The world of cybersecurity is an ever-changing one of constant preemptive preparation, where companies are forced to hunt for any kinks in their defenses to ensure that they’re as protected as possible. Working as an ethical hacker allows information technology graduates to come into the job market and aid companies in finding those kinks so that they can remain safe in a world of increasing cybercrime. As the world of cybersecurity grows more linked with everyday life, it’s important to know what awaits those entering this job market.
Ethical hacking is a skilled trade, reserved for those that know their way around design and programming. The average salary for ethical hacking offers a wide range - between $24,760 and $132,322. There are also many freelancing opportunities for one-time or part time positions, which can offer multiple opportunities and flexible pay. For graduates looking to deal with school loans or simply wishing to jumpstart their finances, the high ceiling of earning averages provides an excellent opportunity
Ethical hacking is one of the swiftest growing areas for information technology graduates, if for no other reason than for demand. The increasingly connected internet of things is forcing companies to have a powerful online presence, which then needs to be defended. As more and more companies become connected to the internet, the need for ethical hackers to test their defenses increases as well.
Graduates are likely to have been focusing on one or two subjects while going through their collegiate career. Ethical hacking provides an excellent way to diversify the skills one has learned, as well as providing opportunities to grow in acclaim. Many ethical hacking positions may require brief training courses that will end with the ethical hacker being rewarded with certification and verification of skills. While often optional, this is highly recommended, as certified ethical hacking professionals earn significantly more than their non-certified peers.
Ultimately, many experts believe ethical hacking to be one of the most prominent fields of information security analysis in the future. Ethical hac
As technological solutions to cybercrime become increasingly advanced, able to preempt attacks and weed out vulnerabilities before they’re widely known, attackers also become more adept at cloaking their presence and concealing their intent.
The targets of attacks also change with the times. Hacking websites and bank accounts is old-hat, some of the most threatening dangers to the most modernized companies and even citizens are those that target technology that doesn’t yet have the robust security systems, or even standards, in place.
It’s sad, but well known that the average consumer doesn’t spend a lot of time worrying about whether the firmware on their IoT devices is up-to-date, leaving millions of devices around the world critically vulnerable to attack. However, you would be forgiven for assuming that companies implementing centralized control of a building’s life support functions such as HVAC, fire security, doors and windows, etc. along with more convenience focused building automation systems, would prioritize cyber security. This is not always the case, and can lead to a potentially disastrous situation for the homes and organizations that implement Building Automation Systems (BAS) and the companies that manufacture, install, and maintain them.
Siegeware and BAS attacks
When attackers combine ransomware with BAS vulnerabilities, we get Siegeware. The attacker takes control of a building and shuts down critical operations such as heating, cooling, alarm systems, and even physical access, and will only rescind control once a ransom has been paid.
Gaining access to the BAS means the attacker becomes the digital overlord of the building. By controlling the automated system that governs the functionality of the building, they control the building itself. They can turn off ventilation, heating, fire suppression systems, and potentially extend influence to other digital functionality of the building.
The hacker can access seven systems remotely once he hijacks the BAS:
Lighting control systems
Fire detection and alarm systems
Automated fire suppression systems
Integrated security and access control systems
Heating, ventilation, and Air conditioning
Power management and assurance systems
Command and control systems
The consequences of losing control of these systems may range from discomfort to potentially life-threatening situations.
An emerging threat
Siegeware is quickly becoming one of the most dangerous and effective methods of cyber-attack. Many companies have already fallen victim to these attacks, and those that haven’t given in to the ransom demands have faced highly disrupted operations as a result.
BAS allows a single command center to control and automate all connected systems in a building so that a high level of comfort can be achieved efficiently. But vulnerabilities exist in any connected system, and when the network is compromised the prospect of physical danger becomes very real.
With increasing numbers of organizations adopting BAS infrastructures, the number of potential targets rises, along with the time spent by attackers searching for as-yet unknown vulnerabilities. To make things worse, many of these buildings are connected to the internet where anyone with the correct username and password can access it. As of February 2019, there were 35,000 BAS systems connected to the public internet globally, and it’s highly likely that many of these are using defaul
Keeping an organization’s IT assets secure in this day and age is a challenge. The sands of the information security landscape are constantly shifting, and it can be difficult for practitioners to find solid footing; to identify those initiatives that will net the greatest return on security spend. Each day seems to bring another emerging concern in the threat landscape. The organization itself often seems to work against us, wanting to expand our already too-broad attack surface by embracing new technologies, connecting with partners, or acquiring other businesses entirely.
In such a climate it can be easy to allow our attention to be drawn to the expanding edge or our environment and the newest threats to be found there. Advanced Persistent Threats (APT), supply chain risks, and cloud/container platform issues, to name a few, are more recent additions to our list of concerns. And let’s be honest, as technologists we are drawn to the new, the novel, the esoteric – because it is interesting. While there are real risks to be addressed here, they may not represent the greatest area of exposure for your users and information assets or the best ROI.
Over the past four years of performing research for monthly threat briefings there are three themes that constantly arise which, if mastered, can greatly reduce the information security risk to the enterprise. These are:
Keep systems and software components up to date. This includes regular patching as well as upgrading platforms when they are no longer supported. Two key components of a success patching program are making sure that all devices in the environment are (1) identified and (2) under management.
Enforce the principle of least privilege. User accounts, applications, service accounts and network resource permissions must all be taken into account and kept up to date. The use of segmentation and micro-segmentation strategies are an excellent additional layer of control to apply.
Constantly train users on security culture and safe computing practices. User training and awareness cannot be limited to phishing emails or social engineering alone. Topics should include physical security related issues (locking doors, desks, and cabinets), challenging strangers for credentials when appropriate, responsible data distribution practices and how to report suspected oversights. Ultimately this must be a paradigm shift; an exercise in building an organizational culture that emphasizes security and the priority of reporting suspected indicators of incidents in a consequence-free climate.
Often, the root cause of a security incident can be traced back to failures associated with one or more of these three points rather than some fringe security exposure. Environments are dynamic, and it is unlikely we can ever be certain that we have 100% coverage for any security practice or solution we put in place; especially over time. As a result, when asked by customers what they should be focusing on, I always recommend they consider these practices critical, foundational elements of their security program and work to validate and improve upon the effectiveness of these capabilities on an ongoing basis.
The truth is that such core security practices not particularly interesting and focusing on the fringe of the threat landscape is far more appealing. The idea that we are on the front lines, in a fight again
They say that bad things always come in threes. The adage may testify to little but the popularity of superstition, but for security executives today, this notion regrettably passes muster. Crime, complexity and cost are three foes that every CISO must face, and while most companies think crime is the enemy, in many cases it is the latter two heads of this “cyber-cerberus” that deliver the most certain bite.
Here’s why: There’s not much we can do to wish cyber criminals away. The rising tide of threat actors will continue as the world goes digital, and we will need to be vigilant. But as an industry, there are things we can do to control complexity (and in turn cost), and it’s time that we start working together to reduce their impact. How do we do that? Well, let’s take a closer look at these three components.
Everyone knows about enemy number one: crime
Unless you have been living under a rock for decades, you know that cyber crime is one of the world’s largest problems. We’ve read statistics on breaches and seen countless companies in the headlines. Undetected attacks increase the numbers even more. IoT botnets, state-sponsored attacks, machine-learning malware, and the rise of ransomware make CISOs agree that cybercrime is undergoing a vigorous evolution. Sadly, crime has been with us since the dawn of civilization and is not going away anytime soon. This enemy is a constant.
Which brings us to a hidden enemy - complexity
With so many barbarians at the gate, protection, detection and response has become ensnared in a painfully involuted multiplicity of requirements and solutions. Cyber security practitioner groups suggest 14-18 controls to get started. SANS defines 20 security measures as “critical.” Fortune 500 firms typically engage 50+ security vendors. One global bank cited 170+ vendors at the Blackhat security conference last year. Plus, there are at least 32 government and industry bodies dedicated to cyber regulations.
There are well over 1000 individual security solutions in the market for CISOs to consider, and dozens one must review for any particular purchase. Vendor research, trial periods, internal reviews and integration requirements grow exponentially as products are added.
Even when you finally determine the products you need, they must be tuned, serviced and regularly upgraded by skilled engineers. There are so many individual challenges to integration of security solutions that I couldn't list them all here. And the cycle of new products, responding to new threats—it never ends. All of this complexity leads to the biggest enemy that we need to focus on.
Our most insidious enemy is, of course, cost
It’s important for CISOs to remember that their company is not in the business of cyber security—they make airplanes, design toasters, perform financial services or focus on something else, unrelated to security. I have never met a single business executive who preferred to divert resources from the core business to spend more on security...not one. The CISO who achieves results at lower cost and restores money to the core business will be recognized as a true partner in the business and be rewarded with a bigger seat at the table.
Today, adequately responding to the threat ecosystem costs hundreds of thousands of dollars annually for the typical company, and many millions for large enterprises. Monitoring and maintaining defenses requires specialized engineering roles that come with six-figure salaries, if you can even find the talent.
Hello again to another weekly security roundup. This week, I have a slightly different spin on the roundup in that the net has been slightly widened to include broader technology topics from more than just this last week. However, all of the articles were written by ladies. With that, let’s dive straight in.
A beginner's guide to test automation
If you’re new to automated testing, you’re probably starting off with a lot of questions: How do I know which tests to automate? Why is automated testing useful for me and my team? How do I choose a tool or framework? The options for automated testing are wide open, and you may feel overwhelmed.
If so, this is a great article on how to get started.
When I’m faced with something to test – be it a feature in a software application or a collection of features in a release, my general preference is weighted strongly towards exploratory testing. When someone who doesn’t know a great deal about testing wants me or my team to do testing for them, I would love to educate them on why exploratory testing could be a strong part of the test strategy.
Strengthen your security posture: start with a cybersecurity framework
The 2017 Equifax data breach is expected to break all previous records for data breach costs, with Larry Ponemon, chairman of the Ponemon Institute, estimating the final cost to be more than $600 million.
Even non-enterprise-level organizations suffer severe consequences for data breaches. According to the National Cyber Security Alliance, mid-market companies pay more than $1 million in post-attack mitigation, and the average cost of a data breach to an SMB is $117,000 per incident. While estimates vary, approximately 60% of businesses who suffer a breach are forced to shut down business within 6 months.
My last blog on DNS cache poisoning only covered the superficial aspects of this long-standing issue. This installment aims to give a bit more technical detail, and expose some of the tactics used by the "bad-actors" looking to leverage a poisoned DNS cache against you and your network. In a worst-case scenario, the results of a poisoned DNS cache could lead to more than just a headache: civil liability, phishing, increased DNS overhead, and other kinds of nightmares are too easy to overlook with this type of 'attack'.
So, you may be wondering, "What exactly makes a DNS cache poisoning attack so dangerous, and what can we do to prevent it?" Well, as outlined in my first article, not answering DNS requests on the web is a great place to start. If you're only running an internal DNS infrastructure, your attack-surface is much lower. However, this comes with a caveat; "internal-only" DNS attacks are much harder to detect, and can often go weeks or months before even the keenest of sysops recognize them. This has to do with the fundamental structure of DNS. Let me explain.
Fundamental structure of DNS
In a typical DNS server (e.g. Windows DNS, or BIND) there is little mechanism (e.g. NONE) to provide any sanity checking. In its simplest form, a DNS query will look to its local database (the 'cache') first, upon finding no answer for the request it will then send a lookup request to its configured DNS server (the one you hopefully manage) and see if it can find an answer for the request.
