OSX Ransomware Offered for Sale in the Underground
https://www.infosecisland.com/blogview/24699-OSX-Ransomware-Offered-for-Sale-in-the-Underground.html
Wed, 10 Feb 2016 11:11:00 -0600

In the past several years, Ransomware has grown to epidemic proportions. Cybercriminals have learned that extortion works very well and have rapidly adopted this type of malware. For those less familiar with the term, Ransomware is a type of malware which encrypts important files on the victim's computer, such as pictures, Office documents, music files, databases (if the victim is a software developer), and more. The victim has a limited amount of time to pay a ransom in Bitcoin or an alternative e-currency, or the files remain encrypted and thus inaccessible forever. These nasty pieces of software have become so commonplace that they have even reached mainstream TV, with shows such as The Good Wife dedicating an episode to the subject. Ransomware has been limited mainly to one platform, Windows, and has more recently also moved to mobile, specifically Android. Other operating systems, such as Apple's OSX, have remained relatively safe. So far, OSX Ransomware has been limited to a Proof-of-Concept called Mabouia and a Ransomware-like scam which did not really affect any file. However, this era of relative security for OSX users is perhaps coming to an end.

A relatively new vendor on an underground marketplace is now offering a new type of Ransomware, dubbed "GinX". The Ransomware seems fairly standard as far as Ransomware goes. Once triggered, it encrypts files of the types mentioned above and gives the victim 96 hours to pay the ransom via Bitcoin. If the victim hasn't paid the ransom in time, the encryption keys needed for decrypting the files are deleted, making sure access to the files is lost forever. What makes "GinX" relatively unique is that it comes not only in a Windows version but also in an OSX version.

According to the vendor, the OSX version:

Comes in .app format and can have any icon associated with the application. Default icon is a Word Document. The file once double clicked does not throw any warnings. With Default Mac OS-X settings it opens and executes with no user prompts.

Once the file is executed it activates immediately and begins encrypting their files. This also can be set to a delay in minutes if required. Once the files are encrypted the target will be prompted that they have been infected with GinX RaaS along with instructions on how to make payment to get their files back. Just before the user is prompted it takes a picture via their internal webcam and displays it to the victim in the instructions file for added effect (Yes the webcam green light does come on). Default payment is required within 96 hours. After 96 hours have passed the files are no longer accessible. This prompt will appear once and once only.

From that point on the files are no longer recoverable unless they pay and use the decrypt file supplied after payment.

If the vendor's claims are accurate (more on that below), this would be one of the first cases where a "true" Ransomware, one which encrypts files on the machine, is targeting OSX users. Not a Proof-of-Concept, not cheap JavaScript tricks that look like Ransomware, nor locking users out of their accounts after they've been taken over. If, again, the vendor's claims are to be believed, the fact that no warnings are triggered when the file runs should be a cause for concern, as OSX usually warns or prevents users from opening programs that were not approved by Apple. Furthermore, the vendor claims that this Ransomware currently evades detection by 50 anti-virus products, which is not uncommon for new malware on the market.

Yes both OS versions currently pass over 50 AVs at the time of this writing. Should they get flagged (eventually they will) efforts will be made to ensure they remain undetectable. This is a cat and mouse game and will continue to be. You should be able to get a month free of AV problems before running into issues. Again, this has so many variables it's difficult to predict when and how it will get detected. It's highly advisable to do short campaigns and quick cash outs to achieve the most from this product.

In the end we cannot guarantee it will remain undetected. We take no responsibility for that.

The Ransomware supposedly operates on all OSX versions and weighs less than 2MB.


Note that Inteller has not obtained the malware and therefore has not investigated it. The vendor appears to be new on this particular marketplace and has yet to make any deals. In other words, we have not validated any of the vendor's claims. However, another vendor on the marketplace, one who has already been verified to be a trustworthy individual, has vouched for the Ransomware vendor.

[RANSOMWARE VENDOR] was a member of our team and I can vouch for him. He's professional and we've worked beside one another for quite some time.

I've had an opportunity to test this product on Windows 7 and 8 virtual machines as well as on a MacBook Pro with OS-X Mountain Lion and Yosemite with success. Payments received appear to be processed manually by the team when you initiate a "cash out" of funds received from ransoms. Not sure if that's a positive or a negative but either way in "theory" this product will work. Not as automated as some other products out there but maybe this has less problems simply because of that.

The mentioned "payment processing" refers to another interesting aspect of the Ransomware: its business model. "GinX" isn't just being sold in the underground for a fixed price; instead it is offered in the RaaS (Ransomware-as-a-Service) model. This business model, which was pioneered by the earlier Ransomware "Tox", means that in addition to paying for "GinX", the buyer splits the profits from its operation with the developers. The vendor offers three possible plans: a 50-50 cut of the profits with a down payment of $500, a 60-40 split with a down payment of $1000, or a 70-30 split with a down payment of $1500. In this way, the initial payment is much lower than what a new cutting-edge Ransomware may cost, while the developers secure long-term revenue from their work.

As with all new products and innovations in the underground, it remains to be seen whether OSX versions would be adopted by criminals in future releases of Ransomware products. If the vendor's claims are true and the application can run without triggering any warnings even on the default settings of OSX, all it would take to victimize Mac users is social engineering. Considering many cybercriminals have already mastered the art of social engineering, "GinX" may become the criminal product that would popularize Ransomware on Macs.

About the Author: Idan Aharoni is the founder & CEO of Inteller, a leading provider of web intelligence solutions. Idan was the Head of Cyber Intelligence at RSA, where he was responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Idan joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. In 2006, he founded the FraudAction Intelligence team, which he led until 2013. Between his work at the Anti-Fraud Command Center and the unique insight he has gained from the intelligence and discoveries gathered by his team at RSA, Idan offers vast expertise in the underground fraud economy and how cybercriminals operate.

Copyright 2010 Respective Author at Infosec Island
SAP Security Notes February 2016 - Review
https://www.infosecisland.com/blogview/24698-SAP-Security-Notes-February-2016-Review.html
Wed, 10 Feb 2016 08:10:25 -0600

SAP has released the monthly critical patch update for February 2016. This patch update closes 23 vulnerabilities in SAP products, including 15 SAP Security Patch Day Notes, 1 update to a previous Security Note, 2 Support Package Notes released on this SAP patch day, and 5 Notes released after the second Tuesday of the previous month and before the second Tuesday of this month.

13 of the closed Notes have a high priority rating. The highest CVSS score among the vulnerabilities is 7.5.

[Figure: SAP Security Notes February 2016 by priority]

Most of the discovered vulnerabilities belong to SAP NetWeaver J2EE applications security.

[Figure: SAP Security Notes February 2016 by platform]

The most common vulnerability types are Cross-Site Scripting and Missing Authorization Check.

[Figure: SAP Security Notes February 2016 by vulnerability type]

This month, four critical vulnerabilities found by ERPScan researchers Dmitry Chastuhin and Vahagn Vardanyan were closed.

Cyber Security issues for SAP Manufacturing

One of the issues closed by ERPScan researchers deserves attention: a directory traversal vulnerability in SAP xMII (Manufacturing Integration and Intelligence). This solution plays a vital role in the cyber security of Manufacturing, Oil and Gas, Energy and Utility companies. SAP xMII provides a connection between shop-floor systems and enterprise business applications. It is designed to collect and aggregate plant and production information and then display this data to management on dashboards built on ERP, BI, and other systems. Despite all the benefits, SAP xMII may also put enterprises at risk. Vulnerabilities affecting SAP MII can be used as the starting point of a multi-stage attack aiming to gain control over plant devices and manufacturing systems. ERPScan researchers demonstrated such attack vectors against Oil & Gas companies at the recent BlackHat conference. The directory traversal vulnerability is another entry point for attackers to penetrate plant-floor and Operational Technology networks where ICS and SCADA systems are located.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • A Directory traversal vulnerability in SAP Manufacturing Integration and Intelligence (CVSS Base Score: 4.0). Update is available in SAP Security Note 2230978. An attacker can use a Directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
  • An SQL injection vulnerability in SAP UDDI (CVSS Base Score: 6.8). Update is available in SAP Security Note 2101079. An attacker can use an SQL injection vulnerability with specially crafted SQL queries to read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands.
  • An Information disclosure vulnerability in SAP Universal Worklist Configuration (CVSS Base Score: 5.0). Update is available in SAP Security Note 2256846. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that will help them learn about a system and plan other attacks.
  • A Cross-site scripting vulnerability in SAP Java Proxy Runtime (CVSS Base Score: 4.3). Update is available in SAP Security Note 2220571. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s research.
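The directory traversal item above describes the impact (reading arbitrary files under the server's filesystem) but not the defensive check that prevents it. The following is an added example, not code from SAP, ERPScan or the advisory: a path-containment check that an application can apply to any user-supplied filename before opening it. The base directory and file names are constructed for the demo; the function names are this example's own.

```python
"""Added example: reject directory-traversal input before touching the filesystem.

A user-supplied relative path is resolved against a fixed base directory and
refused if the resolved result lies outside it. Resolving (rather than merely
searching for "..") handles three cases a naive filter misses:
  - "a/../../secret" style sequences that normalise outside the base,
  - absolute paths, which Path joining silently replaces the base with,
  - symlinks inside the base that point somewhere outside it.
The base directory name is a constructed example; nothing here is SAP code.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the allowed base directory."""


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Return the real path for user_path inside base_dir, or raise."""
    base = Path(base_dir).resolve()
    # Joining with an absolute user_path discards base; resolve() follows
    # symlinks and collapses "..", so the containment test below sees the
    # path the OS would actually open.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError if not below base
    except ValueError:
        raise PathTraversalError(f"rejected path outside {base}: {user_path!r}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under, convenient for filters and tests."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def symlink_demo() -> bool:
    """Show that a symlink inside the base pointing outside it is rejected.

    Builds a throwaway layout: <tmp>/outside/secret.txt and
    <tmp>/base/link -> <tmp>/outside, then asks for "link/secret.txt".
    Returns the is_safe() verdict (expected: False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed secret\n")
        base = Path(tmp) / "base"
        base.mkdir()
        os.symlink(outside, base / "link")
        return is_safe(str(base), "link/secret.txt")


if __name__ == "__main__":
    base = "/srv/xmii/reports"   # constructed base directory for the demo
    for req in ("q1/summary.txt", "q1/../q2/plan.txt", "../../etc/passwd",
                "/etc/passwd", "q1/../../secrets.cfg"):
        print(f"{req!r:28} -> {'allowed' if is_safe(base, req) else 'rejected'}")
    print("symlink escape allowed?", symlink_demo())
```

The check is deliberately applied to the resolved path rather than to the raw string: "q1/../q2/plan.txt" is allowed because it stays inside the base after normalisation, while "q1/../../secrets.cfg" is rejected even though both contain "..". The same containment test also catches the symlink case, which string filtering cannot see at all.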

Other critical issues closed by SAP Security Notes February 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2273881: SAP TREX has an OS command execution vulnerability (CVSS Base Score: 7.5). An attacker can use an OS command execution vulnerability to execute operating system commands without authorization. Executed commands run with the same privileges as the service that executed them. The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent risks.
  • 2266565: SAP SAPSSOEXT has a Denial of service vulnerability (CVSS Base Score: 5.0). An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and damages reputation. Install this SAP Security Note to prevent risks.
  • 2272211: SAP HANA Extended Application Services SAPUI5 has a Cross-site scripting vulnerability (CVSS Base Score: 4.3). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent risks.

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Five Security Threats Businesses Should Prepare for in 2016
https://www.infosecisland.com/blogview/24696-Five-Security-Threats-Businesses-Should-Prepare-for-in-2016.html
Thu, 28 Jan 2016 12:29:00 -0600

Cyber security continued to step into the public eye in 2015 with numerous high-profile data breaches at major, global organizations. As we move into 2016, cyber-attacks will continue to become more innovative and sophisticated. Unfortunately, while organizations are developing new security mechanisms, cybercriminals are cultivating new techniques to sidestep them.

Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will impact business reputation and shareholder value.

After reviewing the current threat landscape, there are five prevalent security threats that we at the Information Security Forum believe businesses need to prepare for in 2016. These include, but are not limited to, the unintended consequences of state intervention, Big Data, mobile applications and the Internet of Things (IoT), cybercrime and the growing skills gap in the information security industry.

Let’s take a quick look at each:

1. The IoT Adds Unmanaged Risks

Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. Fines for data breaches will increase. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines. Organizations that get on the front foot now and prepare for stricter data breach laws with bigger fines for non-compliance will find themselves ahead of the curve and in customers’ good graces. They’ll also make better business decisions along the way.

The IoT will also transform supply chain leaders' access to information, as well as the exposure of operations to cyber-risk. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain and thus both are constantly at stake. Businesses must focus fixes on the most vulnerable spots in their supply chain now, before hackers, or other cybercriminals, find their way in to disrupt your global distribution of goods and services.

When it comes to corporate communications, the primary way that many connected devices communicate is via the cloud. Organizations need to understand that putting private information into the cloud creates risk and must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. In moving their sensitive data to the cloud, all organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of PII, with penalties for organizations who fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and loss of customers due to privacy breaches. With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

2. Cybercrime Causes the Perfect Threat Storm

Cybercrime, along with the increase in hacktivism, the surge in cost of compliance to deal with the uptick in regulatory requirements coupled with the relentless advances in technology against a backdrop of under investment in security departments, can all combine to cause the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen.

But, establishing cyber security alone is not enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond and mitigate any damaging impacts of cyberspace activity.

Cybercrime often involves sophisticated, targeted attacks against an organization, and additional security measures are required to respond to specific cybercrime-related attacks and to put in place cyber resilience programs that anticipate uncertainty. There is an ever increasing need for a prepared and comprehensive rapid-response capability, as organizations will continue to be subject to cyber-attacks regardless of their best efforts to protect themselves.

Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognises the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.

3. Mobility Concerns

Smartphones are creating a prime target for malicious actors. The rapid uptake of BYOD, and the introduction of wearable technologies to the workplace, will increase an already high demand for mobile apps for work and home in the coming year. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and thorough testing in favor of speed of delivery and low cost, resulting in poor quality products more easily hijacked by criminals or hacktivists.

As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Mobile device risk in the workplace is established on one fundamental factor: ownership of the device. Employees who bring their own devices expose the organization to different behaviors and thwart long established organization controls when it comes to managing the associated risk. The fact that the employee, not the organization, owns the device has consequences that many organizations have yet to understand or have the proper resources to apply.

Some employee tablet or smartphone activities would be entirely unacceptable if the devices were owned by the organization. For example, the device may be taken to an unsuitable location where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or have any number of personal applications on it. Devices, especially small form-factor phones and tablets, can easily be lost. If the device contains sensitive organizational data, or can connect to a corporate network to access such data, these behaviors greatly increase the risk of compromising an organization’s information.

Time is critical and businesses need to formulate a response to the growing trend of mobile devices in the workplace with a sense of urgency. Focusing on the organization’s information as a guiding principle for considering risk as part of a BYOD program can bring a great deal of clarity to decision-making, as it facilitates the definition of device-agnostic solutions which could be re-used for other BYOD deployments. This approach must be tempered against the willingness of executives to increase their risk appetite to enable BYOD.

4. Skills Gap Becomes an Abyss for Information Security

A maturing information security field and more sophisticated cyber-attack capabilities will demand skilled information security professionals who are increasingly scarce. Cybercriminals and hacktivists are increasing in numbers and deepening their skillsets. The ‘good guys’ are struggling to keep pace. Where will these resources and skillsets come from? CISOs need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organization’s cyber resilience.

In 2016, the skills gap will deepen as hyper connectivity increases. CISOs should prepare to build information security capabilities across the organization and position the executive team to recognize and retain talent, both those who have come up through the ranks and newer employees who have worked in a digital environment and business roles. Moving forward, there will be a need to be more aggressive about getting the skill sets that the organization needs. While the industry continues to attract the right level of interest, and while businesses continue to work with universities and pass needed legislation, the industry as a whole must realize that there is a skills gap problem that needs to be resolved.

5. Governments and Regulators Won’t Do it For You

Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.

Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. In order to determine what cross-border transfers will occur with a particular cloud-based system, an organization needs to work with their cloud provider to determine where the information will be stored and processed.

Additionally, conflicting official involvement in cyberspace will create the threat of collateral damage and have unforeseen implications and consequences for all organizations reliant on it. Varying regulation and legislation will restrict activities whether or not an organization is the intended target. Even organizations not implicated in wrongdoing will suffer collateral damage as authorities police their corner of the Internet.

Moving forward, it will be about organizations understanding what governments are able to ask for and being open about that with partners. In the past, we didn't have this kind of openness.

The Need to Engage with the Board

The role of the C-Suite has undergone significant transformation over the last decade. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization (ostensibly among the victims of the crime) will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.

The executive team sitting at the top of an organization has the clearest, broadest “big picture” view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber security will be unmanageable. Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.

Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.

Information Risk Assessment Methodology


With the explosion of digital information, it’s not possible for organizations to protect all their information and associated systems to the same level. In addition, threats aren’t monolithic; they vary immensely in origin, intent, strength, and a multitude of other factors. While much has been written on this subject, there are few methodologies that provide an end-to-end approach to presenting a business-focused view of information risk.

That is, until now.

At the Information Security Forum, we recently introduced our Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes with each of its six phases detailing the steps and key activities required to achieve the phase objectives while also identifying the key information risk factors and outputs.

The six IRAM2 phases include:

  1. Scoping
  2. Business Impact Assessment
  3. Threat Profiling
  4. Vulnerability Assessment
  5. Risk Evaluation
  6. Risk Treatment

Threats, threat events, vulnerabilities and potential impacts are not necessarily static. This results in the need for the practitioner and key stakeholders to review risks on a regular basis, as well as when any contributing factor in the organization or environment significantly changes.

As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.

The Time is Now: Get Prepared…or Be Prepared to Get Left Behind

Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organizations need to be aware of the emerging threats that have shifted in the past year, as well as those that they should prepare for in 2016.

Organizations of all sizes are operating in a progressively cyber-enabled world and traditional risk management isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates the threat vectors from a position of business acceptability and risk profiling. 

From cyber to insider, organizations have varying degrees of control over evolving security threats and with the speed and complexity of the threat landscape changing on a daily basis, far too often we are seeing businesses getting left behind, sometimes in the wake of reputational and financial damage. Businesses must take stock now in order to ensure that they are prepared and engaged to deal with these ever-emerging challenges.

While it would be nearly impossible for businesses to avoid every serious incident, few have a mature, structured approach for analyzing what went wrong. By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately. This will be of the highest importance in 2016 and beyond.

Top Five Enterprise Data Privacy Mistakes
https://www.infosecisland.com/blogview/24695-Top-Five-Enterprise-Data-Privacy-Mistakes.html
Thu, 28 Jan 2016 09:28:38 -0600

Global businesses are reevaluating their data privacy programs this year as new privacy regulations targeted at businesses take effect. The European General Data Protection Regulation is a new privacy regulation with fines as high as four percent of annual global revenue for companies that fail to safeguard data of EU citizens and residents. In the U.S., 16 states recently introduced new, ACLU-supported data privacy legislation. In spite of efforts to improve privacy protections, many enterprises are not doing enough to protect consumer data.

“Data Privacy Day is a great opportunity for organizations to reevaluate their privacy program,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”

According to Erlin, the top five data privacy mistakes businesses make are:

1. Failure to keep only essential consumer data: Many organizations keep a lot of customer data in case they need it “someday.” While this approach may seem prudent this data can easily become a major target for cyber attackers and, because it isn’t business critical, it may not receive the same protections as other, more sensitive data.

2. Failure to encrypt customer data: While there are some regulatory requirements for encrypting customer data, companies need to establish internal processes to keep data encrypted. Leaving customer data unencrypted makes it much easier for attackers to grab.

3. Failure to secure access paths: Encrypting customer data is important, but it must be decrypted for use in an application at some point. Attackers will aim to compromise the applications that use customer data in order to get to that data. “Don’t worry, the data is encrypted,” is a dangerous mindset.

4. Failure to patch known vulnerabilities: Security experts may be more interested in the technical analysis of the latest malware, but successful attacks are more likely to exploit the three-year-old web server vulnerability that gets them access to high-value data. Patching systems isn’t glamorous, but it’s essential to protecting data.

5. Failure to monitor and control simple misconfigurations: More than one of the breaches that have been in the headlines recently has been the result of a misconfigured database or server. If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can leverage.

Source: Tripwire

The Age of Advanced Threats Has Arrived https://www.infosecisland.com/blogview/24694-The-Age-of-Advanced-Threats-Has-Arrived-.html https://www.infosecisland.com/blogview/24694-The-Age-of-Advanced-Threats-Has-Arrived-.html Fri, 15 Jan 2016 13:00:00 -0600 "There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it."

Gartner published that quote in 2012, in its report Best Practices for Mitigating Advanced Persistent Threats. Back then, people thought it was an alarmist claim, but three years later it is clear that it’s anything but. We are now living in the age of advanced, insidious attacks. Need evidence? Take a look back at the numerous data breaches we have seen in the last couple of years: Target, Home Depot, Sony Pictures, White House, German Parliament, JPMorgan, Anthem... just to name a few.

The need to improve protection and detection is felt by all, and some companies have taken the right steps in creating new approaches to tackle these threats, like Breach Detection Systems (BDS) and Next Generation Firewalls (NGF). Both approaches focus on Indicators of Compromise (IoC) to detect current attacks that are already happening within the network. These solutions are extremely valuable, and help CISOs in their fight to keep their organizations as safe as possible.

However, there are some obvious weaknesses in this approach. There is nothing wrong in analyzing the network traffic to find out anomalies, but the key is protecting the endpoint.

With the sophistication of these new attacks come more targeted goals from the attackers. They focus on attacking the endpoint, not the network. No longer is it enough to protect the endpoints from an outside view. The old approach neglects to inform CISOs what is actually happening. When attackers infiltrate using USB devices, it only gets worse, as those solutions do not see any of that. It can be said that those threats are not a real danger, but this couldn’t be further from the truth - look at Stuxnet, the USB worm used to destroy 1,000+ uranium centrifuges in Iran.

On top of that, those anomaly detections rely mostly on the use of IoCs as a detection mechanism. These IoCs can be anything from URLs, IP addresses, C&C servers, etc. In other words: they are using signatures. Advanced security providers have no excuse to charge thousands and thousands of dollars for their solutions when those solutions rely on outdated detection methods.

These companies are well aware of the limitations and weaknesses, and they try to mitigate them using other layers, such as sandboxing or some kind of virtualization, to learn what the files entering the endpoints are going to do. Those who have been fighting against malware know that cybercriminals learned years ago how to get around any sort of virtualization thrown at them. It’s one of the first things on their checklist when they are planning such an attack.

What Can Be Done?

Traditional antivirus solutions are not enough - BDS and NGF only tell you you’ve been attacked. At best, they give you a chance to reduce the elapsed time that you have been compromised, but they don’t do much in the way of stopping the attack and limiting the damage. They can only prevent an attack if it is already known, using the same approach as a traditional antivirus: signatures. What else can a CISO do to really protect his or her organization? What kind of tools or services should be used?

The most capable defense solutions must not only be centralized, but also be able to automatically block, identify, forensically profile and purge malware, even when it is veiled by legitimate programs and processes. The software needs to be smarter than the malware itself.

Additionally, a CISO must have knowledge and control of every process running throughout all of the computers in the organization. Most APTs rely on exploits that take advantage of vulnerabilities present in all kinds of reliable applications. Real time monitoring is a must, with a holistic approach that takes into account the execution context of every program. Forensic capabilities also have to be in place in order to have all actionable information, in the event that a compromise takes place.

One of the major issues when a breach has been detected is the lack of information. When did it start? Where did it come from? Has it accessed confidential data? Has there been any information exfiltration? With continuous monitoring and advanced forensic technologies, all available data can be made available from the very first moment, closing the gap and limiting the damage.

2015 saw the most sophisticated cyberattacks in history. Traditional antiviruses are no longer capable enough to handle the malware they’re faced with. It’s time for the sophistication and strength of our solutions to catch up, or we’ll never be one step ahead of cybercrime.

Luis Corrons, Technical Director of PandaLabs at Panda Security, has been working in the security industry for more than 16 years, specifically in the antivirus field. Luis is a WildList reporter, member of the Board of Directors at AMTSO (Anti-Malware Testing Standards Organization) and member of the Board of Directors at MUTE (Malicious URLs Tracking and Exchange). He is also a top rated industry speaker at events like Virus Bulletin, HackInTheBox, APWG, Security BSides, etc. Luis also serves as liaison between Panda Security and law enforcement agencies, and has helped in a number of cyber-criminal investigations.

Key Risk Management Issues For 2016 https://www.infosecisland.com/blogview/24693-Key-Risk-Management-Issues-For-2016.html https://www.infosecisland.com/blogview/24693-Key-Risk-Management-Issues-For-2016.html Wed, 13 Jan 2016 09:00:33 -0600 KPMG Identifies Risk Issues and Opportunities That Should Top Chief Risk Officers' Agendas

Chief risk officers (CRO) will need to keep close watch on a number of strategic, operational, and external risks this year. Effective risk management and mitigation will be critical, since companies' strategies, business models, operations, reputations, and, ultimately, survival are on the line.   

"CROs today face an unprecedented number of new and emerging risks that can threaten corporate strategy if they are not identified quickly and managed properly," said Kelly Watson, National Service Group Leader for Risk Consulting at KPMG LLP.  "The CRO needs to lead an integrated, organization-wide risk management program that can turn potentially crippling risks into opportunities for innovation, cost reduction, improved compliance and competitive advantage." 

KPMG LLP has identified seven key strategic, operational and external risk areas that should top CROs' risk management agendas this year: 

•   Technology Risk Management – The increase in technology risk has caused many IT organizations to establish information technology risk management (ITRM) functions. ITRM functions manage and monitor technology risks so that companies can anticipate and avoid problems rather than react to them. CROs who maintain a strong ITRM function and establish a strong connection with this function can proactively manage technology risks rather than reacting to audits, new regulations, new business strategies, and other disruptions.

•   Third Party Risk Management – Organizations today have thousands, if not tens of thousands, of third-party intermediaries. As the role of third parties in companies' interaction with governments has grown and supply chains become more stretched, companies' monitoring of their third parties has become critically important. Companies are challenged to identify which of these numerous third parties are putting them at risk. The CROs should help to vet third parties and help identify those which should be placed under the microscope – not only during the onboarding process, but on a continuous basis. They should also help to determine how technology and the effective use of data analytics can help, rather than hinder, the process.

•   Fraud and Misconduct – Companies should continue to monitor the activities of employees, vendors and third parties to detect and, wherever possible, prevent financial fraud or employee misconduct that can result in financial losses and damaged reputations. CROs should be especially wary of frauds that indicate collusive behavior. Collusive behavior is on the rise due to the emphasis companies have placed on improving their financial controls environment to comply with Sarbanes-Oxley and other regulations. These controls make it more difficult for individuals to perpetrate frauds, so co-conspirators are used to bypass certain control structures.

•   Crisis Management – CROs should ensure that their companies place a strong emphasis on scenario planning – holding workshops and developing documented plans to prepare for and respond to potential crises such as cyber intrusions, regulatory scrutiny or investigations, compliance challenges, litigation, or workplace violence. Since a crisis strikes without warning and requires a swift response, CROs need to take steps to ensure that on-call arrangements are in place. Lawyers, IT and forensic accounting professionals, and other consultants should be vetted, contracted with, and know the business beforehand to be ready to take action at a moment's notice.

•   Data Security – Diminishing security perimeters have been discussed for some time, but it is now fully acknowledged that corporate security perimeters no longer exist. Data and critical processes cross many organizational boundaries, including customer self-service, strategic sourcing, supply chain integration, business partnerships, and technology enhancement. Being able to understand risk, not just at the technology infrastructure or data levels, but also at the business process level, is critical. Since companies are more connected to more organizations than ever before, CROs need to monitor those connections if they are to better understand how trusted third parties are using and protecting company information. It is also important for CROs to provide their trusted business partners with greater insight into their own control and security environments.

•   Achieving Compliance Program Effectiveness – The growing number of regulations affect every facet of a company's operations and are implemented and enforced by an array of agencies worldwide. In this environment, companies need to anticipate regulations before they are implemented and plan for them under the leadership of the CRO and the Chief Compliance Officer. Companies should have a mechanism in place to capture an updated inventory of global regulations; employ a methodology to help prioritize regulatory obligations and manage regulatory change; evaluate compliance program effectiveness with regard to monitoring, testing and reporting; and ensure that they have an enterprise-wide view of regulatory risk and are able to collaborate internally to present a comprehensive report to the board.

•   Improving Risk Data Aggregation and Reporting – As regulatory requirements become more stringent, and the demand for risk data aggregation and improved data quality increases, it is essential that CROs concentrate on improving risk reporting, particularly within the financial services sector. Such improvement involves enhanced report content and the automation of real-time information collection. The ability to identify risk exposure across entire organizations and geographies and the capacity to understand its concentration risk and counterparty risk from a business perspective is imperative.

Source: KPMG LLP

Related: Learn More at the 2016 CISO Forum

Study Shows Few Organizations Achieving "Full DevOps" Maturity https://www.infosecisland.com/blogview/24692--Study-Shows-Few-Organizations-Achieving-Full-DevOps-Maturity.html https://www.infosecisland.com/blogview/24692--Study-Shows-Few-Organizations-Achieving-Full-DevOps-Maturity.html Tue, 12 Jan 2016 16:04:53 -0600 According to the results of a new global study, commissioned by CA Technologies (NASDAQ:CA), only 20 percent of organizations that have attempted to implement DevOps have fully deployed it. The research also found that these "advanced" DevOps adopters were more likely to report that their digital initiatives contributed to competitiveness, customer retention and top- and bottom-line results.

In the study titled “Assembling the DevOps Jigsaw,” more than 80 percent of senior IT and business executives confirm nine components that are key to maximize DevOps effectiveness. Vital areas of focus include business stakeholder education; security and compliance measures; and cross functional IT processes.

“To leverage the full potential of DevOps, organizations need to ensure IT is properly skilled and working collaboratively, as well as put in place the necessary enablers and controls,” said Michael Madden, general manager, DevOps, CA Technologies. “CA’s DevOps solutions, developed using an agile methodology, play a crucial role in helping customers use their digital initiatives to drive a competitive advantage in an increasingly fast-paced, ever-changing business environment.”

Even though DevOps is seen as a key component to driving business agility and keeping up with customer demands, only a little over half (55 percent) of respondents stated that they have a well-defined DevOps strategy and objectives. Furthermore, while 86 percent considered business stakeholder education, and the alignment of IT and business priorities to be important, only 33 percent and 37 percent respectively had completed these steps.

Although both development and operations teams may have individually implemented modern methods and automation techniques, the majority (63 percent) of the DevOps adopters say there’s still work to be done in relation to infrastructure and tooling.

Also, with 46 percent of respondents still working on security and compliance, it’s clear that most DevOps activity is not well supported from an enabling platform and risk management perspective.

Assembling all of the pieces of the DevOps jigsaw puzzle may require time, effort and careful planning, but the results are worth it. Compared to those without DevOps, advanced DevOps adopters are:

  • 2.5 times more likely to have seen improvements in customer retention
  • 2 times more likely to have seen improvements in customer acquisition
  • 3.4 times more likely to have seen progress on market share
  • 2 times more likely to have seen a positive impact on revenue growth
  • 2.4 times more likely to have experienced higher profit growth

The global online survey of 1,442 senior IT and business executives was sponsored by CA Technologies and conducted by industry analyst firm Freeform Dynamics in July 2015. It was augmented by in-depth telephone interviews with key industry executives. 

Source: CA Technologies

SAP Security Notes January 2016 – Review https://www.infosecisland.com/blogview/24691-SAP-Security-Notes-January-2016--Review.html https://www.infosecisland.com/blogview/24691-SAP-Security-Notes-January-2016--Review.html Tue, 12 Jan 2016 15:44:00 -0600 SAP has released the monthly critical patch update for January 2016. This patch update closes 23 vulnerabilities in SAP products (including ones closed after the second Tuesday of the previous month and before the second Tuesday of this month). Among them, there are 20 Patch Day Security Notes and 3 Support Package Security Notes. 13 of these Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 6.4.

SAP Security Notes January 2016 by priority

Most of the discovered vulnerabilities belong to JAVA security.

SAP Security Notes January 2016 by platforms

The most common vulnerability is Cross Site Scripting.

SAP Security Notes January 2016 by vulnerability type

This month, five critical vulnerabilities found by ERPScan researchers Mathieu Geli and Vahagn Vardanyan were closed.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • Log Injection and Denial of Service vulnerabilities in SAP HANA Extended Application Services Classic (XS) (CVSS Base Score: 5.0). Update is available in SAP Security Note 2241978 (version of the note: 2). An unauthenticated attacker can send specially crafted HTTP requests to the SAP HANA Extended Application Services Classic debug function. This allows forging additional entries in the trace files of the XS process and thus consuming disk space of the HANA system. The attacker can also use a denial of service vulnerability to terminate processes of the vulnerable component. While the component is down nobody can use this service, which negatively affects business processes through system downtime and, as a result, business reputation.
  • A Cross-site scripting vulnerability in SAP RWB (CVSS Base Score: 4.3). Update is available in SAP Security Note 2206793 (version of the note: 2). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s white paper.
  • A Cross-site scripting vulnerability in SAP PMI (CVSS Base Score: 4.3). Update is available in SAP Security Note 2234918 (version of the note: 2). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
  • An Information disclosure vulnerability in SAP User Management Engine (CVSS Base Score: 3.5). Update is available in SAP Security Note 2191290 (version of the note: 3). An attacker can use Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) which will help to learn more about the system and to plan other attacks.

The most critical issues closed by SAP Security Notes January 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2246277 (version of the note: 2): SAP on ORACLE database has an Implementation flaw vulnerability (CVSS Base Score: 6.4). Depending on the problem, an implementation flaw can cause unpredictable system behaviour and problems with stability and safety. Patches solve configuration errors, add new functionality and increase system stability. Install this SAP Security Note to prevent risks.
  • 2248735 (version of the note: 3): SAP System Administration Assistant has an OS command execution vulnerability (CVSS Base Score: 6.0). OS command execution vulnerability allows an attacker to run arbitrary commands on the target OS. The commands will run with the same privileges as the service that executes them. The attacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration and critical system files. It allows them to obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
  • 2233550 (version of the note: 12): SAP HANA Database has an Encryption issues vulnerability (CVSS Base Score: 5.8). The communication encryption in the SAP HANA multi-tenant database container feature does not work as expected. Install this SAP Security Note to prevent risks.

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Ukranian Electric Grid Cyber Attack – It Can it Happen Here Too https://www.infosecisland.com/blogview/24690-Ukranian-Electric-Grid-Cyber-Attack--It-Can-it-Happen-Here-Too.html https://www.infosecisland.com/blogview/24690-Ukranian-Electric-Grid-Cyber-Attack--It-Can-it-Happen-Here-Too.html Sat, 09 Jan 2016 08:09:17 -0600 On October 20, 2014, iSight Partners gave a presentation at the ICS Cyber Security Conference in Atlanta identifying the BlackEnergy malware and what it meant to critical infrastructures, including electric utilities. In November and December 2014, DHS held a series of “secret” briefings with US electric utilities on BlackEnergy and the Russian intrusions into US critical infrastructures. Subsequently, there were several news articles in December 2014 about BlackEnergy compromising US electric grid networks. On December 23, 2015, the Ukrainian electric grid was hacked, leading to a regional blackout. A sample of BlackEnergy malware was found on the compromised Ukrainian SCADA network. On January 8, 2016, iSight confirmed the Russian involvement via BlackEnergy in the Ukrainian attack.

To date, BlackEnergy has been used for data exfiltration, not as an attack tool. Given that as background, let’s look at some interesting observations from the Ukrainian hack and what it may mean to the US electric grid:

  • The Ukrainian outage was limited in regional scope, outage time, and lack of electric equipment damage. Consequently, the event may have been meant to send a message. Why else spend so much time and effort for an incident with such little immediate impact? If so, who was the intended target of the message? In November, pro-Ukrainian protesters destroyed pylons carrying electricity from Ukraine to Crimea. Causing a “small” power outage, while demonstrating the ability to have caused significantly more damage, could have served as a warning to Ukraine about damaging infrastructure. Only the electric system in the “Western-friendly” part of Ukraine lost power, even though several electric systems in other regions were also “compromised” but did not lose power (just like Stuxnet, there appears to have been specific targeting for causing damage). The obvious answer would be the pro-Western Ukrainians. However, the answer may not be so simple.
  • The timing of the Ukrainian event is suspect. In mid-December 2015, DARPA issued a Broad Area Announcement on cyber security of the electric grid. The first task is development of situational awareness, strongly implying (and my database also indicates) that situational awareness of the cyber status of the electric grid is still not adequate. Last year’s hacking demonstration, where the National Guard was able to compromise a NERC CIP compliant utility in less than 30 minutes, reinforces the viability of attacking US electric utilities without being detected. Since the Russians are already in our systems, was the US the ultimate target of the message?
  • Remotely opening (or closing) breakers requires knowledge about the breakers. As mentioned, in November 2014 DHS informed US electric utilities that BlackEnergy had been found and that Russians had access to some electric utility networks. Consequently, breaker information may already have been exfiltrated from US electric substations to Russia or others. Yet on January 6, 2016, Kimberly Mielcarek, a spokeswoman for the E-ISAC, stated about the Ukrainian hack: "There is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident." Where is the uproar from such an egregious misstatement?
  • Opening breakers is step one in creating an Aurora event. The second part is simply reclosing the breakers out-of-phase with the grid. If you can remotely open the breaker, you can remotely close it and cause an Aurora event. The Ukrainian outage could have been so much worse if the attackers had chosen to make it so. Considering most US utilities have still not installed Aurora hardware mitigation and DHS has declassified Aurora information, it just may be a matter of time before really bad things happen.

The US electric grid and other critical infrastructures are cyber vulnerable. Many nation-states know that and may already have footholds in our critical infrastructure networks (e.g., Russia, China, and possibly even Iran). The NERC CIPs are not designed to provide actual grid cyber security. Moreover, as the NERC CIP process is public, our enemies are aware of the gaping cyber holes in our electric systems. When will the responsible entities wake up or will it be after they can’t turn their lights on?

Related: Learn More at the ICS Cyber Security Conference & Training

Cross Posted from the Unfettered Blog

BlackEnergy Malware Used in Ukraine Power Grid Attacks: Report https://www.infosecisland.com/blogview/24689-BlackEnergy-Malware-Used-in-Ukraine-Power-Grid-Attacks-Report.html https://www.infosecisland.com/blogview/24689-BlackEnergy-Malware-Used-in-Ukraine-Power-Grid-Attacks-Report.html Tue, 05 Jan 2016 22:08:24 -0600 (SecurityWeek) - A threat group has been using the Russia-linked BlackEnergy malware family in attacks aimed at news media and electrical power organizations in Ukraine, ESET reported.

The BlackEnergy malware has been around since at least 2007 and it has been used in numerous targeted attacks, including ones aimed at Ukrainian government organizations and critical infrastructure companies in the United States.

Security firm ESET has been monitoring attacks involving the threat and recently discovered that the Trojan had been used to target news media and electrical power companies in Ukraine.

The news comes just days after Ukraine’s security service, the SBU, accused Russian special services of planting malware on the networks of several regional power companies. The agency also said attackers flooded the targeted firms’ technical support phone lines.

Ukrainian power company Prykarpattyaoblenergo blamed some recent power outages in the Ivano-Frankivsk Oblast region on outsiders who remotely tampered with automatic control systems.

ESET malware researcher Anton Cherepanov has confirmed for SecurityWeek that the attacks analyzed by the security firm and the ones reported by Ukrainian authorities and power companies are connected. The security firm has published a blog post detailing the connection.

Cherepanov said Prykarpattyaoblenergo is not the only company targeted by the attackers, but most of the other victims don’t want to disclose the attacks just yet.

iSIGHT Partners believes the Russian hackers behind the blackouts in Ukraine are part of the threat group known as Sandworm Team, which is known to rely heavily on BlackEnergy malware and which previously targeted SCADA systems in Europe and the United States.

The security firm told SecurityWeek that it has very limited evidence that the recent destructive attacks against Ukraine involved BlackEnergy, but if this is the case, it’s likely the work of Sandworm Team or a related Russian operator. The company has pointed out that this is the first known instance of cyberattacks causing a blackout.

Kaspersky Lab researchers identified nearly two dozen Windows and Linux plugins used by BlackEnergy in 2014. One of the Windows plugins, dubbed “dstr,” was designed to destroy data stored on the infected machine’s hard drive by overwriting the content of files.

According to ESET, in 2015 attackers started using a new destructive plugin called KillDisk (Win32/KillDisk). The component is designed to overwrite more than 4,000 file types with random data and to damage the operating system by making it unbootable.

CERT Ukraine reported in November that the KillDisk component was used by BlackEnergy attackers to target news companies during last year’s local elections. CERT reported that the threat was used to destroy documents and video files.

A different version of KillDisk was spotted in attacks against Ukrainian energy companies. The newest version of the threat allows attackers to specify when the destructive payload should be activated, it is capable of removing Windows event logs, and it focuses on corrupting 35 types of document, image, database and configuration files.

The KillDisk version observed in attacks against Ukrainian power companies attempts to make the operating system unbootable, and it also contains functionality designed to sabotage industrial systems.

Once it infects a system, the malware targets a couple of services, including sec_service.exe, a process associated with industrial control system (ICS) software called ASEM Ubiquity. The malware terminates the process and corrupts the executable file by overwriting its content with random data.

SSH Backdoor

In addition to the BlackEnergy malware, the threat group monitored by ESET has also leveraged an SSH backdoor to gain access to infected systems (Win32/SSHBearDoor.A trojan).

Researchers discovered the backdoor after finding what appeared to be a legitimate copy of the SSH application Dropbear on one of the infected servers. The attackers used a VBS file that executed the Dropbear SSH server and configured it to accept connections on port 6789.

The SSH server had also been configured to allow the attackers to authenticate using a hardcoded password or a private key. This backdoor allowed threat actors to connect to the compromised network whenever they needed.

Cherepanov told SecurityWeek that this backdoor SSH server has so far been detected on just one compromised machine.
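A defender-side check for the indicators described above, added here as an example and not taken from ESET's or SecurityWeek's material: it runs over a constructed process list and a netstat-style listener table and flags a listener on TCP 6789, an SSH-server image such as Dropbear, or a listener whose parent process is a Windows script host (the mechanism by which a .vbs file would launch a server). The sample telemetry, its field format, and the assumption that no host in the fleet legitimately runs an SSH server are all constructed for this example.

```python
"""Hunt for an unexpected SSH listener planted on a Windows host.

Constructed example: a process inventory and a netstat-style listener table
from one host, with a planted Dropbear server started by a script host and
bound to TCP 6789, alongside ordinary system and browser processes.
"""
from dataclasses import dataclass

# Port named in the report; SSH has no reason to listen here on this fleet.
BACKDOOR_PORT = 6789
# Assumption for this example: no host in the fleet legitimately runs an SSH server.
SSH_SERVER_IMAGES = ("dropbear", "sshd")
# Windows script hosts that execute .vbs files; assumption: they never spawn servers.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent_image: str


@dataclass(frozen=True)
class Listener:
    pid: int
    port: int


# Constructed sample telemetry: key=value process lines and netstat -ano style rows.
SAMPLE_PROCESSES = """\
pid=4 image=System parent=
pid=812 image=svchost.exe parent=services.exe
pid=2280 image=wscript.exe parent=explorer.exe
pid=2304 image=dropbear.exe parent=wscript.exe
pid=3120 image=chrome.exe parent=explorer.exe
"""

SAMPLE_LISTENERS = """\
TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    812
TCP    0.0.0.0:6789     0.0.0.0:0    LISTENING    2304
TCP    127.0.0.1:54321  0.0.0.0:0    LISTENING    3120
"""


def parse_processes(text):
    """Map pid -> Proc from 'pid=... image=... parent=...' lines."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        pid = int(fields["pid"])
        procs[pid] = Proc(pid, fields["image"].lower(), fields["parent"].lower())
    return procs


def parse_listeners(text):
    """Keep only TCP sockets in LISTENING state; extract local port and owning pid."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        listeners.append(Listener(pid=int(parts[4]), port=port))
    return listeners


def find_suspicious_listeners(procs, listeners):
    """Return {pid: [reasons]} for every listener matching at least one indicator."""
    findings = {}
    for lst in listeners:
        proc = procs.get(lst.pid)
        reasons = []
        if lst.port == BACKDOOR_PORT:
            reasons.append(f"listening on TCP {BACKDOOR_PORT}")
        if proc and any(tag in proc.image for tag in SSH_SERVER_IMAGES):
            reasons.append(f"SSH server image {proc.image}")
        if proc and proc.parent_image in SCRIPT_HOSTS:
            reasons.append(f"listener spawned by script host {proc.parent_image}")
        if reasons:
            findings[lst.pid] = reasons
    return findings


if __name__ == "__main__":
    hits = find_suspicious_listeners(parse_processes(SAMPLE_PROCESSES),
                                     parse_listeners(SAMPLE_LISTENERS))
    for pid, reasons in hits.items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Any one of the three indicators is worth a look on its own; all three on the same pid is the pattern the report describes.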


Copyright 2010 Respective Author at Infosec Island
What Do Star Wars and Recent Data Breaches Teach Us About Cyber Ethics?
https://www.infosecisland.com/blogview/24687-What-Do-Star-Wars-and-Recent-Data-Breaches-Teach-Us-About-Cyber-Ethics.html
Mon, 21 Dec 2015 14:43:00 -0600

As media headlines were dominated by the launch of Star Wars: The Force Awakens and shenanigans (or worse) with voter data by Bernie Sanders’ political campaign, I pondered the question: what do these recent news stories have in common?

Without going into the specific details of what happened (especially in the new movie), a few possible answers include:

  • We have seen the enemy, and they are us. Or, not all data breaches come from foreign hackers, organized crime or other “outsiders” with malicious intent.
  • Security controls and even technology training have limitations. Or, Darth Vader (and several other Jedi Knights) were well-trained – but used their skills to go over to the “dark side.”
  • There are shades of gray that technology professionals face in their daily duties that often get darker if not exposed and corrected early enough. Or, “the road to hell is paved with good intentions.”  

Perhaps this story will help explain my thought process.

Fictional Characters Based on Real World Data Breach Events

Trevor is a computer security expert who works for a large corporation. Recently, he was working on a computer security investigation involving unauthorized activities within his company network.

Following corporate forensic processes and specified security procedures, he accessed several accounts and online folders of a company executive suspected of wrongdoing. Sure enough, he uncovered unauthorized file transfers to overseas and domestic locations.

Trevor also discovered that company-sensitive data was being copied to flash drives against policy. In addition, this rascal was getting around firewall rules and other safeguards put in place by his team to access data storage locations in the cloud – all against the rules.

This individual was smart – but not smart enough. Using the USB drives that were found inside the employee’s office to help guide his investigation, Trevor carefully built a rock solid legal case that would stand up in any court of law. All the evidence was carefully compiled and chronicled in a report provided to Trevor’s boss and the HR team that requested the investigation in the first place.

But then something unexpected happened as Trevor was “cleaning-up” his digital fingerprints. Trevor uncovered a directory that had the performance appraisals of everyone in the company, as well as the detailed rationale for raises and promotions (or lack thereof) in his group.

Trevor was intrigued by this “eyes only” corporate data, so he opened and read many related files regarding pay, raises, benefits and more. Along the way, he learned about the intricacies of why someone was promoted over him the year before, the advantages given to minorities and women and other related matters in his company’s “inclusiveness” program.       

Trevor had already violated policy by opening the files and reading this material, but he could easily explain away the situation under his authorized investigation. Besides, he was so good, he was very unlikely to be caught accessing these records – which should not have been on this person’s USB drives in the first place.

Now Trevor faced another set of ethical decisions. Should he copy these files and send them to friends who were fighting a reverse discrimination case against the company? Should he just save them for personal use? Could he gain an advantage in an upcoming promotion interview by leaking some negative information as rumors to others?

Trevor also knew many friends both within and outside the company who would love to see these files to assist in their group’s wider hacktivist activities. He was furious with some of the “company facts” he had uncovered.  He was tempted to dig even deeper to learn more about how the company was really run and decisions were made at the top levels of governance. He justified his actions, since he disagreed with management decisions.    

Ethical Challenges for Security Professionals

The names and details have been changed, but I have come across many professional stories like Trevor’s over the past decade, many in recent times in my role as CSO and Chief Strategist at Security Mentor. Oftentimes, security pros quietly think they are above Internet laws, company rules and regulations. As the cyber police, bending (or breaking) a policy may seem acceptable, as long as no one catches you in the process. Sometimes, it may even seem to be required – like the state police needing to speed to catch a car going 100 miles per hour.

Beyond cyber war and the good guys having the right tools to catch the bad guys, there can be a tendency to ignore “more mundane” acceptable use directives. That is, security staff can download copyrighted material (movies and games), view porn at work, look at information that is private (like promotions, raises or other data from management), “borrow” passwords or delete log files to cover their tracks, etc. These acts may almost be viewed as “the spoils of war.” Hackers come across this data once as part of their job, and later they become accustomed to accessing it freely.

But actions have consequences. Much like Anakin Skywalker falling to the dark side of the force…this is a slippery slope.

The reality is that the smarter you are, the more you advance as a cyber security expert, the farther you go as a hacker, the greater your temptation will be. As you learn what the enemy does and how they do what they do (in order to stop them), the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he/she take a bit of the money while no one is looking? It seems so easy, so close and perhaps even innocent.

Sadly, I have seen talented security and technology professionals disciplined for inappropriate behavior at home or work such as stealing property, downloading files or distributing child porn. I personally know technically savvy staff members who are in jail, and I must say that I never would have guessed that certain “experts” would turn to the dark side. Additionally, I have read and heard about dozens of such cases. People are blinded to their own deceitfulness.

I know, you want some “hard data” to back up what I’m saying. OK.

Data Leaks and Professional Security Ethics

A recent report by Enterprise Management Associates (EMA) on behalf of file security company FinalCode, reported that 80 percent of information security professionals have experienced a data leak. This article on the report pointed to some important findings:

David Monahan, research director for security and risk management with EMA, said a majority of the 150 participants from mid-market and enterprise markets reported data loss as a substantial concern, while the minority reported moderate concern on the topic.

“Within the study, 83 percent of the people said they had some kind of significant file leakage via either insider-to-outsider or insider-to-insider. Fifty percent said that happens frequently in their organization.”

While many in this study believed that the data leakers did not have hostile intent, most respondents believed this to be a serious issue that needs to be addressed within their organizations.

And this study raises other serious questions regarding what parameters are being used by staff to make these decisions regarding the sharing of company data.  

Meanwhile, another related and growing trend is social activism with hacking. No doubt, some of the same people who are hacking outside of work also have access to sensitive data on corporate networks.

Of course, hacking can be a good thing or bad thing. There are “white hat” and “black hat” hackers, and plenty of data to show that hacktivism is a growing trend online. The subtlety of this topic is that moral erosion can happen gradually. See this chart to view detailed metrics documenting this growing social activism and hacking trend.

May the Force Be With You

So what can be done to strengthen the ethical culture in your situation?

First, we need to be aware of the problem. Ethics is important, not only for my children when they are on Facebook, but perhaps even more vitally for veteran security and technology professionals who know how to beat the system.

No doubt, we are all susceptible to slipping, and being honest about the challenges and temptations is a good start. Understanding that these situations will arise and discussing appropriate actions with your team is a good initial step.

Here are a few other ways to help in this area:

  • Seek advice from respected colleagues regarding practical ethical behavior as a security pro. Find one or more accountability partner(s) who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists, athletes, and other experts are accountable to teachers or coaches. Everyone who strives to improve needs accountability.
  • Find a trusted mentor who you admire in the industry. Make yourself accountable to this person regarding the direction of your professional career decisions.
  • Practice these seven habits of online integrity.

Several years ago I was having lunch with John Stewart (Cisco VP and CSO) between sessions at RSA. We were discussing assorted security war stories. I asked him what motivates exemplary cyber ethics for his staff. He said something to the effect: if pros know that they will be held to account, they will usually act responsibly.

I agree with John. Our technology teams need better measures of accountability. 

Bottom line, cyber ethics is not just an academic topic or a class you once took to get a computer degree.

Cyber ethics are the brakes that enable us to traverse cyberspace safely.  

How to Calculate ROI and Justify Your Cybersecurity Budget
https://www.infosecisland.com/blogview/24686-How-to-Calculate-ROI-and-Justify-Your-Cybersecurity-Budget.html
Fri, 18 Dec 2015 03:02:00 -0600

If you speak with management about money – speak their language and you will definitely get what you need.

Almost eight years ago, Bruce Schneier wrote a great article about the problems of ROI calculation for cybersecurity spending within organizations. Since then, both annual spending on cybersecurity and the cost of global cybercrime have significantly increased.

Even though organizations increased their information security budgets by 24 percent in 2016, many security officers still have to justify to their management every extra thousand spent on cybersecurity. Traditionally, Europe is more conservative than the US, and many more European security officers are asked to reduce their initial cybersecurity budgets by removing some items or replacing them with less expensive alternatives.

Businesses need to make money in order to pay salaries (including salaries of the cybersecurity team), so their point of view, based mainly on financial numbers, is pretty clear and reasonable. Nevertheless, if you prepare a well-explained justification for your cybersecurity budget using terminology and language understandable by management, your chances of getting the budget approved without modifications will at minimum double.

For example, let’s take the budget required to protect the front end of a midsize e-commerce website. To keep things simple, we will not calculate the risks of chained attacks, such as Advanced Persistent Threats, which these days often start at vulnerable websites.

We will base our ROI calculations on direct financial loss prevention: if by spending $10 you can prevent a highly probable annual loss of $100, your management will happily allocate the $10. Often, the problem is to prove that you really need $10 (and not just $7 or $8) and that the risk(s) mitigated with the $10 really cause a highly probable $100 direct loss to the organization.

First, we need to calculate an ALE (Annual Loss Expectancy): an expected [approximate] financial loss caused by particular risks and threats (if not properly mitigated). We will use a simplified ALE formula from the official guide to CISSP®-ISSMP®:

ALE = (Number of Incidents per Year) X (Potential Loss per Incident)

In our case, the number of incidents per year can be reasonably set to 12, expecting one serious intrusion attempt via web front-end per month. We can obviously make it bigger, but don’t forget that we are preparing the budget for management who will be skeptical if you present them with numbers that look overstated.

Potential financial loss per incident is a bit trickier, as it consists of numerous factors and sub-factors. Cyber threats will now affect Moody’s ratings; however, the impact is very subjective, as it is almost impossible to predict whether a particular data breach will affect the rating. The same difficulty applies to reputational losses, stock option drops, and all other high-profile losses related to a data breach.

Therefore, we shall try to take an average cost per breach in our industry from a reputable source. For example, according to a recent study by Kaspersky Lab, the financial loss suffered by SMEs averaged $38,000. In some cases, management may question such a “big” amount; therefore, we will need to take tangible and unavoidable incident costs and present them one by one to management in order to validate the amount. In the case of an e-commerce web front end, it is pretty easy to identify at least some of them:

  • Cost of customer database and other sensitive information theft and exposure
  • Cost of e-commerce portal unavailability during forensics and recovery
  • Cost of third-party experts allocated to investigate and remediate the breach
  • Cost of legal and compliance fines.

Obvious and easily calculable costs are related to PCI DSS compliance. If, for example, you are a PCI merchant level 2, you will be “promoted” to level 1 in the event of a data breach, with all the related costs. Costs related to third-party consultants are also simple to calculate: estimating that they will have to spend at least one week investigating the incident, you already have at least $10,000.

For example, TalkTalk [due to the size of the business and the scale of the hack] has lost about £35 million in total, and in comparison $38,000 looks very reasonable. An even higher cost per incident comes from the 2015 Information Security Breaches Survey published by the UK government and PwC, where the average cost of a data breach for SMEs is between £75,000 and £310,800 ($112,000 and $466,200 respectively). But let’s come back to our modest $38,000 for our example and use it in our equation:

ALE = (Number of Incidents per Year) X (Potential Loss per Incident)

ALE = 12 X $38,000

ALE = $456,000

This is the amount a company should expect to lose per year if nothing is done to protect its web front-end. Of course, each new incident will aggravate the losses, but here we can omit this point.

The next step is to justify the money you are asking for. The easiest way to do so is to provide your management with the most efficient and effective solutions and products, carefully selected by the price/quality ratio. In order to protect the web front-end (I omit SDLC and all other costs related to secure development, maintenance and compliance) we typically need:

  • Web Application Firewall – although a WAF cannot protect against sophisticated attacks, it’s a great protection layer against bots and other malicious “noise”, automated attacks and script-kiddies.
  • Continuous vulnerability scanning and security monitoring solution – what is secure today may become vulnerable tonight, and an annual penetration test will not detect it in time. Therefore, continuous security monitoring is extremely important.
  • Regular manual or hybrid assessments involving third-party experts – a good example is a critical RCE in Zen Cart, recently detected by High-Tech Bridge in the latest version of this popular e-commerce platform. The vulnerability is present only in the latest version, and was not detected by any automated scanner prior to our discovery.

Estimating that these three items together will cost $40,000 per year, we can come back to our equation and calculate ROI. We will take the ROI formula from the official guide to CISSP®-ISSMP®:

ROI = (ALE / Cost of Countermeasures) X 100%

ROI = ($456,000 / $40,000) X 100%

ROI = 1140%

Even if such a huge ROI may be subjective from a purely technical point of view, it will definitely convince your management better than a long saga about the dangers of blind XSS attacks.

Robert Metcalf, a cybersecurity expert at PwC Switzerland, says: "Cybersecurity is about risk management and loss prevention, not just earnings and so any investment in security needs to demonstrate to the business that it is focused on defending what is of most value to the organization, its 'crown jewels'. How these key assets are then being targeted by threat actors can strongly indicate where you must invest the most and where your business reputation is also at stake."

If you speak with management about money – speak their language and you will definitely get what you need.

Cross posted from CSO.

Cybersecurity Predictions for 2016
https://www.infosecisland.com/blogview/24685-Cybersecurity-Predictions-for-2016.html
Wed, 16 Dec 2015 16:00:00 -0600

2015 was another fascinating year for cybersecurity. From the OPM to Anthem, Ashley Madison and countless other data breaches, there was no shortage of stories capturing national attention. So what does 2016 have in store? Here’s my forecast:

Cyber Attacks Getting Increasingly Physical

Traditionally, cyber-attacks have targeted companies to steal information. Today, people are using more connected devices: home surveillance, wearables, home appliances and automobiles. Companies are also bringing control systems online to improve communication and increase productivity. Therefore, hackers are increasingly targeting these devices for monetary gain. For the past year, we have seen ransomware used as an extortion tool against individuals. We have also seen attacks on control systems in manufacturing and utilities that disrupt service and operation. We will see cybercrimes committed by a combination of online hacking and offline activities.

More High-Impact Vulnerabilities from Open-Source Software

Heartbleed (of OpenSSL) and Shellshock (of Bash) vulnerabilities have hit us hard in recent years: the reason being that these open source packages have found their way into a wide range of devices, applications and services. Developers, especially ones building the latest web applications, increasingly rely on open-source technologies for application development and operations. It is very common in today’s application architecture to depend on dozens of open-source tools or libraries. However, the bugs and vulnerabilities of these tools and libraries are sometimes not well studied and understood. If OpenSSL and Bash, which have been in existence for a long time, still have vulnerabilities, what can be said about more recent ones such as Hadoop, OpenStack and Docker? As the popularity of open-source projects grows, security researchers and hackers will be attracted to the projects and more vulnerabilities will be discovered. The impact of newfound vulnerabilities will be directly proportional to the popularity of the open-source project.

More Focus on Post Breach and Incident Response

With the continuous stream of breaches at large companies made public over the year, people realize that it is very difficult to guarantee that a company’s infrastructure is never compromised. Because of new technologies such as BYOx and cloud services, IT does not always have full control over some phases of the cyber kill chain. Post-breach detection and incident response are a crucial part of a layered defense architecture. A good post-breach detection and incident response implementation can catch bad guys sooner and reduce the damage a breach causes. The latest advancements in security analytics combine up-to-date threat intelligence with context-sensitive data from local network traffic to identify traces of an intruder or malicious insider.

More Focus on Data Security

A great majority of the publicized security breaches we have seen involve the leak of sensitive data. As hacking moves more towards a monetary focus, this is arguably the most common goal of a successful hack. With technological developments such as mobile computing and cloud, companies have found it increasingly hard to secure their data from unauthorized access. At the same time, they need to secure not only how data is accessed, but also how data is used. Different users may be allowed access only to different views of the same data. This means identifying assets, more fine-grained application/API-level control, better monitoring and auditing, and securing the storage and transmission of data.

Cloud Security Technology Advances

Security has always been one of the top concerns in moving applications to the cloud. And for a long time, only limited security capabilities were provided because of the vastly different and rapidly changing underlying infrastructure. As SDN and network virtualization become more mainstream, they enable the deployment of security technology through virtual network boundaries and service chaining. We will see companies offering new ways of doing more comprehensive security as cloud technology evolves. This advancement of cloud security will ultimately drive more business to the cloud.

Carrier Grade NAT and the DoS Consequences
https://www.infosecisland.com/blogview/24684-Carrier-Grade-NAT-and-the-DoS-Consequences.html
Wed, 16 Dec 2015 15:02:26 -0600

The Internet has a very long history of utilizing mechanisms that breathe new life into older technologies, stretching them out so that newer technologies may be delayed or obviated altogether. IPv4 addressing, and the well known depletion associated with it, is one such area that has seen a plethora of mechanisms employed in order to give it more shelf life.

In the early 90s, the IETF gave us Classless Inter-Domain Routing (CIDR), which dramatically slowed the growth of global Internet routing tables and delayed the inevitable IPv4 address depletion. Later came DHCP, another protocol which assisted via the use of short term allocation of addresses which would be given back to the provider's pool after use. In 1996, the IETF was back at it again, creating RFC 1918 private addressing, so that networks could utilize private addresses that didn't come from the global pool. Utilizing private address space gave network operators a much larger pool to use internally than would otherwise have been available if utilizing globally assigned address space -- but if they wanted to connect to the global Internet, they needed something to translate those addresses. This is what necessitated the development of Network Address Translation (NAT).

NAT worked very well for many, many years, and slowed the address depletion a great deal. But in order to perform that translation, you still needed to acquire at least one globally addressable IP. As such, this only served to slow down depletion but not prevent it - carriers were still required to provide that globally addressable IP from their own address space. With the explosive growth of the Internet of Things, carriers likewise began to run out of address space to allocate.

NAT came to the rescue again. Carriers took notice of the success of NAT in enterprise environments and wanted to do this within their own networks; after all, if it worked for customers it should likewise work for the carriers. This prompted the IETF to develop Carrier Grade NAT (CGN), also known as Large Scale NAT (LSN). CGN aims to provide a similar solution for carriers by obviating the need to allocate publicly available address space to their customers. By deploying CGN, carriers can oversubscribe their pool of global IPv4 addresses while still providing seamless connectivity, i.e. no truck-roll.

So while the world is spared from address depletion yet again, the use of CGN technologies opens a new can of worms for carriers. No longer does one globally routable IP represent a single enterprise or customer - due to the huge oversubscription which is afforded through CGN, an IP can service potentially thousands of customers.

This brings us to the crossroads of the Denial of Service (DoS) problem. In the past, when a single global IP represented only one customer network, there was typically no collateral damage to other customer networks. If the DoS was large enough to impact the carrier's network or if there was collateral damage, they would simply blackhole that customer IP to prevent it from transiting their network. However, with CGN deployments, and potentially thousands of customers being represented by a single IP, blackhole routing is no longer an option.

CGN deployments are vulnerable to DoS in a few different ways. The main issue with CGN is that it must maintain a stateful record of the translations between external addresses and ports and internal addresses and ports. A device which has to maintain these stateful tables is vulnerable to any type of DoS activity that may exhaust the stateful resources. As such, a CGN device may be impacted in both the inbound and the outbound direction. An outbound attack is usually the result of malware on a customer's machine, sending a large amount of traffic towards the Internet and consuming the state tables in the CGN. Inbound attacks usually target a particular customer, and take the form of a DoS attack, or a Distributed Denial of Service (DDoS) attack. Regardless of the direction of the attack, a large amount of resources is consumed in the CGN state table, which reduces overall port availability. Left unregulated, these attacks can easily cause impact not only to the intended victim, but potentially the thousands of other customers being serviced by that CGN.

With the inability to simply blackhole a given IP using edge Access Control Lists (ACLs), carriers must look at other options for protecting their customer base. While some CGN implementations have the ability to limit the amount of ports that are allocated to a single customer, these only work in discrete cases and can be difficult to manage. They also do not protect customers if the CGN device is itself the target of the attack.

The solution to this problem is the use of a purpose-built DDoS mitigation device, or what is more commonly referred to as a "scrubbing" device in IT circles. Dedicated DDoS mitigation devices attempt to enforce that everyone plays nicely, by limiting the maximum number of sessions to or from a given customer. This is done by thorough analysis of the traffic in flight and rate-limiting or filtering traffic through sophisticated mitigation mechanisms to ensure fairness of the public IP and port availability across all customers. Through the use of dedicated DDoS mitigation devices, CGN devices and their associated customers are protected from service disruptions, while legitimate traffic is still allowed through unencumbered. Lastly, another important aspect of DDoS mitigation technology is that these devices tend to be "bumps in the wire", that is to say, they don't have an IP address assigned to them and as such cannot be the target of an attack.
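A toy model of the state-exhaustion problem and the per-customer session limit discussed above, added here as an example and not from the original article or from any CGN vendor: one public IP with a small port pool is shared by a hundred subscribers, one of them infected with malware that floods outbound sessions, and the same run is repeated with a per-subscriber port quota. All sizes (1000 ports, 100 subscribers, 5 sessions each, 2000 flood attempts, a quota of 50) are constructed to keep the effect visible; it models only the outbound case, not an attack on the CGN device itself.

```python
"""Toy model of a Carrier Grade NAT (CGN) port pool shared by many subscribers.

Constructed example: one public IPv4 address with a small port pool is shared
by 100 subscribers. One subscriber's machine runs malware that floods outbound
sessions. The pool is run once without and once with a per-subscriber quota.
"""
from collections import Counter

# Constructed sizes, deliberately small so the effect is visible at a glance.
PORTS_PER_PUBLIC_IP = 1000     # a real CGN has ~64k ports per public IP
LEGIT_CUSTOMERS = 100          # subscribers behind the same public IP
SESSIONS_PER_CUSTOMER = 5      # normal load per subscriber
FLOOD_ATTEMPTS = 2000          # outbound sessions attempted by the infected host
INFECTED = "cust-infected"


class CgnPool:
    """State table for one public IP: every open session pins one port."""

    def __init__(self, ports, per_customer_limit=None):
        self.free_ports = ports
        self.per_customer_limit = per_customer_limit
        self.in_use = Counter()    # customer -> ports currently held
        self.rejected = Counter()  # customer -> sessions refused

    def open_session(self, customer):
        """Try to allocate a translation entry; return True on success."""
        limit = self.per_customer_limit
        if limit is not None and self.in_use[customer] >= limit:
            # Mitigation: this subscriber already holds its share of the pool.
            self.rejected[customer] += 1
            return False
        if self.free_ports == 0:
            # State exhaustion: nothing left for anyone, guilty or not.
            self.rejected[customer] += 1
            return False
        self.free_ports -= 1
        self.in_use[customer] += 1
        return True


def simulate(per_customer_limit=None):
    """Run the outbound flood, then the legitimate load; return the pool."""
    pool = CgnPool(PORTS_PER_PUBLIC_IP, per_customer_limit)
    # Outbound attack: malware on one customer's machine opens sessions as fast
    # as it can, each one consuming an entry in the shared state table.
    for _ in range(FLOOD_ATTEMPTS):
        pool.open_session(INFECTED)
    # Everyone else only wants a handful of sessions each.
    for n in range(LEGIT_CUSTOMERS):
        for _ in range(SESSIONS_PER_CUSTOMER):
            pool.open_session(f"cust-{n}")
    return pool


def collateral_victims(pool):
    """Legitimate customers that had at least one session refused."""
    return sum(1 for c, n in pool.rejected.items() if c != INFECTED and n > 0)


if __name__ == "__main__":
    for limit in (None, 50):
        pool = simulate(limit)
        print(f"per-customer limit={limit}: infected holds "
              f"{pool.in_use[INFECTED]} ports, free={pool.free_ports}, "
              f"legitimate customers hit={collateral_victims(pool)}")
```

Without the quota the infected host takes every port and all 100 neighbours lose service; with a quota of 50 it is capped and the other subscribers are unaffected, which is the fairness property the scrubbing device is there to enforce.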

Cross posted from Corero DDoS Blog.

Why Companies Fail to Secure Their Web Apps
https://www.infosecisland.com/blogview/24683--Why-Companies-Fail-to-Secure-Their-Web-Apps-.html
Mon, 14 Dec 2015 05:35:00 -0600

A vulnerable web application is just one of the great gifts left for hackers, as it significantly reduces the time, cost and effort needed to get into a corporate network.

So why do companies fail to secure their web apps?

There are many ways hackers can get at your website and data, but in many of the most recent major data breaches the common weak link has been vulnerable web applications. Despite this, many companies still underestimate the importance of web application security in their cybersecurity and risk management strategy.

Today, the vast majority of Advanced Persistent Threats (APT) gain their first foothold inside target companies by sending a few emails. Ten years ago, many people would easily click on any link from an email or open an exe file from an attachment. Today users are much better educated, and this is why modern APTs start with your corporate website, even if it has no sensitive information and it is hosted on the other side of the world.

Instead of sending you a link to a phishing domain (e.g. with a typo), or to a newly registered website in a shady TLD zone that your corporate email gateway will quite probably block on the fly, attackers would rather send you a link to… your own website.

First of all, hackers will compromise your corporate website or one of your web applications (e.g. subdomain or different domain your company owns). As many companies still believe that their websites do not deserve more sophisticated protection than automated vulnerability scanning and a WAF, attackers will probably get in within a couple of hours or even quicker.

Once your website is under their control, attackers will create a legitimate-looking page on it that resembles any other page on your website with similar content, leaving you none the wiser when you visit the page. Attackers will host a recent exploit-pack on the page, the most expensive of which would cost them just a few thousand dollars on the black market. Hackers do not even need expensive zero-days: a Verizon report says that 99.9 percent of exploited vulnerabilities in 2014 were publicly discovered more than a year prior to exploitation.

Finally, an email will come from a legitimate-looking email address on a legitimate domain from a person you may have briefly met in the past, and will contain a link to your own [authentic] website that is quite probably whitelisted in your corporate IPS/IDS. The content of the email will be relevant enough to encourage you to click on the link in nine out of ten cases. Once clicked, one of the recent vulnerabilities in your browser, its plugins or components (e.g. Flash) will be exploited to execute arbitrary code - quite probably successfully. Now your machine is under the attacker’s control. A local privilege escalation exploit will help to gain local admin rights, and the intrusion will spread to all available machines and hosts in the same segment of your local network (if your network is segmented, of course).

Further intrusion to your corporate network will be quite probably quick and easy, as internal penetration testing is often considered “useless” or economically unjustified – fair enough, but only if you don’t let attackers get into your network from the outside, and have properly implemented patch management (including patches for third-party software), access control and user segregation.

But let’s come back to the entry point of the attack: an insecure web application. Here are the five most common reasons why almost any website or web application today can be so easily compromised:

1. Underestimation of risks and threats related to insecure web applications

Many large companies and international organizations still seriously underestimate the value of their web applications and give their security the lowest priority in their risk management. And I am not even speaking about complicated SSRF or application logic flaws, but merely about proper detection and remediation of the OWASP Top Ten vulnerabilities. As we can see from the beginning of this article, companies just don’t realize that a vulnerable website is a perfect vector for starting an APT without spending much money on it.

2. Lack of continuous monitoring

Web technologies are constantly evolving, and what is secure today may become vulnerable tonight. Therefore, a quarterly scan and an annual pen test to achieve PCI DSS compliance are not enough anymore to stay ahead of hackers. Many companies do not perceive web application security as a continuous process but rather as a one-time audit, putting their web infrastructure and related back-end at critical risk.
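One concrete form of the continuous monitoring called for here, which also targets the planted-page scenario described at the start of the article, as an added example (Python, not code from the article or its author): record a baseline of the files your web root serves at deployment time, re-run the check regularly, and alert on any page that appears or changes. The web root layout, the file suffixes and the sample pages are assumptions constructed for the example.

```python
"""Web-root integrity check: record a baseline of served files, then report
pages that appear or change. Added example, not code from the article."""
import hashlib
import os
import tempfile

# Anything the web server would serve as a page; extend for your stack (assumption: HTML/PHP site).
WATCHED_SUFFIXES = (".html", ".htm", ".php", ".js")


def snapshot(web_root):
    """Map each served file under web_root (relative, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(WATCHED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, web_root).replace(os.sep, "/")] = digest
    return hashes


def diff_snapshots(baseline, current):
    """Classify changes since the approved baseline: 'added' is a page nobody deployed
    (the watering-hole case); 'modified' catches content injected into an existing page."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: deploy two pages, take the baseline, then simulate
    an unexpected new page and a modified existing page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "news"))
        pages = {"index.html": b"<h1>ACME Corp</h1>", "news/2015.html": b"<p>Report</p>"}
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # would normally be stored at deployment time
        with open(os.path.join(root, "news", "2016-q1.html"), "wb") as fh:
            fh.write(b"<p>Quarterly update</p>")  # page nobody deployed
        with open(os.path.join(root, "index.html"), "ab") as fh:
            fh.write(b"<!-- unexpected change -->")  # content injected into a page
        return diff_snapshots(baseline, snapshot(root))
        # returns {'added': ['news/2016-q1.html'], 'modified': ['index.html'], 'removed': []}
```

In practice the baseline is written once per approved deployment and the diff is scheduled (cron or a CI job) so that an unexpected page is flagged within hours rather than at the next annual pen test.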

3. Missing or poorly-implemented Secure Software Development Life Cycle (S-SDLC)

In spite of the plethora of guidelines and standards for secure software development in existence today, many companies still ignore them due to the high complexity or expense of implementation. The situation is even worse in companies where software development teams have existed for years, as any change to well-established [but insecure] procedures will be met with hostility: nobody wants to spend additional time on software security if they are not paid additionally for it.

4. Dominance of business needs over security processes

Data breaches via insecure web applications regularly occur even in companies where S-SDLC is mature and well integrated into the company’s daily business processes. The consequences of the financial crisis of 2009 are still here – many companies suffer from sluggish demand and very tough global competition. Often the business requires a new feature to be done in a few hours on a Friday evening to outperform a competitor – of course, we can forget about security under such pressure. Nevertheless, it’s the business that pays the salaries of developers and infosec folks, and it’s always the business that has the last word. However, it's also the business that should be ready to take responsibility for a new data breach and the related costs.

5. Ignorance of third-party risks

Many companies are starting to introduce thorough security and compliance guidelines for their third-party suppliers and partners, but they often fail to include proper web application security in them. As a result, attackers can compromise the website of your long-time supplier, consultant or partner, and instead of hosting malware on your website they host it on a trusted party’s website, achieving the same result in the end.

Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, says: "Recently we've seen many organizations attacked through sophisticated cyber attacks on their supply chain partners. With global supply chains becoming more and more digital and interconnected, establishing trust in your supply chain is becoming more challenging all the time."

As paying for an anti-smoking patch is much cheaper and less dramatic than spending a six-digit amount on cancer treatment, spending on preventive web application security is much more cost-effective and less painful than paying for APT forensics. Therefore, if you are currently finalizing your cybersecurity budget for 2016 – don’t forget about proper web application security, not just vulnerability scanning.

Copyright 2010 Respective Author at Infosec Island
SAP Security Notes December 2015 - Review
https://www.infosecisland.com/blogview/24682-SAP-Security-Notes-December-2015-Review.html
Wed, 09 Dec 2015 06:00:00 -0600

SAP has released the monthly critical patch update for December 2015. This patch update closes 26 vulnerabilities in SAP products (19 Patch Day Security Notes and 7 Support Package Security Notes), 16 of which are high priority. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov, Mathieu Geli and Vahagn Vardanyan were closed.

According to SAP’s blog post, the largest share of the vulnerabilities closed by this update falls into the "other" category. This is quite typical for business applications such as SAP: due to their uniqueness and complexity, uncommon vulnerability types are much more frequent than in traditional software, where, as our research Analysis of 3000 SAP Security Notes revealed, configuration issues constitute only 2%. Last year we analyzed SAP Security Notes by type: about 300 vulnerabilities of almost 3000 were classified as configuration issues and about 150 were uncategorized. Configuration and other unusual issues are thus 5 times more common in SAP than in traditional products, so a significant part of the security measures falls on the shoulders of administrators.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • An authentication bypass vulnerability in SAP Mobile Platform SysAdminWebTool servlets (CVSS Base Score: 6.8). The update is available in SAP Security Note 2227855 (version of the note: 4). An attacker can use an authentication bypass vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure and privilege escalation. It can also be exploited for remote file overwrite, denial of service, SMB relay attacks, etc.
  • An implementation flaw vulnerability in SAP Log Viewer (CVSS Base Score: 4.6). The update is available in SAP Security Note 2240946 (version of the note: 3). Depending on the problem, an implementation flaw can cause unpredictable system behaviour and stability and safety problems. Patches solve configuration errors, add new functionality and increase system stability.

The most critical issues closed by SAP Security Notes December 2015

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2234226 (version of the note: 2): SAP TREX/BWA has an OS command execution vulnerability (CVSS Base Score: 7.5). An attacker can use this vulnerability to run operating system commands without authorization. Executed commands will run with the same privileges as the service that executes them. The attacker can also access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. They can obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
  • 2067570 (version of the note: 3): SAP BI Servers, security & CrystalReports viewing in BI platform has a denial of service vulnerability (CVSS Base Score: 7.1). An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent risks.
  • 2227169 (version of the note: 3): SAP 3D Visual Enterprise Author, Generator and Viewer has a remote command execution vulnerability (CVSS Base Score: 6.8). An attacker can use a remote command execution vulnerability to execute commands remotely without authorization. Executed commands will run under the same privileges as the service that executed the command. The attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration and critical system files. They can obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
  • 2165583 (version of note: 7): SAP HANA has an incorrect system configuration vulnerability (CVSS Base Score: 6.6). SAP HANA internal services could be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place. This could endanger system availability, data confidentiality and integrity. It is recommended to install this SAP Security Note to prevent risks.

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
