Category Archives: security

3 Reasons MSPs Must Evolve Beyond Endpoint Detection and Response

Endpoint protection is a critical component of a security strategy. But it’s not enough.

Today’s threat landscape is so wide and varied, it requires round-the-clock monitoring, full visibility into IT environments and a multilayered approach to keep hackers at bay. For MSPs, this creates a sizable opportunity to protect clients with a comprehensive security strategy that goes beyond endpoint detection and response.

But most MSPs are still too focused on endpoint detection and response, which can leave parts of the network unprotected. A lot of threats today are stealthy, disguising themselves and hiding until the right time to strike, and traditional environments aren’t set up to stop such threats because they’re often split into silos containing applications that perform specific tasks. The silos don’t communicate with each other, making it impossible to assemble a contextual view of threats and slowing down investigation and response.

MSPs can improve their clients’ security posture with a unified security approach that includes central visibility and monitoring, the ability to investigate threats that at first may appear harmless, and fast response capabilities. Here are three compelling reasons to deliver detection and response beyond the endpoint:

1. New threats demand new approaches
Security breaches have increased 67 percent in the past five years, growing 11 percent in the last year alone, according to Accenture. Yet two thirds of organizations say they have multiple security tools, which limits their ability to detect and respond to threats.

Companies need technology that detects trouble at all levels of the network, uses machine learning to sift through massive volumes of threat data and identify previously undetected threats, and promptly responds to an attack by isolating threats and mitigating the risk of infection.

2. Slow response worsens attacks
The longer it takes to detect an attack, the higher its impact. Many malware variants work stealthily for months, spreading infection, stealing data and sending it out to a command and control server long before they are detected and stopped.

Without the tools to identify threat indicators, detection is slow and ineffective. Verizon estimates that a solid majority of breaches — 68 percent — take 197 days to discover. That’s six and a half months! By then, a lot of damage can be done, potentially compromising private employee, customer and partner data, as well as intellectual property.

3. In-house resources are scarce
Perversely, as the threat landscape gets more dangerous, it’s harder for businesses to obtain the necessary skill to combat threats. Cybersecurity professionals are scarce and expensive, which is why MSPs need to step in with managed security solutions to protect their clients’ environments.

Trend Micro helps MSPs accomplish this feat with Worry-Free XDR, which offers detection and response beyond the endpoint – correlating data automatically across email and endpoint in one console. The solution provides full visibility into customers’ environments, ensuring MSPs can move beyond the endpoint to offer clients the protection that today’s digital world demands.


The Importance of the Network in Detecting Incidents in Critical Infrastructure

As we saw in my last blog, the network plays a key role in defending critical infrastructure and IoT. The devices that we are connecting drive our business, enabling us to make smarter decisions and gain greater efficiency through digitization. But how do we ensure those connected devices are acting as intended? From an industrial operations perspective, we need to know that plant operations are nominal, irrespective of cyber threat. The network is well positioned to assist us in detecting misbehaving devices.

Network telemetry for visibility

In order to have assurance of business operations, it is critical to have visibility and awareness into what is occurring on the network at any given time. Network telemetry offers extensive and useful detection capabilities which can be coupled with dedicated analysis systems to collect, trend and correlate observed activity. In the security world we can infer much from network telemetry, from malware behaviour and reconnaissance, to data exfiltration. It is even possible to infer to some extent what is contained in encrypted traffic. Not only can we use this traffic for detection, but also for investigation. Having a historical record of communication also assists with investigating incidents. We can see, for example, what other hosts may have talked to a command and control server, or we can look at any lateral movement from a host.

The first step is to collect NetFlow. A flow is a unidirectional sequence of packets that share common properties (such as source and destination addresses and ports) as they pass through a network device. These collected flows are exported to an external device, the NetFlow collector. Flow records are highly granular; for example, they include IP addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, and input and output interfaces.

Exported NetFlow data is used for a variety of purposes, including enterprise accounting and departmental chargebacks, ISP billing, data warehousing, network monitoring, capacity planning, application monitoring and profiling, user monitoring and profiling, security analysis, and data mining for marketing purposes.

For most network devices (including many ruggedized devices used in OT environments), NetFlow is simply an option you turn on to send this data to a NetFlow collector. Lower-end switches may not have this option; however, a SPAN port can mirror traffic to a NetFlow sensor that generates the flow records instead. Gathering network telemetry for visibility is the first step for organisations. The next step is to use tools that can analyse the traffic and look for behavioural anomalies. For more advanced use cases, Encrypted Traffic Analytics (ETA) offers insights into encrypted traffic as well.
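The two investigation questions raised above (which hosts talked to a command and control server, and what lateral movement followed from a host) can be answered directly from exported flow records. The Python below is an added example, not code from the original post or from any Cisco product; it parses a constructed set of NetFlow-style records carrying the fields listed above, and assumes a 10.0.0.0/8 internal range, one known C2 address and a small set of remote-administration ports.

```python
"""Investigation over exported flow records: C2 contacts and lateral movement."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumptions for this example: the internal address range, a single known
# command-and-control (C2) address (a constructed RFC 5737 documentation
# address) and ports that typically carry remote administration
# (SSH, RPC, SMB, RDP, WinRM).
INTERNAL = ip_network("10.0.0.0/8")
KNOWN_C2 = {"203.0.113.7"}
ADMIN_PORTS = {22, 135, 445, 3389, 5985}

# Constructed flow export, one unidirectional flow per line, with the fields
# the post lists: start time, src IP, src port, dst IP, dst port, protocol,
# packets, bytes, ToS, input interface, output interface.
SAMPLE_FLOWS = """\
2019-11-12T08:00:01,10.0.1.15,51000,10.0.0.5,53,17,2,160,0,1,2
2019-11-12T08:01:10,10.0.1.15,51020,203.0.113.7,443,6,40,5200,0,1,3
2019-11-12T08:01:10,203.0.113.7,443,10.0.1.15,51020,6,38,61000,0,3,1
2019-11-12T08:05:30,10.0.1.15,51031,10.0.1.20,445,6,10,1500,0,1,1
2019-11-12T08:05:41,10.0.1.15,51032,10.0.1.21,445,6,9,1400,0,1,1
2019-11-12T08:05:52,10.0.1.15,51033,10.0.1.22,3389,6,120,48000,0,1,1
2019-11-12T08:07:03,10.0.2.8,50011,203.0.113.7,443,6,12,2300,0,1,3
2019-11-12T08:09:00,10.0.3.4,50500,10.0.0.5,53,17,2,150,0,1,2
2019-11-12T08:10:00,10.0.3.4,50501,10.0.1.20,445,6,30,4100,0,1,1
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int
    tos: int
    in_if: int
    out_if: int


def parse_flows(text: str) -> List[Flow]:
    """Parse one exported flow record per line; reject malformed records."""
    flows = []
    for line in text.strip().splitlines():
        f = line.split(",")
        if len(f) != 11:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(datetime.fromisoformat(f[0]), f[1], int(f[2]), f[3],
                          int(f[4]), *(int(x) for x in f[5:])))
    return flows


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def hosts_contacting(flows: List[Flow], c2_addrs: Set[str]) -> Dict[str, List[str]]:
    """Internal hosts that initiated a flow to a known C2 address.

    Only flows whose source is internal count: the reverse (C2 -> host) flow
    is the same conversation seen in the other direction, not a second victim.
    """
    seen = defaultdict(set)
    for f in flows:
        if f.dst in c2_addrs and is_internal(f.src):
            seen[f.dst].add(f.src)
    return {c2: sorted(hosts) for c2, hosts in seen.items()}


def lateral_movement(flows: List[Flow], min_targets: int = 3) -> Dict[str, List[Tuple[str, int]]]:
    """Internal hosts that reached at least min_targets distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            targets[f.src].add((f.dst, f.dport))
    return {src: sorted(t) for src, t in targets.items()
            if len({dst for dst, _ in t}) >= min_targets}


def timeline(flows: List[Flow], host: str) -> List[Tuple[str, str, int, int]]:
    """Chronological (start, dst, dport, bytes) of every flow the host initiated."""
    return [(f.start.isoformat(), f.dst, f.dport, f.octets)
            for f in sorted(flows, key=lambda x: x.start) if f.src == host]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for c2, hosts in hosts_contacting(flows, KNOWN_C2).items():
        print(f"hosts that talked to C2 {c2}: {hosts}")
    for src, targets in lateral_movement(flows).items():
        print(f"possible lateral movement from {src}: {targets}")
        for entry in timeline(flows, src):
            print("   ", *entry)
```

On the constructed data, 10.0.1.15 contacts the C2 and then fans out to three internal hosts on SMB and RDP within minutes, while 10.0.3.4 touches a single file server and is not flagged at the default threshold.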


Accelerating detection through smarter tooling

The problem of scale in IoT is also evident in security incident detection and response: we have more traffic to review and, accordingly, more events. We need tools to help us, and tooling based on Machine Learning (ML) and Artificial Intelligence (AI) is particularly important when it comes to network behaviour. Devices, unlike humans, tend to have very well-defined behaviour, so leveraging ML and AI to observe and baseline this behaviour offers high-fidelity alert sources.

Machine Learning in Network Security

Leveraging context for better results

To really accelerate detection and lower our median time to detect, we need all our tools to work together. In the previous post we discussed network context and understanding what a device policy should be, at scale. What if we could leverage that same information to assist with detection? Understanding contextual information and what a device’s policy should be can help increase the fidelity of behavioural alerts. Investigators also benefit from having this information integrated into their tools, which helps speed investigations.

Stay tuned for the next blog post in the series, which will explain the last key issue – the network’s key role in how we respond to incidents. November is Critical Infrastructure Security and Resiliency Month, so head over to our Trust Center to learn more about critical infrastructure protection.


The post The Importance of the Network in Detecting Incidents in Critical Infrastructure appeared first on Cisco Blogs.

Experts found undocumented access feature in Siemens SIMATIC PLCs

Researchers discovered a vulnerability in Siemens SIMATIC S7-1200 programmable logic controller (PLC) that could allow attackers to execute arbitrary code on vulnerable devices.

Researchers discovered an undocumented access feature in Siemens SIMATIC S7-1200 programmable logic controller (PLC) that could be exploited by attackers to execute arbitrary code on affected devices.

The feature was discovered by a team of researchers from the Ruhr-University Bochum in Germany composed of Ali Abbasi, Tobias Scharnowski and Thorsten Holz.

The medium-severity flaw is tracked as CVE-2019-13945 and received a CVSS score of 6.8. The issue is hard to exploit because it requires deep knowledge of the operating system used by the Siemens SIMATIC S7-1200.

The Siemens S7 is considered one of the most secure controllers in the industry. It is used in power plants, traffic lights, water pumps, building control, production lines, aviation systems, and many other critical infrastructures.

The researchers focused their analysis on the firmware integrity verification process implemented in the Siemens SIMATIC S7-1200 PLC.


The mechanism is triggered on boot and leverages the bootloader code that is stored on separate SPI flash memory. The researchers discovered that the undocumented hardware access mode has been present in the bootloader code since 2013.

“There is an access mode used during manufacturing of S7-1200 CPUs that allows additional diagnostic functionality. Using this functionality requires physical access to the UART interface during boot process.” reads a security advisory published by Siemens. “Siemens is working on a solution and recommends specific countermeasures until the solution is available.”

The access feature was implemented to provide additional diagnostic functionality and it could be accessed by an attacker who has physical access to the device.

The attacker could access the feature by sending a special command via the universal asynchronous receiver-transmitter (UART) interface during the boot process, before the PLC firmware is loaded.

An attacker could leverage the feature to achieve arbitrary code execution in the boot stage.

The experts have developed a proof-of-concept (PoC) exploit that allows writing data to the flash chip by leveraging the PLC’s firmware update feature.

The experts reported the flaw to Siemens in March and the company confirmed that it is working on a fix.

The advisory published by Siemens includes the following specific workarounds and mitigations that customers can apply to reduce the risk:

The team of experts will present the results of its research in December at the Black Hat Europe conference in London.

Pierluigi Paganini

(SecurityAffairs – SIEMENS SIMATIC, PLC)

The post Experts found undocumented access feature in Siemens SIMATIC PLCs appeared first on Security Affairs.

This Week in Security News: APT33 Botnets Used for Extreme Narrow Targeting and Microsoft’s Patch Tuesday Arrives with A Patch for An IE Zero-Day

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the APT33 threat group that is using live C&C servers for extremely narrow targeting. Also, read about Trend Micro’s complete smart factory solutions and November Patch Tuesday updates.

Read on:

Trend Micro Enhances Protection for Industrial Orgs

This week, Trend Micro announced its complete smart factory solutions, designed to provide enhanced visibility and protection for embattled industrial control system (ICS) environments. The solutions will secure across all layers of Industry 4.0, mitigating this growing area of cyber risk to keep operations running.

Faster and More Accurate Malware Detection Through Predictive Machine Learning

Machine learning gives traditional cybersecurity solutions the edge they need to catch destructive threats such as ransomware before they are deployed in a system, which saves organizations’ time, money, and reputations.

Microsoft’s November 2019 Patch Tuesday Arrives with a Patch for an IE Zero-Day

Microsoft has released the November 2019 Patch Tuesday security updates. This month’s updates include a patch for a vulnerability in the Internet Explorer scripting engine that hackers have been seen exploiting in the wild.

Amazon Patches Ring Video Doorbell Pro Vulnerability that Threatens Network Security

Researchers at Bitdefender discovered a vulnerability in Amazon’s Ring Video Doorbell Pro that, if exploited, could allow a threat actor to get network or Wi-Fi credentials. Amazon fixed the issue back in September, but the vulnerability was only recently disclosed.

ASP.NET Service Provider Targeted by Ransomware Attack

Less than a week after ransomware attacks disrupted operations of various Spanish companies and government services in the Canadian territory of Nunavut, another company has disclosed that they were hit by an attack, this time involving the encryption of the customer data of, a popular hosting service provider for the web application framework ASP.NET.

BlueKeep Exploit Will Get an Update Following Recent Attacks

Reports from security researchers have shed light on the recent BlueKeep attacks that installed cryptocurrency miners on compromised devices. In November, Kevin Beaumont noticed that his honeypots kept crashing and later determined that the cause was the BlueKeep exploit module. These blue screen of death (BSOD) crashes in the honeypots were the issues that helped Beaumont discover the real-world attacks.

YouTube Videos Promise Private Key Generator for Bitcoin Addresses, Lead Users to Info-Stealing Trojan Instead

YouTube videos were being used in a scam to deliver an information-stealing Trojan called Predator the Thief (detected by Trend Micro as TrojanSpy.MSIL.PREDATOR.AA). Discovered by security researcher Frost, the threat actors use the videos to promote a tool that can generate a bitcoin address’ private key.

New 5G Flaws Can Track Phone Locations and Spoof Emergency Alerts

Security researchers at Purdue University and the University of Iowa have found nearly a dozen 5G vulnerabilities, which they say can be used to track a victim’s real-time location, spoof emergency alerts that can trigger panic or silently disconnect a 5G-connected phone from the network altogether.

DDoS Attacks That Employ TCP Amplification Cause Network Congestion, Secondary Outages

Over the past month, threat actors have been using a relatively non-conventional approach to mount a flurry of distributed denial-of-service (DDoS) attacks through Transmission Control Protocol (TCP) amplification.

APT33 Mounts Focused, Highly Targeted Botnet Attacks Against U.S. Victims

The Iran-linked, espionage-focused advanced threat group known as APT33 has been spotted using more than a dozen obfuscated botnets to carry out narrowly targeted attacks against government and academic targets. As of last month, researchers counted 10 live bot C2s in active operation.

There Is a Skills Shortage, but It Isn’t Your Real Problem

Without automated event correlation and analysis, the skills problem ceases to be a crisis. Bill Malik, vice president of infrastructure strategies at Trend Micro, discusses how organizations can use automation, a managed detection and response tool (like MDR) and a cross-platform discovery and response tool (like XDR) to help alleviate the information security skills gap.

Is your company taking steps and using solutions to alleviate the information security skills shortage? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


New TA2101 threat actor poses as government agencies to distribute malware

A new threat actor tracked as TA2101 is conducting malware campaigns using email to impersonate government agencies in the United States, Germany, and Italy.

A new threat actor, tracked as TA2101, is using email to impersonate government agencies in the United States, Germany, and Italy to deliver multiple families of malware, including ransomware and banking Trojans.

The phishing campaigns delivering malicious attachments have been observed since the end of October. According to Proofpoint researchers, the new threat actor has been impersonating the United States Postal Service, the German Federal Ministry of Finance, and the Italian Revenue Agency.

“Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.” reads the analysis published by ProofPoint. “Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.”

Between October and November 2019, the TA2101 threat actor carried out a malspam campaign against targets in Germany that impersonates the German Federal Ministry of Finance (“Bundeszentralamt für Steuern”).

The spam messages pretend to be a notification from the above agency informing users of a tax refund. The emails use malicious Word attachments that claim to include instructions on how to request the refund.

Once the user opens the attachment and enables the macros, the malicious code installs the Cobalt Strike pentesting tool or the Maze Ransomware on the victim’s computer.

The threat actors also targeted IT support companies to compromise their MSP and use it to deliver the Maze Ransomware to its clients.

Another campaign observed by ProofPoint aimed at German users impersonating the German internet service provider 1&1 Internet AG.

On October 29, Proofpoint observed dozens of emails attempting to deliver weaponized Microsoft Word attachments with Italian lures impersonating the Italian Ministry of Taxation, the “Agenzia delle Entrate”.

The bait email pretends to be a notice from the agency informing recipients about new activities in the fight against tax evasion.

Proofpoint also observed a campaign using emails pretending to be sent by the United States Postal Service. The spam messages contained malicious Word doc attachments named “USPS_Delivery.doc”.

The campaign is similar to the Italian one: the messages ask users to enable the macros to decrypt the allegedly RSA-encrypted content.

If a user enables the macros in this campaign, they download and execute the IcedID banking Trojan on the victim’s computer.

“These spoofs are notable for using convincing stolen branding and lookalike domains of European taxation agencies and other public-facing entities such as Internet service providers. Most recently, the actor has attacked US organizations spoofing the United States Postal Service.” concludes Proofpoint. “The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape.”

Pierluigi Paganini

(SecurityAffairs – TA2101, hacking)

The post New TA2101 threat actor poses as government agencies to distribute malware appeared first on Security Affairs.

There is a Skills Shortage, But it isn’t Your Real Problem

During my undergraduate days, I recall hearing that the Bell System was slow to deploy automated dialing. While smaller local phone companies allowed callers to dial a number directly from their phone, the Bell System continued to rely on switchboard operators into the 1930s. In fact, early phones did not have numbers to dial at all – you simply toggled the handset switch and asked the operator; when she came on (female switchboard operators were believed to be more patient and polite than men), she would plug your line into the line of the person you wanted to call.

Smaller phone companies adopted automation to compete profitably – they avoided the cost of the switchboard and the operator by letting people dial their own calls. They traded off the investment in physical infrastructure for the software switch. The Bell companies deferred this transformation to recoup their investment in their installed base of switches and trained operators. It wasn’t until they performed a study of call growth rates that they decided to change. Bell learned that as more people installed telephones and made more calls, by the 1950s every man, woman, and child in North America would have to work as a switchboard operator to deal with the volume. Bell began deploying direct dial numbers, although the exchange names lingered. Our home number was Normandy 1-2345, which became 661-2345. Over time, long distance dialing (outside of the local exchange) and international direct calling, with Area codes and country codes, became the new normal. (For years, the most popular issue of the Bell Systems Journal in our college library was the one describing the paired tones used to automatically connect and route commands across the international supervisory networks. Or so I’m told.)

Today we have millions of open jobs in information security. What jobs are unattended? One client speaking at a conference last month said that when they migrated their in-house and colocated data centers to a cloud-only topology, the volume of events doubled – from one billion per day to two billion per day. No amount of hiring will mitigate that problem. Without automated event correlation and analysis, the skills problem ceases to be a crisis. It becomes a lifestyle.

Recent research shows that in the first quarter of 2019 we saw a new piece of malware every 0.3 seconds, and a unique vulnerability every 3 seconds. The total volume of patches in the first quarter of 2019 exceeded 5,100 across all patchable software products. No organization can keep up with that volume of change, even if its operations could afford the multiple configurations needed for validation and failover, and could tolerate frequent interruptions to perform the installations. There is a shortage of skilled operators who could do all the patching, but here again, the real problem isn’t staffing. Without a mechanism to deploy patches non-disruptively and automatically, the real problem only gets worse.

Some would say that while they want to be notified about vulnerabilities and attacks, they would rather not use automation to remediate the problems. Their claim is that it is too risky to allow information security software to take over a person’s job. This is true when the software permits too many false positives. With reliable ML-augmented capabilities, and a layered approach, automation can dramatically simplify the volume problem.

Yes, there is a staffing shortage. But organizations can use automation and a managed detection and response (MDR) capability to handle the volume of events. Organizations can use a cross-platform discovery and response tool (XDR) to aggregate and consolidate events dramatically, reducing the demand on people and improving the accuracy and timeliness of protection from threats. The tool should be proven, reliable, and suppress false positives. That will resolve one root cause of the information security skills shortage.

Want to learn more? Read about Trend Micro’s XDR at

Let me know what you think! Provide your feedback below, or reach me @WilliamMalikTM.


Canadian intelligence agencies CSE and CSIS are divided on Huawei 5G ban

The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) are divided over the ban of Huawei 5G technology.

The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) agencies are divided over the ban of Huawei 5G technology. Canada, along with the US, the UK, New Zealand, and Australia, forms the so-called Five Eyes intelligence alliance.

In November 2018, The Wall Street Journal reported that the US Government urged its allies to exclude Huawei from critical infrastructure and 5G architectures.

Currently, the Chinese supplier is already prohibited from bidding on government contracts and core network equipment.

As the Globe and Mail reported Wednesday, the Canadian government asked the intelligence agencies to evaluate the risks related to the adoption of Huawei 5G equipment for the national telecommunication infrastructure. The agencies were also tasked with evaluating the economic impact for Canadian telecoms and consumers of replacing and blacklisting Huawei equipment.

The Globe and Mail revealed that according to an unnamed source, the CSIS and the CSE have a different opinion on the ban of Huawei 5G technology.

While CSE suggests a full ban of Huawei 5G equipment from the national infrastructure, CSIS believes the risks associated with the deployment of the Chinese technology can be mitigated with effective validation and monitoring of the equipment.

“The office of the minister of public safety, Ralph Goodale, declined to comment on Huawei specifically as it relates to its evaluation of emerging 5G technologies.” reported the AFP press.

“But it said in a statement that the government’s review “includes the careful consideration of our allies’ advice” and it “will ensure that our networks are kept secure.””

The relationship between the Chinese and the Canadian government deteriorated following the arrest in Vancouver of a senior Huawei executive on a US warrant that took place in December and the arrest of two Canadian citizens in apparent retaliation.

Experts pointed out that the ban could cost Canadian telecom firms millions of dollars, and two of the largest wireless carriers in the country, Bell and Telus, plan to use Huawei equipment in the upcoming 5G infrastructure.

Rogers, the nation’s top carrier, announced the use of 5G equipment from Ericsson.

Pierluigi Paganini

(SecurityAffairs – Huawei 5G, cyberespionage)

The post Canadian intelligence agencies CSE and CSIS are divided on Huawei 5G ban appeared first on Security Affairs.

Finding the malicious needles in your endpoint haystacks

Accelerate Threat Hunts and Investigations with Pre-Curated Complex Queries

Security teams often lack the ability to gain deep visibility into the state of all their endpoints in real time. Even with a bevy of tools at their fingertips, once an incident occurs, conducting investigations can be likened to searching for a needle in a haystack. Teams struggle to make well-informed remediation decisions fast enough, finding themselves asking questions like: what should I be searching for? Where specifically in my environment should I zero in? Which datasets matter? Which are irrelevant? The struggle is real. As we all know, the longer a threat runs wild, the more havoc it stands to wreak on your environment. Between the intense time pressure, endless datasets to sift through, and the ambiguity of not knowing where or how to start, incident investigations can feel like frenzied wild goose chases.

Many teams have adopted threat hunting to take a more proactive and preventative (rather than purely reactive) approach to managing their security hygiene. With 43% of organizations performing continuous threat hunting operations in 2018, versus just 35% in 2017, the practice is undoubtedly growing in scope and popularity. However, this begs the question: what’s holding back the remaining majority – the other 57% – of organizations? The reality is that although many teams want to threat hunt, they simply don’t know how to get started, or erroneously believe that they don’t have the personnel, time, and resources to dedicate to the endeavor. But fortunately, that’s no longer the case…

Know everything. About every endpoint. Right now.

Cisco recently rolled out a powerful new advanced threat hunting and investigation capability in Cisco® Advanced Malware Protection (AMP) for Endpoints called Orbital Advanced Search that gives users the ability to search across all endpoints for forensic information and malware artifacts. Think of this as the ultimate search engine for all your endpoints – with over a hundred pre-canned queries provided, Orbital makes security investigations and threat hunting simple by allowing you to quickly run complex queries on hundreds of attributes in near real time on any or all endpoints. For example, it allows you to type in queries like:

  • Show me all computers that are listening on certain ports – something that certain variants of malware will do when they are waiting on instructions from a C&C on what to do.
  • Show me all processes that are running in memory but do not have a file on disk – something that is rarely seen with innocuous processes, and thus strongly indicates the possible presence of fileless malware hiding in your environment to escape scanning and analysis.
  • Show me all the users logged in – if a user is logged into systems in a department that the user doesn’t belong to, or if the user is logged into multiple machines at one time, this could indicate a breach.

Orbital gives you deep visibility into what’s happening on any endpoint at any time by taking a snapshot of its current state, and the search options are limitless; users can immediately perform advanced searches via the 100+ curated queries that come with the tool or create their own custom queries. Whether you’re threat hunting, conducting an incident investigation, IT operations, or vulnerability and compliance assessments, Orbital gets you the answers you need about your endpoints fast.

How does it work?

Whether you are investigating an incident or proactively hunting for threats Orbital can help you simplify and accelerate these tedious processes in the following ways:

  1. Forensics snapshots. We can capture snapshots of data from endpoints such as running processes, open network ports and a lot more at the time of detection or on demand. It’s like “freeze framing” activity on an endpoint right to the moment. This allows you to know exactly what was happening on your endpoint at that point in time.
  2. Live search. Run complex queries on your endpoints for threat indicators on demand or on a schedule, capturing the information you need about your endpoints in near real time.
  3. Predefined and customizable queries. We provide over a hundred predefined queries that you can quickly run as they are or customize as needed. These queries are organized in a catalog of common use cases and mapped to the MITRE ATT&CK framework.
  4. Storage options. The results of your queries can be stored in the cloud or sent to other applications such as Cisco Threat Response for further or future investigations.


Common use cases

Orbital Advanced Search can help you do the following important tasks better, faster:

  1. Advanced Threat Hunting: Search for malicious artifacts across any or all your endpoints in near real-time to accelerate threat hunts.
    1. Mature organizations – Streamline workflows for seasoned teams that already perform continuous threat hunting operations and get beyond atomic and computed IOCs and into the really interesting stuff, like registry keys, process PID exploits, and all kinds of attacker TTPs cataloged with Threat Grid and the MITRE ATT&CK framework.
    2. Novice Threat Hunters – Empowers teams that don’t have threat hunting programs in place to begin to threat hunt without requiring them to hire additional staff or rip and replace their security stack.
  2. Incident Investigation: Get to the root cause of incidents faster to accelerate incident investigation and remediation efforts.
  3. IT Operations: Track software inventory, disk space, memory, computer utilization, and other IT operations artifacts quickly and expediently – good threat hunting tools can also be used to enhance IT operations.
  4. Vulnerability and Compliance: Check operating system and software version levels to validate patch management and confirm that your endpoints comply with current policies.

Threat Hunting Versus Incident Response

An additional bonus of threat hunting is that it breeds familiarity with the tools and techniques that come into play when an incident or breach does occur, effectively training teams to be better incident responders. Since both disciplines deal directly with threats in your environment, the skills exercised when threat hunting are arguably the same as those used in incident response. The difference is the starting point: incident response is reactive and begins from known evidence of a threat in your environment, whereas threat hunting is proactive and begins from a hypothesis, without a triggering alert or confirmed indicator. Because practicing threat hunting sharpens investigative skills and response times, teams that hunt are naturally better equipped to react like pros when faced with real incidents. The ‘Hunting for hidden threats’ whitepaper in Cisco’s Cybersecurity Report Series covers this topic in more detail and is a great place to learn more.

Whether you’re new to threat hunting, are a seasoned veteran who wants to streamline operations and take your threat hunting program to the next level, or merely want to accelerate incident remediation, the solution to your woes has arrived. Test drive Orbital Advanced Search today with a free trial of Cisco AMP for Endpoints, or register for one of our Threat Hunting Workshops to get hands-on experience threat hunting, investigating, and responding to threats so that you can become a pro at finding the malicious needles in your digital haystacks.

The post Finding the malicious needles in your endpoint haystacks appeared first on Cisco Blogs.

OpenText acquires Carbonite for $1.42 billion

Waterloo-based OpenText, an information management software company, officially confirmed its acquisition of Carbonite, a cloud-based data protection and security software solution provider.

The total purchase price is US$1.42 billion. Currently, outstanding Carbonite shares are set to be purchased for US$23.00 per share in cash, although this offer has not yet commenced. The acquisition cost also includes all of Carbonite’s outstanding debt.

Carbonite is another key acquisition OpenText has made to strengthen its security services. Through it, OpenText aims to expand its data loss prevention, digital forensics and endpoint security portfolio.

OpenText’s other significant security acquisitions include Guidance Software, maker of the EnCase forensics software.

“This acquisition will further strengthen OpenText as a leader in cloud platforms, complete end-point security and protection, and will open a new route to connect with customers, through Carbonite’s marquee SMB/prosumer channel and products,” said Mark J. Barrenechea, OpenText chief executive officer. “We are very excited about the opportunities that Carbonite will bring, and I look forward to welcoming our new customers, partners and employees to OpenText.”

In its press release, OpenText wrote that it expects a significant expansion of cloud revenues, cloud margins, and cash flows in fiscal 2021.

The transaction is expected to close within 90 days.



Welcome to the New Zero Trust

Complexity, opacity and the gatekeeping of knowledge are tactics often used to appear sophisticated or intelligent. They can also be used to intimidate.

In security and technology, complexity can lead to critical gaps in visibility and an extended attack surface, with too many vendors and solutions to interconnect and manage. Additionally, many enterprises operate with limited budgets and too many projects with conflicting priorities, which creates disparity between technology teams, all supported by a limited security team (or an IT or networking team doing double duty). As a result, complexity creep has risen to counteract our best security efforts.

At Cisco, we’re seeking to eliminate that complexity and close knowledge gaps with simplicity in how we execute and deliver security, as well as transparency in how we talk about it. The security industry is often guilty of using buzzwords and jargon that can add to the growing complexity and shifting priorities as enterprises attempt to follow best security practices defined by the industry.

Zero Trust: The Concept, Defined

To that end, let’s start with defining and simplifying the most popular buzzword, ‘zero trust’ – it’s about never implicitly trusting, but always verifying someone or something that is requesting access to work resources.

It’s not about getting rid of the perimeter – but rather tightening security on the inside. The new perimeter is less about the edge of the network, and now more about any place you make an access control decision.

–Wendy Nather, Head of Advisory CISOs, Summarized from Zero Trust: Going Beyond the Perimeter


The old model of trust assumed:

  • Users, devices and applications were located behind a firewall, on the corporate network
  • All endpoints accessing resources were managed by the enterprise
  • Systems managed by enterprises could all inherently trust one another, and trust was often based on network location

The new zero trust is about:

  • Gaining visibility to intelligently inform policy, and enabling BYOD (bring your own device) or IoT (Internet of Things) devices for business agility
  • Continual reestablishment of user, device and application trust
  • Continuous monitoring and threat containment

Protecting the Workforce, Workloads & Workplace

With all of that in mind, what exactly are you trying to protect?

Enterprises are complex by nature. They have vast IT ecosystems, with many different vendors, software and infrastructure spread across the multi-cloud and on-premises. They have many different types of users – employees, contractors, customers, etc. – everywhere across the world – often using their own personal devices to work. They have applications that talk to each other via APIs, microservices and containers. And they still have enterprise networks that devices regularly access, including IoT.

That’s why we’ve simplified things – by classifying each area of your enterprise IT as equally important to protect using a zero-trust security approach.

  1. Zero Trust for the Workforce – Ensure only the right users (employees, contractors, partners, etc.) and their secure devices (BYOD) can access applications (regardless of location).
  2. Zero Trust for Workloads – Secure all connections within your applications (when an API, micro-service or container is accessing an application’s database), across the multi-cloud (cloud, data centers and other virtualized environments).
  3. Zero Trust for the Workplace – Secure all user and device connections across your enterprise network, including IoT (types of devices may include: servers, printers, cameras, HVAC systems, infusion pumps, industrial control systems, etc.).

For complete zero-trust security, you need to address each area of your IT ecosystem – securing access across all environments, in a consistent and automated way.

Enter the Cisco Approach to Zero Trust

Cisco’s approach does not implicitly trust a request – but rather establishes trust for every access request, regardless of where the request is coming from. It secures access across your applications and network, while extending trust to support modern enterprises with BYOD, cloud apps and hybrid environments.

Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:

  1. Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
  2. Enforcing trust-based access policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications
  3. Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities

For the workforce, Duo Security protects against phishing, compromised credentials or other identity-based attacks with multi-factor authentication (MFA) to verify user identities and establish device trust before granting access to applications. 

For workloads, Tetration secures hybrid, multi-cloud workloads and contains lateral movement with application segmentation. It identifies vulnerable software versions on the workload and blocks their communication to reduce your overall attack surface.

For the workplace, Software-Defined Access (SD-Access) provides insight into users and devices, identifies threats and provides control over all connections across the enterprise network, including IoT devices.

Extending Trust

While this is a good starting place, other solutions in the Cisco Security portfolio can extend the zero-trust security model further. Cisco’s framework is built to integrate seamlessly with your existing infrastructure and investments using an open API model, standards-based platform and strong technology partnerships to ensure that everything across your environment is protected – securing your enterprise as you scale.

Those strong partnerships include major players in the industry, including Microsoft, Amazon Web Services (AWS), Google and many more. Extending trust to integrate with third parties for better visibility and consistent policy enforcement is key to making a zero-trust approach practical and effective for modern enterprises.

Benefits of a Zero-Trust Security Approach

Overall – this framework provides the benefits of a comprehensive zero-trust approach:

  • Increased visibility – Get insight into the contextual data behind access requests, including users, user endpoints and IoT devices connecting and talking to your applications and network
  • Reduced attack surface – Mitigate risks related to identity attacks (stolen or compromised passwords, phishing) and lateral attacker movement within your network (in the event of a breach – contain the impact of the initial breach)
  • Broad coverage – Zero-trust security for not just the workforce, but across workloads and the workplace for complete coverage and a consistent approach to securing access and enforcing policies, regardless of where data or applications are located


Learn more about Cisco Zero Trust. Or, sign up for a free trial of Duo, demo Tetration and learn more about SD-Access to start your zero-trust journey today.

Did you hear? Cisco was named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019. Read the report.



The post Welcome to the New Zero Trust appeared first on Cisco Blogs.

This Week in Security News: Amazon Echo Hacked at Pwn2Own Tokyo 2019 and Ransomware Attacks Hit Spanish Companies

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a ransomware that is attacking Spanish companies and how nearly 50 adware apps were found on Google Play. Also, read about how an Amazon Echo was hacked on the first day of Pwn2Own Tokyo 2019.

Read on:

Facebook Portal Survives Pwn2Own Hacking Contest, Amazon Echo Got Hacked

Amazon Echo speakers, Samsung and Sony smart TVs, the Xiaomi Mi9 phone, and Netgear and TP-Link routers were all hacked on the first day of ZDI’s Pwn2Own Tokyo 2019 hacking contest.

New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

In October 2019, Trend Micro discovered a new exploit kit named Capesand, which attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer. Based on our investigation, it also exploits a 2015 vulnerability for Internet Explorer.

Inside the Microsoft Team Tracking the World’s Most Dangerous Hackers

Microsoft’s latest win over cloud rival Amazon for the lucrative military contract means that an intelligence-gathering apparatus among the most important in the world is based in the woods outside Seattle. Now in this corner of Washington state, dozens of engineers and intelligence analysts are watching and stopping the government-sponsored hackers proliferating around the world.

Halloween Exploits Scare: BlueKeep, Chrome’s Zero-Days in the Wild

On October 31, Google announced a stable channel security update for the Windows, Mac and Linux versions of Chrome to fix two use-after-free flaws, one in the browser’s audio component and one in PDFium. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a statement advising users and administrators to apply the updates.

A Stranger’s TV Went on Spending Spree with My Amazon Account – and Web Giant Did Nothing About it for Months

A fraudster exploited a bizarre weakness in Amazon’s handling of customer devices to hijack an account and go on spending sprees with the victim’s bank cards. The investigation revealed that a non-Amazon device can be added to an Amazon customer account without appearing in the list of devices associated with the profile, so the victim could not see it.

Ransomware Attacks Hit Spanish Companies, Paralyzes Government Services in Canadian Territory of Nunavut

A ransomware campaign recently hit companies in Spain, including Cadena Sociedad Española de Radiodifusión (SER), the country’s largest radio network. In another part of the globe, threat actors managed to infect government systems with ransomware in the Canadian territory of Nunavut.

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your Wi-Fi password and then launch man-in-the-middle (MitM) attacks against other devices connected to the same network.

Unpatched Remote Code Execution rConfig Flaws Could Affect Millions of Servers and Network Devices

Details on the proof-of-concept (PoC) exploit for two unpatched, critical remote code execution (RCE) vulnerabilities in the network configuration management utility rConfig have recently been disclosed. At least one of the flaws could allow remote compromise of servers and connected network devices.

California DMV Data Breach Exposed Thousands of Drivers’ Information, Agency Says

A data breach at the California Department of Motor Vehicles may have exposed some drivers’ Social Security number information to seven government entities, according to the DMV. The breach affects about 3,200 individuals over at least the last four years, the agency said in a statement.

49 Disguised Adware Apps with Optimized Evasion Features Found on Google Play

Trend Micro recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps are no longer live, but before they were taken down by Google, the total number of downloads was more than 3 million. This Trend Micro blog discusses solutions and security recommendations for protecting against adware apps.

CVE-2019-2114: Patched Android Bug That Allows Possible Installation of Malicious Apps

An Android bug that could allow threat actors to bypass devices’ security mechanisms was discovered by Nightwatch Cybersecurity. Successful abuse of the bug can allow threat actors to transfer a malicious application to a nearby Near Field Communication (NFC)-enabled device via Android Beam. The bug affects Android 8 (Oreo) and later.

Surprised by the devices that were hacked on the first day of Pwn2Own Tokyo 2019? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Consolidate your Security in the Cloud with Cisco Umbrella


What makes a great partnership? Open communication and a passion for constant advancement are two important elements. Our customers have helped us continuously innovate, and together, we’re transforming how security is delivered. Over the past 12+ months, we embarked on a journey to take Cisco Umbrella to a new level.

DNS has always been at our core — starting as a recursive DNS service (OpenDNS) in 2006, then moving into the enterprise security space in 2012 with the release of Umbrella. Enforcing security at the DNS layer was something brand new at the time. People started to see how valuable it was to have a single view of all internet activity across every location, and it was an incredibly effective way to block threats at the earliest possible point (and who doesn’t love fewer alerts to investigate!?). Add in the fact that it’s delivered from the cloud and can be deployed enterprise-wide in minutes…you can start to see the appeal it has.

As we saw more applications and infrastructure move to the cloud, more people working off-network (and “forgetting” to turn on that pesky VPN), and the move to more direct internet access at remote offices, we heard more from our customers about what they needed from a security service. It wasn’t just about DNS-layer security — they often needed more. We’re excited to share that we’re now delivering more. Much more.

Now, Umbrella offers secure web gateway, cloud-delivered firewall, and cloud access security broker (CASB) functionality — in addition to the DNS-layer security and threat intelligence from Investigate — all in a single, integrated cloud console. All of this is available in a new Umbrella package: Secure Internet Gateway Essentials.

By unifying multiple security services in the cloud, we are now able to offer our customers greater flexibility, sharper visibility, and consistent enforcement, everywhere your users work. The goal is simple: if we can simplify your security operations and reduce complexity, then you can reduce risk and accelerate secure cloud adoption.

Here are a few examples of innovations that we’re introducing as part of this:

Bye Security Silos, Hello Consolidation

It can be an overwhelming endeavor to help your organization transition to the cloud and secure direct internet access. It takes skill and a considerable amount of resources. How many office locations are you tasked with securing? We’ve heard loud and clear that it’s not sustainable for you to build a separate security stack in each location. By moving those core security services to a single cloud solution, you’ll be able to deploy the right level of security consistently across your organization. And you have the flexibility to deploy it as needed — you’re not forced to proxy everything or deploy in a specific way. For example, you could start with DNS for fast protection everywhere and leverage additional security services (secure web gateway, firewall, CASB, etc.) wherever you need them.


“I like the simplicity of Cisco Umbrella from a management perspective, but I also enjoy the complexity of the advanced layers of protection that Cisco Umbrella provides. This one product has truly transformed our ability to protect our entire workforce, regardless of location.” – Ryan Deppe, Network Operation Supervisor, Cianbro Corporation


Well-known Technology, Brand New Approach

IPsec tunnels have been around forever. But, we set out to do something different based on what we’ve heard from you. Cisco developed a new technology for IPsec tunnels that minimizes downtime and eliminates the need to build secondary tunnels with a patent-pending approach using Anycast technology for automated failover. A single IPsec tunnel can be deployed to send traffic to Umbrella from any network device, including SD-WAN. This integrated approach combined with Anycast routing can efficiently protect branch users, connected devices, and application usage from all internet breakouts with 100% business uptime.

Real-time Detection of DNS Tunneling

Even though we’ve been a leader in DNS-layer security for years, we won’t rest on our laurels. We’re watching attacker tactics and quickly adjusting ours, and DNS tunneling is one example. DNS tunneling uses the DNS protocol to carry non-DNS traffic (e.g., HTTP) over port 53, encoded in query names and responses. There are legitimate reasons to use DNS tunneling, but attackers have been using it for data exfiltration and command-and-control callbacks. To better identify and stop this, we’ve added real-time heuristics, signature-based detection and detection of encoded data in DNS traffic to Umbrella.
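As an added example (not Umbrella's detector), the heuristics mentioned above applied to constructed resolver log lines: each query is scored on label length, label entropy, query length and record type, and the results are aggregated per registered domain so that a domain receiving many unique, high-scoring subdomains from one client is flagged. The log format, the thresholds and the naive two-label rule for the registered domain are assumptions.

```python
"""Added example: heuristic DNS-tunneling detection over constructed resolver log
lines. Not Umbrella's detector; the log format, thresholds and the two-label
"registered domain" rule are assumptions (a real implementation would use the
Public Suffix List)."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines, "<timestamp> <client> <qtype> <qname>". The first six show
# what a tunnel looks like: one client, TXT queries, long hex labels that never repeat.
SAMPLE_LOG = """\
2019-11-05T10:00:01 10.1.2.3 TXT f3a9c1e07b2d84e6f5a0c9b3d7e1f2a4b6c8d0e9.t.example.net
2019-11-05T10:00:02 10.1.2.3 TXT 9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e.t.example.net
2019-11-05T10:00:02 10.1.2.3 TXT 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.t.example.net
2019-11-05T10:00:03 10.1.2.3 TXT c0ffee0123456789abcdef0123456789abcdef01.t.example.net
2019-11-05T10:00:03 10.1.2.3 TXT deadbeef0123456789abcdef0123456789abcdef.t.example.net
2019-11-05T10:00:04 10.1.2.3 TXT 0123456789abcdef0123456789abcdef01234567.t.example.net
2019-11-05T10:00:04 10.1.2.7 A   www.cisco.com
2019-11-05T10:00:05 10.1.2.7 A   mail.google.com
2019-11-05T10:00:05 10.1.2.9 A   a1b2c3.cdn.example.org
2019-11-05T10:00:06 10.1.2.9 A   outlook.office365.com
"""

LONG_LABEL = 30            # labels longer than this are rare in legitimate names
HIGH_ENTROPY = 3.5         # bits per character; hex data approaches 4.0, base32 5.0
LONG_QNAME = 80
DATA_QTYPES = {"TXT", "NULL"}   # record types tunnels favour for large payloads
PER_QUERY_THRESHOLD = 3
UNIQUE_SUBDOMAINS = 5      # a tunnel encodes data in ever-changing labels


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels; an assumption standing in for a Public Suffix List lookup."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def query_score(qname: str, qtype: str) -> Tuple[int, List[str]]:
    """Score one query; the reasons list says which heuristics fired."""
    longest = max(qname.lower().rstrip(".").split("."), key=len)
    checks = [
        ("long-label", 2, len(longest) > LONG_LABEL),
        ("high-entropy", 2, len(longest) >= 20 and shannon_entropy(longest) > HIGH_ENTROPY),
        ("long-qname", 1, len(qname) > LONG_QNAME),
        ("data-qtype", 1, qtype.upper() in DATA_QTYPES),
    ]
    fired = [(name, weight) for name, weight, hit in checks if hit]
    return sum(w for _, w in fired), [n for n, _ in fired]


def analyze_dns_log(log: str) -> Dict[str, dict]:
    """Aggregate per registered domain and flag those that behave like a tunnel."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "suspicious": 0, "subdomains": set(), "clients": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        d = stats[registered_domain(qname)]
        d["queries"] += 1
        d["subdomains"].add(qname.lower())
        d["clients"].add(client)
        if query_score(qname, qtype)[0] >= PER_QUERY_THRESHOLD:
            d["suspicious"] += 1
    report = {}
    for domain, d in stats.items():
        tunneling = (2 * d["suspicious"] >= d["queries"]            # at least half the queries
                     and len(d["subdomains"]) >= UNIQUE_SUBDOMAINS)  # and the labels keep changing
        report[domain] = {
            "queries": d["queries"],
            "suspicious_queries": d["suspicious"],
            "unique_subdomains": len(d["subdomains"]),
            "clients": sorted(d["clients"]),
            "verdict": "tunneling-suspected" if tunneling else "ok",
        }
    return report


if __name__ == "__main__":
    for domain, r in analyze_dns_log(SAMPLE_LOG).items():
        print(f'{domain:<14} {r["verdict"]:<20} queries={r["queries"]} '
              f'unique={r["unique_subdomains"]} clients={",".join(r["clients"])}')
```

Entropy alone is a weak signal (CDN and cloud hostnames are often high-entropy too), which is why the verdict is made per domain on the fraction of suspicious queries and the count of never-repeating subdomains rather than on any single query; tune the constants against your own resolver logs before alerting on them.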

Deeper Web Control, Retrospective Alerts on Malicious Files

Our new secure web gateway (full proxy) provides complete web traffic visibility, control, and protection — with capabilities such as content filtering at the URL-level, blocking applications or app functions, HTTPS decryption (either for select sites or all), file inspection with Cisco Advanced Malware Protection and antivirus, sandboxing unknown files with Cisco Threat Grid, and retrospective alerts on files that subsequently display malicious behavior. Think about it — file behavior can change over time or could put mechanisms in place to evade initial detection. If a file is initially determined to be safe by Threat Grid and downloaded from the web, but later is deemed to be malicious, you can now see that in Umbrella.

All of these Umbrella enhancements are designed to help your organization accelerate cloud adoption with confidence — you need assurance that your users will be secure wherever they connect to the internet and that’s exactly what we’re focused on delivering for you. If you want to learn more, join our Security Virtual Summit on November 12th and check out Jeff Reed’s blog to hear about other Cisco Security innovations.

The post Consolidate your Security in the Cloud with Cisco Umbrella appeared first on Cisco Blogs.

The death of the network perimeter and the firewall? Not so fast.

Welcome to The Future of Firewalling, Part 1…

For over two decades, the firewall has been the de facto tool that facilitated secure connectivity between different networks. Firewalls were traditionally designed around the idea that internal traffic and users were inherently trustworthy and external traffic wasn’t. Thus, the firewall was deployed to create a trust boundary – or perimeter – between networks. This network perimeter became the logical security control point to protect an organization’s network, data, users, and devices. What’s more, all network traffic (whether originating from the corporate headquarters, its data center, or remote workers) was funneled through this single control point, making it easy to maintain that trust boundary and establish consistent control. Life was good.

Then the world went digital

And when it did, the way we worked, consumed data, and exchanged ideas transformed. The introduction of the “cloud” further compounded things: many of our business-critical applications started moving from our data centers and premises-based networks to places we no longer owned or controlled. At the same time, our branch offices started directly connecting to the Internet to consume services that are now more frequently hosted outside our data centers. And users began accessing more and more resources from their personal devices everywhere but in the office.

As our networks have become far more interconnected, the notion of a single perimeter or control point no longer exists. The industry has been abuzz for some time about the “dissolving perimeter” and whether the firewall is even necessary anymore. I would argue that not only is the firewall more relevant than ever, we now need more firewalls everywhere – on our premises networks, at branch offices, at the gateway and within our data center, in the cloud, on devices, and even within our application workloads.

From macro to micro

Instead of a single perimeter we now have multiple “micro-perimeters” across a variety of networks, devices, users, and data. Typically, each of these new “perimeters” is secured by adding different point technologies, which require a lot of manual intervention just to get going. Couple that with the significant shortage of available talent to manage all these new devices and we’ve got an even bigger challenge. As a result, organizations are struggling to operationalize their disparate security solutions to maintain consistent policies and uniform threat visibility. Network complexity? Check. Network security complexity? Check. Misconfigurations and inconsistencies leading to exposures and breaches? Checkmate!

And while we’re struggling to get a handle on all this complexity, our adversaries continue to unleash more sophisticated threats more frequently across more threat vectors. In fact, the average reported rate of data breaches was 46% in 2018, up from 24% in 2017, according to the 2018 Global Threat Report. This steep climb in reported breaches is a testament to the increasingly sophisticated methods bad actors are using to infiltrate our networks; the growing rate of their success shows just how ineffective the status quo is against modern threats.

And here we are

It has become painfully obvious that we’ve lost visibility and control. We no longer have a good understanding of where our users and data go nor how exposed our businesses are. It’s hard to determine what’s communicating with what, or if we’ve even been breached, until it’s too late. And the pace of change is accelerating as more businesses embrace digital transformation, creating a perfect storm of opportunity for motivated hackers. And a perfect headache for those of us tasked with security. Where do we start to get a handle on it all?

It’s time to rethink the firewall

The importance of the firewall hasn’t diminished – in fact it’s more relevant than ever – but we need to think differently about it. We must go beyond form factors and physical or virtual appliances to embrace firewalling as a functionality. Firewalling needs to be about delivering world-class security controls – the key elements for preventing, detecting, and stopping attacks faster and more accurately – with common policy and threat visibility delivered where you need it: in the data center, in the cloud, at the branch office. So you’re protected everywhere.

At Cisco, we’ve been hard at work bringing that vision into reality, so you can build your strongest security posture for today and tomorrow. Stay tuned to The Future of Firewalling blog series to hear about it, and learn more about Cisco Next-Generation Firewalls.

Coming soon:

The Future of Firewalling, Part 2: Don’t let complexity ruin your security

The post The death of the network perimeter and the firewall? Not so fast. appeared first on Cisco Blogs.

Relentless Breach Defense Endpoint Protection Platform + Endpoint Detection and Response

As evasive and complex as today’s threats have become, it’s no wonder security professionals in organizations of all sizes are ripping out their legacy antivirus completely in favor of Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) technologies. An EPP delivers next-generation antivirus that stops today’s complex attacks. EDR offers more advanced capabilities such as detecting and investigating security incidents, and the ability to remediate endpoints quickly. The question then becomes, which should you choose? And why can’t you have both?

We believe you can AND we believe it should simplify your security operations. That’s why we’ve brought EPP and EDR capabilities together in a single cloud-delivered solution called Cisco® Advanced Malware Protection (AMP) for Endpoints. It is relentless at stopping breaches and blocking malware, then rapidly detects, contains, and remediates advanced threats that evade front-line defenses. Moreover, it’s easy to deploy, easy to use and leverages your existing security investments to help you address threats beyond the endpoint. That’s what we call relentless breach defense, and here are three ways Cisco AMP for Endpoints does this.

#1. Block threats. Before they target you.

How effective you are at protecting your endpoints really depends on the quality of the threat intelligence you’re acting on. That’s why at Cisco, we employ machine learning and automation to spot malware activity fast, malware attack prevention to block ransomware, exploit prevention to stop fileless malware and a variety of other protection engines fueled by Cisco Talos, the largest non-governmental threat intelligence group on the planet. We find more vulnerabilities than other vendors and push out protection before the bad guys can exploit them, giving you an advantage. And because we’re Cisco, Talos sees more network traffic than anyone else, whether a threat begins on the Internet, in an email, or on someone else’s network. Our cloud-based global telemetry sees a threat once, anywhere in the world, and blocks it everywhere, across our endpoint ecosystem and our entire security platform.

#2. Know everything. About every endpoint.

We simplify threat hunting and investigation with our newly announced endpoint detection and response (EDR) capabilities that automate advanced investigative queries across any or all of your endpoints. Whether you are doing an investigation as part of incident response, threat hunting, IT operations, or vulnerability and compliance, we get you the answers you need. We have preloaded scripts so you can leverage the expertise of our Talos threat hunters or even customize your own. These queries are organized in a catalog of common use cases and aligned with the MITRE ATT&CK framework. We provide deeper visibility on what happened to any endpoint at any given time by taking a snapshot of its current state – you can think about this as “freeze-framing” activity on a device right to the moment when something malicious was seen. And we continuously monitor and analyze the behavior of your endpoints, giving you the information you need to investigate and respond to the riskiest threats quickly and confidently. If a file that appeared clean upon initial inspection ever becomes a problem, we can provide a full history of the threat’s activity to catch, isolate, contain, and remediate at the first sign of malicious behavior.
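The retrospective alerting described in this paragraph and in the Umbrella secure web gateway post above, as one added example in Python that is not AMP's or Umbrella's implementation: a ledger records every sighting of a file hash together with the verdict held at that moment, and when the verdict later flips to malicious it returns an alert for each earlier sighting with the dwell time, plus the list of hosts to isolate. Hosts, hashes and timestamps are constructed.

```python
"""Added example: a file-verdict ledger that raises retrospective alerts when a file
seen earlier is later judged malicious. Not AMP's or Umbrella's implementation; the
hosts, hashes, timestamps and scenario are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Sighting:
    host: str
    path: str
    seen_at: datetime
    verdict_then: str           # what we believed about the file when it was seen


@dataclass
class RetroAlert:
    sha256: str
    host: str
    path: str
    seen_at: datetime
    dwell_seconds: float        # time the file sat on the host before conviction


class FileVerdictLedger:
    """Current verdict per hash, plus every place the file has been seen."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}                  # sha256 -> clean|unknown|malicious
        self.sightings: Dict[str, List[Sighting]] = {}

    def current_verdict(self, sha256: str) -> str:
        return self.verdicts.get(sha256, "unknown")

    def record_sighting(self, sha256: str, host: str, path: str, seen_at: str) -> str:
        """A download or execution was observed; keep it with the verdict held at that moment."""
        verdict = self.current_verdict(sha256)
        self.sightings.setdefault(sha256, []).append(
            Sighting(host, path, datetime.fromisoformat(seen_at), verdict))
        return verdict

    def set_verdict(self, sha256: str, verdict: str, decided_at: str) -> List[RetroAlert]:
        """Update the verdict. A flip to malicious returns one alert per earlier sighting
        that happened while the file was still believed clean or unknown."""
        previous = self.current_verdict(sha256)
        self.verdicts[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []                                       # no change, or already convicted
        decided = datetime.fromisoformat(decided_at)
        return [RetroAlert(sha256, s.host, s.path, s.seen_at, (decided - s.seen_at).total_seconds())
                for s in self.sightings.get(sha256, []) if s.verdict_then != "malicious"]

    def hosts_to_isolate(self, sha256: str) -> List[str]:
        """Every host that has ever seen a hash whose current verdict is malicious."""
        if self.current_verdict(sha256) != "malicious":
            return []
        return sorted({s.host for s in self.sightings.get(sha256, [])})


def demo() -> List[RetroAlert]:
    """Constructed scenario: a file is cleared, spreads to three hosts, then is convicted."""
    ledger = FileVerdictLedger()
    h = "5e9c" * 16                                          # constructed hash
    ledger.set_verdict(h, "clean", "2019-11-05T08:00:00")    # initial static/sandbox verdict
    ledger.record_sighting(h, "ws-finance-07", r"C:\Users\alice\Downloads\invoice.exe", "2019-11-05T09:00:00")
    ledger.record_sighting(h, "ws-hr-02", r"C:\Users\bob\Downloads\invoice.exe", "2019-11-05T09:30:00")
    ledger.record_sighting(h, "srv-file-01", r"D:\Shares\Public\invoice.exe", "2019-11-05T10:00:00")
    # Longer sandbox analysis sees beaconing: the verdict flips two hours after the first sighting.
    return ledger.set_verdict(h, "malicious", "2019-11-05T11:00:00")


if __name__ == "__main__":
    for a in demo():
        print(f"RETRO {a.host:<14} {a.path:<45} seen {a.seen_at:%H:%M}  dwell {a.dwell_seconds / 3600:.1f}h")
```

The alert is only raised once per conviction (a repeated malicious verdict returns nothing), and the dwell time per host is what tells the responder which machine to look at first: the one where the file sat longest has had the most time to do damage.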

#3. Respond completely. With security that works together.

Threats are not one dimensional and neither should your defenses be. That’s why we built our endpoint security with out-of-the-box integrations with the rest of the Cisco security platform to block, detect, investigate and respond to threats across your entire environment – not just your endpoints. With security that works together, we help you streamline your security operations, making security investigations faster and easier. You will get to the root cause fast, and automate actions to stop a threat in its tracks. We empower you to respond to attacks at the first sign of malicious behavior using one-click isolation of any endpoint, everywhere. Importantly, we have broader control beyond just the endpoint. We instrument our endpoint security to leverage threat intelligence from web, email, cloud and network security solutions; and multi-factor authentication integration for Zero-Trust, creating security defenses that work together for more effective protection and response against the most challenging threats with less time, effort, and cost to do so.

Channel your inner threat hunter: register for one of our Threat Hunting Workshops. You’ll get hands-on experience threat hunting, investigating and responding to threats so you can be relentless at breach defense too.


The post Relentless Breach Defense Endpoint Protection Platform + Endpoint Detection and Response appeared first on Cisco Blogs.

Establishing Device Trust to Secure the Workforce

Challenges of Protecting Endpoints

With an estimated 70% of breaches starting on endpoints – laptops, workstations, servers, and mobile devices – organizations need visibility into the devices connecting to applications both on the network and in the cloud. Organizations need the ability to establish trust in the devices connecting to resources containing sensitive information.

Curious how you can determine if you can trust the endpoints that are connecting to your business resources? Ask yourself a few quick questions:

  • Are you able to automatically notify users of out-of-date software to reduce your help desk tickets, or to block devices that have been compromised? Can you automatically quarantine malicious files before they infect your entire network?
  • Can you enforce endpoint controls for risky devices or corporate-owned devices? What about contractor devices or external third parties connecting to your network?
  • Can you enforce access policies based on the application risk or whether the device is a known healthy device that meets security guidelines?


Establishing Trust in Endpoints

In order to effectively establish trust in user devices, organizations should have device-based policies in place to prevent access by any risky or unknown devices. By validating that a device is both healthy and meets security policies, you can ensure it is trustworthy – key components of the Cisco Zero Trust security approach for the workforce.

Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:

  1. Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
  2. Enforcing trust-based policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications.
  3. Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities.

With Duo and Cisco® Advanced Malware Protection (AMP) for Endpoints, organizations have the tools in place to effectively establish trust in users’ devices connecting to protected applications. The abilities to prevent, detect and respond are key elements when considering device trust in a zero-trust security approach for the workforce.

Trust Through Protection and Detection

Establishing trust extends beyond managing the status of the device to include inspecting the device and controlling access based on risk evaluations, so that only devices that are healthy and meet your security controls are able to gain access to your corporate systems. With Duo Trusted Endpoints, you can enforce controls and policies to keep risky endpoints from accessing your applications. Policies can cover devices that are unmanaged, devices that don’t meet OS requirements, the status of required security features (configured or disabled), and full disk encryption.

AMP for Endpoints offers endpoint protection, advanced endpoint detection and response capabilities and a holistic view of your endpoints, regardless of operating system. AMP continuously monitors and analyzes all file and process activity within your network to find and automatically block threats that other solutions miss. It has more than 15 built-in protection and detection mechanisms to prevent threats from compromising your business. Once a malicious file is identified, a few clicks in AMP’s browser-based management console block it from running on all endpoints. AMP knows every other endpoint the file has reached, so it can quarantine the file for all users.

Available Soon – Integration between Duo Security and AMP for Endpoints

Adding AMP for Endpoints as a Trusted Endpoint in Duo provides the ability to protect applications from devices that AMP has flagged as infected with malware. This prevents such devices from accessing any application that contains sensitive data, reducing the risk of data loss.

Duo’s access policies will allow admins to block access from devices flagged by AMP without blocking the user entirely, permitting them to access applications from an alternate device to ensure continued productivity.

The automatic isolation and blocking of compromised devices provides organizations the ability to quickly remediate potential threats, reducing their risk surface without completely interrupting user productivity.
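The three steps above (establish trust, enforce a posture-based policy, continuously verify) can be made concrete with a small policy evaluator. The block below is an added example written for this page; it is not Duo or AMP code and does not use their APIs. The posture fields, the `MIN_OS_VERSION` table and the "high"/"low" application sensitivity levels are constructed assumptions. It shows why a device flagged by endpoint protection is denied for every application while the same user's healthy device still gets in, and how re-running the policy against fresh posture revokes an existing session.

```python
"""Illustrative device-trust policy evaluator (example code, not Duo/AMP)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Minimum OS version per platform: constructed policy values for this example.
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {"windows": (10, 0), "macos": (10, 15)}


@dataclass
class DevicePosture:
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    managed: bool                   # enrolled in device management
    disk_encrypted: bool            # full disk encryption on
    firewall_enabled: bool          # host firewall configured
    flagged_infected: bool = False  # verdict from endpoint protection (e.g. an EDR)


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_access(device: DevicePosture, app_sensitivity: str) -> Decision:
    """Steps 1 and 2: establish trust in the device, then apply the policy
    that matches the application's sensitivity ("low" or "high")."""
    reasons: List[str] = []
    # A device the endpoint protection has flagged is never trusted, for any app.
    if device.flagged_infected:
        reasons.append("flagged as infected by endpoint protection")
    min_version = MIN_OS_VERSION.get(device.platform)
    if min_version is None:
        reasons.append(f"unknown platform {device.platform!r}")
    elif device.os_version < min_version:
        reasons.append("OS version below minimum")
    # Sensitive applications additionally require a managed, hardened device.
    if app_sensitivity == "high":
        if not device.managed:
            reasons.append("unmanaged device")
        if not device.disk_encrypted:
            reasons.append("full disk encryption disabled")
        if not device.firewall_enabled:
            reasons.append("host firewall disabled")
    return Decision(allow=not reasons, reasons=reasons)


@dataclass
class Session:
    user: str
    device_id: str
    app_sensitivity: str


def sessions_to_revoke(sessions: List[Session],
                       postures: Dict[str, DevicePosture]) -> List[Session]:
    """Step 3: continuous verification. Re-run the policy against the latest
    posture and return the sessions whose device no longer passes."""
    return [s for s in sessions
            if not evaluate_access(postures[s.device_id], s.app_sensitivity).allow]


# Constructed sample: one user with two devices; the laptop has just been flagged.
LAPTOP = DevicePosture("lap-01", "windows", (10, 0), True, True, True, flagged_infected=True)
MACBOOK = DevicePosture("mac-02", "macos", (10, 15), True, True, True)
POSTURES = {d.device_id: d for d in (LAPTOP, MACBOOK)}


def demo() -> dict:
    active = [Session("alice", "lap-01", "low"), Session("alice", "mac-02", "high")]
    return {
        "laptop_high": evaluate_access(LAPTOP, "high").allow,   # False: flagged
        "macbook_high": evaluate_access(MACBOOK, "high").allow,  # True: healthy
        "revoked": [s.device_id for s in sessions_to_revoke(active, POSTURES)],
    }


if __name__ == "__main__":
    print(demo())
```

The decision is per device, not per user: the flagged laptop's session is revoked and its future requests are denied with an explicit reason, while the same user's healthy device keeps working, which is the "block the device without blocking the user" behaviour the text describes.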

How Duo detects and responds to potential threats from endpoint devices

Duo and AMP provide organizations with comprehensive tools to prevent, detect and respond to potential threats from endpoint devices, helping to establish trust in those devices.

Learn more about Cisco Zero Trust, and get started with a free trial of Duo and Cisco AMP for Endpoints to start establishing trust in your endpoints today.


The post Establishing Device Trust to Secure the Workforce appeared first on Cisco Blogs.

Trend Micro Discloses Insider Threat Impacting Some of its Consumer Customers

We recently became aware of a security incident that resulted in the unauthorized disclosure of some personal data of an isolated number of customers of our consumer product.  We immediately started investigating the situation and found that this was the result of a malicious insider threat. The suspect was a Trend Micro employee who improperly accessed the data with a clear criminal intent.  

We immediately began taking the actions necessary to ensure that no additional data could be improperly accessed, and have involved law enforcement.   

Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls.    

That said, we hold ourselves to a higher level of accountability and sincerely apologize to all impacted customers for this situation. Based on the current status of our investigation, we believe that all of the consumers who were potentially affected have already received individual notices from Trend Micro, but we will continue to investigate and provide further notices in the event that any further affected customers are identified. 


In early August 2019, Trend Micro became aware that some of our consumer customers running our home security solution had been receiving scam calls by criminals impersonating Trend Micro support personnel.  The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack. 

Although we immediately launched a thorough investigation, it was not until the end of October 2019 that we were able to definitively conclude that it was an insider threat. A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed.   

Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor. We took swift action to contain the situation, including immediately disabling the unauthorized account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation.  


If you have purchased our consumer product, you should know that Trend Micro will never call you unexpectedly. If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support using our official contact details below. 

We encourage you to please contact us for further assistance if you need any help related to any technical issues that may have arisen from interaction with the scammers.  These technical assistance support services, as with all support services, are already covered by your active license subscription. 


  • We would like to reassure our business and government customers that our investigations have shown no indication that the criminal has accessed any enterprise customer data. 
  • While every maliciously accessed data set is one too many, our investigation has shown that this security incident affects less than 1% of Trend Micro’s 12 million consumer customers. 
  • Our investigation further shows that the criminals were only targeting English-speaking customers, and we have only seen data accessed in predominantly English-speaking countries.  


Official contact information for Trend Micro technical support in your region can always be found at Please contact us if you have any questions or concerns. 


[Update November 6, 2019: The estimated number of consumer customers affected is 68,000.]




PPT Template: Build Your 2020 Security Plan

The end of the year is coming, and it's time for security decision-makers to make plans for 2020 and get management approval. Typically, this entails making a solid case regarding why current resources, while yielding significant value, need to be reallocated and enhanced. The Definitive2020 Security Plan PPT Template is built to simplify this task, providing security decision-makers with an

Securing Your Future by Innovating Today

At a time when cybercrime costs three times more than natural disasters globally [1], the demands on security are constantly growing. Whether you’re asked to protect a workforce that roams anywhere, a workplace that is digitized, or workloads that run wherever, your disparate security solutions are creating discord and an untenable level of complexity.

At Cisco, we’ve been on a quest to change that, and we believe we’re uniquely positioned to redefine security. As you’re innovating to build your future, we’re innovating to keep it secure — by creating a comprehensive platform approach and continuously evolving our security technologies.

That’s why I’m excited today to share some of the recent innovations across our security portfolio. With a cloud-powered platform approach in mind, these enhancements are designed to break down silos between SecOps, NetOps, and ITOps and free up your time by:

  • Simplifying your firewalling experience with more consistent policy management with cloud-native environments and cloud-based logging.
  • Accelerating your cloud adoption with new secure web gateway and firewall services in the cloud, deployed through a single IPsec tunnel.
  • Future-proofing your security with an industry-validated zero-trust approach for your workforce, workloads, and workplace, while integrating threat context.
  • Simplifying your breach defense experience with more visibility and actions for threat response, plus new services delivered by Cisco experts to help augment your team.


Security Operations made easier so you can focus on what matters


Experience the future of firewalling

As you’re moving applications into the cloud, the NetOps’ job is expanding to include cloud-native firewalls. Securing all control points across this multicloud environment should not feel like reinventing the wheel. We’re simplifying the experience and enabling NetOps to maintain consistent policies across firewalls, and into the cloud, starting with support for AWS, with more cloud providers roadmapped. Additionally, to help you easily maintain consistent policies as you’re adopting SD-WAN, we’ve simplified policy management for Meraki MX, one of our SD-WAN solutions. Just a few clicks, that’s all it takes to seamlessly harmonize policies across your hybrid environment.

We’re also improving visibility and making compliance easier with cloud-based logging for our NGFWs. This new capability aggregates and centralizes the on-prem and cloud logs so you can search, filter, and sort them, accelerating investigations while ensuring your organization complies with industry regulations.

The increased user connectivity to the cloud creates new demands for faster speeds, so we’re raising the bar with our appliances as well. The latest models of our NGFWs offer a 3X performance boost over previous appliances and optimize the performance-to-price ratio to keep your network — and business — running smoothly and securely.

Accelerate cloud adoption securely

To help you transition to the cloud successfully — and protect any user, anywhere they connect to the internet — while saving a considerable amount of resources, we’ve consolidated a broad range of security services into a single, cloud-delivered security solution and dashboard. Alongside DNS-layer security, CASB, and interactive threat intelligence services, we’ve added secure web gateway and firewall services to our cloud security solution to deliver deeper visibility and control over all ports and protocols, even encrypted web traffic.

The secure web gateway (full proxy) provides complete web traffic visibility, control, and protection — with capabilities like decrypting and scanning files on any site, filtering out inappropriate or malicious URLs, sandboxing unknown files, and blocking applications or app functions.

With this comprehensive set of functionalities, you can rely on us for the full security stack at smaller branches as you adopt SD-WAN. A single configuration in our networking product dashboards deploys DNS-layer security across hundreds of network devices, including SD-WAN. Additionally, a single IPsec tunnel deploys secure web gateway and firewall from any network device, including SD-WAN. Our integrated approach and Anycast routing can efficiently protect your branch users, connected devices, and application usage from all internet breakouts with 100% business uptime.

Secure access with a zero-trust approach

We have been working over the past year to create a more comprehensive zero-trust framework. Based on customer feedback, we focused on securing three key pillars: workforce, workloads, and workplace. We are thrilled that Forrester recognized our strides and named Cisco a leader in the recently released Forrester Wave among Zero Trust eXtended Ecosystem Platform Providers. As the analyst report noted, “Cisco excels in zero trust with a renewed and targeted focus … and is well-positioned as a prominent zero-trust player.”

We continue to innovate in this space and are reducing risks based on device trust by integrating our threat-detection capabilities with multi-factor authentication. The majority of breaches originate on the endpoint, but what if ITOps could establish trust in a user device before it’s allowed any access to sensitive resources? By safeguarding against vulnerable or compromised endpoints and blocking their access, you’ll be able to better detect and respond to malware threats as well as prevent data breaches.

Adopt breach defense everywhere

Taking endpoint defense one step farther, we added the ability to isolate an endpoint, which stops malware from spreading while giving SecOps time to remediate without losing forensics data, or simply giving ITOps time to troubleshoot an unknown issue. Making breach defense less overwhelming, endpoint isolation empowers incident investigators to uncover endpoint data that wasn’t available before — using advanced search with more than 300 query parameters, such as listing applications with high memory utilization.

Malware is also a growing problem at the network level because adversaries have learned to hide behind encrypted traffic. We’ve extended the capability to analyze encrypted traffic behavior into the cloud, providing higher fidelity of threat protection and enabling cryptographic compliance. At the same time, we’re simplifying investigations, giving you deeper visibility at multiple layers, and helping you respond quicker across different vectors by integrating network security analytics with our unified threat response application.

If you need help preparing for and responding to attacks, you can augment your team with our incident response services, now part of Talos. You know Talos as the team who’s constantly researching new threats on your behalf, and now they can integrate that intel even faster across our entire portfolio — benefitting not only retainer customers but everyone. For even leaner teams that need next-level support, we’re adding managed threat detection and response services to help you leverage your Cisco Security investments 24x7x365.

Several of these innovations are industry firsts, and we’re excited to offer customers new ways to better manage their growing business demands. I encourage you to take a closer look at these enhancements and discover how they can make your security an enabler rather than a barrier.

Get Started

Ready to experience for yourself how Cisco can simplify your experience, accelerate your success, and secure your future?




[1] Allianz Risk Barometer, 2019


The post Securing Your Future by Innovating Today appeared first on Cisco Blogs.

This Week in Security News: Pwn2Own Adds Industrial Control Systems to Hacking Contest and Cyber Crooks Target ESports

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Among news from this week, learn about Pwn2Own’s new hacking contest that will take place in Miami next year. Also, as October was Cybersecurity Awareness Month, read about best practices for keeping your family safe online.

Read on:

3 Ways for MSPs to Increase Their Managed Security Footprint

Small and midsize businesses comprise the bulk of the managed service providers’ (MSPs’) customer base — but they have a limited understanding of cyber attacks that can cause millions of dollars in remediation, recovery and reputational costs. This Trend Micro blog discusses 3 security service opportunities MSPs can explore with their existing customer base.

Microsoft: Russian Hackers Are Targeting Sporting Organizations Ahead of Tokyo Olympics

Microsoft said that a group of well-known Russian government hackers has targeted at least 16 national and international sporting and anti-doping organizations ahead of next year’s Tokyo Olympics. Microsoft said the attacks involved spear-phishing, password spraying, exploiting internet-connected devices, and the use of both open-source and custom malware.

Current and Future Hacks and Attacks that Threaten Esports

Esports has evolved from niche entertainment into a highly lucrative industry, and its growing popularity and increased funds have opened the door for cybercriminals looking for an opportunity to make a profit. In its recent report, Trend Micro predicts four threats that will target the growing esports industry over the next few years.

AutoIT-Compiled Negasteal/Agent Tesla, Ave Maria Delivered via Malspam

Trend Micro has recently discovered a malicious spam campaign that delivers AutoIT-compiled payloads: the trojan spy Negasteal (also known as Agent Tesla) and the remote access trojan (RAT) Ave Maria (also known as Warzone). In this blog, Trend Micro discusses best practices businesses and users can use to protect against Negasteal, Ave Maria and other highly complex threats.

Breaches at NetworkSolutions,, and

Top domain name registrars, and are asking customers to reset their passwords after discovering an intrusion in August 2019 in which customer account information was accessed.

Home and Away, All Year Round: How Can I Keep My Kids Safe Online?

With kids spending more time on internet-connected devices outside of the home, how do you make sure they’re safe online? In light of October being Cybersecurity Awareness Month, Trend Micro shares best practices for keeping your family safe online.

A New Playground for Cybercrime: Why Supply Chain Security Must Cover Software Development

Most organizations see supply chains as providers of physical goods and services, but there’s another crucial part of this ecosystem which some organizations may be overlooking: the software supply chain. The software supply chain opens a threat vector via which cybercriminals can infiltrate organizations, so it’s vital that IT security teams gain visibility and control of their organization’s code.

Misconfigured ElasticSearch Database Exposed Almost 7.5 Million Adobe Creative Cloud Users’ Records

A misconfigured cloud-based ElasticSearch database has exposed almost 7.5 million Adobe Creative Cloud user records that include email addresses, member IDs, information on installed Adobe products and subscription statuses, and whether or not they are Adobe employees.

Pwn2Own Adds Industrial Control Systems to Hacking Contest

The Zero Day Initiative will bring ICS Pwn2Own competition to the S4x20 conference in Miami in January, giving researchers an opportunity to hunt for bugs in popular ICS software and protocols. This is the first time Trend Micro’s Pwn2Own, now in its twelfth year, has added ICS tech to its lineup.

Cyber Crooks Take Aim at Their Next Big Target: ESports Tournaments and Players

Researchers at Trend Micro detail the ways in which the multi-billion dollar competitive online gaming industry could be vulnerable to malicious campaigns including DDoS attacks, malware and extortion.

Defending Systems Against Cryptocurrency Miner Malware

Cryptocurrencies have gained recognition as a legitimate currency because of their perceived anonymity and the online market’s speculation of their value. With increased use of internet-connected devices, online transactions using cryptocurrencies are expected to rise. Unfortunately, cybercriminals have already cashed in on its growing value and popularity.

Phishing Campaign Targets Humanitarian and Other Non-Governmental Organizations

Threat actors launched phishing attempts against several humanitarian and non-governmental organizations, including aid arms of the United Nations such as the United Nations Children’s Fund (UNICEF) and the UN World Food Program, as well as other groups like the International Federation of Red Cross and Red Crescent Societies.

Report: Over 20% of Phishing Campaigns Target Microsoft Users

Almost 4,000 domains and 62 phishing kit variants used to target Microsoft users were uncovered within an observation window of 262 days, according to a new report. This supports what Trend Micro reported in its 2019 Midyear Security Roundup, where it found that the number of blocked unique phishing URLs that spoofed Microsoft increased by 76% from 2H 2018 to 1H 2019.

The First Steps in Effective IoT Device Security

A new study from Gartner estimates that 5.8 billion enterprise and automotive internet of things (IoT) endpoints will be in use by 2020. Undoubtedly, daily operations and production have become easier and safer, thanks to these devices. But what are the risks involved in embracing this new technology?

Chinese Hackers Compromise Telecom Servers to Spy on SMS Messages

A group of Chinese hackers carrying out political espionage for Beijing has been found targeting telecommunications companies with a new piece of backdoor malware, dubbed “MessageTap,” which is designed to spy on text messages sent or received by highly targeted individuals.

Looking forward to seeing industrial control systems (ICS) as a category at Pwn2Own Miami? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Remote Access Trojans

You’re working for a high-profile technology company, close to releasing a market-changing product to the public. It’s a highly contested space, with many competitors, both domestic and international. There’s also a lot of buzz in the media and online speculation on the scope and impact your new product will have. And it goes without question that customers are keen to know more about the upcoming game-changer.

Your goal is to keep the secrets under wraps until the public announcement. Unfortunately, your surprise is about to be spoiled. It happens sometimes, as much as we work to prevent it—from accidental embargo slips to insider leaks. But in this case, it’s arguably the worst-case scenario: Your company has been breached and information about the product was stolen.

It’s unfortunate, but such breaches are not an uncommon occurrence—it’s something security professionals are far too familiar with. They occur across sectors, yet the way the data is stolen often includes familiar patterns. There are plenty of possible suspects, and untangling their motives is difficult. But in this cybersecurity game of “Clue,” we’re less concerned if it were Mrs. Peacock or Professor Plum. We want to know what the weapon was and how to prevent future murders.

There are a variety of useful weapons in an attacker’s arsenal. Downloaders, administration tools, and infostealers all often play a part in such an attack. But the go-to tool in many scenarios like this today is the remote access trojan, often referred to as a “RAT.”

The anatomy of a RAT

A RAT is a Swiss Army knife of sorts. Distributed through familiar vectors, such as malicious downloads and email attachments, many RATs include all the weapons mentioned above, and more, making it easier for an attacker to leverage each component when carrying out an attack. In short, a RAT consolidates a number of tools into one package.

There is a lot of variation from RAT to RAT. Some are generalist tools, meant to be used across a variety of attack scenarios. Others are highly tailored to a specific attack. Some RATs use predetermined proxies to help mask an attacker’s ultimate location. Other RATs may leverage command-and-control (C2) infrastructure to do the same.

While the functionality and infrastructure used by a given RAT will differ, what follows are common features found within many RATs. To illustrate an attack, let’s take it back to our tech company breach, showing how an attacker can leverage a RAT to gain access to, and steal, sensitive files on your upcoming product.

Gather system information

The attacker managed to breach the defenses in your company using a phishing email that included a link to the RAT. However, that doesn’t mean that they will immediately know where they are on the network. They’ll naturally want to learn more about the computer they compromised. Is it an administrative assistant’s desktop, a laptop belonging to finance, or a web server? Performing reconnaissance on the system helps the attacker learn how deep into an organization they have penetrated, whether they need to move laterally, or whether they’ve reached their intended target. Some reconnaissance tools even allow an attacker to scan other systems, gathering information about them.

Steal usernames and passwords

The attacker got onto one machine, but it wasn’t the intended target. They’d compromised a computer belonging to someone in the engineering group, but the materials they were after resided on a shared server. To move laterally, they may want to try searching for login credentials on the system they’ve already compromised. Many RATs include the ability to scrape saved and cached passwords, and once the usernames and passwords are in hand, the attacker can attempt to log into the shared server.

Log keystrokes

The attacker scanned the compromised computer looking for the login credentials, but no luck. Good news? Yes, but it’s only a minor setback. Many RATs include information-stealing components like keyloggers, meaning all the attacker has to do is enable it, and wait for the user of the compromised system to log into the shared server. When they enter login credentials, the attacker can capture them, and later attempt to log into the server themselves.

Download further malware

The attacker was able to obtain login credentials; however, their attempt to log in failed. (Perhaps your company uses multi-factor authentication?) To get to that shared engineering server, the attacker is going to have to call in reinforcements. They’ve identified a vulnerability on the shared server, and they need an attack toolkit to exploit it and gain access. Given how widely networks vary, many RATs include the ability to download further tools to assist in gaining further access. In this case, the RAT operates like a downloader, pulling down an attack toolkit that allows the attacker to progress.

Accessing and uploading files

The attacker managed to gain access to the shared server, traversed its directory structure, and located documents that outline your new product’s features. The next step is to exfiltrate those files. Most RATs contain the ability to upload files to a predetermined location. This is often done with help of a proxy or through a C2 infrastructure, thus covering the attacker’s tracks as they steal the documents in question.

Recording audio, video, and taking screenshots

There may be times that an attacker isn’t satisfied with simply stealing design docs. Perhaps they obtained a slide deck, but it lacks context in certain slides. In order to learn more, they might want to return their attention to the initially compromised computer and have the RAT record audio and/or video. The RAT might overhear the engineer speaking to a coworker or capture a video of a presentation meeting that discusses the product. RATs can often take screenshots as well, capturing critical documents on display.

Other uses

This is just one scenario where a RAT could be used end-to-end in an attack. RATs can be used in other situations as well. For instance, what if an attacker is hoping to exfiltrate financial data? A RAT can be leveraged to scrape banking details from a compromised computer or collect credit card numbers using a keylogger.

What’s important to highlight is that most RATs provide command line access to the systems that have been compromised. If adequate administrative rights are gained on these computers, an attacker can use a RAT to do just about anything that he or she desires.

Notable RATs

RATs have been around for a long time, and many prominent RATs have come and gone. Some recent RATs that have been prevalent on the threat landscape include Orcus RAT and RevengeRAT, which have been used by a variety of threat actors. Another commonly seen RAT is ExileRAT, which has been used in attacks with possible espionage-related motives, and shares a C2 infrastructure with the LuckyCat family of threats.

Not all RATs are built from the ground up either. Some are semi-legitimate tools, repurposed or reconfigured for malicious use. Two such examples include Imminent RAT and Remcos.

There are a number of attack groups monitored by Talos Intelligence that use RATs in their malicious campaigns. The SWEED threat actor often used Agent Tesla, the Panda threat actor has been seen dropping Gh0st RAT, and the Tortoiseshell group, who was recently caught scamming veterans, uses a RAT called IvizTech.

To catch a RAT

So the attacker managed to get into your network and obtain your product plans this time. How do you prevent them from doing it next time?

Fortunately, there isn’t anything particularly special about the way a RAT gets onto a system. They’re distributed in much the same way as other types of malware: they’re sent by email, dropped by droppers, set up as the payloads for exploit kits, along with other common attack vectors. Consider the following:

  • A good endpoint protection application is very useful in protecting against RATs. AMP for Endpoints blocks malware at point of entry, then detects, contains, and remediates advanced threats.
  • Monitoring network traffic for unauthorized activity is also important. Cisco Stealthwatch is the most comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure.
  • Many RATs encrypt their traffic, as we discussed in last month’s Threat of the Month blog, so be sure you can monitor such traffic as well. Encrypted Traffic Analytics provides insight into threats in encrypted traffic, without the need for decryption, using network analytics and machine learning.
  • Being able to connect to C2 domains is vital for many RATs to function. Blocking known malicious domains can go a long way in stopping a RAT in its tracks. Cisco Umbrella uses DNS to stop threats over all ports and protocols—even direct-to-IP connections—preventing connections to attacker’s servers.
  • Multi-factor authentication products can prevent an attacker from logging into a system if they manage to obtain login credentials. Verify users’ identities with applications such as Cisco Duo.
  • A good email security solution, as well as a strong network perimeter, will help to ensure that RATs are blocked outright. Cisco Email Security is your best defense against such attacks via email, while Cisco’s Next-Generation Firewall can stop attacks at the network boundaries.
  • A web security appliance with data loss prevention (DLP) features will also assist in cases where a RAT gets in and is attempting to steal sensitive information through the network. The Cisco and Digital Guardian DLP solution is a high-performance, comprehensive security solution for data in motion.
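
As an added example (not code from the Cisco post or from any Cisco product), here is what the network-side checks above look like when run over a constructed outbound-connection log: a blocklist match that works on whole DNS labels so that a listed domain also covers its subdomains, a flag for direct-to-IP connections that never went through DNS, and, going one step beyond the list above, a beaconing heuristic that catches a host contacting the same destination on a fixed schedule, which is how many RATs poll their C2. The log format, the host names, the domain bad-c2.example and the blocklist are all constructed for this example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound-connection log lines (not from any real product).
# Format: "<ISO timestamp> <source host> <destination name or IP> <destination port>"
SAMPLE_LOG = """\
2019-10-28T09:00:00 ws-017 api.example.com 443
2019-10-28T09:00:12 ws-017 cdn.example.net 443
2019-10-28T09:01:00 ws-017 update.bad-c2.example 8080
2019-10-28T09:02:00 ws-017 update.bad-c2.example 8080
2019-10-28T09:03:01 ws-017 update.bad-c2.example 8080
2019-10-28T09:03:40 ws-042 mail.example.org 993
2019-10-28T09:04:00 ws-017 update.bad-c2.example 8080
2019-10-28T09:05:00 ws-017 update.bad-c2.example 8080
2019-10-28T09:05:02 ws-042 198.51.100.23 4444
2019-10-28T09:07:13 ws-042 docs.example.com 443
"""

# Hypothetical blocklist of known C2 domains; any subdomain of an entry also matches.
C2_BLOCKLIST = {"bad-c2.example", "evil.example"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def is_blocked(name, blocklist):
    """Match on whole DNS labels: a listed domain covers its subdomains, but
    'notbad-c2.example' must not match 'bad-c2.example' (a plain endswith()
    check would get that wrong)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_blocklist_hits(records, blocklist):
    """Every connection whose destination name is on the blocklist."""
    return [(ts, src, dst) for ts, src, dst, _ in records if is_blocked(dst, blocklist)]


def find_direct_ip(records):
    """Connections made to a literal IP address. These never resolved a name,
    so DNS-layer blocking cannot see them and they deserve a separate look."""
    hits = []
    for ts, src, dst, port in records:
        try:
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # a host name, not an address
        hits.append((ts, src, dst, port))
    return hits


def find_beacons(records, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals.
    cv = stdev / mean of the inter-arrival times: a scheduled check-in has a
    cv close to 0, human-driven browsing does not."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "interval_s": round(mean, 1)})
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist hits:", find_blocklist_hits(recs, C2_BLOCKLIST))
    print("direct-to-IP:", find_direct_ip(recs))
    print("beacons:", find_beacons(recs))
```

The label-wise match is the detail worth copying: a listing for bad-c2.example must cover update.bad-c2.example without also catching notbad-c2.example. The beaconing test is a heuristic, not a verdict; software updaters and monitoring agents also poll on fixed intervals, so its output is a lead for the investigation step the post describes, not a block decision on its own.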

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published. 

The post Remote Access Trojans appeared first on Cisco Blogs.

Cisco Named a Leader in the 2019 Forrester Zero Trust Wave

“Cisco has adopted a zero-trust strategy and is well-positioned as a prominent zero-trust player.”

– The Forrester Wave™: Zero Trust eXtended
Ecosystem Platform Providers, Q4 2019

In today’s modern work environment, where access happens everywhere, security is increasingly complex. With users, devices and clouds moving outside the traditional network, the perimeter has greatly expanded and created gaps in visibility – making organizations more susceptible to an attack. To reduce organizations’ vulnerabilities, Cisco has been working to build the most comprehensive and integrated security platform that covers customers whether they are working at headquarters, at a branch office or on-the-go.

A key pillar of that platform is zero trust. This model moves from allowing all users, devices and workloads by default to one in which organizations trust nothing inside or outside their network perimeter. Access is granted only to authorized users, devices and workloads after trust has been established and threats prevented, all without degrading the user experience.

Cisco has been investing in and building the most expansive zero-trust framework in the industry for securing access across the workforce, the workplace and the workload. It is what customers require in this evolving work environment, and the market is taking note. With that, I am proud to share that Cisco has been named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 report.

“[Cisco] spent significant time and expense to realign much of its security portfolio to enable or enhance zero trust for its customers.”

– The Forrester Wave™: Zero Trust eXtended
Ecosystem Platform Providers, Q4 2019

We believe this recognition validates Cisco’s multi-year zero-trust vision and strategy. We have long led this market with SD-Access and segmentation technologies in our network infrastructure. With the acquisition of Duo last year, we added a further layer of security with its authentication and adaptive policy technology and extended trusted access to multi- and hybrid-cloud environments. Then, with the addition of Tetration, we have been able to help ensure that our customers’ cloud applications remain secure.

These products have come together to create the most comprehensive framework for securing access across three key fronts:

  • Workforce – Using multi-factor authentication (MFA) and contextual user access policies, Duo allows organizations to verify an employee’s identity to ensure they are who they say they are and add more checks on the trustworthiness of devices through security health inspections.
  • Workplace – With SD-Access, we are protecting the workplace by securing all connections into and across the network by using segmentation, so that users and devices are only getting access to what they need access to do their job and function.
  • Workload – Workloads are dynamic, moving across private, hybrid cloud and multi-public cloud environments. With Tetration, you can automate enforcement of highly specific segmentation policy for applications in your multi-cloud environments.

With Cisco Zero Trust, you can ensure secure, trusted access wherever it happens. Start your zero-trust journey today by signing up for a free Duo trial, demoing Tetration and learning more about SD-Access.

Download the report today!
The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019

The post Cisco Named a Leader in the 2019 Forrester Zero Trust Wave appeared first on Cisco Blogs.

3 Ways for MSPs to Increase Their Managed Security Footprint

Managed service providers looking to increase their business often face the choice of whether to focus on finding new customers or expanding their existing base. But there’s a growing opportunity making the latter option especially appealing.

The small and midsize businesses that comprise the bulk of the MSP customer base have a limited understanding of cyber attacks–an ever-escalating threat that can cause millions of dollars in remediation, recovery and reputational costs. SMBs need guidance to strengthen their cyber defenses, and MSPs are best positioned to address this need by delivering affordable managed security services.

Moreover, adding services for existing customers costs less than prospecting for new clients. Existing customers don’t need to be pitched: if an MSP has deployed its services well, customers already trust it to deliver value and support their business goals, making them more willing to adopt additional services from the provider.

With that in mind, here are three security services opportunities MSPs can explore with their existing customers:

1. Managed Email Services

Businesses increasingly rely on cloud-based applications such as Office 365 and Google Drive services to run operations. These services have built-in cyber protection, but it’s not enough to fully safeguard businesses against the previously unknown digital dangers that make up 95% of threats in the wild.

MSPs can deliver added protection for email and file-sharing platforms as a managed service, supplementing it with awareness and training programs that educate employees on cybersecurity. Cyber attacks frequently succeed because many end users have a poor understanding of security risks–for example, unwittingly clicking infected URLs or attachments that cause security breaches. With proper instruction on cyber dangers, users are much less likely to make these mistakes.

2. Protection Beyond the Endpoint

Endpoint detection and response remains a critical need, but only addresses part of the problem. Threat actors have become savvier at breaking into networks to disrupt operations and steal data in various ways–a lot of threats hide in the network unnoticed, waiting to strike.

Addressing these threats requires a multilayered approach to security that includes visibility and quick incident response capabilities. MSPs can help businesses via managed security services that are administered from a central console and deliver multiple layers of protection at the endpoint and beyond–servers, cloud workloads, email and the network itself.

3. Perimeter and Network Protection

Managed unified threat management (UTM) services with comprehensive security capabilities are another area where MSPs can play an essential role. Managed UTM further strengthens a company’s defenses against cyber attacks with features such as a managed firewall, HTTPS scanning, URL filtering, intrusion detection, and protection against malware, email-borne threats and distributed denial of service (DDoS) attacks.

The ideal managed UTM solution should provide easy deployment and simple management from a single location. MSPs that deliver UTM services add significant value to customers by enhancing their security posture against cyber attacks that can disrupt operations and incur significant costs.

MSPs can increase their customer footprint by taking advantage of Trend Micro’s MSP Program. It helps providers add managed security services to their portfolio, boosting their business prospects and fortifying their clients against the cyber threats of today–and tomorrow.

The post 3 Ways for MSPs to Increase Their Managed Security Footprint appeared first on .

This Week in Security News: Trend Micro Acquires Cloud Conformity and Apple Removes Malicious iOS Apps from App Store

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s recent acquisition of Cloud Conformity. Also, read about a fake photo editing app on Google Play and the 17 malicious iOS apps removed from Apple’s app store.

Read on:

Trend Micro Acquires Cloud Conformity

Trend Micro recently acquired Cloud Conformity, an innovative Cloud Security Posture Management (CSPM) company. The acquisition instantly broadens the cloud services Trend Micro can secure and resolves often overlooked security issues caused by cloud infrastructure misconfiguration. Hear our VP of cybersecurity, Greg Young, explain the specific benefits of this acquisition for developers in this vlog.

Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing

Despite Google’s recently updated permission policy for Android applications, which restricts access to the SMS and Call Log permissions, Trend Micro recently found an app on Google Play named “Yellow Camera” that poses as a photo editing app. The app embeds a routine that reads SMS verification codes from system notifications and uses them to activate Wireless Application Protocol (WAP) billing.

Apple Removes 17 Malicious iOS Apps from App Store

Researchers have uncovered 17 apps on Apple’s official App Store infected with malware. Apple has since removed the apps from the App Store – but a “significant” number of iOS users could have installed them, researchers said.

The Shared Responsibility Model

Security in the cloud works using the Shared Responsibility Model. Mark Nunnikhoven, vice president of cloud research, shares how this model dictates who is responsible for any operational task in the cloud, and how the number one threat in the cloud today is service misconfigurations, which often arise when there’s a misunderstanding of who is responsible for an area of responsibility.

Sodinokibi Ransomware Gang Appears to Be Making a Killing

The Sodinokibi ransomware-as-a-service operation appears to be making a killing, with proceeds flowing both to the gang behind the malware as well as dozens of affiliates.

The Cloud: What It Is and What It’s For

From powering video streaming, web-based apps, customer relationship management (CRM) systems, mobile banking, inventory, and big data analyses, the cloud is helping empower businesses of all sizes to focus on innovation rather than infrastructure. This blog from Trend Micro discusses the ins and outs of cloud computing and how it’s changing the way we work.

Chrome and Firefox Will Now Alert You About Data Breaches Involving Your Accounts

Mozilla has launched Firefox 70 for Windows, Mac, and Linux with new features such as social tracking protection, a Privacy Protections report, and a native data breach notification service for your saved logins.

Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds

Researchers at Security Research Labs (SRL) demonstrated how applications (called Skills in Amazon Alexa and Actions on Google Home) can be used to exploit security issues in the way certain device functions are operated through the apps. To show how threat actors can eavesdrop on the device’s owners, the researchers used a variation of the techniques used to steal data.

Ransomware Cripples German Automation Company, BEC Operators Arrested in Spain

Trend Micro report covers two noteworthy incidents that took place in Europe: a ransomware attack crippling a German automation company and business email compromise (BEC) operators getting arrested in Spain.

FTC Bars Company from Selling “Stalking” Apps

The Federal Trade Commission said it barred the developer of three “stalking” apps from selling the products until the company can ensure they’re used legally. Software maker Retina-X Studios marketed the apps, called MobileSpy, PhoneSheriff and Teen Shield, for monitoring employees and children, but federal regulators said they were often installed by hackers without users’ knowledge or consent.

European International Airport Workstations Infected with Persistent Anti-CoinMiner Malware

XMRig cryptocurrency mining malware was found running on more than half of the workstations at a European international airport, despite an industry-standard anti-virus product being installed. Reports said Cyberbit discovered the campaign running in the background during a standard installation of an endpoint product.

The Banking and Finance Industry Under Cybercriminal Siege: An Overview

The need for 24/7-connected smart devices has driven the banking and finance industry to adapt, especially with the wider adoption of the internet of things (IoT) among businesses and users. In this analysis, Trend Micro discusses the evolving attacks and threats that cybercriminals use to compromise financial companies, their third-party partners and suppliers, and their customers.

Underground Intrusion Specialists Team Up with Ransomware Groups

A new report highlights how “access-as-a-service” providers and ransomware groups have come together to compromise and victimize targets. Trend Micro shares best practices for organizations to implement to protect against these attacks in its recent blog.

Trend Micro Picks Up Cloud Conformity for $70 Million

As part of the acquisition, all Cloud Conformity staff will join the company, Trend Micro confirmed. The company added that existing Cloud Conformity customers will further grow Trend Micro’s current 16,000 hybrid cloud customer base. Trend Micro has also made Cloud Conformity immediately available to its customers.

Putting the Eternal in EternalBlue: Mapping the Use of the Infamous Exploit

In 2017, EternalBlue was the driving force behind one of the nastiest ransomware outbreaks on record. And despite available fixes, it is still being used by malware today—from ransomware to widespread cryptocurrency miners. Learn about EternalBlue activity over the past two years in Trend Micro’s recent analysis.

How to Get the Most Out of AWS re:Invent 2019

More than 50,000 people attended last year’s conference, and, undoubtedly, more will attend AWS re:Invent 2019. But a little preparation can go a long way to ensure you pack in as many of the sessions and meetings as possible. Mark Nunnikhoven, vice president of cloud research, shares his recommendation on how to make the most of time spent at the conference.

Bug Bountie$ = Patches (How?)

In this episode of The SecureWorld Sessions, we hear from Brian Gorenc who runs the Zero Day Initiative (ZDI), which is the largest vendor agnostic bug bounty program in the world. Gorenc discusses the process of how security vulnerabilities are discovered, reported, and fixed.

Surprised by the sudden influx of fake and malicious mobile apps posing as legit apps? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Acquires Cloud Conformity and Apple Removes Malicious iOS Apps from App Store appeared first on .

A New Playground for Cybercrime: Why Supply Chain Security Must Cover Software Development

Most organisations see supply chains as providers of physical goods and services. The supply chain management function in these companies usually provides the governance framework to reduce third-party risks and prevent hackers from stealing data, disrupting daily operations and affecting business continuity. But there’s another crucial part of this ecosystem which some organisations may be overlooking: the software supply chain.

Software is the lifeblood of the modern enterprise, so it’s vital that IT security teams gain visibility and control of the code that flows through their organisation, before it becomes a major cyber risk.

Software is eating the world

It’s now eight years since Netscape co-founder and entrepreneur Marc Andreessen wrote the highly influential article Why Software is Eating the World. In the intervening time, digital transformation has, if anything, made application development even more important to business success. There aren’t many organisations on the planet today that aren’t using such capabilities to respond to ever-evolving customer demand for unfettered access to innovative services and products across multiple devices.

Yet here’s where the problems start: to gain a competitive edge, developers will often use openly shared code and libraries to quickly embed functionality without having to re-invent the wheel. Unfortunately, security is too often an afterthought, with little or no consideration given to the potential threat of using these shared repositories.

Under the radar

The software supply chain therefore opens up a useful threat vector via which cyber-criminals can infiltrate organisations. These attacks are not actually a new phenomenon — in fact, they’ve been around for years. They usually involve compromise of the original software via malicious tampering of its source code, its update server, or in some cases, both. The intention is always the same: to get into the network or host of a targeted entity as quietly as possible.

Very rarely do organisations think about extending the secure supply chain framework to either in-house or external application software providers and developers. That leaves a potentially major gap in protection that the bad guys are primed to exploit.

The most common attack methods include injecting malicious code into source code, whether for natively compiled languages such as C/C++ or for interpreted and just-in-time-compiled ones such as Java and .NET. Earlier this year three malicious Python libraries were uploaded to the official Python Package Index (PyPI) containing a hidden backdoor that would activate when the libraries were installed on Linux systems.

The three packages — named libpeshnx, libpesh, and libari — were authored by the same user, and had been available for download from PyPI for almost 20 months before being discovered by security researchers from ReversingLabs.

Securing the software supply chain

The good news is that there are a few simple steps that can be taken to mitigate these risks and ensure clean software development and build environments.

Maintaining and cross-validating the integrity of source code and of all compiler libraries and binaries is a good starting point. Third-party libraries and code must be vetted and scanned for malicious indicators before integration and deployment.

Proper network segmentation is also essential for separating critical assets in the build and distribution (update server) environments from the rest of the network. Also key is the enforcement of strict access controls, with multi-factor authentication (MFA) applied to any release build servers and endpoints. Of course, these steps do not excuse the developers themselves from the responsibility of continuously monitoring the security of their systems.
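
As an added example (not Trend Micro’s or Snyk’s code), here is the integrity check described above applied to third-party artifacts, in Python since the incident discussed was on PyPI: a digest is recorded for each artifact at the time it is vetted, and a later build is allowed only if every artifact it pulls in is pinned and still matches its pin. The package names, their contents and the unvetted “newdep” artifact are constructed for this example.

```python
import hashlib
import hmac


def sha256_bytes(data):
    """Digest of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Digest of a downloaded artifact on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def pin_artifacts(vetted):
    """Vetting time: record the digest of every artifact that was reviewed and scanned."""
    return {name: sha256_bytes(data) for name, data in vetted.items()}


def verify_artifacts(downloaded, pinned):
    """Build time: each artifact must be pinned AND match its pin.
    Returns {name: 'ok' | 'tampered' | 'unpinned' | 'missing'}."""
    report = {}
    for name, data in downloaded.items():
        expected = pinned.get(name)
        if expected is None:
            report[name] = "unpinned"        # nobody vetted this dependency
        elif hmac.compare_digest(sha256_bytes(data), expected):
            report[name] = "ok"
        else:
            report[name] = "tampered"        # bytes differ from what was vetted
    for name in pinned:
        if name not in downloaded:
            report[name] = "missing"         # pinned artifact not present in the build
    return report


def build_allowed(report):
    """Only an all-'ok' report lets the build proceed."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed stand-ins for third-party artifacts; the bytes are arbitrary.
VETTED = {
    "libfoo-1.2.0.tar.gz": b"from setuptools import setup\nsetup(name='libfoo')\n",
    "libbar-0.9.1-py3-none-any.whl": b"PK\x03\x04 constructed wheel bytes",
}
PINNED = pin_artifacts(VETTED)

# A later download: libfoo's archive no longer matches what was vetted, and a
# hypothetical dependency nobody reviewed ("newdep") has been pulled in.
DOWNLOADED = {
    "libfoo-1.2.0.tar.gz": b"from setuptools import setup\n# one changed line\nsetup(name='libfoo')\n",
    "libbar-0.9.1-py3-none-any.whl": VETTED["libbar-0.9.1-py3-none-any.whl"],
    "newdep-0.1.tar.gz": b"constructed, never vetted",
}


if __name__ == "__main__":
    report = verify_artifacts(DOWNLOADED, PINNED)
    for name, status in sorted(report.items()):
        print(f"{status:9s} {name}")
    print("build allowed:", build_allowed(report))
```

This is the same check pip performs in hash-checking mode (pip install --require-hashes -r requirements.txt, with a --hash=sha256:... entry per package), and the lock files of npm, Cargo and Go modules do the equivalent. Its limit is worth stating: a pin only proves the artifact is the one that was vetted, so a backdoor already present at vetting time, as in the PyPI case above, has to be caught by the scanning step, not by the hash.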

Teaming up for success

Trend Micro has had capabilities to secure containers for some time, via the image scanning service Deep Security Smart Check and the runtime protection built into Deep Security. But we understand that teaming up with third-party security providers can also be useful for our customers. That’s why we recently announced a partnership with Snyk, a developer-first open source security vendor. This deal, over two years in the making, is the result of a technology-focused mutual respect between the two firms and will result in unrivalled end-to-end container security capabilities.

As part of the agreement, Trend Micro will identify vulnerabilities at build time with Smart Check and provide shields at runtime via intrusion prevention (IPS) and network firewall capabilities. Meanwhile, Snyk will fix flaws at source through developer workflows, engagement and automated remediation.

The result is that organisations’ software supply chains can be enhanced rather than hindered by security. Teams working flat out on secure continuous delivery will be able to provide a launchpad for digital success rather than exposing the organisation to unnecessary extra cyber risk.

The post A New Playground for Cybercrime: Why Supply Chain Security Must Cover Software Development appeared first on .

What Are Some Barriers That Web Hosting Providers Face in Deploying a WAF?

Website owners rely on web hosting providers to get their websites up and running online. 

But here’s the thing that may trip up some website owners: hosting providers are only responsible for protecting the server on which websites are hosted; customers need to protect their own websites within that server. 

Bottom line: Web hosting providers are not responsible for the security of websites themselves.

What some web hosting providers may not realize is that the level of security that a web hosting service offers is extremely important to a prospective customer.

Depending on their needs, customers may be looking to see whether a web hosting provider offers SSL, backups, DDoS mitigation, firewalls, and more. 

Web hosting providers may choose instead to focus on offering content management systems (WordPress, Drupal, Joomla etc.) rather than any web security tools. 

This blog post will discuss some of the concerns web hosting providers may have in partnering with a security vendor specifically to offer a WAF (Web Application Firewall). What are some barriers to entry and how can Cloudbric make the transition smoother compared to other WAF vendors?

1) Extremely long learning curve 

First, web hosting providers may be worried about the deployment and management requirements that come with installing and utilizing a WAF. 

Before they can extend security to their customers, web hosters are faced with a slight learning curve when configuring a WAF for the first time or when creating custom policy rules that fit their security needs.

Regardless of the WAF vendor that a web hoster ultimately partners with, there will be some kind of learning curve. Luckily WAF security vendors like Cloudbric seek to minimize management requirements by providing flexible deployment models.

With API integrations available for web hosting providers, these web hosting companies can easily integrate Cloudbric’s APIs into their WAF service sign up process to offer WAF as an add-on security service into their hosting plans. 

2) Perceived need for multiple security personnel to deploy and maintain a WAF

Web hosting providers make most of their profit from hosting websites on their servers. They have thousands of clients to manage and keep happy.

Some of their responsibilities include guaranteeing high reliability/uptime in addition to providing technical support. 

Depending on the size of the web hosting firm, web hosters may feel like they need a big security team to deploy and maintain WAF. However, there are many security vendors out there that offer fully managed WAFs such as Cloudbric. 

The management overhead of a WAF can be very low, which allows IT personnel to “set it and forget it.” Web hosters do only minimal work while still gaining an additional source of monthly revenue by extending web application security to their customers.

3) Complex UI/UX

UI/UX is extremely important to almost every software user out there. For WAFs, it’s no different. Most web hosting providers want a seamless experience when using a WAF console in order to manage customers and disseminate threat information easily. 

Furthermore, end users themselves should be able to login to their own dashboards and understand their web attacks and perform basic security settings such as IP blocking.

One added benefit for web hosting providers is expending far fewer resources to reach those insights.

Cloudbric’s user-friendly WAF console makes it easy for web hosting providers to manage all client websites.

Learn more by requesting a demo with Cloudbric. 

4) Upkeep costs

For web hosters, there is always the fear of additional upkeep costs, upgrades, and other “hidden” costs.

Most web hosters are interested in making a return on investment (ROI) but will need to consider the total cost of ownership should they choose to provide WAF to their customers as an add-on security service. 

(Contact us to get a quote and see for yourself  how Cloudbric offers the cheapest WAF compared to other vendors.)

The total cost of ownership includes more than just the product purchase. For WAFs, there might be installation fees and upkeep fees to worry about. Upkeep costs may include hardware or software updates. 

Fortunately, with cloud-based options like Cloudbric, there is zero hardware required to install or maintain an exclusive WAF. 

Furthermore, there is no need to worry about management costs such as day-to-day tasks including any configurations, policy updates etc. Cloudbric’s security team of experts can handle all of this for web hosting providers. 

Finally, signature updates for the WAF technology itself are also not necessary because Cloudbric uses signature-free and AI techniques to detect threats.


For web hosting companies with a low-profit margin, adding complementary security services to their paid hosting plans can create new streams of revenue. 

Web hosting companies may be interested in distributing WAF to their customers but are hesitant to do so due to perceived barriers to entry. 

However, as we explored in this blog post, these barriers such as a need for a specialized security team, complex UI/UX, and upkeep costs, can all be addressed with the right WAF vendor.

If you’re a web hosting service provider, and if you’d like to talk to one of our security experts in more detail,  fill out the form below! No commitments whatsoever. 


The post What Are Some Barriers That Web Hosting Providers Face in Deploying a WAF? appeared first on Cloudbric.

Banks, Arbitrary Password Restrictions and Why They Don’t Matter


Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway.

I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening:

People are Upset About Arbitrary Restrictions

This is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier on in the week:

It feels wrong because 5 digits presents an extremely limited set of different possible combinations the password can be. (There's something a little off with the maths here though - 5 digits would only provide 100k permutations whereas 5 characters would provide more in the order of 1.5B.)

That said, Westpac down in Australia certainly appears to be 6 characters:

Which puts us well north of a billion possibilities again. Want more? CommBank will give you 16 characters:

On the one hand, it's a damn sight more generous than the previous two banks yet on the other hand, why? And while I'm here questioning CommBank's logic, what the hell is going on with this:


1Password has an open letter to banks on precisely this, because it's awful advice steeped in legacy misunderstandings of both technology and human brains. That open letter is often used as a reference to persuade banks to lift their game:

So on the surface of it, the whole thing looks like a bit of a mess. But it's not necessarily that bad, and here's why:

Password Limits on Banks Don't Matter

That very first tweet touched on the first reason why it doesn't matter: banks aggressively lock out accounts being brute forced. They have to because there's money at stake and once you have a financial motivator, the value of an account takeover goes up and consequently, so does the incentive to have a red hot go at it. Yes, a 5-digit PIN only gives you 100k attempts, but you're only allowed two mistakes. Arguably you could whittle that 100k "possibilities" down to a much smaller number of "likely" passwords either by recognising common patterns or finding previously used passwords by the intended victim, but as an attacker you're going to get very few bites at that cherry:

Next up is the need to know the target's username. Banks typically use customer registration numbers as opposed to user-chosen usernames or email addresses so there goes the value in credential stuffing lists. That's not to say there aren't ways of discovering someone's banking username, but it's a significantly higher barrier to entry than the typical "spray and pray" account takeover attempts.

Then there's the authentication process itself and it reminds me of a discussion I had with a bank's CISO during a recent workshop. I'd just spent two days with his dev team hacking themselves first and I raised the bollocking they were getting on social media due to a new password policy along the lines of those in the tweets you see above. He turned to me and said, "Do you really think the only thing the bank does to log people on is to check the username and password?" Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioural and heuristic patterns used to establish legitimacy. You won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture:

Then there's the increasing propensity for banks to implement additional verification processes at key stages of managing your money. For example, one of the banks I regularly use sends me a challenge via SMS whenever setting up a new payee. Obviously, SMS has its own challenges, but what we're talking about now is not just needing to successfully authenticate to the bank, but also to prove control of a phone number at a key stage and that will always be more secure than authentication alone.

And if all of this fails? Banks like ING will give you your money back:

Now, compare all this to logging on to a vBulletin forum:

How much sophistication do you think is behind those username and password fields in that vBulletin forum? Exactly, it's basic string-matching and this is really the point: judging banks by the same measures we judge basic authentication schemes is an apples and oranges comparison.

However, I disagree with banks taking this approach so let me now go and argue from the other side of the fence.

Banks Shouldn't Impose Password Limits

There are very few independent means by which we can assess a website's security posture in a non-invasive fashion. We can look for the padlock and the presence of HTTPS (which is increasingly ubiquitous anyway) and we can look at the way in which they allow you to create and use passwords. Beyond that, there are few remaining measures of substance we can observe without starting to poke away at things.

So what opinion do you think people will form when they see arbitrary complexity rules or short limits? Not a very positive one and there are the inevitable conclusions drawn:

Hey [bank], does that 16 character limit mean you've got a varchar(16) column somewhere and you're storing passwords as plain text?

As much as I don't believe that's the case in any modern bank of significance, it's definitely not a good look. Inevitably the root cause in situations like this is "legacy" - there's some great hulking back-end banking solution the modern front-end needs to play nice with and the decisions of yesteryear are bubbling up to the surface. It's a reason, granted, but it's not a very good one for any organisation willing to make an investment to evolve things.

But beyond just the image problem, there's also a functional problem with arbitrarily low password limits:

I've been through this myself in the past and I vividly recall creating a new PayPal password with 1Password only to find the one in my password manager had been truncated on the PayPal side and I was now locked out of my account. This is just unnecessary friction.
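The lockout above has a precise mechanism: the server cut the password to its limit when it was set but hashed the full string at login. As an added example, not PayPal's or 1Password's code, here is a store that does exactly that beside one that rejects over-length input up front. The 16-character cap stands in for a legacy back-end limit, the 8..128-byte window is an assumed modern policy, and the in-memory stores are invented for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumptions (not from the post): the 16-character cap stands in for a legacy
# back-end limit, 8..128 bytes for an explicitly enforced modern policy, and
# the in-memory stores are invented for illustration.
LEGACY_MAX_CHARS = 16
MODERN_MIN_BYTES = 8
MODERN_MAX_BYTES = 128
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LegacyTruncatingStore:
    """Silently cuts the password to 16 characters when it is set, but hashes
    the full string at login. Anything longer than 16 characters can never
    log in again: the lockout described above."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(password[:LEGACY_MAX_CHARS], salt))  # silent truncation

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, _derive(password, salt))  # full string: mismatch if longer


class ExplicitLimitStore:
    """Rejects over-length input with an error instead of truncating, so what
    the password manager saved is exactly what the server will later accept."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def check_length(password: str) -> None:
        n = len(password.encode("utf-8"))   # count bytes: the KDF sees bytes, not characters
        if not MODERN_MIN_BYTES <= n <= MODERN_MAX_BYTES:
            raise ValueError(f"password must be {MODERN_MIN_BYTES}..{MODERN_MAX_BYTES} bytes, got {n}")

    def register(self, user: str, password: str) -> None:
        self.check_length(password)
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, _derive(password, salt))


def demo_lockout() -> Tuple[bool, bool, bool]:
    """A constructed 32-character generated password against both stores."""
    generated = "aB3$dE5&gH7*jK9(mN1)pQ2!sT4#vW6%"
    legacy, modern = LegacyTruncatingStore(), ExplicitLimitStore()
    legacy.register("troy", generated)
    modern.register("troy", generated)
    return (
        legacy.verify("troy", generated),                     # locked out with the saved password
        legacy.verify("troy", generated[:LEGACY_MAX_CHARS]),  # the effective password is 16 chars
        modern.verify("troy", generated),                     # round-trips unchanged
    )
```

The second result is the nastier one: the legacy store's effective password is 16 characters whatever the user typed, so the "extra" entropy the password manager generated was thrown away without anyone being told. The same caveat applies to bcrypt's 72-byte input limit; an explicit check, or pre-hashing, beats quiet truncation either way.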


So wrapping it all up in reverse order, arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.

But would I stop using a bank (as I've seen suggested in the past) solely due to their password policy? No, because authentication in this sector (and the other security controls that often accompany it) goes far beyond just string-matching credentials.

Let's keep pushing banks to do better, but not lose our minds about it in the process.

Expanding bug bounties on Google Play

Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy

[Cross-posted from the Android Developers Blog]

We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).

Google Play Security Reward Program Scope Increases

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.

To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.

Introducing the Developer Data Protection Reward Program

Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.

The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, following the model of Google's other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or the Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact a single report could net a bounty as large as $50,000.

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!

October Is National Cyber Security Awareness Month: Be Part of Something Big

2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.

Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.

Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.

The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:

This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:

What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.
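As an added example, not from the post or the NSRC slides, here is the outbound control the two paragraphs above describe, reduced to a policy evaluator over flow records: quarantined (compromised) sources lose all egress, known adversary infrastructure is blocked as a destination, server networks get default-deny egress with an explicit allowlist, and user networks pass but are labelled so a monitoring pipeline can pick them up. The address ranges, allowlist and flows are constructed for illustration, using RFC 5737 documentation prefixes for everything off-campus.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumptions (not from the post or the NSRC slides): the address ranges, the
# allowlist and the flows below are constructed for illustration, using
# RFC 5737 documentation prefixes for everything off-campus.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


class EgressPolicy:
    def __init__(self, server_nets: Iterable[str],
                 allowed_server_egress: Iterable[Tuple[str, int, str]],
                 quarantined_hosts: Iterable[str], adversary_infra: Iterable[str]) -> None:
        self.server_nets = [ipaddress.ip_network(n) for n in server_nets]
        self.allowed = [(ipaddress.ip_network(n), port, proto) for n, port, proto in allowed_server_egress]
        self.quarantined = {ipaddress.ip_address(h) for h in quarantined_hosts}
        self.adversary = [ipaddress.ip_network(n) for n in adversary_infra]

    def quarantine(self, host: str) -> None:
        """Admin-identified compromised asset: cut all of its outbound traffic."""
        self.quarantined.add(ipaddress.ip_address(host))

    def block_infrastructure(self, net: str) -> None:
        """Admin-identified adversary C2 infrastructure: block it as a destination."""
        self.adversary.append(ipaddress.ip_network(net))

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        if src in self.quarantined:
            return "block", "quarantined-source"
        if any(dst in n for n in self.adversary):
            return "block", "adversary-destination"
        if any(src in n for n in self.server_nets):
            for net, port, proto in self.allowed:
                if dst in net and flow.dport == port and flow.proto == proto:
                    return "allow", "server-allowlist"
            return "block", "server-default-deny"
        # Users get out, but this is the traffic where monitoring earns its keep.
        return "allow", "user-network"


def build_demo_policy() -> EgressPolicy:
    policy = EgressPolicy(
        server_nets=["10.10.0.0/24"],                           # the "critical server assets"
        allowed_server_egress=[("192.0.2.53/32", 53, "udp"),    # campus resolver
                               ("192.0.2.80/32", 443, "tcp")],  # package mirror
        quarantined_hosts=[],
        adversary_infra=["198.51.100.0/24"],                    # C2 range identified by analysts
    )
    policy.quarantine("10.1.1.5")     # a workstation the SOC just found beaconing
    return policy


# Constructed flow records, as a flow collector or firewall log would present them.
DEMO_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 443),        # quarantined workstation, any destination
    Flow("10.2.0.7", "198.51.100.9", 443),        # healthy user host reaching the C2 range
    Flow("10.10.0.20", "203.0.113.10", 443),      # server reaching an unknown host
    Flow("10.10.0.20", "192.0.2.53", 53, "udp"),  # server doing DNS against the allowlisted resolver
    Flow("10.2.0.7", "203.0.113.10", 443),        # ordinary user browsing
]


def audit(policy: EgressPolicy, flows: Iterable[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *policy.evaluate(f)) for f in flows]
```

The ordering is deliberate: quarantine and adversary-infrastructure rules come first because they are the ones an analyst adds mid-incident, and they must win regardless of what the standing allowlist says. The same table can be pushed into a stateful firewall or, as the routing approaches mentioned below do, into null routes; the decision logic is what stays constant.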

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requires a high degree of diligence, which in turn requires visibility. I did not see this emphasized in the NSRC presentation. For example:

These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhanced monitoring for the networks discussed above, and to think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced with the same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see, is that the individuals who make it their business to steal or disrupt your data, are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click of a malicious link in a phishing email to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas to give you a fighting chance to detect, and react to, malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again our high-powered technical, mobile, and social world often demands we run at warp speed.  Who has time to document? Well — make the time.  Good documentation to include process, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident.  It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

NCSAM, Week Five: Protecting Critical Infrastructure

It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.

The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.

The New Security Reality

It’s week 4 of National Cyber Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The New Security Reality appeared first on Connected.

Cyber Security Careers Are in High Demand

October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022 there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.

The post Cyber Security Careers Are in High Demand appeared first on Connected.