If this lookup fails a 2nd time, there is a 'forwarder' configuration that kicks in, and the request goes to a list of pre-specified DNS hosts that your server will send the request to, looking for a resolution to the name. If this final 'forward' lookup fails, the final lookup happens out on the internet, on one of the 'Root' nameservers that share a distributed list of all the DNS hosts that make up the TCP/IPv4 internet. If this final lookup fails, the original requesting client is returned with a 'DNS Name not found' answer, and the name will not resolve. At any point during this journey, a "faked" response can be issued, and the initiator will accept it. No questions asked.
Problems with the model
This model is good when we can trust each one of the segments in the process. However, even during the early days of the web - there were some issues that became apparent with the way DNS works. For example, what if the root servers are unavailable? Unless your local DNS server has a record of ALL of the domains on the web, or one of your 'forwarders' does - the DNS name will not resolve. Even if it is a valid domain, DNS will simply not be able to lookup your host.
There was an "attack" on several of the root servers in the late 1990's. Several of the root servers were knocked offline, effectively taking down the internet for a large portion of the USA. It was during this outage that many network operators realized a large oversight of the DNS system, and a push was made to distribute control of these systems to a variety of trustworthy and capable internet entities. At the time of this attack, much of the internet name resolution duties fell to a single entity: Yahoo. A DDoS of Yahoo effectively killed the internet. Sure, we could still get to our desired hosts via IP, but e-mail, for example, was not as resilient. It was a great learning lesson for the web community at-large.
This was just a denial-of-service at the highest level of the infrastructure. What would happen if the localized database on every computer in your organization had different "answers" for DNS lookups? Instead of consistent
Do you docker? Without a doubt, containers are one of the hottest concepts in application delivery and security these days. And that’s a very good thing. Containers have tremendous advantages over the way we have done things in the past. But how should containers influence a threat detection and response strategy? Do I need a larger “container security” strategy to get started deploying my apps using container architectures?
The short answer to these questions is “No.” But let’s explore that a bit more.
What is a container?
A container is an evolution of virtualization. Traditionally, virtualization requires entire “guest operating systems” to be deployed on a hypervisor or host operating system. This was an amazing breakthrough as it blew up the traditional relationship between hardware and operating systems, enabling the deployment of different application building blocks in different VMs on the same or different hardware. Thus it created new ways to build and scale applications. This transition changed how we think about compute resources, moving us from “pets” to “cattle”. Yet each VM carried along with it an entire operating system worth of overhead.
Containers fix this problem by virtualizing only the application and all the associated dependencies it has (shared libraries, file systems, etc.), allowing many more containers to ride on a single operating system. This makes them much, much more efficient. They also have the advantage of being portable across operating systems; they are truly platform agnostic.
Docker security and Kubernetes security are simply the most well known
There are many kinds of containers, Docker is only the most popular. In addition to the containers themselves, most deployments benefit from orchestration and management tools. Kubernetes is the most well-known of these, and Swarm and Mesos are others. These tools handle all aspects of the container lifecycle, helping build consistent container images, deploy them into production, monitor their performance, and decommission them when the time comes.
Easier, safer: benefits of containers, as they relate to security
The isolation provided by containers enables us to better scale and modularize our applications into smaller pieces. But what does it do for our security? LOTS! But containers don’t fundamentally change anything we need to do in the threat detection and response area.
Containers make it extremely easy to reduce our attack surface area. In fact, Docker containers use a “Docker file” that defines many things, including what IPs, ports, and protocols the container can use for communication. Because containers are intended to be used for modular workloads, it isn’t difficult to determine what these ports and protocols should be, making it simple to realize the idea of providing only essential access while keeping things simple
Another key security advantage of containers is, of course, the isolation they provide. If the application inside your container falls victim to an attack, the attacker will find themselves in a very restricted area with only a small part of the application code and user data present. In fact, management connectivity via SSH and the like is often unnecessary in containers, making them even harder to access remotely. Of course, lateral movement or privilege escalation may be possible when vulnerabilities are present. But even if containers are compromised, they have huge advantages. Because they are designed to be ephemerial, remediation of an infected container can be as simple as blowing it
Hello again, back to your regularly scheduled weekly security news, views, and opinions roundup.
So without further ado, let’s jump straight into it.
Pwned GPS eatches
A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches open to attackers.
The culprit, a common backend API between watches and other devices which allowed attackers to eavesdrop and track users wearing the watches.
Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.
In your average hotel key card is a chip that contains nothing more than a tiny little radio wave processor and a small amount of data storage – around 1KB. Nothing else. Not even a battery. But when it comes into contact with a reader (on your hotel room door), the chip pulls just the amount of power it needs to spring to life, telling the door to unlock. This is basic Radio Frequency Identification technology (RFID) and it’s been around for a long time. And although it’s certainly evolved - some cards are more secure than others - RFID fundamentally remains unchanged since it first came into use in 1983.
Your reputation is one of the most powerful assets you can have as a successful businessperson. Having a reputation for honesty and quality can be the key to locking down major clients or building a standing in a fledgling market. Alternatively, having a poor reputation can be detrimental to the point of completely running you out of business.
In this day and age, online reputation management is a critical component to building and growing a successful business. People will analyze how a business is described online just as often (if not more than) as they will in more traditional ways, such as word of mouth. Strong business reviews and a solid online reputation can be a substantial driver for business.
Taking steps to manage and promote your personal and business reputation is now an important component to success. Especially when it comes to web domains, management of things such as search results and reviews is a game changer. Below are things to look out for and be aware of as you assess your current reputation management efforts for your business:
For individuals working in the business world, the management of personal information online has the power to influence the types of jobs that will be attainable and the number of doors that will open up. This information can take many forms, including personal files, emails, and social media accounts. Basically anything that can help a stranger identify you could be considered personal information.
One problem that many young professionals run into is the oversharing of information or the lack of valuable privacy settings. Mismanagement of these things can lead to an excess of (potentially compromising) personal information being available to job interviewers, managers, or potential clients. Just imagine being a sales manager attempting to lock down a new client when a photo of you overly intoxicated and hugging a friend’s toilet emerges on one of your social media profiles.
Even bigger problems can arise if this information is either lost or stolen. For instance, malicious users could trash your reputation and personal credibility by becoming an active participant in unsavory blogs or online discussions. Regardless of whether or not you were actually involved, it could take a great deal of time to clean that up.
Many of the same issues have the potential to arise for businesses when managing their online reputation. In addition, things such as numerous negative online reviews or awkward search results can have a profound negative impact on a business. Many potential clients are significantly influenced by their initial review and Google searches of your business. If what they find is bad, your business could be in trouble.
Because of this, negative items, such as hubbub about a poor manager with many negative reviews that has since been fired, can come back to haunt businesses over the years. To help combat this, many large companies are hiring online reputation management services. These services can help to promote the positive aspects of your business and redirect internet traffic over time to represent a more balanced and realistic view of the company.
Working on monitoring things like incidents that impact IP addresses can help online reputation security professionals track and protect
Jaime Blasco and Chris Doman collaborated on this blog.
Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.
Alien Labs initially identified Xwo being served from a server serving a file named xwo.exe. Below are the initial technical findings of Xwo, while all associated indicators are in our Xwo OTX Pulse.
Xwo’s relation to MongoLock & XBash:
MongoLock is a ransomware that wipes MongoDB servers and demands a ransom paid to the attackers to recover their database. Both Xwo and MongoLock use similar Python-based code, command and control (“C2”) domain naming, and have an overlap in C2 infrastructure.
Unlike MongoLock, Xwo does not have any ransomware or exploitation capabilities, but rather sends stolen credentials and service access back to the C2 infrastructure.
The sample was created via PyInstaller and the original Python code can be easily recover using python_exe_unpack and uncompyle6. The python script of Xwo contains code copied from XBash:
Figure 1: Xwo code (left) copied from Xbash (right)
As of this report, it is unclear if Xwo relates with same adversary known as “Iron Group”, or if they have repurposed public code. Based on our research to date, a potential relationship may exist between Iron Cybercrime Group and Rocke. We are unable to assess the relationship with acceptable confidence as of this report.
Command and Control:
Following execution, Xwo first performs an HTTP POST request with a random User-Agent from a hardcoded list of choices, and then receives instructions from the C2 domain with an encoded public network range to scan:
Nothing gets the AppSec / InfoSec community abuzz quite like a good old 0-day vulnerability.
I mean, what’s not to love here? These vulnerabilities involve the thrill of adversaries knowing something we don’t, giving them a path to sail through our defenses to break into that sweet data inside. They are the James Bond of the security space — suave, sexy, and deadly.
However, once we get past the veneer of the 0-day mystique, we are quickly reminded that the far bigger threat to our software comes more from the known vulnerabilities that are floating around in public available for all to see and exploit.
Known security vulnerabilities: hidden in plain sight
While there are always going to be those exploits kicking around in the darker corners of the hackerverse and require an effective threat intelligence solution, the vast majority of vulnerabilities for both commercial and open source products end up on security advisories like the National Vulnerability Database (NVD), the popular U.S. government-backed database that analyzes reported software vulnerabilities (CVE’s).
For years now, we have been seeing a moderate yet steady climb in the number of software vulnerabilities (CVEs) being reported. However, the count for 2017 more than doubled the previous year’s number, spiking from 6,447 to 14,714 CVEs in the books. Hardly a fluke - 2018 recorded 16,555 vulnerabilities.
I have theorized on why we are seeing more of these vulnerabilities coming to light, due in part to bug bounties and corporate sponsorship for research into open source security efforts. Frankly, more money being thrown at the problem is helping to play a positive role in making software safer, but it only tells a part of the story.
Where do software security vulnerabilities go once they are discovered?
While the NVD is generally considered to be the authoritative listing for vulnerabilities and is where many security folk and developers go to search for known vulnerabilities, their details, and their fixes. Not all, but most known vulnerabilities can be found there, and that’s the good news.
The bad news is that the information pertaining to these vulnerabilities is spread out across multiple sources, making the job of keeping track of them considerably more difficult.
Not every vulnerability makes its way directly to the NVD through the standard CVE route. Vulnerabilities reach the CVE, another U.S.-government-backed organization run by the non-profit MITRE Corporation, through reports from security researchers, project maintainers, or companies in the case of commercial software.
When a vulnerability is discovered by a researcher, the common practice is to notify the vendor or project maintainer and then reach out to the CVE to reserve an identification number. Information about what has been found to be vulnerable and how to exploit it is withheld during a grace period, (typically 60-90 days) which is meant to allow the product/project’s team time to develop a fix for the vulnerability.
Vulnerabilities reported for commercial products like Microsoft’s Win
I search long and hard each week to find the best and most interesting security stories. These aren’t just news stories, but also interesting blogs and experiences people share.
One thing I’ve felt (I say feel because I don’t have scientific proof to back this up) is that fewer people are blogging regularly. Of those that do regularly blog, many have left their blogs and moved over to Medium - and I have nothing against Medium, I just don’t want my list to end up being just a bunch of Medium articles every week. The second thing is that a lot of people end up sharing their thoughts on a social media platform, such as a long post on LinkedIn or Facebook. Or worse still - they have a Twitter thread.
I could link to Twitter threads, but I feel these don’t accurately convey the message in the same way a blog does.
