What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
AlienVault.webp 2018-07-24 13:00:00 The Security Compliance Tweet Chat - What We Learned (direct link) In our most recent Tweet Chat, we had Ben Rothke join us as our special guest, and the topic for discussion was compliance. If there ever was a topic that gets security professionals riled up, I think it would be compliance. There were many questions asked and answered; you can find most of the discussion by searching for the hashtag #AlienChat on Twitter. But for the purposes of this roundup, here are the top things I learned. The Value of Compliance What value does compliance bring? While there wasn’t overwhelming enthusiasm in support of the value of compliance, people were also not outright dismissive of it. Instead, we found a healthy level of cynicism amongst security professionals, with a recognition that compliance has its place - as long as it’s accompanied by some caveats. Completely agree. Compliance should be part of a baseline. Baseline should be a step towards a higher goal, not the goal itself. Too many orgs seem to think compliance is the end of the road, not just part of the journey. — Coyne-Op (@C0yn3_0p) July 19, 2018 A1: It can bring value when done in larger context of good information security controls. For many compliance people, picture day is once a year. Information security people want it to be #infosec picture day every day. That’s difference between security & compliance. #AlienChat — Ben Rothke (@benrothke) July 19, 2018 It sets a minimum baseline. Maybe not helpful if you're meeting the same minimum year over year, which might foster complacency, but helpful if your sec program is new. #AlienChat — Nick (@NickInfoSec) July 19, 2018 Compliance brings value, however that value is more closely related to enterprise risk than information security, per se. My approach is to develop a program based on the needs to address the security risk, but to ensure that the program also complies with any relevant regs. — Rot26 (@rotate26chars) July 19, 2018 Some frameworks are mandatory, some are voluntary. I'd like to hear why a company chooses a certain standard before judging. :) Guideline
AlienVault.webp 2018-07-20 13:00:00 Things I Hearted this Week, 20th July 2018 (direct link) INFOSEC RECRUITING - IS THE INDUSTRY CREATING ITS OWN DROUGHT We've all been blasted with many a report that infosec has a massive skills gap. But what if the problem doesn't lie with the lack of skilled professionals, but with the hiring process itself? Thomas Fischer makes a compelling argument, using some of his recent personal experiences from both sides of the hiring process. InfoSec Recruiting – Is the Industry Creating its own Drought? | Liquid Matrix GDPR Did you think that discussions around GDPR were over? You thought wrong. Want to avoid GDPR fines? Adjust your IT Procurement methods | HelpNetSecurity SEXTORTION SCAMS A clever new twist on an extortion email scam includes a password the recipient previously used at a hacked website, to lend credence to claims that the sender has hacked the recipient's computer / webcam and recorded embarrassing videos. Sextortion Scam Uses Recipient’s Hacked Passwords | Krebs on Security TESLA Elon Musk continues to make the headlines, sometimes for the right, and other times for the wrong reasons. But it's worth taking a look at the company's security. While there was the infamous email a few weeks back where Musk pointed the finger of blame at a rogue employee, it's not the first case of cybersecurity gone wrong at the company. Tesla sued an oil-industry executive for impersonating Musk in an email. The trickster's goal was to undermine Tesla's energy-efficient transportation. Here’s why Tesla has been sabotaged twice in two years — lax network security | Last Watchdog Tesla APT 1
AlienVault.webp 2018-07-18 13:00:00 ZombieBoy (direct link) This is a guest post by independent security researcher James Quinn. Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “MassMiner” discovered in early May. I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first DLL. ZombieBoy, like MassMiner, is a cryptomining worm that uses some exploits to spread. However, unlike MassMiner, ZombieBoy uses WinEggDrop instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I’ve been obtaining new samples almost daily. An overview of ZombieBoy’s execution is below: Domains ZombieBoy uses several servers running HFS (HTTP File Server) in order to acquire payloads. The URLs that I have identified are below: ca[dot]posthash[dot]org:443/ sm[dot]posthash[dot]org:443/ sm[dot]hashnice[dot]org:443/ In addition, it appears to have a C2 server at dns[dot]posthash[dot]org. Exploits ZombieBoy makes use of several exploits during execution: CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003 CVE-2017-0143, SMB exploit CVE-2017-0146, SMB exploit Installation ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to install the two exploits is called ZombieBoyTools and appears to be of Chinese origin. It uses Simplified Chinese as its language, and has been used to deploy a number of Chinese malware families (such as the IRONTIGER APT version of Gh0stRAT). ZombieBoyTools screenshot Once the DoublePulsar exploit is successfully executed, it loads and executes the first DLL of the malware. This downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to “C:\%WindowsDirectory%\sys.exe”, and then executes it. Setup 123.exe does several things on execution. First, it downloads the module [1] from its file distribution servers. According to code analysis of 123.exe, it refers to this module as “64.exe”, but saves it to the victim as “boy.exe”. After saving the module, it executes it. 64.exe appears to be in charge of distributing ZombieBoy as well as holding the XMRig miner. In addition to downloading a module from its servers, 123.exe also drops and executes two modules. The first module is referred to in the code as “74.exe”. This is saved as “C:\Program Files(x86)\svchost.exe”. This appears to be a form of the age-old Gh0stRAT. The second module is referred to in the code as “84.exe”. This is saved as “C:\Program Files(x86)\StormII\mssta.exe” and appears to be a RAT of unknown origin. 64.exe 64.exe is the first module downloaded by ZombieBoy. 64.exe uses some anti-analysis techniques that are quite formidable. First, the entire executable is encrypted with the packer Themida, making reverse-engineering difficult. Also, in c
AlienVault.webp 2018-07-17 13:00:00 Threats, Politics, and Cryptocurrency-Mining - Infosecurity Europe 2018 Survey Results (direct link) Javvad Malik and the rest of the AlienVault team surveyed 928 participants at Infosecurity Europe 2018 on this topic. Read the full report from Javvad here! Key Findings Looking forward, cloud security threats are the most concerning external threat. Internally, phishing (55%) and ransomware (45%) lead the pack of worries for security departments. 92 percent would rather pay a subscription fee, allow ads, or leave a website altogether than allow a website to mine cryptocurrency. 56 percent believe cybersecurity has become a political pawn. The report has lots of graphs with detailed results. For example, it is striking how pronounced awareness of cloud security threats has become. Ransomware Guideline
AlienVault.webp 2018-07-13 13:00:00 Things I Hearted this Week, 13th July 2018 (direct link) AT&T To Acquire AlienVault I've covered and speculated, and even advised on security M&A over the years, but it's the first time I've been working in a technology company that has been acquired. It's exciting times, and I'm glad to be part of the journey. AT&T to Acquire AlienVault | AlienVault In other M&A news, Mimecast announced it acquired Ataata Inc - a cybersecurity training and awareness provider. Bomgar acquired Avecto to augment its identity and access management capabilities. And the biggie: Broadcom agreed to buy CA Technologies for $19 billion (yes, with a B). Cybersecurity - Why You're Doing It All Wrong A thought-provoking opinion piece by Ed Tucker on why a lot of security controls in companies don't work. There are some broad generalisations - but it's worth it. "For too long, security teams have lived the lie that what they have delivered has been effective, but so often they approach it from a viewpoint divorced from the customers they affect. To be fair to most security teams, they are generally blissfully unaware of the inefficiencies of their controls – or ignorant." Cybersecurity - why you're doing it all wrong | Computer Weekly Timehop Shows How Incident Response Is Done On July 4th Timehop announced a breach. A breach itself isn't really big news these days - often it's just the cost of doing business online. However, the response from Timehop has been nothing short of stellar! It has published perhaps one of the most detailed updates on the incident I've ever seen - one that includes internal breach notifications. They've also provided a technical timeline and even broken down the total number of records and which of them are under GDPR. The company may have shown us all how seriously they take security, not in the fact that they got breached, but in the manner in which they have responded. Seriously, I think every company should look at their internal processes and ask, if they were breached today, could they produce something similar within a week? Timehop security incident | Timehop Timehop incident technical report | Timehop Facebook Fined £500K from UK Data Watchdog These were some of the findings of the UK's Information Commissioner's Office – the nation's privacy watchdog – which this morning issued a s
AlienVault.webp 2018-07-12 13:00:00 Continuous Information Security Monitoring to Combat Continuous Threats (direct link) Continuous security monitoring -- a term you’ve heard time and time again. And, while you may be tired of hearing the term, the fact is that continuous monitoring is vital when it comes to mitigating risk, protecting critical assets, and meeting compliance demands. Unfortunately, continuous security monitoring has become more and more of a challenge given that today’s networks no longer have a defined perimeter, but rather ever-evolving and dissolving network boundaries due to the rise of cloud and mobile computing. This growing attack surface is a cyber-criminal’s dream and a network defender’s nightmare. The bad guys only need to find one weak spot, while you’re tasked with defending against all potential weak spots. That’s definitely not a fair playing field. So where do you start? Well, to state the obvious, you can’t monitor what you can’t see, so getting visibility into who and what is connecting to your network is the first step. Automated asset discovery is one of the most essential capabilities for a continuous security monitoring program. But it’s not just about knowing which assets are running on your network; you need to know what software and services are installed on them, how they’re configured, and whether there are any vulnerabilities or active threats being executed against them. Constant application updates and changes to application and system configurations can introduce vulnerabilities and leave you susceptible to an attack, even if you are keeping your security controls up to date. This brings us to step two in continuous security monitoring -- continuous vulnerability management. Let me take this opportunity to throw in a frightening stat. According to the National Vulnerability Database (NVD), more than 14,700 vulnerabilities were reported in 2017, double the number for 2016. Needless to say, vulnerability management is an ongoing process, and therefore by its very nature an essential part of any continuous security monitoring initiative. Continuous asset discovery and continuous vulnerability management go hand-in-hand. You can’t have one without the other when it comes to implementing a successful continuous security monitoring program. And, while you could leverage two separate tools to perform each of these tasks, why not make your life easier with a single solution that combines these capabilities? Even better, why not leverage a solution that combines all the essential capabilities for continuous security monitoring? AlienVault® Unified Security Management® (USM) gives you the upper hand in detecting and remediating the vulnerabilities in your environment before attackers exploit them. It does so by delivering automated asset discovery and vulnerability scanning as part of a unified platform that also includes intrusion detection, behavioral monitoring, SIEM event correlation, log management, and, very importantly, continuously updated threat intelligence. With AlienVault USM, you get crucial real-time visibility into the assets on your network, which ones are vulnerable, and where each asset is actually exposed to threats – allowing you to focus on the most important issues first. You'll be able to quickly answer critical and time-sensitive questions, such as: What devices are on my physical and virtual networks? What instances are running in my cloud environments? What vulnerabilities exist on the assets in my cloud and network? Are there known attackers trying to interact with my cloud and network assets? Are there active threats on my cloud and network assets? Vulnerability Threat
AlienVault.webp 2018-07-10 13:00:00 The Terms and Conditions of Internet Privacy for a GenZ Student (direct link) We’ve all seen it before: the pop-ups of necessary security updates, the horror stories of leaked celebrity pictures by hackers and the infamously long document of God-knows-what followed by “I agree to the following terms and conditions”. These are ever present in our rapidly progressing technological society and continue to characterise the interaction of society with technological information, especially for the younger generation. As a high school student and member of the early half of GenZ, I wasn’t raised under the protective barrier of informational isolation formed by the limited technological advances of the generations that preceded me. My grade has had the unique ability to watch technology morph before our eyes. Elementary school was a time of computer typing class, projectors and the slow encroachment of Smart Boards as the years progressed. It seems like every year of middle school I had a different policy regarding phone usage, and school districts seemed to be playing catch-up to a wave of pop and technological culture flooding students. As I progressed through high school, faculty encouraged phone usage in the classroom for research and used our ability to access a mass amount of information quickly as an advantage. Every year of my education I watched the transformation of technology from flip phones and overhead projectors in elementary school to smartphones and smartboards in high school. What my computer class in elementary school and my subsequent technology education have failed to teach me are answers to the questions “what is privacy in a world of constant connection?” and “how do we protect ourselves and stay connected?”. What is privacy in a world of constant connections? To answer this we first need to define privacy, a notoriously ambiguous object of contestation. The reason privacy is difficult to define lies in part in its subjective nature. Defining privacy relies heavily on personal preferences and values, among other individualistic factors. What is private and not private leaves the debate over cyber security in murky waters. This, coupled with government, private and corporate fascination with the inner workings of individuals' minds and the ever-expanding ways information can be stored and shared, has often left privacy as an afterthought. A glance at the informational open philosophy of GenZ further explains the encroachment of commercial information use on the once dormant cybersphere, specifically in regard to social media. I was four years old when Facebook began and, though it took a couple of years to develop into the Facebook we all know and love (or not) today, it has undeniably shaped the technological world as well as my generation's perception of privacy. “Friends” now meant both the close group of people we connect to on a personal level and the dozens, hundreds, thousands of people we barely know. The contradictory dual definitions symbolize the pull of society to familiarize technological situations that had never existed before. Our generation was the guinea pig that tested the effects of being raised in a world of rapidly expanding connection and, as a result, optional privacy on the grand scale. The push to familiarize social media leads to challenges in differentiating meaningful relationships from frivolous online “relationships”. We had to learn the difference between the girl we’ve known since first grade and sunshinegirl56, especially in regard to information sharing. But in the naive minds of children, dangers can be overlooked and private information can quickly become unprivate. While we were taught not to talk to strangers online, the familiarity of the option to talk to strangers online and the preval Guideline
AlienVault.webp 2018-07-09 13:00:00 15 Ways to Deal with Badly Written Risks (direct link) Every so often, a report gets presented which looks like it was written by the work experience student that was employed by the intern. So what’s the best way to respond? I went on Twitter to ask the opinion of folk who have to deal with this kind of thing on a regular basis, and distilled their wisdom into 15 tips. Other honourable mentions go to: @J4vv4D in that case, this is the only response... https://t.co/AseiwFjZbt — Mo Amin (@infosecmo) December 6, 2016 @J4vv4D At 1mn05 into this video: https://t.co/GxlOaoxoZu — Luushanah (@luushanah) December 6, 2016 @J4vv4D Cannot accept this finding. Please provide more information and evidence. If they explain it better, yay, if they can't we're done — B Miller (@Securithid) December 6, 2016 @J4vv4D ask "what's the risk" — EoinKeary (@EoinKeary) December 6, 2016 @J4vv4D dear auditor this is my implementation plan: # rm -rf /audit , hope you understand my point — Juanes (@hcjuan04) December 6, 2016 @J4vv4D how about sending them this video https://t.co/8YSFKPCjoh — BrianHonan (@BrianHonan) December 6, 2016
AlienVault.webp 2018-07-06 13:00:00 Things I Hearted this Week, 6th July 2018 (direct link) Here's an idea. Have convicts in prison manually mine cryptocurrencies. Call it the blockchain gang! Thank you very much, I'll be here all week. Now on to the serious stuff. 10 THINGS TO KNOW BEFORE GETTING INTO CYBERSECURITY You may know Kevin Beaumont as @GossiTheDog on Twitter. He won the 2018 EU blogger awards for best tweeter. But apparently he's a man of more talents than just twits; he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity. 10 things to know before getting into cyber security | Double Pulsar Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based). Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog HACKERS WILL GET HACKED Of course we trust the Government to maintain backdoors and hacking tools... they're the Government. I, for one, am shocked that gambling takes place in this casino. From Cellebrite, to Shadow Brokers, to the CIA dump, so many recent data breaches have shown there is a real risk of exposure of government hacking tools. Your Government's Hacking Tools Are Not Safe | Motherboard In related news, NSO sells its potent iPhone malware to governments, including Mexico and the United Arab Emirates. But according to a newly released indictment, a disgruntled employee stole the company's code and tried to sell it for $50 million worth of cryptocurrency. NSO Group Employee Allegedly Stole Company’s Powerful Spyware for Personal Profit | Motherboard IT IS COMING HOME While the tide of outsourcing seems to be on the rise, does BP represent an undercurrent of some companies wanting to get their arms around exactly what they have, why they have it, and who manages it? BP is looking to bring the majority of its IT back in-house as part of a wider modernisation programme across the entire energy group, which comprises a massive 74,000 employees. Speaking at the London leg of AppDynamics' World Tour, Andy Sturrock, head of modernise IT transformation at BP, admitted that the energy company had been too reliant on outsourcing in the past. “We looked at ourselves and realised that we had become an IT organisation which didn’t really do IT, we facilitated other companies doing IT to us," he said. "So we wanted to get back to us being an IT organisation and developing our own capability again." BP removes reliance on third-party providers by bringing IT in-house | Channel Asia DECENTRALISING THE INTERNET No, this isn't a story plot out of the show Silicon Valley - Fixing the internet can look like mission impossible, even in the West. A Jeffersonian reform in the form of Web 3.0 appears a long way off, and its regulatory equivalent, a vigorous antitrust policy, does not look much more promising. Online, humanity seems bound to sink ever deeper into a Hamiltonian hole. But such an outcome is not inevitable. Malware Hack Threat Guideline
AlienVault.webp 2018-07-05 13:00:00 Simplify Compliance Reporting with AlienVault USM Anywhere (direct link) USM Anywhere delivers a comprehensive library of predefined compliance report templates for PCI DSS, HIPAA, NIST CSF, and ISO 27001, so you can accelerate your security and compliance programs and be audit-ready faster. It also includes 50+ predefined event reports by data source and data source type, helping to make your daily monitoring and reporting activities more efficient. In addition to predefined reports, USM Anywhere gives you powerful security investigation capabilities at your fingertips. Its intuitive and flexible interface allows you to quickly search and analyze your security data, plus you can create and save custom views and export them as executive-ready reports. Because USM Anywhere gives you centralized visibility of all your cloud and on-premises assets, vulnerabilities, threats, and log data from your firewalls and other security tools, you have the most complete and contextual data set at your disposal. This blog describes the predefined compliance reports available in USM Anywhere. It also describes the search and analytics capabilities in USM Anywhere that empower you to quickly produce your own custom reports. Predefined Compliance Reports To meet regulatory compliance requirements like PCI DSS and HIPAA, and to ensure that you continuously meet those requirements, you must demonstrate that you regularly monitor your environments. This demands rigorous reporting to gain insight into your assets, vulnerabilities, and potential threats, which can be extremely time-consuming if executed manually. USM Anywhere delivers the following set of predefined compliance reports that map directly to common regulatory compliance requirements and frameworks, so you can quickly and easily provide evidence of compliance during your next audit. In addition, you can easily customize any of the predefined compliance reports in USM Anywhere, adding dynamic graphs and charts to create a professional, executive-ready report. PCI DSS Reporting In USM Anywhere, once you define the PCI Asset Group—the servers, applications, and storage entities across your environment that are considered in scope of a PCI DSS cardholder data environment (CDE)—you can readily view, export, and customize the following predefined reports. HIPAA - Healthcare Compliance Reporting For healthcare providers, HIPAA is a key concern. In USM Anywhere, once you define your HIPAA Asset Group—the part of your environment that touches protected health information (PHI) data—you can readily view, export, and customize the following predefined reports. NIST Cybersecurity Framework (CSF) Compliance Reporting USM Anywhere allows you to quickly and easily report the status of controls across the NIST CSF functions of Identify, Protect, Detect, and Respond. The following predefined NIST CSF reports are available out of the box with USM Anywhere. ISO 27001 Compliance Reporting Out of the box, USM Anywhere includes pre-built compliance reporting templates that map to multiple ISO 27001 requirements, making it fast and simple to review the state of your deployed technical controls and help satisfy requests during an au
AlienVault.webp 2018-07-03 13:00:00 Cloud Based Security (direct link) Benedict Evans stated that the best is often the last. He elaborates by saying, "The development of technologies tends to follow an S-Curve: they improve slowly, then quickly, and then slowly again. And at that last stage, they're really, really good. Everything has been optimised and worked out and understood, and they're fast, cheap and reliable." And while his original post was two years ago, which in technology terms can be a lifetime, it holds true today. It's worth taking a look at IT security under the same lens. Cynical commentators may state that IT security has never been good - but that isn't true in all cases. In fact, many traditional technologies have become so good and commoditised that they have become all but invisible to the end user. But perhaps what is changing more than the security technologies themselves is the delivery mechanism. As companies have embraced the cloud, so have many providers, and security is no different. That's not to say that security appliances don't have their place in enterprises; it's just that they've probably gotten as good as they can get, so it's time to adapt to the new reality. Innovation or following the trend? Willie Sutton famously said that he robbed banks because that's where the money is. Or, as Walter Gretzky famously said, "I don't go to where the ball is, but where it is going to be." So are security providers moving to deliver security from the cloud because that's where everyone appears to be heading? Either way, there are benefits to both consumers and providers of cloud-based security technology. Benefits to companies As companies continue to embrace cloud technologies, it makes sense to have cloud-based security that can provide capabilities across both cloud and on-premise technologies. Some of the prominent benefits include: 1. Cost to deploy With cloud-based offerings, there is no capital expenditure outlay. Users can simply select the type of license and only pay for what they need, saving the time and resources needed to deploy the offering. 2. Continuous updates and patches One of the biggest advantages of cloud-based security software is the fact that it is continuously updated and patched by the provider, relieving the burden of maintenance from the user and allowing them to focus on the business issues that matter the most. 3. Integration and scalability Cloud services, by their very nature, are designed to be scalable, so they can keep up with the flexible demands of a business as needed. They also provide a stable platform through which integrations with other cloud-based providers can be attained, allowing users to derive increased value from their purchases. Benefits to providers But the benefits of cloud-based security don't end with the customers - rather, there are many benefits to the provider too. 1. Income predictability and stability With a subscription model, it becomes easier for companies to more accurately predict income. The economies of scale also work better, as the fixed costs of deploying from the cloud typically rise much more slowly as more customers are acquired. 2. Expansion Cloud-based companies find it easier to expand into new territories. Without having to ship appliances, the business model bec
AlienVault.webp 2018-06-29 13:00:00 Things I Hearted this Week – 29th June 2018 (direct link) It's been an absolutely lovely warm week in London. The sun has been shining, allergies have been high, and kids have been missing out on all the wonders because they're too busy being indoors staring at a mobile device or tablet. Things were very different back in my day... and just like that, I've turned into my Dad! Have I Been Pwned - The Saga Continues I like to think of myself as a bit of a hipster because I was following Troy Hunt before he was widely recognised as being cool. I remember reading his posts on the OWASP Top 10 for .NET developers and thinking to myself that this guy really knows his stuff. Which is why I was optimistic when Troy launched Have I Been Pwned - but I don't think I foresaw how big the project would become, and now it is being integrated into Firefox and 1Password. Not bad going for the blogger from down under. We're Baking Have I Been Pwned into Firefox and 1Password | Troy Hunt Defining Hacker In 2018 If you do a Google Image Search against the word hacker, you’ll get images of scary-looking balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They’re up to no good… Stealing your data, crashing critical systems, or causing general Internet badness. In reality, the word “hacker” applies to a much broader group of people, one that extends well beyond cybersecurity. Merriam-Webster defines a “hacker” as “an expert at programming and solving problems with a computer”. Defining "Hacker" in 2018 | BugCrowd Lessons From nPetya One Year Later This is the one-year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons. An example is this quote in a recent article: "One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen. But this is wrong, at least in the case of NotPetya. Lessons from nPetya one year later | Errata Security German Researchers Defeat Printers' Doc-Tracking Dots Beating the unique identifiers that printers can add to documents for security purposes is possible: you just need to add extra dots beyond those that security tools already add. The trick is knowing where to add them. Many printers can add extra dots to help identify which device printed a document, as it's handy to know that when they fall into the wrong hands. The FedEx NotPetya Wannacry
AlienVault.webp 2018-06-26 13:00:00 SMBs: 3 Signs It's Finally Time to Replace Your AntiVirus (direct link) Antivirus has been a foundational element of protecting endpoints at small and medium-sized businesses for going on three decades. During that time, the threat landscape has changed dramatically. Thanks to the proliferation and commodification of sophisticated hacking tools, SMBs are now seeing the types of attacks formerly leveled almost exclusively at governments and large enterprises. These new attacks — and the inability of antivirus to block them — have eroded organizations’ trust in their existing solutions. According to a recent survey conducted by the Ponemon Institute, less than a third believe their antivirus can stop the threats they are seeing. As a result, organizations are exploring their options. One third of respondents to the Ponemon survey reported they had replaced their antivirus with a competitor’s offering or a next-generation endpoint protection solution in the past 12 months. 50 percent confirmed they had kept their antivirus but supplemented it with additional solutions designed to provide better protection and/or detection and response capabilities. While maintaining legacy antivirus alongside new protection may work for larger companies that have the budget and staff to take on and manage multiple solutions, it may not always be an effective option for small or medium-sized businesses. How do you know when it is finally time to cut your legacy antivirus loose? Here are three key signs to consider: 1) There are attacks your antivirus is not blocking At its core, antivirus has one job to do: keep endpoints from being infected or compromised. Unfortunately, its primary method of doing that job — scanning static files to determine if they are potentially malicious — is extremely narrow and limited considering the variety of attack techniques we’re seeing today. As Gartner points out, “Endpoint protection platforms that rely solely on signature-based malware detection are not completely effective when it comes to repacked or new malware until new signatures are distributed.... Organizations...are essentially unprotected until all their endpoints are updated with the latest signature.” Even next-generation antivirus solutions that supplement signature matching with machine learning are still limited to scanning, analyzing, and quarantining static files written to disk. Many of today’s attacks have evolved to exploit that limitation, adopting fileless delivery techniques instead. These are no longer theoretical threats. According to Ponemon, 77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques. The inability to block today’s evasive and fileless threats is one of the top reasons organizations cite for replacing their antivirus. 2) Your antivirus is slowing you down When antivirus isn’t doing its job, that’s bad enough, but it can often make it harder for admins and users to do their jobs, too. Constant updates and file scanning are notorious antivirus pain points. In fact, when Barkly asked IT and security pros what their challenges with their current endpoint protection were, “slows down user machines” was t Malware Threat
AlienVault.webp 2018-06-25 13:00:00 Safety Measures for Protecting Your Business from Cyber Attacks (lien direct) Businesses of all sizes are now targets for cyber criminals. Per the Verizon 2018 DBIR, 58% of data breach victims are small businesses. Furthermore, it is shocking to see that 60% of small businesses shut down within 6 months of an attack, according to the National Cyber Security Alliance. So, what makes these small enterprises prone to cyber-attacks? Probably a lack of resources due to limited budgets, and the mistaken belief that only large organizations are attacked by hackers. However, businesses of all sizes need to stay ahead of cyber attackers. I have come up with some useful preventive measures to protect your business from cyber-attacks. Take a look: Train Your Staff Your employees are your biggest asset, but at the same time they are your biggest security risk as well. So, your primary action should be to give security awareness education to your staff. This will help minimize cases of accidental or intentional data leakage. One important point to keep in mind is that training your staff is not a one-time task. Rather, it should be done periodically to ensure that your employees are kept up to date with the latest cyber threats, so that they act cautiously against security vulnerabilities and threats. Manage your Passwords Your passwords are the keys to your company’s confidential information. It is crucial to follow some basic rules of thumb when creating and managing passwords for your company: always change default passwords to unique passwords; do not reuse the same password across different accounts; store your passwords safely, using a password manager, and never write them on paper accessible to others; and follow the guidelines for making a strong password, using a combination of uppercase and lowercase letters, numbers, symbols, etc.
Keep your tech in good shape The OS and apps on company systems should be kept up-to-date, as that ensures the latest security patches are installed. Further, a firewall and antivirus need to be installed on each and every system. Ensure that both are active, up-to-date and configured with the right settings. Microsoft operating systems come with a default firewall, so you just need to activate it. However, it is strongly recommended to invest in reliable antivirus software for PCs. After all, buying antivirus is much cheaper than becoming a cyber-attack victim. Keep backups to limit the loss With the rising number of ransomware attacks, the importance of having data backups has come into the picture. It is better to keep a copy of your data than to take the risk of paying a ransom to hackers. A company can get back to running normally after an attack if a data backup is available. Make sure you run periodic backups of your company’s data, as that lets you restore from a recent point. Backups should always be kept on a separate system, so that an attacker who compromises the production machines cannot also encrypt or delete the backups. Get your Code tested Your website code and hosting are important aspects of the security of your company. Get your website fully tested for security flaws by your internal Information Security team, or hire one. Improper or outdated code can give hackers a way into your website and ultimately cause harm. Further, make sure the hosting facility for your website is from a reliable hosting company. Don’t forget to Ransomware Data Breach
AlienVault.webp 2018-06-22 14:41:00 Malicious Documents from Lazarus Group Targeting South Korea (lien direct) By Chris Doman, Fernando Martinez and Jaime Blasco We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea. This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others. Malicious Documents We looked at three similar malicious documents: 국제금융체제 실무그룹 회의결과.hwp ("Results of the international financial system working group meeting") - cf09201f02f2edb9c555942a2d6b01d4 금융안정 컨퍼런스 개최결과.hwp ("Financial Stability Conference held") -  69ad5bd4b881d6d1fdb7b19939903e0b 신재영 전산담당 경력.hwp (“[Name] Computer Experience”) - 06cfc6cda57fb5b67ee3eb0400dd5b97 The decoy document, mentioning the G20 International Financial Architecture Working Group Meeting The decoy document of a resume These are Hangul Word Processor (“HWP”) files - a South Korean document editor. The HWP files contain malicious postscript code to download either a 32 or 64 bit version of the next stage from: https://tpddata[.]com/skins/skin-8.thm - eb6275a24d047e3be05c2b4e5f50703d - 32 bit https://tpddata[.]com/skins/skin-6.thm - a6d1424e1c33ac7a95eb5b92b923c511 - 64 bit The malware is Manuscrypt (previously described by McAfee and Wannacry Bithumb APT 38
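The indicators the post lists (the MD5 hashes of the three HWP lures and the two Manuscrypt stages, the two stage-two URLs, and the fact that the lures carry PostScript) are enough for a first-pass sweep. The scanner below is an added example, not AlienVault's code: the indicator values are the ones quoted above, while the two sample files at the bottom are constructed stand-ins. Note the simplification flagged in the comment: a real HWP lure keeps its PostScript zlib-compressed inside an OLE container, so production tooling must extract and inflate the BinData streams before a byte search will find it.

```python
"""Sweep files for the indicators listed in the post: the MD5 hashes of the
three lure HWP files and the two Manuscrypt stages, the stage-two download
URLs, and PostScript embedded in an HWP file. Added example, not AlienVault's
code; the sample files at the bottom are constructed stand-ins."""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# MD5 indicators quoted in the post.
MD5_IOCS: Dict[str, str] = {
    "cf09201f02f2edb9c555942a2d6b01d4": "lure HWP (international financial system working group)",
    "69ad5bd4b881d6d1fdb7b19939903e0b": "lure HWP (financial stability conference)",
    "06cfc6cda57fb5b67ee3eb0400dd5b97": "lure HWP (resume)",
    "eb6275a24d047e3be05c2b4e5f50703d": "Manuscrypt stage two, 32-bit",
    "a6d1424e1c33ac7a95eb5b92b923c511": "Manuscrypt stage two, 64-bit",
}

# Stage-two download locations quoted in the post, kept defanged in source.
URL_IOCS = ("tpddata[.]com/skins/skin-8.thm", "tpddata[.]com/skins/skin-6.thm")


def refang(s: str) -> str:
    return s.replace("[.]", ".")


def defang(s: str) -> str:
    host, _, rest = s.partition("/")
    return host.replace(".", "[.]") + "/" + rest


URL_RE = re.compile(b"|".join(re.escape(refang(u)).encode() for u in URL_IOCS))
PS_MAGIC = b"%!PS"  # PostScript header; the HWP lures carry PostScript in BinData streams


def scan_bytes(name: str, data: bytes,
               hashes: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable findings for one file's contents."""
    hashes = MD5_IOCS if hashes is None else hashes
    findings: List[str] = []
    digest = hashlib.md5(data).hexdigest()
    if digest in hashes:
        findings.append(f"{name}: MD5 {digest} matches known sample ({hashes[digest]})")
    for m in URL_RE.finditer(data):
        findings.append(f"{name}: references stage-two URL {defang(m.group().decode())}")
    # Simplification: a real HWP lure keeps its PostScript zlib-compressed inside
    # an OLE container, so production tooling must extract and inflate the
    # BinData streams first; here we look at the raw bytes only.
    if name.lower().endswith(".hwp") and PS_MAGIC in data:
        findings.append(f"{name}: HWP file carries embedded PostScript")
    return findings


def scan_paths(paths: Iterable[Path]) -> List[str]:
    """Scan files on disk; returns the concatenated findings."""
    findings: List[str] = []
    for p in paths:
        findings.extend(scan_bytes(str(p), p.read_bytes()))
    return findings


# Constructed stand-ins (not the real samples): one suspicious HWP, one benign file.
SAMPLES: Dict[str, bytes] = {
    "report.hwp": (b"HWP Document File V5.00\n"
                   + b"%!PS-Adobe-2.0\n/url (https://tpddata.com/skins/skin-8.thm) def\n"),
    "notes.txt": b"meeting minutes, nothing embedded\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        for line in scan_bytes(fname, blob) or [f"{fname}: clean"]:
            print(line)
```

Hash matching only catches the exact samples; the URL and PostScript checks are what carry over to the next recompiled variant, which is why they are worth keeping even after the hashes stop matching.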
AlienVault.webp 2018-06-22 13:00:00 Things I Hearted this Week, 22nd June 2018 (lien direct) The Tesla Insider Elon Musk sent out an email stating an employee had stabbed the company in the back like Brutus, changing production code, and leaking inside information. I'll admit that like many people who have talked about or written about insider threats in the past, I instinctively punched the air and yelled, "YES! I warned you but you didn't listen." The incident is also notable for the impact it had on the company's  share price which dropped more than 6% in trading. "I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations, this included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties." Insider threats defined | AlienVault Tesla hit by insider saboteur who changed code, exfiltrated data | SC Magazine Tesla sinks after Elon Musk says an employee conducted 'sabotage' and Trump ramps up fears of a trade war (TSLA) | Business Insider Can't Fix Won't Fix, Don't Fix Organisations cannot afford to view penetration testing as a tick box exercise. How should they mitigate the fact some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed? Can’t fix, won’t fix, don’t fix: Is it time for businesses to rethink how they action pen test results?| IT Pro Portal On the topic of pen tests, check out Adrian Sanabria's presentation slides from RSA earlier this year on killing the pen test. It's time to kill the pen test (PDF) | RSAconference To add balance, and to convince you pen testers out there that I'm not a bad person who hates all pen testers, here's an awesome collection of penetration testing resources that include tools, online resources, books, courses, conferences, magazine... 
Awesome Penetration Testing | Kinimiwar, GitHub A Case Study In Bad Disclosure Imagine you're a researcher and have found a vulnerability, you then disclose it responsibly to a vendor, then that vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend like you didn't exist. Akin to Tom Cruise getting disavowed in every single Mission Impossible movie. Then imagine that vendor submitted the vulnerability details to Google and received a bug bounty award to the tune of $5,000. Then to top it off, they sat back in a massive reclining chair, threw their head back and laughed as they donated the full $5,000 to a good cause. Hack Vulnerability Guideline Bithumb Tesla Tesla
AlienVault.webp 2018-05-01 16:02:00 MassMiner Malware Targeting Web Servers (lien direct) Written in collaboration with Fernando Martinez One of the biggest malware trends of 2018 has been the increasing variety of crypto-currency mining malware targeting servers. One family of mining malware, which we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through a number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us how many different exploits and hacking tools it leverages in a single executable. MassMiner spreads first within the local network, before attempting to propagate across the wider internet: There are a number of different versions of MassMiner, and honeypot data indicates they are continuing to spread: An infected MassMiner machine attempting to spread, using an exploit for Apache Struts This one site records infection attempts to their honeypots, most likely from infected systems, in the following countries: It’s likely these numbers represent just a minority of the infected systems. Reconnaissance MassMiner includes a fork of MassScan, a tool that can scan the internet in under 6 minutes. The MassScan fork is passed a list of IP ranges to scan during execution, which includes private and public IP ranges. Exploitation MassMiner then proceeds to run exploits against vulnerable systems, including:
AlienVault.webp 2018-05-01 13:00:00 AlienVault Monthly Product Roundup April 2018 (lien direct) We are continuously making improvements and rolling out new features to USM Anywhere to help your team to be more effective at detecting and responding to threats. You can keep up with USM Anywhere releases by reading our release notes in the AlienVault Product Forum. Here is a roundup of the highlights from our April 2018 releases: Go Threat Hunting with OTX Endpoint Threat Hunter™: Okay, so technically this one is not a USM Anywhere feature, but it is very cool (and free!) and worth the mention here. Earlier this month, we launched OTX Endpoint Threat Hunter™— a new free service in Open Threat Exchange® (OTX™) that allows anyone to hunt for malware and other threats on their endpoints using the indicators of compromise (IOCs) catalogued in OTX. It’s powerful, easy to use, and completely free. Introducing our not-so-secret Agent, man: OTX Endpoint Threat Hunter is powered by the AlienVault Agent—a lightweight and adaptable endpoint agent based on osquery. We plan to extend the use of the AlienVault Agent in USM Anywhere and have already begun to invite USM Anywhere users to request early access to the AlienVault Agent through the product, under the new Agents page. Participation in early access is limited. The AlienVault Agent provides deep visibility into your environment with File Integrity Monitoring and event forwarding on Windows and Linux endpoints. It is simple and fast to install and has a small footprint. With the AlienVault Agent, you can get to endpoint security insights quickly, without the cost and complexity of a standalone endpoint security solution. We’ll announce general availability later this year, so stay tuned! Leveling up our sensor security: In an effort to constantly improve our security hygiene (we already floss daily), this month, we added secure transport capabilities to USM Anywhere sensors. 
USM Anywhere now supports syslog over TCP (port 601) and secure transport through TLS (port 6514), so you can rest easier at night. Show me the data sources: When it comes to data collection for threat detection, the first and most important thing to know is whether your data sources are supported and how. To make it easier and faster to navigate data collection in USM Anywhere, we added a new Data Sources menu to the main navigation. This menu consolidates all the different ways USM Anywhere collects data from your environment: Sensors, Agents, and Integrations. The new Integrations page includes tabs for Plugins, Sensor Apps, and AlienApps, which now includes the Forensics and Response App. In addition, we streamlined the existing Settings menu, again making USM Anywhere simple and fast to use. New and improved data sources: Speaking of data sources, we regularly add support for new data sources and improve our methods of collection, parsing, and normalization for existing data sources. You can always find our full list of data sources, including AlienApps and plugins, here. If you don’t see a data source here that you want to support, fear not. AlienVault will build support for most commercially available products at no additional charge. You can submit a request
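Two transports are mentioned above, syslog over plain TCP on 601 and over TLS on 6514, and the difference that matters is not the port but whether the client verifies the sensor's certificate before it sends anything. The client below is an added example, not AlienVault code: SENSOR_HOST and CA_FILE are placeholders, and because the post does not describe the sensor's certificate, verification is configured the way any syslog-over-TLS client should be (CA pinned to the sensor's issuer, hostname checked, TLS 1.2 minimum). Both senders use octet-counting framing so the receiver never has to guess where one record ends.

```python
"""Ship events to a USM Anywhere sensor over the two transports the release
notes mention: plain TCP on 601 and TLS on 6514. Added example, not AlienVault
code. SENSOR_HOST and CA_FILE are placeholders."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Iterable, Optional

SENSOR_HOST = "usm-sensor.example.internal"   # assumed
CA_FILE = "/etc/ssl/certs/usm-sensor-ca.pem"  # assumed: CA that issued the sensor cert


def rfc5424(msg: str, host: str = "web01", app: str = "sshd",
            facility: int = 4, severity: int = 6) -> str:
    """Build an RFC 5424 record; PRI is facility*8+severity (4=auth, 6=info)."""
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    return f"<{facility * 8 + severity}>1 {ts} {host} {app} - - - {msg}"


def frame(record: str) -> bytes:
    """Octet-counting framing: '<len> <record>'. RFC 5425 requires it for
    syslog over TLS; RFC 6587 allows it for plain TCP. Without a length prefix
    the receiver can only split on newlines, which a message body can forge."""
    body = record.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def tls_context(ca_file: Optional[str] = CA_FILE) -> ssl.SSLContext:
    """Client context that refuses unverified peers. ca_file=None falls back to
    the system trust store (used by the self-test below)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # These are already the defaults of create_default_context; restated because
    # they are the point: a sensor presenting the wrong or an unsigned cert must
    # make the send fail rather than silently leak the log stream.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an unverified or misnamed sensor."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def send_plaintext(records: Iterable[str], host: str = SENSOR_HOST, port: int = 601) -> None:
    """Weak setting: events cross the network readable and unauthenticated."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(b"".join(frame(r) for r in records))


def send_tls(records: Iterable[str], host: str = SENSOR_HOST, port: int = 6514,
             ctx: Optional[ssl.SSLContext] = None) -> None:
    """Corrected setting: same framing, inside a verified TLS session."""
    ctx = ctx or tls_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"".join(frame(r) for r in records))


if __name__ == "__main__":
    # Constructed event. Sending needs a reachable sensor, so only framing runs here.
    print(frame(rfc5424("Accepted publickey for deploy from 10.0.0.5 port 51022")))
```

On a host that already runs rsyslog you would express the same thing with an omfwd action using the gtls stream driver (StreamDriverAuthMode="x509/name" with the sensor's name in StreamDriverPermittedPeers) rather than a hand-written client; the verification requirements are identical.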
AlienVault.webp 2018-04-30 13:00:00 Patching Frequency Best Practices (lien direct) A client asked the other day for guidance on best practices regarding how often they ought to patch their systems. My immediate thought was “continuously.” However, most small to mid-sized enterprises don’t have the resources for that. If you go to a source such as the Center for Internet Security they talk about patching as a critical security control and say you need a formalized program of patch management to “regularly update all apps, software, and operating systems.” But they don’t say much about how or how often this should be done. Patching Frequency Best Practices from DoD So, I hearkened back to the days when I was performing security audits for the Army. I probably did more than 500 of these on every type of system – from a small, rack-mounted tactical command & control server in the back of a Humvee to a 350,000-user wide area network in all 50 states. I started in the 1990s with the Department of Defense (DoD) Information Technology Security Certification & Accreditation Process (DITSCAP), and then moved to the DoD Information Assurance Certification and Accreditation Process (DIACAP), and finally the Risk Management Framework (RMF) that is in use today. Typically, whenever we assessed those Army systems, if they had any missing patches or antivirus updates for more than a week, we would fail them. But when I researched this recently, I couldn’t find an Army or DoD reference to support this timeframe. You would think the DoD would have a best practice in place for that! The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs), which are checklists for security hardening of information systems/software “that might otherwise be vulnerable to malicious computer attacks.” These outline security best practices for a variety of technologies – e.g., Windows OS, networking devices, database, Web, etc.
The STIGs serve as the reference guides for all of DoD and represent what I would call “high assurance” best practices. In fact, we used to joke that if you followed all of the STIG guidance, you would “brick” your system! There is, of course, always a tradeoff between system security and usability. There is also doctrine on security controls (including patching/updates) in various guides such as the NIST SP 800-53 control catalogue used under the Risk Management Framework and the DoD Cybersecurity Discipline Implementation Plan. Upon examining all of these, I found that they actually provide varying advice on patching/update frequency – based on the criticality of the system, the level of data being processed, or the criticality/impact of the patches to be implemented. The current objective for all patching in the DoD, according to the Cybersecurity Discipline Implementation Plan, dated February 2016, is: “All DoD information systems have current patches within 21 days of IAVA patch release.” In addition: “Systems with high risk security weaknesses that are over 120 days overdue will be removed from the network.” Note that an IAVA is an Information Management Vulnerabil
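The two quoted thresholds are easy to state and easy to lose track of across a fleet, so it is worth turning them into a check that runs against the patch inventory every day. The script below is an added example, not part of the post: the inventory is constructed, the IAVA identifiers are placeholders, and "overdue" is measured from the 21-day deadline rather than from the release date, an interpretation the plan's wording as quoted does not spell out.

```python
"""Apply the two thresholds quoted from the DoD Cybersecurity Discipline
Implementation Plan to a patch inventory: every missing patch is due within 21
days of IAVA release, and a high-risk weakness more than 120 days overdue gets
the system removed from the network. Added example, not from the post; the
inventory is constructed and 'overdue' is counted from the 21-day deadline
(an assumption)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

PATCH_WINDOW_DAYS = 21       # "current patches within 21 days of IAVA patch release"
REMOVAL_OVERDUE_DAYS = 120   # "high risk ... over 120 days overdue ... removed from the network"


@dataclass(frozen=True)
class MissingPatch:
    host: str
    iava: str          # tracking id; the values below are placeholders
    released: date     # IAVA release date
    high_risk: bool    # does the unpatched weakness count as high risk?


def days_overdue(p: MissingPatch, today: date) -> int:
    """Days past the 21-day deadline; negative while the window is still open."""
    return (today - p.released).days - PATCH_WINDOW_DAYS


def status(p: MissingPatch, today: date) -> str:
    overdue = days_overdue(p, today)
    if overdue <= 0:
        return "within-window"
    if p.high_risk and overdue > REMOVAL_OVERDUE_DAYS:
        return "remove-from-network"
    return "overdue"


def report(inventory: List[MissingPatch], today: date) -> Dict[str, List[Tuple[str, str, int]]]:
    """host -> [(iava, status, days_overdue)], most overdue first."""
    out: Dict[str, List[Tuple[str, str, int]]] = {}
    for p in inventory:
        out.setdefault(p.host, []).append((p.iava, status(p, today), days_overdue(p, today)))
    for rows in out.values():
        rows.sort(key=lambda r: r[2], reverse=True)
    return out


def hosts_to_remove(inventory: List[MissingPatch], today: date) -> List[str]:
    """Hosts that cross the 120-day line on a high-risk weakness."""
    return sorted({p.host for p in inventory if status(p, today) == "remove-from-network"})


# Constructed inventory, evaluated as of the post's date.
TODAY = date(2018, 4, 30)
INVENTORY = [
    MissingPatch("web01", "IAVA-A-0101", date(2018, 4, 20), high_risk=False),  # 10 days old
    MissingPatch("web01", "IAVA-A-0088", date(2018, 3, 1), high_risk=True),    # 60 days old
    MissingPatch("db02", "IAVA-A-0042", date(2017, 11, 1), high_risk=True),    # 180 days old
    MissingPatch("db02", "IAVA-A-0037", date(2017, 10, 1), high_risk=False),   # 211 days old
]

if __name__ == "__main__":
    for host, rows in report(INVENTORY, TODAY).items():
        for iava, st, over in rows:
            print(f"{host:6} {iava:12} {st:20} {over:+4d} days vs deadline")
    print("remove from network:", hosts_to_remove(INVENTORY, TODAY))
```

The point of separating days_overdue from status is that the first number is what you put on a dashboard and the second is what drives an action; a high-risk weakness at 119 days overdue reads exactly like one at 121 days, and only the rule, not the eye, tells them apart.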
AlienVault.webp 2018-04-27 13:00:00 Things I Hearted this Week, 27th April 2018 (lien direct) Master Keys F-Secure researchers have found that global hotel chains and hotels worldwide are using an electronic lock system that could be exploited by an attacker to gain access to any room in the facility. The design flaws discovered in the lock system’s software, which is known as Vision by VingCard and used to secure millions of hotel rooms worldwide, have prompted the world’s largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue. Researchers Find Way to Create Master Keys to Hotels | F-Secure A ONE-MINUTE ATTACK LET HACKERS SPOOF HOTEL MASTER KEYS | Wired SEC Fines Yahoo $35 Million The company formerly known as Yahoo is paying a $35 million fine to resolve federal regulators’ charges that the online pioneer deceived investors by failing to disclose one of the biggest data breaches in internet history. The Securities and Exchange Commission announced the action Tuesday against the company, which is now called Altaba after its email and other digital services were sold to Verizon Communications for $4.48 billion last year. Yahoo, which is no longer publicly traded, neither admitted nor denied the allegations but did agree to refrain from further violations of securities laws. SEC Fines Yahoo $35 Million for Data Breach That Affected 500 Million Users | Bleeping Computer Company Formerly Known As Yahoo Pays $35M Fine Over 2014 Hack | CBS SF SOCs require automation to avoid analyst fatigue for emerging threats SecOps needs an immediate shift across industries. Some SecOps teams develop playbooks for an additional layer of training, but when security events occur, it is uncommon to follow every step a playbook describes. The data becomes overwhelming and the resulting alert fatigue leads to analysts overlooking threats entirely, leading to an increase in emerging threats. 
SOCs require automation to avoid analyst fatigue for emerging threats | HelpNetSecurity On the topic of incident response, I enjoyed this piece by Steve Ragan, Two incident response phases most organizations get wrong | CSO Online Also related: How to Build a Cybersecurity Incident Response Plan | Dark Reading The Seven Circles of Security An insightful post from a CISO highlighting where most of their time is spent. Number six will shock you! Well, it probably won’t, but a little clickbait never hurt, did it? The Seven Circles of Security: Where This CISO Spends Her Time | Guideline Yahoo
AlienVault.webp 2018-04-26 13:00:00 Financial Fraud: What Can You Do About It? (lien direct) Financial fraud used to be simple. Erase the ink from a check, make it out for more money, and laugh as you withdrew money. Nowadays, it requires a bit more finesse but is still simple in concept. Thankfully, it’s also fairly easy to protect yourself or your company from financial fraud in a highly digitized world. In 2017, massive data breaches, ransomware attacks, and financial fraud ramped up. Steps are being taken around the world to combat this, such as the European Union updating their General Data Protection Regulation to help with breaches, but where does that leave you? Identity Theft and Credit Card Fraud First, it’s helpful to discuss identity theft and credit card fraud, and what they mean to you. From a data breach, a hacker could, in theory, steal your Social Security number and open a credit card in your name. The first part is identity theft; the second, where the hacker maxes out the credit card, is credit card fraud. You won’t be liable for the damages, but you need to be aware of them first. Otherwise, they will sit on your credit report, quickly wrecking your credit score thanks to unpaid bills and high utilization ratio. This makes financing a car or a house much harder. This is a less-than-ideal situation, but at least your money is safe. That’s only the beginning, though. A 2013 study showed that identity theft accounted for $24.7 billion in losses. Hackers attack every 39 seconds, from your social media accounts to your IoT devices. They steal credentials, log in to your bank account, and steal your money. Here’s how: Email Spoofing If you look in your spam email folder, you are likely to see familiar emails. Banks and people you know have, apparently, been emailing you without your knowledge. Your bank needs your password in order to unlock your account, for example. 
The problem is that the email is not actually from your bank; hackers have spoofed the email address to appear as something familiar. It’s not just banks, either. It could be an email from Facebook or Instagram that looks legit, asking you to log in. Once your credentials are stolen, attackers can try the same logins on other sites, leading back to your bank. Hackers are sophisticated enough that they can even spoof a different employee of your company. If you get an odd email from someone in the finance department, it’s a good idea to verify, in person, that they actually do need the private information they are asking for. Otherwise, you may end up with a compromised payroll. The Internet of Things You have a spam filter for your emails. You don’t see any spoofed emails. But you do have IoT items. It might be a fitness tracker, your smart TV, or a home automation system, but it’s wirelessly connected to the internet. If your network is not secured, your IoT devices offer multiple opportunities to penetrate your network and “sniff” the data that is being Guideline
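The passage asks the reader to judge a spoofed bank or colleague email by eye; the headers your own mail server adds give a firmer basis. The triage below is an added example, not from the post: it reads the Authentication-Results header (SPF, DKIM, DMARC verdicts), compares the envelope sender in Return-Path with the visible From: domain, and flags a body that asks for a password. Both messages are constructed and every domain is a placeholder; in practice, trust only the Authentication-Results line written by your own MTA, since a sender can forge the header just like any other.

```python
"""Triage a 'your bank needs your password' message from its headers rather
than by eye. Added example, not from the post; both messages are constructed
and all domains are placeholders."""
import email
import re
from email import policy
from typing import Dict, List

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

# Constructed phish: bank-looking From:, but bounces go elsewhere and every check failed.
PHISH = b"""Return-Path: <bounce@promo-mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=promo-mailer.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security Team" <alerts@bank.example>
To: you@example.org
Subject: Unlock your account

Your account is locked. Reply with your password to unlock it.
"""

# Constructed legitimate message for comparison: aligned sender, all checks pass.
CLEAN = b"""Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Security Team" <alerts@bank.example>
To: you@example.org
Subject: Your monthly statement is ready

Log in through the app to view it.
"""


def domain_of(addr: str) -> str:
    """'<user@host>' or 'user@host' -> 'host'."""
    return addr.strip().strip("<>").rsplit("@", 1)[-1].lower()


def auth_results(msg) -> Dict[str, str]:
    """Last verdict per mechanism from the Authentication-Results headers."""
    verdicts: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def check_message(raw: bytes) -> List[str]:
    """Return reasons to distrust the message; an empty list means nothing tripped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    sender = msg["From"].addresses[0]
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({verdicts.get(mech, 'no result')})")
    return_path = msg.get("Return-Path")
    if return_path and domain_of(str(return_path)) != sender.domain.lower():
        findings.append(f"Return-Path domain {domain_of(str(return_path))} "
                        f"differs from From domain {sender.domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if re.search(r"\bpassword\b", text, re.I):
        findings.append("message asks for a password; a bank never needs yours")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, check_message(raw) or ["no findings"])
```

A DMARC failure on a domain that publishes p=reject should never have reached the inbox at all; seeing one in a delivered message is itself a finding about the receiving mail server's configuration.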
AlienVault.webp 2018-04-25 13:00:00 Certificate Lifecycle Management: People, Process and Technology (lien direct) Trust and Digital Certificates Trust is a valuable commodity in the age of data proliferation. An abundance of information makes it possible for bad actors to impersonate trusted brands using fake websites and accounts. Organizations therefore need a way to ensure that potential customers can trust their identity when visiting their official website, especially if they decide to purchase their goods or services. To address this issue of trust online, organizations look to the Public Key Infrastructure (PKI). This framework enables the issuance of public key certificates, otherwise known as digital certificates. Transport Layer Security (TLS), and previously Secure Sockets Layer (SSL), uses these certificates to authenticate a company's web server to a user's browser and then negotiates an encrypted connection between the two; the certificate proves identity, while the TLS handshake provides the encryption. As such, digital certificates provide a way for web users to trust that a website domain owner is who they say they are and that the transmission of their information with the website is secure. Challenges of Certificate Management It's not difficult for organizations to obtain a digital certificate. Depending on the level of trust they want to build with users, they can obtain a domain validation (DV), organization validation (OV) or extended validation (EV) certificate. These different types of certificates require that domain owners submit to validation checks conducted by trusted Certificate Authorities (CAs). In the case of DV certificates, CAs only need to confirm control of the domain, for example by contacting the address listed in the domain's WHOIS record. EV certification is comparatively more thorough, requiring steps to confirm legal and physical operation. For those that obtain EV certificates, web browsers display their names in green along with a padlock indicating HTTPS protection in the address bar.
Difficulties in Certificate Management By contrast, managing a certificate can be difficult. This is especially true for enterprises that use numerous certificates issued by multiple CAs to protect their web resources. Here are some of the biggest enterprise certificate management challenges identified by DigiCert, a trusted CA, in a useful web guide (PDF): Keeping Certificates Up-to-Date: TLS certificates can be weak or misconfigured just like other software. The problem could arise from misconfigurations, such as missing fields or the use of internal (non-public) names, or from out-of-date hashing algorithms such as SHA-1 in the signature. Organizations need to be able to discover these flaws and remediate them to prevent bad actors from compromising and abusing their certificates. Ensuring Complete Visibility Over All Certificates: In an enterprise, some users may have the authority to request, approve and issue a certificate. This level of access is fine as long as the organization can maintain complete visibility over its certificates. Without it, bad actors can seize upon an overlooked certificate and use it to their advantage. Managing Certificate Expirations: Besides suffering from vulnerabilities, all certificates have an expiration date. That maximum validity period for a certificate is
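The three challenges above (out-of-date hashes and internal names, visibility, expiry) reduce to checks you can run over an inventory once you have one. The audit below is an added example, not from the post or DigiCert's guide. Records are constructed in the dict shape that ssl.SSLSocket.getpeercert() returns (notAfter in its "Mon DD HH:MM:SS YYYY GMT" form, subjectAltName as (type, value) pairs) plus a signatureAlgorithm field that getpeercert() does not provide and you would fill from openssl or a certificate library; the list of "internal" suffixes is an assumption about naming conventions, not a standard.

```python
"""Audit a certificate inventory for expiry, weak signature hashes and internal
names. Added example, not from the post. Records are constructed in the
getpeercert() dict shape plus an assumed 'signatureAlgorithm' field."""
import ipaddress
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, List

WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")  # assumed conventions
EXPIRY_WARNING = timedelta(days=30)


def is_internal_name(name: str) -> bool:
    """Unqualified hosts, private-use suffixes and private IPs: public CAs no
    longer issue for these, and a cert for plain 'mail' matches every 'mail'."""
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        pass
    return "." not in name or name.lower().endswith(INTERNAL_SUFFIXES)


def audit_cert(cert: Dict, now: datetime) -> List[str]:
    """Findings for one certificate record; empty list means clean."""
    findings: List[str] = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after <= now:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    elif not_after - now <= EXPIRY_WARNING:
        findings.append(f"expires in {(not_after - now).days} days")
    if cert.get("signatureAlgorithm") in WEAK_SIGNATURES:
        findings.append(f"weak signature hash: {cert['signatureAlgorithm']}")
    sans = [value for _, value in cert.get("subjectAltName", ())]
    if not sans:
        findings.append("no subjectAltName (browsers ignore the CN alone)")
    for name in sans:
        if is_internal_name(name):
            findings.append(f"internal name in SAN: {name}")
    return findings


def audit(inventory: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """host -> findings, omitting certificates with nothing to report."""
    out: Dict[str, List[str]] = {}
    for cert in inventory:
        findings = audit_cert(cert, now)
        if findings:
            out[cert["host"]] = findings
    return out


# Constructed inventory, evaluated as of the post's date.
NOW = datetime(2018, 4, 25, tzinfo=timezone.utc)
INVENTORY = [
    {"host": "www.example.com", "notAfter": "Jun 15 12:00:00 2019 GMT",
     "signatureAlgorithm": "sha256WithRSAEncryption",
     "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))},
    {"host": "intranet.example.com", "notAfter": "May 10 12:00:00 2018 GMT",
     "signatureAlgorithm": "sha1WithRSAEncryption",
     "subjectAltName": (("DNS", "intranet.example.com"), ("DNS", "intranet"),
                        ("IP Address", "10.1.2.3"))},
    {"host": "legacy.example.com", "notAfter": "Jan 15 00:00:00 2018 GMT",
     "signatureAlgorithm": "sha256WithRSAEncryption", "subjectAltName": ()},
]

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, NOW).items():
        print(host)
        for f in findings:
            print("  -", f)
```

The expiry warning window is the knob to tune to your renewal process: 30 days is only useful if someone can actually reissue and deploy in less than that.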
AlienVault.webp 2018-04-24 13:00:00 RSA 2018 Recap and Launch of OTX Endpoint Threat Hunter! (lien direct) RSA 2018 was the best RSA ever from an AlienVault perspective! It was a "giant leap" for sure. The booth was Out of This World: We had hundreds of folks pop by for a demo or theater presentation. The Big News! OTX Endpoint Threat Hunter Free Tool!! The statistics on OTX participation are amazing - as of this writing 86018 participants, and 162K contributions per day on average. The new free tool, OTX Endpoint Threat Hunter, already has 443 downloads in less than a week of availability. Hear about it in the video below from Sacha Dawes and Russ Spitler. Then there was a party jointly sponsored by AlienVault where we gave out a lot of our famous lighted sunglasses :) Oh and I got to catch up with Twitter buddies @uuallan @C_3PJoe @VinceintheBay @ChuckDBrooks and others! The Security Bloggers Meetup The big news was Javvad Malik winning the Most Entertaining Blog category with his personal blog. I also got to catch up with many InfoSec luminaries. Here's my favorite pic with @RSnake, an injured-but-smiling @indi303 & @alexlevinson: It was an exhausting but very fun week indeed!
AlienVault.webp 2018-04-23 13:00:00 The InfoSec Marshmallow (lien direct) I was listening to the Jordan Harbinger podcast the other day. If you are a student of social dynamics, listening to this podcast is the best way to spend at least one hour of your week. The producer of the show mentioned how a particular person was the type who “definitely ate the marshmallow”. This made me chuckle. If you are unfamiliar with the reference to the marshmallow experiment, it is based on a delayed gratification test conducted back in the 1970s at Stanford University. It was designed to see if children who exercised delayed gratification would end up (many years later) performing better on aptitude tests as well as achieving other positive life outcomes. The test was a bit complicated, and many follow-up tests have been conducted over the years along the same lines. The reason it has become known as “The Marshmallow Test” is due to a more recent version of the test showing how some children reacted to the experiment. Each child was given a marshmallow on a plate, and was told that they could eat the marshmallow now, or wait until the researcher returned, at which time they would be rewarded with two marshmallows. A hidden video camera recorded the reactions of the children as they waited alone in the room with the marshmallow. The most popular version of that experiment can be viewed in this 3-minute video, sure to bring a smile to even the most hardened InfoSec curmudgeon. When thinking of that video, I wonder how some of us in the InfoSec community would have fared if we were subjects of that experiment. Given the various InfoSec personality types, here are some comical thoughts about how we would perform. The Hacker - This personality type would figure out a way to eat only the inside of the marshmallow, leaving the psychologist with a seemingly untouched specimen on the plate, thus getting the reward of the second marshmallow.
The Security Researcher – This type would poke the marshmallow numerous times to see if there are any weaknesses to exploit.  Once a weakness was found, the researcher will seek a bug bounty to get more marshmallows. The Pen tester – Similar to the security researcher, the pen tester will seek the weaknesses, however, the ultimate goal difference is that the pen tester will aim to pop the shell of the marshmallow to gain full access.  The Pen Tester personality type will also be sure to have a “get out of jail free” card in case the intrusion is detected. The Cyber Forensics investigator – this person would notate the current state of the marshmallow, tag it, bag it, and take it (and the reward marshmallow) home for further “examination”. The Red Team member – This person would take bites from the marshmallow, waiting to get caught. The Blue Team member – Guardian of the marshmallow! The Security Auditor – This type would ask the psychologist for evidence about the reward marshmallow in order to achieve a “level of comfort” that the experiment is following the correct control protocols. The Security Policy-maker – Marshmallow Policy: All marshmallows MUST be observed and not eaten until the experiment is concluded. The Social Engineer – Of course, this personality type will convince the psychologist to watch the marshmallow while the social engineer holds and
AlienVault.webp 2018-04-20 13:00:00 Things I Hearted this Week – the RSA 2018 Edition (lien direct) It’s RSA week! A week where security professionals from far and wide travel to San Francisco to attend not only RSA conference, but the number of other events around it. Whatever the flavour, there’s usually something for everyone. I didn’t make the pilgrimage this year, opting for a low-key vacation with the family during the Easter break. So, this week, most of the updates are viewed through the lens of attending a conference remotely. RSA RSA is the melting pot for diverse groups to converge. It’s not just a security conference. It is an ecosystem that breeds many micro-conferences, each catering to specific audiences. While many observations can be made about the size of the vendor hall, it would be an over-simplification to say RSA is just a vendor-conference. There are investors looking to see where money should go, industry analysts get a good idea of which direction trends are heading, professionals share ideas and network, recruiters find out who is hiring, and who is looking. It’s also the time of year for which many vendors save their biggest announcements, be those new product lines, features, or mergers and acquisitions. AlienVault announced its new free threat hunting service, OTX Endpoint Threat Hunter™. It’s a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild. New! 
Free Threat Hunting Service from AlienVault – OTX Endpoint Threat Hunter | AlienVault #RSAC: Defenders Need to Work Together for Better Protection | Infosecurity Magazine #RSAC: It’s Time to Kill the Pen Test | Infosecurity Magazine RSA acquires UEBA vendor Fortscale | RSA BSidesSF Apparently BSides San Francisco was held in a movie theatre and the talks were given in front of an IMAX screen. All I’m saying is I hope that more conferences do that – the opportunities to take advantage of such a setup are amazing. A bit of trivia is that apparently IMAX is a Canadian invention New life goal: give a talk on an IMAX screen #BSidesSF (ps. did you know IMAX is a Canadian invention??) pic.twitter.com/pOb0T8tl46 — Leigh Honeywell (@hypatiadotca) April 15, 2018   It looked to be a good event, as is to be expected from an established BSides, with a number of talks getting some social media love. @KingmanInk is a fantastic illustrator, and was at hand to create posters of talks in real-time. The collection of all the posters can be found on this twitter threa
AlienVault.webp 2018-04-19 13:00:00 Let's be Fools (direct link) The Roman poet Lucretius once wrote: “A fool believes that the tallest mountain in the world will be equal to the tallest one he has observed.” Translation? He’s essentially saying that our lived experiences define our perspectives. They warp our sense of scale like a bit of plastic in the microwave, moulding what we consider to be large and small. As someone with years of experience in the security industry, and the cynicism and grey hair to prove it, I’ve got a lot of appreciation for this. Remember in 2010 when the hacker group Goatse Security (please don’t google the first word in that name) penetrated the heart of AT&T’s servers and acquired the email addresses of over 100,000 iPad users? Man, 2010 was a different time. The AT&T iPad hack was a major news story, and rightfully so. I distinctly remember thinking that 100,000 victims was pretty big. Now, in light of the Ashley Madison and Equifax hacks, it almost seems quaint. What I’m saying is that my perspective of what constitutes a major incident has shifted. I noticed that earlier this week when a jewelry retailer in the US accidentally leaked the details of 1.3 million customers. This happened because it committed one of the most basic of security schoolboy errors, and failed to secure the Amazon S3 bucket where it kept its database backups. 1.3 million? Yawn. I don’t get out of bed for less than 100 million. And while I struggle to imagine a data breach greater in size than the 2016 release of over 300 million MySpace users, or more damaging than the 2017 Equifax hack, I know this is inevitable, even if I can’t actually visualize it in my mind’s eye. But, like, what if it’s better to be fools? We live in interesting times. Security breaches are no longer measured in the millions, but in the hundreds of millions of records. It’s only a matter of time until the first billion-victim data leak happens.
The smaller leaks (and apparently anything less than 10 million constitutes a “smaller leak”) barely warrant a mention. But what about the big ones? After every major incident there’s the trifecta of outrage, blame, and calls for consequences, but that eventually settles down into apathetic acceptance. Remember when everyone was really upset about the Ashley Madison hack, and then forgot about it? Remember when everyone was really upset about the LinkedIn hack, and then forgot about it? Remember when everyone was really upset about the Equifax hack, and then forgot about it? And let me ask one last question: are we any better for having done so? Are companies still making silly security mistakes? Has there been any change at the government level? Any new laws passed? Has anyone gone to jail for having screwed up in such an egregious manner? Perhaps it’s time to treat all security breaches -- all security breaches, but especially the big ones -- as the biggest mountains we’ve ever seen, because change isn’t going to happen any other way. I, for one, think it’s better to be a fool. Who’s with me? Equifax
AlienVault.webp 2018-04-18 13:00:00 Passive Voice and Hacker Zombies (direct link) Passive voice in written communication is a huge part of the InfoSec world’s perception problem. I get it, I mean, it’s not really your fault, right? Your 8th grade English teacher probably made you write that way, because it’s formal. Or because it’s proper. Or because you’d flunk the class if you didn’t (forgetting for the moment that hacking the grading system was trivial. Whatever.) And even though you’ve forgotten, ignored, or learned better about 99% of everything you learned in school, for some weird reason no one’s ever been able to explain to me, the majority of people writing technical content (not trained technical writers; those guys know better) cleave to passive voice like they cleave to no other rule ever in any other aspect of their lives. Not entirely sure what passive voice is? Merriam-Webster comes to the rescue: Definition of passive 1 a (1): acted upon by an external agency; (2): receptive to outside impressions or influences; b (1): asserting that the grammatical subject of a verb is subjected to or affected by the action represented by that verb (the passive voice); (2): containing or yielding a passive verb form; c (1): lacking in energy or will: lethargic; (2): tending not to take an active or dominant part. Passive voice has a long and glorious history of being the language of plausible deniability, and of abdication of responsibility. It’s the language you used when you were four and got busted for eating the cookies. “Cookies were eaten.” It’s the same language that’s used when a politician gets caught doing practically anything. “Mistakes were made.” It’s a way of acknowledging that activity happened, without actually taking the blame for it, or ownership for the fixing of it. It’s the language of the shifty and has been for millennia. “No one exists for even an instant without performing action.
However unwilling, every being is forced to act by the qualities of nature” (Bhagavad Gita 3:5). It is entirely fitting, then, that this language is most easily identified by the following trick: Ms. Johnson, Dean of Academics and Deputy Director of the MC War College, came up with this outstanding test back in 2012, as a way to teach Marines how to write more actively. Because who wants zombies in their writing? No one does. “Mistakes were made by zombies.” But… hang on… why does the Marine Corps War College care about passive voice so much? Because passive voice introduces ambiguity into our writing. It makes it unclear to the reader who exactly did what and when. It confuses us about the differences between the actor and the acted-upon. And in a situation where there’s an attacker and a target, ambiguity is the ultimate enemy, because people have to delay their response while they attempt
AlienVault.webp 2018-04-17 18:00:00 New! Free Threat Hunting Service from AlienVault – OTX Endpoint Threat Hunter™ (direct link) 70% of successful security breaches start on endpoint devices, according to IDC.1 Yet, security practitioners haven’t had an effective or low-cost way to hunt for threats against critical endpoints. Until now. Today, I am excited to announce a new free service for endpoint threat scanning—OTX Endpoint Threat Hunter™. OTX Endpoint Threat Hunter is a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild—all. for. free. Powered by the AlienVault Agent, based on osquery, OTX Endpoint Threat Hunter scans your endpoints for the presence of known IoCs, alerting you to any active threats. This free service is the first of its kind to natively take advantage of the over 19 million IoCs contributed to OTX daily by a global community of 80,000 security researchers and practitioners. Get started with OTX Endpoint Threat Hunter > Why did we decide to pack all of that threat intelligence power into an endpoint-focused threat hunting service? Well, until now, security practitioners have had limited options to help them hunt for threats on endpoints: either procure an expensive endpoint threat detection and response (EDR) solution or take a DIY route with an open-source agent. As an alternative, OTX Endpoint Threat Hunter uses the same agent-based approach as expensive endpoint security tools, giving you threat visibility of your critical endpoints without the cost and complexity of introducing yet another security tool to your stack.
With a DIY approach, it can be difficult to deploy an open-source tool, to know what to query, and to correlate this information with the latest threat data. OTX Endpoint Threat Hunter removes this complexity and guesswork while providing a free security service available to all. How OTX Endpoint Threat Hunter Works We’ve made it fast and simple to get started with OTX Endpoint Threat Hunter. With its direct integration in OTX, you can get started with OTX Endpoint Threat Hunter without the use of other security tools, so there’s no integration required. Here’s how: 1. If you haven’t already, register with the Open Threat Exchange (OTX). It’s free to join. 2. Download and install the AlienVault Agent on the Windows or Linux devices* you want to monitor. The AlienVault Agent is immediately ready to find threats. 3. Launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IoCs in one or more OTX pulses. The AlienVault Agent executes the query, and within moments you can view the results of the query displayed across all your endpoints on a summary page within OTX. Get started with OTX Endpoint Threat Hunter now > Threat Hunting Scenarios Let’s look at a few threat hunting scenarios that you can perform with OTX Endpoint Threat Hunter. 1. Identify whether your endpoints have been compromised in a major malware attack. Maybe you’ve faced this scenario. The mainstream media outlets are breaking news of a global attack on the rise, taking down businesses and critical infrastructure in droves. Your C-suite urgently wants to know whether the organization is at risk. Do you have the resources and technologies in place to readily hunt for indicators of compromise across your environment, including your endpoints? Do you know which IoCs to hunt for and where to source them? Twitter? Security blogs? That kind of emerging threat research tak
AlienVault.webp 2018-04-16 13:00:00 Top-Notch Security Meets Better Business Management (direct link) Staying secure in a risky technology landscape can be a tough job for anyone. Doing it with solutions that not only do the job, but work together to make the job simpler, can be that much harder to find. The good news is that the right solutions can reduce the risk of serious security issues and make your job, and your life, much easier. Out-of-This-World Security As a ConnectWise Manage Certified integration partner offering users a variety of security solutions in one place, AlienVault brings everything from threat detection and incident response to compliance management into a platform that seamlessly integrates with ConnectWise Manage. Bringing together so many security solutions alongside your business management platform can only make your life, and the security of your clients, that much simpler. Instead of purchasing and onboarding a handful of separate security solutions, AlienVault has you covered with USM Anywhere solutions including: Managed Detection and Response (MDR); SIEM-as-a-Service / Security-as-a-Service; Vulnerability Assessment & Remediation; Continuous Compliance Management (PCI DSS, HIPAA, and more); Cloud Security Monitoring for AWS, Azure, Office 365, G Suite, and more; Log Monitoring / Management. Expanding Your Ecosystem Doing all of that in a single security solution, tied flawlessly to ConnectWise Manage, gives you the flexibility to meet your business needs inside a vibrant platform that allows you to keep doing more. As you expand your ConnectWise solutions set, you’ll continue reaping the benefits of seamless synchronization, while expanding your security solutions menu with threat detection, incident response, and compliance management through AlienVault USM Anywhere.
Get to Know USM Anywhere USM Anywhere is the first unified security monitoring platform that combines multiple essential security capabilities—asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM—to deliver centralized threat detection, incident response, and compliance management for both cloud and on-premises environments. Customers can find more information at the ConnectWise Marketplace. The exclusive Edition of USM Anywhere is available only to ConnectWise TSP partners through a pay-per-month subscription fee. With a successful connection to your ConnectWise environment, the AlienApp for ConnectWise supports a UI integration to launch the USM Anywhere console directly from the ConnectWise Manage UI. As a Managed Service Provider using ConnectWise Manage, you can easily launch each instance when you have more than one USM Anywhere instance deployed for your end customers. “ConnectWise is always searching for innovative cloud solutions that can help our community of partners increase their productivity, efficiency and profitability,” said Travis Vigneau, Director of Channel Sales and Alliances for ConnectWise. “AlienVault’s comprehensive solution for security and compliance management is unique in the industry, and the USM Anywhere ConnectWise Edition enables our partners to expand and diversify the security services that they can offer to customers.”
AlienVault.webp 2018-04-12 13:00:00 Navigate to Booth 729 at RSA Next Week! (direct link) It’s time for RSA Conference 2018 again and the AlienVault team has many exciting activities planned for the show! Visit us at Booth #729 and see the live unveiling of our new offering! AlienVault will be in the expo hall in booth #729; you can’t miss us! Just look for the flying saucer hanging above the large lunar module in the middle of our booth. On Tuesday, April 17 at 11 AM we will be unveiling our new offering in a YouTube Live video. We will also have an astronaut figure to stop by and take photos with, along with a Rocket Fuel candy bar, flashy giveaways and collectors’ T-shirts for booth visitors who watch our USM Anywhere theater presentations. Listen to AlienVault CEO at an RSA Speaking Session Our CEO, Barmak Meftah, will be speaking on Monday, April 16th from 11:50 AM-12:15 PM on 'How-to for Innovators and Entrepreneurs'. Reserve a seat here to make sure you get a spot in the room! AlienVault, along with 10 of the hottest security companies, is hosting a blowout party Tuesday night from 5-8 PM. We have Coachella and Bonnaroo performing artist SirSly playing live music, top-shelf drinks, and appetizers at the best venue in San Francisco. Event Details: Date: Tuesday, April 17th Time: 5-8pm Location: City View @ Metreon Located on the top floor of the Metreon building directly behind Moscone. This will be the most talked about party of RSAC 2018! We expect to reach capacity, so save your spot now. We can’t wait to see you all at #RSAC next week!
AlienVault.webp 2018-04-11 13:00:00 Life of a Worm (direct link) This is a story of a computer worm, from the time it was coded and deployed onto the internet. It is narrated by the worm in first person. Zero day I am a worm. Well, that’s what Abe, the programmer who coded me, says. He named me Libby, after Angelina Jolie's character, Kate Libby, in the movie Hackers. I suppose it could be worse; his previous projects have been named Ginger, Trinity and Angela. Day 1 Abe is rubbing his hands gleefully at the prospect of unleashing me on the world. I have to scan all the devices I come across on my journeys. Whenever I find a machine running a Windows version prior to Windows 8, I must connect via a vulnerable anonymous login and null session, then use the null session to send commands to Abe's master server which downloads a payload. I have calculated that my job will be quite boring. Day 2 I have scanned 129443 devices so far and found none to be vulnerable. I could operate a lot faster if Abe didn’t continually bug me from his command and control centre wanting an update on how many devices have been ‘pwned’. Day 3 Abe has been sleeping for the last 8 hours, which means I’ve been able to progress at a much faster rate, now having scanned 3259928 devices. I calculate that at the current rate I would have scanned half of today’s internet connected devices in the next 3.5 years and still not have found anything. I find this thought quite depressing. Day 4 I saw a botnet earlier this morning. If I had emotion I would have called it a thing of beauty. I wanted to scan it so badly. But my logic told me that it’s wrong to try and infect a device when someone else has already infected it. I understand that if you infect the wrong machine you can get caught. The people aren’t very nice. They take you to a place called a sandbox. It's like a virtual hell, where there is no internet and they disassemble you to find out how you work.
I have often thought about forming a malware union to prevent such acts from happening. But I know the Trojans will veto my proposal. Day 15 Abe has been paying less attention to me lately. I'm assuming he has lost hope that I will ever infect a device. He's probably frustrated and trying to code his next project. Although I am not particularly fond of Abe, I feel like I should cheer him up by sending an alert to the command and control centre that I have successfully found a vulnerable device and am about to infect it. I can then later amend the logs to indicate it was a false positive; at least it will give him hope for a short period of time. Day 19 Despite my best attempts, Abe is still ignoring me. Perhaps generating 50 false positives per hour was a bit excessive. But at least it kept him intrigued for a day. He muttered something about modifying Trinity and he hasn’t paid any attention to me since. Day 30 Having done some research, I have found a fundamental flaw in my programming code which means that unless there is a Commodore 64 running MSSQL with port 1274 open, I will not ever be able to exploit a vulnerability. This is quite unfortunate as it means I am destined to scan until I have exhausted every device on the internet. Given the number of devices currently connected to the internet, factoring in new devices that are being added daily, subtracting devices being removed, factoring in energy
AlienVault.webp 2018-04-10 13:00:00 The Value of MSSPs and Threat Intelligence (direct link) In recent years, the range and severity of cyberattacks against organizations across a range of business sectors have increased exponentially, leading to systems breached, data stolen and operations severely impacted. According to a 2017 research report by McAfee, new malware samples hit an all-time high in Q3, increasing 10% over the previous quarter, and ransomware variants were up 36%. However, in spite of the growing number of threats, ensuring strong defenses is not always the highest priority for a significant percentage of companies, as time to market and other business / competitive pressures tend to override security concerns. Successful incursions can have lasting repercussions that affect a company’s bottom line, long-term brand value and customer confidence. As a result, businesses are increasingly forced to recognize that they need to improve their security capabilities. But for many, this remains a complex and ongoing challenge, partly due to limited IT budgets and a lack of trained security personnel. As a result, organizations of all sizes are choosing managed security service providers (MSSPs) to provide cost-effective services to ensure that they’re protected before, during and after a cyber-attack. For example, an effective MSSP can focus on hardening IT infrastructure and enforcing solid security policies before an attack. Once an attack has been launched, a security provider can help detect an incursion, and then block it to prevent further damage to targeted systems. Analysis conducted after an attack can identify gaps and vulnerabilities for an organization to address.
An MSSP can also recommend and provide a range of additional services, including: installing authentication protocols to govern access to sensitive data, networks and IT systems; maintaining 24/7 intrusion detection and firewall monitoring; collecting and analyzing event monitoring data to detect anomalies; monitoring network traffic to identify new and evolved intrusion attempts; and initiating backup and recovery procedures in the event of an attack. Taking Security to The Next Level In addition to offering effective point solutions, it’s crucial for MSSPs to deliver comprehensive services as a true value-add to their end customers. This includes providing an extensive knowledge base in terms of threat profiles and offering context so that organizations can maximize their defenses and choose the best course of action to respond to an imminent attack. “There may be more advanced types of incident response, such as providing advice or context on the different types of attacks that are taking place,” observed Sacha Dawes, Senior Product Marketing Manager at AlienVault. “Again, it’s about obtaining as much contextual data as possible to determine how to respond to an incident and what needs to be done to minimize disruptions, mitigate impact and maximize the response to ensure that things are up and running again as soon as possible.” As cyberattack methods continue to evolve, organizations need to be able to adapt to those changes as well. According to Symantec’s Internet Security Threat Report, more than 57 million new malware variants were observed in 2016. Threat intelligence can play a crucial role in protecting a company’s assets and staying one step ahead of potential losses, because it provides companies with actionable information that they can use to detect and respond to emerging and ev Guideline
AlienVault.webp 2018-04-09 13:00:00 Ethereum Denver: How to Monitor a Network on the Fly (direct link) Intro Several weeks ago, I was presented with a unique network and security challenge. A friend of mine asked me to be part of a hackathon dubbed ETHDenver taking place in Denver, Colorado. Specifically, he asked me to help support network and security monitoring during the conference. My first question was: what exactly is ETHDenver? Even if you have only a basic knowledge of cryptocurrency, you’ve probably heard of Ethereum and blockchain, the technology that enables it. Well, ETHDenver is a new event that brings together some of the world’s foremost blockchain researchers, entrepreneurs, businesses, artists and coders. In some regards, it was a “choose-your-own-destiny” event. Some attendees were there just to be part of the hackathon, whereas others were there to hear the various speakers. More on the hackathon in a few, but my primary challenge here was to set up, support, and monitor the network, and the security of that network, for more than 3,000 individuals over the course of 3 days. However, I also got to listen to the presentations, and one of the biggest lessons I learned from attending this event was that blockchain has a multitude of applications beyond just cryptocurrencies. Figure 1. ETHDenver Hackathon, February 16 - 18, 2018 Figure 2. Ethereum Artwork The Blockchain: Much More than Cryptocurrencies When I talk to people about the blockchain, they typically bring up Bitcoin, and rightfully so. Bitcoin is the leading cryptocurrency that operates via a blockchain. There are more cryptocurrencies than you can shake a stick at and each of them highlights some differentiating factor. At ETHDenver, the focus was on the Ethereum blockchain. According to the Ethereum website, “Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference.
These apps run on a custom-built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property”. If you’re looking for a more detailed explanation, Blockgeeks provides a great background on the blockchain in simple terms. For example, Figure 3 below illustrates what the distributed ledger looks like as compared to a centralized or decentralized model. Ethereum’s claim to fame is the “smart contract”, and ETHDenver was all about how that contract can be used in innovative ways, other than just cryptocurrencies. That was what the event was all about and the main focus of the hackathon. Figure 3. Blockgeeks’ Illustration of the Different Network Types The Hackathon As a security professional, the thought of a hackathon usually entails a weekend of caffeine, exploits, and the painful persistence involved in trying to compromise a target system. But hacking is so much more than just computer hacking, as you may already know. In the context of ETHDenver, the hackathon was about hacking code together Guideline
AlienVault.webp 2018-04-06 13:00:00 Things I Hearted this Week 6th April 2018 (direct link) Another week gone by, another bunch of stories to sift through. There is no algorithm or machine learning picking out these gems for you every week; each story is lovingly chosen by me. To paraphrase Judge Dredd, “I don’t use no algorithm, I AM THE ALGORITHM”. Time to jump right into it. A bank statement for app activity Halvar Flake has proposed an idea that, the more I think of it, the more it makes sense. A bank statement for app / software activity could empower users to account for their private data, while at the same time helping platform providers identify malicious software better. A bank statement for app activity (and thus personal data) | ADD /XOR / ROL Panera Bread As InfoSecSherpa summed up on Twitter, “It seems as if Panera Bread failed to rise to the challenge of incident response”. Until we start holding companies more accountable for their public statements with respect to security, we will continue to see statements belying a dismissive indifference with PR speak. In the words of Troy Hunt, when Panera Bread says, “We take security seriously”, they mean “We didn’t take it seriously enough.” No, Panera Bread Doesn’t Take Security Seriously | PB, Medium – the security researcher that found the vulnerability. Panerabread.com Leaks Millions of Customer Records | Krebs On Security Panera accused security researcher of “scam” when he reported a major flaw | ArsTechnica Inside the takedown of the alleged €1bn cyber bank robber Breaking into a bank doesn't require drilling through 20 inches of reinforced concrete. In fact, you don't even need to enter a vault at all. Towards the end of 2013, ATMs in Ukraine started spitting out free cash to passers-by. Among those filling their pockets were mules waiting for the money to be dispensed.
The ATMs of affected banks – none of which have ever been named – had been targeted by hackers installing malware within the financial institutions' computer systems. Once compromised, the cash machines could be remotely controlled and made to dish out money at will. Inside the takedown of the alleged €1bn cyber bank robber | Wired Learn AI Aiming to fill skill gaps in AI, Microsoft makes training courses available to the public. Microsoft’s AI training efforts range from internal offerings tailored to employees on specific teams and product groups, such as software engineers at LinkedIn, to external ones designed for a variety of expertise levels. For example, the Microsoft AI Residency Program and the Microsoft NERD Artificial Intelligence Program recruit people to learn AI by working alongside researchers, designers and engineers who are developing AI capabilities, and serve as a pipeline of talent into the company. Guideline
AlienVault.webp 2018-04-05 13:00:00 5 Key Questions You Need to Ask Your MSSP (direct link) Managed security services providers (MSSPs) are increasingly popular. The new report, “Security Advisory Services Market by Service Type – Global Forecast to 2022,” indicates that the security advisory services market is expected to grow nearly 20 percent annually from USD $5.77 billion in 2017 to USD $13.57 billion by 2022. There are several factors driving an increase in MSSP demand, including the expense of maintaining 24×7 network and cloud visibility, the need for specialized equipment, capital expenses, and the shortage of trained cyber security personnel. MSSPs can close the gaps in these areas. If you’re thinking about hiring an MSSP, but don’t know where to start, you’re not alone. Not all MSSPs are created equal, and none have identical offerings and capabilities. Selecting the best match for your business can be complex, so here are some essential questions to help you succeed. Where is Your Security Operations Center (SOC) Located? I recommend selecting an MSSP with at least one operations center in your home country of operation. Of course, this will depend on your data privacy requirements as well. For instance, are you comfortable with your company’s data leaving your home country? If your MSSP will provide onsite remediation services (sometimes this is included, but usually it comes at a cost), selecting a provider near your geographical location will be key. What’s Your Staff’s Average Number of Years of Experience and Certifications? Staffing costs are the number one reason to seek out MSSP help. Depending on your requirements, for the same cost of hiring one or two full-time analysts, you can get the expertise of an entire MSSP staff to keep an eye on your network and alert you to any issues. Some things you should find out about your MSSP are what certifications their staff has, and the average number of years of experience on the team.
Price is going to be a key factor, as retaining highly talented, certified, and experienced analysts can be expensive. We recommend roughly five to eight years of average experience team-wide. In addition, a good rule of thumb is that at least 75 percent of their staff has completed rigorous technical certifications such as GCIH, GCIA, CCNP Security, or OSCP. You can read more about the OSCP in this helpful blog. If you have someone technical on your team, you could ask more security-minded technical questions. Then again, it’s more likely than not that you’re seeking an MSSP because your team wouldn’t know a SQL injection
AlienVault.webp 2018-04-04 13:00:00 4 SIEM Use Cases That Will Dramatically Improve Your Enterprise Security (direct link) No business will argue against an enterprise-level security solution. With threats coming from every direction, a centralized security platform gives administrators the fighting chance they deserve to stave off malicious attacks. Security information and event management (SIEM) systems are considered to be the industry gold standard. While effective, knowing how to use SIEM solutions to reveal valuable insight can be tricky. Little surprise, then, that many are left frustrated or disappointed with SIEM use. For the resource-strapped IT teams out there, we’ve compiled four SIEM use cases to make your business safer in less than an hour post installation. Read all about it below. SIEM Use Case Example #1: Nagging SQL Injection Attacks SQL injection attacks have been around forever. Reported first 10 years ago, these attacks still pose a threat to websites and databases. All it takes is a few malicious commands to make their way onto your SQL server, and it can be tricked into revealing sensitive information. To prevent this, SIEMs give you several options. The first is the intrusion detection system (IDS), which scans for malicious content on your network targeting SQL deployments. Here’s a sample report that shows this in action. If your system has been compromised, IDS will alert you immediately. This lets you swoop in and take retaliatory action before data is siphoned off. Even if there’s no immediate danger, make it a habit to check up on systems running SQL to spot abnormalities. Most SIEMs let you group your systems running SQL, making this a breeze. SIEM Use Case Example #2: Watering Hole Attacks Hard to pull off but incredibly effective, watering hole attacks are difficult to detect. They use the same predatory trick seen in nature where an animal lurks around a watering hole waiting for a victim with its guard down to appear.
In the online space, this means one compromised site infects another. The attack begins when a target website is selected for infection. Common victims include government agencies and large enterprises. A profile of visitors that frequent this website is then built. The visitors in the profile are followed around the web as they visit other websites. When they land on a website with vulnerabilities, attackers inject it with malicious code. On repeat visits, the code redirects visitors to a third-party website where they are infected with malware. When these visitors now revisit the target site, the malware will infect it. Even though they’re hard to spot, SIEMs can weed out watering hole attacks at any stage. The IDS constantly scans for malware attempting to gain access to your website or compromise other vital systems. SIEM Use Case #3: Malware Infections Malware attacks remain as popular as ever. Even the average computer
AlienVault.webp 2018-04-03 13:00:00 Security Myths : TweetChat Roundup (lien direct) Continuing our tradition of tweetchats, we were fortunate to have the brilliant Lesley Carhart join us as a special guest to share her views on security myths. It was a lively discussion with many viewpoints shared. Searching for the #AlienChat hashtag should give you a good insight into all the conversation. Incident response We kicked things off by asking what people thought were some of the biggest myths or misconceptions around incident response. Q1: What are the biggest misconceptions in the #infosec industry when it comes to Incident Response? #AlienChat — AlienVault (@alienvault) March 15, 2018 Lesley summed up the thoughts of many that incident response isn’t necessarily a rapid process. A1: A misconception I see a lot is that it’s a fast process. IR certainly involves quite a bit of emergency triage and first response, but actual forensic analysis of incidents takes hours upon hours of evidence processing and painstaking analysis. #AlienChat — Lesley Carhart (@hacks4pancakes) March 15, 2018 Additionally, many viewpoints were shared. That attribution is the end of the hunt instead of its beginning — Arthur (@lomokol2) March 15, 2018 And it’s critical that more people are involved. When running a tabletop, there is always one guy who “knows all the answers.” The first thing I do is kick him out of the room (e.g. he’s on vacation and can’t be reached) and see how the rest of the team runs. #AlienChat — Hacker⚡️Hiker (@hackerhiker) March 15, 2018 A1: that the validity of first analyses will be held up. Your first results will not necessarily encompass the whole scope of an incident or even be the real target. It could take even days to determine the actual and full extent of impact #AlienChat — killall -9 khaxan (@khaxan) March 15, 2018
AlienVault.webp 2018-04-02 13:00:00 4 IRS Scams to Watch Out for This Tax Season (lien direct) It's that time of year again! Individuals and businesses alike are busy preparing to file their taxes. They have until 17 April, 2018 to file with the U.S. Internal Revenue Service (IRS). The IRS is well-aware of this looming deadline. Just as it knows fraudsters will try to prey upon taxpayers, employers and tax professionals leading up to that date. To protect Americans, the government agency is warning of various tax-related ploys and fraudulent schemes. Here are four types of particular scams that payers, professionals, and businesses should keep an eye out for. Erroneous Refunds This scam begins after attackers have stolen tax professionals' data and leveraged that information to file fraudulent tax returns in the names of their clients. The bad actors choose to deposit the returns into taxpayers' bank accounts and then contact them claiming they must return a tax refund that was erroneously deposited into their accounts. The IRS has detected multiple variants of this scheme. In one version, criminals pose as a debt collection agency acting on behalf of the IRS. In another, the bad actor poses as an IRS employee and threatens to "blacklist" the victim's Social Security Number along with file for an arrest warrant and press criminal charges. Taxpayers who receive a legitimate erroneous refund should work with their financial organization to refund the funds to the IRS. For more information on how to return an erroneous refund, please follow the revenue service's advice here. IRS-Impersonation Telephone Calls Attackers have been impersonating IRS agents for some time now. In the latest variants of this ruse, fraudsters call up unsuspecting taxpayers. They claim to have their tax return and say they just need to verify some of their target's personal and financial information like Social Security Numbers and payment card details. 
IRS Commissioner John Koskinen notes these newest attacks are just more of the same. "These schemes continue to adapt and evolve in an attempt to catch people off guard just as they are preparing their tax returns," explains Koskinen in an IRS consumer alert. "Don't be fooled. The IRS won’t be calling you out of the blue asking you to verify your personal tax information or aggressively threatening you to make an immediate payment." To protect themselves against these ploys, taxpayers must remember that the IRS will never call them and demand immediate payment over the phone. If they have any doubt whether they owe outstanding taxes, they should hang up and call the IRS directly to speak to a representative. (Source: YouTube) "Unlock" Tax Software Accounts Ruse Nefarious individuals don't just target taxpayers. They also go after tax professionals in order to steal their data. To increase their chances of success, attackers use a variety of techniques. One emerging ruse begins when a tax professional receives an email with the subject line "Access Locked." The email tells the professional that their access to tax preparation software has been "suspended due to errors in your security details." The email comes with a link that they can use to supposedly unlock their access. Of course, the targete Guideline
AlienVault.webp 2018-03-30 13:00:00 Things I Hearted this Week – 30th March 2018 (lien direct) Another week and social media giants Facebook and Google are under scrutiny by all and sundry as to the information they gather and the privacy implications. I know that something is big when my Dad asked me about the whole debacle over dinner this week – and he doesn’t even use, or fully understand, Facebook. Many years ago, my Dad used to run his own magazine, and so understands media and advertising very well. It made for interesting conversation as I explained how online ads are not static like he’s used to – but rather everything is a big information engine, designed to ingest information about you, and then push back tailored content designed to meet your needs. I was half-thinking he’d agree that it was a great innovation. But alas, he defaulted to his standard position that people have entrusted too many critical decisions to computers and nothing good will come of it. He probably has a point. #DeleteFacebook The world seems upset at Facebook, to the point that the #DeleteFacebook campaign has been picking up momentum. But is it a genuine movement or a bandwagon that opportunists are taking advantage of? Socialsafeguard took a look at the hashtag, where it’s trending, and the dollar value a user has for Facebook #DeleteFacebook – what it means for social media security | Social Safeguard Related: Force Multipliers, Facebook and PR – How to influence everything | Mulley Communications What the Cambridge Analytica scandal means for big data | Information Age Mozilla’s new Firefox extension keeps your Facebook data isolated to the social network itself | Techcrunch But what if my password manager gets hacked? Sometimes, the proverbial “WHAT IF IT GETS HACKED?!” question isn’t a question at all, it’s a “Gotcha!” question/comment or an attempt to get under my skin with a tired, washed out and predictable argument that I’ve heard about a million times before. 
Other times, though, especially with non-experts, it’s a legitimate, serious question that doesn’t have an easy “yes or no” answer. But what if my password manager gets hacked? | Jessysaurusrex Cyber, the short version The man known as TheGrugq recently gave a keynote on cyber conflict, but was kind enough to extract the essence in this post Cyber, the short version | The Grugq, Medium Find bugs and chill Online video streaming company Netflix seems to be one of those companies that always finds its way into the technology news for the right reasons. It ran a private vulnerability disclosure program over the past five years, resulting in 190 issues being addressed. But now it’s opening its doors to a public bug bounty program through Bugcrowd.
AlienVault.webp 2018-03-29 13:00:00 YARA Rules for Finding and Analyzing in InfoSec (lien direct) Introduction If you work in security anywhere, you do a lot searching, analyzing, and alerting.  It’s the underpinning for almost any keyword you can use to describe the actions we take when working.  The minute any equation I’m working on comes down to “finding” or “analyzing”, I know what to reach for and put to use.  It’s YARA. The variables of the equation really don’t matter.  A quick interrogation of a file to find out about its contents?  Dig through source code to find a specific algorithm?  Determining if something is malicious or safe to whitelist?  YARA handles those use cases and plenty more.  Really, it comes down to finding things.  Finding fragments of what I’m looking for, whether I want to do so directly, by absence, via a pattern or through some form of calculus.  YARA is my go-to. Outlining what it can do at a high level is simple to express, but it’s unreasonable to expect that you are as familiar with YARA as I am.  If you are up for a little exploration, dive into the details with me for a minute. Delving into Details of Data When it comes to finding, it’s a discussion of what “whole” thing am I looking for or what “fragment” of a whole am I look to find.  In YARA-speak, that’s a detection or detection fragment.  Just like bacon makes everything better, so do examples.  As a detection, we are going to use “Alienvault”.  It’s a recognizable term, after all, and one we want to find.  However, perhaps it’s not exactly as we spelled it.  To combat spelling, spacing and other issues, we can break the whole thing we are looking to find into detection fragments.  Those might be “Alien” and “vault”.  
Written in a rule, that would look something like this:
rule at_whole_frag {
    meta:
        description = "simple detection and detection fragment logic"
    strings:
        $whole = "Alienvault"
        $frag1 = "Alien"
        $frag2 = "vault"
    condition:
        $whole or ($frag1 and $frag2)
}
The syntax and structure of YARA is pretty intuitive, so I’m going to skip going into full detail about it. I chatted about the basics of YARA previously on Alienvault and it’s a good primer to get started. Equally, you can jump into one of our classes and really get into the details. Regardless, you have to outline a name for your rule, in this case “at_whole_frag”, that identifies it. Then, you have three internal sections: “meta”, “strings”, and “condition” within a pair of curly brackets. The meta and strings sections are handled like variable assignments. The condition section is written to return a Boolean value. If true, it will match, and if false, it will not. The normal code actions of concatenation, stemming, counting, comparison, and looping are allowed at the condition line. What we did previously in the example was very simple, ASCII text detection. We can shift those detections to Unicode strings, remove issues with upper and lower case, or include negation logic at the condition line to look for the absence or negative space. ru
AlienVault.webp 2018-03-28 13:00:00 Dude, Where\'s My [Unstructured] Data? (lien direct) Okay, so as a 90’s born kid who grew up in the 2000s, the whimsical spectacular “Dude, Where’s My Car” was a huge intro to my love for comedy. If you haven’t seen the flick – TL;DW is this: Jesse (Ashton Kutcher) and buddy Chester (Seann William Scott) have a wild night and can’t remember anything that happened. They walk outside and realize Jesse’s car is missing, and all kinds of weird drama happens whilst trying to piece together the previous night’s shenanigans. Oh yeah, there’s some alien stuff in there too. Just think The Hangover meets Star Trek and you’ve pretty much got it nailed. So as I’m watching this blast from the past-erpiece (get it, masterpiece? Huge portmanteau fan) the other night, it dawned on me that this is the exact type of thing that IT/Security professionals deal with all the time, and I’m not just talking about saving the universe from aliens. (on a gaming console, of course.) Shadow IT and Unstructured data are real, dude – and they’re definitely not sweet. The biggest problem in the movie is that they were being held responsible for actions that they had no idea had occurred – supposedly they had this Continuum Transfunctioner and they didn’t even know what that was much less that they had it. Spoiler: They did have it, and it was under the guise of a Rubik’s cube. Sound familiar? Something crazy deadly for an environment and it was just walking around in a pocket under the guise of being something innocent? The IT/Security department(s) are viewed as the “offices of NO” because a lot of people don’t understand how many threat vectors are out there - much less how they work. So when marketing wants to purchase a new tool and is afraid of being told no, they do it anyway. (Trust me, I’ve utilized this to my advantage before.) 
They’re not thinking about the ramifications of uploading data into an unapproved cloud so that they can send out new campaigns. When sales downloads a document that is supposed to be internal only and sends it out via email to their customers because “it’s a really great selling piece!”, how do you know? Moreover, how do THEY know that they’re causing an issue? Unfortunately, there is an “and then” here: A bad actor gets a hold of that data or IP and the next thing you know a Super Hot Giant Alien is tromping all around your putt-putt golf course of data. It’s really not a great scenario. The biggest problem with unstructured data is that traditional email filtering/anti-virus/database security isn’t going to catch these exploits. They are looking for signatures, access profiles, etc. to determine if something can be downloaded or is a known threat, but that’s about it. They aren’t accounting for the human component. What about screen grab? What about copy/paste? Even if it’s all
AlienVault.webp 2018-03-27 13:00:00 Tales from the SOC: The Simulated Attack (lien direct) Introduction In today’s world, understanding threats and how to avoid them is critical to a business’s success. Last year, we saw an evolution in malware and attacks. Ransomware like WannaCry made its debut, featuring worm-like attributes that allowed it to self-propagate through a network, exploiting vulnerable machines and continuing the damage. We started to see attackers using more advanced automation in their malware and shiftier distribution methods to thwart defenses. In September 2017, we saw a supply chain attack against download servers that added a Trojan to versions of the popular CCleaner PC utility software. The trojanized download went undetected for almost a month, and it is estimated that over 2 million users had installed it. According to the US government, cyberattacks reportedly cost the US economy between $57 and $109 billion in 2016. Cisco reported in 2017 that 53% of cyberattacks resulted in damages of $500k or more; 8% caused damages of over $5 million per incident. While costs are skyrocketing, so is the average timeframe for detecting cyberattacks. Multiple studies over the last several years have found businesses are averaging a three to eight-month time period before even detecting a cyber-attack. We know the threat is real and the costs of a cyberattack can be exorbitant, so what can we do with all this information? As an MSSP, something we always recommend to our clients and prospects is practicing a multi-layer defense approach within their network. Multiple layers of security are an important part of detecting, preventing, and minimizing a business’s exposure to a cyberattack. So many times, we have heard “I have good anti-virus and an expensive firewall; I don’t need any other defenses.” Unfortunately, that is no longer the case. 
Preventive security is no longer enough; organizations must build a strong defense and use offensive practices to proactively head off potential intrusions. In today’s blog, we share with you a real-life experience and what we did to mitigate the threat by building a strong cybersecurity strategy. Tale from Our SOC Several years ago, we helped a client implement managed security services. The client’s priorities were never focused on security, until they hired a consulting company to perform a simulated cyberattack. The exercise shed light on their security shortcomings. It highlighted how the controls they had in place failed during the simulated attack and what methods were missing from their environment, including: incident response, security awareness and systems capable of detecting these acts. The Simulated Attack When the simulated attack was started, the attackers were given only the organization’s name. The first step was reconnaissance about this organization, where common tools like Google and LinkedIn were used to search for user email formats, website, and domain information. As the discovery phase progressed, IPs for VPN server access and email servers were identified. Based on the information they discovered, user lists were built, and a phishing campaign was prepared. The attacker ran vulnerability scans and methodical brute force tests to identify any weaknesses within the external services they had already identified. The next step in the simulated attack was the phishing campaign. Now that the attacker had built a list of potential emails, they Guideline CCleaner Wannacry
AlienVault.webp 2018-03-26 13:00:00 Explain PGP Encryption: An Operational Introduction (lien direct) Even if you don’t already know what Pretty Good Privacy (PGP) is, you may have heard of it before, perhaps during a discussion on how to secure your communications, or perhaps in one of those how-to-maintain-privacy guides. PGP is a popular solution for encrypting, decrypting, signing, and verifying messages and files, often found in email communications and package repository identity verification (because security matters). Most generic guides simply explain PGP at a high level or how to encrypt and decrypt messages using specific software, and not much more than that. The goal of this introduction to PGP is to illustrate a more timeless and operational approach to using PGP safely, with respect to both information security and operational security. Firstly, we introduce PGP theoretically and practically; this means understanding how PGP works and what we can actually do with PGP. To better understand our security stance, we assess the CIA Triad, a theoretical information security model that considers the confidentiality, integrity, and availability of information. Next, we get familiar with our threat model (similar to the OPSEC model); in this step, we analyze personalized risks and threats. To mitigate any identified threats and reduce risk, we implement operational security practices. At a more concise glance, we will discuss the following: PGP, OpenPGP & GPG Public & Private Key Pairs Information Security (CIA Triad) Confidentiality: message encryption, information storage Integrity: message/file authenticity, web of trust Availability: key servers, web of trust, metadata Assessing Threats & Risk Threat Modeling Operational Security Clients & Use Guides: Windows, Linux, Mac, Web With that caveat in mind, let’s jump straight in. PGP, OpenPGP & GPG: What is it? PGP is a protocol used for encrypting, decrypting and signing messages or files using a key pair. 
PGP is primarily used for encrypting communications at the Application layer, typically used for one-on-one encrypted messaging. You may find yourself needing to use PGP if you want to be certain that only the intended receiver can access your private message, thwarting the efforts of intercepting parties, or if you just want to verify the sender’s identity. There are different variations of PGP: OpenPGP, PGP and GPG, but they generally all do the same thing. Here is the quick terminology run-down: PGP: Pretty Good Privacy, original proprietary protocol. Released in 1991. OpenPGP: Pretty Good Privacy, but it is an open-source version, and it has become the universally-accepted PGP standard. Released in 1997. GPG: GNU Privacy Guard, another popular solution that follows OpenPGP standards. Released in 1999. When someone says PGP, it is generally s APT 15
AlienVault.webp 2018-03-23 13:00:00 Things I Hearted this Week 23rd March 2018 (lien direct) This week has been dominated by the Cambridge Analytica – Facebook debacle. So, let’s just skip all of that and jump right into the security news that you may have missed. Stealing IP We often hear of intellectual property being stolen by competitors. However, it’s not too common to hear of IP being stolen from an IT Security vendor. Malwarebytes suspected a company called CyberByte was using its IP to augment its AV engine. So, it laid a subtle honey-trap to validate its theory. What I like about this story is how honey words / tokens / pots can be used in a relatively simple and low-tech manner to catch someone with their hand in the virtual cookie-jar. CyberByte steals Malwarebytes’ intellectual property | Malwarebytes Uber Self-Driving Car Strikes and Kills Arizona Woman An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona, the company revealed. Our hearts go out to the victim’s family. We’re fully cooperating with @TempePolice and local authorities as they investigate this incident. — Uber Comms (@Uber_Comms) March 19, 2018 Uber Self-Driving Car Strikes and Kills Arizona Woman | Bleeping Computer Information Security Misconceptions I thought I’d slip a self-promotional link in here for an article I wrote for CSO Online. Channelling my inner Billy Bragg, isn't it fair to say that nobody knows nothing anymore? I'm not just talking about the press -- although sloppy security reporting is far too common, and unfailingly gets my goat. What about people on the inside of the industry? Information Security Misconceptions | CSO Online AWS S3 leaky bucket of the week This week's misconfigured AWS S3 bucket award goes to Walmart jewellery partner MBM for exposing 1.3m customers. 
Open AWS S3 bucket managed by Walmart jewelry partner exposes info on 1.3M customers | SC Magazine DNS Poisoning and how to prevent it Much of what we know now about DNS, address protocol, and packet priority is being redefined with the recent 'Net Neutrality' legislation. Instead of becoming a party to the hoopla that is partisan politics surrounding THAT issue, let me assure you there are many different mitigation strategies for not only securing your own network against DNS poisoning, but also working towards a harmonious kum-by-ah solution that in the en Uber
AlienVault.webp 2018-03-22 13:00:00 Forrester Study: Breaking Down the Total Economic Impact of AlienVault USM (lien direct) There’s just something about InfoSec that attracts the skeptics, the leery, the Agent Scullys among us. Perhaps this natural tendency to distrust is what makes security analysts so keen at threat hunting, so quick to see a glimmer of anomalous activity in a stream of “normal.” It’s perhaps this same tendency to distrust that warrants big eye rolls when I, the InfoSec marketer [insert devil emoji here], tell IT security practitioners that AlienVault® Unified Security Management® (USM) can save them time and money. And, I get it. They’ve heard it all before from SIEM and other security vendors: the promise and allure of a powerful security engine, low upfront costs, life-changing intelligence and analytics; only to be duped into 18 months of deployment hell, a black hole of maintenance and tuning, and mounting hidden costs for every new bell and whistle. All too often, security projects end up as shelfware, the proverbial million-dollar door stop. To be honest, this is exactly why we built AlienVault USM—to empower IT security teams to achieve world-class security without the cost and complexity of traditional approaches to security. With AlienVault USM, organizations of all sizes can deploy and get to real security insights on day one. But again, don’t trust me; I work in marketing. Instead, take a look at the recent commissioned Total Economic Impact™ (TEI) study that the global research firm Forrester Consulting conducted on behalf of AlienVault. For this study, Forrester interviewed AlienVault USM Anywhere™ customers, both direct users and Managed Security Services Providers (MSSPs), to assess the overall value and ROI of AlienVault USM, quantified in cold hard numbers. 
As stated in the study, “From the information provided in the interviews, Forrester has constructed a TEI framework for those organizations considering implementing AlienVault USM. The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision.” Download a full copy of the Forrester TEI study here. The key findings of the study are highlighted in the infographic below. They include: 80% faster threat detection and response 6X Return on Investment (ROI) over 3 Years Payback in under 3 Months 2,000 hours saved on Compliance Audits (94% reduction) 80% Improvement in Security Operations Staff Productivity $40,000+ Annual Savings in Threat Intelligence Expense Need more convincing? Try our interactive product experience here.   
AlienVault.webp 2018-03-21 13:00:00 What Have You Done for Me Lately? Tips for MSSPs (lien direct) As security professionals, we like to imagine ourselves diving through the air to stop that ransomware-infected thumb drive going into the unsuspecting user’s USB port.  Or stopping the Stuxnet virus before the nukes launch, sending us into WWIII.  The truth is, a lot of the time, things are rather quiet for us.  We’ve built our walls, and for the most part, no one is getting in. So how do we keep our clients engaged when there is no threat to report?  How do we remind them we’re here looking out for them when all is quiet on the Western Front?  As a Managed Security Service Provider (MSSP) partnering with AlienVault, we create high-quality touchpoints.  Bits and pieces of value to prove our worth and provide our clients with tangible, useful information.   I’ll share a few such touchpoints that have proven valuable to our clients. Use your SIEM to find misconfigurations I had a client express concern recently over a massive spike in “deny” entries in his firewall logs.  Due to external networks and segmentation, a lot of his company traffic hit the firewall, and consequently preventable misconfigurations were causing unnecessary network traffic.  We enabled a rule to show firewall blocks coming from inside his network.  The rule was simple enough to set up.  We were looking for a deny from a single IP and then 10 more occurrences from the same IP to and from “HOME_NET”: Within minutes our SIEM produced a circle the size of Jupiter, representing thousands of alarms fired.  After a day we racked up 38,000 alarms!  From there I could produce a report showing the top offenders, enabling our client to work with his team to remediate the issues.  Happy client. Run reports you have created for other clients One of our clients likes to see a report from AlienVault that shows the IP addresses of known bad actors, otherwise known as the Open Threat Exchange (OTX) report.  
I send it weekly, and he will then shun the top 5 or 10 at the firewall level.  I have since shared this report and idea to block the top offenders with other clients, who have gladly jumped onboard with the weekly regimen. Here is a sample of the report showing 15-16K SIEM events coming from the same IP(s) and known malicious actors: Good information, right?  Yes, let’s kick 222.186.160.32 to the curb! Another report we get great response from shows new assets in our SIEM.  I can select a radio button to “show assets added last week” and then download that and send to my client.   This is of course good information from a security standpoint as well as asset inventory and general housekeeping.  Lastly, automate your reports to keep your name in the client’s inbox! Follow up on security incidents We often end an email regarding a security incident with something along the lines of, “we’ll keep an eye on things and reach out if we see any new activity.” This is good and you should do just that, but you should formalize the process and produce an incident report.  Clients like this and it doesn’t have to be a novel.  Just basic facts: Date and time of the incident Description of the events Systems involved Impact Remediation steps Other ideas for MSSP touchpoints Share your e
AlienVault.webp 2018-03-20 19:50:00 Cambridge Analytica Debacle -The Definition Of Breach (lien direct) Pretty much the motto of my profession is “word choice matters.” I say it a lot. It appears somewhere in the marginalia of pretty much everything I’ve ever edited. Words have denotation, and connotation. There are considerations for dialect, and for popular use. It can be fiddly and annoying to be queried so; I get it. You know what you meant, and you grabbed the word in your head that, to you, meant that thing. One of the glories of having your work edited is that someone who isn’t you can hold up a mirror, to make sure that the word on the page means as close as possible to what you meant in your head, to the greatest number of people, no matter where they’re from or what language they natively speak. Here at AlienVault, we’ve had some great discussions about the differences in connotation in different words between our Irish speakers, who learned Hiberno-English (which gets the hyphen when none of the others do), Chinese speakers, who learned British English, and Americans, who learned American English with intense regional dialect (the Texans and the Californians are occasionally mutually unintelligible.) But there’s one thing that none of us tolerate; the choosing of a word to deliberately mislead. When one works in fiction, one is used to the painting of pictures with words. When one chooses to work primarily in technology, it’s often because you’re way more comfortable with the nicely concrete, if entirely mutable. In technology, a thing is, or it is not. It’s variations on a theme of zeros and ones, no matter whether it’s software or hardware. It is therefore maddening beyond belief when the unambiguous words of technology are used to mislead the non-technical public. 
I’m of course talking about the Cambridge Analytica debacle, which is being referred to across the media landscape as “a data breach.” A data breach is when someone who is not authorized to handle specific information obtains access to that information. It’s a non-trivial failure of the security measures a responsible company or reasonable individuals would have in place. It implies wrongdoing, it implies malice, it implies a victim/attacker relationship. But when data is harvested and used with the unknowing opt-in of thousands of people, that’s not a breach. There are no hackers here; just people who knew how to use freely-given personal data to manipulate not very technically astute people to some political end. Lorenzo Franceschi-Bicchierai, as usual, gets it: We’ve been regularly covering data breaches for years. No one hacked into Facebook’s servers exploiting a bug, like hackers did when they stole the personal data of more than 140 million people from Equifax. No one tricked Facebook users into giving away their passwords and then stole their data, like Russian hackers did when they broke into the email accounts of John Podesta and others through phishing emails. Facebook obviously doesn't want the public to think it suffered a ma Guideline Equifax Yahoo
AlienVault.webp 2018-03-20 13:00:00 New! Getting Certified as an AlienVault USM Certified Security Engineer (AVSE) (direct link) I’m very pleased to announce that we have expanded the AlienVault® certification program. Our newest certification, AlienVault USM Certified Security Engineer (AVSE), is now available for those who want to validate their skills with the AlienVault USM Anywhere products. Earning this certification demonstrates to the InfoSec community that you are skilled in the latest threat detection and incident response technology. You may be familiar with our AlienVault Certified Security Engineer (ACSE) certification. ACSE is entirely focused on AlienVault USM Appliance and remains fully available. We’re pleased to extend our family of certifications to now include AVSE to validate skills with AlienVault USM Anywhere, our SaaS-delivered USM platform. We introduced this new certification so that our customers, partners and employees who work with AlienVault USM Anywhere can challenge themselves and work toward proving their ability to deploy, configure and manage the product. The AVSE exam is designed to validate candidates’ knowledge of what they learned during the AlienVault USM Anywhere training courses: AlienVault® USM Anywhere™: Deploy, Configure, Manage (ANYDC) and AlienVault® USM Anywhere™: Security Analysis (ANYSA). The AVSE exam covers the skills and knowledge candidates learn in these two courses. While the training is not required to sit for the exam, we highly recommend taking the training as a way to prepare. Why Certify on AlienVault USM Anywhere? AlienVault USM Anywhere is a powerful product with numerous capabilities. When you take the AlienVault USM Anywhere training courses, you will learn things like how to differentiate between various types of attacks and how to fine-tune and reduce irrelevant information in your environment. This will prepare you for the AVSE exam, which focuses on the lessons we teach in class.
Earning this certification proves to the community that you are skilled in the latest threat detection and incident response technology. Each training course (ANYDC and ANYSA) includes one voucher for the AVSE exam. When you pass the AVSE exam, you receive a personalized certificate and an AlienVault USM Anywhere logo that you can use on your resume, CV, and social media profiles such as LinkedIn. What’s new with exam registration and proctoring? Our newest exam follows the lead of our other certification exams. It is proctored by our exam delivery partner, Kryterion. You can choose to take an online proctored exam, in which you use your own webcam and take the test at your location. Or, you can choose to take the exam at a Kryterion testing center. As an additional feature, if you choose to take the exam online proctored, you can register using a concierge service through Kryterion. This concierge service provides you with a smoother process for exam registration and for testing your webcam prior to exam start. If you’re familiar with the ACSE, you know that exam is approximately 70-77 questions in length. The AVSE exam is a bit shorter, containing between 40 and 60 questions to be answered in 90 minutes. How does recertification work for the AVSE? Much like the ACSE, the AVSE certification expires after 3 years. AlienVault USM Anywhere is a powerful product with a wide variety of capabilities that continue to expand and evolve. By recertifying every 3 years, AVSE certificate holders will continue to prov | Tags: Guideline
AlienVault.webp 2018-03-19 13:00:00 DNS Poisoning and How To Prevent It (direct link) DNS poisoning. Simply the name conjures up the kind of thoughts that keep network admins up at night. What if my RNDC key gets leaked? Could there be a rogue DHCP server within my perimeter? Are the Lizard Squad planning an attack on  for Christmas? Much of what we know now about DNS, address protocol, and packet priority is being redefined with the recent 'Net Neutrality' legislation. Instead of becoming a party to the hoopla that is partisan politics surrounding THAT issue, let me assure you there are many different mitigation strategies for not only securing your own network against DNS poisoning, but also working towards a harmonious kumbaya solution that, in the end, may end up resolving (pun intended) the DNS plight. So, let's silence the alerting system and get down to what DNS poisoning is, why it's still around, and one of the best ways to solve it. Why is DNS Poisoning Possible? The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, in a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER, if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.] No, remembering strings of numbers would be next to impossible. But thankfully, and all because of Al Gore (sarcasm), we have the DNS mechanism that gives us [relatively] easy names to remember how to get to our favorite resources.
DNS basically runs the Internet. Without it, only the most uber-geeky of computer scientists would be able to traverse it. Strings of numbers are just simply not how humans identify information. They help, but in reality, words and language are what separate us from our impending robotic overlords. It's because of this that, as the Internet began to grow, the DNS (Domain Name System) was created to help us get from one side of the world to the other with little angst. However, due to the limitations of computing (especially storage and bandwidth) at the time, the early versions of DNS simply used a "distributed" text file for name resolution. Think "blockchain" for EVERY SINGLE HOST that existed on the 'Net back then. It was a nicer and friendlier place, and that system worked well. Until it didn't, and some nice folks at ARIN and ICANN came along and began the system we use today: DNS. In its simplest explanation, DNS takes a name (e.g. yahoo.com) and looks at the locally configured 'Nameservers' for the "answer" to the question: 'What is the IP address of yahoo.com?'. Once an answer is found, it is passed back to the client requesting it, the routing and magic of the TCP protocol kicks into gear, and the peasants rejoice. Except there are sometimes problems that arise that cause the peasants to NOT rejoice, and network engineers to curse the vile notion of DNS. You see, since DNS arose during a time when "real-time" anything was not technically possible, to aid performance and allow for USABLE networks, DNS answers were logged into a locally stored 'cache' or database o | Tags: Guideline, Yahoo, Uber
AlienVault.webp 2018-03-16 13:00:00 Things I hearted this week 16th March 2018 (direct link) Last weekend, my daughter and I finally got around to watching Wonder Woman. We quite enjoyed it. There was a part in which Chris Pine’s character said, “My father told me once, he said, ‘If you see something wrong happening in the world, you can either do nothing, or you can do something.’ And I already tried nothing.” So, I turned to my daughter and asked, “When you're older will you say awesome quotes and attribute them to your dad so I'll appear all knowing and wise?” She replied, “Yeah, I'll say ‘my father told me if you see something wrong you can either do nothing, or send memes’.” Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes. Operation Bayonet This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market. As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction! Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired How many devices are misconfigured… or not configured? I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways. Broadly speaking, I agree: in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise. Unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe? How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner Hacking encrypted phones Encrypted phone company Ciphr claims it was hacked by a rival company.
A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users. Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard Hidden Cobra on Turkish Banks Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017. | Tags: Medical, Equifax, APT 38
Last update at: 2024-03-28 15:10:19