Gaining Control of Security and Privacy to Protect IoT Data
Wed, 24 Apr 2019 05:50:29 -0500

Internet traffic growth is unrelenting and will continue to expand rapidly, in large part due to the Internet of Things (IoT). The amount of data being generated is staggering, with 5 quintillion bytes of data produced and transmitted over the Internet daily.

Virtually every industry is going to be impacted by IoT. The vast amounts of data that devices, apps and sensors create, collect and consume are a real challenge for individuals and companies, throughout the world. This explosive growth of IoT-driven traffic is expanding the attack surface on our networks, putting business and user data at great risk.

Within our increasingly connected world, IoT gathers insightful data from almost every facet of our lives. These devices offer valuable intel about our social habits, public and personal transportation, healthcare facilities, manufacturing assembly processes, industrial plant operations, and even our personal health, sleep and exercise regimens.  

Can you imagine the consequences IoT device manufacturers and healthcare providers would face if sensitive patient health data was mishandled and exploited by hackers? Or if a design flaw in a modern car’s network access control system couldn’t be remotely patched, and hackers took over the vehicle's gas pedal, brakes and steering? If we don’t get a handle on the security issues for smart products, tomorrow’s news headlines will eliminate your need to imagine.

I remember a children’s song called “Dem Bones.” It went something like, “The toe bone's connected to the foot bone, the foot bone's connected to the ankle bone, the ankle bone's connected to the leg bone, now shake dem skeleton bones!”

Here’s a different take on that song. “The watch app is connected to the voice app, the voice app is connected to the car app, the car app is connected to the geofencing app - and that’s how the data gets around!”

While data access is great for helping us gain useful insights in all manner of life and business, it also poses a great threat, when in the hands of those who use it for ill-gotten gain.

IoT Data Should Be Private and Controlled

Data is being created, collected and consumed by IoT, everywhere. Yet, most consumers and companies don’t know if, or how, their data is being used. Many companies are monetizing our personal data, without our knowledge, and reaping billions of dollars. Yet, we continue to just give it away. Other companies are sharing this data within their ecosystem, to “enhance” the value of their products or services. Depending on the product or service, this information sharing can be of potential benefit for consumers, or a possible detriment.

So, what are we as individuals, and as a society to do? How do we discover who has access to our data, and how it is being used? Are we okay with this? After all, what we don’t know can’t hurt us, right?  Perhaps, we can start by becoming more aware and asking some of these questions:

What can we do to protect our data, and keep it confidential? How can we be assured that companies are acting responsibly with our data? Who is responsible for data protection? If we had a choice, how and what kind of information would we want shared with us? How can we gain greater transparency over how our data is used? Are we comfortable living with smart home devices that may listen in on private conversations we have at home?

The other day, my wife and I had a conversation at home about buying new shoes for our daughters. While having this conversation, we were surrounded by smart devices - Alexa, Ring, Nest and a multitude of smart phones and tablets. The next morning, I woke up and the first image in my Instagram feed was for toddler girl shoes. Is this a coincidence or targeted marketing? I haven’t figured out which device it was that captured our conversation, but I’m certain one of the smart devices is monetizing on the data it collects from private conversations going on in our home.  

That story provides a real-life example of how companies may be monetizing data they collect from IoT devices. As devices proliferate, consumers need to be aware that data is being captured, and how and when it is captured. Manufacturers need to be more transparent about these practices so that consumers have the right to opt in to, or out of, data collection at such a private and intrusive level.

You Can’t Have Trust Without Transparency

Many of the answers to the privacy questions above will not come from technology alone. We must gain greater insight into, and control over, the way our data is used. Companies must self-regulate, and if they don’t, regulatory and legislative action should follow.

Many IoT manufacturers have direct control over their ecosystem, while others have more open systems and hub platforms that are more difficult to control, and specifically, to control how data is collected, stored, and ultimately used. Most companies fall short in communicating their data-handling policies to consumers.

We want these amazing devices in our homes, cars, offices, and bodies, but we don’t necessarily want the companies, or worse, hackers, misusing our information. It’s a catch 22. There are no easy answers or solutions, however as a society, we must feel the urgency to address this growing problem. Consumers need to be aware, while manufacturers need to be responsible. 

I think transparency is key to solving this problem. Companies must adopt a more transparent use of customer data, which will in turn build customer trust. Transparency will let us know what data is being tracked, how it is being tracked, and how it is being monetized or shared. In the near future, we will have systems that provide data visibility to consumers. Perhaps a privacy portal with authentication mechanisms, where consumers have autonomy, and even the ability to monetize their own data by revenue sharing with companies.

Not only will this give consumers control over their data, it will also help companies build greater loyalty and brand equity, when they show consistent data stewardship.

Protecting IoT Data in Transit

In addition to a higher level of transparency, manufacturers need to protect the sensitive data collected. Data encryption is a best practice for confidentiality, and should be used by all IoT manufacturers when transmitting data.  Making sure all connections to an IoT device are properly authenticated, and that access controls are in place, helps keep bad actors out of the device’s ecosystem. If IoT is going to continue to grow in the future, we must have confidence in the security and privacy of our data. I believe all IoT devices that collect personal data, or sensitive business information, should always use encryption.

Controlling access to encryption keys starts with authentication. User authentication uses username and password combinations, biometrics, tokens and other techniques. Server authentication uses certificates issued by a trusted third party (a certificate authority), so that a device can verify it is talking to the genuine server and not an impostor; the device’s own trust store then has to be protected from tampering. Authentication lets a company determine whether a user or entity is who they claim to be; it then governs whether, and how, they can access a system, including the ability to decrypt protected data. Multi-factor authentication is substantially stronger than a password alone and should be the default wherever a person logs in.

Authentication establishes who is connecting, but not what that party is allowed to do once connected. Authorization is the separate control that decides who may see sensitive data and what they can do with it, so a stolen but valid credential still gets only the privileges granted to that identity.

Authorization lets IT restrict activity within resources, applications and data by granting specific access rights to individuals and groups. Privileges are defined, and each individual or group is granted only the level of access its role requires (the principle of least privilege).

Updating software on IoT devices isn’t always possible, and many devices that can be updated have no secure way to verify the authenticity or integrity of an update. This is dangerous: an attacker who can reach the update channel can push malware onto the device. Code signing addresses this by proving the origin and integrity of executable software: the publisher hashes the image and signs that hash with a private signing key, and the device verifies the signature with the matching public key before installing anything. Two details decide whether that protection holds in practice. The verifying public key has to live where an attacker cannot replace it, ideally in immutable storage or a hardware root of trust, and the signed metadata should carry a version number so that an attacker cannot reinstall an older, vulnerable but validly signed image. Done this way, code signing protects IoT device manufacturers, the businesses that deploy the devices, and the consumers of the devices from the dangers posed by unauthorized software.
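As an added example, not code from the original article: the signing and verification flow described above, written in Go with Ed25519 (the article names no particular algorithm; Ed25519 is assumed here) and carrying the two checks a practitioner would add. The signed manifest holds a version number so the device refuses a validly signed but older image, and the verifier checks the signature before it spends time hashing the image. The names Manifest, Device and Install, and the firmware bytes, are this example’s own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata for one firmware image. Signing a manifest
// that carries the image digest (rather than the raw image) lets the device
// verify a few bytes before it streams the full image into flash, and the
// version field is what makes rollback detectable.
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte
}

// encode produces the exact bytes that are signed and later verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// GenerateVendorKey stands in for the vendor's HSM-held signing key (assumption).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign runs on the build server: hash the image, then sign version+hash.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

// Device models the update verifier on the IoT device. TrustedKey is the
// public key that would be burned into ROM or an OTP region; InstalledVersion
// is the monotonic counter used to refuse downgrades.
type Device struct {
	TrustedKey       ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not from the trusted vendor key")
	ErrRollback     = errors.New("image version is not newer than the installed version")
	ErrDigest       = errors.New("image digest does not match the signed manifest")
)

// Install checks the signature first (nothing after it can be trusted
// otherwise), then rollback, then the full-image digest; the version counter
// advances only when all three pass.
func (d *Device) Install(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.TrustedKey, m.encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m.Digest[:]) {
		return ErrDigest
	}
	d.InstalledVersion = m.Version
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	dev := &Device{TrustedKey: pub, InstalledVersion: 3}
	image := []byte("constructed firmware image, version 4") // constructed sample

	m, sig := Sign(priv, 4, image)
	fmt.Println("genuine v4:", dev.Install(m, sig, image))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	m5, sig5 := Sign(priv, 5, image)
	fmt.Println("tampered image:", dev.Install(m5, sig5, tampered))

	mOld, sigOld := Sign(priv, 2, image)
	fmt.Println("old signed image:", dev.Install(mOld, sigOld, image))

	_, attackerPriv := GenerateVendorKey()
	mA, sigA := Sign(attackerPriv, 6, image)
	fmt.Println("attacker key:", dev.Install(mA, sigA, image))
}
```

The order of checks matters on a constrained device: an unsigned or mis-signed manifest is rejected after one cheap signature check, before the device reads or hashes a multi-megabyte image. The rollback check is what turns the “old but validly signed firmware” attack into a failure rather than a downgrade.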

Consistency, security and trust have always been requirements for ensuring lasting customer relationships, and the digital age is no different. It’s a matter of who is in control of our data. Today, IoT device manufacturers and businesses are in control. In the future, we must be in control of our own information.

About the author: Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. He oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations.

Copyright 2010 Respective Author at Infosec Island
Growing Reliance on Digital Connectivity Amplifies Existing Risks, Creates New Ones
Wed, 24 Apr 2019 05:03:50 -0500

Information security threats are intensifying every day. Organizations risk becoming disoriented and losing their way in a maze of uncertainty, as they grapple with complex technology, data proliferation, increased regulation, and a debilitating skills shortage.

By 2021 the world will be heavily digitized. Technology will enable innovative digital business models and society will be critically dependent on technology to function. This new hyperconnected digital era will create an impression of stability, security and reliability. However, it will prove to be an illusion that is shattered by new vulnerabilities, relentless attacks and disruptive cyber threats.

The race to develop the next generation of super-intelligent machines will be in full swing and technology will be intertwined with everyday life. Coupled with heightened global mistrust and rising geopolitical tensions, this will lead to a cyber threat that is relentless, targeted and disruptive. The operating environment for business will become increasingly volatile.

At the Information Security Forum, we recently highlighted the top three threats to information security emerging over the next two years, as determined by our research. Let’s take a quick look at these threats and what they mean for your organization:


Vast webs of intelligent devices, combined with increased speeds, automation and digitization will create possibilities for businesses and consumers that were previously out of reach. The Internet of Things (IoT) will continue to develop at an astonishing rate, with sensors and cameras embedded into a range of devices across critical infrastructure. The resulting nexus of complex digital connectivity will prove to be a weakness as modern life becomes entirely dependent on connected technologies, amplifying existing dangers and creating new ones.

5G Technologies Broaden Attack Surfaces: The emergence of the fifth generation of mobile networks and technologies (5G) will provide a game-changing platform for businesses and consumers alike. Colossal speeds, minimal latency and a range of newly available radio frequencies will connect previously unconnected devices, accelerate processes and change entire operating models – but with these changes comes a broader attack surface, as millions of telecommunication masts are built with varying levels of security. As organizations become heavily reliant on 5G to operate, new attack vectors will exploit weaknesses in this emerging technology.

Manipulated Machine Learning Sows Confusion: Machine learning, and neural networks in particular, will underpin processes such as image recognition, pricing analysis and logistics planning. As businesses become reliant upon machine learning and humans are taken out of the knowledge loop, machine learning will become a prime target for attackers. Confusion, obfuscation, and deception will be used by attackers to manipulate these systems, either for financial gain or to cause as much damage and disruption as possible.

Parasitic Malware Feasts on Critical Infrastructure: Parasitic malware is a particular strain of malware designed to steal processing power, traditionally from computers and mobile devices. However, attackers will turn their attention to the vast interconnectivity and power consumption of Industrial Control Systems (ICS), IoT devices and other critical infrastructure, which offer an enticing environment for this malware to thrive. All organizations will be threatened as this form of malware sucks the life out of systems, degrading performance and potentially shutting down critical services.


By 2021 a digital cold war will unfold, causing significant damage to business. The race to develop strategically important, next generation technologies will provoke a period of intense nation state-backed espionage – intellectual property (IP) will be targeted as the battle for economic and military dominance rages on. Cloud services will become a prime target for sabotage by those seeking to cause disruption to society and business. Drones will become both the weapon and target of choice as attackers turn their attention skywards.

State-Backed Espionage Targets Next Gen Tech: A new wave of nation state-backed espionage will hit businesses as the battle for technological and economic supremacy intensifies. The target: the next generation of technology. History teaches us that at times of great technological change, targeted industrial espionage follows. Organizations developing technologies such as Artificial Intelligence (AI), 5G, robotics and quantum computing will find their IP systematically targeted by nation state-backed actors.

Sabotaged Cloud Services Freeze Operations: Popular cloud providers will have further consolidated their market share – organizations will be heavily, if not totally, dependent on cloud providers to operate. Attackers will aim to sabotage cloud services, causing disruption to Critical National Infrastructure (CNI), crippling supply chains and compromising vast quantities of data. Organizations and supply chains that are reliant on cloud services will become collateral damage when cloud services go down for extended periods of time.

Drones Become Both Predator and Prey: Drones will become predators controlled by malicious actors to carry out more targeted attacks on business. Developments in drone technologies, combined with the relaxation of aviation regulations, will amplify attackers’ capabilities as the threat landscape takes to the skies. Conversely, drones used for commercial benefit will be preyed upon, hijacked and spoofed, with organizations facing disruption and loss of sensitive data.


Competing in the digital marketplace will become increasingly difficult, as businesses develop new strategies which challenge existing regulatory frameworks and social norms, enabling threats to grow in speed and precision. Vulnerabilities in software and applications will be frequently disclosed online with ever-decreasing time to fix them. Organizations will struggle when one or more of the big tech giants are broken up, plunging those reliant on their products and services into disarray. Organizations will rush to undertake overly ambitious digital transformations in a bid to stay relevant, leaving them less resilient and more vulnerable than ever.

Digital Vigilantes Weaponize Vulnerability Disclosure: Ethical vulnerability disclosure will descend into digital vigilantism. Attackers will weaponize vulnerability disclosure to undercut organizations, destroy corporate reputations or even manipulate stock prices. Organizations will find their resources drained as digital vigilantes reduce the timelines to fix vulnerabilities and apply patches, seriously threatening operations, reputations and endangering customers.

Big Tech Break Up Fractures Business Models: Calls for the breakup of big technology giants will reach their peak by 2021. By then, at least one of them will be broken up, significantly disrupting the availability of the products and services they provide to dependent organizations. From email to search engines, advertising, logistics and delivery, the entire operating environment will change. Malicious actors will also prey upon vulnerable, transitioning organizations.

Rushed Digital Transformations Destroy Trust: The demand for organizations to remain relevant in a technology-centric world will drive them to undertake rushed digital transformations. Organizations will deploy technologies such as blockchain, Artificial Intelligence (AI) and robotics, expecting them to seamlessly integrate with ageing systems. Organizations will be faced with significant disruption to services, as well as compromised data when digital transformations go wrong.

Preparation Must Begin Now

Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The three themes listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.

How Microsegmentation Helps to Keep Your Network Security Watertight
Wed, 24 Apr 2019 04:57:44 -0500

A submarine operates in hazardous conditions: in the ocean depths, even a small breach of its hull could spell disaster for the vessel and its crew. That’s why submarine designers don’t just rely on the strength of the outer skin for protection. The interior is segmented into multiple watertight compartments, with each capable of being closed off in the event of an emergency so that the rest of the boat can continue to function.

The same logic has been applied to enterprise networks for several years now.  Segmentation has been a recommended strategy for shrinking enterprise attack surfaces, with a lack of it being cited as a contributing factor in some of the biggest-ever data breaches. A lack of segmentation also contributed to the $40M disruption experienced by manufacturer Norsk Hydro in March this year, when multiple IT and operational systems were hit by ransomware that moved laterally across its networks.

But while segmentation is recognized as an effective method for enhancing security, it can also add significant complexity and cost – especially in traditional on-premise networks and data centers. In these, creating internal zones usually means installing extra firewalls, cabling and so on to police the traffic flows between zones. This is complex to manage when done manually.

However, the move to virtualized data centers using software-defined networking (SDN) changes this. SDN’s flexibility enables more advanced, granular zoning, allowing networks to be divided into hundreds of microsegments, delivering a level of security that would be prohibitively expensive and complicated to implement in a traditional data center. As such, research by analyst ESG has shown that nearly 70% of enterprises are already using some form of micro-segmentation to limit hackers’ ability to move laterally on networks, and make it easier to protect applications and data.

Even though SDN makes segmentation far easier to achieve, implementing an effective micro-segmentation strategy presents security teams with two key challenges. First, where should the borders be placed between the microsegments in the network or data center for optimum protection against malware and hackers? Second, how should the teams devise and manage the security policies for each of the network segments, to ensure that legitimate business application traffic flows are not inadvertently blocked and broken by the micro-segmentation scheme?

A process of discovery

To start devising a micro-segmentation scheme for an existing network or datacenter, you need to discover and identify all the application flows within it. This can be done using a discovery engine which identifies and groups together those flows which have a logical connection to each other and are likely to support the same business application.

The information from the discovery engine can be augmented with additional data, such as labels for device names or application names that are relevant to the flows. When compiled, this creates a complete map identifying the flows, servers and security devices that your critical business applications rely on.

Using this map, you can start to draw up your segmentation scheme by deciding which servers and systems should go into each segment: A good way to do this is by identifying and grouping together servers that support the same business intent or applications. These will typically share similar data flows, and so can be placed in the same segment.

Once the scheme is outlined, you can then choose the best places on the network to place the security controls to enforce the borders between segments. To do this, you need to establish exactly what will happen to your business application flows when those filters are introduced.

Remember that when you place a physical or virtual filtering device to create a segment border, some application traffic flows will need to cross that border. These flows will need explicit policy rules to allow them, otherwise the flows will be blocked and the applications that rely on them will fail.

Crossing the borders

To find out whether you need to add or change specific policy rules, examine the application flows that you identified in your initial discovery process, and make a careful note of any flows which already pass through an existing security control. If a given application flow does not currently pass through any security control, and you plan to create a new network segment, you need to know whether the unfiltered flow will be blocked when that segment border is established. If it will, you need to add an explicit new policy rule that allows the application flow to cross it.
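As an added example (not from the original article, nor AlgoSec’s product): the discovery-to-border check described in the steps above, in Go. It takes the labelled flows a discovery engine would produce and a proposed server-to-segment assignment, and computes which flows cross a segment border and therefore need an explicit allow rule, flagging the ones that are unfiltered today and would break the moment the border filter goes in. The segment names, hosts and flows are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one application flow recorded by the discovery step, carrying the
// labels the text says to attach: the application it supports and whether a
// security control already sits on its path.
type Flow struct {
	App      string
	Src, Dst string
	Port     int
	Filtered bool // already passes through an existing security control
}

// Rule is an explicit allow that the filter on a segment border must carry.
type Rule struct {
	App, FromSeg, ToSeg string
	Src, Dst            string
	Port                int
	NewlyFiltered       bool // unfiltered today: the app breaks unless this rule exists
}

// PlanBorders takes the proposed assignment (server -> segment) and the
// discovered flows. It returns the allow rules needed for every flow that
// crosses a segment border, de-duplicated and sorted, plus the hosts that
// appear in flows but were never assigned a segment (a planning gap).
func PlanBorders(segmentOf map[string]string, flows []Flow) (rules []Rule, unassigned []string) {
	ruleSet := map[Rule]bool{}
	missing := map[string]bool{}
	for _, f := range flows {
		s, okS := segmentOf[f.Src]
		d, okD := segmentOf[f.Dst]
		if !okS {
			missing[f.Src] = true
		}
		if !okD {
			missing[f.Dst] = true
		}
		if !okS || !okD || s == d {
			continue // unassigned host, or intra-segment flow: no border crossed
		}
		ruleSet[Rule{f.App, s, d, f.Src, f.Dst, f.Port, !f.Filtered}] = true
	}
	for r := range ruleSet {
		rules = append(rules, r)
	}
	sort.Slice(rules, func(i, j int) bool {
		a, b := rules[i], rules[j]
		if a.FromSeg != b.FromSeg {
			return a.FromSeg < b.FromSeg
		}
		if a.ToSeg != b.ToSeg {
			return a.ToSeg < b.ToSeg
		}
		if a.Src != b.Src {
			return a.Src < b.Src
		}
		if a.Dst != b.Dst {
			return a.Dst < b.Dst
		}
		return a.Port < b.Port
	})
	for h := range missing {
		unassigned = append(unassigned, h)
	}
	sort.Strings(unassigned)
	return rules, unassigned
}

// SampleSegments and SampleFlows are constructed inputs for this example.
var SampleSegments = map[string]string{
	"web1": "web", "web2": "web",
	"app1": "app",
	"db1":  "db",
	"mon1": "mgmt",
}

var SampleFlows = []Flow{
	{"shop", "web1", "app1", 8443, true},  // already crosses the perimeter firewall
	{"shop", "web2", "app1", 8443, true},
	{"shop", "app1", "db1", 5432, false},   // east-west, currently unfiltered
	{"shop", "web1", "web2", 11211, false}, // cache traffic inside the web tier
	{"metrics", "mon1", "app1", 9100, false},
	{"metrics", "mon1", "db1", 9100, false},
	{"backup", "db1", "bkp1", 22, false}, // bkp1 has no segment yet
}

func main() {
	rules, unassigned := PlanBorders(SampleSegments, SampleFlows)
	for _, r := range rules {
		tag := "existing control: carry the rule over"
		if r.NewlyFiltered {
			tag = "NEW border: add the rule or the app breaks"
		}
		fmt.Printf("%-8s %s->%s  %s->%s:%d  [%s]\n", r.App, r.FromSeg, r.ToSeg, r.Src, r.Dst, r.Port, tag)
	}
	fmt.Println("hosts with no segment:", unassigned)
}
```

Flows that stay inside a segment (web1 to web2) need no rule, which is the payoff of grouping servers by application. The unassigned-host report is the check to run before the cut-over: a host that discovery saw but nobody placed will end up outside every segment.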

Micro-segmentation management

Having devised and implemented your micro-segmentation scheme, you will need to manage and maintain it, and ensure it works in harmony with the security across your entire enterprise network. The most effective way to achieve this is with a network security automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premise firewalls.

Automation ensures that the security policies which underpin your segmentation strategy are consistently applied and managed across your entire network estate, together with centralized monitoring and audit reporting. Any changes that you want to make to the segmentation scheme can be assessed and risk-checked beforehand to ensure that applications will continue to work, and no connectivity is affected. Then, if the changes do not introduce any risk, they can be made automatically, with zero-touch, and automatically recorded for audit purposes. This streamlines the management process, and avoids the need for cumbersome, error-prone manual processes every time you need to make a network change.

To conclude, building and implementing a micro-segmentation strategy requires careful planning and orchestration to ensure it is effective. And automation is critical to success, as it eliminates time-consuming, complex and risky manual security processes. But when done right, micro-segmentation helps to ensure that your networks offer watertight security, and stops a small breach turning into a disaster that could sink your business.

About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.

Through the Executive Lens: Prioritizing Application Security Vulnerabilities
Thu, 28 Mar 2019 05:29:54 -0500

It’s an old axiom in the security business that your security is only as good as your weakest link. Today, as the number of security threats and attack vectors continues to grow, so too does the number of tools security teams have at their disposal to find and block them. Also growing is the pile of data that security teams must sift through to identify where their systems might be vulnerable. Given all the data, how do you prioritize your efforts?

First, a couple of statistics. According to Tim Clark, SAP contributor to Forbes, 84 percent of all cyber-attacks are happening on the application layer. The 2018 Verizon Data Breach Investigations Report (DBIR) states that web application attacks were responsible for 38 percent of data breaches. And an IBM white paper states that “the costs of discovering defects after release are significant: up to 30 times more than if you catch them in the design and architecture phase.” Conclusion: Start by focusing on your application security initiatives.

Within the AppSec space, the variety of vulnerability analysis tools fall into two broad groups: tools that analyze your source code and tools that do dynamic analysis. Each tests for a different type of vulnerability, so a portfolio approach to using them will give you the most comprehensive results—and the most data to sift. You can narrow your focus and prioritize issues in a number of ways.

IDE tools

Use source code scanning tools that integrate with the tools your developers use every day, like their integrated development environment (IDE). Some static analysis tools have IDE plug-ins that let your developers do vulnerability analysis directly in the IDE.

This approach to “shifting security left” in the software development life cycle (SDLC) has several benefits. One is that it distributes the load of looking at vulnerabilities across the entire development organization and makes the team more aware of developing secure code as part of their daily job. Second, it reduces the total number of security issues that make it into the code to be scanned at CI/CD build time.

Whichever tool you pick, be sure that the developer scans use the same engines as the central scans. Otherwise, correlating results across the two scan types won’t work well. And if that plug-in supports multiple analysis types, so much the better.

False-positive rate

Choose vulnerability scanning tools with low false-positive rates. Not only do false positives increase the volume of data to sift through, but too many false positives in a developer’s queue breeds malaise and disinterest in fixing them.

Developer training and measurement

Add security training to your developers’ personal development goals, and measure security issues as part of their MBOs. Learning about common vulnerability types, such as cross-site scripting, will make the team more efficient. Adding metrics around software security as part of a team’s MBOs will ensure that developers treat security on par with quality and feature delivery. Nothing changes behavior more than a combination of incentives and measurement by one’s boss.

Risk correlation

This one is harder than you might think. Several tools let you aggregate the results from different tools into one view showing the risk profile of a given app based on those results. The challenge is in correlating data that comes from different tools, each with its own categorizing methodology. Ideally, you’d have a tool that normalizes the results across tools and lets you filter issues based on things like security category and industry standards, such as the OWASP Top 10 or CWE categories.

A few tools offer other features, such as showing open/closed issues over time so you can see progress, and the ability to filter results from one tool by the results of another. For example, if your static analysis tool says you’ve got 1,000 issues, but your open source scanning tool reports that 800 of those are in open source components, your developers can focus on fixing the 200 that you know are uniquely in your source code.
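As an added example, not from the original article or any vendor’s product: the two correlation steps above, in Go. Static-analysis results arrive with vendor-specific category names, so they are first normalized to CWE ids (the category names and the mapping table are assumed for the example); the findings are then filtered by the open source inventory, so that issues inside third-party component directories are separated from the ones in your own source. Unmapped categories are surfaced rather than dropped, since a missing row in the mapping table is a gap in the correlation, not evidence of a clean scan. All inputs are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is the common record every tool's output is normalized into, keyed
// on CWE so results from different tools can be compared and counted together.
type Finding struct {
	Tool, CWE, File, Severity string
}

// SastResult is the shape of one (constructed) static-analysis result. The
// Category names are vendor-specific, which is exactly what needs normalizing.
type SastResult struct {
	Category, File, Severity string
}

// sastToCWE maps the assumed vendor category names to CWE ids.
var sastToCWE = map[string]string{
	"Cross-Site Scripting: Reflected": "CWE-79",
	"SQL Injection":                   "CWE-89",
	"Path Manipulation":               "CWE-22",
}

// NormalizeSAST converts tool results into Findings. Categories without a
// mapping are kept under CWE-UNMAPPED and reported back so the table gets fixed.
func NormalizeSAST(tool string, rs []SastResult) (out []Finding, unmapped []string) {
	seen := map[string]bool{}
	for _, r := range rs {
		cwe, ok := sastToCWE[r.Category]
		if !ok {
			cwe = "CWE-UNMAPPED"
			if !seen[r.Category] {
				seen[r.Category] = true
				unmapped = append(unmapped, r.Category)
			}
		}
		out = append(out, Finding{Tool: tool, CWE: cwe, File: r.File, Severity: r.Severity})
	}
	sort.Strings(unmapped)
	return out, unmapped
}

// Component is one entry from the open source inventory: the component name
// and the directory in the repository that holds its code.
type Component struct{ Name, Path string }

// Partition filters static-analysis findings by the inventory: a finding whose
// file lives under a known component directory is a third-party issue (fixed
// by upgrading the component); everything else is first-party code.
func Partition(findings []Finding, comps []Component) (firstParty, thirdParty []Finding) {
	for _, f := range findings {
		third := false
		for _, c := range comps {
			// The trailing slash stops "vendor/x/ui" from also claiming "vendor/x/ui-extra/".
			if strings.HasPrefix(f.File, strings.TrimSuffix(c.Path, "/")+"/") {
				third = true
				break
			}
		}
		if third {
			thirdParty = append(thirdParty, f)
		} else {
			firstParty = append(firstParty, f)
		}
	}
	return firstParty, thirdParty
}

// CountByCWE gives the per-category view used for prioritization.
func CountByCWE(fs []Finding) map[string]int {
	m := map[string]int{}
	for _, f := range fs {
		m[f.CWE]++
	}
	return m
}

// Constructed sample input: a scanner's output and the SCA inventory.
var SampleSAST = []SastResult{
	{"SQL Injection", "src/orders/query.go", "High"},
	{"Cross-Site Scripting: Reflected", "src/web/search.go", "High"},
	{"Cross-Site Scripting: Reflected", "vendor/github.com/example/ui/render.go", "High"},
	{"Path Manipulation", "vendor/github.com/example/archive/unzip.go", "Medium"},
	{"Path Manipulation", "src/upload/store.go", "Medium"},
	{"Insecure Randomness", "src/auth/token.go", "Medium"},
}

var SampleComponents = []Component{
	{"github.com/example/ui", "vendor/github.com/example/ui"},
	{"github.com/example/archive", "vendor/github.com/example/archive/"},
}

func main() {
	findings, unmapped := NormalizeSAST("sast", SampleSAST)
	first, third := Partition(findings, SampleComponents)
	fmt.Printf("%d findings: %d first-party, %d in open source components\n", len(findings), len(first), len(third))
	fmt.Println("first-party by CWE:", CountByCWE(first))
	fmt.Println("categories still needing a CWE mapping:", unmapped)
}
```

Third-party findings are not discarded; they move to a different queue (upgrade or patch the component) so the developer queue holds only issues that are fixable in your own source, which is the 200-of-1,000 effect described above.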

Summing it up

The work of the security team is never done, but by focusing on specific AppSec initiatives and applying some well-tested strategies and tools, you can do a lot to prioritize the most important issues to focus on.

About the author: Neal Goldman is Senior Product Manager at Synopsys, with over 25 years of product management, marketing, and business development experience at a variety of technology vendors.


Next Generation Firewalls are Old News in the Cloud
Wed, 27 Mar 2019 11:47:15 -0500

I have been in the security field long enough to have seen the firewall replaced by the “Next Generation Firewall.” That change was a big milestone: we went from a model that focused on IP addresses to one that targeted applications, users and content, which provided far more visibility and context about what was being protected.

As you move to the cloud, the “Next Generation Firewall” is no longer “Next Generation” but looks like an antique from “Grandfather’s Generation,” and it will inevitably share the fate of the dinosaurs. A Next Generation Firewall’s application visibility comes from deep packet inspection, which identifies and inspects applications on the wire. The challenge is that in the cloud most traffic is encrypted, which means the network has no ability to inspect it. Even if you can terminate and re-encrypt TLS in order to inspect it (an authorized man in the middle, which needs your own trusted CA on every client or the servers’ private keys, and fails on pinned connections), the scale and elasticity of the cloud would make today’s Next Generation Firewalls useless.

Next Generation Firewall Can’t Keep Up in the Cloud

Applications in an IaaS environment are often custom-written, so there are no known signatures to identify them. Even when an application can be identified, its security profile depends on how it is used: two instances of the same database application can have completely different communication patterns, even though, from a launch perspective, they are the same software. A Next Generation Firewall cannot distinguish launch from communication patterns to understand the application’s behavior or the policy it requires.

Containers, Kubernetes, and serverless computing also make Next Generation Firewalls completely blind as they were never built to understand these new generations of microservices.  

IaaS has in practice become PaaS: any application in the cloud is surely using many native service offerings from the cloud provider. Calls to these native services go straight to the provider’s API endpoints, often over private endpoints, and never traverse a segment where a Next Generation Firewall sits, so it has no visibility into this critical piece of an app.

User Identification in the Cloud

User identification is also harder in the cloud. The same user may hold different permissions on the same application in different environments; production and development change how a user interacts with it. Next Generation Firewalls have no concept of deployment environments because they predate CI/CD.

Most activity in the cloud is not performed by people at all but by machines and applications that assume roles to accomplish tasks. A Next Generation Firewall is blind to these principals because they act through cloud APIs, and those calls never appear in the traffic it inspects.

A further challenge is that people do their work through service accounts or sudo, so the effective user is not necessarily the person who performed the action. Looking only at network traffic or Active Directory cannot attribute that activity to the right user.
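As an added example (not code from the article or from the author’s company), the attribution chain described in the last two paragraphs, worked in Python over constructed data: CloudTrail-style records that use the real CloudTrail field names with made-up values, and sudo syslog lines in sudo’s standard format. The user names, role names and commands are assumptions.

```python
"""Attribute cloud API calls and host commands to the human who initiated them.

Added example, not code from the article or from any vendor product. The
CloudTrail-style records below use real CloudTrail field names but constructed
values; the sudo lines follow sudo's standard syslog format and are also constructed.
"""
import re

# Constructed CloudTrail-style records: alice calls AssumeRole, then the resulting
# session makes an API call; a third call comes from an EC2 instance profile
# session that no human ever assumed.
CLOUDTRAIL_EVENTS = [
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"assumedRoleUser": {
         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/alice-deploy"}}},
    {"eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/alice-deploy",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                            "userName": "DeployRole"}}}},
    {"eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/EC2Role/i-0abc123",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                            "userName": "EC2Role"}}}},
]

MACHINE = "machine/service (no human issuer)"


def attribute_api_calls(events):
    """Return (eventName, role, origin) for every call that is not itself AssumeRole.

    origin is the IAM user whose AssumeRole produced the session ARN, or MACHINE
    when no human issued the session (instance profiles, Lambda execution roles).
    Only the API log makes this chain visible; none of it crosses a firewall.
    """
    session_origin = {}   # assumed-role session ARN -> IAM user that assumed it
    attributed = []
    for ev in events:
        ident = ev["userIdentity"]
        if ev["eventName"] == "AssumeRole" and ident["type"] == "IAMUser":
            session_arn = ev["responseElements"]["assumedRoleUser"]["arn"]
            session_origin[session_arn] = ident["userName"]
            continue
        if ident["type"] == "AssumedRole":
            role = ident["sessionContext"]["sessionIssuer"]["userName"]
            attributed.append((ev["eventName"], role,
                               session_origin.get(ident["arn"], MACHINE)))
        else:
            attributed.append((ev["eventName"], None, ident.get("userName")))
    return attributed


# Constructed sudo syslog lines (standard sudo format: invoking user, TTY, PWD,
# target USER, COMMAND). The pam_unix line carries no command and is skipped.
SUDO_LOG = """\
Mar 27 11:40:01 web-1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 27 11:41:17 web-1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql -c DROP TABLE users
Mar 27 11:42:03 web-1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def attribute_sudo(log_text):
    """Return (invoking user, effective user, command) for each sudo command line.

    Process telemetry would show these commands running as root or postgres;
    the sudo record is what ties them back to alice and bob.
    """
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            hits.append((m["invoker"], m["target"], m["cmd"]))
    return hits


if __name__ == "__main__":
    for row in attribute_api_calls(CLOUDTRAIL_EVENTS):
        print("api  ", row)
    for row in attribute_sudo(SUDO_LOG):
        print("sudo ", row)
```

The instance-profile call falls through to the MACHINE label on purpose: treating it as an unknown human would be wrong, and a large share of cloud API activity lands in that bucket.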

Enforcement Rules in the Cloud

Enforcement is one of the firewall’s main functions, but in the cloud the providers offer their own policy mechanisms, for example security groups in AWS, which were built from the ground up to handle elasticity and which key on tags for finer control. Next Generation Firewalls struggle with elasticity and have no context on machine tags.

Next Generation Firewalls were built on static rules, which were impossible to maintain even in a static environment. In every firewall configuration I have come across there are at least ten rules that no one can explain but everyone is afraid to touch because they do not know what will break. In an elastic environment like the cloud, building and maintaining such rules is an impossible task.

New Data Set will be needed in the Cloud

To identify applications and users in the cloud you need a new data set that does not exist in network traffic. Rules and signatures cannot do the job; application and user attribution has to come from behavior and context.

Here is a list of the applications, users and behaviors that matter in the cloud, with a comparison of what a “Next Generation Firewall” sees and what a solution built natively for the cloud sees.

Application Visibility    Next Generation Firewall    Solution Built for Cloud
Custom Apps               No visibility               App identification uses behavior and context
Containers                No visibility               Supported
Kubernetes                No visibility               Supported
Cloud Services            No visibility               Supported
Encrypted Traffic         No visibility               At the host, so able to identify the app and user
Intra-VM Traffic          No visibility               All traffic on the host is also visible
Serverless                No visibility               Supported
Machine/Cloud Tags        No visibility               Supported

User Visibility           Next Generation Firewall    Solution Built for Cloud
Assumed Roles             No visibility               Supported
SSH Users                 No visibility               SSH tracking attributes activity to the right user
Cloud Admins              No visibility               Console activity via the account API

Behaviors for Kill Chain  Next Generation Firewall    Solution Built for Cloud
Network Communication     IP address level            App/User/Container/Kubernetes
Privilege Changes         No visibility               Tracks users and their privileges
File Changes              No visibility               File integrity monitoring (FIM)
User Activity             No visibility               SSH tracking attributes activity to the right user
Cloud Config Changes      No visibility               Best practices and compliance checks
Account API Behavior      No visibility               Account-based IDS
Application Launches      No visibility               Application launch tracking
File Malware              No visibility               SHA-based malware detection

Users will have to change the way they deploy infrastructure to the cloud, and as they do, they will also need security solutions built with the cloud in order to secure the cloud. The “Next Generation” firewall will need a new moniker, perhaps “Grandfather’s Generation,” as it fails to adapt to cloud technology.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

Copyright 2010 Respective Author at Infosec Island
Trojan Horses for the Mind, Part 2 of Building Impactful Security Awareness Messaging Wed, 27 Mar 2019 11:08:00 -0500 In late 2018, I wrote about how we can use Trojan Horses for the mind when it comes to shaping messaging and creating influential awareness campaigns. In other words, the way we design and deliver our messages can become a Trojan Horse that sneaks past a user’s mental defenses.

Why is this important? Here’s why: the concept of “security awareness” can suffer from a fatal flaw; what I call the knowledge-intention-behavior gap. Just because your people are aware of something doesn’t mean that they will care. And, even if they care and intend to do the right thing, a whole host of situations and contexts can interfere with the follow-through. So, there is a gap between knowledge and intention. And there is a gap between intention and behavior.

We can use our Trojan Horses for the Mind to help close some of those gaps. And we can use them to create messages that people remember and care about.

My last post focused specifically on the emotional side – how people tend to make decisions based on emotion and then build a case for their decision based on logic.  Let’s now talk about another Trojan Horse for the Mind -- visuals.

Think for a moment about all the great companies, products, media sites, and networks that you interact with daily.

When you scrolled through each of those items in your mind, did you see their names as plainly printed words? Probably not. If you are like most people, you saw the logos of the companies; or if you were thinking about a specific product, like McDonald’s chicken nuggets, your mind summoned forth a product image.

Images are basically a compression algorithm that the brain easily and readily uses to unzip bundles of data whenever presented with the image. Now consider what a brand and logo really is… it is a simple word, phrase, or symbol that encapsulates the values, products, services, and history of an organization or idea. Icons can serve this purpose as well, as they can pack a complex meaning into a simple picture.

When it comes to building a successful awareness training program, you should always be seeking ways to embed volumes of meaning into simple, instantly digestible, images. For any behavior that you want to train on (password management, tailgating, incident reporting, secure document handling, etc.), consider the fullness of your message. And, as part of your training campaign, create compelling visuals and icons that represent that behavior. They can be photographs capturing the human impact of following (or not following) that behavior, or they can be icons placed at/near the point of behavior as context cues, and so on. The point is that the simple visual acts to ‘unzip’ the broader information bundle within the learner’s mind. That’s powerful!

Repetition is Magic

Remember that Britney Spears song that you hated the first few times you heard it? Then before you know it, the song is on auto-loop in your brain and you find yourself physically grooving to the music the next time you hear it. There’s a reason for that… and that reason emerges in all forms of communication, from the way words are used, to music, as well as imagery.

Here’s the reason: familiarity breeds likability. Cognitive scientists refer to this as the familiarity effect or the mere-exposure effect.

One marker of a mature security awareness program is the seriousness the program leaders place on consistency in the visual and textual components of their communication. These security leaders approach their awareness programs with an entrepreneurial mindset and treat the branding aspects of the program with the same zeal.

Another reason to use repetition in the awareness context is that you are always battling the “decay of knowledge.” Simply stating something once will not likely have a lasting impact. As a result, your once-per-year training marathons are (sorry to say this) next to useless in shaping behavior. Instead, you need to adopt this mindset: If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times…

That’s why you remember phrases like, “See something. Say something.”

The Power of Imagery & Color

It’s super important for us to understand and appreciate the power of imagery. To be human is to inherently understand the power of pictures. The moment an image hits our retinas, our mind decodes not only the data in that image, but also assigns any preconditioned emotional response. So, imagery is important if you want to evoke or enhance the emotional impact of your security-related messaging. Simple text-based security awareness messaging will always be less effective than messaging that includes well thought out and designed visual components.

A discussion about images and design wouldn’t be complete without talking about the use of color. Colors serve a much greater purpose than just being pretty. Colors imply meaning, can evoke emotion, and help establish context. While there are some general rules of thumb that you can use when working with color, it’s important to recognize that the intended meaning behind your color choices may not be interpreted the same by everyone in your audience; there are no hard-and-fast rules.

One of the best ways to think about how to use color is to see what already exists that is like what you want to communicate. Let’s say you wanted to build messaging related to how employees can secure their home networks and help their kids make better security decisions. You may have already defined the practices and now you are trying to figure out how to package and promote the information.

If you aren’t an experienced designer (or even if you are), this is where Google can be your friend. You don’t have to understand color theory, have a degree in marketing, or have studied the psychology of color to create something that can be great. Just enter brand names or search terms related to family, kids, childhood, and so on, and look at the image results. In this example, you’d quickly notice that many of the colors commonly associated with family, kids, and childhood are yellow, orange, green, light blue, and sometimes purple. And after seeing these examples, you can piece together plausible reasons why these colors have become the cultural reference point for the scenarios that you want to relate to. Green is typically associated with life and growth. The orange and yellows can be reminiscent of the sepia tones that we associate with memory and nostalgia; and so on. That’s a valuable starting place. In this Googling exercise you may even come across examples of font styles and images that you may want to use in your messaging. This is way better than starting with a blank page and agonizing about how to begin.

I couldn’t begin to cover all the critical areas or pitfalls of design. Here are some suggested books if you want to take a deeper-dive into color, and design principles in general:

  • slide:ology by Nancy Duarte
  • Superpowers of Visual Storytelling by Laura Stanton and David LaGesse
  • Design Elements, Color Fundamentals: A Graphic Style Manual for Understanding How Color Affects Design by Aaris Sherin
  • Presentation Zen by Garr Reynolds
  • The Senses: Design Beyond Vision, edited by Ellen Lupton

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Internet-Exposed IBM BigFix Relays May Lead to Full Remote Compromise Thu, 21 Mar 2019 04:50:52 -0500 Internet-facing relays in IBM BigFix deployments could lead to information disclosure and potential full remote compromise if not properly configured, Atredis Partners security researchers have discovered. 

Tracked as CVE-2019-4061 and affecting BigFix Platform versions 9.5 - 9.5.11 and 9.2 - 9.2.16, the vulnerability is found in all deployments where relays that are exposed to the Internet are not configured as authenticating. 

This misconfiguration could allow an unauthenticated, remote attacker to query the relay and gather information about the updates deployed to the associated sites. 

“Internet-facing relays, if any, in a BigFix deployment might be configured as non-authenticating, which exposes the deployment to security risks,” IBM notes in an advisory.

“Security attacks in this context might mean unauthorized access to the relays and any content or actions, and download packages associated with them or to the Relay Diagnostics page that might contain sensitive information (for example: software, vulnerability information, and passwords),” IBM continues. 

According to Atredis Partners’ security researchers, BigFix deployments with external relays that lack authentication expose a very large amount of information to unauthenticated external attackers, and could even lead to full remote compromise. 

Some of the data an attacker could access includes server IP, server name, port numbers, digital signatures, and license information (details found in the masthead BigFix uses to publish info on installations), an index of configured sites, and a list of package names and versions. 

The researchers also note that the BigFix data is still accessible to an attacker with access to the internal network or to an externally connected system with an authenticated agent, even if relay authentication is enabled. 

“The best path to preventing a compromise through BigFix is to not include any sensitive content in uploaded packages,” the researchers note.

An Internet-wide survey Atredis Partners conducted revealed the existence of 1,458 BigFix relay servers with relay authentication disabled. The researchers say they were able to query the masthead and obtain information on each of the discovered relays.

“This list included numerous government organizations, large multinational corporations, health care providers, universities, insurers, major retailers, and financial service providers, along with a healthy number of technology firms,” the researchers reveal. 

After being informed on the vulnerability, the BigFix team updated the documentation and took steps to notify affected customers, a process completed as of March 18, Atredis Partners says. 

IBM recommends addressing the vulnerability by configuring Internet-facing relays in BigFix deployment as “authenticating”. This would allow only BigFix clients in one’s environment to connect to the relay and would also ensure that all communication will take place through TLS (HTTPS). 

“This configuration also prevents any unauthorized access to the Relay Diagnostics page,” IBM notes. 

To enable the relays for authentication, one should head to the BES Support website and find the BES Client Settings: Enable Relay authentication fixlet. Next, they simply need to run the fixlet and wait for the action to finish.


1 Million Apps Patched in Android Security Improvement Program Fri, 01 Mar 2019 06:28:21 -0600 Over its five-year lifetime, the Android Application Security Improvement Program helped over 300,000 developers to fix more than 1,000,000 apps on Google Play, Google says.

The program was launched to help the Android ecosystem thrive by helping developers improve the security of their applications and eliminate vulnerabilities from them.

Through this initiative, Google scans all applications submitted to the official storefront to determine if a variety of vulnerabilities are present. Should any issues emerge, the Internet giant then alerts the developer and helps them address the issues. 

This allowed the Internet giant to fix over 1,000,000 apps since the Application Security Improvement Program’s launch. Last year, the program helped over 30,000 developers fix over 75,000 apps, the company says. 

“The downstream effect means that those 75,000 vulnerable apps are not distributed to users with the same security issues present, which we consider a win,” Patrick Mutchler and Meghan Kelly of the Android Security & Privacy Team note in a blog post.

The program covers a large variety of problems in Android applications, including vulnerabilities in certain versions of popular libraries, and other issues with broader impact. 

The Internet search giant says it also focuses on improving existing checks and expanding them to cover more classes of security vulnerabilities, to ensure the program evolves to cover emerging exploits. 

Last year, it added warnings for SQL Injection, File-based Cross-Site Scripting, Cross-App Scripting, Leaked Third-Party Credentials, Scheme Hijacking, and JavaScript Interface Injection. 

“Think of it like a routine physical. If there are no problems, the app runs through our normal tests and continues on the process to being published in the Play Store. If there is a problem, however, we provide a diagnosis and next steps to get back to healthy form,” Mutchler and Kelly note. 



The Role of Analytics in Protecting Healthcare Data Privacy and Security Wed, 27 Feb 2019 04:08:00 -0600 Healthcare has traditionally had a weaker security profile than most other industries. On the one hand, it is a favorite target for ransomware attacks, and for hackers looking to steal confidential patient records that have a high resale value on the black market. On the other, healthcare experiences more insider attacks than any other industry.  

Recent research reveals that healthcare companies face their biggest threats from malicious insiders that abuse their access privileges to view or exfiltrate personally identifiable information (PII) and protected health information (PHI) data. Verizon’s 2018 Protected Health Information Data Breach Report noted that 58 percent of data breaches in healthcare stem from employees or contractors.    

Clearly, payers and providers are severely challenged to prevent both insider and outsider attacks on patient and corporate data.   

To limit these threats, progressive organizations are using real-time analytics and risk-scoring to automate security controls. This approach monitors the behavior of users and devices, and applies analytics to risk-score them. When anomalies from normal patterns are detected, the risk score increases.   

The Insider Threat Landscape

Insider threats pose the biggest challenge to healthcare organizations because they can happen without triggering any security alarms.

A trusted employee can steal confidential patient and corporate information, or tamper with it, and even sabotage systems. While many insider attacks are carried out by disgruntled employees, some can be unintended or simply human error. For example, an employee might mistakenly send confidential information to another employee or to an outsider, or give network access to someone who should not have it.   

In some cases, outsiders use social engineering to trick employees into giving up their account credentials. Such ploys include a spoofed email, phishing scheme or a “call from IT” seeking a person’s ID and password.  

Top Insider Violations

Some of the most common insider threat incidents in healthcare include:

  • Snooping on the medical records of friends, family, neighbors, and celebrities
  • Sending sensitive data to personal accounts, competitors, or bad actors
  • Printing, downloading and exporting patient records and reports  

Most of these activities can be partially addressed by monitoring activity logs from Electronic Medical Records (EMR) Systems such as Allscripts, Cerner, and Epic and from security tools including firewalls, VPNs, etc. However, manual monitoring is incapable of identifying and remediating threats in real-time. This is where data analytics come into play.  

Security analytics powered by machine learning lets healthcare organizations analyze large volumes of data in real time and detect anomalous behavior. Machine learning uses historical data to build behavior baselines for users, devices and other entities.

These baselines, which are used to identify deviations from normal patterns, are self-adjusting and change as the user and entity behaviors change. Such capabilities can be used not just to monitor behaviors, but to assign risk scores to individual users and devices — resulting in highly accurate information that singles out potentially risky activity in real time.   

Analytics and risk scoring facilitate the automation and orchestration of security decisions. Sometimes called model-driven security, this approach can respond to threats with the speed and accuracy of a machine by enforcing new controls when activity exceeds pre-determined risk thresholds.   

Real-time Detection and Prevention of Insider Threats

As a real-time security control, model-driven security collects every piece of enterprise data that can be correlated back to a single user identity: proxy logs, entitlements, the actions taken using those entitlements, and anything else that can be brought into a data warehouse. Behavioral models are then applied to that data to develop a risk score for each user in the company.

Risk scores are like credit scores. Just as a credit score moves up and down with money owed and payment history, a user’s risk score fluctuates with the actions taken using their access permissions. The score is adjusted dynamically, based on the user’s behavior.

In this way, an insider’s risk score can serve as a dynamic security control. If the score is high, the organization can block the user’s account. Or, if it’s medium-risk, the user can be prompted to call in to the help desk to verify his or her identity. This has been historically impossible to do without the ability to risk score users dynamically. When a user’s risk score increases in a short amount of time, or exceeds a threshold, the organization can send out an alert, lock an IP address, restrict all traffic via DLP, open a security incident, etc.   
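As an added example (not code from the article or from any vendor product), the baseline, scoring and control loop described above, in Python over constructed daily EMR audit summaries. The metrics, weights and thresholds are illustrative assumptions; a real deployment would tune them against its own history.

```python
"""Dynamic user risk scoring over EMR audit activity with threshold-driven controls.

Added example, not code from the article or from any vendor product. The audit
records are constructed; the per-user baseline, the weights and the thresholds
are assumptions chosen to illustrate the mechanism, not tuned values.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily audit summaries: (user, day, patient records viewed,
# records viewed after hours, export/print operations). Fourteen days of normal
# history per user, then one day to score.
HISTORY = [("nurse_a", d, 30 + d % 3, 0, 0) for d in range(1, 15)] + \
          [("clerk_b", d, 12, 0, 1) for d in range(1, 15)]
TODAY = [("nurse_a", 15, 180, 25, 0),   # mass record viewing, much of it after hours
         ("clerk_b", 15, 13, 0, 1)]     # an ordinary day

METRICS = ("views", "after_hours", "exports")
WEIGHTS = {"views": 10, "after_hours": 15, "exports": 25}   # assumed weights


def baselines(history):
    """Per-user (mean, population std-dev) of each metric from the history."""
    samples = defaultdict(lambda: defaultdict(list))
    for user, _day, *values in history:
        for name, value in zip(METRICS, values):
            samples[user][name].append(value)
    return {user: {name: (mean(v), pstdev(v)) for name, v in m.items()}
            for user, m in samples.items()}


def risk_score(record, base):
    """Score 0-100. Each metric contributes its upward z-score (capped at 5) times
    its weight; a sigma floor of 1.0 keeps a flat baseline from dividing by zero."""
    user, _day, *values = record
    score = 0.0
    for name, value in zip(METRICS, values):
        mu, sigma = base[user][name]
        z = (value - mu) / max(sigma, 1.0)
        if z > 0:                       # only increases in activity add risk here
            score += min(z, 5.0) * WEIGHTS[name]
    return round(min(score, 100.0), 1)


def decide(score):
    """Map a score to the controls the article describes: alert, step-up, block."""
    if score >= 70:
        return "block_account"
    if score >= 40:
        return "step_up_verification"   # e.g. call the help desk to confirm identity
    if score >= 20:
        return "alert"
    return "allow"


def evaluate(today, history):
    """Score each of today's records against the historical baseline and pick a control."""
    base = baselines(history)
    result = {}
    for record in today:
        score = risk_score(record, base)
        result[record[0]] = (score, decide(score))
    return result


if __name__ == "__main__":
    for user, (score, action) in evaluate(TODAY, HISTORY).items():
        print(f"{user}: score={score} action={action}")
```

The sigma floor matters more than it looks: a user whose history is perfectly flat (zero after-hours views for two weeks) would otherwise produce an infinite z-score on the first deviation, and a flat baseline is exactly what most back-office accounts have.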

Risk-scoring using analytics enables healthcare organizations to predict, detect and prevent insider threats, in ways that are impossible using static rules. It reduces much of the friction imposed by conventional security mechanisms, while providing continuous risk monitoring and real-time intervention when and where warranted.   

About the author: Nilesh Dherange is CTO of security and fraud analytics vendor Gurucul, and an expert on identity, data science and machine learning. Nilesh was an integral member of identity technology vendor Vaau, which was acquired by Sun Microsystems. He also co-founded BON Marketing Group and created BON Ticker — a predictive analytics tool for online advertising.   

WINDSHIFT Hackers Target Government Agency in the Middle East Tue, 26 Feb 2019 10:02:28 -0600 A recently discovered threat actor was observed targeting a Middle Eastern government agency on several occasions over the course of last year, Palo Alto Networks security researchers reveal. 

Referred to as WINDSHIFT, the surveillance-focused threat actor is believed to have stayed unnoticed for a long time, in part by hacking other actors and re-using their malware.

In a report from last year (PDF), DarkMatter said WINDSHIFT was observed launching sophisticated and unpredictable spear-phishing attacks against specific individuals, rarely targeting corporate environments.

The group’s Tactics, Techniques and Procedures (TTPs) were said to resemble those of Bahamut, a threat actor security researchers also linked to Urpage last year.

Following a long reconnaissance period, which could take several years, the group would attempt to steal the victim’s credentials by sending fake emails prompting the victim to reset their password for Gmail, Apple iCloud, Etisalat (the main ISP in the UAE), or a professional email account.

Should the credential harvesting fail, the actor then attempts to infect the victim with malware, also via email. The actor would then attempt to erase all traces of the attacks by shifting to a new infrastructure, gaining access to new malware, and shutting down malicious domains. 

The cyber-espionage group is known to be using macOS-targeting malware, namely WINDTAIL backdoor for file exfiltration, WINDTAPE backdoor for taking screenshots, and WINDTAIL downloader for WINDTAPE. The group is also believed to be using WINDDROP, a Windows-targeting downloader. 

Now, Palo Alto Networks says it has observed WINDSHIFT attacks unfolding at a Middle Eastern government agency between January and May of 2018.

In early January 2018, an initial attack featuring a WINDTAIL sample was observed originating from the remote IP address 109.235.51[.]110 to a single internal IP address within the government agency. 

The IP was associated with the domain flux2key[.]com, and the malware’s command and control (C&C) server IP address 109.235.51[.]153 was associated with the domain string2me[.]com, both known WINDSHIFT domains. 

Palo Alto Networks says that several other WINDTAIL samples originating from 109.235.51[.]110 were observed being directed at the same internal IP address from January through May 2018. 

All related WINDTAIL samples were macOS app bundles in zip archives. One of them used the C&C server IP address 185.25.50[.]189, which was associated with the domain domforworld[.]com at the time of the activity.

Palo Alto Networks says it “assesses with high confidence that both the IP address 185.25.50[.]189 and the domain domforworld[.]com are associated with WINDSHIFT activity. Additionally, the IP addresses 109.235.51[.]110 and 109.235.51[.]153, corresponding to the previously validated WINDSHIFT domains flux2key[.]com and string2me[.]com, respectively, were also observed in use during this campaign.”

One of the attacker-owned IP addresses (109.235.50[.]191) was previously associated with Operation Hangover (which was analyzed several years ago), strengthening the previously identified relation between Operation Hangover and WINDSHIFT activity.

Palo Alto Networks also believes the attackers were unable to establish persistence within the targeted environment, given the multiple inbound WINDTAIL samples directed at the same internal IP address. 
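As an added example (not code from the article or from Palo Alto Networks), a small Python sweep that refangs the indicators the article lists, matches them against constructed firewall and DNS log lines, and then counts which internal host the indicators kept touching, the pattern the article reads as failed persistence. The log format and the internal addresses are assumptions.

```python
"""Refang published indicators and sweep constructed connection and DNS logs for them.

Added example, not code from the article or from Palo Alto Networks. The
indicator values are the ones the article reports for WINDSHIFT; the log lines
and their key=value format are constructed for the example.
"""
import ipaddress
import re

# Defanged indicators exactly as the article prints them
WINDSHIFT_IOCS = [
    "109.235.51[.]110", "109.235.51[.]153", "185.25.50[.]189",
    "flux2key[.]com", "string2me[.]com", "domforworld[.]com",
]


def refang(ioc):
    """Undo the common defanging conventions so the value can be compared to logs."""
    for old, new in (("[.]", "."), ("(.)", "."), ("(dot)", "."),
                     ("hxxps://", "https://"), ("hxxp://", "http://")):
        ioc = ioc.replace(old, new)
    return ioc.strip().lower()


def split_iocs(iocs):
    """Separate indicators into an IP set and a domain set after refanging."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:              # not an IP literal, so treat it as a domain
            domains.add(value.rstrip("."))
    return ips, domains


# Constructed log lines (not real data): firewall flows and DNS queries.
LOG = """\
2018-01-09T08:12:44Z fw allow src=109.235.51.110 dst=10.20.30.40 proto=tcp dport=443
2018-01-09T08:13:02Z dns query=string2me.com client=10.20.30.40
2018-01-09T09:01:10Z fw allow src=203.0.113.7 dst=10.20.30.41 proto=tcp dport=80
2018-02-14T07:55:31Z fw allow src=109.235.51.110 dst=10.20.30.40 proto=tcp dport=443
2018-03-02T10:15:00Z dns query=www.domforworld.com client=10.20.30.44
"""

KV = re.compile(r"(\w+)=(\S+)")


def match_logs(log_text, iocs):
    """Return (timestamp, matched indicator, internal host) for each hit.

    IPs are matched exactly on src/dst; domains match the query itself or any
    subdomain of it, since actors rotate hostnames under a domain they control.
    """
    ips, domains = split_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        matched = None
        for key in ("src", "dst"):
            if fields.get(key) in ips:
                matched = fields[key]
        query = fields.get("query", "").lower().rstrip(".")
        for domain in domains:
            if query == domain or query.endswith("." + domain):
                matched = query
        if matched:
            hits.append((line.split()[0], matched,
                         fields.get("dst") or fields.get("client")))
    return hits


def repeated_targets(hits):
    """Internal hosts that indicators touched more than once; repeated inbound
    attempts against one host are what the article reads as failed persistence."""
    counts = {}
    for _ts, _ioc, host in hits:
        counts[host] = counts.get(host, 0) + 1
    return {host: n for host, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = match_logs(LOG, WINDSHIFT_IOCS)
    for hit in found:
        print(hit)
    print("repeatedly targeted:", repeated_targets(found))
```

Keep the indicators defanged at rest and refang only at match time; a list that is pasted around with live domains in it gets clicked.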



The Rise of Ransomware and the Consequences for SMBs Thu, 21 Feb 2019 02:59:54 -0600 Ransomware has been making a lot of splashy headlines over recent years with high profile attacks, such as WannaCry and NotPetya, dominating the news in large-scale breaches. While these massive breaches are certainly terrifying, the more common attacks are actually being inflicted across much smaller businesses, though on a large scale.

Large enterprises have substantial IT resources and dedicated security teams, so they are more likely to stop an attack before damage is done or to survive one. Overall business detections of malware rose by 79% in 2018, with major ransomware families such as SamSam and GandCrab targeting smaller organizations such as hospitals, city services departments and consumer networks.

SMBs – Ideal Ransomware Targets

Smaller businesses may think that these attacks aren’t relevant to them. However, that would be far from the truth. SMBs tend to make ideal targets for cyber criminals because hackers are well aware that SMBs frequently lack the security that enterprises take seriously. Today, we are seeing more and more non-enterprise organizations being targeted with ransomware, since they house a lot of valuable, private data.

These SMBs are being approached in increasingly sophisticated ways, with phishing attacks being the most common attack vector for ransomware. While the traditional phishing email will try to trick users into providing personal and banking information, hackers are using less obvious phishing emails and more targeted spear phishing emails, as well as turning to social engineering and browser extensions to hide malicious code that will infect a user’s computer, which in turn infects the network it is connected to. For SMBs that do not have the IT expertise or a proper spam/phishing blocking solution in place, this can be a costly lesson to learn, and, in extreme cases, can ruin a business. Employees’ behavior can exacerbate the issue since SMBs often lack the resources to properly train them to understand what a phishing or malicious email looks like; this ignorance can inadvertently cause significant destruction for the business.

How Can Small Businesses Protect Themselves?

  • Have a clear, defined and regularly updated cybersecurity strategy. This means covering all points of entry and having an end-to-end solution on your network.
    • Protect the network at the gateway with a next-generation firewall solution that blocks spam, viruses, phishing and malware before they ever reach employees and their devices.
    • Protect endpoints and ensure each endpoint has a security solution installed and regularly updated.
  • Assign owners to check and update your security, especially if you are unable to hire dedicated IT or security staff.
  • Back up data regularly to a safe source, preferably both onsite and offsite or in the cloud. If you have multiple copies of your data, you can recover via backup without having to worry about paying the ransom in the event of an attack.
  • Arm yourself with information, and learn to spot suspicious websites, links, browser extensions and emails. Educating employees to not click on suspicious emails, or open attachments from unknown users, is a critical part of cybersecurity hygiene.
  • Consider ransomware insurance, which has been growing in popularity in recent years.
  • Lock down administrative rights, and keep systems and apps up to date with the latest patches to ensure vulnerabilities are not exploited.

Steps to Take if Ransomware Does Make it onto Your Network

This may seem counterintuitive, but don’t pay the ransom. Paying a cyber criminal doesn’t guarantee the recovery of your files, and many of the SMBs who have paid ransoms have reported being unable to recover data. If you are a victim of a malicious attack, ransomware or otherwise, it is important to lock down the network and devices to ensure it cannot spread further. Using powerful anti-malware solutions can help to identify and remove the ransomware. If you have backups, you can restore the data and systems that have been affected without paying the ransom.

Ransomware works; that’s why hackers keep honing their techniques. SMBs need to be especially careful when it comes to cybersecurity and should work with vendors that understand their unique security needs. The most important thing SMBs can do is protect the network at the gateway to keep ransomware from ever reaching users. Having safe, secure backups of information is like an insurance policy to provide access to critical data in the event of an attack. Last but not least, education is critical for users to understand threats, and IT personnel to deploy the proper defenses against them. 

About the author: Timur Kovalev serves as the CTO at Untangle and is responsible for driving technology innovation and integration of gateway, endpoint, and cloud technologies. Timur brings over 20 years of experience across various technology stacks and applications. Prior to joining Untangle, Timur headed up Client and Threat Intelligence Technology at Webroot, where he led development of desktop and mobile solutions, cloud intelligence services, and research automation systems.

Copyright 2010 Respective Author at Infosec Island
Trump Administration Starts the Ball Rolling with the National Cyber Strategy
Tue, 19 Feb 2019 06:11:07 -0600

The Trump Administration has released a comprehensive National Cyber Strategy (NCS) that, if fully implemented, could address claims that the critical issue of cyberspace threats is not being taken seriously enough. The report outlines a plan that spans all federal agencies, directing how they should work separately and in tandem with private industry and the public to detect and prevent cyber attacks before they happen, as well as to mitigate damage in the aftermath.

The NCS is the first formal attempt in 15 years to plan and implement a national policy for the cyber arena, and it takes the form of a high-level policy statement rather than the more targeted instrument of a Presidential directive. The plan offers plenty in the way of big-picture goals, but critics will watch to see whether the details emerge in the coming months and years to fill in the gaps with specific action.

With the release, the Administration formally recognizes that cyberspace has become such an entwined part of American society as to be functionally inseparable. The bottom line is that cybersecurity now falls under the larger umbrella of national security and is not considered a standalone entity.

Army Lt. Gen. Paul Nakasone, speaking at his recent confirmation hearing for the position of leader of U.S. Cyber Command and the secretive National Security Agency, emphasized the importance of this moment in our national history: “We are at a defining time for our Nation and our military...threats to the United States’ global advantage are growing -- nowhere is this challenge more manifest than in cyberspace.”

Sifting through the digital pages of the NCS document reveals the Administration’s focus on the four conceptual pillars of National Security that now have been expanded to accommodate cyber concerns.

Pillar 1: Protecting and Securing the American Way of Life

Considering the present mashup state of the federal procurement process, the new aim is to secure government computer networks and information, primarily through tougher standards, cross-agency cooperation, and the strengthening of US government contractor systems and supply chain management. Electronic surveillance laws will also likely be bolstered, a reality that may result in the netting of more criminals but poses privacy concerns to those who think that the line has been smudged too many times in this area already.

Securing all levels of election infrastructure against hacks and misinformation falls into this category. If recent history is any indication, the coming 2020 presidential election will likely inspire a flurry of attempted cyber intrusions.

Pillar 2: Focus on American Prosperity

Operating on the assumption that economic security is intrinsically linked to national security, the NCS lays out a strategy to achieve financial strength through fortification of the technological ecosystem. Plans are to be developed to support and reward those in the marketplace who create, adopt, and push forward the innovation of online security processes.

Though debates over funds for national infrastructure are eternal, the discussion will now expand to include the security and promotion of technology infrastructure as well, especially as it relates to the 5G network protocol, quantum computing, blockchain technology, and artificial intelligence.  

Pillar 3: Peace Through Strength

As the world becomes ever more digitized, criminals have moved offline operations into cyberspace. Perhaps unsurprisingly, the Trump Administration intends to push back hard against efforts by both nation-state and non-state actors to disrupt, deter, degrade or destabilize.

National security advisor John Bolton, though refusing to specify operations or adversaries, emphasized the point to USA Today that aggressive action should be expected, saying, “We are going to do a lot of things offensively. Our adversaries need to know that.”

At least part of this offensive strategy will include the creation of an international framework (called the CDI, or Cyber Deterrence Initiative) charged with policing behavior in cyberspace and organizing a cooperative response against those who flout the standards. The CDI's stated goals will include countering sources of online disinformation and propaganda with its own brand of the same.

Pillar 4: Advance American Influence

By staking out an America-first role as thought and action leader in cyberspace, the NCS promises to take the lead in collaborating with like-minded partners to create and preserve a secure, free internet. Considering the well-known surveillance efforts of organizations like the Five Eyes, one can’t help but wonder if the term “internet freedom” is an oxymoron in the making with the government leading the way.

With the NCS, the Trump Administration has laid out a broad platform for addressing cybersecurity concerns. If it’s the down and dirty details of how exactly this will happen you seek, sorry to disappoint, but it’s not in there.

With the next big election close enough to smell, and Congress divided, little to nothing of legislative importance will likely unfold in the near future, including Democrats and Republicans finding the motivation to drag out their Crayons and fill in the president’s cybersecurity outline.

Until then, let’s hope the internet doesn’t implode under an onslaught of fake news, cat videos, and hackers gone wild. One thing you can bet your last dollar on -- the topic of cybersecurity won’t go away. Like national security in general, it will remain eternal fodder for future politicians to bat around. As to whether the NCS will actually make a difference, only time will tell.

Meanwhile, Nero fiddles and Rome burns.

About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.

A Call to Structure
Fri, 15 Feb 2019 05:15:00 -0600

When building a threat intelligence team you will face a range of challenges and problems. One of the most significant is how best to take on the ever-growing amount of threat intel. It might sound like a luxurious problem to have: the more intel the better! But if you take a closer look at what the available threat intelligence supply looks like, or rather the way it is packaged, the problem becomes apparent. Ideally, you would want to take this ever-growing field of threat intelligence supply and work to converge on a central data model – specifically, STIX (Structured Threat Information eXpression). STIX is an open standard language supported by the OASIS open standards body, designed to represent structured information about cyber threats.

This isn’t a solo effort, so first the intelligence team needs to align properly with the open standards bodies. I was thrilled to deliver our theories around STIX data modeling to the OASIS and FIRST communities at the Borderless Cyber Conference in Prague in 2017. (The slides from this are available for download here.) Our team took this to the next level as we started to include not just standard data structures in our work, but standardized libraries, including MITRE’s ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework that now forms a core part of our TTP (and, to some extent, Threat Actor) mapping across our knowledge base. We couldn’t have done it without the awesome folk at OASIS and MITRE. Those communities are still our cultural home.

So far, so good… but largely academic. The one thing I always say to teams who start planning their CTI journeys is: “Deploy your theory to practice ASAP – because it will change.” CTI suppliers know this all too well. In the ensuing months of our threat intel team, we faced the challenge of merging these supplier sources into a centralized knowledge base. We’re currently up to 38 unique source organizations (with 50+ unique feeds across those suppliers), around a third of those being top-flight commercial suppliers. And, of course, even in this age of STIX and MISP, we still see the full spectrum of implementations from those suppliers. Don’t get me wrong – universal STIX adoption is a utopia (this is my version of ‘memento mori’ that I should get my team to say to me every time I go on my evangelism sprees). And we should not expect all suppliers to ‘conform’ in some totalitarian way. But here is my question to you: Who designs your data model? I would love to meet them.

Now here’s the thing: If you’re anything like my boss, you probably don’t care how the data model is implemented – so long as the customer can get the data fields they need from your feed, what does it matter? REST + JSON everywhere, right? But the future doesn’t look like that. The one thing that the STIX standard is teaching people better than most other structured languages is the importance of decentralization. I should be able to use the STIX model to build intelligence in one location and have it be semantically equivalent (though not necessarily the same) as the equivalent built by a different analyst in another location. The two outputs should be logically similar – recognizably so, by some form of automated interpretation that doesn’t require polymorphism or a cryptomining rig to calculate – but different enough to capture the unique artistry of the analysts who created them. Those automatically discernible differences are the pinnacle of a shared, structured-intelligence knowledge base that will keep our data relevant, allow for automated cross-referencing and take the industry to the next level.

There is a downside, of course. The cost of implementation is the first hurdle – it may mean reengineering a data model and maybe even complete rebuilds of knowledge repositories. With any luck, it can just be a semantic modelling (similar to what I presented at Borderless Cyber, but instead of STIX 1.2 → STIX 2.1, just → STIX 2.1) that you can describe with some simple mapping and retain your retcon. But perhaps the biggest elephant in the room is that aligning all suppliers to a common data model means leaving people open to de-duplication and cross-referencing. As we start to unify our data models, that “super-secret source” that was actually just a re-package of some low-profile, open source feed is going to get doxed. We think this is a good thing – data quality, uniqueness and provenance will speak for themselves, and those suppliers who vend noise will lose business. This should be an opportunity rather than a threat, and hopefully it will reinforce supplier business models to provide truly valuable intelligence to customers.
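
To make the “semantically equivalent but not identical” point and the de-duplication point concrete, here is an added Python example (mine, not code from the article or from EclecticIQ) that reduces two constructed STIX 2.1 bundles from hypothetical suppliers to supplier-independent keys, so that the same indicator, attack pattern or relationship can be recognised across feeds and each supplier's genuinely unique contribution measured. The supplier names, STIX identifiers and observables are invented, and the pattern canonicalisation is a deliberate simplification of what a real STIX pattern parser would do.

```python
"""Added example, not code from the article or from EclecticIQ: two constructed
STIX 2.1 bundles from hypothetical suppliers are reduced to supplier-independent
semantic keys so that objects that say the same thing can be cross-referenced
and de-duplicated. Supplier names, STIX IDs and observables are invented."""
from __future__ import annotations
from collections import defaultdict

# Constructed feeds. Both tie one phishing domain to ATT&CK T1566, but pattern
# spacing, attack-pattern names and STIX IDs differ; the ATT&CK external_id is
# the stable hook between them.
FEEDS = {
    "acme-premium": {"type": "bundle", "id": "bundle--3c1f5e7a-9b2d-4c4e-8f6a-1d2e3f4a5b6c", "objects": [
        {"type": "indicator", "id": "indicator--5d3a7a2e-1b3c-4e9f-8a7d-0b1c2d3e4f50",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "attack-pattern", "id": "attack-pattern--9c6f8e1a-2b4d-4c6e-8f0a-1b2c3d4e5f60",
         "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "relationship", "id": "relationship--1e2d3c4b-5a69-4788-9a0b-c1d2e3f4a5b6",
         "relationship_type": "indicates",
         "source_ref": "indicator--5d3a7a2e-1b3c-4e9f-8a7d-0b1c2d3e4f50",
         "target_ref": "attack-pattern--9c6f8e1a-2b4d-4c6e-8f0a-1b2c3d4e5f60"},
    ]},
    "osint-community": {"type": "bundle", "id": "bundle--8e7d6c5b-4a39-4281-9f0e-1d2c3b4a5968", "objects": [
        {"type": "indicator", "id": "indicator--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
         "pattern_type": "stix", "pattern": "[ domain-name:value='update-check.example' ]"},
        {"type": "indicator", "id": "indicator--7f6e5d4c-3b2a-4190-8f7e-6d5c4b3a2918",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "attack-pattern", "id": "attack-pattern--c0ffee00-1234-4abc-9def-000000000001",
         "name": "Phishing (email lure)",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "relationship", "id": "relationship--ab12cd34-ef56-4a78-9b01-c2d3e4f5a6b7",
         "relationship_type": "indicates",
         "source_ref": "indicator--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
         "target_ref": "attack-pattern--c0ffee00-1234-4abc-9def-000000000001"},
    ]},
}


def canonical_pattern(pattern: str) -> str:
    """Drop whitespace outside single-quoted literals. Simplification: a real
    STIX pattern parser would also handle escaped quotes, operator ordering
    and comparison-expression equivalence; this removes formatting noise only."""
    out, in_literal = [], False
    for ch in pattern:
        if ch == "'":
            in_literal = not in_literal
        if in_literal or not ch.isspace():
            out.append(ch)
    return "".join(out)


def attack_id(obj: dict) -> str | None:
    """ATT&CK technique ID from external_references, if the object carries one."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def semantic_key(obj: dict, by_id: dict[str, dict]) -> tuple | None:
    """Supplier-independent identity for an object, or None if none can be built."""
    t = obj["type"]
    if t == "indicator":
        return (t, canonical_pattern(obj["pattern"]))
    if t == "attack-pattern":
        return (t, attack_id(obj) or obj["name"].strip().lower())
    if t == "relationship":  # a relationship's identity is its endpoints' identities
        src, tgt = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
        if src is None or tgt is None:
            return None
        skey, tkey = semantic_key(src, by_id), semantic_key(tgt, by_id)
        if skey is None or tkey is None:
            return None
        return (t, skey, obj["relationship_type"], tkey)
    return None  # other SDO types would need their own keying rules


def index_feeds(feeds: dict[str, dict]) -> dict[tuple, list[tuple[str, str]]]:
    """Map each semantic key to the (supplier, stix_id) pairs that express it."""
    index = defaultdict(list)
    for supplier, bundle in feeds.items():
        by_id = {o["id"]: o for o in bundle["objects"]}
        for obj in bundle["objects"]:
            key = semantic_key(obj, by_id)
            if key is not None:
                index[key].append((supplier, obj["id"]))
    return dict(index)


def shared_knowledge(feeds: dict[str, dict]) -> dict[tuple, list[tuple[str, str]]]:
    """Keys that more than one supplier expresses: the cross-reference table."""
    return {k: v for k, v in index_feeds(feeds).items() if len({s for s, _ in v}) > 1}


def provenance_report(feeds: dict[str, dict]) -> dict[str, dict[str, int]]:
    """Per supplier: distinct pieces of knowledge shipped, and how many nobody
    else ships. A 'unique' count of zero means the feed is a re-package."""
    report = {s: {"distinct": 0, "unique": 0} for s in feeds}
    for holders in index_feeds(feeds).values():
        suppliers = {s for s, _ in holders}
        for s in suppliers:
            report[s]["distinct"] += 1
            report[s]["unique"] += int(len(suppliers) == 1)
    return report
```

`provenance_report(FEEDS)` reports that acme-premium ships nothing the community feed lacks, which is exactly the re-packaging the paragraph above predicts will be exposed once data models line up. Keying attack patterns on the ATT&CK external_id rather than the name is what makes the cross-reference robust, and relationships are keyed on the keys of their endpoints, so two analysts' differently-identified graphs still collapse to the same edges.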

About the author: Chris O'Brien is the Director Intelligence Operations at EclecticIQ. Prior to his current role, Chris held the post of Deputy Technical Director at NCSC UK specialising in technical knowledge management to support rapid response to cyber incidents.

What CEOs Need to Know About the Future of Cybersecurity
Thu, 14 Feb 2019 06:09:00 -0600

Until recently, Chief Executive Officers (CEOs) received information and reports encouraging them to consider information and cyber security risk, but not all of them understood how to respond to those risks or what the implications were for their organizations. In today's global business climate the CEO, and every member of the organization's board of directors (BoD), needs a thorough understanding of what has happened and of why the underlying risks must be properly understood and responded to. Without this understanding, risk analyses and the decisions that follow from them may be flawed, leading organizations to take on more risk than they intended.

After reviewing the current threat landscape, I want to call specific attention to four prevalent areas of information security that all CEOs need to be familiar with in the day to day running of their organization.

Risk Management

Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. Over the past few years, we've seen cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organizations unawares.

CEOs must be prepared for the unpredictable so that their organizations have the resilience to withstand unforeseen, high-impact events. Cybercrime, the rise of online causes (hacktivism), the growing cost of compliance with an uptick in regulatory requirements, and relentless advances in technology, all against a backdrop of under-investment in security departments, can combine into the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case for investing in resilience, and so to minimize the impact of the unforeseen.

Avoiding Reputational Damage

Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous, and pose more risks, to an organization’s reputation. In addition, brand reputation and the trust dynamic that exists amongst suppliers, customers and partners have appeared as very real targets for the cybercriminal and hacktivist. With the speed and complexity of the threat landscape changing on a daily basis, all too often we’re seeing businesses being left behind, sometimes in the wake of reputational and financial damage.

CEOs need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping their organizations better to deal with attacks on their reputations. This may seem obvious, but the faster you can respond to these attacks on reputation, the better your outcomes will be.

Securing the Supply Chain

When I look for key areas where information security may be lacking, one place I always come back to is the supply chain. Supply chains are the backbone of today’s global economy and businesses are increasingly concerned about managing major supply chain disruptions. Rightfully so, CEOs should be concerned about how open their supply chains are to various risk factors. Businesses must focus on the most vulnerable spots in their supply chains now. The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand.

Being proactive now also means that you – and your suppliers – will be better able to react quickly and intelligently when something does happen. In extreme but entirely possible scenarios, this readiness and resiliency may dictate competitiveness, financial health, share price, or even business survival.

Employee Awareness and Embedded Behavior

Organizations continue to invest heavily in 'developing human capital'; no CEO's speech or annual report would be complete without stating its value. The implicit idea has been that awareness and training always deliver some kind of value with no need to prove it, and that employee satisfaction was evidence enough. This is no longer the case. Today's CEOs often demand return-on-investment forecasts for the projects they have to choose between, and awareness and training are no exception: evaluating and demonstrating their value is becoming a business imperative. Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, previous experiences, achievements and goals.

While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk. The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater. CEOs have become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the CEO and other members of the senior management team.

Stay Ahead of Possible Security Stumbling Blocks

Businesses of all shapes and sizes are operating in a progressively cyber-enabled world and traditional risk management isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates the threat vectors from a position of business acceptability and risk profiling. 

Organizations have varying degrees of control over evolving security threats and with the speed and complexity of the threat landscape changing on a daily basis, far too often I’m seeing businesses getting left behind, sometimes in the wake of reputational and financial damage. CEOs need to take the lead and take stock now in order to ensure that their organizations are better prepared and engaged to deal with these ever-emerging challenges.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Who’s Responsible for Your Cyber-Security?
Tue, 12 Feb 2019 05:56:00 -0600

Threats to online security are constantly evolving, and organisations are more aware than ever of the risks they pose. But no matter how seriously most businesses view cyber security, many still fall short of properly addressing some of the biggest issues. In fact, recent figures from the government show that over four in ten UK businesses have suffered a cyber breach or attack within the last 12 months.

Two of the most common attack types come down to basic computer hygiene: fraudulent emails, and cyber criminals impersonating organisations. The bigger question isn’t how to secure your business, but who takes ownership of the cyber security process.

Not just the IT department’s responsibility

The responsibility for an organisation’s cyber security often falls on the IT department, which historically dealt with the security of IT systems. At face value this makes sense - as the resident tech experts, the IT department is often best positioned to choose the tools and solutions that make a business secure.

In general, these tools serve the purpose of assessing and encrypting your sensitive information, or blocking malicious activity at the source. But cyber threats can often begin outside the IT department. It only takes a single staff member opening a malicious attachment or clicking on a link in a phishing email for hackers to find a way in, and sometimes even the most sophisticated cyber security solutions can’t prevent this.

This makes it next to impossible for the IT department to keep the entire organisation secure, since they can’t be constantly monitoring every person’s click of the mouse. The onus, therefore, falls on every single staff member within the organisation to be cyber aware.

Do the board need to be involved?

High-profile, malicious attacks, such as WannaCry and NotPetya, have grown increasingly prolific in recent years. The potentially devastating effects of these attacks have meant that cyber security has become an integral facet of an organisation’s risk assessment and management.

But despite the prevalence of these successful attacks, there is often still a lack of understanding amongst some board members when it comes to tackling these threats – in fact, our analysis found that only 30% of senior leadership teams have an in-depth understanding of the risks associated with evolving cyber threats.

Flagging the importance of cyber awareness with the board is therefore essential, particularly to increase their awareness of the most common cyber threats and any potential security gaps. More pressingly, the board often have direct access to the most sensitive data within your organisation, which makes them the perfect target for potential cyber criminals. Arming the board with the tools and knowledge to spot potentially malicious emails, links or attachments – in the same way that you would the rest of the organisation – could help to prevent potentially disastrous consequences. 

It’s everybody’s responsibility

Although cyber security certainly does need to be a board-level concern, it’s still important to remember that the safety of your organisation is everybody’s responsibility. As a security and technology expert within the business, you have an integral role in ensuring that everybody’s knowledge is up to scratch.

Thoroughly educating staff on the warning signs to look out for in order to spot a malicious email, or activities that they should avoid when using business devices can greatly improve the overall cyber security of your business. When combined with encryption, and other online security tools, the likelihood of experiencing a cyber attack can be greatly diminished. Cyber security is everybody’s responsibility – make sure that staff have the tools, and the knowledge, to do it properly.

Matt Johnson is Chief Technology Officer at Intercity Technology. With over 25 years’ business and technical experience in providing IT solutions, Matt’s expertise covers the design, implementation, support and management of complex communications networks.

CERT/CC Warns of Vulnerabilities in Marvell Avastar Wireless SoCs
Fri, 08 Feb 2019 10:57:12 -0600

The CERT Coordination Center (CERT/CC) has issued a vulnerability note providing information on a series of security issues impacting Marvell Avastar wireless system on chip (SoC) models.

Initially presented by Embedi security researcher Denis Selianin at the ZeroNights conference on November 21-22, 2018, and tracked as CVE-2019-6496 (CVSS score 8.3), the vulnerability could allow an unauthenticated attacker within Wi-Fi radio range to execute code on a vulnerable system.

The security researcher discovered multiple vulnerabilities in the Marvell Avastar devices (models 88W8787, 88W8797, 88W8801, and 88W8897), the most important of which is a block pool overflow during Wi-Fi network scanning.

The vulnerability can be exploited via malformed Wi-Fi packets during identification of available Wi-Fi networks. 

“During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures. Because many devices conduct automatic background network scans, this vulnerability could be exploited regardless of whether the target is connected to a Wi-Fi network and without user interaction,” the CERT/CC vulnerability note reads.

Depending on the implementation, the attack could result in either network traffic interception or in achieving code execution on the host system. 

Marvell has already acknowledged the issue and released a statement revealing that it has already deployed a fix in their standard driver and firmware. 

“We have communicated to our direct customers to update to Marvell’s latest firmware and driver to get the most recent security enhancements, including support for WPA3,” Marvell said. 

Given that the vulnerability requires the attacker to be within Wi-Fi radio range of the target, users can mitigate exploitation by restricting access to the area around vulnerable devices. Disabling Wi-Fi on systems that have other connectivity options should also prevent the attack, CERT/CC says. 

“Marvell is not aware of any real world exploitation of this vulnerability outside of a controlled environment,” Marvell noted, encouraging customers to contact their Marvell representative for additional support.  

The United States Computer Emergency Readiness Team (US-CERT) also encourages users and administrators to review CERT/CC’s Vulnerability Note and to refer to vendors for appropriate updates.