For example, Magen Wu has a great Twitter thread on career success. About how she feels she wasted time comparing herself to others and setting goals she wasn’t necessarily aligned to. With some good comments from others.
The question I guess I’m asking is that are social media platforms taking away from blogging, and given the short life span of tweets in particular, does it lessen knowledge sharing? Should I start a “Tweet threads I Hearted this week”. All are important questions.
While you ponder on that, here’s your regular dose of security things I hearted this week.
Creating an Android open source research device on Your PC
While this was written last August, I only just saw this article on creating a virtual Android device on a PC to conduct open source research.
This Spyware data leak is so bad we can't even tell you about it
A consumer spyware vendor left a lot of incredibly sensitive and private data, including intimate pictures and private call recordings, for all to see on a server freely accessible over the internet. And it still hasn’t taken the data down.
Last year, as in years prior, was a year full of cyber-attacks. But what was interesting was the trend of small and medium businesses being targeted more often. Generally, those types of businesses have either rested in the false impression that they’re not a big enough target or didn’t have plentiful valuable information hackers are seeking. The reality is the opposite and the stakes couldn’t be higher.
You’ve probably heard the phrase, “small businesses are the lifeblood of our economy.” A powerful word like lifeblood is defined as an indispensable factor that gives something its strength and vitality. That is to say, they are critical to the health of our national economy and prosperity. And as we’ve all seen on TV, in order to protect our own physical health, it’s important to “know your numbers” as the ad says.
Well, this should hold true for small businesses. We’re not talking about physical health, but something just as important, cyber health. But how many businesses are currently measuring their cyber health numbers? A better question to ask is how do you even do it? And what can you do with it? Is there a standard out there that’s recognized by industry peers and cyber insurers alike?
AT&T, a leader in world-class security solutions, has pondered these same questions and has come up with a solution to answer some of them. Cybersecurity Rating from AT&T, is exactly what the doctor ordered. This new solution, powered by BitSight, will equip small business owners with actionable data that can help protect data and assets, but also help you maintain a pulse on your own cyber health. And it’s perfect for business owners who don’t have large IT staffs, or who lack some of the technical expertise necessary to stay ahead of today’s evolving cyber-threat landscape.
Cybersecurity Rating helps an organization maintain an effective security posture by providing valuable insight into vulnerabilities with data collected by Bitsight over the last seven years. Cybersecurity Rating is non-intrusive and does not disrupt your network. Results are grouped into the following categories of risk vectors: compromised systems, diligence, user behavior, and data breaches. It helps a business owner answer the question of just how protected it is against cyber risk.
So, with these numbers in hand, as a business owner, you now have the ability to make data-driven, informed decisions about cyber risk mitigation, or cyber risk transfer through a cyber insurance policy. The cyber insurance market is rapidly expanding, especially in the small and medium business space, because it’s a relatively new concept, but also referring to the earlier point about perceived permeability. Cyber rating products like Cybersecurity Rating will become even more important as cyber insurers gather more cyber risk actuary data and develop more effective policies that address the unique threat landscape faced by small and medium businesses.
More cybersecurity help is on the horizon to help navigate these menacing cyber-attack waters. Proposed legislation like HR 1648, cyber-awareness training for employees, and comprehensive risk management products like Cybersecurity Rating can help to facilitate a deeper conversation about uncomfortable topics like cybersecurity, risk of data breaches, and cyber insurance.
It’s akin to going to the doctor’s office after the holidays, but since you have all of your data and you know your numbers, you’re really just seeking a recommendation for a good gym. It should be easy to find one tha
The Internet Weather Report is a look at what’s happening on the vast network AT&T oversees as evaluated by the AT&T CSO team. So on the 2/21/19 Internet Weather Report, for example, here was the situation overall:
Matt Keyser, Principle Technology Security, AT&T typically leads the discussion with a couple of guests for commentary. He covers the most probed ports and the most sources probing, ranking them and comparing them with the previous week. Then he dives into the interesting stories. For example, on the 2/21 episode, Matt drilled into the scans on port 8080, which looks to be exploiting a common bug in a couple of Netgear routers.
It’s a great resource for InfoSec practitioners and researchers alike! John Hogoboom. Lead - Technology Security, Security Platforms, and Stan Nurilov, Lead Member Of Technical Staff, Security Platforms, also present the Internet Weather in other episodes. To subscribe to watch the Internet Weather Report each week and other features, subscribe to the AT&T Tech Channel.
This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants.
As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving as partial stage1’s. Of these samples, there was one specific sample that stood out to me. A Gh0stRAT variant, this sample not only changed the Gh0stRAT header from “Gh0st” to “nbLGX”, it also hid its traffic with an encryption algorithm over the entire TCP segment, in addition to the standard Zlib compression on the Gh0stRAT data. Some key functionality is below:
Can download more malware
Cleans Event logs.
[Screenshot 1] Encrypted Login Packet sent by Gh0stRAT infected PC
In addition to a standard malware analysis blog post, I’d also like to take this time to document and describe my methods for analysis, in the hopes that you as a reader will use these techniques in the future.
Before we begin the analyses, I’d like to clarify on some of the terms used.
Stage1 - Typically the first contact or entry point for malware. This is the first part of the malware to arrive on a system.
SMB Malware - Any malware that uses the SMB protocol to spread. SMB is typically used for file sharing between printers and other computers, however in recent years malware authors have been able to leverage this protocol to remotely infect hosts.
RAT - Remote Access Trojan. This type of malware allows for the complete control of an infected computer.
Gh0stRAT - An open source RAT used primarily by Chinese actors. A more detailed analysis of the standard Gh0stRAT can be found here.
Despite being a Gh0stRAT sample, this variant is very different than your standard Gh0stRAT sample. One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates to a distribution server in order to download the stage1. Instead, dropped on my honeypot was a full exe that served as the dropper.
From my analyses, I was able to identify http://mdzz2019.noip[.]cn:19931 as its main C2 url. This is a dynamic DNS, meaning the actual IP changes quite frequently. Additionally, on that same url, http://mdzz2019.noip[.]cn:3654/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell.
RSA has come and gone, and things are settling down into a normal routine. I did write a post-RSA blog which covered the highlights and trends I observed.
Because of RSA and the subsequent week of getting through the backlog of emails and work, the news list has piled up with over 141 separate news items lined up in my list. But don’t worry, I’ll only share the ones I truly hearted.
Device and account security checklist
Bob Lord has put together a great resource to help people and companies better secure themselves and their organisations. Even if you’re a security expert, it’s worth checking out and sharing the checklist with friends and family.
On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network. The firm says in a statement that it has taken action to contain this incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CISO.
Actors have been launching phishing campaigns that abuse several brands of well-known real estate franchises with the intent of capturing targeted real estate agents' email credentials. While this type of targeting in the real estate sector is not new, this post highlights the in-depth tactics, techniques, and procedures (TTPs) used. The TTPs and imagery used in the PDF are used to lure people in. Credential harvesting websites can be used for situational awareness to defend against these attacks.
Pros-for-hire no better at writing secure code than compsci beginners
Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all.
Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration system didn't do so securely unless asked, and even then didn't always get it right.
Most folks who work with servers know the monthly drill:
Patches are released by manufacturers -> Patches are tested -> Patches are deployed to Production. What could possibly go wrong?
Anyone who has ever experienced the nail-biting joy of patching, and then awaiting a restart, knows exactly what could go wrong. Does anyone remember the really good old days when patches had to be manually staged prior to deployment? For those of you who entered the tech world after Windows NT was retired, consider yourself lucky!
If you think about it, most organizations that patch on a monthly basis are considered to have an aggressive patching strategy. As evidenced by the legendary Equifax breach, some organizations take months to apply patches. This is true even when the organization has been forewarned that the patch is a cure for a vulnerability that is being actively exploited, also known as a “Zero-day” vulnerability.
Patching is never a flawless operation. There is always one server that just seems to have problems. What is the first response when this happens? Blame the patch, of course! After all, what else could have changed on the server? Plenty, actually.
Sometimes, removal of the patch doesn’t fix the problem. I have seen the patch still held responsible for whatever has gone wrong with the server. I am not blindly defending the patch authors, as there have been too many epic blunders in patching for me to exhibit that kind of optimism and not laugh at myself. But what can we do to avoid the patch blame game?
The simple solution is to restart the servers before deploying patches. This is definitely an unorthodox approach, but it can certainly reduce troubleshooting time and “patch blame” when something goes wrong. If you restart a server, and it doesn’t restart properly, that indicates that an underlying problem exists prior to any patching concern.
This may seems like a waste of time, however, the alternative is usually more time consuming.
If you patch a server, and it fails at restart, the first amount of time you will waste is trying to find the offending patch, and then removing the patch. Then, upon the subsequent restart, the machine still fails. Now what?
Even if we scale this practice to 1000 servers, the time is still not wasted. If you are confident that your servers can withstand a simple restart, then restart them all. The odds are in your favor that most will restart without any problems. If less than 1% of them fail, then you can address the problems there before falsely chasing the failure as a patch problem.
Once all the servers restart normally, then, perform your normal patching, and feel free to blame the patch if the server fails after patching.
The same approach could also be applied to workstations in a corporate environment. Since most organizations do not engage automatic workstation patching on the corporate network, a pre-patch restart can be forced on workstations.
Patching has come a long way from the early days when the internet was young and no vulnerabilities existed (insert sardonic smile here). The rate of exploits and vulnerabilities have accelerated, requiring more immediate action towards protecting your networks. Since patches are not without flaws, one easy way to rule out patching as the source of a problem is to restart before patching.
The NIST Cybersecurity Framework (CSF) has only been around for four years and while developed for critical infrastructure, resulting from Executive Order 13636, it has been widely adopted across both private and public sectors and organizational sizes. It is used inside of the US government, with 20 states using it (at last count). In addition, international organizations such as the Italian government, as well as private sector organizations including technology and education are using the framework.
Why is this?
If there’s one overarching theme of the NIST CSF when it comes to implementation, it’s that there’s no one-size-fits-all solution. Your risk profile, regulatory requirements, and financial and time constraints are unique, and the NIST CSF allows each organization to take these factors into account when implementing the CSF. Moreover, implementation is not an all-or-nothing proposition. Without the restrictions of a formal compliance regulation to hold you back, you are free to implement the NIST framework in whatever way best fits your business needs. Once you establish your unique, current profile and target profile, you can use the gaps between them as a tool to help prioritize improvement actions, based upon your budget and resources.
The NIST CSF allows you to establish or build upon your foundation by identifying what needs to be protected, implementing safeguards, and detecting, responding to, and recovering from events and incidents. In the simplest terms, NIST CSF defines outcomes based upon your unique threats and risks, as well as how you manage risks within your organization:
Know what you have and what you are facing
The NIST CSF calls on organizations to identify your data and the devices that store, transmit, and process information. This means you must have an inventory of data, the devices, the applications, and the underlying infrastructure that process and store that data.
Now that you know what data you have, you can identify threats and vulnerabilities in the environment. This allows you to focus on protecting the ‘riskiest’ assets or what is most valuable to your organization.
Put protection measures in place
Once you know what you need to protect, put measures in place to safeguard that data. Taking the approach of "We have a firewall. Our data is protected" is long gone. A layered approach to security is imperative protecting the connectivity layer, the application layer, and the device itself.
