From: CSOOnline.com by: Lucian Constantin
Security vendor Kaspersky Lab has updated its antivirus products to fix an issue that exposed users to traffic interception attacks.
The problem was found by Google vulnerability researcher Tavis Ormandy in the SSL/TLS traffic inspection feature that Kaspersky Anti-Virus uses to detect potential threats hidden inside encrypted connections.
Like other endpoint security products, Kaspersky Anti-Virus installs a self-signed root CA certificate on computers and uses it to issue "leaf," or interception, certificates for all HTTPS-enabled websites accessed by users. This allows the product to decrypt and then re-encrypt connections between local browsers and remote servers.
Ormandy found that whenever the product generates an interception certificate it calculates a 32-bit key based on the serial number of the original certificate presented by the website and caches this relationship. This allows the product to present the cached leaf certificate when the user visits the same website again instead of regenerating it.
The problem, according to Ormandy, is that a 32-bit key is very weak and an attacker could easily craft a certificate that matches the same key, creating a collision.
He described a possible attack as follows: "Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef. Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for. On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say attacker.com). Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com."
This implies that the attacker -- Mallory in Ormandy's example -- has a man-in-the-middle position on the network that allows him to redirect the user accessing mail.google.com via DNS to a rogue server under his control. That server hosts and presents a certificate for a domain called attacker.com.
Under normal circumstances the browser should display a certificate error, because the certificate for attacker.com does not match the mail.google.com domain accessed by the client. However, since the browser will actually see the interception certificate generated by Kaspersky Anti-Virus for mail.google.com, and not the original one, it will establish the connection without any error.
The 32-bit key is so weak that certificate collisions would also occur naturally during normal browsing. For example, Ormandy found that the valid certificate used by news.ycombinator.com has the same 32-bit key calculated by Kaspersky Anti-Virus as the certificate for autodiscover.manchesterct.gov.
According to the researcher, Kaspersky Lab pointed out that there is an additional check being performed on the domain name in addition to the 32-bit key. This makes attacks harder, but not impossible.
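The weakness is easiest to see by modelling the cache. The following Python is an added example, not Kaspersky's code or Ormandy's proof of concept; the `LeafCert` type, the two cache-key functions, the `InterceptionCache` class and the sample certificates (example.com names, fake DER bytes, serial numbers chosen to agree in their low 32 bits) are all constructed here. It contrasts a cache keyed on 32 bits of the serial number, as the article describes, with one keyed on a SHA-256 fingerprint of the whole certificate bound to the requested hostname (an assumed mitigation, not the fix the vendor shipped), and it computes the birthday bound that explains why collisions also turn up in ordinary browsing.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LeafCert:
    """Constructed stand-in for a server certificate; `der` is fake bytes, not real ASN.1."""
    serial: int
    common_name: str
    der: bytes


def weak_cache_key(cert: LeafCert, host: str) -> int:
    """Cache key derived from only the low 32 bits of the serial number (the scheme the
    article describes). The hostname is deliberately ignored, as in that design."""
    return cert.serial & 0xFFFFFFFF


def strong_cache_key(cert: LeafCert, host: str) -> bytes:
    """Assumed mitigation: key = SHA-256 over (hostname, full certificate bytes), so two
    different certificates, or one certificate seen for another host, never share a key."""
    h = hashlib.sha256()
    h.update(host.encode("utf-8"))
    h.update(b"\x00")  # separator so the host/certificate boundary cannot be shifted
    h.update(cert.der)
    return h.digest()


class InterceptionCache:
    """Toy model of the per-site interception-certificate cache: on a miss it 'issues'
    a leaf certificate for the origin's common name and remembers it under the key."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._store: dict = {}

    def lookup_or_issue(self, host: str, origin_cert: LeafCert):
        key = self._key_fn(origin_cert, host)
        hit = key in self._store
        if not hit:
            self._store[key] = f"interception-cert-for:{origin_cert.common_name}"
        return self._store[key], hit


def collision_probability(n_certs: int, key_bits: int) -> float:
    """Birthday bound: probability that at least two of n uniformly random
    key_bits-bit keys coincide, 1 - exp(-n(n-1) / 2^(key_bits+1))."""
    return 1.0 - math.exp(-n_certs * (n_certs - 1) / (2.0 * 2 ** key_bits))


def compare_cache_designs() -> dict:
    """Feed the same two certificates to both cache designs. The certificates are
    constructed so their serial numbers agree in the low 32 bits but differ above."""
    genuine = LeafCert(0x0000_0001_DEAD_BEEF, "mail.example.com", b"constructed-der-genuine")
    colliding = LeafCert(0x0000_0002_DEAD_BEEF, "other.example.com", b"constructed-der-other")
    assert weak_cache_key(genuine, "") == weak_cache_key(colliding, "")

    results = {}
    for name, key_fn in (("weak", weak_cache_key), ("strong", strong_cache_key)):
        cache = InterceptionCache(key_fn)
        cache.lookup_or_issue("mail.example.com", genuine)  # first visit: miss, issue
        # second visit to the same host, but a different certificate arrives
        served, hit = cache.lookup_or_issue("mail.example.com", colliding)
        results[name] = {"second_lookup_hit": hit, "served": served}
    return results


if __name__ == "__main__":
    for n in (1_000, 10_000, 77_000):
        print(f"{n:>6} certs, 32-bit key: P(collision) = {collision_probability(n, 32):.4f}")
    for design, outcome in compare_cache_designs().items():
        print(design, outcome)
```

With the weak key the second lookup is a cache hit and the interception certificate minted for the first origin is served even though a different certificate was presented; with the fingerprint-plus-host key it is a miss and a fresh certificate is issued. The birthday bound reaches about 50% once roughly 77,000 distinct certificates have been seen, which is why two unrelated production sites can share a key by chance.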
"We were able to come up with alternative attacks that still worked and Kaspersky resolved it quickly," Ormandy said in an advisory made public Wednesday. The company fixed the issue on Dec. 28, he said.
Security vendors justify their SSL/TLS interception practices through a legitimate need to protect users from all threats, including those served over HTTPS. However, their implementations have often resulted in security issues. That's because performing certificate validation correctly is not easy and is something that browser vendors themselves have perfected over many years.
From: CSOonline.com By: Thor Olavsrud
As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.
"2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."
The ISF says the top four global security threats businesses will face in 2017 are the following:
- Supercharged connectivity and the IoT will bring unmanaged risks.
- Crime syndicates will take quantum leap with crime-as-a-service.
- New regulations will bring compliance risks.
- Brand reputation and trust will be a target.
"The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations," Durbin says. "In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target's weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events."
The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.
Supercharged connectivity and the IoT bring unmanaged risks
Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.
Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.
"The thing for me with 2017 is I describe it as an 'eyes-open stance' we need to take," Durbin says. "We're talking about devices that never ever had security designed into them, devices that are out there gathering information. It's relatively simple to hack into some of these things. We've seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they're designed to link."
Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That's not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.
"Critical infrastructure is one of the key worry areas," Durbin says. "We look at smart cities, industrial control systems — they're all using embedded IoT devices. We have to make sure we are aware of the implications of that."
"You're never going to protect the whole environment, but we're not going to get rid of embedded devices," he adds. "They're already out there. Let's put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices."
Crime syndicates take quantum leap with crime-as-a-service
For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they've been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.
"I originally described them as entrepreneurial businesses, startups," Durbin says. "What we're seeing is a whole maturing of that space. They've moved from the garage to office blocs with corporate infrastructure. They've become incredibly good at doing things that we're bad at: collaborating, sharing, working with partners to plug gaps in their service."
And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.
"They're interested in anything that can be monetized," Durbin says. "It doesn't matter whether it's intellectual property or personal details. If there is a market, they will go out and collect that information."
He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.
New regulations bring compliance risks
The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.
In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDPR) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it's coming from, what it's being used for, where and how it's being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.
"The challenge in 2017 for organizations is going to be two-fold," Durbin says. "First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDPR, how do you ensure compliance with that?"
"The scope of it is just so vast," he adds. "You need to completely rethink the way you collect and secure information. If you're an organization that's been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you're protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I've spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you're taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to."
Brand reputation and trust are a target
In 2017, criminals won't just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure have a bull's eye painted on them. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.
"With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization's reputation than ever before," Durbin says. "In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we're no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come."
While most information security professionals will point to people as the weakest link in an organization's security, that doesn't have to be the case. People can be an organization's strongest security control, Durbin says, but that requires altering how you think about security awareness and training.
Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop "stop and think" behavior and habits.
"2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain," Durbin says. "They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior."
Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.
From: The Verge By: Rachel Becker
Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.
First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.
The FDA has been warning the healthcare industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication. It also means poorly-secured devices could give hackers access to hospital networks that store patient information — a situation that’s ripe for identity theft.
“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” says Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, in a blog post about the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”
The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.
Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don’t have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug — then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won’t have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.
This attempt to secure medical devices is just the beginning, says Eric Johnson, a cyber security researcher and dean of the Vanderbilt University business school, in an email to The Verge. The FDA’s Schwartz agrees, writing in a blog post: “This is clearly not the end of what FDA will do to address cybersecurity.”
From: CSO Online By: Gage Skidmore
There is much uncertainty surrounding the security industry for 2017, and according to experts in the field, a lot of the trepidation is directly connected to what the nation’s next president will do.
Here's what security vendors and analysts are predicting for the year ahead.
John B Wood, CEO of Telos Corporation, cites a need for cooperation between the government and the private sector. President-elect Donald Trump took a break from his “thank you” tour to meet with tech executives to smooth over a contentious time between the two sides during his campaign.
“President-elect Trump has been vocal about the need for a stronger and more aggressive cyber security posture, and I’m confident that he’ll work with leading members of Congress. Many non-political cyber experts throughout the government, various agency CISOs and [Federal Chief Information Security Officer] General Touhill will also be great resources to further refine cyber security policies to protect U.S. interests in the face of constantly changing threats,” Wood said.
He also noted the renewed focus on U.S. Cyber Command. The President-elect has promised to eliminate the threat of defense sequestration and to spend more on the military. “This needs to include working to roll back the budget caps for defense spending and providing additional resources for cyber security, including more money for U.S. Cyber Command, which I believe is grossly underfunded,” Wood added.
Speaking of funding, Wood does not believe that a change of administration will automatically lead to a change in regulatory policy.
“Although there will certainly be a big push by the Trump administration to roll back or modify overly burdensome regulations, I don’t see this affecting cybersecurity regulations, like the NIST Cyber Security Framework that has been developed in consultation with the private sector,” he commented.
Reuven Harrison, CTO and co-founder of Tufin, a provider of network security policy orchestration solutions for enterprise cybersecurity, said the thought of a Trump administration inevitably failing to uphold regulations will keep IT departments tossing and turning at night. “If Trump implements his deregulation promises, and penalties for non-compliance with industry-wide security regulations are relaxed, security teams will need to be self-disciplined to maintain a high level of security by turning to outside resources for security best practices,” he said.
Carson Sweet, co-founder and CTO at CloudPassage, said privacy will take center stage over security.
“Trump’s administration will create a fundamental shift in concerns as it pertains to security. There’s a new sheriff in town, and many posit that he has less regard for privacy concerns than the current administration. Case in point, Trump supported the FBI in its battle with Apple over iPhone privacy and security,” Sweet stated. “If this new administration demonstrates in their policies a value for law enforcement and intelligence access over citizens’ privacy, they’ll double or triple down on the government’s right to inspect data. The impact of such a reality would extend to the use of online services, cloud providers, even personal computing devices and IoT.”
What that impact would be is very hard to know, but it’s safe to bet that it won’t be positive, he said. The wars around PGP and personal encryption come to mind (anyone remember the Clipper chip?).
John Bambenek, threat systems manager at Fidelis Cybersecurity, said he never would have predicted last year that we would be talking about the DNC and hacking of elections.
“Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni,” he said.
While 2016 found the election under scrutiny because of alleged hacking by foreign powers, 2017 will continue the trend of identity theft and ransomware.
Forrester predicts that within the first 100 days, the new president will face a cybercrisis. The momentum of winning the election gives new presidents the public's support to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding the administration facing a cybersecurity incident.
Forrester suggests that the administration prepare for nation-states and ideologies looking to disrupt and degrade. They believe the U.S. should be on the lookout for China, North Korea and Iran.
“Political ideologies use electronic means to both recruit and spread information. DDoS attacks using IoT devices are becoming a common means of disrupting operations for companies or individuals that threat actors disagree with. A company can become a target not just because of its size or global presence but also because of its political donations or public statements. If you’ve never factored geopolitical concerns into your security risk analysis, you ignore them at your own firm’s peril.”
Civilian “casualties” in the Cyber Cold War
Corey Nachreiner, CTO at WatchGuard Technologies, follows Forrester’s way of thinking. “Whether you know it or not, the cyber cold war has started. Nation-states, including U.S., Russia, Israel, and China, have all started both offensive and defensive cyber security operations. Nation-states have allegedly launched malware that damaged nuclear centrifuges, stolen intellectual property from private companies, and even breached other governments' confidential systems. Countries are hacking for espionage, crime investigation, and even to spread propaganda and disinformation.”
He believes 2017 will be much of the same: Behind the scenes, nation-states have been leveraging undiscovered vulnerabilities in their attacks, suggesting that these countries have been finding, purchasing, and hoarding zero-day flaws in software to power their future cyber campaigns.
“In other words, the nation-state cyber cold war is an arms race to discover and hoard software vulnerabilities — often ones in the private software we all use every day,” he said.
If 2016 was the year hacking went mainstream, 2017 will be the year hackers innovate, said Adam Meyer, chief security strategist at SurfWatch Labs. Meyer analyzes large and diverse piles of data to help companies identify emerging cyber-threat trends. "2017 will be the year of increasingly creative [hacks]," he said. In the past, cybersecurity was considered the realm of IT departments, Meyer explained, but no longer. As smart companies systematically integrate security into their systems, hacker culture, too, will evolve.
"Cybercriminals follow the money trail," Meyer said, and smart companies should adopt proactive policies. Ransomware attacks grew quickly, he said, because the attacks are "cheap to operate, and many organizations are not yet applying the proper analysis and decision-making to appropriately defend against this threat."
It's equally cheap to identify internal vulnerability to hacks and to apply preventative best practices, Meyer said. But for many companies it's not as easy to understand the cybersecurity threats most likely to impact business. To help, TechRepublic spoke with a number of prominent security experts about their predictions for near-future cybersecurity trends likely to impact enterprise and small business in 2017.
Cyber-offense and cyber-defense capacities will increase - Mark Testoni, CEO at SAP's national security arm, NS2
We will see an increased rate of sharing of cyber capabilities between the commercial and government spaces. Commercial threat intelligence capabilities will be adopted more broadly by organizations and corporations... High performance computing (HPC), in conjunction with adaptive machine learning (ML) capabilities, will be an essential part of network flow processing because forensic analysis can't stop an impending attack. HPC + adaptive ML capabilities will be required to implement real-time network event forecasting based on prior network behavior and current network operations... [Companies will] use HPC and adaptive ML to implement real-time behavior and pattern analysis to evaluate all network activity based on individual user roles and responsibilities to identify potential individuals within an organization that exhibit "out of the ordinary" tendencies with respect to their use of corporate data and application access.
Ransomware and extortion will increase - Stephen Gates, chief research intelligence analyst at NSFOCUS
The days of single-target ransomware will soon be a thing of the past. Next-generation ransomware paints a pretty dark picture as the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, will return to prominence—but this time they will carry ransomware payloads capable of infecting hundreds of machines in an incredibly short timespan. We have already seen this start to come to fruition with the recent attack on the San Francisco Municipal Transport Agency, where over 2,000 systems were completely locked with ransomware and likely spread on its own as a self-propagating worm. As cybercriminals become more adept at carrying out these tactics, there is a good chance that these attacks will become more common.
Industrial IoT hacks will increase - Adam Meyer, chief security strategist at SurfWatch Labs
As more devices become internet-enabled and accessible and the security measures in place continue to lag behind, the associated risks are on the rise. Aside from the obvious risks for attacks on consumer IoT devices, there is a growing threat against industrial and municipal IoT as well. As leading manufacturers and grid power producers transition to Industry 4.0, sufficient safeguards are lacking. Not only do these IoT devices run the risk of being used to attack others, but their vulnerabilities leave them open to being used against the industrial organizations operating critical infrastructure themselves. This can lead to theft of intellectual property, collecting competitive intelligence, and even the disruption or destruction of critical infrastructure. Not only is the potential scale of these attacks larger, most of these industrial firms do not have the skills in place to deal with web attacks in real-time, which can cause long-lasting, damaging results. This alone will become one of the greatest threats that countries and corporations need to brace themselves for in 2017 and beyond.
Internal threats will increase - James Maude, senior security engineer at Avecto
As organizations adopt more effective strategies to defeat malware, attackers will shift their approach and start to use legitimate credentials and software - think physical insiders, credential theft, man-in-the-app. The increased targeting of social media and personal email bypasses many network defenses, like email scans and URL filters. The most dangerous aspect is how attackers manipulate victims with offers or threats that they would not want to present to an employer, like employment offers or illicit content. Defenders will begin to appreciate that inconsistent user behaviors are the most effective way to differentiate malware and insider threats from safe and acceptable content.
A big part of the challenge with cyberattacks is how businesses think threats can be filtered at the perimeter. Be warned that this is not the case. Attackers are aware of how to directly target users and endpoints using social engineering. The industry needs to be more proactive in thinking about how to reduce the attack surface, as opposed to chasing known threats and detecting millions of unknown threats. With an increasingly mobile workforce and threats coming through both personal and business devices and services, the impact of perimeter defenses has decreased. Security needs to be built from the endpoint outwards.
Business security spending will increase - Ed Solis, Director of Strategy & Business Development at CommScope
Security is part of every business and IT discussion these days and it will only become more intense in 2017. We see an increase in the demand for video for surveillance, both for government and private businesses. This issue includes physical security—securing the building, people, and assets—as well as network and data security... In 2017, security conversations will continue to intensify around not only securing data and networks but physical security as well-think buildings, people, and assets. We also expect to see an increased demand for video surveillance across the public sector and private business.
Security will no longer be an afterthought - Signal Sciences' Co-Founder & Chief Security Officer, Zane Lackey
2017 will be a critical year for security, starting with how it's built into technology. DevOps and security will change the way they work together as they realize the need to integrate with each other in order to survive. With IoT on the rise, security will continue to be the primary obstacle preventing consumers from fully welcoming connected devices into their homes and lifestyles. Consumers and businesses are getting smarter and security vendors will be held more accountable in keeping them safe.
From: Securitybrief NZ by: Kane Lightowler http://bit.ly/2hplRiD
The ineffectiveness of traditional antivirus (AV), which catches less than half of noteworthy malicious events, is causing untold damage to organisations worldwide. The harm is unnecessary, as next-generation antivirus (NGAV), the natural evolution of AV, will protect computers from the full spectrum of modern cyber attacks.
So let us re-think endpoint defences and provide a checklist of items to consider while making the decision to transition to NGAV.
Traditional antivirus was designed and built before the cybercrime explosion and before tools and techniques began changing at their current speed. Modern attacks often leverage built-in tools and scripts, a marked departure from the days when attacks were almost always malicious binaries.
Beyond considering the kinds of attacks, organisations need the ability to protect themselves quickly rather than waiting for their vendor to push out signatures, hoping that the endpoints receive an update before that malicious email lands in employees’ inboxes.
To reduce cyber risk, IT needs an endpoint-security approach that goes beyond malware and incorporates next-generation features that target the tactics, techniques and procedures frequently used by both mass scale opportunistic attackers and advanced threats specifically targeting an organisation.
The following checklist will help IT to assess the capabilities of a current antivirus solution and provide guidance for migrating to a more mature posture. While an organisation might have unique requirements or constraints, the list will ease their shift to next-generation anti-virus.
#1 Full range of protection
Modern attackers generate malware faster than traditional AV stops it. They are mastering techniques that don’t even require malware. An endpoint security solution should protect against all attacks, not just threats that involve running a malicious executable. Beyond the initial execution blocks, there should be strong protection against particularly useful adversarial techniques like thread injection and RAM scraping.
In evaluating an NGAV solution, make sure it protects against:
- Known malware and variants including malware-based ransomware
- Obfuscated, evasive or previously unknown malware
- Compromised (exploited) legitimate software (Flash, Silverlight, etc)
- Malicious scripts and interpreted code like PowerShell, Visual Basic, Perl, Python, Java
- Memory-resident and file-less attacks
- Document-based attacks (PDFs and macros)
- Remote login attacks and the malicious use of valid software (living off the land).
#2 Extensible cloud security intelligence and analytics
As attackers evolve and adapt their tactics and techniques, organisations need to employ new analytic capabilities and attack intelligence to properly defend themselves – without having to redeploy security infrastructure. An NGAV should feature:
- A cloud backend for high-powered analysis and the application of vendor intelligence
- Multiple inspection engines that focus on reputation, behaviour, and event relationships
- Configurable detection sensitivities to prioritize important events and reduce unnecessary alerting
- Open and extensible threat feeds for third-party attack intelligence and for leveraging security investments already made
- Community-based intelligence sharing and the network effect of benefiting from attacks other users witness.
#3 Visibility and context into attack and detection events
After an attack attempt, IT needs to understand what happened so they can contain and control the situation, prevent further damage and improve the overall security posture. The right context helps to do all that quickly and easily. If each attack doesn’t make for stronger defence, we recommend a reconsideration of IT’s approach. An NGAV solution should provide:
- Insight into how the threat started, even before it was detected (root cause)
- Visibility into where else in the organisation this threat might exist (scope)
- Guidance on what’s needed to recover and how to close gaps (education and maturity)
- Data sharing within the ecosystem (SIEM, etc) (integration and automation).
#4 Integrated rapid-response
Not every attack can be prevented. Skilled attackers can use stolen credentials and native system tools such as PowerShell to infiltrate a machine without using malware. These attacks can still be detected, and when they are IT needs to be able to respond quickly.
An NGAV solution should make it easy to: delete malware or temporary files across the organisation; stop network activity for a specific process; quarantine a system and isolate it from the network; and blacklist files from executing anywhere in the environment.
#5 Lightweight operations
We have all experienced antivirus grinding our computer to a halt while it scans the drive. Thankfully, those days are gone. Next-generation antivirus should be lightweight on the system and easy to administer so it doesn’t slow users down.
#6 A platform that grows with assets, users, systems and teams
Different assets require different strategies for protection. Servers, for example, don’t change often and have highly restrictive protection policies. Meanwhile, developers need more flexibility. A solution should adapt to the organisation’s needs and be part of a platform that provides a growth path to a better security posture over time.
An NGAV should be part of a platform that provides: group-based policy that applies different security strategies to different systems; an upgrade path to advanced incident response and threat hunting for SOCs and IR teams; an upgrade path to default-deny and lockdown policies for sensitive or high-risk systems; and an upgrade path to app control, device control, and file integrity monitoring for servers and critical systems.
From: CSO online by: Ryan Francis http://bit.ly/2hbw029
Like any other threat analyst, Marc Laliberte has an email inbox that fills up minute by minute, and some of what arrives has made its way past the spam filter. The WatchGuard employee decided to finally act upon one particular phishing attempt in hopes of teaching the bad guys a lesson.
Spear phishing is a type of phishing attack in which the perpetrator customizes their attack to a particular individual or group of individuals. The attacker gathers information on the victim and then tailors the attack to be more likely to fool the target. The would-be attack arrived as an email appearing to come from a WatchGuard finance employee’s manager, requesting an urgent wire transfer.
Thanks to proper security awareness training, the finance employee recognized that the email’s blatant disregard for the official chain of command and finance protocols was suspicious and alerted the proper personnel.
In most cases, companies don't have the time or resources to follow the bread crumbs back to the perpetrator. But in this case Laliberte set out to learn as much as he could by playing along with the attacker. He responded to the first email and the attacker replied, asking “the finance employee” to contact them via text to a phone number the attacker claimed was the manager’s personal line.
The email’s source address was a seemingly random seven-digit number at gmail.com. The attacker didn’t try to spoof the message to make it appear to come from a WatchGuard account. Instead, the attacker relied on the message’s “From:” header to fool the target. Most mail clients use the “From:” header to display who a message came from, and often the client only shows a sender’s first and last name. In this phishing email, the “From:” header showed the WatchGuard manager’s first and last name, which might convince uninformed employees that the message really did come from that manager.
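The display-name trick described above can be caught with a simple mail-gateway heuristic. The following is an added example, not code from the article or from WatchGuard: it flags a "From:" header whose display name matches a known employee while the sending address is outside the organisation's domain. The internal domain, employee directory and sample headers are all constructed for the example.

```python
# Added example (not from the article): flag display-name impersonation in a
# "From:" header. The directory, domain and sample headers are constructed.
from email.utils import parseaddr

# Assumed internal domain and a constructed directory of employee display names
# (keys are normalised to lower case, see normalize_name below).
INTERNAL_DOMAIN = "example.com"
EMPLOYEE_DIRECTORY = {
    "jane manager": "jane.manager@example.com",
}


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'Jane  MANAGER' matches 'Jane Manager'."""
    return " ".join(name.split()).lower()


def check_from_header(from_header: str) -> dict:
    """Parse a From: header and report whether it looks like impersonation.

    Heuristic: the display name matches a known employee, but the address
    domain is not the internal domain (e.g. a random-digit gmail.com account).
    """
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    result = {
        "display_name": display_name,
        "address": address,
        "suspicious": False,
        "reason": "",
    }
    known_employee = normalize_name(display_name) in EMPLOYEE_DIRECTORY
    if known_employee and domain != INTERNAL_DOMAIN:
        result["suspicious"] = True
        result["reason"] = (
            f"display name matches employee {display_name!r} but sender "
            f"domain is {domain or '(none)'!r}, not {INTERNAL_DOMAIN!r}"
        )
    return result


if __name__ == "__main__":
    # Constructed headers; the first mimics the pattern in the story
    # (a manager's name on a random-digit gmail.com address).
    samples = [
        '"Jane Manager" <4815162@gmail.com>',
        '"Jane Manager" <jane.manager@example.com>',
        '"Newsletter" <news@vendor.example>',
    ]
    for hdr in samples:
        verdict = check_from_header(hdr)
        print(hdr, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok")
```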
Laliberte did some digging and found that the phone number provided by the attacker was registered as a landline through Level 3 Communications with an area code matching Jacksonville, Fla. He suspected that the attacker probably was never physically located in Jacksonville; instead, he likely used a forwarding service to send and receive text messages through this number. Attackers commonly leverage the global nature of internet and telephony services to hide the true location of their attacks.
Laliberte texted the attacker using a disposable phone number. A day later, the attacker replied and quickly got to the point, requesting an urgent fund transfer as payment for a shipment of WatchGuard Fireboxes arriving the following week. He kept the attacker on the hook by implying that a money transfer was possible and asked for further details.
The attacker asked for a wire transfer of $20,000 to a man he claimed was in New York. Some quick research revealed that there were no fraud references related to the provided name. The attacker also sent account and routing numbers for the wire transfer itself. While providing bank account details adds legitimacy to transactions, it also increases the authorities’ ability to track payments in fraud investigations, making it risky for attackers to do. It appeared that the account details provided likely belonged to a compromised account that the attacker could quickly transfer money out of.
At this point, Laliberte had gathered all of the information the attacker would voluntarily share, but still had no clear picture of where he was located. However, the attacker did expect a wire transfer confirmation message. He masked the IP address (as seen below) of a honeypot server behind a URL-shortener and sent it to the attacker disguised as a confirmation link.
220.127.116.11 - - [22/Apr/2016:22:25:06 +0000] "GET /verify HTTP/1.1" 404 194 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"
When the attacker visited the link, it redirected him to the honeypot server where Laliberte logged his source IP and browser User-Agent data. The attacker’s source IP was registered to Airtel Networks Limited, a mobile telco out of Nigeria. The User-Agent data told Laliberte that the attacker was connected to the honeypot using an iPhone running iOS 9.3.1. This confirmed the hypothesis that the attacker was using a forwarding service to receive text messages through the Jacksonville phone number.
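The honeypot line quoted above is a standard web-server "combined" access-log record. As an added example (not code from the article or from WatchGuard), the following parses that record into its fields and pulls out the two facts the investigation relied on: the client IP and the iOS version embedded in the User-Agent. Only the log line itself comes from the article; the parser and its helper names are the example's own.

```python
# Added example (not from the article): parse a combined-format access-log
# line and extract the client IP and the iOS version from the User-Agent.
import re
from datetime import datetime
from typing import Optional

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# "CPU iPhone OS 9_3_1 like Mac OS X" (iPhone) or "CPU OS 9_3_1 ..." (iPad)
IOS_VERSION = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")


def parse_combined_log(line: str) -> dict:
    """Return the log fields as a dict; raise ValueError on a malformed line."""
    m = COMBINED_LOG.match(line.strip())
    if not m:
        raise ValueError(f"not a combined-format log line: {line!r}")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ios_version(user_agent: str) -> Optional[str]:
    """Extract the iOS version from a Safari/WebKit User-Agent, or None."""
    m = IOS_VERSION.search(user_agent)
    return m.group(1).replace("_", ".") if m else None


def summarize_hit(line: str) -> dict:
    """The facts the investigator wanted: who connected, and from what device."""
    rec = parse_combined_log(line)
    return {
        "ip": rec["ip"],
        "path": rec["path"],
        "status": rec["status"],
        "ios_version": ios_version(rec["ua"]),
    }


# The line logged by the honeypot, as quoted in the article.
HONEYPOT_LINE = (
    '220.127.116.11 - - [22/Apr/2016:22:25:06 +0000] "GET /verify HTTP/1.1" '
    '404 194 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) '
    'AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 '
    'Safari/601.1"'
)

if __name__ == "__main__":
    print(summarize_hit(HONEYPOT_LINE))
```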
Though the attacker was in Nigeria, he used a bank account (TD Bank) that required a permanent US address, meaning the account was either compromised or the attacker had an accomplice in the US (often called a mule) who could retrieve any transferred money. Laliberte contacted TD Bank to allow them to begin an investigation on attempted fraud by someone with access to the provided account.
This spear phishing attempt makes it clear just how big of a problem these attacks are today. No spear phishing protection is perfect. Even with technological solutions like DMARC or S/MIME, phishing messages will still slip through and reach employees, he said. It is critical that IT professionals train their users on how to spot and report attempted phishing attacks. With the growth of spear phishing, organizations need to update their training programs to help employees learn how to spot these more convincing, targeted email scams.
From: Dark Reading by: Kelly Sheridan
New data analyzing SEC disclosures found 83% of publicly traded companies worry most about the risk of brand damage via hacks exposing customer or employee information.
Public businesses fear the possibility of losing customers’ or employees’ personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks, a new study published by the International Association of Privacy Professionals (IAPP) found.
The IAPP Westin Research Center studied US Securities and Exchange Commission (SEC) Form 10-K disclosure statements from more than 100 publicly traded companies. The forms are where businesses share risk factors that could prove concerning to investors.
The chief privacy officers, chief legal counsel, and other experts in privacy and privacy law on IAPP's research advisory board were struggling to quantify privacy risk for their companies and clients. IAPP decided to study this via the SEC disclosures, according to IAPP research director Rita Heimes.
"It's tough to come up with a value for privacy risk," she explains. "We decided to determine whether companies think [privacy] is a risk to the bottom line, and provide more definition that way."
Among the companies that disclosed privacy risk, 83% cited reputational harm as the top digital risk factor. This surpassed civil litigation (60%), regulatory enforcement (51%), and remediation (50%). Less than half (43%) cited the risk of failing to comply with privacy laws and regulations.
Brand damage causes more immediate damage than lawsuits, which can drag on for long periods of time.
"Trust is the biggest threat because it applies to both the employee and the customer, depending on whose data is being misused or exposed," Heimes says. "Once that trust factor is undermined, it can have a ripple effect, leading to financial harm, embarrassment, or drop in employee retention."
Another risk factor is loss of corporate resources, Heimes continues. Anytime someone mishandles personal data, it takes a lot of time away from business operations and as a result, employees have to work on planning recovery and preventing future incidents.
One in five companies warns investors that if it becomes the victim of a data breach, the liability could exceed insurance coverage. The same share say an attack could distract management, and other employees, from their core business responsibilities.
The fear of privacy risk varies across industries, says Heimes. Businesses offering products known for being secure, like software, operating systems or cloud services, run a tremendous risk if personal information is lost.
"If their products are vulnerable to attack and data can be easily mishandled, that makes the product or service inherently less valuable," she explains. "We perceived technology companies and social media platforms as being far more likely to write elaborate, sophisticated, and knowledgeable privacy disclosures" compared with organizations like energy companies, which are more concerned with system failure.
Heimes says she was surprised there wasn't greater unease about the role of vendors and other third parties in using PII. Less than half (47%) of respondents were concerned about information mishandling by business partners, vendors, and other organizations.
"There was less mention of third parties disclosing data than I think is reflective of reality," she notes. "This is significant and many companies have begun to step up paying attention to how vendors handle their data."
That is likely to change over time, however, she notes.
There are steps businesses can take to mitigate the risk of information loss, she says. It's not enough to simply buy software tools; the human factor is most important.
Investing in people and helping them understand privacy best practices can prevent the misuse of PII. The workers who collect, store, and make decisions about how to handle user data need to be aware of privacy issues and make informed choices, Heimes says.
Ever wonder how much malware is being detected daily? In 2016, that number is 323,000 as detected by Kaspersky Lab.
This is an increase of 13,000 from the amount in 2015, and a significant jump from the 70,000 files per day identified in 2011.
“We determined this year’s malware growth was mostly caused by a huge increase in the number of downloaders distributed via email,” said Vyacheslav Zakorzhevsky, head of the anti-malware team at Kaspersky Lab. “In most cases these downloaders deliver ransomware on the attacked machines. In 2016, the number of these malicious programs was 3.6 times bigger than in 2015—the result of a cybercriminal’s efforts to hide malware from detection by security solutions. In addition, our constantly improving machine-learning technologies allow us to detect and discover even unknown threats.”
Woburn, MA – December 6, 2016 – According to Kaspersky Lab, the number of new malware files detected by its products in 2016 increased to 323,000 per day.
The Kaspersky Lab cloud malware database includes discoveries by Astraea—a machine-learning based malware analysis system working inside the Kaspersky Lab infrastructure. Over a fifth of the malicious objects included in the cloud database were discovered and identified as malicious by Astraea. The database now carries a billion malicious objects, including viruses, Trojans, backdoors, ransomware and advertisement applications and their components.
The percentage of malware discovered and added automatically to the Kaspersky Lab cloud database by Astraea has been growing steadily over the last five years: from 7.53 percent in 2012, to 40.5 percent in December 2016. The proportion is growing in line with the number of new malicious files discovered daily by Kaspersky Lab experts and detection systems. This has increased from 70,000 files per day in 2011 to 323,000 per day in 2016.
“One billion unique malicious files is a remarkable milestone. It shows the scale of the cyber-criminal underground, which has developed from several small forums offering customized malicious tools, to the mass production of malware and tailored cyber-criminal services,” said Zakorzhevsky. “It also highlights the quality and evolution of our automated malware analysis technologies. Out of these billion files, more than 200 million have been added by the Astraea machine-learning system. Our advanced systems now not only detect the vast majority of known malware we get on a daily basis, but also discover unknown threats. Although the remaining 800 million files have been added by other internal detection systems, or by experts, the contribution to the Kaspersky Lab cloud database by machine-learning systems is substantial and will continue to grow.”