Microsoft Makes OneDrive Personal Vault Available Worldwide
Tue, 01 Oct 2019 08:42:56 -0500

Microsoft this week announced that users all around the world can now keep their most important files protected in OneDrive Personal Vault.

Launched earlier this summer, the Personal Vault is a protected area in OneDrive that requires strong authentication or a second identification step to access. Thus, users can store their files and ensure that they can’t be accessed without a fingerprint, face, PIN, or code received via email or SMS.

Now available worldwide on all OneDrive consumer accounts, Personal Vault allows users to securely store important information such as files, photos, and videos, including copies of documents, and more. 

The added security ensures that, even if an attacker manages to compromise the OneDrive account, they won’t have access to any of the files in Personal Vault. 

Personal Vault won’t slow users down, as they can easily access content from their PC, on, or mobile device, Microsoft says.

On top of that, additional security measures are available, including the ability to scan documents or shoot photos directly into Personal Vault. Files and shared items moved into Personal Vault cannot be shared. 

Both Personal Vault and files there will close and lock automatically after a period of inactivity, and Personal Vault files are automatically synced to a BitLocker-encrypted area of the user’s Windows 10 PC local hard drive. 

“Taken together, these security measures help ensure that Personal Vault files are not stored unprotected on your PC, and your files have additional protection, even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it or to your account,” Microsoft says.

OneDrive provides other security features as well, including file encryption, monitoring for suspicious sign-ins, ransomware detection and recovery, virus scanning on downloads, password-protection of sharing links, and version history for all file types.

To use Personal Vault, users only need to click on the feature’s icon, available in OneDrive. Only up to three files can be stored in Personal Vault on OneDrive free or standalone 100 GB plans, but that limit is as high as the total storage limit for Office 365 Personal and Office 365 Home plans.


Copyright 2010 Respective Author at Infosec Island
Human-Centered Security: What It Means for Your Organization
Tue, 24 Sep 2019 13:57:15 -0500

Humans are regularly referred to as the ‘weakest link’ in information security. However, organizations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation. A new approach is clearly required: one that helps organizations to understand and manage psychological vulnerabilities, and adopts technology and controls that are designed with human behavior in mind.

That new approach is human-centred security.

Human-centred security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans ‘touch’ data throughout the working day, organizations can uncover the circumstances where psychological-related errors may lead to security incidents.

For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed and scale. Understanding what triggers human error will help organizations make a step change in their approach to information security.

Identifying Human Vulnerabilities

Human-centred security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. Humans, however, have a range of vulnerabilities that can lead to errors in decision making, resulting in negative impacts on the organization, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.

In some cases, organizations can put preventative controls in place to mitigate errors being made, e.g. preventing employees from sending emails externally, strong encryption of laptops or physical barriers. However, errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.

By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behavior, organizations can begin to understand why their employees might make errors, and begin managing that risk more effectively.

Exploiting Human Vulnerabilities

Psychological vulnerabilities present attackers with opportunities to influence and exploit humans for their own advantage. The methods of psychological manipulation used by attackers have not changed since humans entered the digital era but attack techniques are more sophisticated, cost-effective and expansive, allowing attackers to effectively target individuals or to attack on considerable scale.

Attackers use the ever-increasing volume of freely available information from online and social media sources to establish believable personas and backstories in order to build trust and rapport with their targets. This information is carefully used to heighten pressure on the target, which then triggers a heuristic decision-making response. Attack techniques are used to force the target to use a particular cognitive bias, resulting in predictable errors. These errors can then be exploited by attackers.

There are several psychological methods that can be used to manipulate human behavior; one such method that attackers can use to influence cognitive biases is social power.

There are many attack techniques that use the method of social power to exploit human vulnerabilities. Attack techniques can be highly targeted or conducted on scale but they typically contain triggers which are designed to evoke a specific cognitive bias, resulting in a predictable error. While untargeted, ‘spray and pray’ attacks rely on a small percentage of the recipients clicking on malicious links, more sophisticated social engineering attacks are becoming prevalent and successful. Attackers have realized that it is far easier targeting humans than trying to attack technical infrastructure.

The way in which the attack technique uses social power to trigger cognitive biases will differ between scenarios. In some cases, a single email may be enough to trigger one or more cognitive bias resulting in a desired outcome. In others, the attack may gradually manipulate the target over a period of time using multiple techniques. What is consistent is that the attacks are carefully constructed and sophisticated. By knowing how attackers use psychological methods, such as social power, to trigger cognitive biases and force errors, organizations can deconstruct and analyze real-world incidents to identify their root causes and therefore invest in the most effective mitigation.

For information security programs to become more human-centred, organizations must become aware of cognitive biases and their influence on decision-making. They should acknowledge that cognitive biases can arise from normal working conditions but also that attackers will use carefully crafted techniques to manipulate them for their own benefit. Organizations can then begin to readdress information security programs to improve the management of human vulnerabilities, and to protect their employees from a range of coercive and manipulative attacks.

Managing Human Vulnerabilities

Human vulnerabilities can lead to errors that can significantly impact an organization’s reputation or even put lives at risk. Organizations can strengthen information security programs in order to mitigate the risk of human vulnerabilities by adopting a more human-centred approach to security awareness, designing security controls and technology to account for human behavior, and enhancing the working environment to reduce the impact of pressure or stress on the workforce.

Reviewing the current security culture and perception of information security should give an organization a strong indication of which cognitive biases are impacting the organization. Increasing awareness of human vulnerabilities and the techniques attackers use to exploit them, then tailoring more human-centred security awareness training to account for different user groups should be fundamental elements of enhancing any information security program.

Organizations with successful human-centred security programs often have significant overlap between information security and human resource functions. The promotion of a strong mentoring network between senior and junior employees, coupled with the improvement of the structure of working days and the work environment, should help to reduce unnecessary stress that leads to the triggering of cognitive biases affecting decision-making.

Develop meaningful relationships between a mentor and mentee to create an equilibrium of knowledge and understanding. Create a working environment and work-life balance that reduces stress, exhaustion, burnout and poor time management, which all significantly increase the likelihood of errors being made. Finally, consider how the improvement or enhancement of workspaces and environments can reduce stress or pressure on the workforce. Consider what is the most appropriate work environment for the workforce as there may be varying options, e.g. working from home, remote working, or modernizing office spaces, factories or outdoor locations.

From Your Weakest Link to Your Strongest Asset

Underlying psychological vulnerabilities mean that humans are prone to both making errors, and to manipulative and coercive attacks. Errors and manipulation now account for the majority of security incidents, so the risk is profound. By helping staff understand how these vulnerabilities can lead to poor decision making and errors, organizations can manage the risk of the accidental insider. To make this happen, a fresh approach to information security is required.

A human-centred approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization’s awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure.

Once information security is understood through the lens of psychology, organizations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centred security will help organizations transform their weakest link into their strongest asset.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

How Ethical Hackers Find Weaknesses and Secure Businesses
Wed, 11 Sep 2019 09:41:03 -0500

When people hear about hackers, it typically conjures up images of a hooded figure in a basement inputting random code into a computer terminal. This Hollywood cliché is far from the truth for modern-day cybersecurity experts, and it’s also important to note that not all hackers are malicious.

Hacking, and its role in cybersecurity, is a rapidly growing career field on a global scale. Market research predicts that the cybersecurity market will exceed $181.77 billion by 2021. The global market for cybersecurity is growing, and companies now consider security an imperative for today’s organizations.

The cybersecurity landscape has growing threats today, with data breaches and attacks happening constantly. For instance, it’s hard to forget the infamous WannaCry ransomware attack spread through the world, targeting Microsoft machines and bringing multiple services worldwide to their knees. The attack hit an estimated 200,000 computers across 150 countries, encrypting files in health services, motor manufacturing, telephone companies, logistics companies, and more.

So, what can we do to secure our businesses and online infrastructure? One option is to look to ethical hackers, or white hat hackers: security experts who approach your data and services through the eyes of a malicious attacker. An engagement from an ethical hacker is designed to see how your infrastructure or applications would hold up against a real-world attack.

Turning to Ethical Hackers

A commonly used term for ethical hackers attacking your system is the “Red Team,” although this term covers a broader attack surface, including attacks against people, such as social engineering, and physical attacks, such as lock picking. Would your security stop dedicated and professional attackers, or would they find holes and weaknesses unknown to you and your internal security team (also known as the Blue Team)?

The job description for an ethical hacker is simple to break down: assess the target, scope out all functionality and weaknesses, attack the system and then prove it can be exploited. While the job description can be described quite easily, the work involved can be large and undoubtedly complex. Additionally, when carrying out a pen-test or assessment of a client’s application or network, production safety and legality are what separate the “good guys” (ethical hackers) from the “bad guys” (malicious hackers).

Assessing the Target

When beginning an assessment of a system or application, we must have a set scope before we begin. It is illegal to attack systems without prior consent and furthermore a waste of time to work on assets out of the predefined scope. Target assessment can be one of the most important steps in a well-performed test. The idea of simply jumping straight in and attacking a system on the first IP or functionality we come across is a bad way to start.

The best practice is to find everything that is part of the assessment and see how it works together. We must know what the system in place was designed to do and how data is transferred throughout. Building maps with various tools gives a much greater picture of the attack surface we can leverage. The assessment of the target is commonly known as the “enumeration phase.”

At the end of this phase we should have a great place to start attacking, with a map of the entire structure of the system or application, hopefully including information regarding operating systems, service packs, version numbers and any other fingerprinting data that can lead to an effective exploit of the target.

Vulnerability Analysis

All information gathered against the machines or applications should immediately give a good hacker a solid attack surface and the ability to identify weakness in the system. The internet provides a vast amount of information that can easily be associated with the architecture and lists of all known exploits or vulnerabilities already found against said systems.

There are additional tools to help with vulnerability analysis, like scanners, that flag possible points of weakness in the system or application. All of the analytic data is much easier to find and test after a thorough assessment.

It is in the exploitation phase that the services of an ethical hacker make their impact. We may have all the assessment data and vulnerability analysis information, but if the tester does not know how to perform strong attacks or bypass the security mechanisms in place, then the previous steps were useless. Exploiting a commonly known vulnerability can be fairly straightforward if it has write-ups from other security specialists, but hands-on experience crafting your own injections and obfuscated payloads, or dealing with a blacklist/whitelist that is in place, is invaluable.

Furthermore, it is imperative to test with production safety in mind. Having an ethical hacker run dangerous code or tests against the system may cause untold damage. This defeats the purpose of a secure test. The objective is to prove that it is vulnerable, without causing harm or disruption to the live system.

Providing Concepts

After a test has been concluded, the results of all exploits, vulnerability analysis and even enumeration data that returned valuable system information should be documented and presented to the client. All vulnerabilities should be given ratings (standard rating systems like CVSS3 are the most common to use) on how severe the issue and the impact of the exploit could be.

Additionally, the steps an attacker could follow to perform this exploit should be included as a step-by-step proof of concept. The client should be able to follow along with your report and end up with the same results showing the flaw in the system. Again, only non-malicious attacks should be given in the report.

Providing these proof-of-concept reports to clients, with steps on how to reproduce the issues and non-malicious examples of how the system can be breached, is paramount to success in securing your systems.

No Perfect System

Finally, it’s important to note that no system is ever considered flawless. Exploits and vulnerabilities are released on an almost daily basis for every type of machine, server, application and language. Security assessments and tests of modern applications must be a continual process. This is where the role of a hacker in your organization, simulating attacks in the style of a malicious outsider, becomes invaluable.

Approaching your currently implemented security as a target to beat or bypass, instead of a defense mechanism waiting to be hit, is the strongest and fastest way to find any flaws that may already exist. Modern-day web applications have been described as living, breathing things, and negligence in keeping them secure will surely result in a digital disaster.

About the author: Jonathan Rice works as a vulnerability web application specialist for application security provider WhiteHat Security. In this role, Rice has focused on manual assessments, vulnerability verification and dynamic application security testing (DAST).

New Passive RFID Tech Poses Threat to Enterprise IoT
Wed, 11 Sep 2019 09:33:00 -0500

As RFID technology continues to evolve, IoT security measures struggle to keep pace.

The Internet of Things (IoT) industry is growing at a staggering pace. The IoT market in China alone will hit $121.45 billion by 2022 and industry analysts predict that more than 3.5 billion devices will be connected through IoT globally by 2023. 

Among the most important technologies precipitating this breakneck growth is RFID or Radio Frequency Identification. RFID-tagged devices can help track inventory, improve the efficiency of healthcare and enhance services for customers in a variety of industries. 

For example, many hospitals across the world are beginning to test the use of on-metal RFID tags to not only track their inventory of surgical tools--such as scalpels, scissors, and clamps--but to ensure that each tool is properly sterilized and fully maintained prior to new operations. The implications of the widespread application of RFID tracking in the healthcare system would be a dramatic reduction in the number of avoidable infections due to unsterilized equipment and a sharp increase in the efficiency of surgical procedures.

IDenticard Vulnerabilities in PremiSys ID System

Although passive RFID technology shows much promise for streamlining and improving the management of IoT, unresolved vulnerabilities in the technology’s security remain a bottleneck for both the implementation of RFID and the growth of the IoT industry. 

In January, the research group at Tenable discovered multiple zero-day vulnerabilities in the PremiSys access control system developed by IDenticard, a US-based manufacturer of ID, access and security solutions. 

The vulnerabilities - which included weak encryption and a default username-password combination for database access - would have allowed an attacker to gain complete access to employee personal information of any organization using the PremiSys ID system. Though IDenticard released a patch to resolve the vulnerabilities, the incident points to growing security risks around network-connected, RFID-tagged devices.

In the summer of 2017, these security risks were put on full display when researchers from the KU Leuven university discovered a simple method to hack the Tesla Model S’s keyless entry fob. The researchers claim that these types of attacks were possible (prior to the security patch rolled out by Tesla in June of 2018) because of the weak encryption used by the Pektron key’s system. 

Despite the numerous security concerns that have surfaced in recent years, RFID is still one of the most tenable solutions for increasing the efficiency and safety of IoT. That said, for enterprise to take full advantage of the benefits of RFID technology, stronger security protocols and encryptions must be implemented. 

Compounding the threat is the fact that many RFID-enabled enterprise networks are at an increased risk of breaches (especially those in the Industrial IoT, IIoT) due to their inability to detect vulnerabilities and breaches in the first place. In fact, a recent study published in January by Gemalto discovered that nearly 48% of companies in all industries are unable to detect IoT device breaches. 

The Bain & Co. study pointed to security as the major obstacle to full-scale RFID/IoT adoption. With data breaches costing, on average, more than $3.86 million, or $148 per record, new security measures must be taken if IoT is to fulfill its promise of en masse real-time connection between businesses, consumers, and their devices. Unsurprisingly, in the Gemalto survey of 950 of the world’s leaders in IT and IoT businesses, more than 79% of respondents said they want more robust guidelines for comprehensive IoT security.

According to The Open Web Application Security Project (OWASP), there are ten primary vulnerabilities present in IoT and many of these risk factors are directly related to the implementation of RFID technology. 

Securing RFID-Enabled Enterprise IoT Devices

Of the many vulnerabilities in RFID/IoT devices and technologies, few impact consumers as directly as those presented by RFID scanners. 

RFID scanners can glean information from any RFID-enabled device, not just credit cards and phones. Our IoT and IIoT, both growing at a breakneck pace and with security features lagging behind, are prime targets for exploitation. 

Security analysts have raised concerns about the safety of data traveling on these networks for years. In fact, a study conducted by IBM found that fewer than 20% of organizations routinely test their IoT apps and devices for security vulnerabilities. With data breaches growing at an alarming pace (2018 alone resulted in the exposure of more than 47.2 million records), many customers are asking, “What protections do we have against the growing threat against connected devices?”

As it happens, quite a lot. In 2017, a research group at the IAIK Graz University of Technology created an RFID-based system aiming to secure RFID data on an open Internet of Things (IoT) network. The engineers designed a novel RFID tag that exclusively uses the Internet Protocol Security layer to secure the RFID tag and its sensor data, regardless of what type of RFID scanner attempts to steal the tag data.

Their innovation lies in collecting the RFID sensor data first through a virtual private network (VPN) application. Using the custom RFID tag, communications are routed through the IPsec protocol, which provides secure end-to-end encryption between an RFID-enabled IoT device and the network to which it’s connected. 

Solutions that identify and resolve potential IoT device vulnerabilities still need more work before we can expect widespread implementation. For one thing, the IPsec protocol, which is available on most consumer VPN applications, does not secure networks with 100% certainty.

Researchers at Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum (RUB) recently discovered a Bleichenbacher vulnerability in numerous commercial VPNs, including those used by Cisco, Clavister, Huawei and Zyxel.

RFID Breaking Big in the Enterprise Market

When it comes to RFID security, conversations gravitate toward consumer applications like contactless payment fraud or bugs in wearable technology. Though RFID spending is mostly business-to-consumer, the next largest spending category is the enterprise, comprising nearly 30% of the total RFID market.

RFID’s market size is projected to grow an additional 30% through 2020, as enterprise embraces RFID tags in everything from supply-chain management to security keycard systems. One of the big enablers of IoT in enterprises has been the simple addition of “passive” RFID tags for day-to-day operational functions. 

Passive RFID systems are comprised of RFID tags, readers/antennas, middleware, and (in many cases) RFID printers.

With the rate at which the technology has evolved, the modern market now has access to thousands of tag types with increased range and sensitivity and a plethora of substance-specific designs (e.g. tags made specifically for metal, liquid, and other materials). This technology allows for unprecedented tracking and security of inventory, personnel, and other company assets.

Passive RFID tags, which have no electronic components, cost roughly 1/100th of the price of their “active” counterparts. And, although they have a much lower range than active tags, they require no internal power source and instead draw their power from the electromagnetic energy emitted by the local RFID readers. Though a tag cannot be assigned an IP address, the reader is part of the IoT network and is identified by its IP address, which makes the reader vulnerable, as we’ve seen, to the same kinds of hacks that affect other devices when steps have not been taken to hide the IP address.

Because of these factors, passive RFID tags are ideal for companies and supply chains operating in extreme heat and cold, dust, debris and exposure to other elements.

Final Thoughts

With all of this taken into consideration, the question still remains, “What can the average consumer do to protect their IoT devices from hackers?”

One of the simplest solutions is to make a minor investment into some kind of blocking or wallet jamming card. If you have first generation contactless cards, ask your bank or credit card company to upgrade you to the encrypted second generation. While your data might be skimmed, it will be unreadable to the perpetrator due to the power of modern encryption protocols. 

For example, a standard 256-bit protocol would take 50 supercomputers many billions of years to decrypt and the impracticalities of such an attack lead cybercriminals to target easier prey. 

Ultimately, the accelerating pace of RFID tech will make our lives more convenient. With greater convenience, however, comes a greater need for security solutions. When it comes to RFID, one can only hope that the good guys stay one step ahead in the ongoing crypto arms race.

About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.

Android RAT Exclusively Targets Brazil
Mon, 02 Sep 2019 09:59:12 -0500

A newly discovered Android remote access Trojan (RAT) is specifically targeting users in Brazil, Kaspersky reports.

Called BRATA, which stands for Brazilian RAT Android, the malware could theoretically be used to target any other Android user, should the cybercriminals behind it want to. Widespread since January 2019, the threat was primarily hosted in Google Play, but also in alternative Android app stores. 

The malware targets Android 5.0 or later and infects devices via push notifications on compromised websites, messages delivered via WhatsApp or SMS, or sponsored links in Google searches.

After discovering the first RAT samples in January and February 2019, Kaspersky has observed over 20 different variants to date, in Google Play alone, most posing as updates to WhatsApp. 

One of the topics abused by BRATA is the CVE-2019-3568 WhatsApp patch. The infamous fake WhatsApp update had over 10,000 downloads in the official Android store when it was removed, Kaspersky says.

As soon as it has infected a device, BRATA enables its keylogging feature and starts abusing Android’s Accessibility Service feature to interact with other applications.

The commands supported by the malware allow it to capture and send the user’s screen output in real time, turn off the screen, or give the user the impression that the screen is off while performing actions in the background.

It can also retrieve Android system information, data on the logged user and their registered Google accounts, and hardware information, and can request the user to unlock the device or perform a remote unlock.

What’s more, BRATA can launch any application installed with a set of parameters sent via a JSON data file, send a string of text to input data in textboxes, and launch any particular application or uninstall the malware and remove traces of infection.

“In general, we always recommend carefully reviewing the permissions any app is requesting on the device. It is also essential to install an excellent up-to-date anti-malware solution with real-time protection enabled,” Kaspersky concludes.

Three Strategies to Avoid Becoming the Next Capital One
Fri, 30 Aug 2019 09:00:00 -0500

Recently, Capital One discovered a breach in their system that compromised Social Security numbers of about 140,000 credit card customers along with 80,000 bank account numbers. The breach also exposed names, addresses, phone numbers and credit scores, among other data.

What makes this breach even more disconcerting is that Capital One has been the poster child for cloud adoption, and most, if not all, of their applications are hosted in the cloud. They were one of the first financial companies, in a very technologically conservative industry, to adopt the cloud, and have always maintained that the cloud has been a critical enabler of their business success by providing incredible IT agility and competitive strengths.

So, does this mean companies should rethink their cloud adoption? In two words: hell no! The agility and economic value of cloud are intact and accelerating. Leading edge companies will continue to adopt the cloud and SaaS technologies. The breach does, however, put a finer point on what it means to manage security in the cloud.

So how do you avoid becoming the next Capital One? At Sumo Logic, we are fully in the cloud and work with thousands of companies who have adopted (or are planning to adopt) the cloud. Our experience enables us to offer three strategies to enterprise CISOs and security teams:

1. Know the “shared security” principles in the cloud environment.

The cloud runs on a shared security model. If you are using the cloud and building apps in the cloud, you should know that the security of your app is shared between you (the application owner) and the cloud platform.

Specifically, the cloud security model means that:

  • The cloud vendor manages and controls the host operating system, the virtualization layer, and the physical security of its facilities.
  • To ensure security within the cloud, the customer configures and manages the security controls for the guest operating system and the applications running on it (including updates and security patches), as well as the security group firewall. The customer is also responsible for encrypting data in transit and at rest.
  • A strong IAM strategy, access control and logging are key to stopping insider threats, and to limiting what a stolen or abused credential can reach.
  • Consider a bug bounty program; this was an essential part of what Capital One did right in identifying the breach.

Hence, running in the cloud does not absolve you of managing the security of your application or its infrastructure, something every cloud enterprise should be aware of. It is also a good time to step up your security by inviting ethical hacking of your services. At Sumo Logic, we have been running bounties on our platform for two years, using both HackerOne and Bugcrowd, to open the kimono and gain trust from our consumers that we are doing everything possible to secure their data in the cloud.

Your call to action: Know the model. Know what you are responsible for (at the end of the day, almost everything!).
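The customer's side of the shared model above is mostly configuration: IAM policies, security groups, encryption settings. The following is an added example, not code from the article or from Sumo Logic, of the kind of least-privilege check a team can run over its own policy documents before they are deployed. The policy documents and ARNs are constructed for illustration; the checks (wildcard actions, wildcard resources, public principals on a resource policy) are the common misconfigurations the model leaves squarely with the customer.

```python
"""Added example: a least-privilege linter for IAM-style policy documents.

Not from the original article. The policies below are constructed; the bucket
name and ARNs are hypothetical. It reports Allow statements that grant wildcard
actions or resources, and resource policies whose Principal is public.
"""
import json
from typing import List

# Constructed sample policies (hypothetical ARNs, not from the article).
OVERLY_BROAD_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateRole"], "Resource": "*"},
    ],
})

SCOPED_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
    ],
})

PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-data/*"},
    ],
})


def _as_list(value) -> List[str]:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy_json: str) -> List[str]:
    """Return human-readable findings for one policy document.

    Only Allow statements are examined; Deny statements narrow access and are
    never reported. A Condition block is noted because it may scope the grant,
    but wildcards are still reported so that a human reviews them.
    """
    policy = json.loads(policy_json)
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditional = " (has Condition)" if "Condition" in stmt else ""

        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call{conditional}")
        for action in actions:
            if action.endswith(":*") and action != "*":
                findings.append(f"{sid}: service-wide wildcard {action}{conditional}")
        if "*" in resources and actions:
            findings.append(f"{sid}: Resource '*' is not scoped to specific ARNs{conditional}")
        if _is_public_principal(stmt.get("Principal")):
            findings.append(f"{sid}: Principal '*' makes this grant public{conditional}")
    return findings


if __name__ == "__main__":
    for name, doc in [("overly broad", OVERLY_BROAD_IDENTITY_POLICY),
                      ("scoped", SCOPED_IDENTITY_POLICY),
                      ("bucket policy", PUBLIC_BUCKET_POLICY)]:
        print(name, "->", lint_policy(doc) or ["no findings"])
```

Run it against exported policies as a pre-deployment gate; the scoped policy comes back clean, the broad one produces one finding per wildcard, and the public bucket policy is flagged on its principal alone even though its action and resource are narrow.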

2. Know and use the cloud native security services

Some layers of cloud infrastructure are opaque to you, but every major cloud provider offers native security services (identity and access management, audit logging, configuration and threat monitoring) to help you take control of access and security in the cloud. It is imperative that enterprises in the cloud use these foundational services. In Sumo Logic’s third annual State of the Modern App Report, we analyzed the usage of these services in AWS and saw that it was significant.

Your call to action: Implement the cloud platform security services. They are your foundational services and help implement your basic posture.

3. Get a “cloud” SIEM to mind the minder

A security information and event management (SIEM) solution is like the radar system that pilots and air traffic controllers rely on. Without one, enterprise IT is flying blind with regard to security. Today’s most serious threats are distributed, acting in concert across multiple systems and using advanced evasion techniques to avoid detection. Without a SIEM, attacks are allowed to germinate and grow into emergency incidents with significant business impact.

A cloud SIEM is radically different from a traditional SIEM. There are several key differences:

  • The architecture of cloud apps (microservices, API based) is very different from traditional apps
  • The surface area of cloud applications (and therefore security incidents) is very large
  • The types of security incidents (malware, ransomware etc.) in the cloud could also be very different from traditional data center attacks

When you evaluate a SIEM, choose one focused on the new threats in the cloud environment, built in the cloud, for the cloud.
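The "acting in concert across multiple systems" point is best seen in code. Below is an added example, not from the article or any SIEM vendor, of a correlation rule over login events shipped from several hosts. The events are constructed newline-delimited JSON. On any single host the suspicious source produced exactly one failed login, which no per-host rule would notice; only when events from all hosts are joined on the shared source address does the spray-then-success pattern appear.

```python
"""Added example: a cross-host correlation rule of the kind a SIEM runs.

Not from the original article; the events are constructed. A burst of failed
logins from one source against several hosts, followed by a success anywhere,
is detected only by correlating all hosts' events on the source address.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed events, one JSON object per line, as a collector might ship them.
SAMPLE_EVENTS = """
{"ts": "2019-08-30T09:00:01Z", "host": "web-01", "src_ip": "203.0.113.9", "user": "deploy", "outcome": "failure"}
{"ts": "2019-08-30T09:00:07Z", "host": "web-02", "src_ip": "203.0.113.9", "user": "deploy", "outcome": "failure"}
{"ts": "2019-08-30T09:00:15Z", "host": "db-01", "src_ip": "203.0.113.9", "user": "deploy", "outcome": "failure"}
{"ts": "2019-08-30T09:00:40Z", "host": "bastion", "src_ip": "203.0.113.9", "user": "deploy", "outcome": "success"}
{"ts": "2019-08-30T09:03:00Z", "host": "web-01", "src_ip": "198.51.100.4", "user": "alice", "outcome": "failure"}
{"ts": "2019-08-30T09:03:20Z", "host": "web-01", "src_ip": "198.51.100.4", "user": "alice", "outcome": "success"}
""".strip()


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_distributed_spray(events: List[Dict], min_hosts: int = 3,
                             window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag a source that fails against at least `min_hosts` distinct hosts
    within `window` and then succeeds anywhere. One alert per source."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["outcome"] != "success":
                continue
            recent_failures = [e for e in evs[:i]
                               if e["outcome"] == "failure" and ev["ts"] - e["ts"] <= window]
            hosts = sorted({e["host"] for e in recent_failures})
            if len(hosts) >= min_hosts:
                alerts.append({"src_ip": src, "user": ev["user"],
                               "succeeded_on": ev["host"], "failed_hosts": hosts,
                               "at": ev["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The legitimate user who mistypes a password once and then logs in (198.51.100.4) is not flagged, because the rule keys on breadth across hosts rather than on any single failure; tune `min_hosts` and `window` to the size of your estate.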

So, there you have it: three strategies for preventing catastrophic cloud security issues. These strategies will not fix everything, but they are the best starting points for improving your security posture as you move to the cloud.

About the author: As Sumo Logic's Chief Security Officer, George Gerchow brings over 20 years of information technology and systems management expertise to the application of IT processes and disciplines. His background includes the security, compliance, and cloud computing disciplines.

Why a Business-Focused Approach to Security Assurance Should Be an Ongoing Investment
Thu, 29 Aug 2019 08:14:49 -0500

How secure is your organization’s information? At any given moment, can a security leader look an executive in the eye and tell them how well business processes, projects and supporting assets are protected?

Security assurance should provide relevant stakeholders with a clear, objective picture of the effectiveness of information security controls. However, in a fast-moving, interconnected world where the threat landscape is constantly evolving, many security assurance programs are unable to keep pace. Ineffective programs that do not focus sufficiently on the needs of the business can provide a false level of confidence.  

A Business-Focused Approach

Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. Unfortunately, there is often a significant gap between aspiration and reality.

Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses. 

Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are. It requires a broader view, considering the needs of multiple stakeholders within the organization.

Business-focused security assurance programs can build on current compliance-based approaches by:

  • Identifying the specific needs of different business stakeholders
  • Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
  • Reporting on security in a business context
  • Leveraging skills, expertise and technology from within and outside the organization

A successful business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should energetically engage with each other to make sure that requirements are realistic and expectations are understood by all.

A Change Will Do You Good

The purpose of security assurance is to provide business leaders with an accurate and realistic level of confidence in the protection of ‘target environments’ for which they are responsible. This involves presenting relevant stakeholders with evidence regarding the effectiveness of controls. However, common organizational approaches to security assurance do not always provide an accurate or realistic level of confidence, nor focus on the needs of the business.

Security assurance programs seldom provide reliable assurance in a dynamic technical environment, which is subject to a rapidly changing threat landscape. Business stakeholders often lack confidence in the accuracy of security assurance findings for a variety of reasons.

Common security assurance activities and reporting practices only provide a snapshot view, which can quickly become out of date: new threats emerge or existing ones evolve soon after results are reported. Activities such as security audits and control gap assessments typically evaluate the strengths and weaknesses of controls at a single point in time. While these types of assurance activities can be helpful in identifying trends and patterns, reports provided on a six-monthly or annual basis are unlikely to present an accurate, up-to-date picture of the effectiveness of controls. More regular reporting is required to keep pace with new threats.

Applying a Repeatable Process

Organizations should follow a clearly defined and approved process for performing security assurance in target environments. The process should be repeatable for any target environment, fulfilling specific business-defined requirements.

The security assurance process comprises five steps, which can be adopted or tailored to meet the needs of any organization. During each step of the process a variety of individuals, including representatives from operational and business support functions throughout the organization, might need to be involved.

The extent to which individuals and functions are involved during each step will differ between organizations. A relatively small security assurance function, for example, may need to acquire external expertise or additional specialists from the broader information security or IT functions to conduct specific types of technical testing. However, in every organization:

  • Business stakeholders should influence and approve the objectives and scope of security assurance assessments
  • The security assurance function should analyze results from security assurance assessments to measure performance and report the main findings

Organizations should:

  • Prioritize and select the target environments in which security assurance activities will be performed
  • Apply the security assurance process to selected target environments
  • Consolidate results from assessments of multiple target environments to provide a wider picture of the effectiveness of security controls
  • Make improvements to the security assurance program over time

An Ongoing Investment

In a fast-moving business environment filled with constantly evolving cyber threats, leaders want confidence that their business processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences.

Security assurance activities should demonstrate how effective controls really are – not just determine whether they have been implemented or not. Focusing on what business stakeholders need to know about the specific target environments for which they have responsibility will enable the security assurance function to report in terms that resonate. Delivering assurance that critical business processes and projects are not exposed to financial loss, do not leak sensitive information, are resilient and meet legal, regulatory and compliance requirements, will help to demonstrate the value of security to the business.

In most cases, new approaches to security assurance should be more of an evolution than a revolution. Organizations can build on existing compliance-based approaches rather than replace them, taking small steps to see what works and what doesn’t.

Establishing a business-focused security assurance program is a long-term, ongoing investment.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

If You Don’t Have Visibility, You Don’t Have Security
Tue, 20 Aug 2019 05:01:00 -0500

If you’ve ever watched a thriller or horror movie, you’re probably familiar with the scene where someone is trying to keep a monster or attacker out so they barricade the doors and lock the windows and feel safe for 10 seconds…until someone remembers that the cellar door is unlocked and they discover the threat is already inside. That’s a pretty good metaphor for cybersecurity. IT security professionals scramble to protect and secure everything they’re aware of—but the one thing they’re not aware of is the Achilles heel that can bring everything crumbling down. That is why comprehensive visibility is crucial for effective cybersecurity.

You Can’t Protect What You Can’t See

As illustrated in the example above, you can have the best security possible protecting the attack vectors and assets you’re aware of, but that won’t do you any good if an attacker discovers an attack vector or asset you aren’t aware of and haven’t protected. It may not seem like a fair fight, but an attacker only needs one vulnerability to exploit. The burden is on the IT security team to make sure that everything is secured.

That’s easier said than done in today’s network environments. When you’re trying to keep a monster out of the house, you’re at least only dealing with a static and manageable number of doors and windows. In a dynamic, hybrid cloud, DevOps-driven, software-defined environment running containerized applications, the entire ecosystem can change in the blink of an eye and the number of assets to protect can increase exponentially. Employees have installed unauthorized routers and wireless access points and connected to unsanctioned web-based services that expose the network and sensitive data to unnecessary risk since the dawn of networking, but the advent of IoT (internet-of-things) has created an explosion in the volume of rogue devices.

Organizations need a tool that provides visibility of all IT assets—both known and unknown—including endpoints, cloud platforms, containers, mobile devices, OT and IoT equipment across hybrid and multi-cloud environments. It’s urgent for IT and cybersecurity teams to have comprehensive visibility and the ability to assess their security and compliance posture and respond in real time to address challenges as they arise.

Vulnerability and Patch Management Can’t Replace Visibility

Since the dawn of cybersecurity, vulnerability and patch management have formed the backbone of effective protection. It makes sense. If you can proactively discover vulnerabilities in the hardware and software you use and deploy patches to fix the flaws or take steps to mitigate the risk, you should be able to prevent almost any attack.

Vulnerability and patch management are still important elements of effective cybersecurity, but comprehensive visibility is crucial. Finding and patching vulnerabilities without visibility provides a false sense of security. The assumption is that the environment is secure if all of the discovered vulnerabilities have been patched, but the reality is that only the vulnerabilities of the hardware and software you’re aware of have been patched. If you aren’t confident that you have an accurate, real-time inventory of your hardware and software assets, you’re not really secure.

Continuous Visibility Leads to Better Cybersecurity

Ideally, organizations need to have visibility of all IT assets—both known and unknown—throughout the entire IT infrastructure, spanning local networks and hybrid cloud environments. Imagine how much better your security and compliance posture would be if you actually knew—with confidence—what is on your global hybrid-IT environment at any given moment rather than relying on periodic asset scans that are already obsolete. What would it be like to have a single source of truth that enables you to identify issues and respond in real-time?

Visibility alone is not enough, though. It’s also crucial to have the right tools to do something with the information. Beyond visibility, you also need workflows to seamlessly connect to vulnerability and compliance solutions. For example, IT and cybersecurity teams should be able to add unmanaged devices and begin a scan, or tag unmanaged devices to initiate cloud agent installation to enable more comprehensive compliance checks.
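The "unmanaged device" workflow described above starts with a reconciliation: what the sensors see versus what the inventory says should be there. The following is an added example, not code from the article or from Qualys, that performs that reconciliation over a constructed inventory export and a constructed discovery feed. The MAC address is used as the stable key because IP addresses move; the "scan-and-tag" action attached to unmanaged devices is an assumption about how a tool would hand the result to the next step, not any vendor's API.

```python
"""Added example: reconcile a discovery feed against the asset inventory.

Not from the original article. Both data sets are constructed. Output buckets:
unmanaged (seen but not inventoried), stale (inventoried but not seen) and
moved (known device now on a different IP than the inventory records).
"""
import csv
import io
from typing import Dict, List, Set

# Constructed inventory export (what the CMDB thinks is on the network).
INVENTORY_CSV = """hostname,ip,mac,owner
web-01,10.0.1.10,00:1A:2B:3C:4D:01,platform
db-01,10.0.1.20,00:1a:2b:3c:4d:02,data
legacy-hvac,10.0.9.5,00:1A:2B:3C:4D:99,facilities
"""

# Constructed discovery feed (what sensors actually observed): ip mac vendor.
DISCOVERY_FEED = """
10.0.1.10 00-1a-2b-3c-4d-01 Dell
10.0.1.20 00-1a-2b-3c-4d-02 Dell
10.0.1.77 00-1a-2b-3c-4d-77 TP-Link
10.0.1.78 a4-c3-f0-11-22-33 Espressif
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase hex, colon-separated (00:1a:2b:3c:4d:01).
    Inventory and sensors rarely agree on case or separators."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text: str) -> Dict[str, Dict[str, str]]:
    """Index inventory rows by normalised MAC, the stable identifier."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_mac(r["mac"]): r for r in rows}


def load_discovery(text: str) -> List[Dict[str, str]]:
    devices = []
    for line in text.strip().splitlines():
        ip, mac, vendor = line.split(maxsplit=2)
        devices.append({"ip": ip, "mac": normalize_mac(mac), "vendor": vendor})
    return devices


def reconcile(inventory: Dict[str, Dict[str, str]],
              discovered: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Compare observed devices with the inventory and bucket the differences."""
    seen: Set[str] = set()
    result: Dict[str, List[Dict[str, str]]] = {"unmanaged": [], "stale": [], "moved": []}
    for dev in discovered:
        seen.add(dev["mac"])
        known = inventory.get(dev["mac"])
        if known is None:
            # Assumed follow-up action for such a tool: queue a scan and tag it.
            result["unmanaged"].append({**dev, "action": "scan-and-tag"})
        elif known["ip"] != dev["ip"]:
            result["moved"].append({**dev, "inventory_ip": known["ip"]})
    for mac, row in inventory.items():
        if mac not in seen:
            result["stale"].append(row)
    return result


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), load_discovery(DISCOVERY_FEED))
    for bucket, items in report.items():
        print(bucket, len(items), [i.get("ip") for i in items])
```

The two devices that are on the wire but absent from the inventory are exactly the ones a vulnerability program would never have scanned; the stale HVAC entry is the opposite failure, an asset the inventory claims that no sensor can currently see.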

Thankfully, the same platforms and technologies that make network visibility more complex and challenging also provide the power, scalability, and accessibility to deliver comprehensive, continuous visibility and tools and platforms that make it easier to run compliance and vulnerability programs. With the appropriate sensors placed strategically throughout the network and on devices, you can actively and continuously collect the necessary data.

The data can be stored in the cloud where the relevant IT, security and compliance information can be analyzed, categorized, enriched, and correlated. Because the data is stored and analyzed in the cloud, it has the flexibility and scalability to address spikes in assets resulting from high demand on containerized applications. It also simplifies and streamlines the ability to search for any asset and quickly determine its security posture.

With the right platform and tools, organizations have access to clean, reliable data—providing continuous visibility and relevant context to enable effective business decisions. It is also crucial for IT and cybersecurity teams to be able to quickly and easily find what they need. The information has to be available and accessible in seconds rather than minutes or hours or days so threats and issues can be addressed with urgency.

Knowledge Is Power

You can’t protect what you can’t see…or what you don’t know about. Don’t be the guy who thinks he is safe in the house while the monster crawls through an unlocked window at the back of the house. Effective cybersecurity is about knowing—with confidence and accuracy—what devices and assets are connected to your network and having the information and tools necessary to respond to threats in real-time.

Without comprehensive visibility, there will always be the chance that your false sense of security could be shattered at any time as attackers discover the vulnerable assets you aren’t aware of and exploit them to gain access to your network and data. Start with visibility. It is the foundation of effective cybersecurity, and it is absolutely essential.

About the author: Shiva Mandalam is Vice President, Asset Management & Secure Access Controls at Qualys.

Ransomware: Why Hackers Have Taken Aim at City Governments
Mon, 19 Aug 2019 07:09:19 -0500

When the news media reports on data breaches and other forms of cybercrime, the center of the story is usually a major software company, financial institution, or retailer. But in reality, these types of attacks are merely part of the damage that global hackers cause on a daily basis.

Town and city governments are becoming a more common target for online criminals. For example, a small city in Florida, Riviera Beach, had their office computers hacked and ended up paying $600,000 to try to reverse the damage. Hackers saw this as a successful breach and are now inspired to look at more public institutions that could be vulnerable.

Why are cities and towns so susceptible to hacking, how are these attacks carried out, and what steps should administrators take to protect citizen data?

How Hackers Choose Targets

While some cybercriminals seek out exploits for the sole purpose of causing destruction or frustration, the majority of hackers are looking to make money. Their aim is to locate organizations with poor security practices so that they can infiltrate their networks and online systems. Sometimes hackers will actually hide inside of a local network or database for an extended period of time without the organization realizing it.

Hackers usually cash in through one of two ways. The first way is to try to steal data, like email addresses, passwords, and credit card numbers, from an internal system and then sell that information on the dark web. The alternative is a ransomware attack, in which the hacker holds computer systems hostage and unusable until the organization pays for them to be released.

City and town governments are becoming a common target for hackers because they often rely on outdated legacy software or else have built tools internally that may not be fully secure. These organizations rarely have a dedicated cybersecurity team or extensive testing procedures.

The Basics of Ransomware

Ransomware attacks, like the one which struck the city government of Riviera Beach, can begin with one simple click of a dangerous link. Hackers will often launch targeted phishing scams at an organization's members via emails that are designed to look legitimate.

When a link within one of these emails is clicked, the hacker will attempt to hijack the user's local system. If successful, their next move will be to seek out other nodes on the network. Then they will deploy malware that locks internal users out of the systems.

At this point, the town or city employees will usually see a message posted on their screen demanding a ransom payment. Most ransomware encrypts the individual files on the system so that users have no way of opening or copying them.

Ways to Defend Yourself

Cybersecurity threats should be taken seriously by all members of an organization. The first step to stopping hackers is promoting awareness of potential attacks. This can be done through regular training sessions. Additionally, an organization’s IT department should evaluate the following areas immediately.

  • Security Tools: City governments should have a well-reviewed, full-featured, and up-to-date anti-malware tool running on every endpoint to flag potential threats. At the organization level, firewall policies should be put in place to filter incoming traffic and allow only the connections that are actually required.
  • Web Hosting: With the eternal pressure to stick to a budget, cities often choose a web host based on the lowest price, which can lead to a disaster that far exceeds any cost savings. In a recent comparison of low-cost web hosts, community-supported research group Hosting Canada tracked providers using Pingdom and found that the ostensibly “free” and discount hosts had an average uptime of only 96.54%. For reference, 99.9% is considered by the industry to be the bare minimum. Excessive downtime is often a sign of older hardware and outdated software that is more easily compromised.
  • Virtual Private Network (VPN): This one should be mandatory for any employee who works remotely or needs to connect to public wi-fi networks. A VPN encrypts all data in a secure tunnel as it leaves your device and heads to the open internet, so an attacker on the same network who intercepts your traffic cannot read its contents. However, a VPN does nothing to stop ransomware or other malware: it protects data in transit and hides your real IP address from the sites you visit, but a malicious link or attachment runs just the same.

Looking Ahead

Local governments need to maintain a robust risk management approach while preparing for potential attacks from hackers. Most security experts agree that Riviera Beach made the wrong call by paying the ransom, because there is no guarantee that payment will result in the unlocking of all systems and data.

During a ransomware attack, an organization needs to act swiftly. When the first piece of malware is detected, the infected machine should be isolated from the network immediately to limit the spread. Disconnecting the network cable or disabling the switch port is preferable to powering the machine off: a shutdown destroys the volatile memory that forensic investigators may need to understand the attack. Any affected machine should then be rebuilt from a known-good image and its data restored from a backup taken before the attack began, which presumes that backups are kept offline or otherwise out of the ransomware's reach.

Preparing for different forms of cyberattack is a critical activity within a disaster recovery plan. Every organization should have their plan defined with various team members assigned to roles and responsibilities. Cities and towns should also consider investing in penetration testing from outside groups and also explore the increasingly popular zero-trust security strategy as a way to harden the network. During a penetration test, experts explore potential gaps in your security approach and report the issues to you directly, allowing you to fix problems before hackers exploit them.

Final Thoughts

With ransomware attacks, a hacker looks to infiltrate an organization's network and hold their hardware and data files hostage until they receive a large payment. City and town government offices are becoming a common target for these instances of cybercrime due to their immature security systems and reliance on legacy software.

The only way to stop the trend of ransomware is for municipal organizations to build a reputation of having strong security defenses. This starts at the employee level, with people being trained to look for danger online and learning how to keep their own hardware and software safe.

About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.

5 Limitations of Network-Centric Security in the Cloud
Mon, 19 Aug 2019 06:55:48 -0500

Traditional security solutions were designed to identify threats at the perimeter of the enterprise, which was primarily defined by the network. Whether called firewall, intrusion detection system, or intrusion prevention system, these tools delivered “network-centric” solutions. However, much like a sentry guarding the castle, they generally emphasized identification and were not meant to investigate activity that might have gotten past their surveillance.

Modern threats targeting public clouds (PaaS or IaaS platforms) require a different level of insight and action. Executables come and go in an instant, network addresses and ports are recycled seemingly at random, and even the fundamental way traffic flows has changed compared to the traditional data center. To operate successfully in modern IT infrastructures, we must reset how we think about security in the cloud.

Surprisingly, many organizations continue to use network-based security and rely on available network traffic data as their security approach. It’s important for decision makers to understand the limitations inherent in this kind of approach so they don’t operate on a false sense of security.

To help security professionals understand the new world of security in the cloud, below are five specific use cases where network-centric security is inadequate to handle the challenges of security in modern cloud environments:

1. Network-based detection tends to garner false positives

Nothing has confounded network security as much as the demise of static IP addresses and endpoints in the cloud. Endpoints used to be physical; now they are virtual and exist as containers. In the cloud, everything is dynamic and transient; nothing is persistent. IP addresses and port numbers are recycled rapidly and continuously, making it impossible to identify and track over time which application generated a connection just by looking at network logs. Attempting to detect risks and threats from network activity alone creates too many irrelevant alerts and false positives.

2. Network data doesn’t associate cloud sessions to actual users

The common DevOps practice of using service and root accounts has been a double-edged sword. On one hand, it removes administrative roadblocks for developers and further accelerates the pace of software delivery in cloud environments. On the other hand, it makes it easier to launch attacks from these “privileged” accounts and gives attackers another place to hide. By co-opting a user or service account, cybercriminals can evade identity-aware network defenses. Even correlating traffic with Active Directory can fail to reveal the true user. Getting to the true user of an application requires correlating and stitching SSH sessions back to the person who opened them, which is simply not possible with network-only information.
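What "stitching SSH sessions" looks like in practice is shown by the added example below, which is not code from the article or from Lacework. It reads a constructed auth.log excerpt and attributes each privileged sudo command to the SSH session of the same login name, carrying along the source address and the owner of the public key that sshd recorded at login. The key-fingerprint register is an assumption about the environment: a shared account such as deploy can be tied to a person only if each person holds a distinct key, which is exactly the host-level information a network flow record never contains.

```python
"""Added example: stitch privileged commands back to the SSH session, source
address and key that produced them.

Not from the original article. The log lines and the fingerprint register are
constructed. A network log shows only a TCP connection to port 22; the host log
shows which login, from where, holding which key, ran what as root.
"""
import re
from typing import Dict, List, Optional

# Constructed register: which person holds which SSH key (fingerprint -> owner).
KEY_OWNERS = {
    "SHA256:k1AliceExampleFingerprint": "alice",
    "SHA256:k2DeployKeyHeldByBob": "bob (holds the shared deploy key)",
}

# Constructed auth.log excerpt from one host.
AUTH_LOG = """
Aug 19 06:01:12 app-01 sshd[2140]: Accepted publickey for alice from 10.0.5.23 port 51022 ssh2: RSA SHA256:k1AliceExampleFingerprint
Aug 19 06:01:30 app-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Aug 19 06:05:00 app-01 sshd[2140]: pam_unix(sshd:session): session closed for user alice
Aug 19 06:10:00 app-01 sshd[2300]: Accepted publickey for deploy from 10.0.7.8 port 40011 ssh2: ED25519 SHA256:k2DeployKeyHeldByBob
Aug 19 06:10:20 app-01 sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/cat /etc/shadow
""".strip()

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?")
CLOSED_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ sshd\[(?P<pid>\d+)\]: .*session closed for user (?P<user>\S+)")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo: +(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r".*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def stitch_sessions(log_text: str, key_owners: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Attribute each sudo command to the open SSH session of the same login
    name, carrying its source IP and the key owner along with it."""
    open_sessions: Dict[str, Dict[str, Optional[str]]] = {}  # login user -> session facts
    attributed: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            # New session: remember where it came from and which key opened it.
            open_sessions[m["user"]] = {
                "src_ip": m["ip"], "sshd_pid": m["pid"], "method": m["method"],
                "key_owner": key_owners.get(m["fp"] or "", "unknown key"),
            }
            continue
        m = CLOSED_RE.match(line)
        if m:
            open_sessions.pop(m["user"], None)
            continue
        m = SUDO_RE.match(line)
        if m:
            session = open_sessions.get(m["user"], {})
            attributed.append({
                "ts": m["ts"], "host": m["host"], "login": m["user"],
                "runas": m["runas"], "command": m["cmd"].strip(),
                "src_ip": session.get("src_ip"), "key_owner": session.get("key_owner"),
            })
    return attributed


if __name__ == "__main__":
    for record in stitch_sessions(AUTH_LOG, KEY_OWNERS):
        print(record)
```

The second record is the interesting one: the network sees a connection from 10.0.7.8 to app-01, but the stitched view says the shared deploy account, opened with the key issued to bob, read /etc/shadow as root. In a real deployment the same join is done against a central log store rather than a single file, and the sessions of one login are kept separate by sshd PID when several are open at once.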

3. The network attack surface is no longer the only target for cyber attacks

Illicit activities have moved beyond the network attack surface in the cloud. Here are four common attack scenarios that involve configuration and workloads (VMs or containers) in public clouds, but will not appear in network logs:

  • User privilege changes: most cyber attacks involve a change of privilege at some point in order to succeed.
  • The launch of a new application or a change to a launch package.
  • Changes in application launch sequences.
  • Changes made to configuration files.

4. When it comes to container traffic, network-based security is blind

Network logs capture network activities from one endpoint (physical or virtual server, VM, user, or generically an “instance”) to another along with many attributes of the communication. Network logs have no visibility inside an instance. In a typical modern micro-services architecture, multiple containers will run inside the same instance and their communication will not show up on any network logs. The same applies to all traffic within a workload. Containerized clouds are where cryptocurrency mining attacks often start, and network-based security has no ability to detect the intrusion.

5. Harmful activity at the storage layer is not detected

In cloud environments, the separation of compute and storage resources into two layers creates new direct paths to the data. If the storage layer is not configured properly, hackers can target APIs and conduct successful attacks without being detected by network-based security. On AWS specifically, S3 bucket misconfigurations are common and have left large volumes of data exposed. Data leaks due to open buckets will not appear in network logs unless you have more granular information that can detect that abnormal activity is taking place.

Focusing exclusively on network connections is not enough to secure cloud environments. Servers and endpoints don’t yield any better results as they come and go too fast for an endpoint-only strategy to succeed. So, what can you do? Take a different approach altogether. Collect data at the VM and container level, organize that data into logical units that give security insights, and then analyze the situation in real-time. In other words, go deep vertically when collecting data from workloads, but analyze the information horizontally across your entire cloud. This is how you can focus on the application’s behaviors and not on network 5-tuples or single machines.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

1 Million South Korean Credit Card Records Found Online
Thu, 08 Aug 2019 04:54:19 -0500

Over 1 million South Korea-issued Card Present records have been posted for sale on the dark web since the end of May, Gemini Advisory says.

The security firm could not pinpoint the exact compromised point of purchase (CPP), but believes the records may have been obtained either from a breached company operating several different businesses or from a compromised point-of-sale (POS) integrator. 

Amid an increase in attacks targeting brick-and-mortar and e-commerce businesses in the Asia Pacific (APAC) region, South Korea emerges as the largest victim of Card Present (CP) data theft by a wide margin, Gemini Advisory says.

Although EMV chips have been used in the country since 2015 and compliance is mandatory since July 2018, CP fraud still frequently occurs, especially due to poor merchant implementation. 

In May 2019, Gemini Advisory found 42,000 compromised South Korea-issued CP records posted for sale on the dark web, with a 448% spike in June, when 230,000 records were observed. In July, there were 890,000 records posted, marking a 2,019% increase from May. 

Overall, more than 1 million compromised South Korea-issued CP records have been posted for sale on the dark web since May 29, 2019. 

The security firm also identified 3.7% US-issued cards, with a credit union that primarily serves the US Air Force emerging as one of the most impacted US financial institutions (the Air Force maintains multiple air bases in South Korea). 

“Through an in-depth analysis of the compromised cards, analysts determined that many of them belong to US cardholders visiting South Korea. Since South Korea has received just over 1 million US travelers in the past 12 months, this should account for the high level of US payment records,” Gemini Advisory says. 

The median price per record is $40, significantly higher than the $24 median price of South Korean CP records across the dark web overall, the security firm notes. While 2018 saw a relatively large supply of such records but low demand, 2019 has seen lower supply but growing demand.

“The demand continued to increase while the supply remained stagnant until the recent spike in South Korean records from June until the present. This sudden influx in card supply may be highly priced in an attempt to capitalize on the growing demand,” Gemini Advisory notes. 

The security firm says attempts to explore potential CPPs were not fruitful, as there were too many possible businesses affected by this breach. The most likely scenarios suggest that either a large business was compromised, or that a POS integrator was breached, impacting multiple merchants.

“South Korea’s high CP fraud rates indicate a weakness in the country’s payment security that fraudsters are motivated to exploit. As this global trend towards increasingly targeting non-Western countries continues, Gemini Advisory assesses with a moderate degree of confidence that both the supply and demand for South Korean-issued CP records in the dark web will likely increase,” the security firm concludes.

Top Three Cross-Site Scripting Attacks You Need to Know Now Wed, 31 Jul 2019 03:35:00 -0500 Cross-Site Scripting, or XSS, is, and will remain, a major pain for anyone trying to create a secure web application for their end-users.

Cross-Site Scripting attacks occur when an attacker can squeeze nasty code into your web application through any input field or functionality where a user's input is reflected in the source code of your application.

The primary issue almost always comes down to sanitizing user input. In other words, it is essential to check the data going into the web application, and also where it shows up, and how it is handled, in the output from the site. Easier said than done!

A basic concept

Let’s say you post a comment online like "Hello World" (a cliché example). The web application will then show the text for everyone to see. If this web application was vulnerable to a cross-site scripting attack, then we could inject code into the application!

If an attacker can inject code similar to this on your site, they can do all kinds of malicious activity!

There are a few types of Cross-Site Scripting, and we will have a look at the most common three.

Types Of Cross Site Scripting

  • Reflected:

Reflected injections are inserted in a URL link that an attacker wants a victim to click!

First of all, reflected Cross-Site Scripting occurs when the data is passed in a parameter in the URL:

https://www.*notreal?ThisIsAParameter=IamTheValue*

The injection would be passed in the value of this link, and if an attacker loaded it with malicious script and victims began clicking it, they could carry out various attacks, such as stealing cookies to take over accounts or planting a JavaScript keylogger on the site.

Reflected attacks only work when the URL is sent to someone – although if we were lucky in testing we’d find the next kind of XSS…

  • Stored:

These injections are stored on the server, like a Facebook or Twitter post: it’s there for the long haul! This is as bad as it can get.

So once we find an XSS hole that lets us store our injections on the server, things get a little more interesting.

The attack surface of the exploit greatly increases. We no longer need the victim to click the link from the previous example. Instead, just by visiting the page where the injection is stored, it will fire.

As before we could steal cookies etc. but also start altering the entire web page layout for good.

  • DOM:

Lastly is DOM-based XSS. This injection is a tricky one: it can be hard to find, hard to exploit and, even for me, hard to explain. Here we are feeding data into already existing JavaScript to create an exploit. A short snippet from the OWASP guide states:

“DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an ‘unexpected’ manner.”
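As an added example of the DOM-based case (this is not code from the original article), here is a fragment-reading greeting in its vulnerable form beside the fixed one, plus a simple source-to-sink check a reviewer can run over client-side code. The function names and the source/sink lists are constructed for illustration.

```javascript
// Added example, not from the original article: the DOM-based case.
// Nothing here goes through the server; the page's own script reads the
// URL fragment (a DOM "source") and writes it into the document (a DOM
// "sink"), which is why server-side input filters never see the payload.
// `el` is a DOM element; in tests it can be a plain object with innerHTML
// and textContent properties, since only those two are touched.

// Vulnerable: the fragment is written through an HTML sink, so any markup
// in the fragment is parsed and an event handler it carries will fire.
function greetFromHashVulnerable(hash, el) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  el.innerHTML = 'Welcome back, ' + name;   // HTML sink: value is parsed
  return el.innerHTML;
}

// Fixed: same source, same data, but a text sink. The value is shown
// verbatim and is never interpreted as HTML.
function greetFromHashSafe(hash, el) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  el.textContent = 'Welcome back, ' + name;  // text sink: no parsing
  return el.textContent;
}

// Review aid: flag lines where a DOM source and an HTML/JS sink appear
// together. A line-based check is a starting point for manual review,
// not proof that a page is free of DOM XSS. Lists are constructed here.
const DOM_SOURCES = ['location.hash', 'location.search',
                     'document.referrer', 'window.name'];
const HTML_SINKS = ['innerHTML', 'outerHTML', 'document.write',
                    'insertAdjacentHTML', 'eval('];

function findDomXssCandidates(jsSource) {
  return jsSource.split('\n').flatMap((line, i) => {
    const source = DOM_SOURCES.find(s => line.includes(s));
    const sink = HTML_SINKS.find(s => line.includes(s));
    return source && sink ? [{ line: i + 1, source, sink }] : [];
  });
}
```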

So we have given some basics on the types of XSS…

As an attacker we need to know the landing spaces of the data; then we can start to craft attacks and bypass filters!

Landing spaces for Cross–Site Scripting

There are four landing spaces for XSS

  1. White space / text space
  2. Attribute space
  3. URI (Uniform Resource Identifier)
  4. Script space

- White space / Text space

This is when the user input lands in clear space.

If your injection lands here in the source this would be White space

Therefore, White space injections need to open tags ‘<>’ to create HTML and apply events or to directly open script tags for an exploit.

- Attribute space

If your input lands inside an event attribute then we can craft a different style of injection but achieve the same results!

The ‘on’ attributes, like onerror, onload, onmouseover etc., can contain JavaScript and as such provide room for an attack. We have cleverly closed out the value attribute with our double quote. This allows us to create a new event handler, onclick, and give it some script to run. Even more so, we can create these attribute space exploits in the previous example.

NOTE: The asterisks above will break our injection; they are there to outline the specific landing spot!


More acronyms: URL, Uniform Resource Locator. A URL is a basic web address.

Landing in a URI spot is common enough and also gives a variety of injections to work with.

  <a *href=javascript:alert()>Click Me!*</a>

Here we have set the HREF attribute to some basic JavaScript to show your cookies for the current web page. If our supplied data lands at the beginning of the HREF= value, then a world of possibilities opens up. The ability to execute JavaScript as above is a great place to start in exploiting XSS.

Additional and more complex injections in this landing space become available to us, like the following:

  <*a href=data:html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==*>

This example is using the data URI and then specifying the media type ‘html’ and then the encoding ‘base64’ followed by the encoded JavaScript. This is a small glimpse into how we can create complex injections to bypass filters.

- Script Space

Script space injections are my personal favourite. When our data lands inside script tags, our main objective is to add additional JavaScript without breaking the syntax of the code around us. Sometimes this is extremely straightforward; other times it can be hours of restructuring code to flow with the script around us. These injections can end up as a plethora of quotes, parentheses, braces and functions.

In the previous landing spaces above, we addressed the concept that we can close out HTML tags and create our new code on the fly. Script space injections are no different. Additionally, this is the only instance where we do not need to worry about the previous syntax of the landing space, as we do not care whether the surrounding code runs or fails. However, landing in script space and being able to close out the code with a simple tag is not so common. Therefore we need to start assessing which special characters we can work into the landing space: () `` {} ; //[]. The more special characters we can get in, the more we have to work with, and in turn the greater the chance of a working exploit!
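From the defender's side, the four landing spaces above each need their own output encoding, and an encoder that is right for one space is wrong for another. The following is an added example (not code from the original article) of context-aware encoding for text, attribute, URI and script space; the function names, the comment template and the sample inputs are constructed for illustration.

```javascript
// Added example, not from the original article: one encoder per XSS
// landing space. The encoder is chosen by WHERE the untrusted value lands
// in the output, which is the "where it shows" half of the sanitising
// problem the article describes.

// 1. Text (white) space: the characters that open tags or entities are
//    turned into entities, so "<script>" is rendered as inert text.
function encodeForText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// 2. Attribute space: everything outside [A-Za-z0-9] becomes a numeric
//    entity, so a stray double quote cannot close the value and append an
//    on* event handler. The caller must still put quotes around the value.
function encodeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// 3. URI space: encoding alone does not help when the value IS the href,
//    because javascript: and data: are syntactically valid URLs. Allow-list
//    the scheme first; relative paths (no scheme, not protocol-relative)
//    are accepted.
function isSafeHref(url) {
  const u = String(url).trim().toLowerCase();
  if (/^https?:\/\//.test(u)) return true;
  return !u.includes(':') && !u.startsWith('//');
}

// Query-string values, by contrast, only need percent-encoding.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// 4. Script space: never splice data into JS source. Serialise it as a
//    JSON string literal, then escape < and > (so "</script>" cannot end
//    the block) and U+2028/2029 (line terminators that are legal in JSON
//    but break a JS string literal in older engines).
function encodeForScriptString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Rendering a stored comment (the article's "Hello World" case) with the
// untrusted values placed in all four spaces, each through its own encoder.
// Template and field names are constructed for this example.
function renderComment(author, text, profileUrl) {
  const href = isSafeHref(profileUrl) ? encodeForAttribute(profileUrl) : '#';
  return [
    '<div class="comment" data-author="' + encodeForAttribute(author) + '">',
    '  <p>' + encodeForText(text) + '</p>',
    '  <a href="' + href + '">profile</a>',
    '  <a href="/search?q=' + encodeForUrlParam(author) + '">more by author</a>',
    '  <script>var commentAuthor = ' + encodeForScriptString(author) + ';</script>',
    '</div>'
  ].join('\n');
}
```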

This has been a brief overview of XSS. Soon I will address other concepts in this field, such as the encoding types (URL, HTML, Base64 etc.) used for special characters, and also the various browsers and how each handles or interprets injections differently to increase our attack surface.

About the author: Jonny Rice works as a vulnerability web application specialist for leading application security provider WhiteHat Security.

Arkose Labs Launches Private Bug Bounty Program Mon, 29 Jul 2019 13:04:18 -0500 Fraud prevention technology provider Arkose Labs announced the launch of a private bug bounty program on crowdsourced security platform Bugcrowd.

Based in San Francisco, Calif., the company leverages global telemetry with a proprietary challenge–response mechanism to help organizations prevent fraud in sectors such as online marketplaces, travel, banking, social media, ticketing and online gaming. 

A public bug bounty program that Arkose Labs launched on Bugcrowd last year has improved development process with the inclusion of crowdsourced cybersecurity testing as an additional validation step, the company says.

With the new private program, the company wants to tap into the skill sets of Bugcrowd’s Elite Crowd and tailor testing to help eliminate account takeover attacks, fake user registrations, and other types of fraud and application abuse.

The new program will also allow the company to have a more direct communication with a smaller group of testers and gain more control over testing, while continuing to benefit from the crowdsourced model.

“As a security company in the fraud prevention space with an end-user facing product, we are lucrative targets for a wide range of attackers using innovative methods, such as Single Request Attacks. Compromising our proprietary challenge—response mechanism, Enforcement, requires a very specific skill set and partnering with Bugcrowd ensures we have a more informed path forward to stay ahead of attackers,” said Anna Westelius, senior director of engineering at Arkose Labs.

Eight Steps to Migrate Your SIEM Mon, 22 Jul 2019 07:12:19 -0500 In a large enterprise, the ingestion of security logs, IT system logs and other data sources can easily reach a range of hundreds of thousands to millions of events each day and lead to storing terabytes of logs daily. It’s impossible for humans to manually keep up with this deluge of data, so they turn to security information and event management (SIEM) tools to do the work more efficiently.

With the relentless wave of cyberattacks and data breaches, however, the performance of legacy SIEMs is under scrutiny due to their inability to scale to detect the huge number of threats facing organizations today, and their limitations when it comes to helping security teams investigate and respond to incidents efficiently. In response to this, many enterprises are re-evaluating their SIEM and migrating to new technology. While this is exciting, migrating a SIEM is no trivial task.

Why migrate from a legacy SIEM?

The surge in cyberattacks, shortage of qualified security analysts, sheer volume of events and number of devices pumping data into the enterprise SIEM are posing several operational issues. For example, security operations center (SOC) teams universally complain about time wasted by chasing false positive alerts. The culprit for issues like this is that legacy technology in many SIEMs is completing its second full decade since it was introduced to the market. Four legacy characteristics include:

Excessive logging costs – Charging for SIEM usage based on the amount of data ingested and processed is a characteristic of legacy SIEMs, but it never really made sense, given that SOC teams benefit from having as much information as possible about their environment to detect and investigate incidents. This licensing model penalizes SOC teams for collecting more data, limits threat detection capabilities and creates blind spots during incident investigations.

Inability to catch unknown threats – The legacy SIEM model was typically based on correlation rules, which require analysts to know what they are looking for. But as the variety of threats has risen, a reliance on rules has left legacy SIEMs unable to detect unknown and advanced threats such as malicious insiders.

Untraceable distributed attacks – When tracking is substandard, SOC analysts get an incomplete picture of users’ activities. A common scenario is lateral movement, where an attacker first breaches a network and then moves around inside an organization, across credentials, devices or login locations. Consequently, the team misses threats and is unable to determine the full scope of attacks.

Manual investigation and remediation – When legacy SIEM technology has limited automation, the organization is faced with increased risk and longer exposure to threats. For example, every investigation requires construction of a timeline to evaluate events and understand their implications for security. For legacy SIEMs, those steps are usually manual and time consuming.

Solving these legacy issues is a strong motivation for SIEM migration. Before initiating the process of migration, it’s useful for stakeholders to get a big-picture sense of what these steps entail. A few days of planning upfront can save the team weeks of time and help avoid mis-steps later in the process.

Process Flow for SIEM Migration

1. Determine SIEM Priorities - It will typically take 2-4 weeks to identify all of the stakeholders and get a consensus on your top business issues and priorities. When deciding on these priorities, the SIEM migration team must consider the organization’s risk management framework in determining priorities for the SIEM, including compliance with relevant industry guidelines, regulations and statutes.

2. Select Use Cases - Selection of use cases for the SIEM migration should answer the question: what problems are we trying to solve with the new SIEM?

Examples of typical use cases include protecting against insider threats, identifying compromised credentials, prioritizing security alerts, and more. It’s common for a legacy SIEM to have 50 or even hundreds of use cases. Replicating all legacy use cases may be unnecessary, as new technology can eliminate the need to manually manage some scenarios. For example, a new SIEM can reduce the need to create and maintain correlation rules with out-of-the-box detection models.

3. Scope Data Collection Sources - The ultimate purpose of a SIEM is to allow analysts to quickly detect and remediate security threats. Having a SIEM that integrates data logs from a broad array of IT and security products is essential for effective remediation. Data sources need to map to the use cases identified in the previous step.

4. Configure Log Sources – Configuration of log sources is a non-trivial process for teams to take on themselves. Investigate the provider’s ability to help with standardizing and parsing data sources if assistance is needed.

5. Prepare SIEM Content - Train SOC analysts in the approach of the new SIEM if you are moving from exclusive reliance on rules triggering alerts to models built using behavioral analytics based on machine learning. In most cases, behavioral analytics speeds detection, provides more accurate results, and enables rapid, precise response to critical incidents.

6. Define Operational Processes - Getting good results from the new SIEM will require SOC analysts to adjust their daily operating processes. Analysts will especially want to know if they have to learn a new query language. A modern SIEM often has a point-and-click interface, which alleviates the need for command line controls.

7. Establish Benchmark Criteria - Establishing benchmark criteria for the new SIEM will help your organization measure and evaluate its performance. Benchmarks should employ criteria from the management framework or frameworks currently used by your organization. This could be ISO for compliance, PCI DSS for payment security, and operational benchmarks such as search times, mean time to detection, mean time to response, number of alerts closed, and so forth. It’s important to choose metrics carefully in order to accurately gauge success. For example, a modern SIEM’s analytics will often dramatically reduce the number of alerts to be investigated compared to a legacy SIEM.

8. Evaluate Next Steps - The last stage of SIEM migration is evaluating next steps like developing new use cases as business priorities change.


By making the decision to migrate a legacy SIEM, organizations will launch a journey touching many parts of the enterprise. The migration will entail changes to a wide array of people, process and technology.

Process is an integral part of the eight considerations, and implementation will directly affect daily roles of some stakeholders. It’s important for organizations to approach migration with a positive outlook about the new benefits that will appear as a result of this process.

By approaching security with a new SIEM, your enterprise will enable better security and compliance. As the technical enabler, the new SIEM will also help stakeholders be more productive and fruitfully engaged in this vital mission.

About the author: Trevor Daughney is Vice President of Product Marketing at Exabeam. Trevor is a marketing executive with a track record of building high performing teams to take enterprise cybersecurity SaaS and software technology and turn them into successful global businesses.

What Call Center Fraud Can Teach Us about Insider Threats Mon, 22 Jul 2019 07:08:29 -0500 Call centers are often the weakest link in otherwise robust corporate security networks, because of the human dimension. They are staffed by people who make mistakes and are prey to scams and blackmail. Call centers are also vulnerable to malicious employees with an ax to grind or those willing to commit fraud for monetary gain.  

According to the Pindrop 2017 Call Center Report, voice fraud rates have climbed by more than 350% since 2013 across several industries, including banking.  

Most Identity Data is Stolen  

Consider this fictional example of call center fraud. A caller contacts a U.S. bank and informs the customer service representative (CSR) that he/she wants to do an electronic funds transfer to pay their child’s college tuition bill for a school in France. 

The caller says he/she needs to send the money urgently, explaining they tried unsuccessfully a number of times to perform the transaction online, and need help. The CSR asks the caller a battery of security questions to authenticate their identity. Without missing a beat, the caller provides the correct account number, physical address, the last four digits of the social security number on file, etc.  

Eager to help ‘the long-time customer,’ the CSR approves the funds transfer and schedules the transaction for the next business day. Since the caller provided all the correct answers, the CSR has no way of knowing he/she was a fraudster.  

Since personally identifiable information (PII) has and continues to be stolen in an endless stream of data breaches, most of the details required to carry these type of attacks are available for purchase on the dark web. However, the fraudster could also be working with a malicious insider who has provided the necessary PII required to compromise the target account.  

Three Ways to Reduce Call Center Fraud

Use the Cloud  

Instead of relying on call center employees to handle sensitive personal information, some organizations employ a secure, cloud platform to process payments. Employees can see that transactions are taking place but they have no visibility into sensitive customer data and card numbers.  

Enhanced Authentication  

Increasingly, companies are abandoning crude forms of authentication like passwords, which are too easily breached, copied or shared. Instead, they are supplementing knowledge-based questions with advanced authentication methods such as biometrics and one-time passwords. Some banks and credit card companies use one-time passwords to verify the identity of an account holder before a CSR can perform any requested transactions.  

Fraud Behavior Analytics  

To automate fraud detection, an increasing number of organizations are turning to behavior-based security and fraud analytics. These analytics engines ingest and process enormous amounts of data from disparate systems — and then use machine learning models to pinpoint anomalous activity.  

In the call center fraud scenario described above, data from the ticketing system would show that the account password was changed a few days earlier. Meanwhile, data from the core banking solution would identify that the destination foreign account for the funds was recently created. In addition, phone system records would show that the time of day of the (fraud) call is inconsistent with previous calls associated with the account. And finally, data from public records would show that the real account holder is childless.  

By correlating data from different information “silos”, behavior-based fraud analytics could predict the risk and prevent the funds transfer.  

Detecting and preventing call center fraud embodies many of the same challenges associated with fighting insider threats, since the attacker in both cases is authenticated to perform sensitive transactions. As a result, the advanced security measures described above, especially enhanced authentication and security analytics, can be used to predict and prevent fraud and data exfiltration by both insiders and outsiders.

About the author: Saryu Nayyar is CEO of Gurucul, a provider of behavior based security and fraud analytics technology. She is a recognized expert in information security, identity and risk management, and author.

Best Practices for Remote Workers’ Endpoint Security Mon, 22 Jul 2019 07:04:16 -0500 Remote workers often use corporate devices and computers when working at home or from a local office. When travelling, they might use personal mobile phones or computers to carry out their official tasks. Regardless of the endpoint used to access corporate data, one of an IT admin’s most important jobs is to secure that data while it’s stored on and accessed by corporate and personal endpoints. Below, we’ll look at best practices for getting that job done as well as one company embracing them.

Encrypt devices - When users travel, your organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access particularly if a device was lost or stolen.

Practice the principle of least privilege - Only grant necessary and sufficient permissions that users need to carry out their activities, for a limited time. Restricting users to the minimum rights required by their tasks will greatly reduce the attack surface of the remote workforce.

Make access conditional – Before remote workers connect to the corporate network, ensure their endpoints comply with your security policies such as running up-to-date patches and security products. This applies to both corporate and personal devices.

Sandbox work applications - Sandbox your enterprise applications so that corporate data can't be accessed by other, possibly malicious, apps installed on users’ personal devices. Sandboxing will stop corporate data from leaking.

Secure remote connection - Any corporate resource on the corporate network should be accessed through a VPN secure connection.

Use two factor authentication - When end users want to connect to the network, they must enter their password as well as a one-time password sent to a personal mobile device.

Create awareness among remote workers - Implementing ever more security policies will decrease users’ privacy. As an alternative, educate remote workers about the use of strong passwords, the basics of social engineering attacks, and your company’s security policies overall.

Relieve remote workers of security tasks - Enterprises should manage the endpoints and keep them secure both when they're on the network and away from it. Expecting end users to connect to the VPN and apply patches or security policies on their own is unrealistic. Similarly, endpoint management and security tasks should be adequately automated to ensure your IT team is not overwhelmed by the work.

Patch your endpoints - Keep your operating systems and applications up to date to stop the exploitation of known vulnerabilities. Patching should happen whether endpoints are connected to the network or not.

It is easy for an employee to delay or decline updating a patch, as they likely don’t fully comprehend the potential ramifications from these simple actions. This is part of the reason that 8x8, a provider of cloud communication and customer engagement solutions, automated patch management across its global workforce. An automation strategy allows remote and local endpoints to be updated, without relying on individual employees. This ensures that all endpoints, including PCs, Macs, tablets and mobile devices, remain secure and compliant.

For most organizations, remote workers are an unavoidable fact of life. The upside is employees are often happier and teams are more efficient. The downside is security is often compromised due to poorly managed endpoints. But as we’ve seen, you can mitigate threats posed by remote workers’ endpoints and significantly improve your overall network and data security with a few best practices.

About the author: Mathivanan Venkatachalam is vice president of ManageEngine, a division of Zoho Corp., and has been part of the Zoho team since its inception. Prior to working with ManageEngine, he was associated with IIT Madras for their V5.2 protocol stack in layer 1 and layer 2 development.