Monitor, monitor, monitor
There are always changing circumstances, even with the most mature security programs. That is why you must continually monitor the environment to detect events and potential incidents. Not only must you monitor but you must improve your monitoring strategy and technologies that you use. Detection must be efficient and effective - your organization can fall into one of these two buckets: you have been breached and you know it or you have been breached and you don’t know it. Continually optimize and tune the technologies and processes you have in place. You cannot respond to what you can’t detect.
Have a plan
Like we all know, it’s not if you get breached, it’s when. Having a formal, tested response plan that is known by the organization, its stakeholders, and responders is crucial.
With or without a security operations center, and whether your network is on premises, in the cloud, or a hybrid, you need to determine which events and indicators correlate with cyber attacks. Organizations these days face a wider range and greater frequency of cyber threats than ever before. These threats can be from APTs (advanced persistent threats), cyberwarfare, promiscuous attacks through bots and botnets, script kiddies, malware-as-a-service via the Dark Web, or even internal attacks from entities within your organization. Everything from distributed denial of service attacks (DDoS) to cryptojacking, from man-in-the-middle attacks to spear phishing, from ransomware to data breaches hit businesses of all sizes and in all industries constantly and every single day. It’s perfectly normal to find it all to be overwhelming!
But implementing the right tools and practices can help you make sense of all of the cacophony. That’s where cybersecurity analytics can be useful. Several years ago, security analytics became something of a buzzword, but it’s as relevant now as ever.
Cybersecurity data analytics explained
So what is it exactly? It’s actually quite simple.
Security analytics isn’t one particular type of tool or system. It is a way of thinking about cybersecurity proactively. It involves analyzing your network’s data from a multitude of sources in order to produce and maintain security measures. It’s all about aggregating data from every possible source and finding the “forests” that all of those “trees” of logs and other recorded details are a part of. Of course, being able to identify the “forests” can make it easier to not only put out “forest fires” of cyber attacks, but also prevent “forest fires” in the future.
Security analytics sources and tools
Here are some of the different types of data sources which can be used in your cybersecurity analytics practices:
Logs from network security appliances, such as firewalls, IPS, and IDS
Network traffic and its patterns
Identity and access management logs
Mobile devices and storage mediums connected via WiFi, Ethernet, and USB
Business specific applications
There are some types of tools which your network can deploy which pertain to cybersecurity analytics. They include:
Code analysis applications to find vulnerabilities in software and scripting
File analysis tools to explore files in ways which may go beyond malware detection
Log analysis applications for firewalls, IDS, IPS, networked print devices, servers, and endpoints
SOC (security operations center) specific applications to organize data in a way which is useful for their functions
DLP (data loss prevention) tools
Security analytics use cases
Properly implemented cybersecurity analytics can not only improve your network’s security posture, but also help your organization with regulatory compliance needs. There are many industry-specific regulations which require log data collection and activity monitoring. HIPAA and PCI-DSS are just a couple of them.
It can even help show your organization’s stakeholders and management which security measures and policies are useful and worthy of investment.
Using an analytics approach and the right tools have the benefit of being able to
RSA is arguably the biggest business-focussed cyber security event of the year. As over 40,000 security professionals completely take over the Moscone Centre in San Francisco.
Of course, one of the biggest changes this year was a case of the blues - as AlienVault made its transition into AT&T Cybersecurity. There were smiles all around, and the now blue blinky sunglasses remained a favourite across our two booths.
However, it’s not the last we’ll see of our little Alien mascot, who will live on in Alien Labs.
There was also a ‘bullet time’ camera setup in the South Booth. I’m sure there’s a technical term for it, but I only know it as bullet time - the technique popularised by the Matrix movies, where multiple cameras are setup and take a photo at the same time, giving attendees the chance to have their photo taken while being beamed up by the UFO above.
RSA is a huge event with thousands of vendors, and hundreds of talks, which naturally bring about some common topics and trends.
Stop, Collaborate, and Listen
No, Vanilla Ice wasn’t a keynote speaker, but a common thread from the keynote to the show floor was one of collaboration and working better together.
I attended a great presentation by Wade Baker and Jay Jacobs if Cyentia Institute entitled “NONE of Us Are as Smart as All of Us” in which they take a scientific approach to proving why many is better than one for learning in the security industry.
Don’t call it a comeback
There was a lot of discussion around security fundamentals. While there are many new threats and attacks in the wild, they are not worth focussing on if the foundations are shaky. Industry luminaries HD Moore and Jeremiah Grossman are working on asset discovery, and Cybersecurity Asset management firm Axoni
Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of.
One of the most widely observed objectives of attacking an organization's cloud infrastructure has been for cryptocurrency mining. Despite recent falls in cryptocurrency prices, mining campaigns continue to plague organizations. Below, we've shared some of the more noteworthy forms of attack where the hackers’ end objective is to use your cloud infrastructure to mine cryptocurrency.
Compromised Container Management Platforms
We've seen attackers using open APIs and unauthenticated management interfaces to compromise container management platforms.
We recently investigated attacks involving mining malware served from the domain xaxaxa[.]eu. That domain may sound familiar, as it appeared in a February 2018 report by RedLock on the compromise of the Kubernetes infrastructure of an electric car company. The report details the container commands showing the malicious request.
RedLock reported the attackers used the compromised Kubernetes server in Amazon Web Services to mine Monero and potentially access customer data. In the event of such unrestricted access, cryptocurrency mining is one of the least malicious outcomes to victim organizations. For example, customer data and business operations could be at risk for theft or malicious modification.
Following the attention of the report by RedLock, the owners of xaxaxa[.]eu published a Public Notice stating that they are just a mining proxy and are not responsible for any malicious activity themselves.
Notably, we have also observed the domain serving pages saying it is a Dynamic Domain and a Vesta Control Panel. However, we have seen from other attacks listed in this article that the root domain is actively involved in serving malware and implicated in other campaigns.
Control Panel Exploitation
We have also observed attacks aimed at the control panels of web hosting solutions. The impact is similar to the previous topics, essentially allowing administrative control over web services for the execution of malicious code.
In April 2018, the same attackers that compromised Kubernetes infrastructure started exploiting an unknown vulnerability in VestaCP. This was followed by frantic posts on the official VestaCP forums and those of web-hosts that run VestaCP. VestaCP users provided details on how their installations were compromised.
In these attacks, they added a new backdoor user called “sysroot,” and then downloaded and installed the XMRig application to mine Monero cryptocurrency.
I am very excited to announce the 2018 AT&T Cybersecurity (formerly AlienVault) Partners of the Year! These eight outstanding companies achieved phenomenal business growth during 2018 and truly reflect the types of organizations that believe in ‘customers first’.
The AT&T Cybersecurity Partner Program enables leading VARs, system integrators, managed security service providers (MSSPs), managed detection and response providers (MDRs) and corporate resellers to sell and support AT&T Cybersecurity solutions and deliver compelling services powered by AlienVault USM in the global marketplace. With a strong focus on enablement, the program is designed to help solution providers create new opportunities for business growth, expansion and profitability.
Our dynamic and rapidly expanding partner community is a critical part of our success as a company, and we are committed to enabling and supporting the growth of our participants based on their individual goals and objectives.
Our Partner of the Year awards recognize the success achieved by our partners in the following categories:
Binary Defense led the AT&T Cybersecurity global partner community by identifying, architecting and delivering managed security services to a record number of customers. These customers ran the spectrum in size, from small business to some very recognizable, household names! They had top honors two years ago and we are very proud to recognize their return to the top spot by delivering more than 100% year-over-year growth.
“We are honored to receive such an award. The continued partnership and support between AlienVault and Binary Defense is a testament to the dedication of both organizations to improving cyber security around the world. As a leading MSSP and provider of SOC-as-a-Service, Binary Defense is proud to be aligned with AlienVault’s world class SIEM platform.” - Mike Valentine, CEO
Highest growth in 2018 as compared to 2017 sales bookings
IT Lab, based in the UK, delivered more than 800% growth year-over-year leading all others in 2018 by a comfortable margin. These growth numbers are challenging to achieve even in the best of times and IT Lab were able to take a great baseline and deliver these amazing results. With an eye firmly on value, it’s no surprise their existing customers renew and new customers flock to their services.
“IT Lab are thrilled to have been awarded growth partner of the year. This represents the excellent growth that we have had across IT Lab, both within our cyber security services and beyond. The SOC team have on-boarded some excellent clients in the last 12 months; spanning large FTSE250 businesses to financial and professional services, healthcare organisations and beyond. This award is testament to the fantastic team, and the great people that make up that team, right across our cyber and managed services.” – Michael Bateman
Highest sales bookings by a solution provider that joined our program in 2018
Agio signed on with us in early 2018 and came to the table with focused goals, a compelling service offering and an amazing technical team. Their desire to be impactful to their customers immediately made recognizing Agio a simple process. When you
The Federal ban on smartphones for some employees in the workspace makes a lot of sense in post-Snowden days. The phone has a camera, microphone, Bluetooth and other capabilities that can be abused, with or without the employee even intending harm.
AT&T ThreatTraq did a six-minute video I really enjoyed. The video included Karen Simon, Director Technology Security, AT&T, Manny Ortiz, Director Technology Security, AT&T and Matt Keyser, Principle Technology Security, AT&T. They referenced a great article in Security Magazine on this topic recently. Here are some key takeaways:
Unbridled smartphone capabilities are a righteous threat in highly secure facilities. Cameras can be used to steal classified documents. Microphones can be used to spy. Bluetooth is fraught with valid security issues that could be abused to exfiltrate data and spy.
The ban cost about 52 minutes per day of lost productivity. Karen calls it the “backlash on productivity”. Manny found the 52 minute number to be incredible, but then broke it down to employees having to walk out to their car or to a locker to check on their phones multiple times per day – yes it does add up. But is that really true? Would employees have been equally or more unproductive due to using the smartphone for personal reasons on the job?
There’s a definite hit on employee morale. I know a few people who wouldn’t take a job that required surrendering their smartphone to go to work. From the article:
“The numbers don’t lie: four out of ten millennials refuse to work for an organization that doesn’t allow personal devices in the workplace.”
Personal effectiveness can be greatly reduced. Think of all the times getting a quick text to a colleague during a long meeting can save quite a bit of time and reduce wasted work.
Work laptops / desktops have similar functionality as smartphones – why does it make sense to ban a smaller version of a laptop? Laptops can’t be taken from employees because they would be unable to do much work without them!
As Karen suggested, while security does have an impact – it’s never entirely benign - there needs to be a balance between security and productivity. Perhaps technology to disable the recording and camera functions of smartphones while at work?
We are very excited to announce that our new Success Center has just launched. It is our new “one stop shop” for help for AT&T Cybersecurity commercial USM Anywhere, USM Appliance and USM Central customers, OTX and OSSIM users, and InfoSec practitioners in need of help and support.
Why a Success Center?
We studied the situation at length before formulating our plan for the Success Center. In interviews with customers and partners, we determined that those wanting our help had to go to too many sites to get what they needed. These sites include the Forum, the Support Portal, the Documentation Center and the blogs. It was hard for folks to know the best place to look for information about a particular topic or question.
What Makes the Success Center Different?
Now you can log in one time and have access to information from a great many resources. You have the capability to search across all the resources and find helpful information that would otherwise be tricky to find. Searches span across blogs, AlienVault documentation, KB articles, Forum questions and even the customer case history (in the case the user is a customer.) We respect your privacy - company case history is accessible only by designated users of that company.
