Infosec Island Latest Articles

How Extreme Weather Will Create Chaos on Infrastructure
Wed, 21 Oct 2020 05:40:26 -0500

Extreme weather events will soon become more frequent and widespread, devastating areas of the world that typically don’t experience them and amplifying the destruction in areas that do. We have already seen devastating wildfires and an increase in hurricane activity this year in the United States. Uncovering shortcomings in technical and physical infrastructure, these events will cause significant disruption and damage to IT systems and assets. Data centers will be considerably impacted, with dependent organizations losing access to services and data, and Critical National Infrastructure (CNI) will be put at risk.

Extensive droughts will force governments to divert water traditionally used to cool data centers, resulting in unplanned outages. In coastal areas and river basins, catastrophic flooding, hurricanes, typhoons or monsoons will hit key infrastructure such as the electrical grid and telecommunication systems. Wildfires will lead to prolonged power outages, stretching continuity arrangements to breaking point. The impact of extreme weather events on local staff, who may be unwilling or unable to get to their workplace, will put operational capability in jeopardy. The magnitude of extreme weather events – and their prevalence in areas that have not previously been prone to them – will create havoc for organizations that have not prepared for their impact.

In addition to natural factors, environmental activists will establish a link between global warming and data center power consumption and will consider them to be valid targets for action. For data-centric organizations, the capabilities of data centers and core technical infrastructure will be pushed to the extreme, as business continuity and disaster recovery plans are put to the test like never before.

What are the Global Consequences of This Threat?

Extreme weather events have frightening consequences for people’s lives and have the potential to degrade or destroy critical infrastructure. From wildfires on the West Coast of the United States that wreck power lines, to extreme rainfall and flooding in South Asian communities that poison fresh water supplies and disrupt other critical services, the impacts of extreme weather are pronounced and deadly. They have severe ramifications for the availability of services and information – for example, in 2015 severe flooding in the UK city of Leeds caused a telecommunications data center to lose power, resulting in a large-scale outage.

According to the Intergovernmental Panel on Climate Change (IPCC), human-induced warming from fossil fuel usage, overbreeding of animals and deforestation will contribute to, and exacerbate, the damage caused by extreme weather events. The impact on human lives, infrastructure and organizations around the world will be destructive.

The probability and impact of extreme weather events are increasing and will soon spread to areas of the world that haven’t historically experienced them. Overall, up to 60% of locations across North America, Europe, East Asia and South America are expected to see a threefold increase in various extreme weather events over the coming years. Moreover, the US Federal Emergency Management Agency released new proposed flood maps along the west coast of Florida, showing that many companies that once assumed their data backup solutions were safe will find themselves struggling to deal with rising water levels. These increasingly volatile weather conditions will result in severe damage to infrastructure including telecommunication towers, pipelines, cables and data centers.

A study performed by the Uptime Institute found that 71% of organizations are not preparing for severe weather events and 45% are ignoring the risk of environmental disruption to their data centers, highlighting the need to take more action to ensure preparedness and resilience.

Data centers are some of the biggest users of energy in the world, using up to 416 terawatt hours of energy annually and accounting for 1–3% of the global electricity demand, doubling every four years. According to Greenpeace, only 20% of the energy used by data centers is from renewable resources. Criticism will soon turn to action, with environmental activists targeting organizations that use technical infrastructure that contributes towards harming the environment.

With the likelihood of extreme weather events increasing and becoming more damaging, organizations will be caught off guard, as their core infrastructure is crippled and CNI is taken offline. Combined with a greater scrutiny from environmental activists, data centers and core infrastructure will be put at risk.

How Should Your Business Prepare?

Extreme weather events, coupled with environmental activism, should prompt a fundamental re-examination of and re-investment in organizational resilience. It is critical that organizations risk assess their physical infrastructure and decide whether to relocate, harden it or transfer risk to cloud service providers.

In the short term, organizations should review risk exposure to extreme weather events, considering the location of data centers. Additionally, revise business continuity and disaster recovery plans and conduct a cyber security exercise with an extreme weather scenario.

In the long term, consider relocation of strategic assets that are at high risk and transfer risk to cloud or outsourced service providers. Finally, invest in infrastructure that is more durable in extreme weather conditions.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island
BSIMM11 Observes the Cutting Edge of Software Security Initiatives
Wed, 21 Oct 2020 05:35:48 -0500

If you want to improve the security of your software—and you should—then you need the Building Security In Maturity Model (BSIMM), an annual report on the evolution of software security initiatives (SSIs). The latest iteration, BSIMM11, is based on observations of 130 participating companies, primarily in nine industry verticals and spanning multiple geographies.

The BSIMM examines software security activities, or controls, on which organizations are actually spending time and money. This real-world view—actual practices as opposed to someone’s idea of best practices—is reflected in the descriptions written for each of the 121 activities included in the BSIMM11.

Since the BSIMM is completely data-driven, this report is different from any earlier ones. That’s because the world of software security evolves. The changes in BSIMM11 reflect that evolution. Among them:

New software security activities

BSIMM10 added new activities to reflect the reality that some organizations were working on ways to speed up security to match the speed with which the business delivers functionality to market.

To those, BSIMM11 adds activities for implementing event-driven security testing and publishing risk data for deployable artifacts. Those directly reflect the ongoing DevOps and DevSecOps evolution and its intersection with traditional software security groups.

Don’t just shift left: Shift everywhere

When the BSIMM’s authors began writing about the concept of shifting left around 2006, it was addressing a niche audience. But the term rapidly became a mantra for product vendors and at security conferences, dominating presentations and panel discussions. At the February 2020 RSA conference in San Francisco, you couldn’t get through any of the sessions in the DevSecOps Days track without hearing it multiple times.

And the point is an important one: Don’t wait until the end of the SDLC to start looking for security vulnerabilities.

But the concept was never meant to be taken literally, as in “shift (only) left.”

“What we really meant is more accurately described as shift everywhere—to conduct an activity as quickly as possible, with the highest fidelity, as soon as the artifacts on which that activity depends are made available,” said Sammy Migues, principal scientist at Synopsys and a co-author of the BSIMM since its beginning.

Engineering demands security at speed

Perhaps you could call it moving security to the grassroots. Because while in some organizations tracked in the BSIMM there is only a small, centralized software security group focused primarily on governance, in a growing number of cases engineering teams now perform many of the software security efforts, including CloudSec, ContainerSec, DeploymentSec, ConfigSec, SecTools, OpsSec, and so on.

That is yielding mixed results. Being agile, those teams can perform those activities quickly, which is good, but it can be too fast for management teams to assess the impact on organizational risk. Not so good. Few organizations so far have completely harmonized centralized governance software security efforts and engineering software security efforts into a cohesive, explainable, defensible risk management program.

Still, engineering groups are making it clear that feature velocity is a priority. Security testing tools that run in cadence and invisibly in their toolchains—even free and open source tools—likely have more value today than more thorough commercial tools that create, or appear to create, more friction than benefit. The message: We’d love to have security in our value streams—if you don’t slow us down.

The cloud: Division of responsibility

The advantages of moving to the cloud are well known. It’s cheaper, it makes collaboration of a dispersed workforce easier, and it increases mobility, which is practically mandatory during an extended pandemic.

But using the cloud effectively also means outsourcing to the cloud vendor at least parts of your security architecture, feature provisioning, and other software security practice areas that are traditionally done locally.

As the BSIMM notes, “cloud providers are 100% responsible for providing security software for organizations to use, but the organizations are 100% responsible for software security.”

Digital transformation: Everybody’s doing it

Digital transformation efforts are pervasive, and software security is a key element of it at every level of an organization.

At the executive (SSI) level, the organization must move its technology stacks, processes, and people toward an automate-first strategy.

At the SSG level, the team must reduce analog debt, replacing documents and spreadsheets with governance as code.

At the engineering level, teams must integrate intelligence into their tooling, toolchains, environments, software, and everywhere else.

Security: Getting easier—and more difficult

Foundational software security activities are simultaneously getting easier and harder. Software inventory used to be an Excel spreadsheet with application names. It then became a (mostly out-of-date) configuration management database.

Now organizations need inventories of applications, APIs, microservices, open source, containers, glue code, orchestration code, configurations, source code, binary code, running applications, etc. Automation helps but there are an enormous number of moving parts.

“Primarily, we see this implemented as a significant acceleration in process automation, in applying some manner of intelligence through sensors to prevent people from becoming process blockers, and in the start of a cultural acceptance that going faster means that not everything (all desired security testing) can be done in-band of the delivery lifecycle,” Migues said.

Your roadmap to a better software security initiative starts here

There is much more detail in BSIMM11, which reports in depth on the 121 activities grouped under 12 practices that are, in turn, grouped under four domains: governance, intelligence, secure software development life cycle (SSDL) touchpoints, and deployment.

In addition to helping an organization start an SSI, the BSIMM also gives them a way to evaluate the maturity of their SSI, from “emerging,” or just starting; to “maturing,” meaning up and running, including some executive support and expectations; to “optimizing,” which describes organizations that are fine-tuning their existing security capabilities to match their risk appetite and right-size their investment for the desired posture.

Wherever organizations are on that journey, the BSIMM provides a roadmap to help them reach their goals.

About the author: Taylor Armerding is an award-winning journalist who has been covering the field of information security for years.

Sustaining Video Collaboration Through End-to-End Encryption
Wed, 21 Oct 2020 05:27:02 -0500

The last several months have been the ultimate case study in workplace flexibility and adaptability. With the onset of the COVID-19 pandemic and widespread emergency activation plans through March and April, businesses large and small have all but abandoned their beautiful campuses and co-working environments. These communal, collaborative and in-person working experiences have been replaced by disparate remote environments that rely on a combination of video, chat and email to ease the transition and keep businesses productive.

The embrace of remote collaboration, and specifically video collaboration, has been swift and robust. In the first few months of the pandemic, downloads of video conferencing apps skyrocketed into the tens of millions, and traffic at many services surged anywhere from 10-fold to 100-fold. While uncertainty remains on what exactly a post-pandemic working experience will look like, it is without a doubt that video will remain a fundamental part of the collaboration tool kit.

While video has proven to be an effective bulwark against a disconnected workforce, the relative newness of the channel combined with its massive spike in popularity has revealed some fault lines. Most notably, several high-profile intrusions of ill-intended and disruptive individuals into private meetings. From a wider security perspective, this represents one of the most significant barriers to the long-term viability of video collaboration. Highly sensitive information and data are now shared over video – board meetings, product development brainstorms, sales reviews, negotiations – and the possibility that any of this information could be seen by the wrong eyes is a business-critical risk.

Yet, the vulnerabilities and threats presented by video conferencing are not insurmountable. In fact, there is a growing movement among CIOs and IT executives to further educate themselves on the nature of these platforms and identify the right solutions that fit the unique needs, opportunities and challenges of their businesses. As a result, there’s been a robust interest in encryption.

The most common forms of encryption protect data when it is most vulnerable: in transit between one system and another. However, in these common forms the encryption terminates at each intermediary, such as an internet or application service provider, so the communications are not encrypted while those intermediaries handle them. That leaves them susceptible to intrusion at varying points. If just one link in the chain is weak – or broken entirely – the entire video stream could be compromised.

Comprehensive and thorough protection of sensitive data requires a more robust solution – what’s known as end-to-end encryption. That means only the authorized participants in a video chat are able to access the video or audio streams. Consider it the structural equivalent of a digital storage locker. You may rent the space from the provider, but only the approved participants have the key.

It is important to note that secure video conferencing isn’t only important for large enterprises. Startups and small businesses are just as (if not more) vulnerable and benefit greatly from setting a high bar for security. Whether it’s protecting customers, meeting standards for business partnerships or even leaning into security as an additional value-add, higher levels of security can profoundly impact the growth of an organization.

As the future of work relies increasingly on digital workplace tools like video conferencing, security-first instincts and strong encryption are essential to prevent malicious actors from disrupting business continuity and productivity amid times of uncertainty. Video conferencing has enabled dispersed teams to achieve new opportunities and has a bright future ahead of it. By infusing end-to-end encryption into any video strategy, it ensures not only the sustainability of the channel, but the businesses that rely on it.

About the author: Michael Armer is Vice President and Chief Information Security Officer at 8x8

Will Robo-Helpers Help Themselves to Your Data?
Tue, 08 Sep 2020 03:20:44 -0500

Over the coming years, organizations will experience growing disruption as threats from the digital world have an impact on the physical. Invasive technologies will be adopted across both industrial and consumer markets, creating an increasingly turbulent and unpredictable security environment. The requirement for a flexible approach to security and resilience will be crucial as a hybrid threat environment emerges.

While robots may seem like the perfect helpers, by 2022, the Information Security Forum (ISF) anticipates that a range of robotic devices, developed to perform a growing number of both mundane and complex human tasks, will be deployed in organizations and homes around the world. Friendly-faced, innocently-branded, and loaded with a selection of cameras and sensors, these constantly connected devices will roam freely. Poorly secured robo-helpers will be weaponized by attackers, committing acts of corporate espionage and stealing intellectual property. Attackers will exploit robo-helpers to target the most vulnerable members of society, such as the elderly or sick at home, in care homes or hospitals, resulting in reputational damage for both manufacturers and corporate users.

Organizations will be caught unawares as compromised robo-helpers such as autonomous vacuum cleaners, remote telepresence devices and miniature delivery vehicles roam unattended and unmonitored. The potential for these invasive machines to steal intellectual property and corporate secrets through a range of onboard cameras and sensors will become a significant concern. Organizations developing and using care-bots, a type of robo-helper designed for healthcare, will face significant financial and reputational damage when vulnerable individuals suffer emotional, physical, psychological and financial harm when care-bots are compromised.

This proliferation of robo-helpers into the home, offices, factories and hospitals will provide attackers with a range of opportunities to make financial gains and cause operational damage. Nation states and competitors will target robo-helpers that have access to sensitive areas in order to steal critical information. Organized criminal groups and hackers will also use manipulative techniques to frighten and coerce individuals into sending money or giving up sensitive information.

Imagine this scenario: the building maintenance division of a large pharmaceutical organization decides to replace its staff at the research and development (R&D) site with a range of outsourced, automated robots. These robo-helpers carry out building maintenance and sanitation operations in place of their human counterparts. Each unit is fitted with cameras and sensors and requires network connectivity in order to operate. Shortly after their deployment, details of an early phase experimental drug trial are leaked to the media.

Are you sure that your robo-helpers are secure?

What is the Justification for This Threat?

The extent to which robo-helpers are adopted and used, especially in homes and office spaces, currently differs significantly depending on geography and culture. Japan, China and South Korea, amongst other Asian nations, are typically more accepting of robots, whereas Western nations are currently less so. Robo-helpers are seen in a particularly positive light in Japan, with the International Federation of Robotics attributing the cultural influence of the Japanese religion of Shinto – where both people and objects are believed to possess a spirit – as a key enabler for the high rate of robotics adoption in Japan. China, the US and Japan are currently the biggest exporters of robots in the world, with overall growth expected to increase worldwide.

There is a growing acceptance of robots in the home and workplace, which may indicate that organizations are ready to accelerate the rate of robo-helper adoption. In offices and homes, a growing number of semi-autonomous robo-helpers are due to hit global consumer markets as early as 2020, all built with a range of networked cameras and sensors. As with poorly secured IoT devices that are constantly connected to an organization’s network, a security flaw or vulnerability in a robo-helper will further broaden attack surfaces, presenting yet another access point for attackers to exploit.

Robotics have been used in manufacturing for decades, but as they become more popular these robo-helpers will perform a greater range of tasks, giving them access to a wealth of sensitive data and locations. In the education sector robots will soon be used in schools, with developers in Silicon Valley creating robo-helpers for teachers that can scan students’ facial expressions and provide one-to-one support for logical subjects such as languages and mathematics. In healthcare there have also been breakthroughs – in November 2019 the world’s first brain aneurysm surgery using a robo-helper was completed, demonstrating that robot-assisted procedures enhance flexibility, control and precision.

As these robots gain greater autonomy and perform a greater number of surgeries over time, the need to secure them will become ever more urgent. In logistics, delivery-bots have seen significant investment and improvement, now using onboard cameras and sensors to navigate difficult terrain and unfamiliar environments.

Robo-helpers will make their way into the lives of more vulnerable individuals in care homes, schools and community centers and people will increasingly feel comfortable sharing sensitive information about their lives with them. Attackers will realize this, aiming to exploit these non-tech-savvy members of society into transferring funds or giving up sensitive information. Organizations developing these products or using them in their business will face serious reputational damage, as well as legal and financial repercussions when their customers become victims.

With the proliferation of robo-helpers across a growing number of countries and into a greater number of industries and homes, the opportunities for attackers to compromise individuals and organizations that use them will be alarming.

How Should Your Organization Prepare?

Organizations using robo-helpers in their business, or providing them to others, should ensure that devices are properly protected against attacks and cannot be used to compromise the privacy and rights of customers.

In the short term, organizations should restrict robo-helper access to sensitive locations. We recommend that they segregate access and monitor traffic between robo-helpers and the corporate network and ensure that robo-helpers using cameras and sensors comply with data protection regulations. Finally, dispose of robo-helpers securely.

In the long term, gain assurance over robo-helpers used in the organization and limit the capabilities of robo-helpers to ensure that ethical norms are not breached. Monitor specific robo-helpers for signs of fraudulent or dangerous activities and provide training and awareness around appropriate use and behaviors.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Securing the Hybrid Workforce Begins with Three Crucial Steps
Wed, 02 Sep 2020 03:30:22 -0500

The global shift to a remote workforce has redefined the way organizations structure their business models. As executives reestablish work policies to accommodate remote employees well beyond the initially anticipated duration, a new era of work will emerge: the hybrid workforce, one more largely split between office and remote environments. While this transition brings a wave of opportunity for organizations and employees, it also opens new doors for bad actors to capitalize on strained IT departments who have taken on additional responsibility to ensure sensitive data remains secure, whether on or off the corporate network.

While threats to company data range in attack method, ransomware continues to be the most prominent risk known to organizations worldwide, with a 41% increase in 2019 alone. It’s important that companies focus on acknowledging this threat and deploying strategies to prepare, defend and repair incidents, before adapting to a hybrid workforce model. This process will prevent organizations from falling victim to attacks where data loss or ransom payment are the only unfortunate options. To win the war on ransomware, organizations should incorporate a plan for IT organizations that ensures they have the resilience needed to overcome any attack. Let’s explore three crucial steps for ransomware resilience in more detail.

Focus on education first, avoid reactive approaches to threats later

Education – beginning after threat actors are identified – should be the first step taken on the path towards resilience. To avoid being caught in a reactive position should a ransomware incident arise, it’s important to understand the three main mechanisms for entry: internet-connected RDP or other remote access, phishing attacks and software vulnerabilities. Once organizations know where the threats lie, they can tactfully approach training with strategies to refine IT and user security, putting additional preparation tactics in place. Identifying the top three mechanisms can help IT administration isolate RDP servers and backup components, integrate tools to assess the threat of phishing attacks so that staff can spot and respond to them correctly, and inform users on recurrent updates to critical categories of IT assets, such as operating systems, applications, databases and device firmware.

Additionally, preparing how to use the ransomware tools in place will help IT organizations familiarize themselves with different restore scenarios. Whether it be a secure restore process that will abort when malware is detected or software that can detect ransomware ahead of restoring a system, the ability to perform different restore scenarios will become invaluable to organizations. When an attack does happen, they will recognize, understand and have confidence in the process of working towards recovery. By taking the education aspect of these steps seriously, organizations can decrease the ransomware risks, costs and pressure of dealing with a ransomware incident unprepared.

Implement backup solutions that maintain business continuity

An important part of ransomware resiliency is the implementation of backup infrastructure to create and maintain strong business continuity. Organizations need to have a reliable system in place that protects their servers and keeps them from ever having to pay to get their data back. Consider keeping the backup server isolated from the internet and limit shared accounts that grant access to all users. Instead, assign specific tasks within the server that are relevant for users and require two-factor authentication for remote desktop access. Additionally, backups with an air-gapped, offline or immutable copy of data paired with the 3-2-1 rule will provide one of the most critical defenses against ransomware, insider threats and accidental deletion.

Furthermore, detecting a ransomware threat as early as possible gives IT organizations a significant advantage. This requires tools in place to flag possible threat activity. For endpoint devices located remotely, backup repositories that are set up to identify risks will give IT further insight into an enormous surface area to analyze for potential threat introduction. If these measures do not stop an attack outright, another viable option is encrypting backups wherever possible for an additional layer of protection – threat actors charging ransom to prevent leaking data do not want to have to decrypt it. When it comes to a ransomware incident, there isn’t one single way to recover, but there are many options aside from these that organizations can take. The important thing to remember is that resiliency will be predicated on how backup solutions are implemented, the behavior of the threat and the course of remediation. Take time to research the options available and ensure that solutions are implemented to protect your company.

Prepare to remediate an incident in advance

Even when there are steps in place that leverage education and implementation techniques to combat ransomware before an attack hits, organizations should still be prepared to remediate a threat if introduced. Layers of defense against attacks are invaluable, but organizations need to also map out specifically what to do when a threat is discovered. Should a ransomware incident happen, organizations need to have support in place to guide the restore process so that backups aren’t put at risk. Communication is key, having a list of security, incident response, and identity management contacts in place if needed – inside the organization or externally – will help ease the process towards remediation.

Next, have a pre-approved chain of decision makers in place. When it comes time to make decisions, like whether to restore or to fail over company data in an event of an attack, organizations should know who to turn to for decision authority. If conditions are ready to restore, IT should be familiar with recovery options based on the ransomware situation. Implement additional checks for safety before putting systems on the network again – like an antivirus scan before restoration completes – and ensure the right process is underway. Once the process is complete, implement a sweeping forced change of passwords to reduce the threat resurfacing.

The threat that ransomware poses to organizations both large and small is real. While no one can predict when or how an attack will happen, IT organizations that have a strong, multi-layered defense and strategy in place have a greater chance for recovery. With the right preparation, the steps outlined here can increase any organization’s resiliency – whether in office, remote or a combination of the two – against a ransomware incident and avoid data loss, financial loss, business reputation damage or more.

About the author: Rick Vanover is senior director of product strategy for Veeam.

A New Strategy for DDoS Protection: Log Analysis on Steroids
Wed, 26 Aug 2020 01:49:34 -0500

Anyone whose business depends on online traffic knows how critical it is to protect your business against Distributed Denial of Service (DDoS) attacks. And with cyber attackers more persistent than ever – Q1 2020 DDoS attacks surged by 80% year over year and their average duration rose by 25%—you also know how challenging this can be.

Now imagine you’re responsible for blocking, mitigating, and neutralizing DDoS attacks where the attack surface is tens of thousands of websites. That’s exactly what HubSpot, a top marketing and sales SaaS provider, was up against. How they overcame the challenges they faced makes for an interesting case study in DDoS response and mitigation.

Drinking from a Firehose

HubSpot’s CMS Hub powers thousands of websites across the globe. Like many organizations, HubSpot uses a Content Delivery Network (CDN) solution to help bolster security and performance.

CDNs, which are typically associated with improving web performance, are built to make content available at edges of the network, providing both performance and data about access patterns across the network. To handle the CDN log data spikes inherent with DDoS attacks, organizations often guesstimate how much compute they may need and maintain that higher level of resource (and expenditure) for their logging solution. Or if budgets don’t allow, they dial back the amount of log data they retain and analyze.

In HubSpot’s case, they use Cloudflare CDN as the first layer of protection for all incoming traffic on the websites they host. This equates to about 136,000 requests/second, or roughly 10TB/day, of Cloudflare log data that HubSpot has at its disposal to help triage and neutralize DDoS attacks. Talk about drinking from a firehose!

HubSpot makes use of Cloudflare’s Logpush service to push Cloudflare logs that contain headers and cache statuses for each request directly to HubSpot’s Amazon S3 cloud object storage. In order to process that data and make it searchable, HubSpot’s dedicated security team deployed and managed their own open-source ELK Stack consisting of Elasticsearch (a search database), Logstash (a log ingestion and processing pipeline), and Kibana (a visualization tool for log search analytics). They also used open source Kafka to queue logs into the self-managed ELK cluster.

To prepare the Cloudflare logs for ingestion into the ELK cluster, HubSpot had created a pipeline that would download the Cloudflare logs from S3 into a Kafka pipeline, apply some transformations on the data, insert into a second Kafka queue whereby Logstash would then process the data, and output it into the Elasticsearch cluster. The security team would then use Kibana to interact with the Cloudflare log data to triage DDoS attacks as they occur.
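The pipeline above ends with analysts triaging the Cloudflare records in Kibana. The following is an added example, not HubSpot’s or Cloudflare’s code, of the kind of first-pass triage that runs over those records: bucket requests per host per second, flag hosts whose peak rate exceeds a multiple of their normal baseline, and list the top client IPs and their cache-miss share (requests that bypass the CDN cache are the ones that reach origin). It assumes the Logpush HTTP-requests dataset as newline-delimited JSON with the field names used below and nanosecond `EdgeStartTimestamp` values; the sample records, hosts and IPs are constructed.

```python
"""Triage Cloudflare Logpush request logs for DDoS-style spikes.

Added illustration, not HubSpot's or Cloudflare's code. Assumes the
Logpush HTTP-requests dataset as newline-delimited JSON with the fields
ClientIP, ClientRequestHost, ClientRequestURI, EdgeStartTimestamp (ns),
EdgeResponseStatus and CacheCacheStatus. Sample data is constructed.
"""
import json
from collections import Counter, defaultdict

WINDOW_NS = 1_000_000_000  # one-second buckets
CACHED = ("hit", "stale", "revalidated")  # statuses served from the edge


def parse_logpush(ndjson: str):
    """Yield one dict per non-empty line; skip malformed lines instead of aborting."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def requests_per_second(records):
    """Map host -> Counter{second_bucket: request count}."""
    buckets = defaultdict(Counter)
    for r in records:
        sec = int(r["EdgeStartTimestamp"]) // WINDOW_NS
        buckets[r["ClientRequestHost"]][sec] += 1
    return buckets


def find_spikes(buckets, baseline_rps, factor=5):
    """Return {host: peak_rps} for hosts whose peak exceeds factor * baseline."""
    spikes = {}
    for host, per_sec in buckets.items():
        peak = max(per_sec.values())
        if peak > factor * baseline_rps:
            spikes[host] = peak
    return spikes


def top_sources(records, host, n=3):
    """Top client IPs for a host as (ip, requests, cache_misses)."""
    hits, misses = Counter(), Counter()
    for r in records:
        if r["ClientRequestHost"] != host:
            continue
        hits[r["ClientIP"]] += 1
        if r.get("CacheCacheStatus") not in CACHED:
            misses[r["ClientIP"]] += 1
    return [(ip, c, misses[ip]) for ip, c in hits.most_common(n)]


def build_sample_logs() -> str:
    """Constructed sample: a quiet host plus a host receiving a burst from one IP."""
    base = 1_598_400_000 * WINDOW_NS  # aligned to a second boundary
    recs = []
    for i in range(3):
        recs.append({"ClientIP": f"198.51.100.{i + 1}", "ClientRequestHost": "quiet.example",
                     "ClientRequestURI": "/", "EdgeStartTimestamp": base + i * 200_000_000,
                     "EdgeResponseStatus": 200, "CacheCacheStatus": "hit"})
    for i in range(40):  # 40 uncached requests within 0.8 s from one source
        recs.append({"ClientIP": "203.0.113.7", "ClientRequestHost": "shop.example",
                     "ClientRequestURI": f"/search?q={i}", "EdgeStartTimestamp": base + i * 20_000_000,
                     "EdgeResponseStatus": 503, "CacheCacheStatus": "dynamic"})
    recs.append({"ClientIP": "198.51.100.9", "ClientRequestHost": "shop.example",
                 "ClientRequestURI": "/", "EdgeStartTimestamp": base + 10_000_000,
                 "EdgeResponseStatus": 200, "CacheCacheStatus": "hit"})
    return "\n".join(json.dumps(r) for r in recs) + "\n"


if __name__ == "__main__":
    records = list(parse_logpush(build_sample_logs()))
    for host, peak in find_spikes(requests_per_second(records), baseline_rps=2).items():
        print(host, "peak rps", peak, "top sources", top_sources(records, host))
```

In production the baseline would come from the host’s own history rather than a constant, and the per-IP view is only a starting point: a distributed attack spreads across many sources, so the same per-second bucketing by URI path or by user agent is usually the next pivot.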

Managing an Elasticsearch cluster dedicated to this Cloudflare/DDoS mitigation use case presented a number of continuing challenges. It required constant maintenance by members of the HubSpot Elasticsearch team. The growth in log data from HubSpot’s rapid customer base expansion was compounded by the fact that DDoS attacks themselves inherently generate a massive spike in log data while they are occurring. Unfortunately, these spikes often triggered instability in the Elastic cluster when they were needed most, during the firefighting and mitigation process. 

Cost was also a concern. Although Elasticsearch, Logstash, and Kibana open source applications can be acquired at no cost, the sheer volume of existing and incoming log data from Cloudflare required HubSpot to manage a very large and increasingly expensive ELK cluster. Infrastructure costs for storage, compute, and networking to support the growing cluster grew faster than the data. And certainly, the human capital in time spent monitoring, maintaining, and keeping the cluster stable and secure was significant. The team constantly had discussions about whether to add more compute to the cluster or reduce data retention time. To accommodate their Cloudflare volume, which was exceeding 10TB/day and growing, HubSpot was forced to limit retention to just five days. 

The Data Lake Way

Like many companies whose business solely or significantly relies on online commerce, HubSpot wanted a simple, scalable, and cost-effective way to handle the continued growth of their security log data volume.

They were wary of solutions that might ultimately force them to reduce data retention to a point where the data wasn’t useful. They also needed to be able to keep up with huge data throughput at a low latency so that when it hit Amazon S3, HubSpot could quickly and efficiently firefight DDoS attacks.

HubSpot decided to rethink its approach to security log analysis and management. They embraced a new approach that consisted primarily of these elements:

- Using a fully managed log analysis service so internal teams wouldn’t have to manage the scaling of ingestion or query side components and could eliminate compute resources

- Leveraging the Kibana UI that the security team is already proficient with

- Turning their S3 cloud object storage into a searchable analytic data lake so Cloudflare CDN and other security-related log data could be easily cleaned, prepared, and analyzed in place, without data movement or schema management

By doing this, HubSpot can effectively tackle DDoS challenges. They significantly cut their costs and can easily handle the 10TB+/day flow of Cloudflare log data, without impacting performance.

HubSpot no longer has to sacrifice data retention time. They can retain Cloudflare log data for much longer than 5 days, without worrying about costs, and can dynamically scale resources so there is no need to invest in compute that’s not warranted. This is critical for long-tail DDoS protection planning and execution, and enables HubSpot to easily meet SLAs for DDoS attack response time.

Data lake-based approaches also enable IT organizations to unify all their security data sources in one place for better and more efficient overall protection. Products that empower data lake thinking allow new workloads to be added on the fly with no provisioning or configuration required, helping organizations gain even greater value from log data for security use cases. For instance, in addition to storing and analyzing externally generated log data within their S3 cloud object storage, HubSpot will be storing and monitoring internal security log data to enhance insider threat detection and prevention.

Incorporating a data lake philosophy into your security strategy is like putting log analysis on steroids. You can store and process exponentially more data volume and types, protect better, and spend much less.

About the author: Dave Armlin is VP of Customer Success and Solutions Architecture at ChaosSearch. Dave has spent his 25+ year career building, deploying, and evangelizing secure enterprise and cloud-based architectures.

COVID-19 Aside, Data Protection Regulations March Ahead: What To Consider
Wed, 26 Aug 2020 00:53:31 -0500

COVID-19 may be complicating organizations’ cybersecurity efforts as they shift more of their operations online, but that doesn’t lessen the pressure to comply with government regulations that are placing increased scrutiny on data privacy.

Despite the pandemic, companies are obligated to comply with many laws governing data security and privacy, including the two most familiar to consumers -- the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). With CCPA enforcement set to begin July 1, organizations’ regulatory responsibilities just got tougher.

The CCPA is similar to GDPR in that it is designed to improve privacy rights and consumer protection, giving Californians the right to know when their personal data is being collected, whether their personal data is being disclosed or sold, and to whom. It allows them to access their personal data, say no to its sale, and request that a business delete it.

The law applies to any business with gross revenues over $25 million and that has personal information on 50,000 or more California citizens, whether the company is based in California or not. Violations can result in stiff fines.

Like GDPR before it, CCPA makes data security and regulatory compliance more of a challenge and requires businesses to create a number of new processes to fully understand what data they have stored in their networks, who has access to it, and how to protect it.

The challenge is especially rigorous for large organizations that collect and store high volumes of data, which is often spread across multiple databases and environments. And CCPA’s enforcement date comes as companies have already been scrambling to deal with COVID-19’s impact – enabling remote workforces while guarding against hackers trying to exploit fresh openings to infiltrate networks.

Here are four things that every business should consider in maintaining a rigid security posture to protect its most important asset – its data – and meet rising regulatory requirements:

1.    Protect headcount.

We may be in an economic downturn, but now is not the time to lay off anyone with data security and privacy responsibility. Oftentimes when a company is forced to fire people, the pain is spread equally across the organization – say 10 percent for each department. Because the CISO organization (as well as the rest of IT) is usually considered “general and administrative” overhead, the target on its back can be just as large.

In the current environment, security staff certainly needs to be exempt from cuts. Most security teams have little to no overlap – there is a networking expert, an endpoint specialist, someone responsible for cloud, etc. And one person who focuses on data and application security, if you’re lucky enough to have this as a dedicated resource.

The data and application security role has never been more vital, both to safeguard the organization as more data and applications move online and to handle data security regulatory compliance, an onus companies continue to carry despite the pandemic. This person should be considered untouchable in any resource action.

2.    Don’t drop the ball on breach notification.

It is unclear to what extent officials are aggressively conducting audits to vigorously enforce these laws during the pandemic. However, I would advise companies to assume that stringent enforcement remains the norm.

This is another reason that fostering strong security is all the more crucial now. For example, companies are still required to notify the relevant governing body if they suffer a breach. This initiates a process involving their IT, security, and legal teams, and any other relevant departments. Who wants that distraction at any time, and especially during a global crisis?

Beyond regulatory factors, companies simply owe it to their customers to handle their data responsibly. This was of course true before COVID-19 and CCPA enforcement, but its importance has intensified. A Yahoo-style scandal now could cause reputational damage that the company never recovers from.

3.    Ask the critical questions that regulations raise.

Where is personal data stored? Companies must scan their networks and servers to find any unknown databases, identify sensitive data using dictionary and pattern-matching methods, and pore through database content for sensitive information such as credit card numbers, email addresses, and system credentials.

Which data has been added or updated within the last 12 months? You need to monitor all user database access -- on-premises or in the cloud -- and retain all the audit logs so you can identify the user by role or account type, understand whether the data accessed was sensitive, and detect non-compliant access behaviors.

Is there any unauthorized data access or exfiltration? Using machine learning and other automation technologies, you need to automatically surface unusual data activity, uncovering threats before they become breaches.

Are we pseudonymizing data? Data masking techniques safeguard sensitive data from exposure in non-production or DevOps environments by substituting fictional data for sensitive data, reducing the risk of sensitive data exposure.
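The first and last of these questions, pattern-matching discovery of sensitive values and pseudonymizing them for non-production copies, are shown together in the following added example, which is not Imperva’s product code. It finds e-mail addresses, payment card numbers (validated with the Luhn checksum, so an arbitrary 16-digit number is not reported) and `key=value` credentials, then masks card numbers and credentials and replaces each e-mail local part with a keyed pseudonym so the same person maps to the same token across tables. The sample text is constructed, and `PSEUDONYM_KEY` is a placeholder for a key that would be held in a secrets store.

```python
"""Discover and pseudonymize sensitive values in database exports or logs.

Added example, not Imperva's product code. Pattern matching finds e-mail
addresses, Luhn-valid payment card numbers and key=value credentials;
pseudonymize() masks them for non-production use. Sample text is
constructed; PSEUDONYM_KEY is a placeholder (assumption).
"""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\s*[=:]\s*(\S+)")

PSEUDONYM_KEY = b"replace-with-key-from-secrets-store"  # placeholder, assumption


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, value) pairs; card candidates must pass the Luhn check."""
    found = []
    for m in CRED_RE.finditer(text):
        found.append(("credential", m.group(0)))
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group(0)):
            found.append(("pan", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        found.append(("email", m.group(0)))
    return found


def pseudonymize(text: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Redact credentials, keep only the last four card digits, and replace
    e-mail local parts with a keyed, deterministic pseudonym."""
    text = CRED_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

    def mask_pan(m):
        raw = m.group(0)
        if not luhn_ok(raw):
            return raw  # not a card number; leave phone/order numbers alone
        digits = "".join(c for c in raw if c.isdigit())
        return "*" * (len(digits) - 4) + digits[-4:]

    text = PAN_RE.sub(mask_pan, text)

    def pseudo_email(m):
        local, domain = m.group(0).rsplit("@", 1)
        tag = hmac.new(key, local.lower().encode(), hashlib.sha256).hexdigest()[:12]
        return f"user-{tag}@{domain}"

    return EMAIL_RE.sub(pseudo_email, text)


SAMPLE = (  # constructed export rows
    "id=1 email=Alice.Smith@example.com card=4111 1111 1111 1111 note=phone 1234 5678 9012 3456\n"
    "id=2 email=bob@example.org password=hunter2 order=20200826\n"
)

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(kind, value)
    print(pseudonymize(SAMPLE))
```

The keyed HMAC is what makes this pseudonymization rather than plain hashing: without the key, an attacker holding the masked copy could recompute tokens for guessed addresses, and anyone with the key can still join records across tables without ever seeing the original address.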

4.    Assume more regulation will come.

As digital transformation makes more and more data available everywhere, security and privacy concerns keep growing. One can assume that GDPR and CCPA may just be the tip of the regulatory iceberg. Similar initiatives in Wisconsin, Nevada, and other states show that it behooves organizations to get their data protection houses very much in order. Compliance will need to be a top priority for organizations for many years into the future.

About the author: Terry Ray has global responsibility for Imperva's technology strategy. He was the first U.S.-based Imperva employee and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for regulatory governance, set data security strategy and implement best practices.

SecurityWeek Extends ICS Cyber Security Conference Call for Presentations to August 31, 2020
Wed, 12 Aug 2020 12:08:01 -0500

The official Call for Presentations (speakers) for SecurityWeek’s 2020 Industrial Control Systems (ICS) Cyber Security Conference, being held October 19 – 22, 2020 in SecurityWeek’s Virtual Conference Center, has been extended to August 31st.

As the premier ICS/SCADA cyber security conference, the event was originally scheduled to take place at the InterContinental Atlanta, but will now take place in a virtual environment due to COVID-19.

“Due to the impact of COVID-19 and transition to a fully virtual event, we have extended the deadline for submissions to allow more time for speakers to put together their ideas under the new format,” said Mike Lennon, Managing Director at SecurityWeek. “Given SecurityWeek’s global reach and scale, we expect this to be the largest security-focused gathering of its kind serving the industrial and critical infrastructure sectors.” 

The 2020 Conference is expected to attract thousands of attendees from around the world, including large critical infrastructure and industrial organizations, military and state and Federal Government.

SecurityWeek has developed a fully immersive virtual conference center on a cutting-edge platform that provides attendees with the opportunity to network and interact from anywhere in the world.

As the original ICS/SCADA cyber security conference, the event is the longest-running cyber security-focused event series for the industrial control systems sector. 

With an 18-year history, the conference has proven to bring value to attendees through the robust exchange of technical information, actual incidents, insights, and best practices to help protect critical infrastructures from cyber-attacks.

Produced by SecurityWeek, the conference addresses ICS/SCADA topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

Through the Call for Speakers, a conference committee will accept speaker submissions for possible inclusion in the program at the 2020 ICS Cyber Security Conference.

The conference committee encourages proposals for main track presentations, panel discussions, and “In Focus” sessions. Most sessions will be between 30 and 45 minutes in length, including time for Q&A.

Submissions will be reviewed on an ongoing basis, so early submission is highly encouraged. Submissions must include a proposed presentation title; an informative session abstract, including learning objectives for attendees if relevant; and contact information and a bio for the proposed speaker.

All speakers must adhere to the 100% vendor neutral / no commercial policy of the conference. If speakers cannot respect this policy, they should not submit a proposal.

To be considered, interested speakers should submit proposals by email to events(at) with the subject line “ICS2020 CFP” by August 31, 2020.

Plan on Attending the 2020 ICS Cyber Security Conference? Online registration is open, with discounts available for early registration.

SecurityWeek to Host Cloud Security Summit Virtual Event on August 13, 2020
Wed, 12 Aug 2020 07:18:27 -0500

Enterprise Security Professionals to Discuss Latest Cloud Security Trends and Strategies Via Fully Immersive Virtual Event Experience

SecurityWeek will host its 2020 Cloud Security Summit virtual event on Thursday, August 13, 2020.

Through a fully immersive virtual environment, attendees will be able to interact with leading solution providers and other end users tasked with securing various cloud environments and services.

“As enterprises adopt cloud-based services to leverage benefits such as scalability, increased efficiency, and cost savings, security has remained a top concern,” said Mike Lennon, Managing Director at SecurityWeek. “SecurityWeek’s Cloud Security Summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments.”

The Cloud Security Summit kicks off at 11:00AM ET on Thursday, August 13, 2020 and features sessions, including:

  • Augmenting Native Cloud Security Services to Achieve Enterprise-grade Security
  • Measuring and Mitigating the Risk of Lateral Movement
  • Weathering the Storm: Cyber AI for Cloud and SaaS
  • Securing Cloud Requires Network Policy and Segmentation
  • Managing Digital Trust in the Era of Cloud Megabreaches
  • The Rise of Secure Access Service Edge (SASE)
  • Fireside Chat with Gunter Ollmann, CSO of Microsoft’s Cloud and AI Security Division

Sponsors of the 2020 Cloud Security Summit include: DivvyCloud by Rapid7, Tufin, Darktrace, SecurityScorecard, Bitglass, Orca Security, Auth0 and Datadog.

Register for the Cloud Security Summit at:

Avoiding Fuelling the Cyber-Crime Economy
Tue, 11 Aug 2020 09:22:00 -0500

We all know that the prices of key commodities such as oil, gold, steel and wheat don’t just impact individual business sectors as they fluctuate according to supply and demand: they also power international trading markets and underpin the global economy. And it’s exactly the same with cyber-crime.

The prices of key commodities in the cyber-crime economy – such as stolen credentials, hacked accounts, or payment card details – not only reflect changes in supply and usage, but also influence the types of attack that criminals will favor.  After all, criminals are just as keen to maximise return on their investments and create ‘value’ as any legitimate business.

A recent report gave the current average prices during 2020 for some of these cyber-crime commodities on the Dark Web. Stolen credit-card details start at $12 each, and online banking details at $35. ‘Fullz’ (full identity) prices are typically $18, which is cheaper than just two years ago due to an oversupply of personally identifiable information following several high-profile breaches. A very basic malware-as-a-service attack against European or U.S. targets starts at $300, and a targeted DDoS attack starts at $10 per hour.

Extortion evolves

These prices help to explain one of the key shifts in cyber crime over the past two years:  the move away from ransomware to DDoS attacks for extortion. Ransomware has been around for decades, but on a relatively small scale, because most types of ransomware were unable to spread without users’ intervention. This meant attacks were limited in their scope to scrambling data on a few PCs or servers, unless the attacker got lucky.

But in 2017, the leak of the ‘EternalBlue’ exploit changed the game. Ransomware designed to take advantage of it – 2017’s WannaCry and NotPetya – could spread automatically to any vulnerable computer in an organization. All that was needed was a single user to open the malicious attachment, and the organization’s network could be paralyzed in minutes – making it much easier for criminals to monetize their attacks.

While this drove an 18-month bubble of ransomware attacks, it also forced organizations to patch against EternalBlue and deploy additional security measures, meaning attacks became less effective. Sophisticated malware like WannaCry and NotPetya cost time and money to develop, and major new exploits like EternalBlue are not common. As such, use of ransomware has declined, returning to its roots as a targeted attack tool.

DDoS deeds, done dirt cheap

DDoS attacks have replaced ransomware as the weapon of choice for extortion attempts. As mentioned earlier, a damaging attack is cheap to launch, using one of the many available DDoS-for-hire services at just $10 per hour or $60 for 24 hours (like any other business looking to attract customers, these services offer discounts to customers on bigger orders).

Why are DDoS attacks so cheap? One of the key reasons is that DDoS-for-hire service operators are increasingly using the scale and flexibility of public cloud services, just as legitimate organizations do. Link11’s research shows the proportion of attacks using public clouds grew from 31% in H2 2018 to 51% in H2 2019. It’s easy to set up public cloud accounts using an $18 fake ID and a $12 stolen credit card, and simply hire out instances as needed to whoever wants to launch a malicious attack. When that credit card stops working, buy another.

Operating or renting these services is also very low-risk: the World Economic Forum's ‘Global Risks Report 2020’ states that in the US, the likelihood of a cybercrime actor being caught and prosecuted is as low as 0.05%. Yet the impact on the businesses targeted by attacks can be huge: over $600,000 on average, according to Ponemon Institute’s Cost of Cyber Crime Study.

Further, the Covid-19 pandemic has made organizations more vulnerable than ever to the loss of online services, with the mass shift to home working and consumption of remote services – making DDoS attacks even more attractive as an extortion tool, as they cost so little but have a strong ROI. This means any organization could find itself in attackers’ cross-hairs: from banks and financial institutions to internet infrastructure, retailers and online gaming sites, as well as public sector organizations and local governments. If services are taken offline, or slowed to a crawl for just a few hours, employees’ normal work will be disrupted, customers won’t be able to transact, and revenues and reputation will take a hit.

Make sure crime doesn’t pay

To avoid falling victim to the new wave of DDoS extortion attacks, and fuelling the cyber-crime economy through ransom payments, organizations need to defend their complex, decentralized and hybrid environments with cloud-based protection. This should route all traffic to the organization’s networks via an external cloud service that identifies and filters out malicious traffic instantly, using AI techniques, before an attack can impact critical services – helping to ensure that those services are not disrupted. Online crime may continue to be profitable for threat actors – but with the right defences, individual organizations can ensure that they’re not contributing.

Expect Behavioral Analytics to Trigger a Consumer Backlash
Mon, 10 Aug 2020 11:16:00 -0500

In the coming years, organizations’ insatiable desire to understand consumers through behavioral analytics will result in an invasive deployment of cameras, sensors and applications in public and private places. A consumer and regulatory backlash against this intrusive practice will follow as individuals begin to understand the consequences.

Highly connected ecosystems of digital devices will enable organizations to harvest, repurpose and sell sensitive behavioral data about consumers without their consent, with attackers targeting and compromising poorly secured systems and databases at will.

Impacts will be felt across industries such as retail, gaming, marketing and insurance that are already dependent on behavioral analytics to sell products and services. There are also a growing number of sectors that will see an increased dependency on behavioral analytics, including finance, healthcare and education.

Organized criminal groups, hackers and competitors will begin stealing and compromising these treasure troves of sensitive data. Organizations whose business model is dependent on behavioral analytics will be forced to backtrack on costly investments as their practices are deemed to be based on mass surveillance and seen as a growing privacy concern by regulators and consumers alike.

What is the Justification for This Threat?

Data gathered from sensors and cameras in the physical world will supplement data already captured by digital platforms to build consumer profiles of unprecedented detail. The gathering and monetization of data from social media has already faced widespread condemnation, with regulators determining that some organizations’ practices are unethical.

For example, Facebook’s role in using behavioral data to affect political advertising for the European Referendum resulted in the UK's Information Commissioner’s Office fining the organization the maximum penalty of £500,000 in late 2019 – citing a lack of protection of personal information and privacy and failing to preserve a strong democracy.

Many organizations and governments will become increasingly dependent on behavioral analytics to underpin business models, as well as for monitoring the workforce and citizens. The development of ‘smart cities’ will only serve to amplify the production and gathering of behavioral data, with people interacting with digital ecosystems and technologies throughout the day in both private and public spaces. Data will be harvested, repurposed and sold to third parties, while the analysis will provide insights about individuals that they didn’t even know themselves.

An increasing number of individuals and consumer-rights groups are realizing how invasive behavioral analytics can be. An example of an associated backlash involved New York’s Hudson Yard in 2019, where the management required visitors to sign away the rights to their own photos taken of a specific building. However, this obligation was hidden within the small print of the contract signed by visitors upon entry. These visitors boycotted the building and sent thousands of complaints, resulting in the organization backtracking and rewriting the contracts.

Another substantial backlash surrounding invasive data collection occurred in London when Argent, a biometrics vendor, used facial recognition software to track individuals across a 67-acre site surrounding King's Cross Station without consent.

Attackers will also see this swathe of highly personal data as a key target. For example, data relating to individuals’ personal habits, medical and insurance details, will present an enticing prospect. Organizations that do not secure this information will face further scrutiny and potential fines from regulators.

How Should Your Organization Prepare?

Organizations that have invested in a range of sensors, cameras and applications for data gathering and behavioral analysis should ensure that current technical infrastructure is secure by design and is compliant with regulatory requirements.

In the short term, organizations should build and incorporate data gathering principles into a corporate policy. Additionally, they need to create transparency over data gathering practices and use and fully understand the legal and contractual exposure on harvesting, repurposing and selling data.

In the long term, implement privacy by design across the organization and identify the use of data in supply chain relationships. Finally, ensure that algorithms used in behavioral analytical systems are not skewed or biased towards particular demographics.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Holding public cloud security to account
Mon, 10 Aug 2020 10:15:57 -0500

At one of the last cyber-security events I attended before the Covid-19 enforced lockdowns, I was talking with an IT director about how his organization secures its public cloud deployments. He told me: “We have over 500 separate AWS accounts in use; it helps all our development and cloud teams to manage the workloads they are responsible for without crossover or account bloat, and it also makes it easier to control cloud usage costs: all the accounts are billed centrally, but each account is a separate cost center with a clear owner.”

I asked about security, and he replied that each AWS account had different logins, meaning fewer staff had access to each account, which helped to protect each account.

While it’s true that having hundreds of separate public cloud accounts will help to keep a closer eye on cloud costs, it also creates huge complexity when trying to manage the connectivity and security of applications and workloads. This is especially true when making changes to applications that cross different public cloud accounts, or when introducing infrastructure changes that touch many – or even all – accounts.

As I covered in my recent article on public cloud security, securing applications and data in these environments can be challenging. It’s far easier for application teams to spin up cloud resources and move applications to them, than it is for IT and security teams to get visibility and control across their growing cloud estates.

Even if you are using a single public cloud platform like AWS, each account has its own security controls – and many of them. Each VPC in every region within the account has separate security groups and access lists: even if they embody the same policy, you need to write and deploy them individually. Any time you need to make a change, you need to duplicate the work across each of these elements.

Then there’s the question of how security teams get visibility into all these cloud accounts with their different configurations, to ensure they are all properly protected according to the organization’s security policy. It’s almost impossible to do this using manual processes without overlooking – or introducing – potential vulnerabilities.

So how do the teams in charge of those hundreds of accounts manage them effectively? Here are my three key steps:

1. Gain visibility across your networks

The first challenge to address is a lack of visibility into all your AWS cloud accounts, from one vantage point. The security teams need to be able to observe all the security controls, across all account/region/VPC combinations.

2. Manage changes from a single console

The majority of network security policy changes need to touch a mix of the cloud providers’ own security controls as well as other controls, both in the cloud and on-premise. No cloud application is an island that is entire of itself – it needs to access resources in other parts of the organization’s estate. When changes to network security policies in all these diverse security controls are managed from a single system, security policies can be applied consistently, efficiently, and with a full audit trail of every change.

3. Automate security processes

In order to manage multiple public cloud accounts efficiently, automation is essential. Security automation dramatically accelerates change processes, avoids manual processing mistakes and misconfigurations, and enables better enforcement and auditing for regulatory compliance. It also helps organizations overcome skill gaps and staffing limitations.

With an automation solution handling these steps, organizations can get holistic, single-console security management across all their public cloud accounts, as well as their private cloud and on-premise deployments – which ensures they can count on robust security across their entire IT estate. 
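The three steps above amount to one loop: enumerate every security control across every account/region/VPC combination, evaluate each against policy, and let a script rather than a person do it. The following added example, which is not AlgoSec’s product code, does that for EC2 security groups: `audit_security_groups()` reports each world-open ingress rule that exposes a sensitive port (or all ports), tagged with the account, region and VPC it lives in, and `collect_security_groups()` shows how the same records would be pulled with boto3 by assuming a read-only role in each account. The audit runs on constructed sample groups shaped like the `DescribeSecurityGroups` response; the role name, account ids and the list of sensitive ports are assumptions to adjust to local policy.

```python
"""Inventory and audit security groups across many AWS accounts and regions.

Added example, not AlgoSec's product code. audit_security_groups() works on
the dict shape returned by EC2 DescribeSecurityGroups; the sample groups are
constructed. collect_security_groups() shows the boto3 collection step and is
not exercised here (role name and account ids are placeholders).
"""
from typing import Iterable, List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# Ports that must never be reachable from the whole internet (assumption; set per policy)
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}


def _rule_ports(perm: dict):
    """Inclusive port range a permission covers; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _rule_is_world_open(perm: dict) -> bool:
    """True when any IPv4 or IPv6 source range is the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(groups: Iterable[dict]) -> List[dict]:
    """One finding per world-open ingress rule touching a sensitive port or all ports.

    Each group carries the DescribeSecurityGroups fields plus 'Account' and
    'Region' added by the collector, so a finding names the exact
    account/region/VPC combination that needs the change.
    """
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not _rule_is_world_open(perm):
                continue
            lo, hi = _rule_ports(perm)
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            all_ports = perm.get("IpProtocol") == "-1"
            if all_ports or exposed:
                findings.append({
                    "account": g.get("Account"), "region": g.get("Region"),
                    "vpc": g.get("VpcId"), "group": g.get("GroupId"),
                    "ports": "all" if all_ports else exposed,
                })
    return findings


def collect_security_groups(account_ids, regions, role_name="SecurityAudit"):
    """Assume a read-only role in each account and list groups in each region.

    boto3 is imported lazily so the audit logic runs without it. Not executed
    in this example; role_name and account ids are placeholders.
    """
    import boto3  # assumption: boto3 installed and caller credentials configured

    sts = boto3.client("sts")
    for account in account_ids:
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account}:role/{role_name}",
                                RoleSessionName="sg-audit")["Credentials"]
        for region in regions:
            ec2 = boto3.client("ec2", region_name=region,
                               aws_access_key_id=creds["AccessKeyId"],
                               aws_secret_access_key=creds["SecretAccessKey"],
                               aws_session_token=creds["SessionToken"])
            for page in ec2.get_paginator("describe_security_groups").paginate():
                for g in page["SecurityGroups"]:
                    g["Account"], g["Region"] = account, region
                    yield g


SAMPLE_GROUPS = [  # constructed; account ids and group ids are placeholders
    {"Account": "111111111111", "Region": "us-east-1", "VpcId": "vpc-aaa", "GroupId": "sg-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"Account": "111111111111", "Region": "eu-west-1", "VpcId": "vpc-bbb", "GroupId": "sg-bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"Account": "222222222222", "Region": "us-east-1", "VpcId": "vpc-ccc", "GroupId": "sg-legacy",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"Account": "222222222222", "Region": "us-east-1", "VpcId": "vpc-ccc", "GroupId": "sg-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f)
```

Running the audit on every pull, and keeping the findings list in version control, gives the audit trail the second step asks for: a diff between two runs is exactly the set of exposure changes introduced since the last one, whichever account they landed in.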

About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.

Copyright 2010 Respective Author at Infosec Island
No Silver Bullet for Addressing Cybersecurity Challenges During Pandemic
Mon, 10 Aug 2020 10:12:04 -0500

Infosec professionals have always had their work cut out for them, as the threat landscape continuously challenges existing security measures to adapt, improve and cope with the unexpected. As the coronavirus pandemic forced organizations to migrate their entire workforce to a work-from-home context, practically overnight, security professionals faced a new challenge for which half of them had not planned.

A recent Bitdefender survey reveals that 83 percent of US security and IT professionals believe the COVID-19 pandemic will change the way their business operates, mostly because their infrastructure had to adapt to accommodate remote work. Another concern for companies is that employees tend to be more relaxed about security (34 percent) and that working remotely means they will not be as vigilant in identifying and flagging suspicious activity and sticking to security protocols (34 percent).

Lessons learned

Having managed the initial work-from-home technology transition challenges, 1 in 4 security professionals understands the significant value and deployment of endpoint risk assessment tools. As mobility shifted to 100% for all employees, organizations could no longer rely on infrastructure-embedded and perimeter defense technologies to protect endpoints. Augmenting the endpoint security stack with risk assessment and risk analytics tools became mandatory in order to give infosec professionals needed visibility and more control over remote employee devices.

In addition to deploying risk analytics, 31 percent of infosec professionals indicated they would also increase employee training, as the current threat landscape has been witness to more socially engineered threats than actual malware sophistication. Employees are more at risk of clicking the wrong link or opening a tainted attachment, potentially compromising both their devices and company infrastructure.

With a greater need for visibility of weak spots within their infrastructure, 28 percent of security professionals have also had to adjust security policies. For instance, pre-pandemic policies that took into account infrastructure hardware and security appliances became useless in a remote work context.

The New Normal

While some companies have transitioned to the new normal faster than others, businesses understand they need to provide additional cybersecurity measures for employees, and to permanently increase their capability to monitor and protect devices outside of the office. There’s never been a silver bullet for addressing cybersecurity challenges, and the current post-pandemic era is further proof that security is a living organism that needs to adapt to ensure business continuity.

This is nothing new to the role of an infosecurity professional. They still need to deploy the right people, the proper processes and products, and the correct procedures to achieve long-term safety and success.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Could the Twitter Social Engineering Hack Happen to You?
Mon, 10 Aug 2020 10:04:24 -0500

Learning from the experiences of others should be a key job requirement for all cybersecurity, AppSec, DevSecOps, CISO, CRMO and SecSDLC professionals. The recent attack against Twitter where high-profile accounts were compromised to promote a Bitcoin scam is one such opportunity.

As new information comes to light (and I sincerely hope that Twitter continues to provide meaningful details), everyone within the cybersecurity realm should look to both their internal IT and application development practices, as well as those of their suppliers, for evidence that this particular attack pattern couldn’t be executed against their organization.

What we know as of now is that on July 15th, an attack was launched against Twitter that targeted 130 accounts. Of those 130, 45 had their passwords reset and eight had their Twitter data downloaded. While the initial public focus was on Twitter Verified accounts, those eight accounts were not verified.

The attack itself was based on the concept of social engineering where the targets were Twitter employees with access to an administrative tool capable of modifying account access of individual Twitter employees.

The attacker’s actions included posting a Bitcoin scam on prominent accounts, but it has also been reported that there was an effort to acquire Twitter accounts with valuable names.

Given that the attack had a prominent Bitcoin-scam component and a secondary account-harvesting component, there is an obvious first question we should be thinking about: with the level of access the attackers had, why wasn’t their attack more disruptive? This is a perfect example of attackers defining the success criteria, and thus the rules, of their attack.

That being said, it’s entirely plausible that the true goal of this attack has yet to be identified and that the attackers might easily have installed backdoors in Twitter’s systems that could lay dormant for some time.

Looking solely at the known information, everyone working with user data should be asking these types of questions:

  • Which accounts have administrator, super administrator or God-mode privileges?
  • Can a normal user possess administrator capabilities, or do they need to request them with specific justification?
  • Are all administrator-level changes logged and auditable?
  • Can an administrator modify logs of their activities?
  • Are there automated alerts to identify abnormal administrator activity, which might occur from rarely used accounts?
  • What limits are in place surrounding administrator access to user data?
  • What controls are in place to limit damage should an administrator misuse their credentials, either intentionally or as the result of a credential hack?
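Several of the questions above (rarely used administrator accounts, auditable changes, administrators touching their own logs) translate directly into detection logic over the admin tool's audit trail. The following is an added example, not Twitter's or the article's code: the log line format, the user names and the action names are constructed for the example, and the three rules are assumptions about what such a tool would log.

```python
"""Alerting on abnormal administrator activity from an admin-tool audit log.

Added example, not Twitter's or the article's code. The log format, the
user names and the action names are constructed; the three rules map to
the checklist questions on dormant accounts, unusual bursts of activity
and tampering with the audit trail.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO-8601 UTC> user=<admin> action=<verb> target=<object>"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")

ACCOUNT_CHANGES = {"reset_password", "change_email", "disable_2fa"}
LOG_TAMPERING = {"purge_audit_log", "edit_audit_log", "disable_audit_log"}


def parse(line: str) -> dict:
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(events, dormant_after=timedelta(days=30),
           burst_count=5, burst_window=timedelta(minutes=5)):
    """Return (rule, user, timestamp) alerts in log order."""
    alerts = []
    last_seen = {}
    recent_changes = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts = e["user"], e["ts"]
        # 1. a known admin account that wakes up after a long silence
        prev = last_seen.get(user)
        if prev is not None and ts - prev > dormant_after:
            alerts.append(("dormant_admin_active", user, ts))
        last_seen[user] = ts
        # 2. many account modifications by one admin inside a short window
        if e["action"] in ACCOUNT_CHANGES:
            window = [t for t in recent_changes[user] if ts - t <= burst_window] + [ts]
            recent_changes[user] = window
            if len(window) == burst_count:   # fires when the threshold is first crossed
                alerts.append(("burst_account_changes", user, ts))
        # 3. any action that touches the audit trail itself
        if e["action"] in LOG_TAMPERING:
            alerts.append(("audit_log_tampering", user, ts))
    return alerts


def sample_lines() -> list[str]:
    """Constructed audit trail: a busy admin (alice), a dormant one (bob) who reappears."""
    lines = ["2020-05-01T10:00:00Z user=bob action=reset_password target=acct_100"]
    for day in range(44):   # alice does one routine reset a day, 1 June to 14 July
        d = datetime(2020, 6, 1) + timedelta(days=day)
        lines.append(f"{d:%Y-%m-%d}T09:00:00Z user=alice action=reset_password target=acct_{200 + day}")
    for minute in range(5):  # bob resets five accounts in five minutes
        lines.append(f"2020-07-15T20:0{minute}:00Z user=bob action=reset_password target=acct_{300 + minute}")
    lines.append("2020-07-15T20:06:00Z user=bob action=purge_audit_log target=admin_console")
    return lines


def run_sample():
    return detect(parse(line) for line in sample_lines())


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} {rule} user={user}")
```

On the constructed trail the three rules fire only for bob: once when his account reappears after 75 days, once when the fifth reset lands within the five-minute window, and once for the purge. The thresholds are deliberately parameters; the point is that each checklist question has a concrete, testable signal behind it.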

For most organizations, administrator access is something given to their most trusted employees. For some, this trust might stem from how long the employee has been with the organization. For others, trust might stem from a variety of background checks. Nonetheless, administrators are humans and humans make errors in judgement – precisely the type of scenario social engineering targets.

Knowing that an administrator, particularly one with God-mode access rights, will be a prime target for social engineering efforts, any access granted to an administrator should be as limited as possible. This includes scenarios where an administrator is called upon to resolve users' access issues.

After all, someone claiming to be locked out of their account could easily be an attacker attempting to coerce someone in tech support into transferring rightful ownership into their hands. This implies that, on occasion, a successful account takeover will occur, and that the legitimate owner will still retain control of the original contact methods, such as email addresses, phone numbers and authenticator apps.

If the business sends a confirmation notice to the previous contact method when it changes, that then offers an additional level of warning for users who may be potential targets. The same situation should play out with any security settings such as recovery questions or 2FA configuration.
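The notification rule in the last two paragraphs, applied to contact details and to security settings alike, can be built into the account service itself rather than left to the support workflow. This is an added example, not Twitter's or the article's code. The Account fields, the "email:"/"sms:" channel naming and the in-memory outbox are assumptions for the example (a real service would hand the Notice objects to a mail or SMS sender); names and addresses are constructed.

```python
"""Notifying the previous contact when contact details or security settings change.

Added example, not Twitter's or the article's code. The Account fields,
the channel naming and the in-memory outbox are assumptions made for the
example; names and addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields whose change must be announced to the contacts that existed *before* the change.
PROTECTED_FIELDS = {"email", "phone", "totp_enabled", "recovery_question"}


@dataclass
class Account:
    account_id: str
    email: str
    phone: str
    totp_enabled: bool = True
    recovery_question: str = ""


@dataclass(frozen=True)
class Notice:
    channel: str   # "email:<addr>" or "sms:<number>"
    subject: str
    body: str


class AccountService:
    def __init__(self):
        self.outbox: list[Notice] = []   # stands in for the mail/SMS queue
        self.audit: list[dict] = []

    @staticmethod
    def _channels(acct: Account) -> list[str]:
        return [f"email:{acct.email}", f"sms:{acct.phone}"]

    def change_setting(self, acct: Account, field_name: str, new_value, actor: str):
        """Apply a change and notify old and new contacts, whoever requested it."""
        if field_name not in PROTECTED_FIELDS:
            raise ValueError(f"{field_name} is not a protected setting")
        old_value = getattr(acct, field_name)
        previous_channels = self._channels(acct)   # captured before the mutation
        setattr(acct, field_name, new_value)
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append({"account": acct.account_id, "field": field_name,
                           "old": old_value, "new": new_value, "actor": actor, "at": when})
        subject = f"Security setting changed on account {acct.account_id}"
        body = (f"{field_name} was changed by {actor} at {when}. "
                "If you did not request this, use the recovery link in your account settings.")
        # The previous contacts always hear about it, so the real owner sees a hijacked change.
        for ch in previous_channels:
            self.outbox.append(Notice(ch, subject, body))
        # Newly added contacts are told too, so the owner sees the change from both sides.
        for ch in self._channels(acct):
            if ch not in previous_channels:
                self.outbox.append(Notice(ch, subject, body))
        return old_value


def run_sample() -> AccountService:
    svc = AccountService()
    acct = Account("acct_991", "alice@example.com", "+15550000001")
    # a support agent, legitimately or under social-engineering pressure, changes the email...
    svc.change_setting(acct, "email", "new-address@example.net", actor="support_agent_7")
    # ...and then turns off two-factor authentication
    svc.change_setting(acct, "totp_enabled", False, actor="support_agent_7")
    return svc


if __name__ == "__main__":
    for n in run_sample().outbox:
        print(n.channel, "<-", n.subject)
```

The email change produces three notices (old address, existing phone number, new address); the 2FA change goes to both contacts on file. Because the audit entry records the actor, a later investigation can tell an owner-initiated change from one pushed through by support.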

Since this attack on Twitter exploited weaknesses in their account administration process, it effectively targeted some of the most trusted people and processes within Twitter. Every business has trusted processes and people, which means that they could be equally vulnerable to such an attack.

This then serves as an opportunity for all businesses to reassess how they build and deploy applications with an eye on how they would be administered and what process weaknesses could be exploited.

About the author: Tim Mackey is Principal Security Strategist, CyRC, at Synopsys. Within this role, he engages with various technical communities to understand how to best solve application security problems. He specializes in container security, virtualization, cloud technologies, distributed systems engineering, mission critical engineering, performance monitoring, and large-scale data center operations.

Augmented Reality Will Compromise the Privacy and Safety of Attack Victims
Wed, 08 Jul 2020 00:38:48 -0500

In the coming years, new technologies will further invade every element of daily life with sensors, cameras and other devices embedded in homes, offices, factories and public spaces. A constant stream of data will flow between the digital and physical worlds, with attacks on the digital world directly impacting the physical and creating dire consequences for privacy, well-being and personal safety.

Augmented Reality (AR) technologies will provide new opportunities for attackers to compromise the privacy and safety of their victims. Organizations rushing to adopt AR to enhance products and services will become an attractive target for attackers.

Compromised AR technologies will have an impact on a range of industries as they move beyond the traditional entertainment and gaming markets into areas such as retail, manufacturing, engineering and healthcare. Attackers will perform man-in-the-middle attacks on AR-enabled devices and infrastructure, gaining access to intimate and sensitive information in real-time. Ransomware and denial of service attacks will affect the availability of AR systems used in critical processes such as surgical operations or engineering safety checks. Attacks on the integrity of data used in AR systems will threaten the health and safety of individuals and the reputations of organizations.

As AR begins to pervade many elements of life, organizations, governments and consumers will begin using it more frequently and with greater dependency. AR will bridge the digital and physical realms. But as a relatively immature technology it will present nation states, organized criminal groups, terrorists and hackers with new opportunities to distort reality.

What is the Justification for This Threat?

AR has been heralded as the future visual interface to digital information systems. With 5G networks reducing latency between devices, AR technologies will proliferate across the world, with significant investment in the UK, US and Chinese markets.

The estimated global market value for AR technologies is set to grow from $4 billion in 2017 to $60 billion by 2023, with use cases already being developed in the entertainment, retail, engineering, manufacturing and healthcare industries. There are increasing signs that AR will be promoted by major technology vendors such as Apple, which is said to be developing an AR headset for launch in 2020.

Vulnerabilities in devices, mobile apps and systems used by AR will give attackers the opportunity to compromise information, steal highly valuable and sensitive intellectual property, send false information to AR headsets and prevent access to AR systems.

The development of AR technologies across the manufacturing and engineering sectors is being driven by digital transformation and the desire for lower operational costs, increased productivity and streamlined processes. As AR systems and devices become the chosen medium for displaying schematics, blueprints and manuals to workers, attackers will be able to manipulate the information provided in real-time to compromise the quality and safety of products, as well as threatening the lives of users.

Many industries will become dependent on AR technologies for their products and services. For example, within air traffic control, AR displays are being evaluated as an aid to understanding aircraft movements in conditions of poor visibility. In the logistics and transport industries, AR will build upon systems such as GPS and voice assistants. With the help of Internet of Things (IoT) sensors, AI technologies, 5G and edge computing, AR systems will be able to overlay information to drivers in real-time. This will include demonstrating where live traffic accidents are happening, assisting during poor weather conditions, providing accurate journey times, and highlighting vehicle performance.

If the integrity or availability of data used in such systems is compromised, it will lead to significant operational disruption as well as risks to health and safety.

The healthcare industry is already a major target for cyber-attacks and the adoption of immature and vulnerable AR technologies in medical administration and surgical environments is likely to accelerate this trend. Medical professionals will be able to access sensitive records such as medical history, medication regimens and prescriptions through AR devices. This will create a greater attack surface as data is made available on more devices, resulting in a growing number of breaches and thefts of sensitive personal information.

AR promises much, but organizations will soon find themselves targeted by digital attacks that distort the physical world, disrupting operations and causing significant financial and reputational damage.

How Should Your Organization Prepare?

Organizations should be wary of the risks posed by AR. Many of the opportunities that AR ushers in will need to be risk assessed, with mitigating controls introduced to ensure that employees and consumers are safe and that privacy requirements are upheld.

In the short term, organizations should enhance vulnerability scanning and risk assessments of AR devices and software. They should also ensure that AR systems and devices that have records relating to personal data are secure. Additionally, create work-arounds, business continuity plans and redundancy processes in the event of failure of critical AR systems and devices.

In the long term, limit data propagation and sharing across AR environments. Organizations should also ensure that security requirements are included when procuring AR devices and purchase comprehensive insurance coverage for AR technology. Finally, establish and maintain skillsets required for individuals in roles that are reliant upon AR technology.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Ending the Cloud Security Blame Game
Wed, 08 Jul 2020 00:34:00 -0500

Like many things in life, network security is a continuous cycle. Just when you’ve completed the security model for your organization’s current network environment, the network will evolve and change – which will in turn demand changes to the security model. And perhaps the biggest change that organizations’ security teams need to get to grips with is the cloud.

This was highlighted by a recent survey, in which over 75% of respondents said the cloud service provider is entirely responsible for cloud security. This rather worrying finding was offset by some respondents stating that security is also the responsibility of the customer to protect their applications and data in the cloud service, which shows at least some familiarity with the ‘shared responsibility’ cloud security model. 

What exactly does ‘shared responsibility’ mean? 

In reality, the responsibility for security in the cloud is only shared in the same way that an auto manufacturer installs locks and alarms in its cars. The security features are certainly there: but they offer no protection at all unless the vehicle owner actually activates and uses them.  

In other words, responsibility for security in the public cloud isn’t really ‘shared’.  Ensuring that applications and data are protected rests entirely on the customer of those services. Over recent years we’ve seen how several high-profile companies unwittingly exposed large volumes of data in AWS S3 buckets. These issues were not caused by problems in Amazon: they were the result of users misconfiguring the Amazon S3 services they were using, and not using proper controls when uploading sensitive data to the services. The data was placed in the buckets protected by only weak passwords (and in some cases, no password at all).
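The S3 exposures described above are all settings that the customer, not Amazon, controls: the bucket policy, the bucket ACL and the Block Public Access configuration. The following added example (not Amazon's or the article's code) evaluates those three inputs offline and reports whether each public grant is actually effective or already neutralised by Block Public Access. The bucket name, account id and policy documents are constructed; the group URIs and the four Block Public Access keys are the real AWS identifiers.

```python
"""Offline check of S3 bucket exposure settings.

Added example, not Amazon's or the article's code. It evaluates the three
customer-controlled inputs that decide whether a bucket is public: the
bucket policy, the bucket ACL grants and the Block Public Access settings.
All sample values are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let the principal read objects (compared lower-case).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_doc: str) -> list[dict]:
    """Flag Allow statements that grant read actions to any principal."""
    findings = []
    for idx, st in enumerate(_as_list(json.loads(policy_doc).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append({
                "source": f"policy statement {st.get('Sid', idx)}",
                # a Condition (e.g. on aws:SourceVpce) narrows the grant, so rate it lower
                "severity": "medium" if st.get("Condition") else "high",
            })
    return findings


def acl_findings(acl: dict) -> list[dict]:
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append({
                "source": f"ACL grant {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}",
                "severity": "high",
            })
    return findings


def assess_bucket(name: str, policy_doc: str, acl: dict, public_access_block: dict) -> list[dict]:
    """Combine the checks and mark whether Block Public Access already neutralises each one."""
    pab = public_access_block
    # RestrictPublicBuckets limits an existing public policy to the account's own principals;
    # IgnorePublicAcls makes public ACL grants inert. BlockPublic* only prevent new ones.
    policy_blocked = bool(pab.get("RestrictPublicBuckets", False))
    acl_blocked = bool(pab.get("IgnorePublicAcls", False))
    results = []
    for f in policy_findings(policy_doc):
        results.append({"bucket": name, **f, "effective": not policy_blocked})
    for f in acl_findings(acl):
        results.append({"bucket": name, **f, "effective": not acl_blocked})
    return results


# Constructed sample inputs.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for f in assess_bucket("example-bucket", PUBLIC_POLICY, PUBLIC_ACL, NO_BLOCK):
        print(f)
```

With the public policy and ACL and no Block Public Access, both grants are reported as effective; the same bucket with all four Block Public Access settings on still shows the grants (they should be cleaned up) but marks them as not effective. The private policy and ACL produce no findings at all.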

Cloud exposure

It’s important to remember that cloud servers and resources are much more exposed than physical, on-premise servers. For example, if you make a mistake when configuring the security for an on-premise server that stores sensitive data, it is still likely to be protected by other security measures by default. It will probably sit behind the main corporate gateway, or other firewalls used to segment the network internally. Its databases will be accessible only from well-defined network segments. Users logging into it will have their accounts controlled by the centralized password management system. And so on.

In contrast, when you provision a server in the public cloud, it may easily be exposed to and accessible from any computer, anywhere in the world. Apart from a password, it might not have any other default protections in place. Therefore, it’s up to you to deploy the controls to protect the public cloud servers you use, and the applications and data they process. If you neglect this task and a breach occurs, the fault will be yours, not the cloud provider’s.

This means that it is the responsibility of your security team to establish perimeters, define security policies and implement controls to manage connectivity to those cloud servers. They need to set up controls to manage the connection between the organization’s public cloud and on-premise networks, for example using a VPN, and consider whether encryption is needed for data in the cloud. These measures will also require a logging infrastructure to record actions for management and audits, to get a record of what changes were made and who made them.

Of course, all these requirements across both on-premise and cloud environments add significant complexity to security management, demanding that IT and security teams use multiple different tools to make network changes and enforce security. However, using a network security policy management solution will greatly simplify these processes, enabling security teams to have visibility of their entire estate and enforce policies consistently across public clouds and the on-premise network from a single console.

The solution’s network simulation capabilities can be used to easily answer questions such as: ‘is my application server secure?’, or ‘is the traffic between these workloads protected by a security gateway?’ It can also quickly identify issues that could block an application’s connectivity (such as misconfigured or missing security rules, or incorrect routes) and then plan how to correct the connectivity issue across the relevant security controls. What’s more, the solution keeps an audit trail of every change for compliance reporting.

Remember that in the public cloud, there’s almost no such thing as ‘shared responsibility.’ Security is primarily your responsibility – with help from the cloud provider. But with the right approach to security management, that responsibility and protection is easy to maintain, without having to play the blame game.

About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.
