Infosec Island Latest Articles
https://www.infosecisland.com
Adrift in Threats? Come Ashore!

Avoid the Breach: Live Webinar 9/27 - Register Now
https://www.infosecisland.com/blogview/24827-Avoid-the-Breach-Live-Webinar-927-Register-Now.html
Mon, 26 Sep 2016 08:02:56 -0500

Live Webinar: Tuesday, Sept. 27th at 1PM ET

Please join Centrify and SecurityWeek for this live webinar on Tuesday, Sept. 27th at 1PM ET, when we will discuss guidance from the National Institute of Standards and Technology (NIST) along with best practices and regulation mandates.

The webinar will explore how new technologies such as multi-factor authentication (MFA) address requirements for higher levels of assurance for user authentication, while preventing identity theft and account misuse. 

Join this webinar to learn why ensuring only authorized users can access your enterprise’s critical resources is a primary component in today’s security best practices, standards and regulations, and should be top priority to protect your business from data breaches. 

Sponsored by Centrify

Copyright 2010 Respective Author at Infosec Island
Going Global: Three Key Strategies for Managing International Firewalls
https://www.infosecisland.com/blogview/24825-Going-Global-Three-Key-Strategies-for-Managing-International-Firewalls.html
Fri, 23 Sep 2016 08:30:00 -0500

Globalization is the new normal for most organizations today, but it can present some significant challenges - not least when it comes to managing the firewall estate across these large-scale, distributed networks.

A typical multinational corporation headquartered in the US may have offices and datacenters in dozens of countries around the globe. Let’s assume the organization takes a proactive, structured and logical approach to cybersecurity, and therefore protects each datacenter with firewalls. Yet all of these firewalls also have to work together cohesively, allowing network traffic to move securely between the international networks and datacenters. How do you manage this? There are three vital issues to consider.

Issue one: a matter of time

A core element of firewall management – in any context – is configuration and in particular the change control process – that is, updating firewall rules when application network connectivity is updated or changed.

However, in global networks, with applications in different countries that need to communicate and share information, this gets a little more complicated.  Imagine one common scenario: an organization has deployed a new application across its global network, so needs to implement firewall policy changes in multiple countries.  While the policy change in itself is easy enough to make, the question becomes – when exactly should it be made?

For many large organizations, policy changes are limited to specific change control windows in order to mitigate the risk of operational downtime for core applications or configuration mistakes.  Firewall policy changes therefore usually take place overnight, or at the weekend – out of high risk hours.  But in a global organization, operating across multiple time zones, those high risk hours vary from country to country.  What’s more, high traffic periods in the calendar vary too – the run-up to the Christmas holidays will be critical to a retailer in Western Europe and the US, while Chinese New Year will impact on retailers in Asia.

So businesses have a choice. They can set a single universal change control window according to when it’s convenient for the most important location in their network, and hope that the other locations will manage. This is quicker but riskier. Alternatively, they can set different change control windows in different countries, and somehow coordinate a staggered firewall change process. This is unlikely to cause security problems part-way through the process, as legitimate traffic will most likely continue to be blocked somewhere along its path until the change has been fully implemented – but clearly this could be a significant operational issue, blocking different sites from communicating with each other. This change management process requires careful coordination between an organization’s network operations and application delivery teams.

Ultimately, there is no simple answer to this challenge. A business needs to weigh up the risks and benefits of the two approaches, and choose the most appropriate path for the organization.

Issue two: staying within the law

Another aspect of running multiple datacenters in multiple countries is the question of multiple jurisdictions. Different nations have different laws governing the location and movement of information; Switzerland, for example, requires Swiss banking information to remain inside Switzerland, while the Australian government does not allow government or federal information to leave the country.

These laws have significant technical implications for how international enterprises organize their datacenters, whether on premise or in the cloud. Information must be segmented, siloed and protected with firewalls according to local jurisdictions, and the IT team will normally be required to manage this. Technically all the necessary segmentation can be achieved remotely or even outsourced to a service provider, but it still carries a significant organizational burden – especially for organizations migrating to cloud infrastructures, as they may be nervous about the legislative compliance implications.

We may see this in action if the Bangladesh Bank decides to press charges following the recent $81m heist via the SWIFT wire transfer network. Which police force will they go to?  Can INTERPOL help?  Even if they manage to identify the criminals, who is going to arrest them, or request extradition? 

There are, as yet, no easy answers to these issues. Ultimately, organizations need to take responsibility for understanding all of the data protection laws and regulations that apply in every country where they store and transmit data – and they need to translate compliance with those regulations into proper technical, legal and compliance-related actions for their IT security strategy and business.

Issue three: who else is connected?

The picture gets more complex still when businesses grant external organizations access to their networks. At this point, it is important to note that they become part of the organization’s information security and regulatory compliance posture. Minimizing the risk of such external connectivity depends on implementing careful network segmentation as well as using additional controls such as web application firewalls, data leak prevention and intrusion detection.

Furthermore, at some point in time businesses will have to make changes to their external connections, either due to planned maintenance work by their IT team or the peer’s IT team, or as a result of unplanned outages. Dealing with changes that affect external connections is more complicated than internal maintenance, as it will probably require coordinating with people outside the organization and tweaking existing workflows, while adhering to any contractual or SLA obligations. As part of this process, organizations need to ensure that their information systems allow their IT team to recognize external connections and provide access to the relevant technical information in the contract, while supporting the amended workflows.

Finally, organizations should also ensure that they have a contract in place with third party organizations to cover all technical, business and legal aspects of the external connection.

When managing global network infrastructures, it is more important than ever to have full, real-time visibility and control of exactly how firewalls are controlling network traffic across the globe, both to maximize security and compliance, and minimize downtime. 

What Is ID and Verification and Why Is It Such an Integral Part of Digital Life?
https://www.infosecisland.com/blogview/24824-What-Is-ID-and-Verification-and-Why-Is-It-Such-an-Integral-Part-of-Digital-Life.html
Fri, 23 Sep 2016 07:00:00 -0500

Identity and verification (ID&V) are two closely linked concepts that play an increasingly critical role in consumers’ day-to-day lives.

Identification systems use a trusted ledger, process or token to identify a person or entity. Verification is answering the question “is this person who they say they are?”  

They are familiar to us in our everyday lives. From showing our passports when entering a country to showing proof of address and identity when applying for a financial product, it’s something we all do.

All of these methods of identification and verification rely on the presentation of a physical document. And, of course, up until the digital commerce revolution, when the vast majority of transactions were carried out face to face, it was a tried and tested method that worked.

These processes are something we are all familiar with. From boarding a flight to collecting a parcel from the Post Office, identifying and verifying ourselves has been commonplace for generations.

However, these methods rely on the possession and production of hard copies of various forms of accepted ID, and in the digital economy, face-to-face interactions are increasingly less common.

The Digital Economy

The internet changed how we shop forever. With an estimated 1.61bn online shoppers [1] globally, and £52.25bn spent via e-commerce in the UK in 2015 [2], the last decade and a half has seen e-commerce grow into a well-established, even dominant, method for business and commerce.

Mobile (i.e. unsecured touchscreen devices such as mobile phones and tablets) is rapidly winning the race to become the dominant platform. The ability to shop and carry out transactions on the go is now something we almost take for granted.

Yet all this convenience has come at a cost, and that cost is the challenge of managing ID&V online.

Digital transactions all require ID&V to a greater or lesser extent. Online shopping often requires a password and email address, while financial products, bound by a need to comply with know-your-customer and anti-money laundering legislation, require much greater levels of ID&V.

The problem is that ID&V is more challenging for remote transactions due to a lack of face-to-face interaction.

ID&V in the Digital Age

Remote ID&V is nothing new. Consumers have carried out transactions by mail or telephone (MOTO) for decades. However, these all relied on forms of ID&V such as address and date of birth. Yet, as such information is now readily available online, they can no longer be considered sufficiently robust.

This has driven a need to develop and accept new methods of ID&V with both customers and businesses having to adapt to the new business realities.

The most obvious of these is the password, which comes with its own drawbacks. Having to come up with a secure, eight-character password which includes a capital, a symbol and a number can be a challenge, especially if you can’t use the last five variations.

This can lead to a fundamental problem with digital ID&V: if it is time consuming and challenging, then it significantly detracts from the very convenience digital commerce is supposed to bring.

This is why the industry is continually looking for new ways to improve the ID&V experience without it impacting negatively on the user experience. Currently, the hot talking point is biometrics, which have the advantage of convenience, but as they are seldom independently verified they should not be relied upon solely. However, they can form part of a multi-factor, strong authentication alongside something you are and something you know.

Biometrics

Biometrics are, quite simply, the use of human characteristics for ID&V. A variety of different forms are currently being trialled.

  • Voice recognition – Voice recognition can verify someone in around 15 seconds, quicker than passwords.[3] Yet questions remain about the accuracy of this method. What if someone is in a crowded room or restaurant? Could the technology cancel out the background noise?
  • Facial recognition – Also known as “selfie” authentication. For this to work, the lighting of the photograph will need to be of sufficient quality which isn’t always guaranteed.  
  • Fingerprint recognition – It’s widely used, it’s trusted, it’s easy, but it is not perfect. Fingerprints can be copied by fraudsters using easily obtained chemicals. If a fraudster has your phone and wants access to it, they can.

Where to now?

ID&V is part of our lives and while there might be complaints about the inconvenience that obtrusive security plays in digital commerce, it is still an improvement on how things used to be.

The good news is that it is going to become even more suited for the dominant mobile platform. Despite some issues around biometrics, they will become an integral part of ID&V although it is likely that they will be part of a wider, multifactor ID&V process, incorporating factors such as PIN to give further security.

[1] Statistica, 2016

[2] Retail Research, 2016

[3] China News

How to Choose the Right EDR solution for Your Organization
https://www.infosecisland.com/blogview/24823-How-to-Choose-the-Right-EDR-solution-for-Your-Organization-.html
Fri, 23 Sep 2016 05:55:00 -0500

The rise of cyber-attacks has led to a major uptick in breaches in recent years, and not only have these attacks increased in volume, but in sophistication as well. Although the motivation of hackers remains the same – money, information, and more money, their new methods are much more complex, invasive and harder to stop. Cyber-criminals are now attacking the endpoint, bypassing traditional hacks and hitting organizations where it hurts most. The need for an Endpoint Detection and Response (EDR) solution is at its highest for any organization that wants to ensure it is as protected as possible from the threat of attack.

EDR solutions have been available for several years, but are getting much more attention now, mostly due to the rise in ransomware, a targeted threat that can infect multiple systems within the endpoint. The rise of ransomware is forcing anyone who handles corporate security to reevaluate their security solutions and realize the importance of immediate EDR implementation.

Traditional antivirus solutions, although very important in their own right, aren’t enough to protect an organization from attacks on the endpoint. In addition, traditional antivirus solutions can only block what they know, and if a threat isn’t recognized, it still has the ability to pass through. A strong EDR, on the other hand, can evaluate software and label it as a threat or can identify it as “goodware,” letting only this permissible category through. This is important as the sophistication of hacks improves.

It’s clear EDR solutions need to be an organizational asset now and into the future. Here is what organizations need to consider when choosing the right EDR solution:

  • Tradition – Organizations need to choose an EDR solution from a company that has tradition in the cybersecurity space. To meet the demand for EDR solutions and products, start-ups and new companies are popping up all over the cybersecurity space. Yet, they are relying on third party data, as opposed to cybersecurity firms who have the knowledge, history and proprietary data to classify threats as either “goodware,” or “badware.” Several upstart firms offer solutions that will just score the threat, while not formally classifying it as “good” or “bad”. This method of scoring still has the potential of allowing an unknown threat to slip through the cracks. When it comes to something as important as an organization’s information, CTOs need to have confidence they’re relying on trusted data, and not just estimates. Although risk tolerance varies from organization to organization, it is something that needs to be defined as part of a security strategy.
  • Visibility – An EDR solution should run as a managed service based on complex analysis, and organizations need to have visibility into EDR operations and management, yet have the confidence in it as a managed service. This is a highly technical product, and it’s important a firm provides a full service, not just the product.   
  • Implementation Cost – Organizations of all sizes need to consider what it’s going to cost to get an EDR up and running within their system. Everything needs to be considered, including technical resources, services, installation, updates, and support to name a few. It is not simply just the cost of licenses. The more complex the technology, the more things (like hard and soft costs) need to be considered when it comes to price/budgets.   

Information is the bloodline of every organization, and when that information is threatened, the entire organization is threatened. We all know based on major corporate hacks at Sony, Target, and JPMorgan Chase, that it can be devastating not only to the company, but to consumer and client confidence in that brand. As ransomware and other advanced attacks continue to be more commonplace for hackers, having the right EDR solution in place is now more important than ever.   

About the author: Tom Wayne is Panda Security’s Sales Manager for the U.S. and Canada markets. Tom is based in Orlando, Fla.

Automating Access May Be Best for Remote Users
https://www.infosecisland.com/blogview/24822-Automating-Access-May-Be-Best-for-Remote-Users-.html
Wed, 21 Sep 2016 07:10:00 -0500

More and more people are working remotely, outside the typical office and everything that that entails. In a traditional work environment, most employees worked in the office, keeping normal business hours. While this is still the most common situation today, a growing number of US-based employees are working from a remote location, according to a recent Gallup poll.

According to this report, 37 percent of U.S. workers say they telecommute, up slightly from 30 percent last decade, but four times greater than the 9 percent found in 1995. Many sectors are affected by this trend, including the education industry. Thus, one of the largest trends in higher education specifically is completing online courses and degrees. Often, going to a physical campus to complete classes is not feasible, especially for full-time working adults wanting to complete a degree. Adding to the traditional complexities is the ability to take classes on a flexible schedule and from wherever they must be, as mandated by their work or personal schedules. This, of course, is why online colleges have become an extremely popular option for these individuals.

Because of this, there need to be technology solutions in place to ensure that the end user is successful and can work efficiently from any location. There are many common issues that remote workers and students face because of their need to work anywhere at any time. Getting technical support at any time can be a bit more of a challenge. Accordingly, the school or corporate organization can easily use a few solutions to assist.

Common technical issues for remote users

The first common issue is that remote end users often need to access several different systems and applications to complete their work. These are often cloud applications which they need to log in to each day. These users need an easy way to access everything they need, as they may be studying from a coffee shop, on their phones, in a train station, etc. Logging into each application is an annoyance and requires the user to remember several sets of complex credentials.

So how can this be made easier? A web single sign-on solution (SSO) allows remote users to access what they need from one simple portal. The end user simply enters a single set of credentials to access the portal where all of their applications are kept. Thereafter, they can open any of their authorized applications and are automatically authenticated. This allows them to quickly open their portal and complete their work or classes wherever they are, on whatever devices they may be utilizing.

Aggravation of simple passwords

Another common aggravation is simple password issues, such as password resets, that require users to contact the helpdesk to resolve. Since remote students cannot easily get assistance from the helpdesk after hours, they need to have a simple way to resolve their own password issues. For example, students who are completing an online degree, might be completing classes after they get home from work at night. The helpdesk typically only works a nine-to-five schedule so they are out of luck for the night. The user might not even be in the same time zone as the helpdesk, as they may be traveling for work or even taking classes from a different state. 

So if they have any issues with their password, how are they supposed to get them resolved? A very simple solution for this is self-service password reset software. This solution allows the end users to securely reset their own password after correctly answering security questions, which they previously provided answers to. They can then reset their password and continue with their work without needing any interaction with the helpdesk. Since these applications do not require human intervention, they are available 24x7x365.

Correct access rights

Still another issue is ensuring that the end user has the correct access rights. What if you’re a remote user and you need access to an additional application? You probably need to email someone at your school to try to get the rights created. Then you often need to continue to follow up with them to make sure it is getting completed. If you are on the go, or working different hours than your office, this can present an issue.

The advent of automated account management solutions, with workflow management, provides a secure solution to this type of situation. Users simply access a portal where they can easily request anything that is needed, such as access to shares, groups or even additional applications. The employee simply submits their request and it is routed to the correct person for approval. Once approved, the change is automatically carried out in the network. The employee can also easily check on the status of the request without needing to contact the helpdesk for an update.

When you are working remotely, things need to be very convenient, otherwise it becomes a huge aggravation of dealing with technical issues before you can get anything for work or school completed. Account and password management solutions ensure that users can focus on getting their work completed whenever and wherever they are, so that they can be just as productive as users who are attending the school on campus or employees working in the office.

Dean Wiech is managing director of Tools4ever, a global provider of access and identity governance solutions. 

SAP Cyber Threat Intelligence report – September 2016
https://www.infosecisland.com/blogview/24820-SAP-Cyber-Threat-Intelligence-report--September-2016.html
Tue, 20 Sep 2016 05:01:26 -0500

The SAP threat landscape is always growing, thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

1) SAP’s critical patch update for September fixes 19 vulnerabilities.

2) This update contains a record number of patches for missing authorization check vulnerabilities.

3) DBMS at risk. Several critical vulnerabilities in SAP ASE were discovered.

SAP Security Notes – September 2016

SAP has released the monthly critical patch update for September 2016. This patch update closes 19 vulnerabilities in SAP products including 14 SAP Security Patch Day Notes and 5 Support Package Notes. 7 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of all the Notes are updates to previously released Security Notes.

3 of the released SAP Security Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 8.8.

SAP Security Notes September by priority

The most common vulnerability type is Missing authorization check. Approximately 40% of the vulnerabilities in this update are missing authorization check issues (twice the overall figure of 20%).

SAP Security Notes September 2016 by type

Missing authorization check in SAP

A Missing Authorization Check vulnerability allows an attacker to access a service without any authorization procedure and use functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.

According to the recent report “SAP Security in figures. Global threat report”, Missing Authorization is among the most common vulnerability types for SAP products. It constitutes approximately 20% of all closed SAP security issues. As of the end of 2015, 725 such issues were closed in all SAP products (for more details see the table below).

In total | SAP NW ABAP | SAP NW J2EE | SAP HANA | SAP BOBJ | SAP Frontend | Mobile | OTHER
725 | 643 | 54 | 2 | 4 | 1 | 5 | 16

Issues that were patched with the help of ERPScan

This month, 1 critical vulnerability identified by ERPScan’s researcher Roman Bezhan was closed.

Below are the details of the SAP vulnerability that was identified by the ERPScan researcher.

  • An Information disclosure vulnerability in SAP Guided Procedures (CVSS Base Score: 5.3). Update is available in SAP Security Note 2344524. An attacker can use an Information disclosure vulnerability to reveal information (in this case, usernames), which will help them learn about a system and plan further attacks.
    The impact of this vulnerability may not seem so dangerous. However, there are at least 2 attack scenarios, and their execution does not require sophisticated skills. First, an attacker can bruteforce passwords for known usernames or just try to guess the right password by entering the most widespread ones. Secondly, an attacker can simply block a number of user accounts by entering wrong passwords several times (usually, according to SAP policy, the maximum number of password attempts is 3-5). Without a doubt, both options are critical for business.

  The most critical issues closed by SAP Security Notes September 2016 identified by other researchers

 

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2358986: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 8.8). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2353243: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2353243: SAP Profile Maintenance has a Directory Traversal vulnerability (CVSS Base Score: 6.5). An attacker can use a Directory traversal to access arbitrary files and directories located in a SAP server filesystem including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.

  Vulnerabilities in SAP ASE

As you can see from the previous part, 2 of the 3 most critical vulnerabilities within this patch update affect SAP Adaptive Server Enterprise (ASE). It is an SQL database that uses a relational model. Usually, it stores all sensitive and valuable corporate data. It would be no exaggeration to say that the SAP ASE database is a treasure trove for hackers.

Both closed vulnerabilities are SQL Injections. It means that an authenticated user on the following SAP ASE server versions may be able to create and execute a stored procedure with SQL commands. This allows the attacker to elevate their privileges, modify database objects, or execute commands they are not authorized to execute.

Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Demonstration of Hacking a Protective Relay and Taking Control of a Motor
https://www.infosecisland.com/blogview/24821-Demonstration-of-Hacking-a-Protective-Relay-and-Taking-Control-of-a-Motor.html
Thu, 15 Sep 2016 08:48:48 -0500

Protective relays are critical to the operation of the electric grid and the protection of large electric equipment in many industries including electric, nuclear, manufacturing, etc. Protective relays were originally electro-mechanical switches but have progressed to complex networked digital devices with enormous computing capabilities making them intelligent electronic devices (IEDs).

 

Consequently, IEDs are now cyber vulnerable from both IT network and control system issues. In March 2007, the Idaho National Laboratory (INL) demonstrated the Aurora vulnerability by using IEDs to damage large rotating equipment, in this case a generator. The test assumed that the IEDs could be accessed. DOE has spent considerable sums of money to improve the cyber security of protective relays. However, it took less than a day for cyber security researchers (Mission Secure, Inc.-MSI) with NO power industry experience to compromise a very common industry IED – the SEL-751A (see 7/22/16 blog).

 

The purpose of this exercise was not to single out Schweitzer but to demonstrate the generic vulnerabilities of IEDs and the lack of external security around them. Not every IED is critical but some are very critical and must be protected. A typical mid-sized utility may have hundreds or even thousands of substations and many thousands of IEDs but only a small percentage of the IEDs are protecting critical loads. These critical loads may be in transmission or distribution applications.

There continues to be reticence from many to believe the grid can be cyber vulnerable or that equipment can be damaged from a cyber attack. Consequently, we will be providing a demonstration at the 2016 ICS Cyber Security Conference (www.icscybersecurityconference.com) where we will take the SEL-751A used in a traditional motor control setting and compromise not only the SEL-751A, but then take control of the motor.

The cyberattack demonstration will highlight a loss of control of the relay, how such loss impacts an end device like a motor and how this can all be hidden from the operator. The attacks include an adversary gaining access to the relay, taking control of the relay, locking out administrators, changing the relay’s configuration, and taking control of a motor. In addition, the attacks will be masked to leave no trace, making it difficult for an operator to troubleshoot the disruption, determine that the disruption was caused by a cyberattack, let alone prevent the disruption from happening again. I am having a 20+ year utility relay expert, Mike Swearingen, who has served on numerous NERC and DOE committees and projects, oversee the demonstration to assure its relevance. Mike will explain the relevance and significance of the test.

Protective relay issues can have real impacts. The 2008 Florida outage shut down power to approximately half the state of Florida for 8 hours because of relay setpoint changes, the 2015 Ukrainian hack shut down power to 230,000 customers by remotely opening breakers, refinery equipment was damaged from using wrong relay settings, and a nuclear plant experienced a loss-of-off-site power condition (the Fukushima condition) after every plant scram because of wrong relay settings. Given these actual cases, it should be evident that compromising relays can have very significant impacts. Consequently, the lack of appropriate cyber security of IEDs should be addressed as soon as possible.

Pokémon GO Security Threats Hit via Social Media
https://www.infosecisland.com/blogview/24819-Pokmon-GO-Security-Threats-Hit-via-Social-Media.html
Sun, 11 Sep 2016 19:37:54 -0500

Just days after the Pokémon GO mobile game was launched in Australia and New Zealand, fake apps leveraging its popularity to infect users with malware started to emerge, and the threat continues to hit users via social media accounts, Proofpoint researchers warn.

In July, a malicious Pokémon GO application packing the remote access tool (RAT) DroidJack emerged, but that was only one example of threat actors abusing the popularity of the game for their benefit. This malicious program was never observed in the wild, but researchers soon discovered malware such as a Pokémon GO lockscreen and scareware masquerading as guides and cheats for the game.

Pokémon GO continues to remain a highly popular mobile app, and cybercriminals have found a new method of compromise by heading to social networks such as Facebook, Twitter, and Tumblr. According to Proofpoint, there are 543 social media accounts related to Pokémon GO at the moment, and over 30% of them, or 167, are fraudulent.

The actors behind these accounts are using various techniques to compromise users. According to Proofpoint, 44 of the fraudulent accounts contained links to download files, many purporting to be Pokémon GO game guides. Furthermore, 79 were found to be imposter accounts, and 21 accounts promised “free giveaways.”

Although the Pokémon GO hype started on mobile, malware that abuses the popularity of the game is targeting desktop platforms as well. When analyzing the social media accounts offering files for download, researchers discovered that they were affecting both mobile and desktop platforms by linking to adware, malware or software other than the one advertised.

“It’s important to note that while we have seen at least three malicious versions of Pokémon GO, social media is also driving users to install Android APKs, which happen to be malware, as shown in Figure 2. Power ups, guides, and walkthroughs are all common and easy ways to draw users’ attention as these are compelling tools that help players in the game,” Proofpoint researchers explain.

The main issue is that Pokémon GO’s popularity can be abused to compromise enterprise networks, because the game can be found on devices connected to corporate environments as well. “4.5% of devices across the organizations we surveyed had Pokémon GO installed, including a small percentage of them (4%) running early versions of the game that had no patch for the Google permissions issues,” Proofpoint notes.

The prevalence of potentially risky apps related to Pokémon GO on corporate networks is more problematic than the high popularity the game enjoys. Niantic, the company developing Pokémon GO, has already warned of add-on map apps that scrape servers for data, and malicious apps related to the game have already been detected in US app stores and have been distributed to users.

Pokémon GO provided cybercriminals with the opportunity to launch a full suite of attacks: compromised apps, fraudulent social media sites, phishing social posts, mobile malware, and more. The 167 fraudulent social media accounts are only the tip of the iceberg when it comes to the risks, scams, and malware that users are exposed to.

“These accounts exist to make a statement or extract money from users who are not cautious enough to avoid them or lack security tools to protect themselves from social media threats and risks,” Proofpoint says. “The popularity of Pokémon GO has created many opportunities across social and mobile ecosystems for threat actors to target players and fans of the application.”

At launch, the application requested excessive permissions on Google accounts, and that represented yet another issue, especially when considering that the game was being installed on devices used within corporate networks. Now, all individuals should exercise caution when interacting with communities related to Pokémon GO, because they are exposed to diverse and numerous potential threats.

“More generally, though, Pokémon GO serves as a ready example of the ways in which cyber attackers will use popular phenomena to go after new targets. As the popularity and novelty of Pokémon GO eventually wanes, attackers will be looking for the "next big thing," exploiting attention on the holidays, presidential elections, major sporting events, and more,” Proofpoint concludes.

LuaBot Linux Botnet Is Written in Lua Language
https://www.infosecisland.com/blogview/24818-LuaBot-Linux-Botnet-Is-Written-in-Lua-Language.html
Wed, 07 Sep 2016 23:30:13 -0500

A newly discovered Linux botnet that was coded using the Lua programming language is targeting Internet of Things (IoT) devices in addition to Linux systems and servers, researchers warn.

Because it was written in Lua and because it recruits the infected machines in a botnet, the new threat is called Linux/LuaBot. Discovered by MalwareMustDie!, the botnet appears to be created for launching distributed denial of service (DDoS) attacks, though its exact purpose is yet unknown.

While analyzing the threat, the security researchers found multiple traces of the Lua language in the code, such as .lua source files, Lua runtime libraries, and some of the used botnet commands. The malware is packed as an ELF binary and is targeting ARM platforms, which suggests that IoT devices might be a main target. What is unknown at the moment, however, is how exactly the malware infects hosts.

During analysis, MalwareMustDie! discovered that LuaBot would try to increase the limit on open files and then would fork itself into two new processes during startup. The main process is terminated after the first forked process is started. Just before the forking, however, the malware sends a message and opens the file socket bound to the 203508 hard-coded mutex.

This new process will assign a PID and then fork its process one more time. This second forked process is the malware’s main process, which is bound to the file socket with the previously created mutex. This main process is responsible for the following activity: checks the active (file) sockets and network sockets, reads all processes and PIDs in /proc, checks the current user privileges, and checks the interface name and its IP.

The malware also assembles a BotID and writes it to stdout, and runs the test_domain() Lua function to load domains (google.com, facebook.com, baidu.com, amazon.com and wikipedia.org) to be looked up on specific DNS servers. The malware then connects to the command and control (C&C) server at 217.23.3.47 using port TCP/1085.

Initially, the bot would send an HTTP/1.1 GET command, to which the server replies with encrypted data. After decryption, the data was found to be a list of IPs that are “all nodes of AS4998 from 109.236.80.0/20, 217.23.0.0/20 and 93.190.140.0/22” and which belong to WorldStream.NL, a dedicated server hosting service in the Netherlands.

On the infected machines, the malware also changes the iptables (Linux firewall) settings, in addition to opening a backdoor and starting to listen to all inbound network traffic that uses port TCP/11833. The analysis revealed what appears to be a botnet management protocol and some botnet monitoring functions in the code, along with another set of IP addresses, showing that the malware’s developers have been hard at work preparing the network infrastructure for the botnet.
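The network indicators named above (the C&C endpoint 217.23.3.47 on TCP/1085, the backdoor listener on TCP/11833 and the three WorldStream ranges) can be checked against a Linux host's socket table. The Python below is an added example, not code from MalwareMustDie! or from this article; it reads text in `/proc/net/tcp` layout (IPv4 only), and the function names, the constructed sample snapshot and the little-endian host assumption are its own.

```python
import ipaddress
import struct
from typing import NamedTuple

# Indicators quoted in the article text above.
C2_ENDPOINT = (ipaddress.ip_address("217.23.3.47"), 1085)  # C&C server, TCP/1085
BACKDOOR_PORT = 11833                                       # backdoor listener
NODE_RANGES = [ipaddress.ip_network(n) for n in
               ("109.236.80.0/20", "217.23.0.0/20", "93.190.140.0/22")]
LISTEN = "0A"  # state code the kernel prints for listening TCP sockets

# Constructed sample in /proc/net/tcp layout (not captured from an infected host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11205
   1: 00000000:2E39 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 48211
   2: 0A01A8C0:9C40 2F0317D9:043D 01 00000000:00000000 00:00000000 00000000     0        0 48230
   3: 0A01A8C0:B2F2 0554EC6D:0050 01 00000000:00000000 00:00000000 00000000     0        0 48244
   4: 0A01A8C0:D431 08080808:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 51877
"""


class Finding(NamedTuple):
    kind: str    # backdoor-listener | c2-endpoint | node-range
    local: str
    remote: str
    inode: int   # socket inode, usable to locate the owning process


def decode_endpoint(field):
    """Decode 'HEXIP:HEXPORT' as printed by a little-endian kernel (assumption)."""
    hex_ip, hex_port = field.split(":")
    # The address is printed as a host-order 32-bit integer, so on x86 and
    # most ARM systems its bytes appear reversed; the port is printed as-is.
    packed = struct.pack("<I", int(hex_ip, 16))
    return ipaddress.ip_address(packed), int(hex_port, 16)


def scan(snapshot):
    """Return a Finding for every socket row that matches an indicator."""
    findings = []
    for line in snapshot.splitlines():
        fields = line.split()
        # Skip the column header and any truncated row.
        if len(fields) < 10 or not fields[0].rstrip(":").isdigit():
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        local = f"{local_ip}:{local_port}"
        remote = f"{remote_ip}:{remote_port}"
        inode = int(fields[9])
        if fields[3] == LISTEN:
            if local_port == BACKDOOR_PORT:
                findings.append(Finding("backdoor-listener", local, remote, inode))
            continue
        if (remote_ip, remote_port) == C2_ENDPOINT:
            findings.append(Finding("c2-endpoint", local, remote, inode))
        elif any(remote_ip in net for net in NODE_RANGES):
            # Lower confidence: these ranges belong to a hosting provider,
            # so legitimate services may live there too.
            findings.append(Finding("node-range", local, remote, inode))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROC_NET_TCP):
        print(f"{f.kind:18} local={f.local:22} remote={f.remote:22} inode={f.inode}")
```

The reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the process that owns a flagged socket.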

Code usually found in DNS query handling tools was also found in the malware, along with Lua resolver code for DNS queries, and the botnet appears able to send UDP packets to any desired destination, while also being capable of remote communication via an included telnet function. The malware also includes code that appears specifically targeted at Sucuri.

According to MalwareMustDie!, while there’s no solid proof that the botnet can be used for DDoS attacks, the code includes remote command line functions (cmdline and cmdline args), which suggests that attackers are able to perform various actions on the infected machines.

Advanced Threat Protection Technologies Beyond Marketing
https://www.infosecisland.com/blogview/24817-Advanced-Threat-Protection-Technologies-Beyond-Marketing.html
Wed, 07 Sep 2016 05:53:00 -0500

A non-scientific taxonomy for Advanced Threat Protection technologies

As a Chief Information Security Officer (CISO), Chief Security Officer (CSO), Chief Security Architect (CSA), or a Security Manager responsible for selecting and implementing the appropriate security technologies for protecting your organization’s most valuable information, you will probably be overwhelmed by vendors claiming they have cutting-edge, unique technology and convincing you, if not frightening you, that you are missing out by not implementing their security product.

Advanced Persistent Threat (APT) is probably a subject where you’re currently dealing with this challenge. For this threat, new security products follow each other in a rapid fashion and no standard reference taxonomy exists. In fact, there is no industry agreement on the naming for this technology space. You will encounter names such as Breach Detection System (BDS), Advanced Threat Detection (ATD), Next-Gen Anti-virus (NG-AV), and User and Entity Behavior Analytics (UEBA). All of them address the APT subject, but how do they differ and which security product competes in which space?  

In this article, I will use the umbrella term Advanced Threat Protection (ATP) to refer to these kinds of security technologies. Protection, for me, is an overarching concept that covers both detection and prevention, especially because it is only a matter of time until these security technologies evolve from detection to prevention, and some already have. I am going to help you address this challenge by:

  1. Providing you with a vendor-neutral ATP technology capability description in which you can easily classify Advanced Threat Protection products; in order to help you distinguish complementary from supplementary ATP products.
  2. Briefly exploring and classifying some of the most prominent ATP products in use currently.

The threats that ATP security products attempt to mitigate are so-called APTs, which are basically targeted attacks against a specific organization. These targeted attacks exploit unknown vulnerabilities as opposed to known vulnerabilities and use techniques such as malware polymorphism to circumvent conventional security technology, which mainly focuses on known vulnerabilities and known malware. The following ATP capabilities are differentiated and discussed throughout this article:

  • Sandboxing capability: NSS Labs refers to these kinds of security technologies as Breach Detection System.
    • Web Sandboxing: Analyzing suspicious files – which enter the organization network via the web (http(s)) – in a secure isolated environment based on object execution and automated analysis of reverse-engineered static code.
    • Mail Sandboxing: Analyzing suspicious files – which enter the organization network via e-mail – in a secure isolated environment based on object execution and automated analysis of reverse-engineered static code.
    • Perimeter Independent Sandboxing: Applying sandboxing to files on systems, independent of their network perimeter entry point. Basically, this works in the following manner – files with an unknown integrity, or unknown reputation as you will, are considered suspicious and delivered to the sandbox for analysis. An example of such a product is Intel McAfee TIE in combination with McAfee ATD.
  • Network Security Monitoring capability: Security technologies in this space are often referred to as Advanced Threat Detection.
    • Technical context-aware monitoring of network activities, for example, “does this SSH or HTTPS network session conform to the protocol specification?”.
  • Next-Gen Anti-malware capability: Next-Gen Anti-malware, often referred to as Next-Gen Anti-virus, is the name for anti-malware capabilities that identify malware based on artificial intelligence and machine learning rather than on definitions/signatures.
    • Host-based (endpoint) detection, (automated) response, and some products also provide prevention functionality for malware identification. For example, “does this ‘calc.exe’ system process run with the right privileges?”, “is this object malicious based on machine learning analysis?”.
  • User and Entity Behavior Analytics (UEBA) capability: Gartner refers to these kinds of security technologies as User and Entity Behavior Analytics.
    • Functional context-aware analysis of user and entity behavior, for example, “is using application XYZ common behavior for this user?” or “is endpoint activity on a given time common behavior for this entity?” 

The sandboxing related ATP capabilities focus on the analysis of objects. Network security monitoring focuses on the monitoring of network activities, by applying artificial intelligence and machine learning techniques. Next-Gen Anti-malware focuses on malicious system activity and malicious objects also by leveraging artificial intelligence and machine learning techniques. UEBA capabilities focus on user and entity behavior, by using profiling and anomaly detection based on machine learning.  

Beyond the difficulty of understanding the essence of the technology itself, comparing security products that compete in the rather new Advanced Threat Protection (ATP) technology space is further complicated because each vendor’s product is described in biased marketing language.

The purpose of the above vendor-neutral ATP capability description is to help you understand the fundamentals of the underlying types of technology of ATP security products, which should enable you to distinguish complementary from supplementary ATP security products. Some of the most prominent ATP security products have also been classified in their respective ATP capability and briefly explained, which should help you see through the marketing bias.

FireEye was an innovator when it came to sandboxing, but sandboxing has since evolved into a commodity technology and is offered by most best-of-suite security vendors. A network security monitoring capability can be delivered by DarkTrace on the network. Cylance, RSA ECAT, and Carbon Black probably sound familiar as Next-Gen Anti-malware capabilities for the endpoint.

In a loosely segmented network, including unrestricted client-server access for trusted and untrusted devices, a network security monitoring capability is necessary. In a strictly segmented network, where client-server access is restricted to trusted devices, and untrusted devices are provided controlled access – via, for example, Virtual Desktop Infrastructure (VDI) or Server-based Computing (SBC) capabilities – a Next-Gen Anti-malware capability is probably preferable. Besides being evaluated in the context of Advanced Threat Protection, a Next-Gen Anti-malware capability can be considered, though with due care, as a replacement for a conventional anti-malware capability. But the latter really depends on the overall security architecture/posture.

As a UEBA capability, Cynet, Splunk UEBA, and Microsoft Advanced Threat Analytics (ATA) might ring a bell. The underlying architecture of Cynet is a network-based scanning technology, which requires privileged access to profile user and entity behavior. Splunk UEBA relies heavily on Splunk Enterprise Security (SIEM) for providing automated analytics. Microsoft ATA uses port mirroring for deep packet inspection (DPI) on Active Directory traffic, and SIEM data for analytics.

The right ATP technology choices depend on your current and target IT architecture. It is also important not to be tempted to base your decision for a specific security product on a small unique ‘sales/marketing’ feature. This is especially true because you often may not have the specialized knowledge to leverage that feature to the fullest, or because it is impossible to implement since the (organizational or technical) pre-conditions cannot realistically be met, for example, due to a scattered outsourced IT supply chain. The above-mentioned vendors/products are classified under the capability for which they are primarily known, not taking into account possible product development efforts that expand their capability horizon.

STOP, Collaborate and Listen: Where Employee Vulnerabilities Put Data at Risk
https://www.infosecisland.com/blogview/24816-STOP-Collaborate-and-Listen-Where-Employee-Vulnerabilities-Put-Data-at-Risk.html
Wed, 07 Sep 2016 00:53:00 -0500

In most, if not all organizations, collaboration is not only essential to business, it is the key to success. Every day employees email, instant message, transfer and download digital files, all without a second thought about the data they are sharing and where that data may end up. Do these files contain high-value or confidential information? Is the employee allowed to have access to such data? Does the organization even know who is accessing the information, how they are accessing it and what they are doing with it?

It is easy for an organization to lose sight of model employee activity because they are laser focused on preventing external malicious actors from accessing their systems and the data they contain. Those model employees can, albeit unknowingly, expose the company’s vulnerabilities just by performing the daily activities of their job. For example, an employee working remotely via a non-secure network could send a file to a co-worker and by doing so open the file up for exploitation on that network. The receiving employee could then print that data and carry it outside of the organization’s walls. Will they be vigilant in where they leave that data? 

A recent Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” found that the primary cause of data breaches is careless employees (56%). This statistic is evidence that organizations must prioritize controlling employee access to data and setting concrete guidelines on how that data can be accessed and shared. It is crucial for companies to educate employees on their own access, what that entails and the consequences of not following protocol, which can end with a data breach.

Education and training can only go so far, which is why implementing a data security framework helps to fill the gap created by human error. The Ponemon study determined that 70 percent of respondents could not confidently locate confidential information in their own systems. A data security framework can assist those organizations by not only identifying where their sensitive information is stored, but also controlling the permissions of those employees who can access it and monitoring the usage of those authorized users.  

Whether it is the company’s trade secrets, product designs, financial data or the personal information of customers, businesses must protect high value information from landing in the hands of the wrong individual or threat group. Incorporating a data security framework and enforcing employee training, policies and education helps to ensure this data remains in the possession of the intended parties.  

Insider Threat: Why Negligence Is More Dangerous Than Malevolence
https://www.infosecisland.com/blogview/24814-Insider-Threat-Why-Negligence-Is-More-Dangerous-Than-Malevolence.html
Fri, 26 Aug 2016 08:00:00 -0500

Security threats can come from anywhere, but they most often occur from the inside. These types of threats are on the rise: in a recent report, 39% of IT professionals admitted they were more concerned about the threat from their own employees than the threat from outside hackers.

In May 2014, the U.S. Department of Homeland Security defined Insider Threat as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.”

The potential risks associated with an Insider Threat are particularly disturbing, since Insiders already have the necessary credentials and access to do significant damage to your organization. Traditional data security tools such as encryption are meaningless since Insiders are already authorized to bypass these security barriers in the same way they can use their network credentials to access your sensitive data.

As a recent example, customer records at AT&T Services were accessed by employees who stole information to sell to unauthorized third parties. As a result, in late 2015, AT&T Services had to pay a civil penalty of $25 million to resolve consumer privacy violations.

While we should not ignore the very real danger posed by this type of intentional threat, we must also recognize the role of negligent employees in delivering a similar result. The fact is that the road to a cyberattack is often paved with the best of intentions.

In February 2016, Snapchat announced that one of its employees had responded to a phishing scam, by sharing payroll information with the company’s Chief Executive Officer, or so they thought. Instead, they opened an email sent by an external actor who exploited the employee’s negligence to obtain sensitive information. While it was an honest mistake, the employee’s actions resulted in devastating consequences for the organization as well as the individuals whose data was breached. According to the FBI, this form of business email compromise has cost more than $1.2 billion over the past two years.

Cyberattacks originating from negligent employees are rapidly increasing. Employees have access to sensitive information that, if exposed, could negatively impact their organization. Yet most corporate research and investment on the Insider Threat has focused on those defined by Homeland Security: malicious behavior of purposeful hackers. We need to understand that the Insider Threat is considerably broader.

Contrary to popular belief, Insider Threats should not be restricted to these malicious profiles. Many would argue that the threat from well-intentioned, negligent employees, as in the Snapchat case, presents a much greater risk. In fact, IT decision makers view the employee as the greatest risk to the security of their organization (46%). Of these respondents, the ‘accidental’ threat outweighed the ‘intentional’ threat by double.

While no one can prevent all Insider Threats, adopting a transparent security policy is a key step in securing employee support while building greater trust between employees and employers. IT should work closely with senior leadership to integrate responsible IT security behavior training, including random user testing, and pre-emptive alerts established to call out unusual activity or access.

Organizations must also implement technology that delivers proactive and intelligence-driven approaches to security to help reduce risk and enable IT to effectively support business initiatives.

The successful prevention of any threat depends on our ability to accurately define and identify it – ideally before it has infiltrated our networks and data.  When addressing the risk of Insider Threats, we must look beyond those who are intentionally doing harm and place equal emphasis on those who are simply doing their job.

About the author: Eric Aarrestad, Senior Vice President, Product Management, leads Absolute’s focus on defining and driving requirements for Absolute’s product portfolio. Under Eric’s guidance, the product management team defines and communicates the product strategy and roadmap for all segments of the business. Eric is a seasoned information security executive, with a proven track record of market impact through building, scaling and growing global cloud, SaaS, mobile, data analytics and security products and services. Eric has worked in enterprise information security for more than 20 years, having previously held leadership positions at Microsoft, HEAT Software and WatchGuard Technologies.

Mr. Robot-Inspired FSociety Ransomware Emerges
https://www.infosecisland.com/blogview/24813-Mr-Robot-Inspired-FSociety-Ransomware-Emerges.html
Wed, 24 Aug 2016 06:57:20 -0500

Real-life experiences are often transformed into successful movies, but a piece of ransomware inspired by the Mr. Robot TV series proves that the reverse is also possible.

The new ransomware family was named FSociety because it uses an image that appeared in the Mr. Robot show as the logo of an infamous hacking group called FSociety. According to Bleeping Computer, the malware’s creator appears to be a fan of the show, but the ransomware itself is in its early stages of development.

For the time being, the ransomware doesn’t display a ransom note and does not provide users with information on how they can contact the author. Despite that, the malware does encrypt users’ files, although researchers discovered that only a test folder on the Windows desktop is targeted at the moment.

Discovered by Michael Gillespie, the FSociety ransomware is based on the EDA2 educational ransomware that already spawned numerous variants earlier this year. Released in the beginning of 2016, the educational ransomware has been already retired by its developer, Utku Sen.

Like other EDA2 variants out there, the newly spotted ransomware family was designed to encrypt users’ files using AES encryption. Next, the malware would upload the RSA-encrypted decryption key to a command and control (C&C) server.

The new threat is likely to receive improvements shortly, but it remains to be seen what these will be and whether they will improve the code enough to prevent security researchers from cracking it.

Previously, researchers were able to neutralize EDA2-based ransomware fast, because of a backdoor that Utku Sen included in the code. In fact, flaws in Hidden Tear’s code allowed security researchers to crack the encryption of that ransomware’s offspring as well.

What Elements Are Needed for Security Analytics Success?
https://www.infosecisland.com/blogview/24812-What-Elements-Are-Needed-for-Security-Analytics-Success.html
Tue, 23 Aug 2016 04:10:00 -0500

Over the course of the last 18 months, it has become increasingly evident that organizations need to do more to stop the growing epidemic of security failures and data breaches that are threatening the very ability to conduct business. Customers’ sensitive financial and personal information needs to be protected.

In response, many companies now realize they need to shore up their efforts internally to deal with the attackers that dwell on the inside for months looking for their target. In the process, the sheer number and the targeted specificity of attacks have made it clear that it is impossible for any single company’s IT department to weed through the potential problems and possible attack notifications to find the real threats. Even as they deploy next generation firewalls, endpoint detection and response products that move away from signatures to indicators of compromise (IOC) that promise to close the gap on detection and dwell time exposure, alert fatigue continues to plague many IT security teams.

In order to step up their game, businesses and organizations have been implementing security analytics technologies. The promise of security analytics is that it will do what humans in an IT department cannot – review endless amounts of data and flag the real threats you should pay attention to.

Not all security analytics solutions are created equal, however. There are five key characteristics critically important to ensuring that your security analytics are effective and capable of stopping today’s advanced threats.

Extreme Flexibility to Task and Data

Security analytics must be ready and willing to take on any problem presented to it. Strong and useful security analytics has to do more than security software that detects simple intrusions. It must be able to consider everything that potentially could be a problem. To do this it has to be applicable to any source of data – be that a network, device, server, user log, etc. Think of a broad range of use cases.

However, just being able to interface with these information silos is not enough. Security analytics needs to analyze several different features of the data – from metrics like response times or counts, to information coming from users, hosts and agents. It also needs to be smart enough to detect patterns like ‘beaconing’ and high information content in communication packets – and then be able to draw conclusions about them and form insights into what is actually happening and where.

In other words, to be successful, security analytics needs to be able to use every data source, data feature and potential problem laid out in front of it to detect unusual behaviors related to advanced attacks; then analyze them and present results to the user.
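An added example (not from the original article or from any vendor's product) of the two patterns named above: beaconing, measured as unusually regular gaps between connections, and high information content, measured as Shannon entropy of payload bytes. The flow records, payloads, function names and thresholds are constructed assumptions.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample: (epoch_seconds, src_ip, dst_ip) connection records.
# The first host calls out about every 60 s with small jitter; the second is bursty.
JITTER = [0, 1, -1, 0, 2, -2, 1, 0]
FLOWS = (
    [(1000 + 60 * i + j, "10.0.0.5", "203.0.113.9") for i, j in enumerate(JITTER)]
    + [(t, "10.0.0.7", "198.51.100.4")
       for t in (1003, 1010, 1190, 1200, 1650, 1655, 2400, 2410)]
)
# Constructed payloads keyed by an arbitrary label.
PAYLOADS = {
    "sample-text": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "sample-dense": bytes(range(256)),  # every byte value once: 8 bits per byte
}


def beacon_scores(flows, min_events=6):
    """Map (src, dst) to the coefficient of variation of its inter-arrival gaps.
    Values near 0 mean near-constant intervals, the signature of beaconing."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0:
            scores[pair] = statistics.pstdev(gaps) / mean
    return scores


def shannon_entropy(payload: bytes) -> float:
    """Bits of information per byte; compressed or encrypted data approaches 8."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def flag(flows, payloads, cv_max=0.1, entropy_min=7.0):
    """Return (beacon-like pairs, labels of high-entropy payloads).
    Both thresholds are illustrative assumptions that need tuning per network."""
    beacons = sorted(p for p, cv in beacon_scores(flows).items() if cv <= cv_max)
    dense = sorted(k for k, v in payloads.items() if shannon_entropy(v) >= entropy_min)
    return beacons, dense


if __name__ == "__main__":
    print(beacon_scores(FLOWS))
    print(flag(FLOWS, PAYLOADS))
```

Short payloads cap the entropy they can reach, so the entropy feature is only meaningful on samples of a few hundred bytes or more.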

Speedy, Accurate, Real-Time Analysis

With true security analytics implemented, the analysis should be fast – giving results in near real-time, making the user feel like it is almost automatic. Speed in processing of data is important when it comes to security issues – as any delays in identifying problems can be quite costly for companies, especially when an active data breach is occurring.

At the same time, while speed in processing is very important – it is second to the most important element of security analytics processing: security analytics needs to understand what it’s looking at and draw conclusions about what is important to the end user.

With an ever-increasing number of cyberattacks to worry about, it is easy to see how IT managers are overburdened with alerts that flag a potential breach or other issue that needs attention. Many of these issues are not breaches or problems that even warrant immediate (if any) attention; but with most security software that looks at signatures or ill-defined IOCs, everything is flagged so that nothing is missed. This clearly works to the advantage of the attacker, who hides in the noise of the environment in which it operates. With alert fatigue being a dominant complaint, it becomes harder and harder for analysts to see through the waves of alerts many advanced detection products emit.

Learns from the Past, Applies to the Future

Here is where machine-learning technology often enters the discussion. There are limits to what typical security tools and a single human end user can accomplish. There are only so many hours in the day to review alerts or notifications – and once you start self-selecting which ones seem important, you are already increasing the possibility that you miss a critical notification. Furthermore, while many companies deploy rule sets within their SIEM to aid in the filtering of highly relevant events, these are limited to a static understanding of “what is problematic” and not nearly as dynamic as a mechanism that could look to identify anomalies based on detected patterns from baselines.

Machine learning helps security analytics take the analysis of potential issues a step beyond seeing something and saying something. With machine learning technology in place, security analytics can now see something, correlate its significance and then ensure that it is only identifying the most important items based on probability scoring on the data.

Machine learning is a critical part of most security analytics – it can recognize and understand patterns, periodicity of data and anomalies within the data, learning from each instance what is normal behavior and where the outliers are. This makes it possible for the IT manager to act on every alert received, based on its analytical relevance score, instead of hoping he or she selected the correct ones.

Ability to Scale

Security analytics should be able to grow and scale with organizational growth. As businesses become more established and achieve greater levels of success, the amount of data they generate, the number of customers they have and the size of their operations all grow. This means that the probability of being “targeted” by cybercriminals or hackers grows as well. However, it is not always the biggest companies that are hit first or most often; it is the ones that are least prepared to prevent and detect the attackers.

Security analytics needs to be able to handle all of these instances and scale as required. An increasing amount of data should not faze strong security analytics solutions. On the contrary, more data should add context to an attack and lead to proper identification of an attacker’s techniques.

Ease of Deployment and Understanding Results

This last item could easily be separated into two, but they are two sides of the same coin. There are an increasing number of security analytics-based products on the market, with many new entrants coming from adjacent parts of the security space that incorporate analytics (many times because they generate too much data to be useful). Ease of deployment and understanding results comes down to achieving value on the analytics performed.

It is increasingly important to be able to deploy ready-built and defined “recipes” that are relevant to detect intrusions as part of security analytics. This can be a bit of an iterative cycle to “tune” to the kinds of customer data present, but a successful solution will be the one that is the most flexible and aids in the tuning process.

To utilize security analytics, the results need to convey things like attack progression and classification of threats in the vernacular of the users. This aspect is often lost or left for the customer to consume and display in his/her own dashboards. The assumption made by many vendors is that there is an army of data scientists on staff at each customer that can utilize the results to “tell the story” to the security analyst. This is simply not the case. Therefore, you should look to shorten the time to value and deploy smart, highly tunable security analytics that speak the language of your security team.

Conclusion

The importance of security analytics cannot be overstated, especially as data breaches, unfortunately, continue to dominate the headlines each day and attackers come up with new, targeted means to circumvent prevention technologies. This is why, to be successful, you first have to understand the key elements of security analytics – to make sure what you implement will check off all of the boxes that should be checked off, and you’re not left wondering why your analytics solution isn’t finding everything it should. By implementing a security analytics solution that closely aligns with the five elements above you will be in a better position to short circuit the next attack on your business.

Hackers Ghosting the Trail
https://www.infosecisland.com/blogview/24809-Hackers-Ghosting-the-Trail.html
Thu, 18 Aug 2016 09:00:00 -0500

If you're a professional hacker looking for the victim of your next big heist, one thing you are going to do is cover your tracks. Eliminating the evidence is a primary concern in many criminal activities. In the physical world, it is fingerprints, bullet casings, blood, hair, camera footage, etc. In the virtual world of cyber crime, it largely all comes down to logs. Criminals want to find, delete or alter them and the gatekeepers want to save, archive and protect them from the bad guys. After the theft has occurred, if there is going to be any tracking down of the assailant, it will come down to how well the organization has archived and protected the logs and traffic patterns.

For example, when hackers stole at least 45.7 million credit and debit cards from shoppers at off-price retailers including T.J. Maxx and Marshalls, NBC News reported that "TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it."

Removing logs to cover their tracks obviously makes an investigation significantly more difficult, but what if, instead of deleting them, the attackers alter their contents? Hackers talk about this strategy on ethical hacking sites.

“Don't delete entire log files, instead, just remove only the incriminating entries from the file. The other question is, is there a backup log file? What if they just look for differences and find the exact things you erased? Always think about your actions. The best thing is to delete random lines of log, including yours.”

Examples of log altering:

  • Hackers stole $101 million from Bangladesh’s central bank. Investigators learned that the heist was performed by "a sophisticated group who sought to cover their tracks by deleting computer logs as they went".
  • A phishing attack allowed a perpetrator to infect and compromise JP Morgan Chase. Robert Capps, a cybersecurity expert at RedSeal, commented that "Getting access to bank records is uncommon but not unheard for hackers, who often change computer logs to cover their tracks but can't always get to more sensitive data." When the FBI was brought in to investigate, CNN reported that “hackers used sophisticated, never-before-seen malware to get deep enough into the banks' computer systems to delete and manipulate records”.

How to Protect Logs

All logs should be sent to a separate collection system in real time. Hosting log files locally on the same system that has been compromised isn’t a good idea. It makes it all the easier for the attacker to remove or alter the evidence. Instead, send the logs in real time to an appliance such as a SIEM.

Archive the Traffic Patterns

The traffic patterns to and from all systems on the network can also easily be archived for long periods of time. NetFlow and IPFIX are the leading technologies today for keeping a record of all communication patterns between connected devices. All routers and most major firewalls can export NetFlow or IPFIX records to a flow collection system. Should an incident occur, log records can be compared to traffic patterns, which allows security teams to confirm the validity of events that took place.
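An added example (not from the original article) of how the off-host copies described in the two sections above are used during incident response: it compares the log file left on a host with the collector's copy to find removed or rewritten entries, then checks archived flow records for connections that have no matching log entry. The log format, field names, function names and all sample records are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (format and field names are assumptions).
# COLLECTOR: copy forwarded off-host in real time. LOCAL: file left on the host.
COLLECTOR = [
    "2016-08-18T09:00:01Z sshd accepted user=alice src=10.0.0.21",
    "2016-08-18T09:04:37Z sshd accepted user=backup src=192.0.2.77",
    "2016-08-18T09:05:02Z sudo user=backup cmd=/bin/sh",
    "2016-08-18T09:30:15Z sshd accepted user=bob src=10.0.0.34",
]
LOCAL = [
    "2016-08-18T09:00:01Z sshd accepted user=alice src=10.0.0.21",
    "2016-08-18T09:05:02Z sudo user=carol cmd=/bin/ls",
    "2016-08-18T09:30:15Z sshd accepted user=bob src=10.0.0.34",
]
# Constructed flow records in the spirit of NetFlow/IPFIX: (start, src_ip, dst_port).
FLOWS = [
    ("2016-08-18T09:00:00Z", "10.0.0.21", 22),
    ("2016-08-18T09:04:35Z", "192.0.2.77", 22),
    ("2016-08-18T09:30:14Z", "10.0.0.34", 22),
]
SSH_LOGIN = re.compile(r"^(\S+) sshd accepted user=\S+ src=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def reconcile(local, collector):
    """Return (lines gone from the host, lines only the host has)."""
    gone = Counter(collector) - Counter(local)    # deleted or rewritten locally
    extra = Counter(local) - Counter(collector)   # rewritten or injected locally
    return sorted(gone.elements()), sorted(extra.elements())


def unlogged_flows(flows, log_lines, port=22, tolerance=timedelta(seconds=5)):
    """Flows to `port` with no login entry from the same source near that time.
    A hit is a lead to investigate (it could be a failed login), not proof."""
    logins = [(parse_ts(m.group(1)), m.group(2))
              for m in map(SSH_LOGIN.match, log_lines) if m]
    return [f for f in flows if f[2] == port and not any(
        src == f[1] and abs(ts - parse_ts(f[0])) <= tolerance
        for ts, src in logins)]


if __name__ == "__main__":
    gone, extra = reconcile(LOCAL, COLLECTOR)
    print("missing on host:", *gone, sep="\n  ")
    print("only on host:", *extra, sep="\n  ")
    print("flows without a local log entry:", unlogged_flows(FLOWS, LOCAL))
```

With the sample data, the collector copy still holds the two entries that no longer appear on the host, and the flow archive independently shows the connection from 192.0.2.77 that the local log no longer accounts for.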

Taking the Protection of Logs a Step Further

Due to the critical nature of saving unaltered logs, companies often deploy a UDP forwarder. These appliances duplicate all received UDP frames (i.e. messages) and forward them to multiple collection servers by changing the destination IP address. The source IP address, however, is not modified. As a result, the device performing the UDP forwarding is completely transparent to the destination.

If a hacker were to notice that logs were being offloaded to a second system, they would have to hack the UDP forwarding system, learn where the logs were going and then hack the additional systems. Most hackers will skip changing the logs or move on to an easier target.

Keep your Data Safe

Never has there been a time when logs are more important. Attackers are going to get in and you will be required to perform incident response. The first thing the security team will ask for is the logs. When this happens, don’t be the one wondering what to do next. Make sure logs are backed up to a second or third system and make sure a UDP forwarder is relaying the messages. The harder you make it for the attacker, the more likely they are to move on to another victim.

About the author: Michael Patterson, CEO – Plixer: Michael worked in technical support and product training at Cabletron Systems while he finished his Masters in Computer Information Systems from Southern New Hampshire University.  He joined Professional Services for a year before he left the ‘Tron’ in 1998 to start Somix which eventually became Plixer.

Paving the Road to Digital Transformation
https://www.infosecisland.com/blogview/24811-Paving-the-Road-to-Digital-Transformation.html
Thu, 18 Aug 2016 08:00:00 -0500

I recently had an “a-ha” moment when I realized I had just experienced digital transformation in practice. It happened while I was driving from Los Angeles to Ottawa – a distance of just about 3,100 miles. As with any road trip, refueling your car is a necessity and, as you can imagine, I was stopping at the gas station a couple times a day on my way to Ottawa.

I’ve been a long-time customer of a particular gasoline/petrol vendor as I have one of their credit cards and am a member of their loyalty program. At one of my first gas station stops along the interstate, my favorite provider wasn’t available, so I pulled into an ExxonMobil gas station. As I proceeded to fill up my tank, an advert for a gas payment app caught my eye:

I noticed the app—known as Speedpass+—supported Apple Pay, so I downloaded it. To my surprise, I was able to authorize the transaction from my smartphone, choose my pump, and fill up my car – all within a matter of seconds. Not once during this transaction did I take out my wallet for a credit card or cash. 

Aside from this being a “cool” app, what was my “a-ha” moment? And more importantly, what’s the connection to digital transformation?

Let me start with a definition: digital transformation is all about embracing and adopting the latest digital technical innovations, with the ultimate goal of driving revenue. You’d have to be a hermit to be unaware of the digital innovations happening all around us. Long gone are the days when we anxiously wait for the latest IBM mainframe or the newest PC to enable new business initiatives. Today, the cloud, advances in mobile computing, and the growing use of these technological innovations are driving our respective customers and end-users to adopt these innovations faster than even our companies can. The digital transformation also gives end-users and customers a more direct connection with a company that had previously been impossible.

The Rise of Mobile Payment Apps

One of the precepts of digital transformation is generating top-line revenue for the company. This was the “a-ha” moment for me. I literally said to myself, “Wow, this app is so cool and it uses Apple Pay, so I’m going to switch to ExxonMobil and use them from now on.” It’s no surprise that mobile payment apps are growing in popularity. A recent study from eMarketer forecasts that in the U.S., mobile payments will triple within the next year as approximately 37.5 million people will make use of the technology.

But what about security? One of my biggest concerns about using my credit card at gas stations is credit card fraud as a result of credit card skimming, when crooks install a small device to physically scan and store credit card data from the magnetic stripe. Personally, I’ve had to replace my credit card twice in the last six months, so any opportunity to avoid swiping my card is welcome in my book.

While still in their infancy, payment apps are constantly iterating on ways to enhance their security features. According to Security Intelligence, popular mobile payment app Venmo now includes multi-factor authentication, so that if a sign-in attempt is made from a phone or browser that is not already linked to a user’s Venmo account, the company sends out an alert with a six-digit text code to the primary mobile number.

The fact that I was now relying on my mobile device’s security features coupled with those of Apple Pay – versus a traditional credit card reader – tells me the digital transformation is in full force.  

Embracing the digital age with BYOD

Another one of digital transformation’s core tenets is “bring your own device,” which ExxonMobil embraced by implementing a hassle-free, mobile method of payment. Rather than retrofit all ExxonMobil pumps with NFC readers, the company built an app that enabled more than 6,000 stations to immediately accept payment via their Speedpass+ app. By using the phone’s GPS, the app automatically recognizes which station you are at and easily allows you to pick the pump you want to authorize.

Again, this is but one great example of embracing today’s digital transformation through BYOD.

The human element of digital transformation

Speaking from the customer’s perspective, I have a direct interaction with ExxonMobil now. Rather than using a credit card to pay for my purchase, I’m using the Speedpass+ application. On top of this, the application offers customers the ability to provide station feedback directly from the app. Instead of assuming the status quo as a faceless corporation, I’m not only able to, but encouraged to provide direct feedback to ExxonMobil about any station that I visit.

This experience showed me that the digital transformation has arrived and organizations are embracing the latest innovations to provide customers with anytime, anywhere, any way access. Now, ExxonMobil has a new customer and a new revenue stream: me.

About the Author: Currently the senior director of Product Management for Dell Security, Jackson Shaw has been involved with directory, meta-directory and security initiatives for 25 years. He has spoken at various industry events and writes a popular identity management blog. Jackson oversees product direction, strategy and go-to-market activities for Dell’s suite of identity and access management products.