What Happened to the Customer Support Portal?
If you were a user of the Support Portal, your existing credentials will allow you access to the Success Center. You will have access to all the things you used to have access to, and much more!
What Happened to the AlienVault Forum?
The Success Center is a superset of the Forum. If you were a Forum user, you should have received an email near the end of January requesting you set up a new password in for the Success Center.
We migrated all the users of the Forum over to the Success Center, as well as the all existing Forum questions and answers.
There’s another neat feature about the Success Center – we will be able to get the focus from our technical experts to answer your questions better. In the Forum, questions could go unanswered. With the Success Center we will be alerted if a question has not been answered in a reasonable time. We can then open a ticket to get the right eyes and minds to answer your questions. In addition, duplicate questions will be resolved, and questions we’ve already answered in the past will get answers automatically.
Features to Notice in the Success Center
Intelligent Search: Searching for an answer is hard enough, but trying to filter through the results for the best answer makes finding your answer a frustrating process. Our new search intelligence can help with that by adding the following features:
View filters – additional filters allow you to filter results by result type, product, or source.
AI - Search AI will compare your search to previous results and your own history in the community to determine the likelihood of relevance for each result.
Result post-filtering - Our new search will analyze the results to rank not just by term relevance, but also age, validation, and reviews.
Getting Started Guide
Sometimes it is hard to know where to start with a new product. To help ease the process of getting used to our products, we provide a quick Getting Started Guide to help you get off the ground quickly.
In order to simplify finding what you need, we have provided a list of links to commonly requested answers and pages.
Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops.
That means it can be used used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible:
Termite is a useful networking and penetration testing tool, but we’re seeing it used in attacks to enable access to machines too. There has been little reporting on Termite, beyond a brief mention in a report by Kaspersky of an earlier version of Termite called “EarthWorm”. Below, we’ve provided an outline on some of the attackers we’re seeing deploying Termite.
Termite and EarthWorm are publicly available tools written by an employee of 360NetLab. They can be considered an updated version of the well known packet relay tool HTRAN.
Termite popped up on our radar when we were reviewing malicious binaries compiled to run on IoT architectures. Termite is available for a range of different operating systems and architectures including x86 ARM, PowerPC, Motorola, SPARC and Renesas.
This means an attacker can use a long chain of desktop, mobile and IoT devices to be able to connect through networks and DMZs.
Termite can act as a SOCKS proxy to bounce traffic, as well as a lightweight backdoor that can upload and download files, and execute shell commands:
The Termite help function
For example, this is a typical sequence of commands you may see when investigating a compromised machine:
On a victim host, the attacker listens for incoming connections:
agent.exe -l 8888
Then the attacker connects to the compromised machine:
admin.exe -c [tartet_ip] -p 8888
And selects which compromised system to interact with:
Then they start a SOCKS proxy on the system to route traffic through it:
And a shell on the compromised system that they can connect to with netcat:
Breaches are widely observed in the healthcare sector and can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops or other devices. Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII).
.With instances of identity theft and fraud rising, however, many healthcare organizations are now hosts to valuable patient data such as social security numbers, medical records, and more personal information that can be compromised through cyber-attacks. If cybersecurity is not a key piece of your healthcare facility’s infrastructure, you may be putting both your organization and your patients at extreme risk. With the current cybersecurity climate in healthcare, it is important to consider some foundational security elements in terms of maintaining cyber hygiene.
What it Means for 2019 and Beyond
The data from 2018 illustrates that there is a problem with security throughout the healthcare industry. Information security experts warn that healthcare will be the biggest target for cybercriminals over the next five years, as noted in Healthcare IT News. The financial burden on attacked organizations is crippling, but the reputation risk is even greater.
A Smarter Approach to Security
Healthcare organizations must have an effective security risk management strategy built on the concept of edge-to-edge protection. They need to know what their data security priorities are, have policies that are effectively enforced, and bring an approach to cybersecurity that’s surgical— working from the inside out — to understand every fit and function of their organization. Without proper guidance, healthcare organizations could be throwing money into cybersecurity with little return, strangling their operations rather than supporting them. So as healthcare organizations work to toward their future security, a key step is consider doing a penetration test. Consider it a self-check-up.
To combat a hacker, you need to think like a hacker. Penetration testing is a form of ethical hacking that simulates attacks on an organization’s network and its systems. This is done to help organizations find exploitable vulnerabilities in their environment that could lead to data breaches. The test is a manual process performed by security experts that dive deeper into your environment than an automated vulnerability scan does.
A Penetration Test Does NOT Equal Automated Vulnerability Scans.
It exposes your weaknesses before real hackers do
It can reveal which areas of security you need to invest in
It provides an outsider perspective of your security posture
It will simulate a real attacker scenario
Help with meeting compliance with industry standards and regulations
Help prioritize and tackle risks based on their exploitability and impact
MITRE ATT&CK™ (Adversarial Tactics, Techniques and Common Knowledge) is a framework for understanding attackers’ behaviors and actions.
We are pleased to announce that AlienVault USM Anywhere and Open Threat Exchange (OTX) now include MITRE ATT&CK™ information. By mapping alarms to their corresponding ATT&CK techniques, we are assisting in prioritizing analysis work by understanding the context and scope of an attack.
Below we’ve outlined how this new capability can help you investigate two threats - TrickBot and RevengeRat.
Mapping a Trickbot infection with ATT&CK
Trickbot is a malware family that was discovered a few years ago targeting the banking industry, but following some investigations, it is still active and evolving. The malware is usually delivered using attached Office documents via spear-phishing emails.
This particular sample works by running a PowerShell script via command line from the malicious Excel document. The script will load the code that needs to be executed in memory and run the payload. In order to run the payload without being detected, the malware will try to disable and evade anti-malware protection. Once that is done, it will copy itself to another location and will run from there. It also spawns instances of the svchost.exe process to perform several tasks such as downloading config files and injecting into browsers to steal user credentials.
AlienVault USM Anywhere detects and tracks the previous malware behavior and maps all different behaviors to ATT&CK definitions. This provides a clean understanding of the attack’s stage and tactics, and makes the analysis work easier.
Running the sample in our environment we can observe different alarms that USM Anywhere is automatically triggering once the malicious Office document is opened by the user:
Suspicious Process Created by Microsoft Office Application
Suspicious Powershell Encoded Command Executed
Windows Defender Disabled
Windows Unusual Process Parent
Malicious SSL Certificate
Now it’s possible to see those alarms mapped to the ATT&CK matrix:
As we can observe, the ATT&CK matrix provides visibility of the techniques and tactics that Trickbot uses. Starting with Execution tactics, Defense Evasion mechanisms and finishing with Command and Control activity.
The first alarm in the kill chain is the Suspicious Process Created by Microsoft Office Application. After opening the malicious document, the process EXCEL.EXE creates a new process to run a PowerShell command and load code in memory using the IO.MemoryStream class. We can see how the alarm Suspicious Powershell Encoded Command Executed detected the malicious activity and the encoded command trying to evade detection.
Today marks another new milestone and I am proud to unveil our new name….AlienVault has now combined with AT&T Cybersecurity Consulting and AT&T Managed Security Services to form a new standalone division, AT&T Cybersecurity!
Digitalization continues to drive rapid changes in business models and network architectures. On the other hand, it also drives changes in how cybercriminals operate, making it easier for them to harvest data and launch automated attacks at scale. The mismatch between changes in cybercrime sophistication and the relative stagnation in cybersecurity approaches is apparent as organizations continue to suffer data breaches. According to a survey presented in AT&T Cybersecurity Insights, 88% of respondents had reported at least one type of security incident or breach in the last year.
The root cause? Dispersed networks, an explosion of data, disparate technologies, complex security operations present cybercriminals with gaps or “seams” in organizations’ security postures. Fighting cybercrime requires a coordinated and collaborative approach orchestrating best-of-breed people, process and technology.
AT&T started down this path years ago by building a best-of-breed Cybersecurity Consulting practice and Managed Security Services business serving customers of all sizes, across industries, and around the world. Combined with its network visibility across the threat landscape, AT&T has been well-positioned to take a unique role in cybersecurity.
With the acquisition of AlienVault, AT&T Cybersecurity will continue to deliver on our joint vision to address these “seams” and uniquely bring together people, process, and technology through a “software defined” unified security management platform. A platform that integrates, automates and orchestrates a wide spectrum of best-of-breed point security products.
By abstracting much of the management of individual security products, we are automating deployment and ongoing operations, and operating them as a single unified solution - much in the same way AlienVault had done with the critical capabilities required for threat detection and response. This platform will use the technical capabilities and reach of AT&T’s Edge-to-Edge intelligence in order to deliver solutions as on-demand digital services optimized to help protect customers through their own digital transformation journey.
We will accomplish this through collaboration with AT&T’s industry-leading Chief Security Organization and through the integration and automation of AT&T Alien Labs threat intelligence into the platform. The combination of Open Threat Exchange now curated by Alien Labs and AT&T’s incredible breadth and depth of threat intelligence will create one of the world’s leading threat intelligence platforms!
AT&T Cybersecurity is uniquely positioned to provide security without the seams through people, process and technology, which will provide UNRIVALED VISIBILITY for our customers!
2019 is off to a great start! Stay tuned for more exciting news from AT&T Cybersecurity that will enable our customers to anticipate and act on threats to help protect their business!
Once upon a time, businesses needed to take light cybersecurity precautions to ward off amateur hackers. A business owner may have recruited their tech-savvy nephew to protect their system, barely worrying about the risk. Today, the world of cybersecurity has done a 180 — it’s now a top concern for businesses. As businesses swiftly adapt to the changing digital environment, new technology means more cybersecurity concerns.
Businesses are now using new tech for an assortment of needs, from the recruitment process to audience discovery and beyond. On top of that, as consumers continue to shop online and use the internet to store all sorts of personal information, hackers have only grown in their knowledge and resourcefulness to create clever, threatening ways to attack businesses. And for good reason: Uncovering financial and health information is worth a lot of money for hackers.
The internet of things (IoT) has created more opportunities for employees and consumers to stay connected through an assortment of tools, from smartphones to smart home appliances. Every time another device connects to the internet, another security risk opens up. When valuable personal information is transmitted, those devices and connections become gold mines for hackers.
Additionally, any business that has some type of online presence, whether it’s a customer-facing retail store or employees who use an internal, internet-connected system, needs cybersecurity services. Certain industries have even more of a pressing need than others:
These industries deal in high levels of personal information that, if a hacker accessed it, would be detrimental to the business as well as its customers.
How Do Cybersecurity Experts Protect Businesses?
In 2014, Sony Pictures was the target of a major cybersecurity attack. According to Michael Lynton, chief executive, “There's no playbook for this, so you are, in essence, trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of experiences you've had in the past or other people's experiences. You're on completely new ground.”
This is a common sentiment, but it may be unfounded. Even five years ago, cybersecurity pros noted that Sony should have, and could have, been better prepared.
When you decide to go into the field of cybersecurity, you may opt to head back to sc
We have two weeks of news to catch up with because I was travelling last week and wasn’t able to submit to the editor in time.
But that just means double the security fun. So let’s just jump right into it.
Helping The Smaller Businesses
Small and mid-sized businesses have most of the same cybersecurity concerns of larger enterprises. What they don't have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous.
