time on each incident in their everyday workflows so they can do more with less effort.

Why it’s important: Better tools that complement my security infrastructure and actively leverage automation enable my team to maximize our security investments and respond faster to threats on my endpoints, instead of spending time on manual, error-prone tasks.

How Cisco helps: AMP for Endpoints, and the underlying platform, enable you to increase the efficiency and precision of your existing resources via automation. You can multiply your threat hunting capabilities by connecting your security infrastructure to get more value from your existing investments. This provides you with the best ability to orchestrate and automate your threat response capability in a timelier manner, and thus gives you time back to focus on more strategic efforts.

For the next entry in this series

In the next blog entry of this series we will provide a deep dive into the first of the 3 business values described above and demonstrate how our customers are getting the results they need.

In the meantime, please visit the TechValidate Survey to see examples of what our customers’ challenges were and, in their own words, how they were able to achieve their business goals with Cisco AMP for Endpoints as part of the Cisco SecureX platform.

The post Why Endpoint Security Matters in Protecting Remote Workers – Part 1 appeared first on Cisco Blogs.

How the Cybercriminal Underground Has Changed in 5 Years


The cybercrime economy is one of the runaway success stories of the 21st century — at least, for those who participate in it. Estimates claim it could be worth over $1 trillion annually, more than the GDP of many countries. Part of that success is due to its ability to evolve and shift as the threat landscape changes. Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, we’ve seen a major shift to new platforms, communications channels, products and services, as trust on the dark web erodes and new market demands emerge.

We also expect the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shifts in the underground

Our latest report, Shifts in the Cybercriminal Underground Markets, charts the fascinating progress of cybercrime over the past five years, through detailed analysis of forums, marketplaces and dark web sites around the world. It notes that in many product areas, the cost of items has dropped as they become commoditised: so where in 2015 you expected to pay $1,000 per month for crypting services, today they may cost as little as $20.

In other areas, such as IoT botnets, cyber-propaganda and stolen gaming account credentials, prices are high as new products spark surging demand. Fortnite logins can sell for around $1,000 on average, for example.

The good news is that law enforcement action appears to be working. Trend Micro has long partnered with Interpol, Europol, national crime agencies and local police to provide assistance in investigations. So it’s good to see that these efforts are having an impact. Many dark web forums and marketplaces have been infiltrated and taken down over the past five years, and our researchers note that current users complain of DDoS-ing and log-in issues.

Cybercriminals have been forced to take extreme measures as trust erodes among the community, for example, by using gaming communications service Discord to arrange trades, and e-commerce platform Shoppy.gg to sell items. A new site called DarkNet Trust was even created to tackle this specific challenge: it aims to verify cybercrime vendors’ reputations by analysing their usernames and PGP fingerprints.

What does the future hold?

However, things rarely stay still on the cybercrime underground. Going forward, we expect to see a range of new tools and techniques flood dark web stores and forums. AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals.

Some emerging trends are less hi-tech but no less damaging. Log-ins for wearable devices could be stolen and used to request replacements under warranty, defrauding the customer and costing the manufacturers dear. In fact, access to devices, systems and accounts is so common today that we’re already seeing it spun out in “as-a-service” cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.

Post-pandemic threats

Then there’s COVID-19. We’re already seeing fraudsters targeting government stimulus money with fake applications, sometimes using phished information from legitimate businesses. And healthcare organisations are being targeted with ransomware as they battle to save lives.

Even as the pandemic recedes, remote working practices are likely to stay in many organisations. What does this mean for cybercrime? It means more targeting of VPN vulnerabilities with malware and DDoS services. And it means more opportunities to compromise corporate networks via connected home devices. Think of it like a kind of Reverse BYOD scenario – instead of bringing devices into work to connect, the corporate network is now merged with home networks.

Tackling such challenges will demand a multi-layered strategy predicated around that familiar trio: people, process and technology. It will require more training, better security for home workers, improved patch management and password security, and much more besides. But most of all it will demand continued insight into global cybercriminals and the platforms they inhabit, to anticipate where the next threats are coming from.

Fortunately, this is where Trend Micro’s expert team of researchers come in. We won’t let them out of our sight.

The post How the Cybercriminal Underground Has Changed in 5 Years appeared first on .

Bugs in open-source libraries impact 70% of modern software

Seventy percent of the mobile and desktop applications in use today are affected by at least one security flaw present in an open-source library.

According to the Veracode’s annual State of Software Security report, 70 percent of mobile and desktop applications being used today have at least one security flaw that is the result of the use of an open-source library.

Experts pointed out that each library can be affected by one or more issues, which are inherited by every application that uses it.

According to Veracode’s annual State of Software Security report, almost any modern application includes open source libraries that implement functionality that would be extremely tedious to write from scratch.

The experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.

“The number of external libraries found in any given application varies quite a bit depending on the language in which the application is being developed.” reads the report.

The use of open-source libraries is quite common, for example most JavaScript applications contain hundreds of libraries.

“Our research found that most JavaScript applications contain hundreds of open source libraries – some have over 1,000 different libraries. In addition, most languages feature the same set of core libraries.” reads the post published by Veracode. “JavaScript and PHP in particular have several core libraries that are in just about every application.”

Most of the vulnerabilities affecting the applications analyzed by the researchers were present in the Swift, .NET, Go, and PHP open-source libraries.

“But not all flaws are equal. Some security issues are relatively exotic or difficult to exploit while others may be much more significant to their application. It’s this sorting of the zebras from the horses to which we now turn.” continues the report.

Swift is widely used in the Apple ecosystem, it has the highest density of vulnerabilities, but it has an overall low percentage of flawed libraries.

.NET has the lowest percentage of flawed libraries on a population that is more than 17 times larger than Swift.

Go has a high percentage of libraries with flaws; the good news is that it has an overall low number of flaws per individual library. Compared with Go, PHP has a higher rate of flawed libraries and more than double the density of flaws in a given library.


Cross-site scripting (XSS) is the most common vulnerability affecting open-source libraries; it is present in 30 percent of them. Other major issues are insecure deserialization (23.5 percent) and broken access control (20.3 percent). Insecure deserialization was a rare flaw among in-house applications.

“The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries – present in 30 percent of libraries – followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).” continues the post.

Experts pointed out that addressing security vulnerabilities in open-source libraries is, in most cases, not so difficult.

“In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!” concludes the report.

“This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”
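The report’s closing point, that the problem is one of discovery and tracking rather than refactoring, is easiest to see with a concrete inventory check. The script below is an added example, not Veracode’s code or data: it reads a lockfile of pinned libraries, matches each pin against an advisory feed with affected version ranges, and classifies each fix as a patch, minor or major bump, which is exactly the “minor version update” distinction the report draws. Every library name, version and advisory id in it is a constructed placeholder.

```python
"""Added example (not Veracode's code or data): a minimal inventory-and-advisory
check of the kind the report's "discovery and tracking" conclusion calls for.

Given a lockfile-style list of pinned libraries and a list of advisories with
affected version ranges, report which pins are affected and whether the fix is
a patch, minor or major version bump. All library names, versions and advisory
ids below are constructed placeholders, not real packages or advisories."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'v1.2' -> (1, 2, 0); a non-numeric tail is dropped, so '2.0.0rc1' -> (2, 0, 0)."""
    parts: List[int] = []
    for piece in text.strip().lstrip("v").split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Advisory:
    id: str
    library: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    category: str


def is_affected(adv: Advisory, version: str) -> bool:
    """True when the pinned version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def upgrade_kind(current: str, fixed: str) -> str:
    """Classify the move from the pinned version to the first fixed version."""
    c, f = parse_version(current), parse_version(fixed)
    if f[0] != c[0]:
        return "major"
    if f[1] != c[1]:
        return "minor"
    return "patch"


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """requirements.txt-style 'name==version' lines; comments and blanks are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"unpinned dependency cannot be tracked: {line!r}")
        pins.append((name.strip().lower(), version.strip()))
    return pins


def find_flaws(lock_text: str, advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Every (pinned library, advisory) pair whose version falls in the affected range."""
    findings = []
    for name, version in parse_lockfile(lock_text):
        for adv in advisories:
            if adv.library == name and is_affected(adv, version):
                findings.append({
                    "library": name, "version": version, "advisory": adv.id,
                    "category": adv.category, "fix_version": adv.fixed,
                    "upgrade": upgrade_kind(version, adv.fixed),
                })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """How many findings need a patch, minor or major bump to clear."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["upgrade"]] = counts.get(f["upgrade"], 0) + 1
    return counts


# Constructed sample input: a lockfile and an advisory feed, not real data.
SAMPLE_LOCKFILE = """\
# pinned dependencies (constructed example)
exampleweb==2.4.1
jsonserde==1.8.0
authgate==0.9.3
tinylog==3.1.0
"""
SAMPLE_ADVISORIES = [
    Advisory("EX-2020-0001", "exampleweb", "2.0.0", "2.4.2", "cross-site scripting"),
    Advisory("EX-2020-0002", "jsonserde", "1.0.0", "1.9.0", "insecure deserialization"),
    Advisory("EX-2020-0003", "authgate", "0.5.0", "1.0.0", "broken access control"),
    Advisory("EX-2020-0004", "tinylog", "2.0.0", "3.0.0", "path traversal"),  # pin is already past the fix
]

if __name__ == "__main__":
    found = find_flaws(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f['library']}=={f['version']}: {f['advisory']} ({f['category']}) "
              f"-> upgrade to {f['fix_version']} ({f['upgrade']})")
    print(summarize(found))
```

The lockfile parser deliberately rejects unpinned lines: a dependency without an exact version cannot be matched against an advisory range, so an inventory built from such a file would silently miss flaws. In a real pipeline the advisory list would come from a vulnerability database and the lockfile from the build, but the matching and the patch/minor/major classification stay the same.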

Pierluigi Paganini

(SecurityAffairs – open-source libraries flaws, hacking)

The post Bugs in open-source libraries impact 70% of modern software appeared first on Security Affairs.

Cisco fixed a critical issue in the Unified Contact Center Express

Cisco has released several security patches, including one for a critical issue, tracked as CVE-2020-3280, in the call-center software Unified Contact Center Express.

Cisco released a set of security patches, including one for a critical flaw in its call-center software Unified Contact Center Express, tracked as CVE-2020-3280.

The CVE-2020-3280 vulnerability is a remote code execution issue that resides in the Java remote management interface for Unified CCE.

“A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system.”

An unauthenticated, remote attacker could exploit the issue to execute arbitrary code as the root user on a vulnerable device.

The issue could be exploited by supplying a malicious serialized Java object to a specific listener on a vulnerable system.

Administrators should update their Unified CCE installs as soon as possible.

The good news is that Cisco is not aware of attacks in the wild that exploited the flaw.
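The advisory’s phrase “insecure deserialization of user-supplied content” (the same flaw class Veracode’s report above found in 23.5 percent of open-source libraries) describes a listener that hands a byte stream from the network straight to a deserializer that will resolve, and invoke, whatever the stream names. The following is an added example, not code from Cisco or Veracode, and it uses Python’s pickle rather than Java serialization because the mechanism is the same and it runs anywhere: the unsafe loader executes a callable named by a constructed stream (a benign marker here), while the hardened loader refuses any class outside an explicit allow-list. The Java counterpart of that allow-list is a java.io.ObjectInputFilter.

```python
"""Added example: what "insecure deserialization of user-supplied content" means,
shown with Python's pickle rather than the Java serialization the Cisco advisory
concerns; not code from Cisco or Veracode. The mechanism is the same in both:
the stream names a class or callable and the deserializer resolves and invokes
it before any application code sees the resulting object.

The mitigation shown is an allow-list of the classes a listener may resolve
(pickle.Unpickler.find_class); the Java equivalent is an ObjectInputFilter."""
import io
import pickle
from dataclasses import dataclass

# A benign marker callable standing in for whatever a hostile stream would name.
CALLED = []


def side_effect(tag: str) -> str:
    CALLED.append(tag)
    return tag


@dataclass
class Ticket:
    """The only type this listener is supposed to accept."""
    id: int
    subject: str


def build_hostile_stream() -> bytes:
    """Constructed for the demo: a stream that asks the loader to call side_effect()."""
    class Payload:
        def __reduce__(self):
            return (side_effect, ("deserializer invoked a callable",))
    return pickle.dumps(Payload())


def unsafe_loads(data: bytes):
    """The vulnerable pattern: deserialize whatever the peer sent."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed classes; any other global reference is refused."""
    ALLOWED = {(Ticket.__module__, "Ticket")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """The hardened listener: same wire format, explicit allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    legit = pickle.dumps(Ticket(7, "printer on fire"))
    hostile = build_hostile_stream()

    CALLED.clear()
    unsafe_loads(hostile)                 # the loader calls side_effect() for us
    unsafe_invoked = len(CALLED) == 1

    CALLED.clear()
    try:
        restricted_loads(hostile)         # refused while resolving the name, before any call
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True

    return {
        "unsafe_invoked_callable": unsafe_invoked,
        "restricted_blocked": restricted_blocked,
        "restricted_invoked_callable": len(CALLED) > 0,
        "legit_roundtrip": restricted_loads(legit) == Ticket(7, "printer on fire"),
    }


if __name__ == "__main__":
    print(demo())
```

The important property is where the refusal happens: find_class runs when the stream’s global reference is resolved, so the allow-list rejects the hostile stream before anything is called, while a legitimate Ticket still round-trips. An allow-list of expected types is the right shape for the fix; a deny-list of known-bad classes is not, because the deserializer will happily resolve any class that is not on it.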

Pierluigi Paganini

(SecurityAffairs – Unified CCE, hacking)

The post Cisco fixed a critical issue in the Unified Contact Center Express appeared first on Security Affairs.

U.S. Elections: Effectively Balancing Access and Security

For a Democratic Party desperate to unseat President Trump in November, the primary election process has been filled with large-scale technology failure, official miscalculations, voter annoyance and public embarrassment, not to mention piles of money spent in pursuit of an improved 21st-century process that turned out to be worse than what they had. They might […]

The post U.S. Elections: Effectively Balancing Access and Security appeared first on The State of Security.

Unc0ver is the first jailbreak that works on all recent iOS versions since 2014

A team of hackers and cyber-security researchers have released a new jailbreak package dubbed Unc0ver for iOS devices.

A team of cyber-security researchers and hackers have released a new jailbreak package dubbed Unc0ver (from the name of the team that devised it) that works on all recent iOS devices, even those running the current iOS 13.5 release.

Jailbreaking an iOS device removes restrictions imposed by Apple’s operating system. It gives users root access to the iOS file system and manager, which allows them to download and install applications and themes from third-party stores.

By default, Apple does not allow users to have full control over their iPhones and other iOS devices, citing security reasons.

The Unc0ver team today released Unc0ver 5.0.0, the latest version of their jailbreak, which can root and unlock all iOS devices, even those running the latest iOS v13.5.

The jailbreak exploits a zero-day vulnerability in the iOS operating system that was discovered by Pwn20wnd, a member of the Unc0ver team, and that has yet to be addressed by Apple.

Pwn20wnd states that #unc0ver v5.0.0 will be a big milestone for jailbreaking because it is the first zero-day jailbreak released since iOS 8 that was released in September 2014.

Other jailbreak applications released since iOS 9 used 1-day exploits and did not work on the current iOS version.

The new Unc0ver 5.0.0 jailbreak can be used from iOS, macOS, Linux, and Windows devices.

The Unc0ver team published instructions on their website.

“unc0ver is designed to be stable and enable freedom from the moment you jail​break your device. Built-in runtime policy softener allows running code without Apple’s notarization and pervasive restrictions.” reads the website.

“unc0ver Team strongly cautions against installing any iOS software update that breaks unc0ver as you can’t re-jail​break on versions of iOS that are not supported by unc0ver at that time.”

The Unc0ver team tested the jailbreak on iOS 11 through iOS 13.5; the software did not work on iOS versions 12.3 to 12.3.2 and 12.4.2 to 12.4.5.

What makes this jailbreak outstanding is that according to Pwn20wnd it doesn’t impact Apple’s iOS security features.

Let’s see when Apple will release security updates to address the zero-day vulnerability exploited by the Unc0ver team.

Pierluigi Paganini

(SecurityAffairs – Unc0ver, jailbreak)

The post Unc0ver is the first jailbreak that works on all recent iOS versions since 2014 appeared first on Security Affairs.

This Week in Security News: New Bluetooth Vulnerability Exposes Billions of Devices to Hackers and Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about a new security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device. Also, learn about two malware files that pose as Zoom installers but when decoded, contain malware code.

Read on:

Forward-Looking Security Analysis of Smart Factories <Part 1> Overlooked Attack Vectors

Trend Micro recently released a paper showing the results of proof-of-concept research on new security risks associated with smart factories. In this series of five columns, Trend Micro will explore the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This first column introduces the concept of “smart manufacturing,” and explains the research methods and attack vectors that are unique to smart factories.

Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

Trend Micro found two malware files that pose as Zoom installers but when decoded, contain malware code. These malicious fake installers do not come from Zoom’s official installation distribution channels. One of the samples installs a backdoor that allows threat actors to run malicious routines remotely, while the other sample involves the installation of the Devil Shadow botnet in devices.

Adobe Releases Critical Out-of-Band Security Update

This week, Adobe released four security updates, one of them an out-of-band security update for Adobe Character Animator that fixes a critical remote code execution vulnerability. All of these vulnerabilities were discovered by Mat Powell of Trend Micro’s Zero Day Initiative, and none has been seen exploited in the wild.

QNodeService: Node.js Trojan Spread via Covid-19 Lure

Trend Micro recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; the trojan is dubbed “QNodeService”.

ShinyHunters Is a Hacking Group on a Data Breach Spree

In the first two weeks of May, a hacking group called ShinyHunters went on a rampage, hawking what it claims is close to 200 million stolen records from at least 13 companies. Such binges aren’t unprecedented in the dark web stolen data economy, but they’re a crucial driver of identity theft and fraud.

Netwalker Fileless Ransomware Injected via Reflective Loading

Trend Micro has observed Netwalker ransomware attacks involving malware that is not compiled but written in PowerShell and executed directly in memory and without storing the actual ransomware binary into the disk. This makes this ransomware variant a fileless threat, enabling it to maintain persistence and evade detection by abusing tools that are already in the system to initiate attacks.

Beware of Phishing Emails Urging for a LogMeIn Security Update

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. The phishing email has been made to look like it’s coming from LogMeIn. Not only does the company logo feature prominently in the email body, but the sender’s identity has been spoofed and the phishing link looks, at first glance, like it might be legitimate.

Phishing Site Uses Netflix as Lure, Employs Geolocation

A phishing site was found using a spoofed Netflix page to harvest account information, credit card credentials, and other personally identifiable information (PII), according to a Twitter post by PartnerRe Information Security Analyst Andrea Palmieri. Trend Micro looked into the malicious site, hxxp://secure-up-log.com/netflix/, to learn more about the operation and found that the sites have geolocation features.

New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion modern devices to hackers. The attacks, dubbed Bluetooth Impersonation Attacks or BIAS, concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.

#LetsTalkSecurity: Fighting Back

This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the third episode of #LetsTalkSecurity featuring guest Katelyn Bowden, CEO & founder of The BADASS Army. In this week’s episode, Rik and Katelyn discuss fighting back and more. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Fraudulent Unemployment, COVID-19 Relief Claims Earn BEC Gang Millions

An infamous business email compromise (BEC) gang has submitted hundreds of fraudulent claims with state-level U.S. unemployment websites and coronavirus relief funds. Behind the attacks is Scattered Canary, a highly organized Nigerian cybergang that employs dozens of threat actors to target U.S. enterprise organizations and government institutions. Researchers who tracked the fraudulent activity said the gang may have made millions from the fraudulent activity.

Factory Security Problems from an IT Perspective (Part 1): Gap Between the Objectives of IT and OT

The manufacturing industry is undergoing drastic changes and entering a new transition period. Today, it may be difficult to find companies that don’t include Digital Transformation (DX) or the Internet of Things (IoT) in their strategies. Manufacturing companies need to include cybersecurity in both the information technology (IT) domain and the operational technology (OT) one as well. This three-part blog series discusses the challenges that IT departments face when assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges.

What did you think about this week’s #LetsTalkSecurity episode? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: New Bluetooth Vulnerability Exposes Billions of Devices to Hackers and Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers appeared first on .

Vulnerability Spotlight: Memory Corruption Vulnerability in GNU Glibc Leaves Smart Vehicles Open to Attack

By Sam Dytrych and Jason Royes.

Executive summary

Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the vehicle.

These vehicles also frequently integrate both mobile and cloud components to improve the end-user experience. Functionality such as vehicle monitoring, remote start/stop, over-the-air updates and roadside assistance are offered to the end-user as additional services and quality of life improvements.

All these electronic and computer systems introduce many different attack vectors in connected vehicles: Bluetooth, Digital Radio (HD Radio/DAB), USB, CAN bus, Wi-Fi and, in some cases, cellular. Like any other embedded system, connected vehicles are exposed to cyber attacks and security threats, including software vulnerabilities, hardware-based attacks and even remote control of the vehicle. During recent research, Cisco’s Customer Experience Assessment & Penetration Team (CX APT) discovered a memory corruption vulnerability in GNU libc for ARMv7 that leaves Linux ARMv7 systems open to exploitation. The vulnerability is identified as TALOS-2020-1019/CVE-2020-6096.

Read More >>

The post Vulnerability Spotlight: Memory Corruption Vulnerability in GNU Glibc Leaves Smart Vehicles Open to Attack appeared first on Cisco Blogs.

Your Network Has Left the Building – How do you secure it?

Your network has left the building. It’s no longer sitting in the server room down the hall where you can keep an eye on it. And it’s no longer safely tucked behind your corporate firewall. Instead, it’s in the cloud. It’s inside your users’ smartphones. And especially now, your corporate network is in people’s homes.

Today’s security teams have to mind various areas of their network and cloud infrastructure, remote users and endpoints, and applications running everywhere in order to remain secure. And as soon as new technology is developed or widely used, attackers find ways to take advantage of it – making security vigilance even more critical.

In our recent 2020 CISO Benchmark Study, we asked security professionals which areas of their environment they find most challenging to defend. According to the study:

  • 52% find mobile devices and data stored in the public cloud very or extremely challenging to defend
  • 50% find private cloud infrastructure very or extremely difficult to defend
  • 41% find data centers and network infrastructure very or extremely difficult to defend
  • 39% say they are really struggling to secure applications

While the moves to mobile and cloud seem to pose the biggest challenges, the data shows that the rest of your security concerns haven’t gone away either.

So how do you do it all?

How do you protect some of the newer technologies that have become part of your environment while still paying attention to things like your traditional data center and network infrastructure to make sure they are not breached? And how do you do this amidst unprecedented remote worker hurdles and a dramatic shortage of skilled cybersecurity professionals? Here are some examples of how Cisco can help you protect the challenge areas outlined above.

Mobile

In order for security to work, it has to work across all the devices your employees are using. Cisco’s endpoint security combines a variety of security technologies to make sure your users’ mobile devices are protected, and in turn, do not compromise the corporate network. For example, Cisco AnyConnect and Cisco Duo enable users to securely access your network or applications using managed or unmanaged, mobile or traditional devices. And Cisco Umbrella and Cisco AMP for Endpoints defend these devices against threats from the first line to the last line of defense.

In response to current challenges, we have also launched the Cisco Secure Remote Worker solution to help organizations address the recent rise in remote and mobile workers. The intent is to better enable IT and security teams to quickly provision remote workers without sacrificing cybersecurity. The offering includes extended free trials and expanded usage counts to help alleviate today’s tremendous IT and security demands. Learn more about how this offering can enable secure access for a distributed workforce and help you defend against malware across the network, endpoints, cloud, and applications.

Cloud

Cisco’s cloud security protects your assets and data in the cloud from multiple angles. It helps secure private, public, and hybrid clouds to facilitate your transition to a multicloud environment. With Cisco’s cloud edge security, you can: 1) secure cloud access, 2) protect cloud users, data, and applications, and 3) extend in-depth visibility and threat detection into the cloud.

Data Center

Today’s application workloads are more dynamic, moving across on-prem and multicloud environments. This requires a new strategy for data center security that can protect workloads wherever they go. The Cisco Secure Data Center solution provides several layers of security through in-depth visibility, segmentation, and threat protection. The solution brings together key technologies that let you see, segment, and secure your data as it travels across your environment and into the cloud.

Applications

Related to data center security is application security. Cisco’s application security brings continuous, adaptive protection closer to your applications to give you greater insight and control over what is running in your environment. The security follows your applications to ensure protection without hindering productivity and innovation. This allows you to understand application behaviors, automate micro-segmentation, and use security analytics to speed detection.

Network

Perhaps the trickiest area to summarize is network security due to the ever-expanding components that make up today’s “network.” You need a next-generation firewall that can keep up with your expanding infrastructure and sophisticated attackers. You need a way for authorized users to securely connect to the network. And once they’re logged in, you need multiple layers of protection to prevent them from abusing their privileges or being compromised by malware.

Bringing it all together

While we secure many areas of the corporate environment, we don’t do so in silos. Our security products all work together – and with the customer’s infrastructure, including third-party technologies – to provide more cohesive, automated defenses. By taking a platform approach to security, Cisco SecureX results in greater visibility, collaboration, and protection across all threat vectors, access points, and areas of your infrastructure. This reduces complexity while enabling a zero-trust security strategy.

For more information

Explore our entire security portfolio and review the 2020 CISO Benchmark Report for more information on how to protect various areas of your environment.

This post is part of a series covering topics and data from our 2020 CISO Benchmark Report. Read previous posts here, and be sure to check back soon for more!

The post Your Network Has Left the Building – How do you secure it? appeared first on Cisco Blogs.

The Future of the Email Security Market: The Importance of the Secure Email Gateway

Welcome to the first in a series of blogs on the future of the email security market and how you can leverage the latest technologies to secure your cloud email deployments. Our goal is to make these blogs easy to consume and publish them on a regular basis.

While much of the content we will cover here will be about new and emerging ways to protect cloud mailboxes, it’s important to start with a view of the continued relevance of the Secure Email Gateway (SEG). The SEG technology space, and Cisco’s Cloud Email Security (CES) in particular, is still a valuable part of the enterprise content security strategy. Its strength lies in its versatility and comprehensive configuration options, which can produce unparalleled efficacy when tuned by knowledgeable administrators and engineers.

Cisco Email Security: Strengthening the Email Pipeline

 

The graphic above illustrates just how comprehensive Cisco’s gateway offering is. In the top left, we can see connection-time protections that are only possible with SEG products. Administrators have long accepted that basic mail server hardening is not sufficient to protect their environments from attacks like directory harvesting (probing RCPT TO with guessed addresses to learn which mailboxes exist). With the move to O365, administrators no longer have to perform infrastructure maintenance like patching, but well-resourced security organizations still value granular connection-time controls to defeat attacks that target the infrastructure rather than users’ mailboxes. The Connection and Content Filtering engines referenced in the graphic above, when correctly configured, are well positioned to mitigate this kind of attack.
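As an added illustration of the connection-time control just mentioned (a cap on invalid recipients per connecting IP, the usual defence against directory harvesting), the following detector replays a constructed set of RCPT TO log lines and decides, per recipient, whether the gateway should accept, reject, or temporarily refuse the client. This is example code, not Cisco CES code; the log format, thresholds, window length and SMTP reply strings are assumptions.

```python
"""
Directory-harvest-attack (DHA) detection at SMTP connection time: the kind of
control a secure email gateway applies before any message content is scanned.
Added example, not Cisco CES code. The log format, thresholds and reply
strings are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of per-recipient gateway log lines:
#   <timestamp> <client_ip> RCPT <recipient> <smtp_status>
# 250 = recipient accepted, 550 = no such mailbox. 198.51.100.7 walks an
# alphabetical list of guesses (a harvester); 203.0.113.9 mistypes one address.
SAMPLE_LOG = """\
2020-05-20T10:00:01 198.51.100.7 RCPT alice@example.com 250
2020-05-20T10:00:02 198.51.100.7 RCPT aaron@example.com 550
2020-05-20T10:00:02 198.51.100.7 RCPT abby@example.com 550
2020-05-20T10:00:03 198.51.100.7 RCPT abel@example.com 550
2020-05-20T10:00:03 198.51.100.7 RCPT abigail@example.com 550
2020-05-20T10:00:04 198.51.100.7 RCPT adam@example.com 550
2020-05-20T10:00:04 198.51.100.7 RCPT bob@example.com 250
2020-05-20T10:00:10 203.0.113.9 RCPT alice@example.com 250
2020-05-20T10:00:11 203.0.113.9 RCPT alcie@example.com 550
2020-05-20T10:00:12 203.0.113.9 RCPT bob@example.com 250
"""


class DhaDetector:
    """Per-client-IP cap on invalid recipients inside a sliding time window."""

    def __init__(self, max_invalid=4, window=timedelta(hours=1),
                 block_for=timedelta(hours=1)):
        self.max_invalid = max_invalid
        self.window = window
        self.block_for = block_for
        self._invalid = defaultdict(deque)   # ip -> timestamps of 5xx rejections
        self._blocked_until = {}             # ip -> datetime the block expires

    def decide(self, ts, ip, backend_status):
        """Reply to send for one RCPT TO, given what the directory lookup said."""
        if self._blocked_until.get(ip, datetime.min) > ts:
            # Temporary failure: legitimate senders retry later, a harvester
            # learns nothing about which addresses exist.
            return "421 too many invalid recipients, try again later"
        if backend_status == "250":
            return "250 OK"
        rejects = self._invalid[ip]
        rejects.append(ts)
        while rejects and ts - rejects[0] > self.window:
            rejects.popleft()                # forget rejections outside the window
        if len(rejects) > self.max_invalid:
            self._blocked_until[ip] = ts + self.block_for
            return "421 too many invalid recipients, try again later"
        return "550 no such user here"


def replay(log_text, detector=None):
    """Run each logged RCPT through the detector; returns (ip, recipient, reply) tuples."""
    detector = detector or DhaDetector()
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "RCPT":
            continue                          # not a recipient transaction
        ts = datetime.fromisoformat(parts[0])
        ip, rcpt, status = parts[1], parts[3], parts[4]
        out.append((ip, rcpt, detector.decide(ts, ip, status)))
    return out


def blocked_clients(results):
    """IPs that hit the cap at least once during the replay."""
    return {ip for ip, _, reply in results if reply.startswith("421")}


if __name__ == "__main__":
    for ip, rcpt, reply in replay(SAMPLE_LOG):
        print(f"{ip:14} {rcpt:22} -> {reply}")
```

Two design points matter in practice. The block is a 4xx temporary failure rather than a 5xx, so a legitimate relay with a few stale addresses in its list is delayed, not bounced; and the cap is counted per connecting IP inside a window, so a single typo from a real sender (203.0.113.9 above) never trips it. The threshold has to be raised for trusted bulk senders and partner relays, which is exactly the kind of per-sender tuning the post describes.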

This is just one example of the kind of protection that Cisco’s Cloud Email Security (CES) allows customers to bring with them when they migrate away from on-premises email servers. Experienced CES administrators are adept at crafting message filters to deal with targeted campaigns and emerging threats that have not yet been picked up by research groups or content scanning engines. The ability to narrow these rules to groups and individual users is powerful in the hands of security operations engineers who need scalpels to meet the varying demands of their departments; these often require specialized policies that address particular needs while maintaining the integrity of email communications. The availability of multiple quarantines addresses the shortcomings of Microsoft’s junk-folder-centric approach for those who need a more nuanced set of tools.

These examples do not cover all of the use-cases and benefits of CES for cloud email customers (for that, you can explore the user guides and product video), but they do illustrate a key message. The SEG space offers granular, customizable controls that are incredibly powerful in the hands of well-trained administrators and engineers.

If yours is one of the organizations that don’t require the granular controls and customization of an SEG, and simplicity is the most appealing aspect of moving to the cloud, then follow us as we continue this series by examining emerging cloud email security technologies.

In the meantime, read more about the layered approach to email security that makes Cisco Email Security an industry leader.

The post The Future of the Email Security Market: The Importance of the Secure Email Gateway appeared first on Cisco Blogs.

Japan suspects HGV missile data leak in Mitsubishi security breach

Japan continues to investigate a cyberattack that hit Mitsubishi Electric Corp. this year; authorities suspect a possible leak of data including details of a prototype missile.

Japan is still investigating a cyberattack that was disclosed by Mitsubishi Electric Corp. early this year.

In January, the company disclosed a security breach that might have exposed personal and confidential corporate data; at the time, it claimed that attackers did not obtain sensitive information about defense contracts.

Mitsubishi revealed that personal data on some 8,000 people also might have been leaked.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. The delay in disclosure was attributed to the increased complexity of the investigation, caused by the attackers deleting activity logs. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and the Ministry of Defense.

Now, the authorities suspect a data leak that could have exposed details of a prototype missile.

“The suspected leak involves sensitive information about a prototype of a cutting-edge high speed gliding missile intended for deployment for the defense of Japan’s remote islands amid China’s military assertiveness in the region.” states the AP press agency.

“The ministry suspects the information might have been stolen from documents sent from several defense equipment makers as part of a bidding process for the project; Mitsubishi Electric did not win the bid, Japanese media reports said.”

The advanced prototype missile was designed to be deployed in Japan’s remote islands as a deterrence to military activities conducted by China in the area.

Chief Cabinet Secretary Yoshihide Suga announced that the Defense Ministry is investigating “the possible impact of the information leak on national security.”


The Defense Ministry was working on a prototype of a hypersonic glide vehicle (HGV) missile, a technology also being studied by the U.S., China, and Russia.

In January, the two media outlets attributed the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations since at least 2012. According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.


Other Japanese defense contractors were hit by cyber attacks, including NEC Corp., Pasco Corp. and Kobe Steel Ltd.

Pierluigi Paganini

(SecurityAffairs – Mitsubishi, hacking)

The post Japan suspects HGV missile data leak in Mitsubishi security breach appeared first on Security Affairs.

VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director

VMware has addressed a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, that affects its Cloud Director product.

VMware has patched a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, in its Cloud Director product.

The vulnerability is a code injection issue: an authenticated attacker who can send malicious traffic to Cloud Director may be able to execute arbitrary code on it.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the security advisory published by VMware.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.”


The vulnerability impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware vCloud Director 9.1.0.4, 9.5.0.6, 9.7.0.5 and 10.0.0.2 address the issue. VMware has also published a workaround to mitigate the risk of attacks exploiting the issue.

The vulnerability was discovered by Tomáš Melicher and Lukáš Václavík of Citadelo.

A couple of weeks ago, VMware addressed vulnerabilities impacting the vRealize Operations Manager (vROps) product, including two recently disclosed Salt issues.

Earlier this month, VMware addressed a critical information disclosure flaw, tracked as CVE-2020-3952, that could be exploited by attackers to compromise vCenter Server or other services that use the Directory Service (vmdir) for authentication.

The CVE-2020-3952 vulnerability received a CVSSv3 score of 10; it resides in vCenter Server version 6.7 on Windows and in virtual appliances.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-3956, hacking)

The post VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director appeared first on Security Affairs.

Adobe fixed several memory corruption issues in some of its products

Adobe addressed multiple memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.

Adobe addressed multiple memory corruption vulnerabilities in several of its products, including one that allows arbitrary code execution.

The issues affect Character Animator, Premiere Rush, Premiere Pro, and Audition; they were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI).

Advisory    Title                                                   Originally posted   Last updated
APSB20-29   Security update available for Adobe Premiere Rush       05/19/2020          05/19/2020
APSB20-28   Security update available for Adobe Audition            05/19/2020          05/19/2020
APSB20-27   Security update available for Adobe Premiere Pro        05/19/2020          05/19/2020
APSB20-25   Security update available for Adobe Character Animator  05/19/2020          05/19/2020

The most serious flaw, tracked as CVE-2020-9586, is a critical stack-based buffer overflow affecting the Windows and macOS versions of Adobe’s Character Animator product.

The vulnerability could be exploited by a remote attacker to execute arbitrary code.

“Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.” reads the advisory published by Adobe.

Adobe also addressed an out-of-bounds read vulnerability in Adobe Premiere Rush for Windows and macOS that could lead to information disclosure.

The IT giant has released security updates for Adobe Premiere Pro for Windows and macOS that addressed an out-of-bounds read vulnerability that could lead to information disclosure.

The remaining update, APSB20-28, covers Adobe Audition for Windows and macOS.

The good news is that Adobe is not aware of attacks in the wild exploiting the above vulnerabilities. It assigned the updates a priority rating of 3, the lowest in Adobe’s scheme, which is used for products that have historically not been a target for attackers; administrators can install the updates at their discretion.

At the beginning of this month Adobe released security updates to address 36 vulnerabilities in Adobe Acrobat, Reader, and Adobe DNG Software Development Kit.

Pierluigi Paganini

(SecurityAffairs – memory corruption flaws, hacking)

The post Adobe fixed several memory corruption issues in some of its products appeared first on Security Affairs.

Go Agentless – Increase flexibility and prevent compromise from mobile devices in real time with ISE and Frontline.Cloud

This post was authored by Sanjay Raja from Frontline.Cloud 

When determining risk, IT security often has a gaping hole around the assessment of mobile devices. It is challenging to include them in regular vulnerability management (VM) programs for a few reasons, including the fact that they frequently connect and disconnect with networks.

However, it is critical that these devices be included in any security assessment. Threat actors continue to develop new malware designed to exploit even the smallest flaws in mobile devices. In addition, most legacy vulnerability assessment solutions, unfortunately, are not able to assess vulnerability and threat risk before these devices can connect to the network.

Also, combining Network Access Control (NAC) with a solution that provides a real-time understanding of risk makes it possible to apply policies that restrict access for high-risk or under-attack assets. Sharing contextual information, risk posture, and endpoint detections across security and network management platforms gives IT security and network administrators better control over access to sensitive resources.

Effectively Assessing Risk for Mobile Devices Without Agents

One of the most significant challenges to securing mobile devices is installing agents on them. Too many agents claim to be “lightweight” but end up with a significant negative impact on device performance. Many vulnerability management providers talk about how their agent is stripped down or customized to work on mobile devices. However, such agents do not have comprehensive coverage and are still intrusive, and they do not change the fact that you are managing yet another agent. Effective scanning of these devices for vulnerabilities and threats requires an agentless design that tracks devices even as they continually connect to and disconnect from the network.

Digital Defense offers agentless vulnerability and threat management via the Frontline.Cloud platform. Through an integration with Cisco Identity Services Engine (ISE) and leveraging the Cisco Platform Exchange Grid (pxGrid) framework, Frontline.Cloud can perform automated risk and threat posture assessment across multiple platforms, including dynamic assets and mobile devices, to limit the impact of high-risk or infected systems on the network.

How it Works

Frontline.Cloud consumes mobile device information from Cisco ISE and combines it with vulnerability information already in the platform. Cisco ISE works with major MDM vendors and queries customer MDM servers for the necessary device attributes to create ACLs that provide network access control. In doing so, Cisco can make decisions on whether to deny or allow mobile devices access to the network based on authorized access policy. Cisco ISE can even classify mobile devices with limited access to certain network resources.

Cisco ISE can also obtain needed information from automatic scanning when a device connects to the network for the first time. Cisco ISE validates the information against existing device profiles and applies the appropriate security policies.

Proactive Device Scanning

The Cisco ISE/Frontline.Cloud integration offers a policy that allows Cisco ISE to request an immediate vulnerability scan when a new mobile device comes onto the network. That same policy can restrict access for the device until Cisco ISE has received the scan data from Frontline.Cloud; other policies then determine what actions to take based on the findings. With Cisco ISE and Frontline.Cloud, real-time scanning intelligence adds a level of granularity that allows the system to restrict the access of a mobile device that may introduce risk into the network.
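To make the control flow above concrete, here is an added example of the scan-on-connect gating logic: a new device is held in a restricted state and queued for a scan, the scan result maps to an access level, and a device whose scan never comes back stays restricted and is re-queued rather than being admitted. This is illustrative code written for this page, not Cisco ISE, pxGrid or Frontline.Cloud code; the access levels, CVSS thresholds, timeout and scan-result fields are assumptions.

```python
"""
Scan-on-connect access gating: new device -> restricted -> vulnerability scan
-> access decision. Added example; not Cisco ISE / pxGrid / Frontline.Cloud
code. Access levels, thresholds and the ScanResult fields are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESTRICTED = "restricted"    # scan/remediation-only access while posture is unknown
QUARANTINE = "quarantine"    # remediation services only
LIMITED = "limited"          # internet and non-sensitive resources only
FULL = "full"


@dataclass
class ScanResult:
    device_id: str
    max_cvss: float          # highest CVSS score among findings (assumed field)
    active_threat: bool      # scanner saw an active compromise indicator (assumed)


@dataclass
class AccessPolicy:
    scan_timeout_s: int = 300
    quarantine_cvss: float = 9.0
    limited_cvss: float = 7.0
    _connected_at: Dict[str, int] = field(default_factory=dict)   # devices awaiting a scan
    _access: Dict[str, str] = field(default_factory=dict)         # current access level
    _scan_queue: List[str] = field(default_factory=list)          # devices to scan now

    def on_connect(self, device_id: str, now: int) -> str:
        """New device seen by the NAC: restrict it and request an immediate scan."""
        self._connected_at[device_id] = now
        self._access[device_id] = RESTRICTED
        self._scan_queue.append(device_id)
        return RESTRICTED

    def on_scan_result(self, result: ScanResult, now: int) -> str:
        """Scan data arrived: derive the access level from the findings."""
        if result.active_threat or result.max_cvss >= self.quarantine_cvss:
            level = QUARANTINE
        elif result.max_cvss >= self.limited_cvss:
            level = LIMITED
        else:
            level = FULL
        self._access[result.device_id] = level
        self._connected_at.pop(result.device_id, None)   # no longer waiting on a scan
        return level

    def access_for(self, device_id: str, now: int) -> Optional[str]:
        """Current access level. Unknown devices get None; a device whose scan
        has not returned within the timeout stays restricted (fail closed) and
        is queued for another scan instead of being admitted."""
        level = self._access.get(device_id)
        if level is None:
            return None
        started = self._connected_at.get(device_id)
        if level == RESTRICTED and started is not None and now - started > self.scan_timeout_s:
            self._scan_queue.append(device_id)
            self._connected_at[device_id] = now
        return level

    def pending_scans(self) -> List[str]:
        """Drain the queue of devices the scanner should assess now."""
        pending, self._scan_queue = self._scan_queue, []
        return pending


def demo() -> Dict[str, Optional[str]]:
    """Walk three constructed devices through the flow; returns final access levels."""
    policy = AccessPolicy(scan_timeout_s=300)
    for dev in ("phone-A", "phone-B", "laptop-C"):
        policy.on_connect(dev, now=0)
    # Constructed scan results: phone-A has a critical finding, phone-B is clean
    # enough, laptop-C's scan never comes back.
    for r in (ScanResult("phone-A", max_cvss=9.8, active_threat=False),
              ScanResult("phone-B", max_cvss=5.3, active_threat=False)):
        policy.on_scan_result(r, now=30)
    return {d: policy.access_for(d, now=400) for d in ("phone-A", "phone-B", "laptop-C")}


if __name__ == "__main__":
    for device, level in demo().items():
        print(f"{device}: {level}")
```

The point to carry over into a real deployment is the failure mode: when the scanner is slow or unreachable, the device must remain on the restricted segment, not fall through to full access, and the policy should make that re-queue visible so operators notice a scanner outage rather than a silent bypass.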

To learn more about Cisco ISE/Frontline.Cloud and how it can help you with identifying and managing mobile device security risks click here.

 


Sanjay Raja runs field marketing and strategic technical partnerships for Digital Defense, Inc, a provider of next generation SaaS vulnerability management and threat assessment solutions. Prior to Digital Defense, Sanjay was Chief Marketing Officer for Lumeta Corporation, where he led the company to a successful acquisition in two years. Sanjay brings over 20 years of marketing, product management, partnerships, and engineering experience in cybersecurity, networking, performance management and cloud technologies. Sanjay has also held leadership roles in product marketing, product management, strategic alliances and engineering at RSA Netwitness, Cisco, HP Enterprise Security, Crossbeam Systems (acquired by Bluecoat Systems), Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.E.E and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP and Certified Product Manager via Pragmatic Marketing.

The post Go Agentless – Increase flexibility and prevent compromise from mobile devices in real time with ISE and Frontline.Cloud appeared first on Cisco Blogs.

Announcing Cisco Tetration SaaS Offering Available in Europe

No one could have imagined that our fast-paced lives would change so significantly. With half of the planet on lockdown, these are unprecedented times and we need to do whatever it takes to protect what is important to us in our personal as well as business lives. This also means that as we shift ‘where’ we work from, security risks and threats are also shifting and unfortunately increasing.

18 months ago, we launched Cisco Tetration SaaS and ever since, we have only accelerated the journey to secure our customers application workloads. More than half of our customers now use SaaS for their workload security needs. The ease of deployment, no operational overhead and the ability to expand to rapidly support the growth and needs of your business, are some of the reasons why our customers prefer SaaS.  That flexibility combined with Tetration’s comprehensive visibility, automated policy discovery and enforcement, and advanced security analytics is a winning combination for your business.

Expansion in this new region will enable opportunities to drive security solutions, closer to customers.

While Cisco Tetration SaaS is available globally, our customers data resided in the United States. Data stored in region is critical for European customers with data residency requirements and regulations, such as those operating in healthcare, financial services and government.  In order to support those needs, and to meet the growing demands, we decided to expand our reach. With our expansion into Europe, customers will be able to store their data locally with the assurance that it will not move unless they choose to move it.

Here is how our customers and partners will benefit from Cisco Tetration SaaS in region:

“Securing our customers data is a top priority. We are doing our part to ensure our applications and access to it, is secure and compliant,” said Steve Erzberger, CTO Frankfurter Bankgesellschaft (Switzerland) AG. “Cisco Tetration SaaS offering available in region will enable us to secure our applications workloads and help us with our segmentation project, meeting GDPR requirements.”

“As more and more organizations embrace digital transformation, SaaS offerings are essential to meet the demands of customers,” said Alain Kistler, Chief Managed Services Officer, Netcloud. “Partnering with Cisco Tetration opens up new market opportunities to provide workload security for multi-cloud environments for the commercial markets locally.”

Organizations in Europe – enterprise, public sector, and startups – now have a SaaS-based workload security solution in their region and do not have to worry about data crossing borders. It enables organizations of all forms and sizes to take advantage of the security, scalability, ease of use and reliability of the Cisco Tetration SaaS platform, so they can innovate and iterate faster, and do so securely.

Cisco Tetration SaaS customers in Europe will now have the option to host their data in Germany, with disaster recovery and data backup in Amsterdam, Netherlands. The two POPs are in completely different fault domains and availability zones, so whether the problem is as minor as a link outage or as big as a natural calamity, our customers' workload security needs are covered 24x7.

This is uncharted territory, and despite that, the Tetration team worked round the clock to operate and expand its SaaS footprint in order to support customers who need their applications running securely. As some of our customers in healthcare, financial services, manufacturing and other industries work – day and night – to meet the new demands of today, securing their applications is one less thing they need to worry about, with Cisco Tetration.

New region in Europe is live with active customers and is ready to secure your workloads, no matter where they are.


The post Announcing Cisco Tetration SaaS Offering Available in Europe appeared first on Cisco Blogs.

Endpoint Security from Cisco Earns High Marks in Independent Malware Protection Test

We are very pleased to share the news that Cisco Advanced Malware Protection (AMP) for Endpoints earned high marks in malware protection tests, while achieving the lowest false alarms in the first AV Comparatives Business Main Test Series for 2020. This achievement demonstrates our steadfast commitment to delivering consistent security efficacy, enabling our customers to get superior protection from advanced threats.

The test series includes two types of tests, the Malware Protection Test and the Business Real-World Protection Test. Cisco consistently showed a balance of high protection rates with very low false alarm rates across both tests. Here’s how.

The Malware Protection Test

The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. We did very well, garnering a protection rate of 100% with zero false positives – performing better than Crowdstrike, Sophos, Fortinet, Kaspersky, Cybereason and FireEye, among others. This test ran in March and consisted of 1,192 recent malware samples being thrown at us during that time. A passing score required a 90% or higher detection rate.

The Real-World Protection Test

The Real-World Protection Test examines how well the security product protects the endpoint in the most realistic way, using all protection capabilities at its disposal. We came in with a 99.3% real-world protection rate. The whole idea here is to simulate what happens in the real world. In addition, products were also tested for false positive (FP) alarms on non-business applications to better determine their ability to distinguish good from bad. Cisco ranked in the lowest false positive group, achieving a “Very Low” FP rate and performing better than Crowdstrike, VMware Carbon Black, Microsoft, FireEye, Cybereason and Panda. Vendors in the “Very High” FP group had as many as 101-150 false positives.

To sum up, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. In the end, our customers benefit the most from our solution’s top-rated accuracy, reliability and consistency in protecting their endpoints from malware and other threats.

Beyond Testing: What Our Customers Are Saying

We believe it’s important to put our technology to the test, and we feel the results speak to how our solution helps our customers protect their organizations. But real-world feedback from customers who are using our endpoint security solution is critical. Let’s take a look at the following examples of what our customers are saying about how Cisco AMP for Endpoints has protected them against two of the most dangerous threats to their environment: fileless malware and ransomware.

Fileless malware operates in memory to avoid detection. Unlike traditional malware, these attacks leave no file on disk for a signature to match, making them more difficult to detect and prevent. Fileless malware targets our day-to-day applications and can infiltrate endpoints by exploiting vulnerabilities in software and operating system processes.


To defend against threats that target vulnerabilities in applications and operating system processes, Cisco AMP for Endpoints uses our exploit prevention engine to monitor the memory structure before attacks even begin. Exploit prevention is a true preventive engine that does not require policy tuning, prior knowledge, or rules to operate. When it stops an attack, it stops the application from running and logs contextual data in the AMP for Endpoints device trajectory, allowing users to see exactly where and how the malware entered a device.

Ransomware is malicious software that typically encrypts the files on a victim’s computer and, once encryption succeeds, demands payment before the ransomed data is decrypted and access is returned to the victim. Ransomware attacks are typically carried out with a malicious payload disguised as a legitimate file, often arriving as an email attachment that tricks the user into downloading or opening it.

Cisco AMP for Endpoints defends your endpoints by monitoring the system and identifying processes that exhibit malicious activity when they execute. We detect threats by observing the behavior of a process at run time. This lets us determine whether a system is under attack by a new variant of ransomware or malware that may have eluded other security products and detection technology, such as legacy signature-based malware detection, and stop it from running. As a result, we are able to quickly identify, block, and quarantine ransomware attacks on the endpoint.


Beyond fileless malware and ransomware defense, Cisco AMP for Endpoints provides multiple, powerful protection capabilities that work together to protect the endpoint from advanced threats in memory (e.g. exploit prevention), on disk (e.g. next-gen AV) and post-infection (e.g. Indicators of Compromise, or IOCs).

We also know that endpoint protection is only as good as the intelligence it acts on. That’s why we employ machine learning and multiple protection engines fueled by Cisco Talos, the largest non-governmental threat intelligence organization on the planet. We discover more vulnerabilities than other vendors and push out protection before the bad guys can exploit them, giving you an advantage. And because we’re Cisco, Talos sees more network traffic than any other vendor. Whether a threat originates on the Internet, in an email, or on someone else’s network, our cloud-based global telemetry sees a threat once, anywhere in the world, and blocks it everywhere, across AMP for Endpoints and our entire security platform.

What’s Next?

AV-Comparatives’ testing is continuing through the rest of the year and we are looking forward to their ensuing reports.

In the meantime, experience threat hunting with AMP for Endpoints for yourself at one of our Threat Hunting Workshops or sign up for a free trial of AMP for Endpoints and take it for a test run.

The post Endpoint Security from Cisco Earns High Marks in Independent Malware Protection Test appeared first on Cisco Blogs.

Experts reported the hack of several supercomputers across Europe

Organizations managing supercomputers across Europe reported their systems have been compromised to deploy cryptocurrency miners.

Crooks have compromised supercomputers across Europe to deploy cryptocurrency miners; incidents have already been reported in the UK, Germany, and Switzerland. Rumors are circulating about a similar infection of a supercomputer located in Spain.

The supercomputers have been shut down while the security breaches are investigated.

On Monday, the German bwHPC organization announced that five of its supercomputers had to be shut down due to a cryptominer infection.

Below the message published by the organization:

“Dear users, due to an IT security incident the state-wide HPC systems

  • bwUniCluster 2.0,
  • ForHLR II,
  • bwForCluster JUSTUS,
  • bwForCluster BinAC, and
  • Hawk”

Another system that was reportedly infected early last week is the ARCHER supercomputer at the University of Edinburgh.

“Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.” reads the status page for the system.

“As you may be aware, the ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally. We are continuing to work with the National Cyber Security Centre (NCSC) and Cray/HPE and further diagnostic scans are taking place on the system.”

The organization reset SSH passwords in response to the incident.

On Wednesday another supercomputer was compromised; the system was located in Barcelona, Spain, and the infection was reported by security researcher Felix von Leitner.

“More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it had disconnected a computing cluster from the internet following a security breach.” reported ZDNet.

“The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.”

Other similar incidents made the headlines: on Saturday a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany was infected with malware.

The Swiss National Supercomputing Centre (CSCS), operated by ETH Zurich, also reported a cyber incident and shut down all external access to its infrastructure in response to the security breach.

“CSCS detected malicious activity in relation to these attacks. Due to this situation, the external access to the centre has been closed until having restored a safe environment. The users were informed immediately and are kept up to date. Not affected are the weather forecasts of MeteoSwiss, which are also calculated at CSCS.” reads the security advisory.

“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum,” says CSCS Director Thomas Schulthess.

Today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure released technical details of the malware involved in these incidents.

Researchers from security firm Cado Security also released Indicators of Compromise (IoCs).

ZDNet, citing the opinion of a security researcher, speculates that threat actors have exploited the CVE-2019-15666 vulnerability to gain root access to the supercomputers then deploy a Monero (XMR) cryptocurrency miner.

Other experts speculate that the supercomputers were hacked by nation-state actors because they were involved in the research on the COVID-19 outbreak.

Pierluigi Paganini

(SecurityAffairs – supercomputers, hacking)

The post Experts reported the hack of several supercomputers across Europe appeared first on Security Affairs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

As the number of Coronavirus-themed attacks continues to increase, Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations repel these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. “

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.


Microsoft is going to publicly release some of its threat indicators; the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.
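The indicators described above are file hashes, so consuming them outside Azure Sentinel comes down to three steps: parse the feed into a lookup table (rejecting malformed entries), hash each attachment with every algorithm the feed uses, and report hits with their tags. The block below is an added illustration of that workflow and is not Microsoft's code; its CSV layout, tag names, sample attachments and the `load_indicators`/`scan_attachments` helpers are all constructed for the example, not the real Azure Sentinel or MISP schema. The hash values in the feed are the well-known digests of the byte strings `b"abc"` and `b"hello world"`, standing in for malicious attachment samples.

```python
"""Match e-mail attachments against a file-hash indicator feed.

Added example, not Microsoft's code. The feed format is a constructed
stand-in for a hash-indicator CSV, not the real Azure Sentinel/MISP layout.
"""
import csv
import hashlib
from dataclasses import dataclass

# Constructed feed (hypothetical "type,value,tags" layout). The sha256 entry is
# the digest of b"abc"; the md5 entry is the digest of b"hello world". One
# entry is deliberately malformed and one uses a type this scanner ignores.
INDICATOR_FEED = """\
# type,value,tags
sha256,BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD,covid-lure;maldoc
md5,5eb63bbbe01eeed093cb22bb8f5acdc3,covid-lure;dropper
sha1,deadbeef,malformed-entry
url,http://example.invalid/covid-update,unsupported-type
"""

# Hex digest length expected for each supported hash algorithm.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_CHARS = set("0123456789abcdef")


@dataclass(frozen=True)
class Match:
    filename: str
    algorithm: str
    digest: str
    tags: tuple


def load_indicators(feed_text):
    """Parse the feed into {(algorithm, lowercase hex digest): tags}.

    Returns (table, skipped): entries with an unsupported type or a digest
    of the wrong length/character set go to `skipped` instead of the table,
    so a sloppy feed cannot silently become an empty or wrong lookup.
    """
    table = {}
    skipped = []
    rows = [line for line in feed_text.splitlines()
            if line.strip() and not line.startswith("#")]
    for row in csv.reader(rows):
        if len(row) < 2:
            skipped.append(row)
            continue
        algo = row[0].strip().lower()
        value = row[1].strip().lower()          # normalise case before lookup
        tags = tuple(t for t in row[2].split(";") if t) if len(row) > 2 else ()
        expected = HEX_LENGTHS.get(algo)
        if expected is None or len(value) != expected or not set(value) <= HEX_CHARS:
            skipped.append(row)
            continue
        table[(algo, value)] = tags
    return table, skipped


def hash_attachment(data):
    """Return {algorithm: hex digest} for every algorithm the feed may use."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LENGTHS}


def scan_attachments(attachments, table):
    """Return a Match for every (attachment, algorithm) pair found in the table."""
    matches = []
    for name, data in attachments.items():
        for algo, digest in hash_attachment(data).items():
            tags = table.get((algo, digest))
            if tags is not None:
                matches.append(Match(name, algo, digest, tags))
    return matches


# Constructed attachments: two "hits" and one benign file.
SAMPLE_ATTACHMENTS = {
    "COVID-19_update.doc": b"abc",
    "relief_payment.xls": b"hello world",
    "quarterly_report.pdf": b"benign content",
}


def run_demo():
    """Load the constructed feed and scan the constructed attachments."""
    table, skipped = load_indicators(INDICATOR_FEED)
    return scan_attachments(SAMPLE_ATTACHMENTS, table), skipped


if __name__ == "__main__":
    found, rejected = run_demo()
    for m in found:
        print(f"HIT {m.filename}: {m.algorithm}={m.digest} tags={','.join(m.tags)}")
    for row in rejected:
        print(f"SKIPPED feed entry: {row}")
```

Hashing every attachment with all three algorithms costs little and means a feed that mixes MD5, SHA-1 and SHA-256 entries is handled uniformly; in a real pipeline the `SAMPLE_ATTACHMENTS` dictionary would be replaced by the decoded MIME parts of incoming mail, and the feed text by whatever the Sentinel GitHub repo, the Graph Security API or a MISP export returns.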

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

Tetration and AWS = Win-Win for Cloud and Workload Protection

There are many benefits to using a cloud provider like Amazon Web Services (AWS). Better capacity planning with the flexibility to scale up or down to adjust to your business needs, the ability to rapidly deploy applications globally to better serve your customers, and a pay-as-you-go, consumption model, where you pay for only the computing resources you consume.

When deploying applications in the public cloud, it is important to understand the Shared Responsibility Model. In short, it places responsibility for security in the hands of both the cloud provider and the customer. The cloud provider is responsible for the security of the cloud and the infrastructure that runs the cloud-based services, and the customer is responsible for securing their applications, workloads, and data hosted in the cloud.

However, as more organizations move their applications and workloads to the cloud, the complexity of their environment increases.  They can lose visibility into their cloud-based workloads, and those blind spots can be fatal.  No matter how secure a cloud provider is, inconsistent protection and lack of comprehensive visibility and control can leave organizations vulnerable.  Gartner estimates through 2025, 99% of cloud security failures will be the customer’s fault.*

As organizations embrace the cloud model, they’re investing in infrastructure that’s more dynamic and distributed, and as a result, security must become more dynamic as well. Fundamentally, to be protected, organizations must have visibility and control over their environments. With on-premises data centers, it was challenging enough to protect critical applications, workloads, and data from attack, breach, and theft. Hybrid and public cloud environments make securing your entire environment much more challenging.

What can you do to address this complexity? Focus on protecting the workload with a product designed for that use case – Cisco Tetration.

Cisco Tetration addresses the cloud workload protection challenge in a comprehensive and scalable way. Tetration enables holistic workload protection for multi-cloud data centers through:

  • Scalable, consistent policy implementation for thousands of applications, spanning tens of thousands of workloads
  • Microsegmentation which allows the implementation of a zero trust whitelisting model
  • Detection of CVEs (Common Vulnerabilities and Exposures) based on the installed software packages; proactive quarantine of servers when vulnerabilities are detected
  • Ability to capture a million events per second and make policy decisions based on the behavior analysis of billions of flows, processes, and workload characteristics, allowing for real-time policy enforcement

Seems too good to be true – Well it is true.  Look at these free, technical resources to help you be successful.

Request a demo:  Want to see Tetration in action live?  Sign up here and we’ll come to you virtually. You’ll get all your questions answered in a customized session based on your needs.

Cisco Tetration Design & Implementation video playlist:  Learn how to use Tetration for workload security by watching this in-depth series.  It helps you understand the breadth and depth of Tetration’s cloud workload protection, microsegmentation, and visibility features.

Cisco Secure Cloud for AWS Design Guide: This lab-tested and validated design guide focuses on best practices for deploying Tetration in AWS. It covers how to:

  • Leverage the Tetration security dashboard for visibility into critical information like vulnerability score, process health score, attack surface score, forensics score, network anomaly score, and segmentation compliance score.
  • Leverage Amazon EC2 tools to auto-provision Tetration sensors, which provide visibility, segmentation, behavior deviation, and software vulnerability data.
  • Use Application Dependency Mapping to automatically discover policies based on flow and other data received from workloads, then refine the discovered workload clusters and update the inventory filters to define the policies to be enforced on your cloud workloads.

 


*Smarter With Gartner, Is the Cloud Secure? October 10, 2019

 

The post Tetration and AWS = Win-Win for Cloud and Workload Protection appeared first on Cisco Blogs.

This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how researchers at Trend Micro used an app store to demonstrate hacks on a manufacturing facility. Also, learn about this month’s patch activity from Microsoft.

Read on:

How Two Researchers Used an App Store to Demonstrate Hacks on a Factory

When malicious code spread through the networks of Rheinmetall Automotive, it disrupted plants on two continents, temporarily costing up to $4 million each week. While awareness of these types of threats has grown, there’s still a risk that too many organizations view such attacks as isolated incidents, rather than the work of a determined attacker. Federico Maggi, a senior researcher at Trend Micro, set out to dispel that mindset.

#LetsTalkSecurity: Hacker Adventures  

This week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the second episode of #LetsTalkSecurity, featuring Jayson E. Street, Vice President at SphereNY. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday

For the third consecutive month Microsoft issued a hefty list of Patch Tuesday security updates covering 111 CVEs with 16 making the critical list. This is the third month Microsoft has had more than 100 vulnerabilities listed in its monthly security rollup, but unlike the last few months, May’s list does not contain any vulnerabilities currently being exploited in the wild.

Principles of a Cloud Migration – Security W5H – The WHERE

Where do we add security in the cloud? Start by removing the thinking that security controls are tied to specific implementations. You don’t need an intrusion prevention wall that’s a hardware appliance much like you don’t need an agent installed to do anti-malware. This blog puts the focus on your configuration, permissions, and other best practices.

Securing Smart Manufacturing

Trend Micro recently published a report that surveys the Industry 4.0 attack surface, finding that within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. In the current report on rogue robots, Trend Micro collaborated with the Politecnico di Milano to analyze the range of specific attacks today’s robots face, and the potential consequences those attacks may have.

Package Delivery Giant Pitney Bowes Confirms Second Ransomware Attack in 7 Months

Package and mail delivery giant Pitney Bowes suffered its second ransomware attack in seven months. The incident came to light after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company’s network. The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company’s computer network.

Tropic Trooper’s Back: USBferry Attack Targets Air-Gapped Environments

Trend Micro recently found that Tropic Trooper’s latest activities center around targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack. Trend Micro also observed targets among military/navy agencies, government institutions, military hospitals, and a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.

Texas Courts Won’t Pay Up in Ransomware Attack

A ransomware attack has hit the IT office that supports Texas appellate courts and judicial agencies, leading to their websites and computer servers being shut down. The office said that it will not pay the ransom requested by the cybercriminals. Specifically affected is the Office of Court Administration, which is the IT provider for the appellate courts and state judicial agencies within the Texas Judicial Branch.

New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability

Trend Micro found an application sample in April called TinkaOTP that seemed like a normal one-time password authentication tool. However, further investigation showed the application bearing a striking resemblance to Dacls remote access trojan (RAT), a Windows and Linux backdoor that 360 Netlab discovered in December 2019.

Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability

Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting (DOM XSS) vulnerability that could have been exploited to hijack accounts. The researcher says he found the flaw in Facebook code that handled messages received through the window.postMessage() method, which is meant to safely enable cross-origin communication between Window objects; the weakness is in how the receiving page trusts and uses such messages, not in the browser API itself.

Cloud Security: Key Concepts, Threats, and Solutions

Enterprises may be migrating requirements to the cloud, starting fully in the cloud (going “cloud native”), or mastering their cloud-based security strategy. Regardless of what stage of the cloud journey a company is in, cloud administrators should be able to conduct security operations like performing vulnerability management, identifying important network events, carrying out incident response, and gathering and acting on threat intelligence — all while keeping many moving parts in compliance with relevant industry standards.

From Bugs to Zoombombing: How to Stay Safe in Online Meetings

Forced to now work, study, and socialize at home, the online digital world has become essential to our communications — and video conferencing apps have become our “face-to-face” window on the world. The problem is that as users flock to these services, the bad guys are also waiting to disrupt or eavesdrop on chats, spread malware, and steal data. In this blog, Trend Micro explores some of the key threats out there and how users can stay safe while video conferencing.

Surprised by Texas courts’ decision not to pay the ransom in its latest ransomware attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday appeared first on .

Palo Alto Networks addresses tens of serious issues in PAN-OS

Palo Alto Networks addressed tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

Palo Alto Networks has issued security updates to address tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

One of the most severe vulnerabilities, tracked as CVE-2020-2018, is an authentication bypass vulnerability in the Panorama context switching feature. The flaw could be exploited by an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls.

“An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls. An attacker requires some knowledge of managed firewalls to exploit this issue.” reads the advisory published by the vendor.

This vulnerability does not impact Panorama configured with custom certificates authentication for communication between Panorama and managed devices.

The issue received a CVSSv3.1 Base Score of 9, it affects PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.12, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0.

Palo Alto Networks also addressed an XML external entity reference (‘XXE’) vulnerability, tracked as CVE-2020-2012, that could lead to information leak.

The flaw could be exploited by unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.

The vendor also fixed a high-severity vulnerability, tracked as CVE-2020-2011, that could be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition to all Panorama services by sending specially crafted registration requests.

Other high-severity issues affect the older Nginx version bundled with PAN-OS software; some of them could be exploited without authentication.

Palo Alto Networks also addressed a serious cross-site scripting (XSS) vulnerability in the GlobalProtect Clientless VPN that can be exploited to compromise a user’s session by tricking the victim into visiting a malicious website.

The full list of vulnerabilities addressed by Palo Alto Networks is available in the vendor’s security advisories.

Pierluigi Paganini

(SecurityAffairs – PaloAlto Networks, hacking)

The post Palo Alto Networks addresses tens of serious issues in PAN-OS appeared first on Security Affairs.

Cisco Threat Response takes the leap with SecureX

Reimagine the grocery delivery experience

Even in typical times, grocery and household shopping is time consuming, especially if you need to visit multiple stores – a main supermarket for your basics, a specialty store to accommodate diet restrictions, and another for bulk items. In a fast-paced world – with time spent working, family caregiving, and other responsibilities – grocery shopping is a tedious but necessary chore…or is it? The evolution of acquiring groceries and household goods has been one to watch as grocery delivery services, such as Instacart and Shipt, become increasingly relevant. These companies have each built a platform with a network of grocery providers to solve the problem – a simple and efficient way for customers to purchase groceries without having to leave their homes.

Now let’s take grocery shopping to the next level. What if you didn’t even need to proactively browse items and put them in your Instacart grocery order. Imagine if your “smart” refrigerator had sensors to detect inventory levels, and connected to Instacart, your recipes, and meal planning apps. Groceries could be ordered automatically or on-demand based on the menu you’ve planned and what you actually need. One platform with all of your apps integrated and automated to simplify not only your grocery shopping experience but your entire cooking experience. This and many other platform experiences have been developing over the last several years to bring two (or more) sides of a connection together with more efficiency and use cases.

What does grocery shopping have in common with cybersecurity?

The cybersecurity industry is ripe for this type of innovation. We all know that the industry has historically been quite fragmented – at last count, an estimated 3000+ vendors are in this space and customers use, on average, 75 security tools[1]. What does that mean for your security teams? Multiple tools share limited context between them with incomplete, labor-intensive workflows. Going back to the grocery experience, this is akin to visiting seven different stores in one day to tackle a shopping list for each store, and hoping you don’t miss an item. Also consider high lifecycle costs associated with maintaining interoperability, which is often limited. When you need to take into account an ever-evolving threat landscape and attack surface, this trend is not sustainable.

A platform journey two years in the making

Nearly two years ago, Cisco Threat Response debuted to combat this problem for Security Operations teams. As a valuable add-on application to several Cisco Security products — at no additional cost – Threat Response accelerated investigations and remediation by aggregating and correlating intelligence and data across your security products, both Cisco and third party. Threat Response has helped nearly 9,000 customers simplify their security operations. As Don Bryant, CISO for The University of North Carolina at Pembroke, says, “Having a holistic security platform has helped us simplify and accelerate our security operations. All of our tools seamlessly integrated through Threat Response gives us one view into our layered protection and valuable time back.”

Figure 1: Cisco Threat Response application for threat investigation and remediation

As background, Threat Response provides a visual, real-time answer to whether, and how, threats have impacted your environment, so you can take first-strike response actions in the same interface. Security operations teams use Threat Response to:

  • Aggregate global threat intelligence: Search, consume, and operationalize threat intelligence, both public and private sources, with one application.
  • Accelerate threat hunting and investigations: Visualize threats and incidents across multiple technologies in one view, then take response actions without leaving the console.
  • Simplify incident management: Coordinate security incident handling across technologies and teams by centralizing and correlating alerts and triaging those that are high priority.

Now we’re continuing our mission of simplifying security and building on Threat Response core capabilities with SecureX, a built-in platform experience included with Cisco Security products. SecureX will make life even easier for Security Operations, and will also benefit Network Operations and IT Operations. Let’s talk about this evolution.

Is SecureX just a cool new name for Threat Response?

Since we announced SecureX at RSA Conference in February, you might be wondering, what’s the difference between Threat Response and SecureX? Are they one and the same – and SecureX is just a sleek rebranding?

The short answer is no. If Threat Response is like the Instacart of today, SecureX is the reimagined seamless grocery shopping experience we’ve envisioned above. Whether it’s the grocery or cybersecurity industry, the goal is always simplification. SecureX builds upon Threat Response’s core concepts of integrating your security products – both Cisco and third-party tools – to simplify security operations. Leveraging the success of Threat Response with Security Operations teams, SecureX takes this foundation to the next level to drive collaboration between SecOps, NetOps, and ITOps. SecureX simplifies security through:

  • Unifying visibility across your entire security environment.
  • Enabling automation in workflows to maximize your operational efficiency by eliminating repetitive tasks and human error.
  • Adding more out-of-box interoperability to unlock new potential from your Cisco Security investments and cascade them across your existing security infrastructure.

Figure 2: SecureX connects your entire security infrastructure

Enhanced Threat Response capabilities, now part of SecureX

Now as a key component of SecureX, Threat Response is enhanced to unlock even more value from your investments. Here’s how:

  • You already know that Threat Response aggregates and correlates security context from multiple technologies into a single view, but now as SecureX threat response, users will have a customizable dashboard with ROI metrics and operational measures. And when you leave the dashboard, SecureX follows you to maintain contextual awareness and improve collaboration wherever you are in your Cisco Security infrastructure.
  • Users will now be able to cut down investigation time even further by automating threat hunting and investigation workflows. With the orchestration feature in SecureX, users can set up event-based triggers to periodically hunt for indicators of compromise, create or add to a casebook, and post a summary in a chat room for collaboration.
  • Threat Response has been rapidly growing its partner ecosystem, and SecureX not only expands that ecosystem immediately upon commercial availability but extends past it to include your core infrastructure. Together, our out-of-box interoperability with built-in and pre-packaged integrations from Cisco or select technology partners reduces the time spent integrating multiple technologies, or worse, working across multiple consoles. We’ll continue to support custom integrations via APIs, so any of the features of SecureX will work with your existing investments.

Similar to the reimagined grocery experience, SecureX brings greater efficiency and simplification in the midst of major market forces. The enhanced visibility, automation, and integrated platform capabilities of SecureX threat response further reduce mean dwell time and MTTR for SecOps by accelerating investigations. Without having to swivel between multiple consoles or do the heavy lifting of integrating disjointed technologies, you can speed time to value and reduce TCO. SecureX will enable better collaboration across SecOps, NetOps, and ITOps – and ultimately simplify your threat response.

To get warmed up for SecureX access next month, activate Cisco Threat Response today!

[1] Momentum Cyber Cybersecurity Almanac 2019

The post Cisco Threat Response takes the leap with SecureX appeared first on Cisco Blogs.

Firewalling and VPN in the Remote Work Era

A cloud firewall vendor recently argued that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is “sounding the alarm around VPN security.” That scary-sounding statement is incorrect. It may get clicks, but it doesn’t benefit security practitioners protecting data and remote workers.

The U.S. Government is not sounding an alarm about VPNs. Rather, it is acknowledging the importance of security best practices in work-from-home operations. CISA’s recent VPN guidance recommends good security hygiene, such as security patching and multi-factor authentication to establish user identity before VPN access is granted. While those recommendations bear repeating, they are not new.

Even prior to the Covid-19 pandemic, global VPN use was rising. Cisco AnyConnect VPN is the world’s most widely used enterprise remote access VPN. AnyConnect supports smartphones, laptops, kiosks, and more. It is proven in both small offices and enterprises with over 100,000 users.

For years, Cisco has provided organizations with innovative solutions for secure connectivity. Only Cisco couples:

  • VPN scalability
  • Firewall reliability
  • Cisco Duo’s multifactor authentication
  • Cisco Umbrella’s DNS-based security that protects users, even when they’re off the VPN.

Additionally, many Cisco AnyConnect customers use its split-tunneling features. By policy, traffic can be directed on or off the VPN per application, or through Cisco’s patented, DNS-based Dynamic Split Tunneling (DST). DST can exclude low-risk browser traffic (like videoconferencing) from the VPN tunnel, maximizing VPN efficiency and network performance while lowering costs. Another AnyConnect differentiator is that it can natively assess endpoint posture (e.g., validating that endpoint security software is up to date) before granting VPN access.

Additionally, Cisco has invested heavily in software-defined networking, SD-WAN, and security tools enabling zero-trust frameworks. Cisco is a bridge for organizations evolving their security posture to a zero-trust model. In fact, last year we were named a leader in the Forrester Wave Report for zero-trust.

Seeing a pattern? Cisco security has a depth of capabilities to meet diverse needs. Nowhere is that more evident in Cisco’s security portfolio than in firewalling. Years ago, firewall only meant appliance. Today what’s most important is firewalling — intelligent control points everywhere — whether cloud-delivered Secure Access Service Edge (SASE), physical, virtual, or even workload-centric.

Cisco calls this flexible and comprehensive firewalling vision the future of firewall. Our approach protects multiple environments: traditional, micro-segmented, cloud, and de-perimeterized networks — as well as SaaS-delivered applications and microservices. Firewalling where you need it, unified with consistent policies, visibility, and threat correlation between endpoint and network security tools.

Firewalling is also foundational to Cisco’s recently-announced open platform approach to security. Our platform tools, like Cisco SecureX, integrate with our security products. They are not extra costs. SecureX reduces security complexity and shrinks administration time. For instance, based on load, SecureX can automate virtual firewall provisioning to grow remote access VPN capacity on demand. Additionally, our open platform unifies Cisco security tools and extends integration with third-party capabilities. The result is rapid identification, fencing, and remediation of incidents.

Returning to U.S. Government cyber news, the Trusted Internet Connections (TIC) 3.0 initiative’s Interim Telework Guidance grants government agencies greater flexibility for using SASE, Cloud Access Security Broker (CASB), and SD-WAN technologies. The acceptance of these new capabilities recognizes the rapid growth of roaming users, remote locations, and SaaS applications. It also acknowledges that backhauling all traffic via VPN to a head office is not always relevant, or practical.

It’s fun to read controversial statements about security. But it’s better to thoughtfully manage risk on your terms. For resources regarding security and connectivity using Cisco’s platform approach, please see these references:

Verify and secure your users:

Our firewalling and VPN solutions:

Platform tools included with all our security solutions:

Cisco SD-WAN:

The post Firewalling and VPN in the Remote Work Era appeared first on Cisco Blogs.

“The security industry doesn’t have to be this way”. Talking people powered security with Masha Sedova

Masha Sedova, cofounder of Elevate Security

This week’s episode of the Security Stories podcast was one of my favorites to record, for a few reasons.

Our interview is with a remarkable lady called Masha Sedova, who co-founded Elevate Security. Elevate uses data and analytics to invoke cultural and behavioural change in a company’s approach towards cybersecurity. I met Masha at RSA when she had just been announced as finalist for the 2020 Innovation Sandbox award, which tells you something about how unique and interesting her solution is.

Before Elevate, Masha was a Security Executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. And it’s there where she had the idea for Elevate.

I have always loved that within the security industry, you really can make a difference. Masha saw something that could change, and had the courage to go out and set something up herself, rather than wait for someone else to do it. “The industry doesn’t have to be this way” is the mantra she had when she decided to go for it.

There are many reasons why this was one of my favorite interviews. For anyone tempted to listen, I would say – come for the unique insights into human behavior and why we make the security choices that we do sometimes. And then stay for the discussion on setting up a business, as a woman, in the security industry.

During the interview, Masha recalls a specific and very personal example of gender discriminatory behavior she came up against whilst she was trying to raise investment three years ago. This led to Masha creating a hiring policy in her organization which focusses on hiring more women, and embracing diversity as a rule.

It really struck a chord with me. Because this type of gender discrimination isn’t uncommon for women in the technology sector (dare I say most sectors). I myself can still recall, very vividly, when it’s happened to me. I know it’s happened to friends of mine. It does stay with you, and it has lasting impact.

So I wanted to share this important message to say that it doesn’t have to be this way, and Masha is an example of the kind of leadership that’s required to ensure it doesn’t have to happen to anyone else. Thanks also to Masha’s co-founder Robert Fly, who had her back in that investor meeting.

I have a few friends with daughters who are growing up, and I hope that soon, the world is open to whatever they want to do with their lives and careers.

Also in this episode, Ben talks about the resurgence of digital extortion scams, what they tend to include, and what to do about them.

And finally we have our ‘On this Day’ feature. For this, we go back into the cybersecurity archives and pick out significant events that happened around this time, however many years ago. We’ve gone back to the 70s to talk about the first ever network attack, and we visited the 90s in the last episode to talk about the launch of Snort as open source, but for this episode we’re only going to go back 3 years, because, well, we couldn’t not.

Because on May 12th 2017, something called WannaCry began to wreak havoc within computer systems across the world. We revisit the timeline of the attack, how it all unfolded, and the significance that WannaCry still has today.

You can listen to Security Stories on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

The post “The security industry doesn’t have to be this way”. Talking people powered security with Masha Sedova appeared first on Cisco Blogs.

Getting more value from your endpoint security tool #2: Querying Tips for security and IT operations

As far back as I can remember, I have had a fascination with power tools. My father was an auto mechanic and he had a toolbox filled with both hand tools and power tools. As a youngster, I watched him wield them with confidence, knowing exactly which tool to use for the task at hand. I recall thinking “real, professional mechanics use compressed air powered tools”. As I mentioned in my last blog, he always took the time to teach me how to handle them and I realized that power tools offered efficiencies and saved tremendous amounts of manual labor. The adage holds about “working smarter, not harder”. Using a power tool, “Pops” was able to complete tasks quickly and without breaking a sweat.

The same holds true with cybersecurity tools today. With so many tools in our toolboxes and so many threats to combat, we need to drive for efficiencies – reducing the manual labor required to accomplish the goal of securing environments.

Orbital Advanced Search, a feature of Cisco’s AMP for Endpoints Advantage, is our power tool for threat hunting. It enables you to search your endpoints for malicious artifacts such as suspicious registry and system file changes. Orbital has an entire section of its Catalog, mapped to the MITRE ATT&CK™ framework and dedicated to threat hunting, with descriptions of live and on-demand, easy-to-run queries to get you the information you need, fast.

Whether you plug your tools into air compressors or electrical outlets to be efficient, let the machine do the work, and be safe.

Let’s start with one threat hunting Catalog query that you can run daily.

YOU WANT TO: Check to see if any Windows logs have been cleared by a suspect user account.

Orbital Catalog Query to run: Windows Events Monitoring – retrieves data from Windows Event Logs including such things as time event received, time event occurred on the host, source of the event: application, security, system, setup, and many more.

WHY IS THIS IMPORTANT: Windows Event Logs can provide great insight into actions taken on a host as part of a breach. Finding those items can be challenging, unless you know what to look for. The Windows Event Monitoring search in Orbital Advanced Search is preconfigured to pull back events specific to Threat Hunting and can be customized with additional Event IDs to push your hunt even further. Queries such as these can power organizations to a more productive, more efficient way of working.

STEPS:

  1. Select the endpoints you wish to query
  2. Search the Catalog for “Windows Event Monitoring”
  3. Click the “+” to copy into your SQL query window
  4. Close the Query Catalog Window
  5. Click the Query button

QUERY RESULT: Each event should have an Account Name and a Domain Name field to identify who took the action logged. If the log is cleared by a suspect user account, you may have a problem and need to continue investigations.

FREQUENCY TO RUN: Daily for specific groups of systems
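As an added example (not Cisco’s Orbital code and not the Catalog query itself), the following Python script performs the same triage offline on constructed osquery-style `windows_events` rows: it keeps only the events that record an event log being cleared (Security 1102, System 104), pulls out the account and domain that did it, and marks whether that account is one you expect to clear logs. The row layout, the JSON shape of the `data` column and the allow-list are assumptions for this illustration; a row whose payload cannot be parsed is still reported, with the actor marked unknown, rather than dropped.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable

# Windows event IDs that record an event log being cleared:
# 1102 in the Security log ("The audit log was cleared"),
# 104 in the System log ("The System log file was cleared").
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Accounts expected to clear logs during routine maintenance.
# Constructed allow-list for this example; tune it to your environment.
EXPECTED_ACCOUNTS = {("CORP", "svc-logrotate")}


@dataclass(frozen=True)
class LogClearedFinding:
    datetime: str
    source: str
    eventid: int
    domain: str
    account: str
    expected: bool  # True when the actor is on the allow-list


def _actor(data: dict) -> tuple[str, str]:
    """Return (domain, account) of the account that cleared the log.
    Assumed payload shapes: event 1102 carries the actor under
    LogFileCleared, event 104 under a generic EventData node."""
    body = data.get("LogFileCleared") or data.get("EventData") or {}
    return body.get("SubjectDomainName", "?"), body.get("SubjectUserName", "?")


def find_log_clears(rows: Iterable[dict]) -> list[LogClearedFinding]:
    """Filter event rows down to log-cleared events with their actor."""
    findings: list[LogClearedFinding] = []
    for row in rows:
        # osquery returns eventid as a string; normalise before matching.
        key = (row.get("source"), int(row.get("eventid", -1)))
        if key not in LOG_CLEARED_EVENTS:
            continue
        raw = row.get("data", "{}")
        try:
            data = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            data = {}  # unparsable payload: still report, actor unknown
        domain, account = _actor(data)
        findings.append(LogClearedFinding(
            datetime=row.get("datetime", "?"),
            source=key[0],
            eventid=key[1],
            domain=domain,
            account=account,
            expected=(domain, account) in EXPECTED_ACCOUNTS,
        ))
    return findings


def suspicious(rows: Iterable[dict]) -> list[LogClearedFinding]:
    """Log-cleared events whose actor is not on the allow-list."""
    return [f for f in find_log_clears(rows) if not f.expected]


# Constructed sample rows shaped like osquery windows_events output.
SAMPLE_ROWS = [
    # ordinary logon: not a log-cleared event, must be ignored
    {"datetime": "2020-05-12T03:14:07Z", "source": "Security", "eventid": "4624",
     "data": json.dumps({"EventData": {"TargetUserName": "jdoe",
                                       "TargetDomainName": "CORP"}})},
    # Security log cleared by a local account nobody expects to do that
    {"datetime": "2020-05-12T03:15:22Z", "source": "Security", "eventid": "1102",
     "data": json.dumps({"LogFileCleared": {"SubjectUserName": "tmp-admin",
                                            "SubjectDomainName": "WIN-HOST1"}})},
    # System log cleared by the maintenance account on the allow-list
    {"datetime": "2020-05-12T04:00:00Z", "source": "System", "eventid": "104",
     "data": json.dumps({"EventData": {"SubjectUserName": "svc-logrotate",
                                       "SubjectDomainName": "CORP"}})},
    # System log cleared, but the payload is damaged: report with unknown actor
    {"datetime": "2020-05-12T04:01:10Z", "source": "System", "eventid": "104",
     "data": "not json"},
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_ROWS):
        print(f"{f.datetime} {f.source} {f.eventid} cleared by {f.domain}\\{f.account}")
```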

That’s it! It’s easy to get started on your first threat hunt using Cisco’s Orbital Advanced Search. Orbital Advanced Search’s Catalog has dozens of pre-built threat hunting queries to streamline your endpoint threat hunting operations, from checking if malware has disabled the task manager to providing a list of listening ports on a host.

If you don’t already have Cisco AMP for Endpoints and are interested in trying Orbital Advanced Search, sign up for our virtual Threat Hunting Workshop, or request a free trial.

Stay tuned, our next blog discusses Incident Investigation and how you can use Orbital Advanced Search to establish a timeline, determine installed programs on a host, if and what types of failed logins occurred, and, lastly, how to assess the damage.

The post Getting more value from your endpoint security tool #2: Querying Tips for security and IT operations appeared first on Cisco Blogs.

Balsillie, Trecroce, Padelford added to Digital Transformation Week lineup

Three more heavy hitters in the tech industry with extensive experience in digital transformation have joined the lineup for ITWC’s  Digital Transformation Week Conference in mid-July. Jim Balsillie, a former Chairman and co-CEO of Research In Motion (BlackBerry), will offer a keynote address on July 16, the closing day of the four-day virtual conference.  Loren…

The KonMari Method: Sparking Joy with a Tidy Security Closet

Japanese decluttering expert Marie Kondo has taken the world by storm with her book, “The Life-Changing Magic of Tidying Up”. The KonMari Method is a decluttering and organizing system that promises improvements in every aspect of your life. Marie Kondo meticulously goes through every item one by one to understand which items really “spark joy.” If something doesn’t spark joy, she recommends thanking it and letting it go.

It seems this underlying philosophy could be relevant to security. Think about this for a minute. Security organizations are grappling with anywhere from five to 50+ different security vendors. It is getting increasingly difficult to empower security teams to make decisions based on complete and actionable insights.

Imagine if we could “tidy up” security using the KonMari method.

Complexity is the worst enemy of security

Security expert Bruce Schneier summed it up best when he said, “Complexity is the worst enemy of security.”  Your teams are constantly undertaking ambitious projects to take the next exponential leap. And they have continued to onboard products from best-of-breed vendors to meet their evolving security needs. We have fallen into the trap of bolting on more and more security technologies. Over 30% of survey respondents in ESG’s 2020 Integrated Platform Report stated that their organization uses more than 50 different security products, while 60% said they use more than 25. This constant onboarding of new technology has led to a massive proliferation of siloed data sets and a lack of accountability from vendors. It is becoming increasingly difficult to enable a unified front-end experience for your team to collaborate effectively, which causes gaps in your security ecosystem. We’ve increased the level of complexity to the point where your teams are spending the majority of their time finding the needle in the haystack while the legitimate threats are left unattended. The siloed technologies fail to connect the dots and improve the fidelity of your alerts.

How does one deal with the increasing noise and the cacophony of alerts?

We need a new security paradigm; one that simplifies the way you secure your business so you can confidently pursue key initiatives such as digital transformation. The bottom line is that the simpler we can make our security platforms, the more secure you will be.

According to Marisa Chancellor, senior director of the Security & Trust Organization at Cisco, “If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together.”

Isn’t it time to rewrite the rules?

At Cisco, we are doing that with SecureX, an integrated platform approach that changes the way you experience your security environment. We believe that security solutions should learn from one another and respond as a coordinated unit. And that security should be built in rather than bolted on, making it simpler and more effective.

Taming the chaos

Coming back to the KonMari Method, your first step is to imagine your ideal security ecosystem. If you’re serious about tidying in a way that will change your team’s productivity, this step is critical. Visualize how your team members will collaborate with one another. Imagine how you could automate manual tasks. What will a day look like for your incident response teams? What role will analytics play in driving your decisions? These are the sorts of questions to consider before you tackle your cybersecurity tidying. Then, follow the guiding philosophy and evaluate your security choices to support your broader vision. Check out these practical recommendations from ESG analyst, Jon Oltsik, featured in the Cisco ESG Research Insights paper for CISOs:


  1. Commit yourself to tidying up: Assess current challenges across people, process, and technology. Leading platforms should go beyond technology alone, helping organizations increase staff productivity while streamlining operations. CISOs should look for current bottlenecks impacting areas like employee training, MTTD/MTTR, and process automation. This assessment should help produce a list of platform requirements beyond technology integration alone.
  2. Identify the players: Include IT and network operations in RFIs and product evaluations. Remember that security is a collective activity, dependent upon strong communications and collaboration between security and IT/network operations teams. Smart CISOs will work with IT peers to uncover current challenges and then seek solutions in RFIs, product evaluations, and testing/piloting that can be used effectively by both groups.
  3. Plan for the long term: Cybersecurity technology platforms will likely grow organically, integrating more product categories and capabilities over time. Therefore, platform research should go beyond what’s available today. CISOs should press vendors for a 24 to 36-month roadmap. Leading vendors should have comprehensive plans but also be willing to work with customers as new requirements arise. On the enterprise side, CISOs should create metrics so they can assess progress and create programs for continual improvement as they deploy cybersecurity technology platforms more broadly through phases.
  4. Ask your peers if it sparks joy: Reach out to the community. Note to CISOs: You are not alone—just about every other enterprise organization is going through a similar transition. CISOs should seek out guidance from other industry organizations of a similar size. In this way, organizations may be able to work together to press vendors on some industry-specific nuances that can be added to cybersecurity technology platforms over time.

Author: Jon Oltsik


Sparking joy with Cisco SecureX

Many of the aspects discussed above – such as automation, integration, collaboration, and a platform approach to security – are addressed by Cisco SecureX. Just as Marie Kondo advises individuals to evaluate every item and ask whether it sparks joy, organizations should reconsider their technology choices and ask whether they support an integrated, platform approach to security that will simplify and strengthen defenses. A security platform like Cisco SecureX ties together various technologies (including those from third parties) to unify visibility, enable automation, and strengthen security across network, endpoint, cloud, and applications. With Cisco SecureX, you can:

  • Reduce complexity and maximize portfolio benefits by adopting an integrated platform.
  • Create a foundation that allows you to meet the security needs of today and tomorrow.
  • Reveal the true potential of your tools and people by redefining your security experience through collaboration.

Let the tidying up conversations begin in your organization, and may your security stack soon resemble Marie Kondo’s perfectly organized linen closet. Consider products that fit into a platform that harmonizes your security architecture and brings you unparalleled joy. If that is not the case, thank the piece of technology for everything it’s given you, and politely say goodbye.


Learn more about Cisco SecureX and read the detailed ESG Research Insights Paper to find out why organizations should consider a more integrated cybersecurity approach.


The post The KonMari Method: Sparking Joy with a Tidy Security Closet appeared first on Cisco Blogs.

Zoom acquires Keybase to add end-to-end encryption to videoconferencing – Verdict

Videoconferencing giant Zoom announced on May 7 that it is acquiring secure messaging and file-sharing service Keybase for an undisclosed amount. As the COVID-19 pandemic forced millions of people to work from home and the daily meeting participants on Zoom surged over the last few…

Threat Spotlight: Astaroth – Maze of Obfuscation and Evasion Reveals Dark Stealer

By Nick Biasini, Edmund Brumaghin and Nick Lister.

Executive summary

The threat landscape is littered with various malware families being delivered in a constant wave to enterprises and individuals alike. The majority of these threats have one thing in common: money. Many of these threats generate revenue for financially motivated adversaries by granting access to data stored on end systems that can be monetized in various ways. To maximize profits, some malware authors and/or malware distributors go to extreme lengths to evade detection, specifically to avoid automated analysis environments and malware analysts that may be debugging them. The Astaroth campaigns we are detailing today are a textbook example of these sorts of evasion techniques in practice.

The threat actors behind these campaigns were so concerned with evasion that they didn’t include just one or two anti-analysis checks, but dozens of checks, including those rarely seen in most commodity malware. This type of campaign highlights the level of sophistication that some financially motivated actors have achieved in the past few years. This campaign exclusively targeted Brazil, and featured lures tailored specifically to Brazilian citizens, including COVID-19 and Cadastro de Pessoas Físicas status. Beyond that, the dropper used sophisticated techniques and many layers of obfuscation and evasion before even delivering the final malicious payload. There’s another series of checks once the payload is delivered to ensure, with reasonable certainty, that the payload was only executed on systems located in Brazil and not on a researcher’s system or some other piece of security technology, most notably sandboxes. Beyond that, this malware uses novel techniques for command and control updates via YouTube, and a plethora of other techniques and methods, both new and old.

This blog will provide our deep analysis of the Astaroth malware family and detail a series of campaigns we’ve observed over the past nine to 12 months. This will include a detailed walkthrough of deobfuscating the attack from the initial spam message, to the dropper mechanisms, and finally to all the evasion techniques Astaroth has implemented. The goal is to give researchers the tools and knowledge to be able to analyze this in their own environments. This malware is as elusive as it gets and will likely continue to be a headache for both users and defenders for the foreseeable future. This will be especially true if its targeting moves outside of South America and Brazil.


The post Threat Spotlight: Astaroth – Maze of Obfuscation and Evasion Reveals Dark Stealer appeared first on Cisco Blogs.

Securing Smart Manufacturing


“Alexa, turn on the TV.”

“Get it yourself.”

This nightmare scenario could play out millions of times unless people take steps to protect their IoT devices. The situation is even worse in industrial settings. Smart manufacturing, that is, Industry 4.0, relies on tight integration between IT systems and OT systems. Enterprise resource planning (ERP) software has evolved into supply chain management (SCM) systems, reaching across organizational and national boundaries to gather all forms of inputs, parting out subcomponent development and production, and delivering finished products, payments, and capabilities across a global canvas.

Each of these synergies fulfills a rational business goal: optimize scarce resources across diverse sources; minimize manufacturing, shipping, and warehousing expense across regions; preserve continuity of operations by diversifying suppliers; maximize sales among multiple delivery channels. The supply chain includes not only raw materials for manufacturing, but also third party suppliers of components, outsourced staff for non-core business functions, open source software to optimize development costs, and subcontractors to fulfill specialized design, assembly, testing, and distribution tasks. Each element of the supply chain is an attack surface.

Software development has long been a team effort. Not since the 1970s have companies sought out the exceptionally talented solo developer whose code was exquisite, flawless, ineffable, undocumented, and impossible to maintain. Now designs must be clear across the team, and testing requires close collaboration between architects, designers, developers, and production. Teams identify business requirements, then compose a solution from components sourced from publicly shared libraries. These libraries may contain further dependencies on yet other third-party code of unknown provenance. Simplified testing relies on the quality of the shared libraries, but shared library routines may have latent (or intentionally hidden) defects that do not come to life until in a vulnerable production environment. Who tests GitHub? The scope of these vulnerabilities is daunting. Trend Micro just published a report, “Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis,” that surveys the Industry 4.0 attack surface.

Within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. Industrial robots provide a clear example. Industrial robots are tireless, precision machines programmed to perform exacting tasks rapidly and flawlessly. What did industry do before robots? Factories either relied on hand-built products or on non-programmable machines that had to be retooled for any change in product specifications. Hand-built technology required highly skilled machinists, who are expensive and require time to deliver. See Figure 1 for an example.

Figure 1: The cost of precision

Non-programmable robots require factory down time for retooling, a process that can take weeks. Before programmable industrial robots, automobile factories would deliver a single body style across multiple years of production. Programmable robots can produce different configurations of materials with no down time. They are used everywhere in manufacturing, warehousing, distribution centers, farming, mining, and soon guiding delivery vehicles. The supply chain is automated.

However, the supply chain is not secure. The protocols industrial robots depend on assumed the environment was isolated. One controller would govern the machines in one location. Since the connection between the controller and the managed robots was hard-wired, there was no need for operator identification or message verification. My controller would never see your robot. My controller would only connect to my robot, so the messages they exchanged needed no authentication. Each device assumed all its connections were externally verified. Even the safety systems assumed the network was untainted and trustworthy. No protocols included any security or privacy controls. Then Industry 4.0 adopted wireless communications.

The move, which saved the cost of laying cable in the factory, opened those networks to eavesdropping and attacks. Every possible attack against industrial robots is happening now. Bad guys are forging commands, altering specifications, changing or suppressing error alerts, modifying output statistics, and rewriting logs. The consequences can be vast yet nearly undetectable. In the current report on Rogue Robots, our Forward-looking Threat Research team, collaborating with the Politecnico di Milano (POLIMI), analyzes the range of specific attacks today’s robots face, and the potential consequences those attacks may have.

Owners and operators of programmable robots should heed the warnings of this research, and consider various suggested remedies. Forewarned is forearmed.

The Rogue Robots research is here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/rogue-robots-testing-industrial-robot-security.

The new report, Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis, is here: https://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems.

What do you think? Let me know in the comments below, or @WilliamMalikTM.

3 ways to put the expanding perimeter on ISE and gain zero-trust

Security has been heating up for well over a decade. In 2013, we added fuel to the fire as the malware economy and large organizational breaches (not just incidents) hit the front page. We hunkered down and layered-in defenses with moats, walled perimeters and roving guards for when the bad dudes got in. And now we are losing our perimeter. We are losing control as massive trends, such as the cloud migration, a mobile workforce, and the addition of all those scary connected things, are pulling the perimeter apart. As this happens we’re often caught in the balancing act between driving the business forward by promoting connections with locking it down and providing protection.

To cool this phenomenon down, and to avoid locking down IT initiatives that are propelling business, organizations are rethinking how they look at access. We are realizing there was some truth in the old sect of security professionals who said to “trust no one,” and now we can add “trust no one thing.” From these cries arose the zero-trust framework.

Although not entirely new, it is becoming easier to achieve zero trust with advances in technology that are making it possible to continually authenticate and authorize access at many points within the network. We are now able to build security directly into the network and achieve a segmented network that continually authenticates the endpoint and authorizes access based on a least privilege model, to ensure endpoints only get the access they require to meet mission objectives.

Cisco Identity Services Engine (ISE) has been taking on secure access challenges for almost ten years. We recently performed a customer survey to find out how innovations within ISE are enabling a zero-trust approach in the workplace to manage the expanding perimeter and to build security and protection directly into the network.

Asset Visibility: 75% of customers surveyed said the capability they value the most from ISE is knowing who and what’s on the network.

Gaining visibility is the first step. If we cannot correctly identify what is connecting, and gain endpoint visibility that is not only granular, but also dynamic with context that keeps up with the evolving threat landscape, it is impossible to enforce a policy that will control access to only what an endpoint requires to get the job done, and not risk disrupting business objectives.

Network Segmentation: 79% of respondents stated that the ability to use the network itself to enforce access policy was the value they get the most out of ISE.

Network segmentation is an outcome of effective asset visibility. Obtaining granular control of the endpoint, no matter where the endpoint is located, is difficult to achieve without granular visibility. In the past, the lack of visibility has been a major barrier to building zones of access based on trust. ISE implements segmentation precisely the way you intended and makes it easy to control policy consistently across wireless, wired, and VPN connections. Another 58% stated they achieve this value without buying more security products, which can increase CAPEX and often adds complexity with bolt-on solutions that do not recognize a platform approach.

Value without increasing costs: 79% agree that ISE significantly improved their security profile and reduced operational costs.

The organizations we partner with at Cisco have real challenges and a limited budget is one of them. The ISE team has been focusing on simplifying the user experience to ensure that customers can move to advanced use cases like network segmentation without increasing complexity and operational costs. And with a focus on interoperability and platform integrations, customers will be able to accelerate their protection as well as the value of existing solutions to gain an active arm of protection from passive security solutions without an increase in investment.

ISE has been cooling down the network access and control problem for almost ten years, which explains why 95% of those surveyed said they would recommend ISE to a colleague or friend.

You can read more about the results of the survey here.
To learn more about ISE, visit https://www.cisco.com/go/ise

The post 3 ways to put the expanding perimeter on ISE and gain zero-trust appeared first on Cisco Blogs.

The MITRE ATT&CK Framework: Discovery

The Discovery tactic is one which is difficult to defend against. It has a lot of similarities to the Reconnaissance stage of the Lockheed Martin Cyber Kill Chain. There are certain aspects of an organization which need to be exposed in order to operate a business. In fact, all of the techniques at this time […]

The post The MITRE ATT&CK Framework: Discovery appeared first on The State of Security.

Getting Zoom Security Right – 8 Tips for Family and Friends

If you’ve read a newspaper or watched the news in the past few weeks, you’ll notice one common topic that all the major news outlets are discussing… COVID-19. Right now, many companies are trying to provide employee guidance during this worldwide pandemic, as governments ask those who can to work from home in an effort […]

The post Getting Zoom Security Right – 8 Tips for Family and Friends appeared first on The State of Security.

Teaming up with INTERPOL to combat COVID-19 threats

If the past couple of months have taught us anything, it’s that partnerships matter in times of crisis. We’re better, stronger and more resilient when we work together. Specifically, public-private partnerships matter in cybersecurity, which is why Trend Micro is always happy to reach out across industry, academia and law enforcement to offer its expertise.

We are again delighted to be working with long-time partner INTERPOL over the coming weeks on a new awareness campaign to help businesses and remote workers stay safe from a deluge of COVID-19 threats.

The new normal

All over the world, organizations have been forced to rapidly adjust to the new normal: social distancing, government lockdowns and mass remote working. While most have responded superbly to the challenge, there’s no denying that IT security teams and remote access infrastructure are being stretched to the limit. There are understandable concerns that home workers may be more distracted, and therefore likely to click on phishing links, and that their PCs and devices may not be as well protected as corporate equivalents.

At the same time, the bad guys have also reacted quickly to take advantage of the pandemic. Phishing campaigns using COVID as a lure have surged, spoofing health authorities, government departments and corporate senders. BEC attacks try to leverage the fact that home workers may not have colleagues around to check wire transfer requests. And remote infrastructure like RDP endpoints and VPNs are being targeted by ransomware attackers — even healthcare organizations that are simultaneously trying to treat critical patients infected with the virus.

Getting the basics right

That’s why Trend Micro has been pushing out regular updates — not only on the latest scams and threats we’re picking up around the globe, but also with advice on how to secure the newly distributed workforce. Things like improved password security, 2FA for work accounts, automatic software updates, regular back-ups, remote user training, and restricted use of VPNs can all help. We’re also offering six months free use of our flagship Trend Micro Maximum Security product to home workers.

Yet there’s always more to do. Getting the message across as far and wide as possible is where organizations like INTERPOL come in. That’s why we’re delighted to be teaming up with the global policing organization to run a new public awareness campaign throughout May. It builds on highly successful previous recent campaigns we’ve collaborated on, to tackle BEC and crypto-jacking.

This time, we’ll be resharing some key resources on social media to alert users to the range of threats out there, and what businesses and home workers can do to stay safe. And we’ll help to develop infographics and other new messages on how to combat ransomware, online scams, phishing and other threats.

We’re all doing what we can during these difficult days. But if some good can come from a truly terrible event like this, then it’s that we show our strength in the face of adversity. And by following best practices, we can make life much tougher for the cybercriminals looking to profit from tragedy.

This Week in Security News: Shade Ransomware Shuts Down, Releases Decryption Keys and WebMonitor RAT Bundled with Zoom Installer

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how the operators of the Shade (Troldesh) ransomware have shut down and released more than 750,000 decryption keys. Also, learn about an attack using Zoom installers to spread a WebMonitor RAT malware.

Read on:

The Industry 4.0 Lab Never Ignores Brownfields – What POLIMI and Trend Micro Aim to Prove

It takes time for new technologies to penetrate the market and even the most innovative technology must be used safely and with confidence. Industry 4.0 technology is no exception. Engineers and researchers, including those at Politecnico di Milano (POLIMI) and Trend Micro, are currently investigating how to map ICT technology principles onto OT environments, including factory environments.

Shade (Troldesh) Ransomware Shuts Down and Releases Decryption Keys

The operators of the Shade (Troldesh) ransomware have shut down and, as a sign of goodwill, have released more than 750,000 decryption keys that past victims can now use to recover their files. Security researchers from Kaspersky Lab have confirmed the validity of the leaked keys and are now working on creating a free decryption tool.

Trend Micro’s Top Ten MITRE Evaluation Considerations

The MITRE ATT&CK framework, and the evaluations, have gone a long way in helping advance the security industry, and the individual security products serving the market. The insight garnered from these evaluations is incredibly useful but can be hard to understand. In this blog, read Trend Micro’s top 10 key takeaways for its evaluation results.  

New Android Malware Steals Banking Passwords, Private Data and Keystrokes

A new type of mobile banking malware has been discovered abusing Android’s accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Dubbed “EventBot” by Cybereason researchers, the malware can target over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets. 

Principles of a Cloud Migration – Security, The W5H – Episode WHAT?

Last week in Trend Micro’s cloud migration blog series, we explained the “WHO” of securing a cloud migration, detailing each of the roles involved with implementing a successful security practice during the migration. This week, Trend Micro touches on the “WHAT” of security: the key principles required before your first workload moves.  

Critical WordPress e-Learning Plugin Bugs Open Door to Cheating

Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more. 

WebMonitor RAT Bundled with Zoom Installer

The COVID-19 pandemic has highlighted the usefulness of communication apps for work-from-home setups. However, as expected, cybercriminals look to exploit popular trends and user behavior. Trend Micro has witnessed threats against several messaging apps, including Zoom. In April, Trend Micro spotted an attack using Zoom installers to spread a cryptocurrency miner. Trend Micro recently encountered a similar attack that drops a different malware: RevCode WebMonitor RAT. 

Group Behind TrickBot Spreads Fileless BazarBackdoor

A new campaign is spreading a new malware named “BazarBackdoor,” a fileless backdoor created by the same threat actors behind TrickBot, according to BleepingComputer. The conclusion is drawn due to similarities in code, crypters, and infrastructure between the two malware variants. The social engineering attacks used to spread the backdoor use topics such as customer complaints, COVID-19-themed payroll reports, and employee termination lists for the emails they send out. 

Critical Adobe Illustrator, Bridge and Magento Flaws Patched

Adobe is warning of critical flaws in Adobe Bridge, Adobe Illustrator and the Magento e-commerce platform. If exploited, the most severe vulnerabilities could enable remote code execution on affected systems. Francis Provencher, Mat Powell, and an anonymous reporter were credited for discovering the flaws, all working with Trend Micro’s Zero Day Initiative.

Guidance on Kubernetes Threat Modeling

Kubernetes is one of the most used container orchestration systems in cloud environments. As such, like any widely used application, it is an attractive target for cybercriminals and other threat actors. In this blog, Trend Micro shares three general areas that cloud administrators need to secure their deployments against, as they can introduce threats or risks to their Kubernetes-driven containerization strategies.

Loki Info Stealer Propagates Through LZH Files

Trend Micro previously encountered a spam sample that propagates the info stealer Loki through Windows Cabinet (CAB) files. Recently, Trend Micro also acquired another sample that delivers the same malware, but through LZH compressed archive files. Trend Micro detects the attachment and the dropper as TrojanSpy.Win32.LOKI.TIOIBYTU.

Security 101: How Fileless Attacks Work and Persist in Systems

As security measures improve, modern adversaries continue to craft sophisticated techniques to evade detection. One of the most persistent evasion techniques involves fileless attacks, which don’t require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.

COVID-19 Lockdown Fuels Increase in RDP Attacks

The number of attacks abusing the remote desktop protocol (RDP) to compromise corporate environments has increased significantly over the past couple of months, according to Kaspersky. With employees worldwide forced to work from home due to the COVID-19 pandemic, the volume of corporate traffic has increased significantly, just as the use of third-party services has increased to keep teams connected and efficient.

What measures are you taking to secure your migration to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

COVIDSafe App Teardown & Panel Discussion

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking:

On Sunday night, that app finally landed here, branded as COVIDSafe. I installed it the day after, capturing a bunch of my own thoughts and linking to efforts from the community to dissect what it was actually doing:

The efforts of fellow community members (several of them fellow Microsoft MVPs) garnered a lot of attention so we banded together to run a public panel yesterday. That 2-hour panel discussion has now been published to YouTube and it's chock-a-block full of real world observations about what the app actually does, what it collects, what it sends and what the real world privacy and security implications are. I loved being a part of this panel as it allowed us to step away from the speculation and conspiracy theories and instead focus on the facts of how the thing works. None of us have any commercial interests in this (we all went through a disclosure process in the video), it's just pure independent, fact-based discussion. Enjoy:

School from Home: “Square One” Basics

With many schools around the globe postponing classes for long stretches or closing school outright for the rest of the academic year, the challenge of parenting just cranked up. After all, there’s no more schoolhouse—it’s your house. Whether you’re the parent of a kindergartener or a high school senior, or have a mix of children in between, there’s a good chance you’re trying to figure out how to continue learning online at home—while also dealing with the disappointments of missing friends, activities, and major events like sports, proms, and even graduations. It’s not easy, and without a doubt this is new to all of us.

We want to make it easier for you, even if it’s in some small ways. We started by asking you what roadblocks are getting in the way. This April, we reached out to parents across the U.S. and asked  . Your top two answers came across loud and clear: you’re struggling with establishing a routine and keeping children focused.

Looking for resources and ideas for bringing a little structure into online learning at home and how that fits into your day? We have you covered, so let’s start at square one—making sure that your online learning environment at home is secure.

Start with a look at your devices

First, determine which device your child is going to use. Some school districts provide students with a laptop that the students keep for the school year. The security on these devices will more than likely be managed centrally by the school district. Thus, they’ll have their own security software and settings already in place. Moreover, such a centrally managed device will likely be limited in terms of which settings can be updated and what software can be added. If your child has a school-issued device, follow the advice of the school and its IT admin on matters of security tools and software. And if you have questions about security, reach out to them.

Security basics on your home computer and laptop

If your child is using a home computer or laptop, or sharing one with other members of the family, you’ll want to ensure that it’s protected. This includes a full security suite that features more than just anti-virus, but also firewall protection to keep hackers at bay, safe browsing tools that steer you clear of sketchy or unsafe websites, and perhaps even parental controls to block distracting apps and inappropriate websites. Another smart option is to use a password manager. There’s a good chance that your kids will need to create new accounts for new learning resources—and with those come new usernames and passwords. A password manager will organize them and keep them safe.

Video conferencing

Additionally, you’ll want to take a very close look at the video conferencing tools that your child might be using to connect with teachers and classmates (and even their friends after schooltime is over). First off, there are plenty of them out there. Secondly, some video conferencing tools have allegedly experienced security and privacy issues in recent weeks. Before downloading and installing a video conferencing tool, do a little online research to see how secure it is and what privacy policies it has in place.

Look for video conferencing tools that use end-to-end encryption so that the conference is protected from prying eyes and so that others can’t intrude upon the conversation uninvited. Look for articles from reputable sources too, as there have been further reports of privacy issues where certain user information has been shared with third parties while using the video conferencing tool. That’s good advice for any software, apps, or tools you may wish to add.

Use a VPN

Another way to protect yourself from intrusions while conferencing, or doing anything else online for that matter, is to introduce a VPN (virtual private network). Choose one that uses bank-level encryption to keep your personal data and activities private from hackers. It will also hide other information, like account credentials, credit card numbers, and the like. It’s a good move, and it’s easy to use.

Next up

Look for our upcoming articles where we’ll share some specific ideas that can help make homeschooling online a little easier.

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post School from Home: “Square One” Basics appeared first on McAfee Blogs.

Reassuring Words and Good Intentions Don’t Mean Good Security

How much can you trust the assertions made by an organisation regarding their security posture? I don't mean to question whether the statements are truthful or not, but rather whether they provide any actual assurance whatsoever. For example, nearly 5 years ago now I wrote about how "we take security seriously" was a ridiculous statement to make immediately after a data breach. It seems that not much has changed since then:

That last one is particularly apt here as it gets us on-topic with kids watches. Almost a year ago to the day, I wrote about a serious flaw in TicTocTrack watches that made it trivial to track kids, re-position them and even enable strangers to call their watch which would answer with zero interaction from the child. This wasn't the first instance of a tracking device on a kid going wrong, it was just the latest in a long line of them. To their credit, TicTocTrack rectified the flaw (insecure direct object references), communicated with parents and got back to business. Meanwhile, the whole kids-watch-security-train-wreck continued:

In that tweet, I concluded that "the pattern is alarmingly predictable" which foreshadowed what would inevitably be yet more incidents with yet more kids watches to come. TicTocTrack saw things differently:

The linked piece is titled "Cyber Resilience Key For iStaySafe" and is a short read wound up with a link to a PR company's email address. Amongst the reassurances of their investment in security is this paragraph:

In the following months, iStaySafe made significant investments both financially and by allocating staff resources to conduct a comprehensive penetration test of their software platform, mobile applications, sales website, all APIs and entire systems architecture. This investigation was conducted by a 3rd party C.R.E.S.T certified cybersecurity firm based in Brisbane to ensure that iStaySafe and subsidiary TicTocTrack have the best-practice cybersecurity and risk management protocols in place.

This is not at all unusual and it's from the same old "reassure customers of how seriously we take security" playbook. Many organisations assert precisely the same things: penetration tests, code reviews, ticks from certified bodies etc. A really key thing to understand here is that most of this is "point in time"; when the penetration test was conducted, everything was ok (or appropriately remediated). But the next day? Who knows. I don't mean to solely criticise TicTocTrack here, this is pretty standard PR which in my mind, didn't change a thing:

Sure enough, less than 2 months later, someone sent me my entire TicTocTrack record pulled out via a flaw in their system:

[
  {
    "FirstName": "Troy",
    "LastName": "Hunt",
    "Email": "[redacted email]",
    "FamilyIdentifier": 3494,
    "PhoneNumber": "[redacted phone]",
    "ProfilePictureFilename": null,
    "CustomerType": null,
    "CRM_ContactId": "0",
    "ProfilePictureUrl": "https://tracker.tictoctrack.com/res/img/usermeta/DEFAULT_IMG.jpg",
    "ProfilePictureTimestamp": "0",
    "ProfilePicture": null,
    "ProfilePictureMIME": null,
    "Status": "Suspended",
    "ID": "[redacted email]",
    "CompositeID": "[redacted email]"
  },
  {
    "FirstName": "[redacted email]_temp",
    "LastName": "",
    "Email": null,
    "FamilyIdentifier": 3494,
    "PhoneNumber": "00000000000",
    "ProfilePictureFilename": null,
    "CustomerType": null,
    "CRM_ContactId": "0",
    "ProfilePictureUrl": "https://tracker.tictoctrack.com/res/img/usermeta/DEFAULT_IMG.jpg",
    "ProfilePictureTimestamp": "0",
    "ProfilePicture": null,
    "ProfilePictureMIME": null,
    "Status": "Temp",
    "ID": "[redacted email]_temp",
    "CompositeID": "[redacted email]_temp"
  }
]

Plus, they sent me my 7 year old daughter's record relating to her device:

{
  "DeviceName": "Elle",
  "DevicePhoneNumber": "+61473997091",
  "ICCID": "89610185002367820863",
  "IMEI": "357593061030345",
  "AlertPhoneNumbers": "",
  "AlertEmailAddresses": "||",
  "Avatar": null,
  "AvatarMIME": null,
  "AvatarUrl": "https://tracker.tictoctrack.com/res/img/usermeta/DEFAULT_IMG.jpg",
  "AvatarImageTimeStamp": "0",
  "DeviceTypeID": 4,
  "DevicePassword": null,
  "StaticMacData": "[]",
  "Active": true,
  "EffectDate": null,
  "AvatarImageName": null,
  "APN": "telstra",
  "SubscriptionType": "TTTSim",
  "ID": "3494|593061030345",
  "CompositeID": {
    "FamilyID": 3494,
    "DeviceID": "593061030345"
  }
}

Fortunately, that person was Gordon Beeming, a fellow Microsoft Most Valuable Professional who identified the vulnerability, contacted me privately, had the details passed on to TicTocTrack and then the flaw remediated before writing about it publicly a couple of weeks ago:

And the nature of the flaw? Take this URL:

/api/Users?$filter=(FamilyIdentifier%20eq%204236)

Now consider the filter in the query string and ponder: "what would happen if there was no filter"? Here's what Gordon wrote:

I thought, what happens if I browse directly to that container without any filter? This pulled to my browser every user in their system.

And that's how he ended up with every user in the system, including myself.
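The root cause described above is an API whose only scoping is the client-supplied OData $filter, so omitting the filter returns the whole collection. The following is an added example, not TicTocTrack's code or Gordon's, showing that pattern next to the fix a defender wants: the family scope is taken from the authenticated session, and the query-string filter may only narrow within it. The user list, the session family ids and the base host are constructed for illustration.

```javascript
// Constructed stand-in for the /api/Users collection (not real TicTocTrack data).
const USERS = [
  { FirstName: "Alice", FamilyIdentifier: 3494, Status: "Active" },
  { FirstName: "Alice_temp", FamilyIdentifier: 3494, Status: "Temp" },
  { FirstName: "Bob", FamilyIdentifier: 4236, Status: "Active" },
  { FirstName: "Carol", FamilyIdentifier: 5100, Status: "Suspended" },
];

// Only the one filter shape seen in the post is accepted:
//   $filter=(FamilyIdentifier eq 4236)
const FILTER_RE = /^\(?\s*FamilyIdentifier\s+eq\s+(\d+)\s*\)?$/;

// Extract the family id from the $filter clause, or null when there is none.
// The base host is an assumption; it is only needed to parse a relative path.
function parseFamilyFilter(requestUrl) {
  const url = new URL(requestUrl, "https://tracker.example");
  const raw = url.searchParams.get("$filter"); // %20 is already decoded here
  if (raw === null) return null;
  const m = FILTER_RE.exec(raw.trim());
  if (!m) throw new Error("unsupported $filter expression");
  return Number(m[1]);
}

// Mirrors the flaw described in the post: the client's filter is the only
// scoping, so a request with no filter returns every user.
function usersVulnerable(requestUrl) {
  const fam = parseFamilyFilter(requestUrl);
  return USERS.filter((u) => fam === null || u.FamilyIdentifier === fam);
}

// Hardened: authorization comes from the authenticated session, never from
// the query string. A filter naming another family is rejected outright, and
// a missing filter still returns only the caller's own family.
function usersHardened(requestUrl, sessionFamilyId) {
  const requested = parseFamilyFilter(requestUrl);
  if (requested !== null && requested !== sessionFamilyId) {
    const err = new Error("filter targets a family the caller does not belong to");
    err.status = 403;
    throw err;
  }
  return USERS.filter((u) => u.FamilyIdentifier === sessionFamilyId);
}
```

The check worth keeping from this is the last function: whatever query language the API exposes (OData, GraphQL, a plain `?familyId=`), the tenant or owner predicate is appended server-side from the session, so the client can never widen the result set by leaving a parameter out.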

The point of all this is that despite the best of intentions (and I do believe their intentions are good), per the title of this post those good intentions and reassuring words do not mean that a security incident won't occur. Obviously, they also don't mean that one won't reoccur and any assertion to the contrary puts us back at the same November discussion in the tweets above (and we now know how that worked out).

So, should you not buy a kids tracking watch due to the inherent risks? I'm not saying that any more than I'm saying you shouldn't buy a connected sex toy; by all means, if one of these devices provides value to you and you're conscious of the privacy risks and willing to accept them, then do it. But for me, my own personal risk assessment puts a lot of weight in the old mantra of "you cannot lose what you do not have" so no, I wouldn't buy either.

Further to this, Jeremy Kirk has written about the incident today including comments from TicTocTrack on their decision not to disclose the exposure of their customer database in January this year. That's a bit tangential to the purpose of this blog post so I won't delve into it here, but leave your thoughts on that in the comments below. Here's their statement from the cyber resilience page mentioned earlier, just for context:

iStaySafe will continue to operate in an open, transparent and honest manner

Protecting users from insecure downloads in Google Chrome

Update (04/06/2020): Chrome was originally scheduled to start user-visible warnings on mixed downloads in Chrome 82. These warnings, as well as subsequent blocking, will be delayed by at least two releases. Console warnings on mixed downloads will begin as scheduled in Chrome 81.

At this time, we expect to start user-visible warnings in Chrome 84. The Chrome Platform Status entry will be kept up-to-date as timing is finalized. Developers who are otherwise able to do so are encouraged to transition to secure downloads as soon as possible to avoid future disruption.


Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.
Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.
As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.
We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables.
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images.
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text.
    • Chrome will block all other mixed content downloads.
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
(Image: example of a potential warning)
Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.
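As an added example (not code from the post or from the Chrome project), the following Python script scans a page's links for mixed content downloads, i.e. HTTP downloads linked from an HTTPS page, and reports what Chrome would do with each under the desktop schedule listed above, with the one-release mobile delay and the postponement from the update available as optional shifts. The extensions beyond .exe, .zip and .iso, the sample page and the URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# Desktop schedule as originally announced: category -> (first warning version, first blocking version).
SCHEDULE = {
    "executable": (82, 83),
    "archive_or_disk_image": (83, 84),  # .zip archives and .iso disk images
    "other": (84, 85),
    "media_or_text": (85, 86),          # image, audio, video and text formats
}
# Only .exe, .zip and .iso are named in the post; the other extensions are assumptions.
CATEGORY_BY_EXT = {
    ".exe": "executable", ".msi": "executable", ".zip": "archive_or_disk_image", ".iso": "archive_or_disk_image",
    ".png": "media_or_text", ".mp4": "media_or_text", ".txt": "media_or_text",
}

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, has download attribute)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], "download" in attrs))

def classify_download(page_url, href):
    """Category of a mixed-content download (HTTPS page, HTTP download), else None."""
    target = urljoin(page_url, href)
    if urlsplit(page_url).scheme != "https" or urlsplit(target).scheme != "http":
        return None
    return CATEGORY_BY_EXT.get(splitext(urlsplit(target).path)[1].lower(), "other")

def chrome_action(category, version, platform="desktop", delay=0):
    """'none', 'warn' or 'block' for this category in the given Chrome version. Mobile runs one
    release behind; delay shifts the schedule (the update postponed warnings by at least two)."""
    warn_at, block_at = SCHEDULE[category]
    shift = delay + (0 if platform == "desktop" else 1)
    if version >= block_at + shift:
        return "block"
    return "warn" if version >= warn_at + shift else "none"

def find_mixed_downloads(page_url, html, version=84, **kw):
    """Report (url, category, action) for each mixed-content download link on the page."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, is_download in parser.links:
        target = urljoin(page_url, href)
        if not (is_download or splitext(urlsplit(target).path)[1].lower() in CATEGORY_BY_EXT):
            continue  # ordinary navigation link, not a download
        category = classify_download(page_url, href)
        if category is not None:  # None: HTTPS download, so not mixed content
            findings.append((target, category, chrome_action(category, version, **kw)))
    return findings

SAMPLE_HTML = """<!-- constructed sample page, not from the post -->
<a href="http://cdn.example.com/setup.exe">Installer</a>
<a href="https://cdn.example.com/setup.exe">Installer (secure)</a>
<a href="/files/manual.pdf" download>Manual</a>
<a href="http://cdn.example.com/photo.png">Photo</a>
<a href="http://cdn.example.com/data.csv" download>Data</a>
<a href="http://www.example.com/about.html">About</a>
"""

if __name__ == "__main__":
    print(find_mixed_downloads("https://www.example.com/downloads", SAMPLE_HTML))
```

Running the scan with version=86 and platform="android" shows the mobile delay: the .png link, which is only warned on in Chrome 86 on desktop, is still warned on rather than blocked.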

Secure IT: Shop Safe Online

Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Uniform Resource Locator (URL) are you really connecting to? Is it really your banking website, or the new online shopping website that you are trying for the first time? How can you tell?

It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:

  1. Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.

  2. Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.

  3. Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate? Look up in your browser title bar.

  4. Create strong passwords for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send a code to your smartphone to type into a login screen to verify you are who you say you are.

  5. Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.

We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.

To recap:

  • Visit and use sites you know and trust
  • Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
  • Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
  • Look for anything that is not familiar to your known experience with the site.
  • If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
  • Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
  • If a site offers a second factor to authenticate you, use it.
  • Check all your payment card statements regularly to look for rogue purchases.
  • Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.

Safe shopping!

The post Secure IT: Shop Safe Online appeared first on Connected.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced with the same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see is that the individuals who make it their business to steal or disrupt your data are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click on a malicious link in a phishing email to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas to give you a fighting chance to detect, and react to, malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again, our high-powered technical, mobile, and social world often demands we run at warp speed. Who has time to document? Well — make the time. Good documentation, including processes, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available at what I like to call the security “choke points”: end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology? Ask yourself — what is so wrong with selecting and implementing a product only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape the Unified Security Stack. And don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance do not come by accident. They take planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when they get in.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

Protecting Critical Infrastructure

In this blog, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency.

The post Protecting Critical Infrastructure appeared first on Connected.

The Internet Wants YOU: Consider a Career in Cyber Security.

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The Internet Wants YOU: Consider a Career in Cyber Security. appeared first on Connected.

Cyber Security Careers Are in High Demand

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022 there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Cyber security is a viable and rewarding profession, and we encourage people from all backgrounds to see information security as an essential career path.

The post Cyber Security Careers Are in High Demand appeared first on Connected.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, which makes all private (encrypted) communication no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.


The post WPA2 Hacks and You appeared first on Connected.