Crypto-Mining Malware Attacks on iPhones Up 400%: Report (Tue, 16 Oct 2018 06:47:45 -0500)

Crypto-mining malware attacks against iPhones went up 400% in the last two weeks of September, security firm Check Point notes in a new report.

Crypto-mining attacks have intensified over the past couple of years, fueled by a massive surge in the price of crypto-currencies. Threats range from botnets to fileless malware and malicious programs that abuse NSA-linked exploits for propagation. Industrial systems are frequently hit as well.

Mobile users are being targeted as well, either with Trojans that can steal crypto-currencies or with various types of miners.

While most of these attacks target Android, iPhone users weren’t spared either, as Check Point reveals. Amid a four-fold increase in crypto-mining malware assaults on iPhones, attacks on Safari users also intensified, the security firm reveals.

The attacks used the Coinhive mining malware, which emerged as the leading threat in December 2017 and has remained the top malware ever since. At the moment, Coinhive impacts 19% of organizations worldwide.

“Crypto-mining continues to be the dominant threat facing organizations across the world. The attacks on Apple devices are not using any new functionalities. The reason behind the increase is not yet known, but serves to remind us that mobile devices are an often-overlooked element of an organization’s attack surface,” Check Point says.

While the Coinhive mining code was at the top of the most active malware list, it wasn’t the only crypto-currency-related malware there. Cryptoloot (a Coinhive competitor), Jsecoin (a JavaScript miner) and XMRig (open-source CPU mining software) are also on the list, in third, fifth and eighth position, respectively.

Other malware families present on the list are Dorkbot, a worm that supports remote code execution, the Andromeda bot, Roughted malvertising campaign, Ramnit banking Trojan, Conficker worm, and the Emotet Trojan.

The top three most exploited vulnerabilities in September were in Microsoft IIS WebDAV, OpenSSL, and PHPMyAdmin.

“CVE-2017-7269 is the most popular exploited vulnerability for the 7th consecutive [month] with global impact of 48% of organizations. In second place [is] CVE-2016-6309 with a global impact of 43%, closely followed by Web servers PHPMyAdmin Misconfiguration Code Injection impacting 42% of organizations,” Check Point notes.

Related: Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond

Related: Crypto-Miners Slip Into Google Play

Copyright 2010 Respective Author at Infosec Island
Most SMBs Fold after Cyber Attacks: Here’s How to Protect Yours (Fri, 12 Oct 2018 05:53:00 -0500)

Many small-to-medium businesses (SMBs) think they’re flying under the radar of cyber-attackers. In reality, perpetrators specifically target smaller, more vulnerable businesses because of their lack of security expertise and fragile infrastructure, and because they often provide easy entryways to the larger companies the SMBs work with. Even more alarming, more than 60 percent of SMBs go out of business within six months of devastating attacks, such as ransomware and distributed denial of service (DDoS).

In this digital era, where cyber-attacks happen at all times around the world, SMBs are often the hardest hit, although their breaches may not make headline news. According to a report by Verizon, 61 percent of data breach victims were small businesses. And as Hiscox’s Cyber Preparedness Report 2017 notes, small businesses lose an average of $41,000 per cybersecurity incident.

The challenge is that SMBs typically have a shoestring IT and security budget and very limited expertise with cutting-edge tools. For instance, a local mom-and-pop store typically has only a firewall and anti-virus as its security posture, so DDoS attacks, point-of-sale malware and phishing scams can very easily lead to a huge payout for attackers. Moreover, it is not always easy for business owners to understand what to protect, and how, against constantly evolving cyber threats.

How MSSPs can help SMBs affordably protect themselves

Small businesses today tend to focus on doing the basics to protect endpoints and servers, which includes staying current on anti-virus updates and security patches for systems and applications. In these organizations, there may be just one person working part-time handling IT. Security is secondary and perhaps an afterthought.

Security breaches can be devastating to a small business that has significant resource constraints. The goal, therefore, is to deliver more data protection at less cost, based on thoughtful risk assessments and business-specific needs. A smart, affordable way for SMBs to protect themselves is by aligning with Managed Security Service Providers (MSSPs), who offer key services such as:

  • Outsourced, advanced-level 24x7 monitoring of security events and management. This is a cost-effective alternative to having dedicated in-house staff managing security events.
  • Deep threat intelligence covering a wide security landscape, such as device management, breach monitoring, data loss prevention, insider threat detection, phishing attacks, web exploits, and more.
  • Incident response to contain and eliminate cyber threats in near real-time and keep your business running.
  • Flexibility of deployment. The MSSP’s services should be available over the internet, via on-premise systems that are managed remotely, or through a hybrid model. SMBs may choose to implement some security capabilities in-house alongside other services from their trusted MSSP.
  • Consulting on industry-specific requirements and know-how pertaining to your business. This helps the MSSP implement best-practice processes and the right technologies for you.

MSSPs are an increasingly popular choice for SMBs that need a simple, cost-effective solution for cyber threat protection that leverages the latest innovations and provides 24x7 access to security experts. According to Market Research Engine, global managed security services market revenues could surpass $45 billion by 2022, expanding at a compound annual growth rate (CAGR) of 14.5 percent between 2016 and 2022.

MSSPs are a great resource for either supplementing your existing security team or starting your security practice. However, not all managed security services solutions are created equal. Each provider has different strengths and levels of support for incident management and response, and for engagement with your business.

How to choose the best MSSP for your business

Many SMBs have a tendency to pick a security bundle from the managed service provider (MSP) who manages their systems, backups, software upgrades, and routine operations. However, this may not suffice. Not all MSPs have the right cybersecurity service offerings and businesses can’t afford to gamble on using providers that may end up delivering inadequate coverage and cause them to incur excess costs.

Five criteria to look for when choosing an MSSP:

  1. Employs state-of-the-art tools, technologies, well-documented processes and workflows, and clearly articulates the level of interaction they’ll have with your business.
  2. Provides complete visibility of your sensitive data and transparency into the data movements within their environment.
  3. Understands specific issues and requirements pertaining to your industry. Different industries, such as finance, healthcare, and retail, have their own security concerns and benefit from an MSSP that has extensive experience in their area.
  4. Demonstrates compliance with your business’s and partners’ requirements.
  5. Helps you stay ahead of advanced threats by bringing collective knowledge from other customers and sources, such as threat intelligence, government alerts, etc., to educate your team on the latest security issues. This is critical as many data breaches result from employees opening phishing emails, and lost or stolen credentials.

Empirical data shows that SMBs face high security-related risks whose consequences can be extremely detrimental compared to those for larger organizations. Given resource constraints and skills limitations, it is best to align yourselves with MSSPs that can provide superior 24x7 protection and support at affordable prices, freeing you to safely focus on your core competency.

About the author: Arun Gandhi has more than 17 years of experience with startups and global brands in the service provider and enterprise segments. He is currently Director of Product Management and Marketing at Seceon, responsible for driving strategic go-to-market initiatives, positioning, customer use cases, and executive engagements with customers & partners.

How Can Businesses Protect against Phishing Attacks on Employee Smartphones? (Thu, 11 Oct 2018 07:41:00 -0500)

Smartphones have become synonymous with everyday business operations, enabling employees to store important contact details, browse the web and reply to emails while on the move. However, the ubiquity of such devices has led scammers to increasingly target them with a variety of phishing attacks – all designed to convince individuals to part with sensitive personal and corporate information.

With banking details, phone numbers and email addresses all commonly stored on them, a successful attack on an employee’s smartphone could have devastating consequences, both for that individual and for your organisation. This threat is even more daunting considering that the click rate for suspicious URLs on mobile has increased 85% year-over-year since 2011.

With this in mind, it is vital that business leaders educate themselves on the types of attacks that today’s scammers are using, and advise employees on how best to protect themselves.

A new school of phish

Almost everyone has seen a dubious email hit their inbox at one time or another, seemingly from a legitimate source such as PayPal or Apple. At a cursory glance, these emails can look like the real thing, but tell-tale signs like frequent spelling errors and obviously false email addresses can help users identify a disguised phishing attack. 

Unfortunately, these signs can be far less obvious when an email is received on a mobile device, as email headers and URLs are often hidden. As such, it’s worth encouraging employees to double-check the sender’s details, take note of impersonal forms of address and avoid clicking on any suspicious links.

But some more sophisticated scams can be even less obvious and, again, can be extremely damaging when targeting a mobile device. For example, spear-phishing attacks occur when a scammer creates an email that perfectly imitates genuine correspondence, often from senior members of staff within the same organisation. 

In these cases, the scammer will research company websites and social media channels to build a comprehensive profile of an employee in order to fool unsuspecting users. The scammer will usually target junior members of teams, requesting confidential information or encouraging them to click on links that will download malware. This can be particularly disastrous on Android phones, which tend not to have the rigorous built-in security of their iPhone counterparts. Always advise staff members to check with your IT department or managed service provider before engaging with correspondence like this.

However, it’s not just email that modern hackers are utilising. Social media has now become the go-to platform for phishers who want to extract crucial company information from unsuspecting staff. For a hacker, social media is a great place to start building a picture of exactly who you are in preparation for launching a phishing attack, and some have even resorted to sending suspicious links via messenger platforms. Reviewing the privacy settings on such sites (and ensuring they are consistent across mobile, apps and desktop) is a worthwhile exercise to ensure you’re prepared.

Other mobile apps that facilitate remote working, such as Google Docs and Dropbox, have also grown increasingly vulnerable to phishing scams, with Google Docs falling victim to a large-scale attack that affected around 1 million users in 2017. Using a link, the scam diverted users from a Google page to a third-party site, where password information was harvested. Such scams can be combatted by implementing two-factor authentication, which adds an extra layer of defence to your security measures.

Preventing mobile phishing

Education is extremely important when considering ways to combat phishing attempts: learning to spot the warning signs can prevent your or your company’s data from falling into the wrong hands, and this is even more pressing where mobile devices are concerned.

A strong enterprise mobility management strategy can help organisations manage the apps and social media accounts that have access to their data, and secure personal information on employees’ smartphones. They should complement this by ensuring that their file transfer procedures are completely secure.

Mobile devices are only going to become a more central component of our working lives in the future, so ensuring that the safeguards are in place to protect your vital information now will go a long way to preventing potential phishing scams in the future.

About the author: Matt joined Intercity Technology in 2015 from Imerja Limited, as one of the company’s founders. He worked there for 12 years as technical director and previously operations & services director. With over 25 years’ business and technical experience in providing IT solutions, Matt’s expertise covers the design, implementation, support and management of complex communications networks.

Lessons from Cyber Essentials – Going Back to the Basics (Thu, 11 Oct 2018 07:32:00 -0500)

Whether it’s phishing attacks or zero-day exploits, businesses are facing an increasing number of cyber threats every day. And when these attacks are successful, businesses can face both reputational and monetary consequences. In fact, a 2018 report from Ponemon found that businesses have to fork out an average of $3.9 million when hit by a data breach. However, there are some simple steps that organisations can follow to achieve cyber resilience, and understanding the UK Government’s Cyber Essentials scheme is a great start.

Launched in 2014, the scheme sets out five simple and effective cyber security measures that businesses of all sizes can implement to reinforce their defences against malicious attacks. Four years on, these measures are just as relevant as ever.

Configure and monitor firewalls to secure your internet connections

Any device that protects the network edge of your organisation, such as a router or firewall, needs to be configured and kept up to date. As key points of access to the wider network, these can be easy targets for hackers if their settings are not adjusted from their factory defaults. Having a trained member of IT staff who approves and documents the inbound traffic allowed by network rules, and removes any rules that are no longer needed, is a simple way to better secure your internet connections.
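The approve-and-document step above can be made routine with a small review script. The following is an added example, not code from the article or from the Cyber Essentials scheme: it compares a constructed inbound rule set against a constructed approval register (owner, justification, review-by date) and reports allow rules with no approval, a lapsed approval, or exposure to any source on a non-web port.

```python
"""Review inbound firewall rules against an approval register.

Added example, not code from the article or from the Cyber Essentials
scheme itself. The rule export layout and the register fields are
constructed for illustration; a real review would parse the device's
own rule export.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    port: int
    source: str   # CIDR or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Approval:
    rule_name: str
    owner: str
    justification: str
    review_by: date  # the approval lapses after this date


# Constructed inbound rule set, as a device export might list it.
RULES = [
    Rule("web-https", "tcp", 443, "any", "allow"),
    Rule("vpn-ike", "udp", 500, "any", "allow"),
    Rule("legacy-ftp", "tcp", 21, "any", "allow"),
    Rule("rdp-vendor", "tcp", 3389, "203.0.113.0/24", "allow"),
    Rule("default-deny", "any", 0, "any", "deny"),
]

# Constructed approval register maintained by the responsible IT staff member.
APPROVALS = [
    Approval("web-https", "ops", "public website", date(2019, 6, 30)),
    Approval("vpn-ike", "ops", "staff remote access", date(2019, 6, 30)),
    Approval("rdp-vendor", "finance", "vendor support contract", date(2018, 3, 31)),
]

REVIEW_DATE = date(2018, 10, 11)


def review_rules(rules, approvals, today):
    """Return findings as {rule name: [issue, ...]} for 'allow' rules.

    The check mirrors the Cyber Essentials point that every permitted
    inbound flow should have a documented, current business need:
    rules with no approval, or with a lapsed approval, are reported, and
    rules exposed to any source on a non-web port are listed for review.
    Rules with no findings are omitted, so an empty dict means a clean review.
    """
    register = {a.rule_name: a for a in approvals}
    findings = {}
    for rule in rules:
        if rule.action != "allow":
            continue
        issues = []
        approval = register.get(rule.name)
        if approval is None:
            issues.append("no documented approval")
        elif approval.review_by < today:
            issues.append(f"approval lapsed on {approval.review_by.isoformat()}")
        if rule.source == "any" and rule.port not in (80, 443):
            issues.append(f"exposed to any source on {rule.port}/{rule.proto}")
        if issues:
            findings[rule.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_rules(RULES, APPROVALS, REVIEW_DATE).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run against the constructed data, the script flags the undocumented FTP rule, the vendor RDP rule whose approval lapsed in March, and the VPN rule as exposed to any source, while the approved HTTPS rule produces no finding.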

Ensure security for your devices and prevent automatic software installation

Most Windows-based devices and operating systems will have a minimum level of basic security measures built in as standard. However, as these default settings are altered or third-party software is installed, the risk of these devices being targeted by hackers increases as the potential attack surface broadens. Again, this can be prevented by implementing simple best practices across an organisation. 

This includes disabling guest accounts, removing unnecessary admin rights, and ensuring that all accounts are secured by robust passwords. It’s also important to disable the Autoplay function on Windows operating systems to ensure that software on removable media isn’t authorised to install automatically.

Adobe Flash, Acrobat Reader and Java are some of the most prolific third-party software packages that pose a threat to Windows devices. Wherever possible, Java should be removed and it’s essential that Adobe applications are updated with the latest releases. One way to minimise the risk that third-party applications pose is to implement application control to prevent users from installing potentially damaging third-party software. 

Finally, many Windows PCs connect to public Wi-Fi or untrusted networks, outside the protection of a corporate system. As such, an endpoint firewall should be enabled on each device, adhering to the same rules as those applied to network-edge security devices.

Control who has access to data and services 

Of the five goals set out by Cyber Essentials, ensuring that administrative accounts are not used on devices with internet access can be the hardest to achieve. This is because admin rights are often required to perform certain tasks when running legacy applications. 

Businesses can circumvent this difficulty by using a third-party privilege solution which can remove administrative privileges without affecting a user’s experience. This can help ensure that logged-in users retain standard user privileges while affording necessary additional rights to applications and processes. 

The Cyber Essentials scheme also advises creating uniquely named accounts for each user, limiting administrative accounts to a small number of trusted employees, and forbidding the sharing of administrative logins. New user accounts should also be approved and documented with a business case.

Following these guidelines can provide your organisation with the high levels of security needed to protect your most valuable data and applications, and help meet the requirements of the Cyber Essentials scheme.

Guarding against malware

To protect against malware strikes, it’s important to have several layers of security in place – the most important measure being whitelisting. This is simply a method of preventing users from installing and running applications that may be compromised with malware. 

To implement whitelisting, an administrator is first required to create a list of applications trusted to run and operate on a corporate device. Any application that tries to run that is not approved will instantly be prevented from doing so. 

This is a particularly strong prevention technique as it can still work even if the malware avoids detection. Application whitelisting is relatively easy and quick for any organisation to implement and maintain – all the while ensuring that they are protected.

However, it is important to remember that application whitelisting, along with firewalls, can be rendered ineffective if antivirus software is misconfigured. Therefore, it’s essential that any device connected to a wider corporate network is reinforced with malware protection software.

Keep your software patched

It may seem simple, but it’s worth remembering that updating devices regularly, whenever a new patch or update is released by a manufacturer or developer, will go a long way towards safeguarding your business and its important data. To make this easier, operating systems, programmes, devices and apps should be set to update automatically. Again, Cyber Essentials provides clear guidance on this, requiring that operating systems and third-party software are updated within thirty days of a patch being released. In the case of security patches, these must be installed within a fortnight of their release.
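The two timescales above (fourteen days for security patches, thirty for other updates) can be checked mechanically against a patch inventory. The following is an added example and not code from the article or the scheme: the inventory layout, host names and patch identifiers are constructed placeholders, and the check reports patches installed after their deadline as well as patches still missing once the deadline has passed.

```python
"""Check a patch inventory against Cyber Essentials patching timescales.

Added example, not from the article or the scheme's own documentation.
It applies the two deadlines the article states (security patches within
14 days of release, other updates within 30 days) to a constructed
inventory; the record layout and identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SECURITY_SLA = timedelta(days=14)   # "within a fortnight"
OTHER_SLA = timedelta(days=30)      # "within thirty days"


@dataclass(frozen=True)
class Patch:
    host: str
    product: str
    patch_id: str
    security: bool             # True if the vendor classes it as a security fix
    released: date
    installed: Optional[date]  # None if not yet installed


# Constructed inventory, as an endpoint-management export might provide it.
INVENTORY = [
    Patch("ws-01", "Windows 10", "KB-EXAMPLE-1", True, date(2018, 9, 11), date(2018, 9, 18)),
    Patch("ws-02", "Windows 10", "KB-EXAMPLE-1", True, date(2018, 9, 11), date(2018, 10, 2)),
    Patch("ws-02", "Acrobat Reader", "APSB-EXAMPLE", True, date(2018, 9, 20), None),
    Patch("srv-01", "Java", "JDK-EXAMPLE", False, date(2018, 8, 1), date(2018, 9, 10)),
    Patch("srv-01", "Office", "OFF-EXAMPLE", False, date(2018, 9, 25), None),
]

REPORT_DATE = date(2018, 10, 11)


def deadline(p: Patch) -> date:
    """Last day on which installing the patch still meets the timescale."""
    return p.released + (SECURITY_SLA if p.security else OTHER_SLA)


def assess(inventory: List[Patch], today: date):
    """Split the inventory into (compliant, late_installed, overdue_missing).

    late_installed: installed, but after the deadline.
    overdue_missing: not installed and the deadline has already passed.
    A missing patch whose deadline is still ahead is compliant for now.
    """
    compliant, late, overdue = [], [], []
    for p in inventory:
        due = deadline(p)
        if p.installed is None:
            (overdue if today > due else compliant).append(p)
        elif p.installed > due:
            late.append(p)
        else:
            compliant.append(p)
    return compliant, late, overdue


def days_overdue(p: Patch, today: date) -> int:
    """Days past the deadline at install time, or as of today if still missing."""
    end = p.installed if p.installed is not None else today
    return max(0, (end - deadline(p)).days)


def summary(inventory: List[Patch], today: date) -> dict:
    """Compact report: counts plus (host, patch, days overdue) for each breach."""
    compliant, late, overdue = assess(inventory, today)
    as_rows = lambda ps: [(p.host, p.patch_id, days_overdue(p, today)) for p in ps]
    return {
        "compliant": len(compliant),
        "late_installed": as_rows(late),
        "overdue_missing": as_rows(overdue),
    }


if __name__ == "__main__":
    for key, value in summary(INVENTORY, REPORT_DATE).items():
        print(f"{key}: {value}")
```

On the constructed inventory the Office update is not yet due and counts as compliant, while the missing Acrobat Reader security patch is already a week past its fourteen-day deadline.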

The Cyber Essentials scheme provides some of the easiest ways to achieve cyber resilience. IT leaders across all organisations should be working to weave these steps into the fabric of their businesses, to ensure that their company can evolve and face an ever-growing pool of threats with confidence.

About the author: Andrew has been a fundamental part of the Avecto story since its inception in 2008. As COO, Andrew is responsible for Avecto's end-to-end customer journey, leading the global consultancy divisions of pre-sales, post sales and training, as well as customer success, support and IT.

Security Gets Messy: Emerging Challenges from Biometrics, New Regulations, Insiders (Thu, 11 Oct 2018 06:32:29 -0500)

Over the coming years, the very foundations of today’s digital world will shake – violently. Innovative and determined attackers, along with seismic changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments. Only those with robust preparations will stand tall.

Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organizations that have a good record of securing information will be at risk of complacency, judging that the way they have always done things will continue to work in the future – a dangerous attitude to take.

Biometrics Offer a False Sense of Security

Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and promising added security for corporate information. But organizations will sleepwalk towards a degradation of access controls as this sense of security turns out to be false: biometrics will frequently be compromised by attackers who learn to find increasingly sophisticated ways to overcome them.

Demands for convenience and usability will drive organizations to move to using biometric authentication methods as the default for all forms of computing and communication devices, replacing today’s multi-factor approach. However, any misplaced trust in the efficacy of one or more biometrics will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

The problem will be compounded by the wide and confusing array of proprietary technologies produced by different vendors. As there are no common global security standards for biometrics, it is inevitable that some technologies will be vastly inferior to others. The question then becomes: which are secure today? And will that continue to hold true tomorrow… and the day after?

Existing security policies will fall well short of addressing the issues as new devices infiltrate organizations, from the boardroom down. Failure to plan and prepare for this major change will leave some organizations sleepwalking into a situation where critical or sensitive information is protected by a single biometric factor which proves vulnerable.

New Regulations Increase the Risk and Compliance Burden

Organizations will wrestle with an incredibly burdensome risk environment, with complex, conflicting and confusing regulatory demands overwhelming existing compliance mechanisms. Demands for transparency will lead to information being stored in multiple locations and with third parties, increasing the likelihood of a data breach occurring. At the same time, new data privacy regulations will greatly increase the financial impact of a breach by levying materially significant fines.

By 2020, we expect the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever-swelling ‘attack surface’ which must be protected fully while attackers continually scan, probe and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information – including customer details and business plans – that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties who will transmit, process and store it in multiple locations. Most organizations will see penalties for non-compliance reach material levels.

Balancing potentially conflicting demands, while coping with the sheer volume of regulatory obligations, may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Points

Increasing pressure on trusted professionals will lead some to divulge their organization’s weak points. Those entrusted with protecting information will be targeted or tempted to abuse their position of trust. Financial temptation, coercion and simple trickery will combine with reduced employee loyalty – taking the insider threat to a new dimension.

The relentless hunt for profits and never-ending change in the workforce will create a constant atmosphere of uncertainty and insecurity that has the effect of reducing loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from ‘cashing-in’ corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognize that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now – or in the future – face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, it is not only the organizational crown jewels that are under threat. The establishment of bug bounty and ethical disclosure programs, together with demand from cybercriminals and hackers, puts a very high value on the most secret of secrets – the penetration test results and vulnerability reports that comprise the ‘keys to the kingdom’. Organizations reliant on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find those mechanisms inadequate.

Preparation Must Begin Now

Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The threats listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Could a Credit-Like Security Score Save the Cyber Insurance Industry? (Thu, 11 Oct 2018 06:14:00 -0500)

In the evolving world of cybersecurity, enterprises need access to cyber insurance that accurately reflects their current security posture and that covers both direct and indirect expenses. The same challenge, of course, applies to the insurers issuing the policies. Unfortunately, the evolving threat landscape and the rising incidence of attacks have made it difficult to match packages with premiums, and as one chief information security officer has stated, the current state of risk modeling is like “trying to use the count of arrests for a crime to figure out the dollar losses from theft.”

Cyber insurance is an industry that could grow to nearly $17B in just five years. However, coverage today is still at less than 50 percent and varies widely by industry. The state of coverage is even lower across the mid-market, a sector that is subject to 62 percent of all cyberattacks but does not always have the budget or expertise to deploy market-leading solutions. The result? It’s a proverbial accident waiting to happen, as enterprises are increasingly valued on their intangible assets – assets that can be compromised and even destroyed in a matter of minutes. In fact, between 1975 and 2015, the share of enterprise value made up of these assets, mostly uninsured, climbed from 17 percent to 84 percent.

What’s the Problem?

A major issue affecting insurance agencies is that cyber insurance coverage is not as universal as one would expect, especially amongst smaller enterprises. To understand an applicant’s technology risk, insurers rely on a questionnaire completed by the applicant enterprise itself (not always accurate) and, heavily, on third-party external ratings of the applicant. Those ratings give an outside-in view only (they exclude cloud security, which is increasing in importance) and may or may not be accurate.

Smart enterprises and their security service providers are masking their environments from the external third-party rating firms to generate artificially higher scores. This is done by implementing firewall rules that drop all outbound traffic to these third-party honeypots and filter inbound scanning from these firms. Such underwriting processes do not consider the true internal state of the enterprise and are at best limited point-in-time views. What insurers fail to consider, in an ever-changing threat environment, is that they may lose millions on policies underwritten against this constantly changing technology risk if they continue to rely on outdated approaches.

In the public accounting industry, when doing a financial audit of a firm (which includes technology reviews), no one relies only on management’s answers to questions; there is a strong verification process to confirm that the numbers are accurate and the controls are in place. Insurers need to incorporate internal verification processes into their underwriting and ongoing premium coverage process moving forward.

What Next?

To move beyond this current, less-than-optimal state, insurers need to bring more automation into their underwriting, streamline the process, strike a better balance between premiums and risk, and make available policies that better cover the full range of assets potentially impacted by cyber peril. In addition, insurers need to consider moving from point-in-time assessment to continuous assessment of their potential policy holders, because the risk changes daily with human factors and the threat landscape. The individuals completing a large questionnaire (100 to 200 questions) are not 100% sure that their answers are correct, nor that the processes are consistently in place or enforced. In addition, relying on the third-party external ratings that insurers use is like driving while looking in the rear-view mirror: all the data shown is a past view that reflects how things were done before. If the company had poor technology (CIO) and security (CISO) management that has since been replaced, the external ratings do not reflect the expected future operation.

External ratings' scoring logic assumes that technology management will not change. In addition, external ratings do not look at cloud security directly today, as the rating firms have no visibility into those environments unless there is a public-facing website.

Introducing a Credit-Like Score for Security

One way to develop this is through a ‘CyberPosture’ score, a security equivalent of a credit score: an easy-to-understand scoring of one’s current hybrid infrastructure security posture.

Insurers now have the opportunity to provide the potential policy holder (customer) with an easy-to-deploy assessment technology (deployment and assessment within hours) that covers on-premises servers, cloud servers and cloud accounts, and containers, gives a detailed understanding of their inside-out security level against benchmarks, and produces a CyberPosture score. It is in the insurers' best interest to implement this solution during the underwriting process and, over time, develop enhanced (more profitable) policies that change premiums and/or reduce coverage as the CyberPosture score changes during the premium coverage period. The secondary benefit would be that this CyberPosture score would be available to the policy holder's executive management team and board members as an independent view of the organization's cyber risks. Today, a majority of credit card issuers provide continuous free credit score reporting to their members; this follows the same logic.

In conclusion, enterprises and their security service providers have learned how to game the external third-party risk ratings. Those ratings do not account for future enterprise risk, since the models neither consider technology/security leadership changes nor look at internal security risks (and/or cloud security risks), which in many enterprises represent the larger risks and the potential control failures that generate cyber insurance claims. It is in the best interest of insurers to quickly adopt proactive underwriting and continuous monitoring solutions that provide a true representation of the applicant enterprise, to minimize risk and maximize profit in the new policies underwritten moving forward; the CyberPosture score provides one of those paths forward.

About the author: Joseph (Joe) Kucic is Cavirin’s Chief Security Officer, bringing to Cavirin over 20 years of enterprise and security experience. At Cavirin he is responsible for hybrid cloud infrastructure security strategies with CSOs, CIOs and CISOs and their teams across both enterprises and managed service providers / global system integrators.

Copyright 2010 Respective Author at Infosec Island
Preview: SecurityWeek's 2018 ICS Cyber Security Conference (Oct. 22-25)

Tue, 09 Oct 2018 09:59:36 -0500

Hundreds of professionals from around the world will meet in Atlanta, Ga., on October 22-25, for SecurityWeek's 2018 ICS Cyber Security Conference, the largest and longest-running conference dedicated to industrial and critical infrastructure cybersecurity.

The ICS Cyber Security Conference brings together industrial control systems users and vendors, security solutions providers, and government representatives to discuss critical issues facing operators of industrial networks.

Throughout the four day conference, presentations, training sessions and workshops will help participants improve their knowledge on how to efficiently protect SCADA systems, programmable logic controllers (PLCs), distributed control systems (DCS), engineering workstations, and field devices.

The exchange of technical information, details about actual incidents, insights, and best practices will help representatives of energy, manufacturing, transportation, water, utilities, and other industrial and critical infrastructure organizations address the issues they currently face.

The ICS Cyber Security Conference, set to take place at the InterContinental Buckhead Atlanta, will kick off on Monday, October 22, with a day dedicated to extended workshops and breakout sessions focusing on technology and strategy. The workshops include Red Team/Blue Team training, and a hands-on workshop by Palo Alto Networks and CyberX on defending ICS and SCADA networks.

The other sessions of day one will focus on risk assessments, vulnerability research, enhancing security using the ATT&CK Framework, patching of critical systems, zero trust networking applied in ICS, the risk posed by physical access controls, defense strategies for robotic systems, and securing applications using a local certificate authority.

The second day begins with representatives from Rockwell Automation, Schneider Electric and Siemens discussing the current state of cybersecurity in the ICS Manufacturer's Panel.

Next, Robert M. Lee and Marc Seitz of Dragos will present their research on Xenotime, the group that created the Triton/Trisis ICS malware. Participants will also learn from ARC Advisory Group's Larry O'Brien about the best approach for selecting cybersecurity vendors for operation technology (OT) environments.

On Wednesday, Andrea Carcano of Nozomi Networks will share details of research into the Triton attack, and Dr. Alex Tarter of Thales will discuss how the British Ministry of Defence protects critical infrastructure through a methodology called ‘Cyber Vulnerability Investigations’. On the same day, representatives from Sony's security team will discuss security in manufacturing environments, and Edna Conway, CSO for Cisco's Global Value Chain, will have a fireside chat with Microsoft Cybersecurity Field CTO Diana Kelley on supply chain security.

On the last day of the conference, Colonel Mark Gelhardt, Former CIO for President Clinton, will talk about his time at the White House and the lessons learned. Attendees will also learn about the actual meaning of “anomaly detection” and “machine learning” in the context of ICS threat monitoring, and they will find out how security researchers and automation vendors can work together on reporting and patching vulnerabilities. Another interesting presentation comes from the Department of Homeland Security, whose representatives will talk about Russian cyber activity on US critical infrastructure.

Each day of the conference also features various case studies, technical sessions, and strategy sessions, including on insider threats, side-channel attacks on ICS, preventing attacks on the power grid, cybersecurity programs at nuclear plants, best practices, threat detection, and the threat posed by IT malware.

In addition to amazing content, there will be several receptions and parties to give delegates the chance to network and discuss in a relaxed environment.

Check out the complete agenda for the 2018 ICS Cyber Security Conference.

Russian Hackers Spy on Military Targets, Governments: Report

Tue, 09 Oct 2018 09:55:24 -0500

In 2017 and 2018, a Russian cyber-espionage group believed to be government-backed has engaged in covert attacks targeting military and government organizations in Europe and South America, Symantec warns.

Tracked as APT28 but also referred to as Fancy Bear, Swallowtail, Strontium, Sofacy and Sednit, the group was accused of targeting the Democratic National Committee (DNC) during the 2016 Presidential elections in the United States.

Unlike the 2016 attacks, however, the campaigns the group has conducted this year and the last were low-key intelligence-gathering operations, a new Symantec report reveals. 

The assaults, the security firm says, hit a well-known international organization, as well as military targets and governments in Europe, a government of a South American country, and an embassy belonging to an Eastern European country.

According to Symantec, between 2007 and 2016, Fancy Bear had conducted intelligence-gathering operations, and the targeting of the DNC marked a major change in the group’s activity. Also in 2016, the group targeted the World Anti-Doping Agency (WADA) and leaked confidential drug testing information.

“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering,” Symantec notes. 

Despite the recent change in tactics, the actor remains focused on expanding its tools portfolio. Last week, ESET revealed that Fancy Bear is the first threat actor to have used a Unified Extensible Firmware Interface (UEFI) rootkit in a malicious campaign.

The hackers updated other tools as well over the past couple of years, including XTunnel (Trojan.Shunnael), which was specifically built to compromise the DNC network. The malicious tool was completely re-written in .NET.

Some security researchers attribute the Zebrocy malware to Fancy Bear, but Symantec claims that another group is responsible for this threat, namely Earworm (aka Zebrocy).

Active since at least May 2016 and focused on military targets in Europe, Central Asia, and Eastern Asia, the group is apparently involved in operations that differ from those of Fancy Bear. Despite that, Symantec did notice command and control (C&C) overlaps between the two groups, which suggests a potential connection between them. 

“It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools. This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets,” Symantec concludes. 

Related: Russian Cyberspies Use UEFI Rootkit in Attacks

Related: Sofacy Attacks Overlap With Other State-Sponsored Operations

NIST and the Small Business: Addressing Cyber Insecurity

Tue, 09 Oct 2018 07:03:56 -0500

In August, President Trump signed the NIST Small Business Cybersecurity Act, directing NIST to develop a streamlined version of its Cybersecurity Framework to protect small businesses (SMBs) who have traditionally been unable to invest in their own IT security resources. At the same time, an increasing number of businesses are requiring vendors within their supply chain to adopt the NIST framework.

Securing the systems of small businesses is a very real concern, for the businesses themselves as well as for the private and public organizations working with this sector. Unaware of their own susceptibility and lacking appropriate IT resources, SMBs are an excellent target for hackers. In fact, the real danger is that small businesses can unwittingly become launching pads for much larger attacks on government sites and Fortune 500 companies.

Fortunately, the existing NIST framework can help small businesses to identify, prioritize, and mitigate risk. NIST has a guide (NISTIR 7621, Revision 1, Small Business Information Security: The Fundamentals, Celia Paulsen and Patricia Toth, 2016) that helps SMBs understand risk assessment and determine their vulnerabilities.

The NIST framework encompasses five key functions: Identify, Protect, Detect, Respond, and Recover. In this article, we’ll explore what SMBs must consider to implement NIST successfully, including identifying, classifying, and quantifying risk; assigning roles and responsibilities within the company; and developing policies and procedures for their cybersecurity program.

Identify Your Risks  

A key challenge for businesses is knowing where their risks lie. In order to create a plan, you must start by making a list of your critical business assets and practices. If you are a small bank, for instance, maintaining 24/7 access to online banking might be critical. Another concern might be protecting the confidentiality and integrity of your data. And what about having sufficient cash flow? These concerns become the top priorities you must manage to stay in business. Other goals, such as having a nice website or hiring a marketing person, probably take a back seat to online access, data confidentiality, and cash flow. Only you, as management, can determine what matters most to your business.  

A business’s current state of risk must be determined through a comprehensive risk assessment. A full risk assessment includes threat, vulnerability, and impact analyses, all of which are important to defining an overall risk strategy. Because risk can be addressed in different ways—such as altering risky behavior, developing countermeasures to threats, reducing vulnerabilities, or developing controls—these assessments establish the baseline for determining the most cost-effective strategy to address risk.

Determining the current state of risk also provides the basis for a gap analysis.  A gap analysis gathers data about your business environment, which is then analyzed according to the risk management strategy, classification and tolerance. Existing controls must be inventoried, tested and evaluated to determine the extent to which they meet the desired objectives for risk mitigation. This will provide the basis for deciding whether these controls are sufficient; need to be strengthened, modified or replaced; or whether additional controls must be added.

Risks evolve on a daily basis, and you are only as secure as your weakest point. If you have a dead bolt on your front door, but your back door is not locked, you are not secure! Invest in good business practices that will go a long way in protecting your data. Small business owners need to consider risk across operations, including data privacy, company laptop use, website and cloud services, and outsourcing.

Determine the Impact

For management, business impact is the bottom line of risk.

A BIA (business impact analysis) is an exercise that determines the consequences of losing the support of any resource to an organization. BIAs are a critical part of the risk assessment process, and an important tool for developing a strategy to address potential adverse impacts. A BIA should generate input for asset classification based on business value, determining the difference between acceptable and actual levels of potential impact that must be addressed by the cybersecurity strategy.

Classify Your Risks

All risks are not created equal. What constitutes low, moderate, or high risk in your business? Your strategy for risk management has to start with defining your tolerance of risk. For example:

  • Low risk: What would happen if your website was offline for less than two hours? You may decide that you can live with the loss of two hours of sales, or that a two-hour outage will not seriously compromise your business reputation.

  • Moderate risk:  What if your website was down for four hours? While that might put a dent in your sales projection, you could probably still survive as a business and recover.

  • High risk: Could your business survive being offline more than four hours? This might result in an irretrievable financial loss and a fatal blow to your business’s reputation. (Can you imagine being down for even four minutes?)

For every identified risk, you have to define the parameters of what you can accept, what makes you nervous, and what you cannot accept: low, moderate, and high. While you can certainly come up with more complex and extensive impact scales, our advice is to keep it simple. You can always mature the model and implement sophisticated metrics later, but sometimes more complicated is just that.

Quantify Your Risk

Usually the prioritization of a risk, and the amount of money and resources that must be allocated to protect against it, is relative to the cost of the loss should the risk materialize. For a real-world analogy, the process is like determining how much insurance you would need on your home in case of fire, flood, or other disaster.

We recommend creating a ledger of all the risks. Determine your tolerance for each identified risk, consider the cost and then spend accordingly. For instance, if your car is worth $5,000, then purchasing a $100,000 insurance policy is overkill. Prioritizing your business risks is similar. If loss of data affects your reputation, which may be hard to quantify in dollars but could have a major impact on your ability to grow your business, then don’t skimp on measures to protect your reputation. Once you have defined your objectives and priorities, you can decide how to manage risk effectively at an acceptable cost.

Assign Roles and Responsibilities

Once the BIA is complete, management can assess the spectrum of risk and create a strategy for achieving the identified security goals, whatever they may be: protecting data privacy, providing redundancy, securing sufficient insurance policies, etc.

The typical approach to building a cybersecurity program is to create a standalone program, in a silo. This outdated approach must be replaced with integrated risk management—an approach that integrates all business units and stakeholders, including non-security personnel.

Who needs to be involved in the strategy for data protection? Your security department needs to engage HR, finance, physical security, and legal. These stakeholders need to develop and agree upon an appropriately crafted policy. What should the legal agreements and rules of behavior state? What types of procedures should be followed when adding or removing employees? What financial measures have to be in place to create incentives and deterrents for employees, third-party vendors, contractors and others?

Your policy should also consider who and what pose threats to your business. For instance, if protecting data is critical to your organization (and I can’t think of an organization in which it is not), you should consider from whom you are protecting that data. This list should include your employees, ex-employees, hackers, third-party vendors, and your hosting facility administrators.

Developing a Strategy

From the outset, it is imperative that senior management defines, promotes, and enforces a clear risk management strategy. The key is defining the objectives, and starting with small, manageable goals that are achievable and realistic. Cumulative effort is essential to success. You will not go from no risk management program to a comprehensive, effective program overnight. Implementation will require hard work on everyone’s part.

A cybersecurity program built on the NIST framework should address all of the following:

  • Access control: Companies should adopt a good password policy, requiring complex passwords that change every 45 days. The Target store hack a few years ago was the result of that company allowing an HVAC company remote access without enforcing two-factor authentication. Hackers compromised the HVAC company, and through them gained access to all Target’s credit card data.
  • Awareness training: This component requires relatively low investment and provides an excellent return on investment. Educate your employees on the basics of cybersecurity threats and offer them defensive strategies for navigating the internet. The DNC hack was reportedly the result of someone responding to a phishing email requesting Gmail credentials!
  • Layered defenses:  Starting with AV, encrypt your laptops, implement encrypted secure communications in your online exchanges and transactions, invest in security awareness, make full and incremental back-ups of your systems, patch your servers, and monitor your environment.

Once you have identified your risk areas, determined your risk tolerance, and created the roles responsible for the program from across the organization, you can determine an acceptable level of investment in cyber security. In most cases your strategy should include a combination of various measures, like diversifying your investment portfolio.

Next Steps: Implementing Your Strategy

To this point, we have focused on the Identify and Protect functions under the NIST framework. Next among the NIST functions is Detect, which recommends measures already familiar to many SMBs:  installing intrusion protections such as antivirus and firewall defenses and maintaining and monitoring system logs.

Finally, under the Respond function, the NIST guidelines recommend developing a disaster and incident response plan, outlining policies and procedures to follow if and when an incident occurs. If you have properly identified responsible roles within the organization, everyone has a role and is a stakeholder in this plan. (Also, this plan should be tested when things are going well, not in the midst of a crisis!) For instance, was your HR server compromised? The good news is that you were able to detect the breach because you were using the right tools to monitor your environment. Now, what are the necessary response and recovery steps identified in your disaster and incident response plan? Do you shut down or isolate the server? Do you have a clean backup or a contingency plan for recovery? These questions and procedures should all be addressed as part of your integrated risk management strategy.

Final thoughts and considerations

Developing a measured, thoughtful strategy for cybersecurity is like starting a crossword puzzle. You begin with the small, simple words you know, and once those pieces are in place, the larger, more complicated words become easier to figure out.

By first identifying potential risks, determining the impact of those risks, quantifying the possible cost to your business, and investing all employees as stakeholders in the IT security process, you can develop an integrated strategy for cybersecurity.

The NIST framework provides step-by-step instructions for navigating this process that should result in concrete plans and procedures. If you come to the conclusion that cybersecurity is a critical function for your business, consider investing in a partner to perform assessments, compile risk inventories, identify priorities, and implement custom plans, policies, and strategies designed to safeguard your small business for the long term.

About the author: Baan Alsinawi has been the founder and president of TalaTek for the past 12 years. Ms. Alsinawi possesses a unique capacity to be a thought leader who sees the big picture, understands how technology can be leveraged, and knows how to build the right teams and solutions to manage it. Ms. Alsinawi is a member of ISC2, and is CISSP and ITIL certified.

Ransomware: Keep Safe and Stay Safe

Tue, 09 Oct 2018 06:51:00 -0500

Ransomware has been a notable threat since the infamous Cryptolocker hit headlines back in 2013.

Since then, multiple iterations, copycats, and a plethora of new ransomware families have entered the scene. Some of the more prolific, such as Locky, Cryptowall, Teslacrypt, and TorrentLocker, ebbed and flowed before diminishing in number of infections and volume of distribution, while others have declined further still, with crypto-currency mining appearing to fill the void in recent months.

There are a number of reasons for this downward trend. A key factor may be the increased involvement of law enforcement agencies, particularly in those cases where the target holds sensitive information or the attack takes down key infrastructure. There has also been a rise in the number of cyber security organizations providing a level of prevention and mitigation against ransomware, as well as in the number of government initiatives such as those offering free decryption services for reverse-engineered ransomware. Finally, it's arguably simpler and less risky for cyber-criminals to turn their attention to easier, less noticeable gains, such as those that can be made by turning a victim's system into a digital currency miner. 

It's worth noting, however, that although there may be fewer campaigns, and although its effectiveness may have diminished over time, ransomware is still a significant threat and one that businesses and consumers alike should remain mindful of. 

The shape of ransomware

Ransomware can take one of two different forms. The first of these is file encryption ransomware, in which the attacker encrypts every file on a system except those which are system critical, before demanding payment, often in the form of Bitcoin. The second, system lockout ransomware, involves the use of an overlay, or fake boot-up screen, that demands the victim make a payment for the password needed to unlock the system. 

Although it tends to arrive via a phishing email, there have been instances in which a direct compromise of a server has occurred shortly before ransomware was delivered on to a system. Recent notorious examples that have made headlines around the world include WannaCry, NotPetya, and Bad Rabbit, in which attackers combined the ability to auto-propagate with a 'warn and install' ransomware to target a wide and dispersed range of systems and organizations across multiple regions. 

Recommended plan of action

What all types of ransomware have in common is that, should a system be compromised, the effects are obvious, and often immediate. 

If an organization is unfortunate enough to fall victim to a ransomware attack, however, there are steps it can take to minimize any potential damage. 

First, it would be strongly advised not to pay the ransom, and to do what the organization can to recover its files by other means. Taking regular backups of those files is best practice as, in the event of a compromise, it's possible to restore to a previously known secure state. 

If this isn't possible for any reason, a decryptor should be sought. Most of the time, ransomware self-identifies, which, helpfully, enables its victims to search specifically for decryptors for that particular family. Many anti-virus companies and security vendors post free decryptors on their websites. Projects such as No More Ransom are also often a good place to start.

On occasion, an organization might feel that paying the ransom demand is the only way to recover files, although this can be fraught with danger. While many ransomware families 'offer' decryption after payment, this constitutes fraud and there is no guarantee that the files will actually be recovered. What's more, there's no way of knowing that the 'decryption tool' won't re-infect the system or leave a backdoor into it for future compromise. 

Finally, if there really is no other alternative, it can often be less of a risk to simply wipe the system and start over. 

Prevention is better than cure

With phishing being the primary delivery method, the easiest way to avoid a ransomware attack is to be on the lookout for suspicious emails. 

It's important not to open suspicious email attachments or click on suspicious links, for example. Just because a link's visible text says one thing doesn't mean it isn't actually pointing somewhere else; hover over the URL and observe what the link actually points to before clicking it.
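The hover check described above can be automated for an HTML message body. The following is an added example, not code from the original article: it collects every anchor, compares the host shown in the link text with the host the href really leads to, and also flags non-web schemes and raw IP destinations. The sample message is constructed, using the reserved example.com / example.net domains and a TEST-NET-1 address.

```python
"""Automating the "hover over the link" check for an HTML e-mail body.

Added example, not code from the original article. The sample message is
constructed: example.com / example.net are reserved documentation domains
and 192.0.2.10 lies in the TEST-NET-1 documentation range.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a URL or a bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#:]\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WEB_SCHEMES = {"http", "https", "mailto"}


def host_of(text):
    """Lower-cased host of a URL or bare domain; '' if there is none.

    urlsplit() only recognises the netloc when a scheme is present, so a
    bare 'accounts.example.com/reset' gets a dummy scheme first. Any
    'user@' prefix is dropped by .hostname, which defeats the
    'trusted.example.com@evil' look-alike trick.
    """
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (shown_text, real_href, reason) for each link that deserves a second look."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        scheme = urlsplit(href).scheme.lower()
        real_host = host_of(href)
        if scheme and scheme not in WEB_SCHEMES:
            findings.append((text, href, "non-web scheme '%s'" % scheme))
        elif IPV4.match(real_host):
            findings.append((text, href, "destination is a raw IP address"))
        elif URL_LIKE.match(text):
            shown_host = host_of(text)
            # Accept an exact match or a sub-domain of the host that is shown.
            same_site = shown_host == real_host or real_host.endswith("." + shown_host)
            if shown_host and real_host and not same_site:
                findings.append((text, href,
                                 "text shows %s but link goes to %s" % (shown_host, real_host)))
    return findings


# Constructed sample: one honest link, one mismatch, one file:// lure,
# one raw-IP destination and one plain-text link that needs no check.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is ready: <a href="https://invoice.example.com/view">invoice.example.com/view</a></p>
<p>Reset your password: <a href="http://example.net/reset">https://accounts.example.com/reset</a></p>
<p>Statement: <a href="file://share/statement.exe">statement.pdf</a></p>
<p>Sign in: <a href="http://192.0.2.10/login">Sign in</a></p>
<p><a href="https://www.example.com/help">Help center</a></p>
</body></html>"""

if __name__ == "__main__":
    for shown, href, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-40s -> %-30s %s" % (shown, href, reason))
```

Run against the sample, the honest invoice link and the "Help center" link pass, while the other three are reported with the reason each was flagged.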

If an email has a document or PDF attached and asks for certain scripts to be enabled, or for a security warning for content to be accepted, this should only ever be done if the email came from a known and trusted sender. As the sender's email address may have been spoofed, it might be necessary to pick up the phone and call that person to check whether the email actually came from them. 

In addition, making sure that systems are regularly patched and updated will prevent the exploitation of obvious vulnerabilities, and protect against those attackers that take a direct approach.

Ransomware may not be the threat it once was, but it still poses a risk to the files and systems of businesses everywhere. With improved awareness, network hygiene, and general preparedness, however, organizations can minimize this risk and keep the attackers at arm's length.

About the author: Richard Hummel has 10 years of experience in the intelligence field and is currently the Threat Intelligence Manager for NETSCOUT's ASERT. Previously, he served as Manager and Principal Analyst on the FireEye iSIGHT Intelligence’s Financial Gain team. He began his career as a Signals Intelligence Analyst with the United States Army.

Embracing Cybersecurity Best Practices, No Matter Where You Are

Fri, 05 Oct 2018 07:16:42 -0500

Your cyber health should be on your mind as much as your physical health, if it isn’t already.

Whether you are at home, in town, in the workplace, or somewhere in-between, our dependence on digital connections has made any potential security gap a tempting target, both from external sources, and the people we may already know and trust. The systems, files, and data available on devices are inherently useful and sellable to someone, making you just as likely a target as your friends, family and colleagues.

With this week kicking off the National Cyber Security Alliance (NCSA) Cybersecurity Month initiative, now is the perfect time to make your home, and your remote workplaces, a haven for online safety.

Getting Comfortable with Cybersecurity

Every person who uses a piece of internet-connected technology is at risk of their systems, files, and data being compromised or misused. This isn’t fearmongering. This is fact.

Our job as users, and providers, of these technologies, is to always strive to be a better steward in terms of use, access, and interactivity. Visibility, awareness, and alertness are the key!

Insider Threat Incidents Can Occur Anywhere

An insider threat is someone – typically an employee or vendor – with authorized access to critical information or systems who misuses that access either maliciously or accidentally, resulting in a negative outcome.

According to an independent survey conducted by the Ponemon Institute, roughly 63% of insider threat incidents were caused by user carelessness or negligence. We each must know what is happening and what is possible when we choose to connect to online services, neglect device and software maintenance, and share files and data. This is especially true when working remotely using a company-owned device or accessing company systems, files, or data.

According to the annual Verizon security report, the top six threats include “using stolen credentials, keyloggers or other spyware, data-stealing malware, phishing, backdoor malware, and malware communicating with command-and-control servers.” Looking back, most of these threats start with an insider intentionally or accidentally opening the door to new threats.

What can we learn from this? Whether we are at home or in the office, we can’t get too comfortable and let our collective guards down. The moment we do could be the moment that we open a door to new risks or cause an insider threat incident.

Cybersecurity Tips for the Home Office

Here are some basic tips for improving your cyber health at home and on-the-go:

1. Connect with Consideration

How you connect to the internet is a critical first step to ensuring your safety while online. This doesn’t just mean ensuring that your WiFi is encrypted, guest access is off, and strong passwords are in place and are on frequent rotation…though these are all very important as well.

Your router and wireless access points are sophisticated pieces of hardware, and as such, often need updating to ensure that they function correctly with all connected devices. They also need frequent updates to remain secure.

Router hardware vendors like D-Link, Linksys and others are increasingly pushing out firmware updates to their systems to keep up with new cybersecurity risks. It is up to you to ensure that these updates are installed, so make sure that you regularly log into these devices to see if an update is available.

2. Manage Software & Devices Regularly

When a software update pops up on your computer or device, do you immediately install it, or do you exit out of it in frustration? More likely than not, it’s the latter, and that’s a big problem from a cybersecurity standpoint.

Keeping your software versions and hardware firmware and drivers up-to-date is crucial to minimizing risk of a cybersecurity incident. Malicious individuals often scope out older versions of software because of known gaps or bugs that enable them to have an easier entry point into systems.

This may be a bit of a no-brainer, but swift and frequent software updates are essential to keeping yourself safe. While it may be inconvenient, it is far more inconvenient to have to clean up after an incident!

Updates are also critical when it comes to your passwords. By regularly rotating your device and application passwords, using longer strings, setting up two-factor authentication, and never using a password more than once, you’re decreasing the risk that your password will be compromised.

3. Be Aware While Sharing Data

How someone uses and shares their data is quite possibly one of the biggest modern risks to individual and organizational cyber health. To avoid an external breach, or being an insider threat incident waiting to happen, always be aware of what you are doing with the data that you have access to.

First, if you are working remotely, try utilizing your organization’s VPN (virtual private network), if there is one available. This will extend the security of the network at your office to your device to make sending and receiving data as secure as if you were directly on the office network.

Also, if you are about to use a third-party cloud storage service, you should first confirm if it is against your organization’s cybersecurity policy. The more systems, files, and services you interact with, the more variables of risk are at play!

Remember: Visibility, Awareness, and Alertness

Much like your physical health, there is no way to guarantee cyber health. However, by having visibility and awareness of the risks of all online interactions, and being alert to any potential threats, you can start to improve your cyber health, no matter where you are.

About the author: Mike McKee brings over 20 years of cross-functional, global experience in technology to ObserveIT. Previously, Mike led the award-winning Global Services and Customer Success organizations at Rapid7, served as Senior Vice President CAD Operations and Strategy at PTC, and Chief Financial Officer at

Copyright 2010 Respective Author at Infosec Island
6 Ways to Use CloudTrail to Improve AWS Security
Tue, 02 Oct 2018 05:42:00 -0500

These days it’s pretty commonplace knowledge that when it comes to clouds – being as dynamic and fast paced as they are – organizations need as much insight as they can get in order to recognize where any looming threats might be, what they are, and the necessary means to get some context about how these threats could potentially (read: inevitably) cause headaches.

As we know, Amazon Web Services (AWS) S3 breaches tend to be caused by a bucket being inadvertently exposed. Generally, the fault lies in being unaware of how buckets are being used and the corresponding configurations (and changes to those configurations). What is critical to know is whether or not the configurations are adequate to maintain the type of security necessary for the data being transacted in and through that bucket.

When it comes to their S3 buckets, the most important thing for cloud security managers is to have a purpose for their S3 buckets and know how they’re being used. One of the best ways of doing this is by using relevant data provided by CloudTrail logs, and factoring it into the continuous monitoring of your cloud activities.

CloudTrail identifies and tracks API calls being made on behalf of your AWS accounts. Logs encode the specifics of the calls being made, including important data like time of call, who made the call (even if it was done outside of your organization), the IP of where the call originated, success of the call, errors, and pretty much all other important information.

There’s no question that CloudTrail is an important element of AWS’s inherent cloud security tools. However, it can also be limiting unless it’s included as part of a comprehensive, end-to-end approach that identifies and evaluates everything happening in your cloud.

Unfortunately, a surprising number of organizations we talk with don’t even turn on CloudTrail, so they miss the opportunities that it provides.

Here are six key best practices that will help your organization identify issues within your AWS accounts and will optimize the benefits of using a host-based approach:

  1. Turn on CloudTrail across your entire AWS environment: Once turned on, you’ll have CloudTrail logging for all your AWS activities, irrespective of region.
  2. Require MFA for S3 bucket access: Hackers have this nasty habit of deleting CloudTrail logs in order to cover their tracks. With MFA turned on for S3 bucket access, the hacker will have an additional, and complicated, hurdle to cross. MFA is simple to implement and will ultimately save you major headaches later on.
  3. Enable S3 bucket logging: CloudTrail uses S3 buckets to capture and store AWS events. Enabling that logging for buckets ensures you can identify and track any and all access and usage. Seeing the unauthorized access and where they’re coming from will provide a great advantage in doing forensic analysis.
  4. Use least privilege for CloudTrail S3 buckets: This is all about restricting access to logs. Most people in your organization won’t need to see these logs anyway, so keeping a narrow list of admins will reduce the potential for misuse, phishing, dead account clean up, and other hacker targets that can result from widespread access.
  5. Encrypt logs at rest: This is a great way to maintain oversight over logs. Because users will have to decrypt CloudTrail files after they’re encrypted, it creates an additional, complex step in the process, and it demands that users who decrypt files must have permission both to decrypt and encrypt.
  6. Provision access with IAM policies: When you map access to groups or roles instead of specific people, you decrease the potential of unintentional access being granted. It also reduces the logistics of permission management and allows you better control over access points.
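Practices 1 through 3 above only pay off if someone actually reads the trail. The script below is an added example (not code from the article or from Lacework) showing what a minimal CloudTrail triage pass looks like: it pulls out the fields the article names (time, caller, source IP, call, success or error) and raises an alert whenever a call disables, deletes or reconfigures a trail, or deletes the bucket that holds the trail's logs, which is exactly the track-covering behaviour practice 2 is meant to frustrate. The log records, the account id, the IP addresses, the trail name `org-trail` and the bucket name `example-org-cloudtrail-logs` are all constructed for the example; the event names (`StopLogging`, `DeleteTrail`, `UpdateTrail`, `PutEventSelectors`, `DeleteBucket`, `DeleteBucketPolicy`, `PutBucketLifecycle`, `PutBucketAcl`) are real CloudTrail and S3 API names, but which of them you treat as tampering is a policy choice assumed here.

```python
"""Triage CloudTrail records and flag calls that tamper with the trail itself.

Added example with constructed input; it reads a CloudTrail log file in the
documented {"Records": [...]} layout and never calls AWS.
"""
import json

# Calls that stop, delete or reconfigure a trail (CloudTrail API) or destroy /
# weaken the bucket holding trail logs (S3 API). Assumed watch list for the example.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteBucketPolicy",
                         "PutBucketLifecycle", "PutBucketAcl"},
}

# Bucket that stores the trail's logs (constructed name for the example).
TRAIL_BUCKET = "example-org-cloudtrail-logs"

# Constructed CloudTrail records: a console login, a StopLogging call that
# succeeded, a DeleteBucket on the trail bucket that was denied, and a
# DeleteBucket on an unrelated bucket. Account id and IPs are documentation values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-10-01T09:12:03Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2018-10-01T09:15:41Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventVersion": "1.05", "eventTime": "2018-10-01T09:16:02Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "requestParameters": {"bucketName": "example-org-cloudtrail-logs"},
     "responseElements": None, "errorCode": "AccessDenied",
     "errorMessage": "Access Denied"},
    {"eventVersion": "1.05", "eventTime": "2018-10-01T09:20:55Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "scratch-data"}, "responseElements": None},
]})


def parse_records(log_text):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(log_text)["Records"]


def summarize(record):
    """Extract the fields worth keeping: when, who, from where, what, and outcome.

    CloudTrail adds errorCode/errorMessage only when the call failed, so the
    absence of errorCode means the call succeeded.
    """
    identity = record.get("userIdentity") or {}
    return {
        "time": record.get("eventTime"),
        "actor": identity.get("arn") or identity.get("type", "unknown"),
        "source_ip": record.get("sourceIPAddress"),
        "service": record.get("eventSource"),
        "action": record.get("eventName"),
        "region": record.get("awsRegion"),
        "succeeded": "errorCode" not in record,
        "error": record.get("errorCode"),
    }


def is_trail_tampering(record, trail_bucket=TRAIL_BUCKET):
    """True if the call disables/alters a trail or targets the trail's log bucket."""
    service = record.get("eventSource")
    action = record.get("eventName")
    if action not in TAMPER_EVENTS.get(service, set()):
        return False
    if service == "s3.amazonaws.com":
        # Only bucket operations aimed at the trail's own bucket are of interest.
        params = record.get("requestParameters") or {}
        return params.get("bucketName") == trail_bucket
    return True


def triage(log_text, trail_bucket=TRAIL_BUCKET):
    """Return summaries of every tampering call, whether it succeeded or was denied.

    Denied attempts are kept on purpose: a refused DeleteBucket on the log
    bucket is still a signal worth investigating.
    """
    return [summarize(r) for r in parse_records(log_text)
            if is_trail_tampering(r, trail_bucket)]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        status = "succeeded" if alert["succeeded"] else f"failed ({alert['error']})"
        print(f"{alert['time']} {alert['actor']} from {alert['source_ip']} "
              f"called {alert['action']} in {alert['region']}: {status}")
```

Run against the constructed records this prints two alerts: the successful `StopLogging` and the denied `DeleteBucket` on the log bucket; the login and the deletion of the unrelated bucket are left alone. On a real account the same logic would run over the gzipped JSON files CloudTrail delivers to its S3 bucket, one file at a time.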

Managing security in AWS is not a set-it-and-forget-it type of proposition, but with proper management of CloudTrail, along with a host-based continuous monitoring solution, you’ll have the insight needed to be effective at combating threats. With more knowns, fewer unknowns, and a clear view of what you know and don’t know, you’ll be prepared to maintain your cloud environment’s security posture and keep your environment safe.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

Copyright 2010 Respective Author at Infosec Island
“You’re Both Right…Now Go To Your Rooms!”
Tue, 02 Oct 2018 03:37:00 -0500

Those of us on the security side of the DevOps vs. company security argument tend to only see one side of the story as the truth – the security side. But that’s not always true.

Traditionally, DevOps and security have butted heads. One side sees security and policy as a roadblock to successful development. The other side feels that developers ignore or downplay the importance of what they’re trying to do and what they’re trying to protect. Similar to two siblings arguing, organization leaders (parents) simply tell them to deal with each other and send them “off to their rooms,” instead of trying to address the underlying problem.

This causes a stalemate, where some security is applied and some is worked around or ignored. In these situations, no one is happy, as development speed and efficiency is less than ideal – and the ideal security policy isn’t being implemented either.

The argument in favor of security is easy to understand – but there are often solid arguments on the development side, too – and it would benefit security professionals to understand these arguments and learn how to ensure both sides get what they want. Understanding and addressing development’s needs can help improve your company’s processes – to the benefit of all.

A Common Misconception

A myth among security professionals is that developers want no security in place at all. That is simply not the case. Developers want to ensure the security of the apps they’re building; however, they want to do so in a way that aligns with their need for speed and agility.

Security is a goal for both teams. It’s the level and amount of security – and how much control each team must surrender in order to achieve security – where differences arise.

In fact, in order to secure their applications, developers want to identify and remove vulnerabilities. What they don’t want, however, is for security policies to become a hindrance and prevent them from collaborating and developing software in an efficient and cost-effective way.

Being secure is not a tough sell – but asking someone to change the way they work for the sake of security is.

Put Yourself In Their Shoes

As a developer, you need security to be something that operates behind-the-scenes. Developers are not hired to be security experts – and they don’t want to have to learn to become one. That’s the job of security teams. Developers will be more willing to accept security policies and tools if they don’t have to think about them, change how they do things, or spend any effort to make them work.

As you think about it from their point of view, it’s easy to see that the traditional way of implementing security has no place in today’s development world. Organizations need to be agile and flexible to be effective; this is true of developers – and is also true of security professionals.

Modern security solutions need to be enablers of DevOps teams – making it easier for them to build, deploy and operate secure applications in an efficient manner. Security solutions also need to be ready to grow with your company’s success. No company wants to have to adjust their methods and processes to account for success.

An Automated Solution

Security professionals need to embrace automated security solutions to answer this common developer complaint. The automation of security protocols can be a way to resolve the security vs. development conflict.

With the speed at which potential attacks change – and the way that DevOps embraces continuous integration and delivery tools – services can be created and modified so often that it becomes impossible to manually review and ensure each one is configured, deployed and communicating as intended, or is being operated in compliance with the latest corporate security policies.

Automated tools can find security issues or configuration errors in the background – not affecting the way developers work – and then act to eliminate or correct them. It quickly becomes easy to identify and protect vulnerable containers that could be externally accessible. By doing this, potential attacks and breaches are prevented.

Automated security can also keep your systems up-to-date on the latest attacks and potential issues. It does this behind-the-scenes, so your development environments are constantly protected, regardless of whether they’re on-premise, or in a private or public cloud. Just as importantly, automation ensures development is not interrupted each time there is an update.


Security automation ensures that developers’ arguments are listened to and met – and that teams do not have their efforts limited because of the need to remain compliant. A wise person once said there are three sides to every story: yours, mine – and the truth. Those of us who live and breathe security would do well to remember that, especially when it comes to DevOps.

About the author: Reuven Harrison is CTO and Co-Founder of Tufin. He led all development efforts during the company’s initial fast-paced growth period, and is focused on Tufin’s product leadership. Reuven is responsible for the company’s future vision, product innovation and market strategy. Under Reuven’s leadership, Tufin’s products have received numerous technology awards and wide industry recognition.

Copyright 2010 Respective Author at Infosec Island
DNC Phishing Scare Was a Training Exercise Gone Awry: Lessons Learned
Tue, 02 Oct 2018 01:37:00 -0500

It seemed like déjà vu all over again. Echoing one of the most talked about successful phishing attacks of all time, the Democratic National Committee (DNC) once again had cause to raise concern recently, believing that it was the intended target of a new phishing campaign. And, given upcoming elections in the US, the DNC had every reason to take the threat of attack seriously. The then-known evidence and facts seemed to point to a motivated attacker building a sophisticated phishing campaign, including a credential harvesting webpage “target[ing] the Democratic Party’s voter file, known as Votebuilder.” Even the FBI, the DNC’s CISO, and outside security companies believed the trail pointed to a malicious attack… Except it wasn’t malicious. And it wasn’t an attack… at least not in the traditional sense.

As experts and the media had more time to study the evidence, it became clear that all of the fear and excitement was over a simulated phishing test conducted by the Michigan Democratic Party. Oops…

What Went Wrong?

As you can imagine, the answer is: “A few things.” First and foremost, there was a lack of communication. The simulated phishing test was conducted by a third-party contractor that was hired by the Michigan Democratic Committee – which is not authorized to conduct the testing; and is technically a separate group from the DNC. The New York Times stated, “The blunder was caused by a lack of communication between the national committee and one of its state branches, the officials said. The Michigan Democratic Party had hired hackers to simulate an attack known as phishing, but did not inform the national committee.”

And, not only did they not communicate appropriately about the testing, the way the group went about setting up the scenario had all the hallmarks of a real phishing attempt, and none of the signs (or benefits) of a training campaign. The Times again reported that they registered new domains specifically for the event, and the landing page “very closely mimicked the infrastructure you’d see actual hackers using,” said Bob Lord, CISO for the DNC. “At the time that it was detected by outside parties, it did not exhibit any of the characteristics of a training system.”

The sad truth is that all of the drama could have been avoided if they had only followed a few well-known best practices. Instead, it seems that they took a more maverick approach and ended up with an embarrassing outcome. Unfortunately, while this is much bigger from a media perspective than many of the stories I’ve heard before, embarrassing situations are generally the foreseeable result for people who try to conduct simulated phishing tests in a cavalier way.

Avoid Embarrassment by Knowing Goals & Scope

Here’s how you and your organization can avoid this type of embarrassment: it’s all about understanding your goal and scope. If your goal is just to see where problems might be (without education), then you are essentially doing a penetration test (we’ll leave that goal aside for now). But, if you are wanting to shape behavior, then education is key. And with education comes the need for clear communication, processes, and systems.

After you’ve clarified your goals, it is critically important to engage your stakeholders. This includes validating your goals, methods, processes, and ground rules. It’s very clear that, in the recent DNC snafu, stakeholders were NOT engaged or informed. That single missing element was what led to all of the other confusion and the associated waste of time, energy, and resources.

Best Practices Matter

As the security vendor providing the world’s most popular platform for conducting simulated phishing and social-engineering testing, we know that maverick missteps like the ones leading to the confusion last week can taint the entire idea of conducting simulated phishing exercises. Fortunately, though, embarrassing issues like that can easily be sidestepped by adhering to best practice advice. Doing so results in a win-win for all involved; embarrassment is banished, employee behavior related to phishing is improved, and the organization becomes more resilient.

So, what’s the upside of this situation for the DNC? At least they got to test their incident response plan and know that the security community is on the lookout for bad actors and bad actions. You know how sometimes members of your local neighborhood watch group are suspicious of your brother-in-law’s sketchy van parked near your house? You’ll be thankful for them when they notice real threats. But, in the meantime, it’s best to curtail all of the drama through clear communication and processes.

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Copyright 2010 Respective Author at Infosec Island
Variations in State Data Breach Disclosure Laws Complicate Compliance
Wed, 26 Sep 2018 02:11:47 -0500

Incident Response Planning Can Ease the Pain

New data breach notification laws are good news for consumers, better news for attorneys, but not very good news for businesses already struggling to stay on top of a constantly evolving regulatory landscape. For companies, these laws mean increased workloads and expenses.

Local, state, and federal laws governing businesses have been in place for years. While updates to them are often routine and expected, regulatory compliance burdens have exploded over the past few years due to a raft of new consumer protection laws, principally those covering data breach protection.

Just a few months ago, Alabama became the last state to pass a law requiring companies to notify individuals when their personal information is exposed as a result of a data breach.

Even though all 50 states now require businesses and other organizations to notify consumers when a breach occurs, the laws, of course, are mostly different. While people must be notified when their personal information is breached, the definitions of “personal information” vary widely from state to state. Such variation creates more work and cost for businesses.

In addition to the varying definitions of “personal information”, the scope of these laws is also inconsistent. Like GDPR, many state laws apply not only to businesses operating in the state, but also to businesses that suffer a breach which includes personal information belonging to individuals who reside in the state. For example, a company operating in Nebraska may also be subject to the breach notification requirements of Florida, Texas, New Hampshire, Ohio and any other states where their customers reside. This significantly complicates disclosure requirements.

Here’s a glimpse into the variations. While most laws require individuals to be notified when their electronic records are breached, only eight states require notification when paper records are compromised. In some states, companies must report breaches to the Attorney General’s Office even if only one record is breached. In other states, reporting does not apply unless a minimum number of records — 250, 500 or 1000 — is breached.

Globally, the legal complexities assume even greater proportions. For example, the European Union’s General Data Protection Regulation (GDPR), which came into effect recently, requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the European Union.

GDPR applies to all companies operating in Europe and all companies with a website or app that captures and processes the data of EU citizens. Failure to comply with the law could result in substantial fines: up to €20 million or 4 percent of a company’s global revenue, whichever is higher. 

Consumers in the Crosshairs

Consumers, of course, have several good reasons to worry about data breaches and the security of the companies they do business with. Cyber-attacks on huge corporations can result in identity theft, credit card and bank fraud, and even healthcare fraud.

Two cyber-attacks stand out: Equifax and Yahoo. Last year’s attack on credit reporting agency Equifax exposed the personal information of about 143 million people — nearly half of US population.

The Yahoo breaches — dating back to 2013 and 2014 but only disclosed in 2016 — were perhaps the biggest in US history, and potentially affected 1.5 billion account holders.

These and other breaches have seriously weakened people’s trust in businesses of every size and description.

A recent survey of 5,000 US consumers by CarbonBlack revealed that 72 percent of people would consider leaving a financial institution if it were hit by ransomware. Seventy percent said they would consider leaving a retailer, and 68 percent said they would consider leaving a healthcare provider.

Incident Response and Regulatory Compliance

While there are many elements involved in meeting breach disclosure requirements, incident response (IR) can play a central role, primarily because it is data-driven, works in real time, and delivers measurable results.

IR consists of pre-breach planning and post-breach action, both of which can help organizations prevent/detect breaches, comply with breach disclosure laws and regulations, notify all stakeholders within appropriate timeframes, and take appropriate measures.

IR and data breach disclosure spans three distinct phases: detection, investigation, and auditing.

Detection is the most basic element. Many organizations get into deep legal and public relations trouble because they failed to detect a breach that happened two or three months beforehand — and therefore failed to contain and stop the damage.

Following a breach comes the investigation phase. What was breached? When did the breach start? How much damage has been caused? Is the breach still active? These and other vital questions must be answered as soon as possible.

This is where proper auditing comes into play. Without such auditing, an organization is forced to assume the worst — that the breach affected everything.

Post-breach, incident response procedures and processes play an equally vital role. Assuming an organization has a well-documented audit trail of what was breached, when, and where, the next step is to notify all stakeholders as quickly as possible. Those stakeholders include internal and external legal teams, as well as C-level executives.

With the right processes, procedures and technology in place, IR provides the glue to understand, remediate and communicate the details of a data breach. Knowing what happened and what data was impacted is the first and most important step in being able to meet disclosure law requirements and comply with tight notification deadlines.

About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.

Copyright 2010 Respective Author at Infosec Island
Are Colleges Teaching Real-World Cyber Security Skills?
Tue, 25 Sep 2018 01:24:13 -0500

The cybersecurity skill shortage is a well-recognized industry challenge, but the problem isn’t that there are too few people; rather, many of them lack suitable skills and experience. Cybersecurity is a fast-growing profession, and talented graduates are in very high demand. Cyber degree programs are rapidly opening up at colleges across the country, and students are racing to enroll, eager to join one of the most challenging and financially rewarding fields. Yet, there seems to be a growing chasm between what graduates learned in school and what the market demands. In my personal experience as a cybersecurity training consultant, I hear time and again how frustrated SOC managers are with finding qualified SOC analysts. They report they get plenty of resumes, but rarely come across a candidate who has the right skills and experience to take a seat in the SOC and handle the challenges of a high-pressure sec ops environment. So, the real challenge of the cybersecurity skill shortage is making sure new recruits are prepared for the real world.

Cyber security skills are lacking

As cyber threats are multiplying in number and becoming much more complex and sophisticated, the need for young professionals with the cyber security skills to fill those positions is also growing rapidly. According to Forbes, cybersecurity is a lucrative field with an average salary currently at $116,000, nearly three times the national median income for full-time wage positions. But money is not the only thing that attracts people to the cybersecurity realm. A recent survey found that among the top reasons for choosing this profession are the reputation for integrity, as well as for being a leader in a challenging and prominent discipline.

Accordingly, the number of cybersecurity education programs and students is exploding. Based on public US Government data, approximately 3,000 educational institutions are currently training future cybersecurity practitioners and according to the rate of growth, by 2021 there will be over 100,000 graduates in the United States alone. Colleges are increasingly recognizing the need to adapt computer science education for tomorrow’s occupational and technology needs. Innovative institutions of higher education are setting up cybersecurity degree programs, to set themselves apart and prepare their students for rewarding careers.

Yet, there is a deep incongruence between academia and the field. This month the SANS 2018 Security Operation Center Survey was published and reported some eye-opening findings. It revealed that 62% of surveyed organizations reported they lack skilled cybersecurity staff. The skill shortage was also cited as the leading challenge hampering SOC capabilities. Mark Aiello, president of Cyber 360, a staffing firm specializing in finding skilled cybersecurity professionals to fill vacancies, says, “Talent is so scarce that it typically takes eight to 12 months to fill cybersecurity jobs”. The authors of the SANS survey also state that for most organizations, “hiring skilled security staff is challenging and expensive”. It seems that the problem isn’t too few applicants, but rather that most candidates have inadequate skill sets and experience.

Practice Makes Perfect

SOC analysts must have a large amount of formal knowledge and the analytic abilities to derive actionable insights from the data collected by the company’s various security tools. Moreover, the analyst is expected to use human behavioral and business context to identify threats and make decisions about how to respond to keep the organization safe. However, most junior security staff enter the cybersecurity job market with only theoretical knowledge of what “security” is, lacking practical analytical methodologies, detection techniques and more advanced specialized skills. New graduates often lack the practical analysis and synthesis skills, which leaves them unprepared to face the challenges they will meet in the cybersecurity world.

The 2018 SANS survey states that “gamification of the SOC via simulations, exercises, training or any other form of targeted practice is becoming the standard operating procedure for providing a SOC skill set and an effective way of retaining skilled staff”. Institutions of higher education are starting to address the deep asymmetry between frontal instruction and practical exercises by incorporating a cyber range into their cybersecurity curricula.

Cyber ranges produce cybersecurity excellence

Innovative higher education institutions are determined to prepare their students with highly relevant knowledge and practical skills that are valued in the workplace. Cyber ranges are virtual environments used for cyberwarfare training and the development of cyber technologies. A cyber range offers hands-on training in which students can fully experience attacks in a simulated environment. This realistic experience strengthens the analyst’s performance and ability to respond to the most menacing emerging threats. In addition to gaining formal and theoretical knowledge, the range allows students to gain the hands-on experience employers value most and enter the job market well prepared and with a strong competitive edge over other job candidates. A cyber range enables colleges and universities to constantly challenge their students and faculty and can also support cybersecurity academic research.

Cybersecurity education is prospering and attracting larger numbers of students each year. Ambitious students are looking for leading-edge programs where they will be challenged and gain valuable knowledge and experience that will prepare them for their careers as cybersecurity professionals. Students realize that theoretical knowledge alone is not enough to prepare them to take part in defending an organization under cyberattack. Make on-campus cybersecurity simulation labs an integral part of the syllabus and arm your students with as much hands-on experience as possible from their first semester through to graduation.

About the author: Adi Shua is the Range Product Manager at Cyberbit.

Copyright 2010 Respective Author at Infosec Island