Security Isn’t Enough. Silicon Valley Needs ‘Abusability’ Testing
It is time for Silicon Valley to take the potential for unintended, malicious use of its products as seriously as it takes their security. From Russian disinformation on Facebook, Twitter, and Instagram to YouTube extremism to drones grounding air traffic, Tech companies need to think not just about protecting their own users but about abusability: the possibility that users could exploit their tech to harm others, or the world.
CISO Spotlight: Security Goals and Objectives for 2019
Rick Holland shares his security goals and objectives for 2019, which has some great insights and tips such as hyperfocusing on process / program improvements, establishing a security and risk playbook, avoiding ‘expense in depth’, eating their own BBQ, and investing in the team.
Some defense attorneys in San Juan County worry that Sheriff Ron Krebs has a finger on the scales of justice after learning he used a courtroom security camera to surreptitiously zoom in on defense documents and a juror’s notebook during a criminal trial last week.
The incident has drawn outrage from criminal and civil-rights attorneys and frustration from the county prosecutor, and prompted a rare weekend hearing during which a judge dismissed misdemeanor assault and trespass charges against a Lopez Island man after finding the incident amounted to government misconduct that had violated his right to a fair trial.
Given you’re here, you’re likely new to this topic, so please be aware in that fileless malware, fileless malware attack, and fileless attack are different words for the same thing. With that clear, let’s jump in!
What is Fileless Malware and How Does It Work?
There are many definitions of a fileless malware attack. I like the description from the Poneman Institute:
"A fileless attack is really an attack technique - what we're talking about is a technique - that avoids downloading malicious, executable files, usually to disk, at one stage or another by using exploits, macros, scripts, or legitimate system tools instead. Once compromised, these attacks also abuse legitimate systems and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network."
What's most confusing about these attacks is that they might not be 100% file-free. Typically, different technique types are termed “fileless”, but that doesn't mean the malware or an entire attack campaign won’t include executables at some stage. For example, a traditional phishing attack could have components of a fileless attack in it. Instead of opening the file, clicking on a link and it downloading something to your hard drive, malware may just run in your computer’s memory. It’s a phishing attack, but one piece is fileless. That scenario is more common than a completely fileless malware attack where everything is running in memory. More commonly, we're going to see traditional attacks: phishing campaigns, spoofs, Man in the Middles (MiTM), where something in the attack vector includes malicious code that runs in memory.
The other point is that you might hear “fileless attacks” referred to as non-malware attacks, memory-based attacks, in-memory attacks, zero footprint attacks, and macro attacks. These are all different flavors of attack techniques. The whole premise behind the attack is that it is designed to evade protection by traditional file-based or signature-based tools. So any technique designed to try to circumvent or evade detection by those tools really falls into the fileless attack category.
Just to get a picture of some of those techniques, in the picture below on the left there are some example delivery methods we see for fileless types of attacks. As we know, phishing and social engineering remain tactics that work for attackers.
This nice diagram from Microsoft that shows a full taxonomy of fileless threats. The diagram shows the breadth of different types of techniques and different types of tools, tactics, and procedures that malicious attackers are using to launch attacks.
Cyber security has three pillars of people, process, and technology. Enterprises have historically had a skewed focus towards the technology aspect of cyber security - installing another endpoint agent, or deploying another network monitoring device designed to seek out anomalys behaviour.
While all these things are well and good, when you look at user awareness plans, and most companies have a once-a-year activity where they go over a few points and hope people remain educated.
And as far as processes go … well, it’s unclear how much of a conscious effort is put into developing robust processes for cyber security, particularly in small and medium businesses.
If we take an unscientific look at some of the trends over the last couple of years, we can see that attacks coming from non-state adversaries has been changing some of its tactics. It is no longer possible for most attackers to waltz in through the virtual front door of organizations and access their data. Which is why many attackers focus on different areas.
Three of the most commonly spotted areas are as follows:
Going after employees is a tried and tested method. Be that dropping USB drives marked “HR bonus list” in the car park, or sending targeted phishing emails, these attacks have proven to stand the test of time.
Phishing emails have been used in many ransomware infections, as well as Business Email Compromise (BEC) rely on duping users within a company.
At the beginning of 2019 it was reported that the Indian unit of an Italian firm was targeted and managed to swindle $18.6m. This trend shows no signs of slowing down as Business email compromise (BEC) fraud attacks soared 58% in the UK during 2018, possibly affecting as many as half a million SMEs, according to Lloyds Bank data.
Employees aren’t the only ones targeted by criminals. Customers of companies are also fair game in the eyes of hackers.
Phishing attacks are a common avenue, with scammers masquerading as popular brands such as Apple or Amazon, threatening behaviour such as law enforcement or the tax office, or even pulling at emotions such as love and greed.
Accidental Personal Info Disclosure Hit Australians 260,000 Times Last Quarter
The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed around 269,621 separate cases of individuals having their personal information impacted as a result of a human error. The report [PDF] says
Way back in around the 2010 / 2011 timeframe Wendy Nather coined the phrase "The Security Poverty Line" in which she hypothesised that organisations, for one reason or another (usually lack of funds), can't afford to reach an effective level of information security.
Nearly a decade on, and while the term has sunk into frequent usage within the information security community, are we any better at solving the issue now that we've identified it?
I asked Wendy on her thoughts, to which she said, “I don’t think we’ve even come close to understanding it yet. And I think solving it will take an effort on the level of US health care reform.”
It’s a morbid thought, and can leave one with a feeling of helplessness. So, I thought I’d try to scratch beneath the surface to see what we can understand about the security poverty line.
The term technical debt has become more prevalent within information security over the years. Whereby a company will accrue technical debt, or information security risk over time due to decisions they've made. For example, if a service is launched before undertaking a full penetration test or code review, it adds to the debt of fixing any subsequent issues in a live environment.
One of the challenges with technical debt is that it doesn’t occur in a linear manner, rather the debt, or fall below the poverty line, occurs at an exponential rate.
Speaking to people who run small businesses, things become a bit clearer as to some of the challenges they face.
Cybersecurity needs investment in different areas, initially that is to hire expertise, or invest in technologies. Neither of which are necessarily the smallest of investments. But then there are ongoing costs - the cost to maintain security, to undertake ongoing testing. Then, when wanting to do business with larger companies, the smaller company is usually subject to a 3rd party assurance process where they need to demonstrate they meet all the cybersecurity requirements of the larger company, even in instances where the controls may not be directly applicable. Finally, in the event of an incident, a company that has already under-invested in security is faced with loss of business, or even legal action from partners, regulatory fines, as well as the cost of incident recovery and PR management.
How Much Information Security is Enough?
With such a seemingly endless laundry list of things to consider in the security world, the question on
Online trading is on the rise as many consumers take control of their own investments or work with brokers virtually rather than in person or over the phone. At the same time, cybersecurity attacks are on the rise as hackers also try to take advantage of gaps in the system, stealing identities and even money.
How do you keep yourself safe when trading online? Here are six simple tips:
Check the Doors and Windows
Before trading online, know that the most important thing is awareness. Be aware of what risks you run by trading online and what might happen. In your home, you check doors and windows before going to bed because you know they are potential entry points; you need to understand the same thing about online trading.
How do you recognize a threat and combat it or prevent it in the first place? One of the keys is good security software and setting up automatic alerts. Of course, once you receive an alert, you need to know what actions to take, and software can help with that as well. Secure your online trading accounts and all of the data associated with them by securing any potential entry points. As well, it’s never a bad idea to regularly back-up your data either through physical offsite or cloud-based storage. Should the integrity of your systems be compromised due to a breach, you’ll still have access to your data.
None Shall Pass
For a moment, let’s talk passwords, one of the entry points mentioned above. Truth is, as much as we talk about passwords, the list of the top awful ones every year is astounding, including things like your birthday, 123456, and even the word “password” used as a password.
There is no reason for this in an age of password vaults and generators that not only help you set your password, but remembers them for you as well and can even remind you to change them. Consider using such a password management system, and guard your passwords carefully. All of the fancy firewalls and protection in the world do no good if your password is easy to guess.
Do you know what two-factor authentication is and how to use it? Most apps, even those for social media, offer this now, and bank and trading apps are no exception. When you log in from a new device, you will need not only your password, but you will need to have access to a device you own.
This can be everything from your tablet, your phone, your smartwatch, or at the minimum access to your primary email. A code will be sent to that device or email that you must enter in order to access your account. This is a great second layer of security — one that is free.
That way, even with your password, a hacker cannot breach your account.
Don’t Let Them In
What happened in the quite public cyberattacks on Home Depot and Target? Both retailers had the same problem, in that they had granted access to their systems to vendors and did not shut off that access when the vendor was done working.
Security information and event management (SIEM) technology is transforming the way IT teams identify cyber threats, collect and analyze threat data and respond to security incidents. But what does that all mean? To better understand SIEM, let's take a look at SIEM technology, how it works and its benefits.
What Is SIEM?
SIEM technology is a combination of security event management (SEM) and security information management (SIM) technologies. IT teams use SEM technology to review log and event data from a business' networks, systems and other IT environments, understand cyber threats and prepare accordingly. Comparatively, IT teams use SIM technology to retrieve and report on log data.
How Does SIEM Work?
IT teams use SIEM technology to collect log data across a business' infrastructure; this data comes from applications, networks, security devices and other sources. IT teams can then use this data to detect, categorize and analyze security incidents. Finally, with security insights in hand, IT teams can alert business leaders about security issues, produce compliance reports and discover the best ways to safeguard a business against cyber threats.
What Are the Benefits of SIEM?
SIEM technology frequently helps businesses reduce security breaches and improve threat detection. The AlienVault Infographic and "2019 SIEM Survey Report" revealed 76 percent of cyber security professionals reported their organization's use of SIEM tools resulted in a reduction in security breaches. Additionally, 46 percent of survey respondents said their organization's SIEM platform detects at least half of all security incidents.
Also, SIEM tools typically provide compliance reporting – something that is exceedingly valuable for businesses that must comply with the European Union (EU) General Data Protection Regulation (GDPR) and other data security mandates. SIEM tools often come equipped with compliance reporting capabilities, ensuring IT teams can use these tools to quickly identify and address security issues before they lead to compliance violations.
SIEM tools help speed up incident response and remediation, too. A cyber security talent shortage plagues businesses worldwide, but SIEM tools help IT teams overcome this shortage. SIEM tools are generally simple to deploy, and they often can be used in combination with a business' third-party security tools. As such, SIEM tools sometimes reduce the need to hire additional cyber security professionals.
Is SIEM Right for My Business?
SIEM technology is designed for businesses of all sizes and across all industries. If a mid-sized retailer wants to protect its critical data against insider threats, for example, SIEM technology can help this business do just that. Or, if a globally recognized bank requires a user-friendly compliance management tool, it can deploy SIEM technology as part of its efforts to meet industry mandates. SIEM tools can even help businesses protect their Internet of Things (IoT) devices against cyber attacks, proactively seek out cyber threats and much more.
How Can I Select the Right SIEM Tool for My Business?
The right SIEM tool varies based on a business' security posture, its budget and other factors. However, the top SIEM tools usually offer the follo
Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do.
Enough reminiscing - let’s get down to it.
The Big Five
There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them.
But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever. WIth detailed write ups and slick videos showcasing how she cut out the big five of Amazon, Facebook, Google, Microsoft, and Apple from her life, one week at a time.
Considerations for When Your Apartment Goes “Smart”
Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks depending on how you look at it).
Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position.
While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vuln
When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch.
Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX).
The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet.
The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs due to the fact a that credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”:
The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.
As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.
How Can APT10 Group Impact You?
If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants on critical systems (such as PlugX and Redleaves). Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to existing your monitoring tools. Voila! They’ve gone from first date to a home run!
With the constant barrage of headlines regarding breaches in the last few years, it seems that society in general has become numb to losing personal data. This year’s overarching cybersecurity theme is clear: We’re all in this together because we simply can’t do it alone. Effective defense demands a team effort where employees, enterprises, and end users alike recognize their shared role in reducing cybersecurity risks.
To borrow a phrase, “If not us, then who? If not now, then when? by John Lewis. Here are tips for improving your cyber risk management this year.
Tip #1: Balance risk versus reward.
The key is to balance risks against rewards by making informed risk management decisions that are aligned with your organization’s objectives — including your business objectives. This process requires you to:
Assign risk management responsibilities;
Establish your organization’s risk appetite and tolerance;
Adopt a standard methodology for assessing risk and responding to risk levels; and
Monitor risk on an ongoing basis.
Tip #2: Use your investments wisely.
When determining the best strategy for future cyber investments, it’s vital that you review your organization’s current security posture and existing security controls, including technology, people and processes. Before making new investments, perform an architectural and program review to understand how the existing controls can be utilized to address your identified risks. There are almost always ways to optimize, reduce cost, or minimize upcoming investments.
Tip # 3: Be nimble; make sure your strategy can quickly adapt.
Business is not static and neither are the solutions that enable and protect it. To grow, compete, and own its place in the market, a business must adopt new models and technologies to stay relevant and competitive. As the business evolves, so too must the operations and security solutions that protect it. Today, a cybersecurity strategy needs to be nimble to match the pace and dynamic modeling of the business it is protecting.
Tip #4: Don’t lose sight of the data — are you asking the right questions?
Before analyzing your security controls, take a step back to understand what data is needed to support the business, who that data must be shared with, and where that data is stored. Look at your operations, the flow of data into, throughout, and outside of your organization, and the risks associated with your business model. This will give you an understanding of the exposures that the data faces, enabling you to address and prioritize security measures. The three questions most organizations should be asking are:
How secure are we?
Are we going to be secure based on our current and future business plans?
Are we investing the right amount of time and resources to minimize risk and ensure security — especially people, technology and process?
Tip # 5: Re-imagine your security approach; don’t go looking for the silver bullet.
The cybersecurity market is flooded with solutions, leaving many organizations struggling to select the right protection for their business and get the best value from their investments. Most cybersecurity solutions, however, are point solutions, which don’t adequately address today’s threats.
Tip # 6: Make security awareness stick.
More than 90 percent of security breaches involve human error. These acts are not always malicious, but often careless and preventable. To change security
Breaches aren’t easy to deal with, especially if you are of the opinion that companies are people too. Having seen, been part of, and lent a shoulder to many a breach, here are nine of the common ways companies respond to breaches.
A delayed response is when a breach has occurred and the company is informed a long time after the fact, usually when the data appears on a dark web sharing site. The company sometimes informed by law enforcement, or by reading about it on Brian Krebs’ blog.
Complicated response (traumatic or prolonged)
A complicated breach becomes severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well not anymore. Did you have European citizen data? Well say hello to my little GDPR friend.
Disenfranchised breaches are where the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt by the company, but elicits little, if any sympathy from customers.
A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT devices accounts while records are being exfiltrated out of the mainframe during a DDoS attack.
A cumulative breach can be particularly stressful because a company doesn’t have time to properly respond to one incident stating how they ‘take security seriously’ before experiencing the next.
Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third party company.
On occasion the finger of blame is pointed towards an employee or contractor for not patching a system. Or, in some cases, the company will want to set an example and unceremoniously fire the CISO.
Also known as “keep this between us” is a conscious decision by a company to keep details of a breach limited to a very small group.
Problems can occur if customers or regulators get wind of it, and can cause bigger issues down the road. By then, the only viable option for companies is to shred the documents, wipe the hard drives, and research countries with non-extradition treaties.
Collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic in bringing all people on the same side and put their differences aside.
When everyone is forced to change their passwords after a breach, it gives common ground for them to share the pain.
A favourite of social media giants, absent response is when a company doesn’t acknowledge or show signs of any response. This can be as a result of shock, denial, or simply passing everything onto business as usual.
It’s important to note that in some instances, just because you can’t see the signs of a response, it doesn’t necessarily mean that a company isn’t taking responsive actions.
Or it could just mean they don’t care, it can be hard to tell.
Remember all those posters telling you ‘it’s not a matter of
And in what feels like a blink of an eye, January 2019 is almost over. Time sure does fly when you’re having fun. But we’re not here to have fun, this is a serious weekly roundup of all the security news and views, with a few cynical observations thrown in for good measure.
Tables Turn on Journalists
Colorado journalists on the crime beat are increasingly in the dark. More than two-dozen law enforcement agencies statewide have encrypted all of their radio communications, not just those related to surveillance or a special or sensitive operation. That means journalists and others can’t listen in using a scanner or smartphone app to learn about routine police calls.
Law enforcement officials say that’s basically the point. Scanner technology has become more accessible through smartphone apps, and encryption has become easier and less expensive. Officials say that encrypting all radio communications is good for police safety and effectiveness, because suspects sometimes use scanners to evade or target officers, and good for the privacy of crime victims, whose personal information and location can go out over the radio.
How long before journalists start touting, “If you’re innocent you have nothing to fear.”
What would really be ironic is if journalists ask that police put backdoors into their comms so that journalists could listen in.
Would a Detection by Any Other Name Detect as Well?
One detection category is not necessarily “better” than other categories. While detection categories and descriptions might lead one to think that certain categories are better, the category alone is not enough to give a complete picture of the detection. It’s important to look at the technique under test, the detection details, and what’s considered normal behavior in your organization’s environment to help you understand what detections are most useful to you.
Over 24 million financial and banking documents were found online by researcher Bob Diachenko as one does I suppose.
The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.
Voicemail Phishing Campaign Tricks You Into Verifying Password
A new phishing campaign is underway that utilizes EML attachments that pretend to be a received voicemail and prompts you to login to retrieve it. This campaign also uses a clever tactic of tricking you into entering your password twice in order to confirm that you are providing the correct account credentials.
67% of small and micro businesses have experienced a cyber attack, while 58% have experienced a data breach within the last 12 months, according to a study conducted by the Ponemon Institute. Cybersecurity has become one of the major questions that plague the 21st century, with numerous businesses reporting significant losses resulting from loss of private customer data, denial of service (DoS) attacks that cripple operations and internal employee threats that pose a growing data security challenge for both small and large companies. When you consider the effects of the cyber attack in Alaska and the astounding number of businesses it crippled, it's clear that businesses owners need to understand the threats they face today.
The Question of Cybersecurity
A few decades ago, the thought of cyber warfare would have seemed far-fetched to say the least. But today, it has become as likely as it is terrifying, especially when you consider how many of our gadgets are connected to the internet - mobile phones, smart TVs, PCs, and IoT devices. The technical advancements in data-hacking have led to the parallel development of data-protection. While downloading an antivirus software may previously have been sufficient protection, this is now only a preliminary measure, and must be coupled with stronger controls like 2-factor authentication, access control, and raising threat awareness. The cyber-security industry grows steadily each day, and it is now possible to find adequate protection for all your gadgets: from your phone to your tablet and yes, even your new television set.
Artificial Intelligence Shaping Cybersecurity
If you have a basic interest in the tech world, you will have undoubtedly come across Sophia. Sophia is a humanoid robot and may be termed by many as the perfect illustration of how far AI has come. It is for this reason that AI is leading the cybersecurity field. This is through the application of the concept of synthesizing data. Basically, what this means is that two independent chunks of information can be combined to arrive at a single conclusion. In layman's terms, AI is expected to improve cybersecurity by speeding up incident response when malicious activity is detected, thwarting ransomware and automating practices. This way, companies will be able to remain a step ahead of potential cyber threats.
The Future of Cybersecurity Innovation
Conventionally, data transfer has been achieved through electrical signals. However, this may change if we enter the era of data exchange through light signals. This works through the use of photons as carriers of quantum information in cyberspace. Photons are light particles which are generated simultaneously in pairs. With timing controls, this would mean that data transfer would only be possible if twin-photon particles existed for the sender and recipient. Ultimately, the only way to hack the data would be to upend the laws of physics. More innovations like deep learning, cloud technology, and hardware will revolutionalize the future of cybersecurity, making it easier for companies to prevent cyber attacks.
The field of cybersecurity is shifting and improving daily to match the changing needs of today’s cyberspace. It is essential that everyone, including businesses, become familiar with the means with which to protect their data. Understanding the changing face of cybersecurity is a key step to achieving that goal.
What does it mean to be a thought leader? Is it merely the opposite of a thought follower, or is it more nuanced than that?
Becoming a thought leader is the epitome of professional success. But a thought leader isn’t a title that one attains by going to Harvard, or Cambridge. No, it’s a title bestowed by your peer
But wait, there are many naysayers in this world who will try to make out that thought leadership is a made up marketing term. But they're wrong. Thought leaders are the future, with them, the future is bright, and will lead us to an enlightened future, where blockchains and machine learning will co-exist in harmony, fuelled by cryptocurrencies and moderated by artificial intelligence.
So how does one become known as a thought leader? Simple, just watch this video and follow the awesome advice given by me and @SpaceRog
Every day, as a part of my work at AlienVault, I talk to prospective clients. Many of them are trying to put together a security plan for their business. Most of the people I talk to are IT professionals who, like everyone else, are learning as they go.
During my time in IT and the security industry, I have seen almost every type of network you could imagine. Most of them made sense and could be explained and I could understand why they were built the way they were. Some, not so much. During the last 10 years especially, I have started compiling network drawings and information on the many ways that networks are designed and deployed.
The following list of bullet points are my recommendations to an IT manager or business leader if they consulted me on how to put together information technology for their business. Please remember this is a fairly generic list and there are tons of deviations to take into consideration when building a network and then protecting it.
1. Policies and Procedures
Policies and procedures are the cornerstones of your IT governance. This is the “what is going to happen and how is going to happen” of your security posture, and from the big picture your entire IT infrastructure. Creating a solid policy and procedure document or documents will provide your organization with an IT and security blueprint for your initial build, maintenance, management and remediation of issues. Solid policy and procedure manual(s) will also prepare the environment to work within any framework and meet compliance requirements.
2. Gateway Security
Gateway security is essential to keeping the bad guys out. There are a number of popular firewalls on the market that will provide excellent security at the gateway. The needs of the environment will dictate which firewall will work best.
For example, a high throughput environment with a large internal IP count might require a Next Generation Firewall (NGF) that runs only a few services on board and reserves the majority of resources for ingress-egress traffic. On the other hand, an environment that requires a very high level of security but has limited WAN bandwidth may be better suited for a UTM (Unified Threat Management) firewall which runs a number of services onboard. Traditionally it also utilizes significant resources for services like deep packet inspection (DPI), data loss prevention, (DLP), gateway antivirus, website filtering, email filtering and other high-end security services.
Actually, antivirus is evolving and morphing like your favorite advanced persistent threat (APT) malware. A few years back the InfoSec industry started to break new ground on digging deeper into threats and breaches using threat intelligence in real-time to actively pursue malware based on heuristic data. Heuristic data became important as technology progressed to utilize behavioral analysis based on up-to-date threat intelligence.
These progressions in the industry gave rise to Endpoint Detection and Response (EDR), which is quickly morphing into a formidable companion to traditional antivirus and antiMalware protection. The very minimum that should be deployed into an environment includes a good reputable antivirus with antimalware capabilities, however, to get a definite head start on any co
It’s a plan for responding to a cybersecurity incident methodically. If an incident is nefarious, steps are taken to quickly contain, minimize, and learn from the damage.
Not every cybersecurity event is serious enough to warrant investigation. Events, like a single login failure from an employee on premises, are good to be aware of when occurring as isolated incidents, but don’t require man hours to investigate. Your cybersecurity team should have a list of event types with designated boundaries on when each type needs to be investigated. From there, you should have customized incident response steps for each type of incident.
The Importance of Incident Response Steps
A data breach should be viewed as a “when” not “if” occurrence, so be prepared for it. Under the pressure of a critical level incident is no time to be figuring out your game plan. Your future self will thank you for the time and effort you invest on the front end.
Incident response can be stressful, and IS stressful when a critical asset is involved and you realize there’s an actual threat. Incident response steps help in these stressing, high pressure situations to more quickly guide you to successful containment and recovery. Response time is critical to minimizing damages. With every second counting, having a plan to follow already in place is the key to success.
The Two Industry Standard Incident Response Frameworks
Introduced in no particular order, NIST and SANS are the dominant institutes whose incident response steps have become industry standard.
NIST stands for National Institute of Standards and Technology. They’re a government agency proudly proclaiming themselves as “one of the nation’s oldest physical science laboratories”. They work in all-things-technology, including cybersecurity, where they’ve become one of the two industry standard go-tos for incident response with their incident response steps.
The NIST Incident Response Process contains four steps:
Detection and Analysis
Containment, Eradication, and Recovery
SANS stands for SysAdmin, Audit, Network, and Security. They’re a private organization that, per their self description, is “a cooperative research and education organization”. Though more youthful than NIST, their sole focus is security, and they’ve become an industry standard framework for incident response.
The SANS Incident Response Process consists of six steps:
The Difference Between NIST and SANS Incident Response Steps
With two industry standard frameworks, there’s a chance you’re familiar with one but not the other. So let’s do a walk-through of their similarities and differences. First, here’s a side-by-side view of the two processes before we dive into what each step entails.
Placed side-by-side in a list format, you can see NIST and SANS have all the same components and the same flow but different verbiage and clustering. Let’s walk through what each of the steps entail to get into the nuanced differences of the frameworks.
For consistency, NIST steps will always be presented on the left and SANS on the right during the steps side-by-side compariso
London saw a few flakes of snow drop this week, and social media nearly broke with everyone sharing photos of the white pixie dust falling from the sky. Fortunately, I have few friends, and even fewer social media platforms that I use, so was saved from most of the insanity… well, except for my daughter singing “let it snow”.
TheCurious Case of the Raspberry Pi in the Network Closet
What would you do if you found a Raspberry Pi plugged into the network closet? Sounds like something from your worst nightmare, especially if you hadn’t commissioned any red team testing.
But that’s exactly what one team found, and this is the story of how they tracked down (almost) the suspect. If Scooby Doo has taught me anything, it was the janitor!
The DDoS Attacker Rescued by a Disney Cruise Ship is Sentenced to Over 10 Years in Prison
A 34-year old man has been sentenced to more than 10 years in prison, after being found guilty of launching a massive denial-of-service attack against Boston Children’s Hospital.
The sentencing of Martin Gottesfeld, from Somerville, Massachusetts, comes almost three years after he attempted to escape to Cuba – a plan that failed after his speedboat broke down in the choppy sea, and he was picked up by a Disney cruise liner.
In a post released on 1/8/19, I wrote about the record number of breaches in 2018. This brought to mind a podcast that I was listening to a few days back hosted by Corey Nachreiner, CTO of WatchGuard Technologies, Inc. on his 443 Podcast. Corey discussed the potential data deduplication problem on the Dark Web. This article will attempt to break down how this can happen and how this can cause issues not only for users of the Dark Web, but also for those whose data has been stolen and placed on the Dark Web for purchase.
The breaches of 2018 were vast and widespread, affecting businesses from fast food to department stores to airlines with record amounts of data being lost. If you look at just the breaches I referenced in the previous article, total PII records counts are over one billion in the United States. In India, every citizen in the country had their data compromised with the breach of Aadhaar, the Indian biometric IT program owned and operated by the government of India. The Aadhar breach alone accounted for 1.1 Billion records lost to hackers.
Researching this, I discovered that for just the US-based hacks in the article, Americans and foreign travelers doing business with one of the breached companies had a total of 1.3 billion records stolen. If you figure there are approximately 330 million citizens of the United States and if every person in the US was affected they would have their personally identifiable information exposed to the Dark Web approximately 4 times.
While that may not seem like a lot, please consider that it would be nearly impossible for every US citizen to be breached. The US does not have a mandatory centralized identification system as the Indian government has. Then, of course, not all 330 million Americans were affected by these breaches due to lack of exposure to affected breached sites, age, and other factors. Let’s say that 150 million Americans were affected in some way - which would mean that about half of all US citizens were affected by the breaches of 2018. Let’s also assume that another 150 million citizens of other countries were affected by the breaches of 2018. That would calculate to 300 million total people affected by the breaches of 2018.
With a nice round number like 300 million people being affected one could assume there would be some duplicate records. With that being said, there are probably a lot of duplicate records. The total number of records duplicated per affected person I calculate at 4.333 records. This is admittedly a pretty arbitrary number, considering some people are more active than others on the web or at a particular retailer. Some people fly frequently, while others may not fly or stay in hotels at all. But this is an estimate to work with.
From the results of the 2018 breaches, it is fairly safe to say that a very large number of people globally had their PII stolen and many of those had the information stolen several times. Each time a little more and different information was stolen. Many people look at a cyber breach as a big, scary and mysterious thing. What they should be more concerned with is that their data is stolen multiple times, from different sources.
A lot of information stolen is static, like social security numbers and driver’s license numbers; however, much of it is not. You can change your credit card numbers, passport numbers, addresses, and phone numbers. You can even improve your health or change it in some way that would make the stolen data inaccurate.
Once you look at the statistics from the 2018 breaches and th
According to Investopedia, “cryptocurrency is a digital or virtual currency that uses cryptography for security.” In other words, it’s electric money that is designed to be used by online users both safely and securely. The price of digital currencies, like Bitcoin and Ripple, have been all over the place throughout the past year — mainly because it’s a volatile online market that has celebrities, bankers, and other online users all wanting a piece of the pie.
While there are a number of people who are skeptical about the impact cryptocurrency will have on our future, there’s no doubt that it has sent shockwaves through just about every industry in the world.
The one question, however, many users are asking is what does the future have in store for cryptocurrency? Since 2009, online currencies haven’t just shown promise; they’ve started being used for various applications as well. Nowadays, it’s hard to hold a financial conversation without discussing cryptocurrency. It’s also not uncommon to hear the subject being talked about on the news, talk show radio, and of course, social media. This just goes to tell you how far this subject has come in such a short amount of time.
So, what impact will cryptocurrency have on us in 2019? Even though it’s hard to predict how much cryptocurrency will change within the coming years, we do know some changes that users should be on the lookout for this year. So, let’s take a look.
Citizens who are born in underdeveloped countries like Ghana, Brazil, Honduras, Nigeria, and certain parts of China are all at a disadvantage because of financial reasons. Aside from jobs being scarce and hard to find, residents also have a difficult time finding a safe place to store their money. While most people would consider going to a bank, you have to remember that in underdeveloped countries, banks might not be that common.
Fortunately, cryptocurrency has the power to solve some of these issues, which helps improve economic growth in smaller countries. That’s because anyone with internet access can open an account and create a cryptocurrency wallet, which provides users with the opportunity to store and transfer values safely and securely.
With cryptocurrency services becoming more popular, millions of unbanked people in other countries across the globe can finally have access to banking services. Furthermore, these platforms can be accessed through mobile apps, and handheld devices, making telecommunication in the financial world that much easier.
Giving Power Back to the People
The arrival of cryptocurrency has had a major impact in our world today by creating a shift in power; it takes the power out of economic and political leaders’ hands and puts it in the grasp of everyday citizens. The public’s trust in banks and other financial institutions has always been in question. With economic crisis’s going on throughout the world, trust in banking institutions and government leaders is something that continues to be talked about today as these leaders start to lose more and more trust.
Luckily, digital currencies can help people all over
There has been much discussion of a “software bill of materials” (SBoM) lately, for use when addressing security vulnerabilities. Many are curious, wanting to learn more. Googling the term gives lots of positive descriptions. This post will go negative, describing problems with the concept.
Rather than cover the entire concept, I want focus on a narrow part of it, so I asked Kate Brew to write a short blurb why she’s interested in SBoMs. Her response was:
“I am an Industrial Engineer by training. So when I heard of the concept of software BoM I was intrigued. Being able to quickly see all the components, open source or not, incorporated into an application appears like a valuable way to determine needed actions in the case of vulnerabilities found in a component. It seems efficient and helpful to me to have a clear view of components in an application.”
Software is never built wholly from scratch these days. Instead, software is built combining components, development frameworks, libraries, operating system features, and so on. It has a “bill of materials” describing the bits that make it up every much as hardware does.
When vulnerabilities happen, knowing this information can help. Good examples are the high profile Apache Struts bugs, where customers don’t know they are vulnerable because they are unaware that products they own include Struts. If only product vendors provided a list of sub-components, then customers would quickly know if they are vulnerable, and be able to act accordingly.
Some claim this sort of thing already exists in narrow industries, like medical and energy. They are pushing the concept for use everywhere because it’s already being used successfully somewhere.
This is a great story, but it isn’t true.
Software Bill of Materials Is a Misguided Concept for DevSecOps
Proponents are being deliberately vague defining exactly what should be in included in a software BoM. For hardware BoMs, you don’t list the ingredients of the circuit board, where you sourced the silica for glass fibers, or the recipe of the epoxy that binds them together. Hardware BoMs aren’t that granular because it’s not necessary. They include an indented list of components and sub-components. Hardware is basic. But when tracking software vulnerabilities, such granularity is important: you need to track every line of source code.
There are four levels of details for SBoMs:
Most of the discussion about SBoMs is roughly at the license level. The makers of software already track this, even when they don’t disclose it to customers. Commercial products track this for legal reasons, for compliance with legal contracts they have with suppliers. Open-source products track this for practical reasons, since you often have to hunt down install the dependencies yourself in order to make open-source work -- importing open-source implicitly means importing the license.
You see the artifacts of this everywhere. My parents just bought a new Subaru, which like most new cars contains a small screen for the maps and backup camera. On one of the pages on the screen I find something that lists a number of embedded components. Displaying this information is often a requirement of the license.
Software Bills of Materials Aren’t That Great for Tracking Vulnerabilities
SBoMs aren’t as useful as you’d think for tracking vulnerabilities, because it’s not granular enough. Take Linux, for example. The entire thing is licensed under the GPL. This hides the complexity that the kernel is around 20 million lines of code, and the GNU userland components are millions more. An SBoM saying this IoT product uses “Linux” hides a lot of the complexity of what may or may not exist in the product.