Infosec Island Latest Articles
SAP Cyber Threat Intelligence Report – January 2017 Fri, 13 Jan 2017 03:00:00 -0600 The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report provides insight into the latest security threats and vulnerabilities.

Key takeaways

  • The first set of SAP Security Notes of 2017 consists of 23 security patches. Most of them address XSS and missing authorization check vulnerabilities.
  • The most dangerous security issue was rated 9.8 (of 10) on the CVSS v3.0 base score.
  • SAP SSO has a DoS vulnerability. The mechanism provides access to cloud and on-premises solutions and web applications, via mobile devices and native SAP clients. By exploiting the vulnerability, an attacker can prevent numerous SAP users from reaching the applications they need for their work.

SAP Security Notes – January 2017

SAP has released the monthly critical patch update for January 2017. This patch update closes 23 vulnerabilities in SAP products (19 SAP Security Patch Day Notes and 4 Support Package Notes).

4 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 2 of the Notes are updates to previously released Security Notes.

1 of the released SAP Security Notes has a Hot News priority rating. The highest CVSS score of the vulnerabilities is 9.8.

The most common vulnerability type is Missing Authorization check.

Issues that were patched with the help of ERPScan

This month, four vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of Service vulnerability in SAP Single Sign-On (CVSS Base Score: 7.5). The fix is available in SAP Security Note 2389042. An attacker can use the vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • An XML External Entity vulnerability in SAP NetWeaver Visual Composer (CVSS Base Score: 6.4). The fix is available in SAP Security Note 2347439. An attacker can send specially crafted, unauthenticated XML requests that the XML parser processes, including external entity declarations. By this means the attacker can read files from the OS file system of the server.
  • A Cross-Site Scripting vulnerability in SAP Enterprise Portal Real Time Collaboration (CVSS Base Score: 6.1). The fix is available in SAP Security Note 2341302. The component does not sufficiently encode user input, resulting in a Cross-Site Scripting vulnerability.
  • An SQL Injection vulnerability in SAP NetWeaver UDDI Server (CVSS Base Score: 4.1). The fix is available in SAP Security Note 2356504. An attacker can exploit the vulnerability with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, or remove data or make it unavailable. In some cases, an attacker can also access system data or execute OS commands.
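The XXE item above turns on one parser setting: whether a DOCTYPE supplied by the client is honoured. The following Python example, added here and not taken from SAP or ERPScan (the patched component is Java-based; this shows the principle with the standard library), contrasts a parser left at its defaults with one that both refuses DOCTYPE declarations outright and disables external entity resolution. The XML documents are constructed for the example.

```python
"""Refusing external entities in XML received from untrusted clients."""
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed payload of the kind an XXE probe sends: the DOCTYPE declares an
# external entity that points at a local file, and the body references it so
# that a resolving parser copies the file contents into the document.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<request><field>&xxe;</field></request>"""

# Constructed document with an internal entity: harmless here, but it shows
# that a parser which accepts a DOCTYPE does expand whatever entities it finds.
INTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY greet "hello from the DTD"> ]>
<request><field>&greet;</field></request>"""

BENIGN_DOC = b'<?xml version="1.0"?><request><field>hello</field></request>'


class _TextCollector(ContentHandler):
    """Collects character data so callers can see what the parser produced."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_permissive(data: bytes) -> str:
    """The 'before' behaviour: default parser settings, DOCTYPE accepted."""
    handler = _TextCollector()
    xml.sax.parse(io.BytesIO(data), handler)
    return "".join(handler.parts)


def parse_untrusted_xml(data: bytes) -> str:
    """Parse XML from a client and return its text content.

    Two layers of defence: (1) reject any document carrying a DOCTYPE, since a
    client has no business defining entities; (2) even if one slipped past the
    check, instruct the parser never to fetch external general or parameter
    entities, so a SYSTEM entity cannot reach the file system or the network.
    """
    if b"<!DOCTYPE" in data:
        raise ValueError("XML with a DOCTYPE declaration is not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.parts)


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except ValueError:
        return True
    return False
```

Rejecting the DOCTYPE up front is the check that matters most: every XXE variant, whether it reads a file, reaches an internal host or expands entities until memory is exhausted, needs a DTD to declare the entity, and a business API has no legitimate reason to accept one.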

About Denial of service vulnerability in SAP Single Sign-On

SSO (Single Sign-On) is a mechanism that allows a user to use one set of login credentials instead of numerous sets of passwords, which may be weak, reused, or written down somewhere, to access multiple applications the user has rights to access. Thus, it enhances the security level and protects sensitive company and personal data.

SAP states that SAP SSO technology gives SAP customers secure access to SAP and non-SAP business applications across the whole landscape. It also “supports both cloud and on-premises scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients”.

Unfortunately, a security measure implemented by a vendor can itself introduce a security risk. This month, SAP closed a DoS vulnerability in the SAP SSO solution identified by an ERPScan researcher. The issue allows an attacker to crash or flood the service, so that legitimate users can no longer reach any of the linked applications. The resulting downtime costs the victim company revenue.

It is not the first time ERPScan researchers have discovered vulnerabilities in solutions that themselves introduce security measures. Examples include a vulnerability in PeopleSoft SSO and several critical security issues in SAP Afaria (SAP’s MDM solution).

The most critical issues closed by SAP Security Notes January 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2407862: SAP Sybase Asset Management has multiple buffer overflow vulnerabilities (CVSS Base Score: 9.8), CVE-2015-8277. An attacker can use a buffer overflow to write specially crafted data past the end of a buffer in working memory so that the vulnerable application executes attacker-controlled code. That code runs with the privileges of the affected service. This can lead to complete control of the application, denial of service, command execution and more. Install this SAP Security Note to prevent the risks.
  • 2361633: SAP Business Intelligence platform has an SQL Injection vulnerability (CVSS Base Score: 6.4). An attacker can exploit the vulnerability with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, or remove data or make it unavailable. In some cases, an attacker can also access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2377626: SAP Enterprise Portal Theme Editor has a Cross-Site Scripting vulnerability (CVSS Base Score: 6.1). An attacker can use the vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities, with technical details, will be available in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Copyright 2010 Respective Author at Infosec Island
Neutrino Bot Distributed in Post-Holiday Spam Run Thu, 12 Jan 2017 21:39:24 -0600 A spam distribution campaign spotted just after the holiday season has ended is distributing the Neutrino Bot via a linked malicious Office document, Malwarebytes Labs security researchers warn.

Usually, cybercriminals attach the malicious documents directly to the spam emails, but this time they took a different approach and included only a link to the document. The approach is unexpected mainly because the servers hosting such files usually have a short lifetime.

The emails in this campaign purported to come from the Microsoft Security Office, and the linked document, named “,” supposedly contained a full security report. Once the user opens the document, however, they are prompted to enable macros to view the content.

As soon as the malicious macro runs, the final payload is downloaded and executed and the victim’s computer is infected with the Neutrino bot. The malware can perform a variety of malicious activities: launching distributed denial of service (DDoS) attacks, capturing keystrokes, grabbing form data, taking screenshots, spoofing DNS requests and downloading further malware.

The malware installs itself in a folder called “UmJn” under %APPDATA%, a location typical of this version of the malware. Next, Neutrino attempts to connect to its C&C to receive commands and carry out malicious actions, by querying a script called “tasks.php.”

The list of C&C URLs is hardcoded in the malicious binary, and the researchers say a cookie with a hardcoded value is used for authentication. They also note that this value has changed between versions and that the malware’s code appears to have been partially rewritten, although its purpose and major features did not change much.

The features in the new variant, which researchers say is version 5.2, have been reorganized but are largely the same. The screenshot-taking functionality, for example, is still there, although the implementation details have changed.

The malware takes screenshots of the victim’s desktop when it receives a command from the C&C and immediately sends the shot to the server. Previously, the feature was tied to the keylogger; the new implementation gives the malware author more control over when it runs.

“Just like in the previous case we are dealing with a fully-fledged multipurpose bot – with various features allowing to steal data and invade privacy, but also to use infected computers for DDoS attacks or download other malware,” Malwarebytes Labs researchers explain.

As always, users are advised to be extremely careful with Office documents masquerading as invoices or reports, especially those that rely on macros to execute code. Users should not enable macros unless they completely trust the source of the file, or unless they open it in a virtualized environment. Network admins should set policies to permanently disable macros, the researchers say.
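The write-up gives two indicators a responder can hunt for immediately: the %APPDATA%\UmJn install folder and the tasks.php polling script with its authentication cookie. The Python below is an added example, not Malwarebytes’ code; the proxy log format, the endpoint file inventory, the file name inside the UmJn folder and the cookie value are all constructed, since the write-up does not give them.

```python
"""Hunting for the Neutrino bot indicators described in the write-up."""
import re
from urllib.parse import urlsplit

# Indicator from the write-up: the bot installs into %APPDATA%\UmJn, which
# expands to ...\AppData\Roaming\UmJn on a standard Windows profile.
INSTALL_DIR = re.compile(r"\\AppData\\Roaming\\UmJn\\", re.IGNORECASE)
# A bare IPv4 address (optionally with a port) as the URL host: the bot's
# C&C list is hardcoded, so it does not go through a DNS name.
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Constructed proxy log: timestamp, client IP, method, URL, status, quoted headers.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<headers>[^"]*)"$'
)
PROXY_LOG = [
    '2017-01-12T14:02:11Z 10.0.0.23 POST http://203.0.113.7/tasks.php 200 "Cookie: auth=f00ba4"',
    '2017-01-12T14:02:40Z 10.0.0.23 GET http://www.example.com/tasks.php?page=2 200 "-"',
    '2017-01-12T14:03:05Z 10.0.0.51 POST http://198.51.100.12/tasks.php 200 "Cookie: auth=f00ba4"',
    '2017-01-12T14:03:33Z 10.0.0.77 GET http://intranet.example.com/index.php 200 "-"',
]

# Constructed endpoint file inventory (host -> paths), as an EDR export might look.
# The executable name inside UmJn is made up; only the folder is from the write-up.
FILE_INVENTORY = {
    "ws-023": [
        r"C:\Users\alice\AppData\Roaming\UmJn\svchost.exe",
        r"C:\Users\alice\Documents\report.docx",
    ],
    "ws-051": [r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\x.lnk"],
}


def find_c2_beacons(log_lines):
    """Return (timestamp, client, url) for requests that look like Neutrino polling.

    A path named tasks.php is common on legitimate sites, so the match is
    tightened to POSTs that carry a cookie and go to a bare IP address, which
    is how this bot talks to its hardcoded C&C list; anything else is ignored.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if (
            m["method"] == "POST"
            and parts.path.lower() == "/tasks.php"
            and IP_HOST.match(parts.netloc)
            and "Cookie:" in m["headers"]
        ):
            hits.append((m["ts"], m["client"], m["url"]))
    return hits


def find_install_dirs(inventory):
    """Return (host, path) for any file under the bot's %APPDATA%\\UmJn folder."""
    return [
        (host, path)
        for host, paths in inventory.items()
        for path in paths
        if INSTALL_DIR.search(path)
    ]
```

Clients flagged by the first function and hosts flagged by the second should be reconciled against each other: a workstation that both beacons to a bare-IP tasks.php and carries the UmJn folder is a confirmed infection rather than a lead.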

Related: OPM-Impersonating Spam Emails Distribute Locky Ransomware

Related: Tofsee Malware Distribution Switched From Exploit Kit to Spam

Related: Necurs Botnet Fuels Jump in Spam Email

Why Simply Increasing Cybersecurity Staffing Won’t Resolve All of Today’s Issues Thu, 12 Jan 2017 04:00:00 -0600 Last month, the Commission on Enhancing National Cybersecurity delivered its report to the President of the United States, providing six Imperatives and associated recommendations and action items with the goal of improving the overall security posture of the nation’s public and private infrastructures. These recommendations cover a range of technical and non-technical guidance, with very substantial weight placed in Imperative 4 on training, hiring and increasing the overall cybersecurity workforce to match the growing need for such expertise.

Specifically, Action Items 4.1.1 and 4.1.2 recommend training 100,000 new cybersecurity practitioners for the workforce by 2020 and an additional 50,000 through an apprenticeship program within the same timeframe. This would be an enormous increase over the current number of trained cybersecurity workers, and should make a large dent in the unending need for more security experts everywhere.

However, almost every Chief Information Security Officer (CISO) or Chief Security Officer (CSO) today has an immediate need for this kind of expertise, and as the number of cyberattacks continues to explode, most cannot afford to wait until 2020 to tap into this flood of eligible, available potential employees.

Thankfully, the Commission has presented a few other recommendations that, in my view, recognize the need for additional, more socially-focused security measures which should help to improve the overall effectiveness of individual security programs and augment the proposed increase in the workforce.

Two in particular are:

  • Action Item 2.2.2 which states, “The U.S. government should support cybersecurity-focused research into traditionally underfunded areas, including human factors and usability, policy, law, metrics, and the social impacts of privacy and security technologies…”
  • Action Item 3.2.1 which states, “The next Administration and Congress should prioritize research on human behavior and cybersecurity, on the basis of the 2016 Federal Cybersecurity Research and Development Strategic Plan.”

These two seemingly small statements represent a massive shift in thinking, not only in how the government approaches cybersecurity strategy but in the industry as a whole. By putting a focus on the human and policy-centric needs of cybersecurity, they move away from the idea of simply acquiring the latest piece of software, all-in-one appliance or other security technology that promises to solve all of your security woes.

Applying more and more technology is not adequate to fully protect a network infrastructure and the critical data stored there. Attackers simply fine-tune their tactics to evade each new protection put in place and continue to launch assaults against their targets.

After all, no matter the number of layers of defense put in place, it only takes one authorized user within your organization to click on a malicious link in a phishing email that captures their credentials and feeds them to an attacker who can then use those credentials to sidestep every security control that a user is allowed to navigate.  

Since humans will make mistakes like this, social engineering continues to be an effective form of attack, no matter the technology controls in place. It is long past time for organizations to put more focus on the human side of their security program, specifically in the areas mentioned by the Commission in Action Items 2.2.2 and 3.2.1.

Any security program can benefit immediately from a review of its own internal policies, from improving the metrics used to measure the program’s success, and from consulting with legal counsel to ensure proper insurance and other risk mitigation plans are in place. These activities cost very little, can be completed quickly, and can deliver a lot of return to the organization.

Perhaps most important is understanding the behavior of employees and implementing programs that help them work in a more secure manner. Security awareness training and education programs may not be the glitziest pieces of a security program, but they are critical to its success. Beyond that, involve employees more directly: understand why social engineering attacks work on them and address their questions and concerns.

Security teams that sit down with staff at all levels, whether through roundtable sessions, town hall forums, brown bag lunches or similar gatherings, gain a much stronger understanding of the needs and challenges of the employees who are the front line of defense for the entire infrastructure. With this understanding comes the means to develop more relevant policies and procedures, to offer better, more focused solutions for the security problems staff actually face, and even to guide technology purchasing decisions so they fill the real gaps.

At AsTech Consulting, we believe that there is plenty of work yet to do, and we will certainly need a larger cybersecurity workforce. Nonetheless, while waiting for that to come about, there is a lot more that every organization can do today to refocus their efforts around the more human elements of information security and bring about a much stronger security posture for everyone.

Using Artificial Intelligence for Security Automation, Orchestration and Response Wed, 11 Jan 2017 11:42:00 -0600 Artificial Intelligence is a term being used to describe everything from chat bots to self-driving cars, and marketers are jumping on the bandwagon to take advantage of the trend. This article defines AI, machine learning and deep learning, and looks at what each means for information security, and in particular for automating incident response.

The Cybersecurity Capacity Problem

The way companies approach cybersecurity is evolving, and can be examined in three phases:

  1. Prevention. Just 10 years ago, companies focused their efforts on prevention: avoiding compromise. Companies built walls and fortified networks to keep their adversaries out.
  2. Detection. Faced with an increase in the volume and sophistication of attacks, organizations then implemented detection systems to alert them when potentially malicious threats made it through their defenses.
  3. Response. Looking at prevention and detection systems, you’ll notice that these technologies are automated and very fast. However, until now, organizations have relied on people to make sense of the alerts these products generate and to perform the manual tasks needed to investigate whether a threat is real or benign. The resulting response is slow and repetitive, and incident response teams are drowning in alerts with no chance of keeping up.

The incident response challenge coupled with a staggering cybersecurity skills gap presents a cybersecurity capacity problem. As Doug Graham, CISO at Nuance Communications puts it:

"It’s easy to end up in a cycle where one buys more tools, gets more alerts and, despite working hard to correlate those alerts, still finds the volume of resulting actions staggering.

Companies need to find ways to break this cycle or turn down the volume of alerts, as there will never be enough staff bandwidth to properly process every alert."

The only way organizations can keep up with the volume of threats and subsequent alerts is through security automation, and artificial intelligence is a critical capability of security automation technology.

Defining the Terms

An article in the Wall Street Journal by Yann LeCun, director of artificial-intelligence research at Facebook, asks “What’s Next for Artificial Intelligence?” From the article:

The traditional definition of artificial intelligence is the ability of machines to execute tasks and solve problems in ways normally attributed to humans. Some tasks that we consider simple—recognizing an object in a photo, driving a car—are incredibly complex for AI. Machines can surpass us when it comes to things like playing chess, but those machines are limited by the manual nature of their programming; a $30 gadget can beat us at a board game, but it can’t do—or learn to do—anything else.

The article then goes on to delineate AI, machine learning, and deep learning, and the expected consequences each will have on careers, the economy, and a fundamental change in the way humans interact with machines. And while the movement to involve systems more in functions traditionally attributed to human cognition is well underway, let’s take a step back to see what these terms actually mean.

What is Artificial Intelligence?

A quick look at the Wikipedia definition of AI:

Artificial intelligence (AI) is the intelligence exhibited by machines. In computer science, an ideal "intelligent" machine is a flexible rational agent that perceives its environment and takes actions that maximize its chance of success at an arbitrary goal. Colloquially, the term "artificial intelligence" is likely to be applied when a machine uses cutting-edge techniques to competently perform or mimic "cognitive" functions that we intuitively associate with human minds, such as "learning" and "problem solving".

Without wandering too far down the rabbit hole, the definition of rational agent:

In economics, game theory, decision theory, and artificial intelligence, a rational agent is an agent that has clear preferences, models uncertainty via expected values of variables or functions of variables, and always chooses to perform the action with the optimal expected outcome for itself from among all feasible actions. A rational agent can be anything that makes decisions, typically a person, firm, machine, or software.

Artificial Intelligence in the context of a computer system needs to be able to solve problems and execute tasks that mimic the human cognitive process including:

  • Understanding the scope of the problem at hand
  • Knowing where to find sources of information to help solve the problem
  • Being able to ingest data from the outside
  • Having the capacity to analyze data
  • Deciding what actions to take based on data analysis
  • Determining whether those actions solved the problem
  • Running an analysis to see whether what was uncovered in the course of the above process can be applied elsewhere

Let’s take these one-by-one as they relate to cybersecurity automation and orchestration.

Understanding the Scope of a Cyber Threat

An automated system that aims to investigate, evaluate, and then remediate a cyber threat must also be able to understand the scope and breadth of the threat. Without knowing the magnitude of the problem, such a system would never be able to fully solve the problem.

Let’s look at a common incident response scenario as a human cyber analyst.

When a detection system like FireEye sends an alert about a known malicious IP address to a cyber analyst, the analyst could perform the following logical steps:

  1. Determine which machine on the network has connected to the offending IP address
  2. Inspect the endpoint and perform an investigation to see if the machine has malware that is connecting to the IP address
  3. Take remediation steps to clean the machine and make sure there’s nothing left behind
  4. Add a firewall block rule to stop any other machine from accessing the IP address

Those four steps can solve the issue as it was presented, and you could argue that the analyst did what they were expected to do. However, a system that uses artificial intelligence and security automation would need to perform additional steps:

  1. Query network resources to determine what other machines on the network have accessed (or attempted to access) the IP address
  2. Automatically trigger additional investigations on each machine to kill processes, quarantine files, and remove anything malicious from memory
  3. Send the results of each investigation back to a ticketing system

In many cases, a single alert is a symptom of a much larger issue and an artificially intelligent system must be able to understand the bigger picture.
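The two lists above describe one procedure: scope the alert to every host that touched the IP, investigate each of them, block the IP once the scope is known, and record the results. The Python below is an added example of that playbook, not Hexadite’s product code; the flow records, host names and action names are constructed for the example, and a real deployment would read flows from NetFlow or proxy storage and hand the actions to an EDR, firewall and ticketing system.

```python
"""Scoping a malicious-IP alert across the whole network before responding."""
from collections import defaultdict

# Constructed flow records: (timestamp, source host, destination IP, port, outcome).
FLOW_RECORDS = [
    ("2017-01-11T09:01:02Z", "ws-017", "203.0.113.45", 443, "allowed"),
    ("2017-01-11T09:03:15Z", "ws-042", "203.0.113.45", 443, "allowed"),
    ("2017-01-11T09:03:40Z", "ws-042", "198.51.100.9", 80, "allowed"),
    ("2017-01-11T09:05:51Z", "srv-db01", "203.0.113.45", 443, "denied"),
    ("2017-01-11T09:09:00Z", "ws-101", "192.0.2.77", 443, "allowed"),
]


def scope_alert(alert_ip, flows):
    """Step 1: every host that reached, or tried to reach, the alerted IP.

    Denied attempts count too: a host the firewall already stops is still
    trying to beacon, so it belongs on the investigation list.
    """
    hosts = defaultdict(lambda: {"allowed": 0, "denied": 0, "first_seen": None})
    for ts, host, dst, _port, outcome in flows:
        if dst != alert_ip:
            continue
        entry = hosts[host]
        entry["denied" if outcome == "denied" else "allowed"] += 1
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(hosts)


def plan_response(alert_ip, alerted_host, flows):
    """Steps 2 to 4: turn the scope into an ordered action list.

    The host named in the alert is investigated first, every other host in
    scope gets its own investigation, and the block rule is added once, after
    the scope is known, so it also protects hosts the alert never mentioned.
    """
    scope = scope_alert(alert_ip, flows)
    if alerted_host not in scope:
        # The detection system saw traffic our own telemetry did not: still
        # investigate the host, but the gap in visibility is itself a finding.
        scope[alerted_host] = {"allowed": 0, "denied": 0, "first_seen": None}
    actions = [
        ("investigate_endpoint", host)
        for host in sorted(scope, key=lambda h: (h != alerted_host, h))
    ]
    actions.append(("firewall_block", alert_ip))
    actions.append(("open_ticket", f"{len(scope)} host(s) contacted {alert_ip}"))
    return actions


def verify_remediation(alert_ip, flows_after):
    """Step 5: hosts that still reach the IP after remediation, i.e. work left to do."""
    return sorted(
        host
        for host, entry in scope_alert(alert_ip, flows_after).items()
        if entry["allowed"] > 0
    )
```

The verification step is what separates orchestration from a one-shot script: the same scoping query is run again after the actions, and a non-empty result reopens the investigation instead of closing the ticket.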

Knowing Where to Find Sources of Information to Help Solve the Problem

Keeping with the example of a FireEye alert about a malicious IP address, the artificially intelligent system queried network resources to determine what other machines had accessed the offending IP address. In that one step, the system had to perform a chain of actions that a human analyst performs without thinking:

  • The system must know where and how to access additional network resources
  • It must know the purpose of these resources and what data should be there
  • It must have the ability to parse through the data to find what is relevant and actionable
  • The system is required to apply the relevant findings to translate what it has found into a series of subsequent actions

All of these steps seem elementary to us, because they are how our own reasoning works. However, codifying the decision-making involved in looking for additional information to solve a problem is incredibly complex and a hallmark of artificial intelligence.

The Ability to Ingest Data from Outside

Resourcefulness is an innate human trait. Just think of how often you look for external sources of information every day. From checking the weather to reading a paper on artificial intelligence, we are constantly querying data from the outside to help us make decisions.

In the cybersecurity world, the ability to access up-to-date information about known threats is essential for any security tool to function. The volume and sophistication of threats require constant updates to things like AV signatures and threat intel feeds in order to thwart attacks at scale.

An artificially intelligent incident response system must be able to access an array of different threat intelligence sources constantly if it aims to evaluate every cyber alert it sees. In doing so, the system is able to always incriminate or exonerate potential threats with the highest level of confidence possible.

The Capacity to Analyze Data

Analysis of data by an artificially intelligent system can only be accomplished by determining content, context, and meaning.

  • Content: Put simply, what are we looking at? In the case of an alert, what pieces of data should the system be looking for in order to take the next step? Examples include the IP address and location of the potential threat.
  • Context: What type of alert is this? Was it sent by an AV? A DLP system? A SIEM?
  • Meaning: Given content and context, what should the system do next?

Deciding on a Course of Action Based on Data Analysis

Once an artificially intelligent system has performed the requisite analysis, it must know what to do next based on codified logic. And while a similar investigation flow can be applied to multiple alerts, the remediation process can be vastly different. Some examples:

  • Phishing email: Who is the sender? What files are attached? Has anyone clicked the attachment? Downloaded and run the executable? Given up their credentials? The remediation actions that follow from the answers are conditionally dependent and require advanced decision logic.
  • Malicious IP address: If an IP address deemed malicious is accessed by a device on the network, what happens next? Is the IP address just a symptom of a malware infection on an endpoint? What kind? Is it ransomware calling the IP address and encrypting files? How many other machines are calling the IP? Once the root problem is cleaned on the endpoint, does it make sense to automatically add a firewall block rule to prohibit others from accessing that IP?
  • AV alert: If the system gets an alert about a Trojan on a laptop and sees that the AV has successfully removed the offending files, is that a successful remediation? Or should the system instead run a full investigation to ensure that the Trojan wasn’t just an entry point used to spawn malicious processes and morph into something the AV has missed?

Knowing what to do after a determination has been made about a potential threat is arguably the most critical capability of an artificially intelligent cybersecurity solution. Understanding how to rigorously investigate, remediate, and continue the cycle is what makes an AI solution valuable.

Determining Whether Actions Taken Solved the Problem

Evaluating whether the actions taken actually solve the entirety of the problem is the critical last step of the alert to investigation and remediation workflow. While some products and processes will stop at the remediation phase, any artificially intelligent system must be able to both verify that the remediation actions have been successful and that no additional actions are necessary.

Keeping with the AV example referenced earlier, an AI-based cybersecurity solution would verify that the AV product successfully removed the files and processes at the root of the infection, check for anything left in memory, launch parallel investigations to determine if there was any lateral movement, and re-investigate to make sure those steps have fully remediated all traces of the infection environment-wide.

Applying Results Elsewhere

Finally, once an AI-based cybersecurity solution has completed the end-to-end flow from alert to remediation and verification, it must be able to apply its findings universally. For example, if an alert from a detection system is determined to be an unknown threat, the system can then detonate the suspicious entity in a sandbox to examine behavior and incriminate or exonerate based on characteristics observed. Just because a threat is unknown to threat intelligence feeds, for instance, does not mean investigation should stop. When a new threat is uncovered, an artificially intelligent system is able to apply its newly-found knowledge to all other systems in its network, launching investigations to find out whether other machines exhibit evidence of the threat or threat type.

About the Author: Nathan Burke is Vice President of Marketing at Hexadite, where he is responsible for bringing Hexadite's intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action. 

Related Reading: The Role of Artificial Intelligence in Cyber Security

Stop the Phishing Frenzy; Arm Against the Danger with Detection and Response Fri, 23 Dec 2016 08:37:00 -0600 Phishing is now the No. 1 delivery vehicle for ransomware and other malware. Even with all the phishing prevention solutions available for several years, it’s clear that phishing continues to pose serious risk for today’s businesses that face significant financial loss, exfiltration of data, compromised credentials, loss of productivity and damaged reputations. Consider the following facts:

  • 85 percent of organizations have suffered phishing attacks in the last 12 months. (Wombat Security’s 2016 State of the Phish report) The number and sophistication of phishing attacks organizations experience have gone up: two-thirds of the organizations in the study reported targeted, personalized attacks, up 22 percent from the year prior.
  • 30 percent of phishing emails get opened. (Verizon’s DBIR 2016) It is a delivery tactic that works, and zero-day attacks defeat prevention systems, so attackers have no need to develop anything more sophisticated to scam money or information from their victims.
  • The No. 1 delivery vehicle for malware is email attachments. (Verizon’s DBIR 2016) Despite email filtering and user education, well-disguised content persuades the user to click and download.
  • $1.6 million is the average cost of a spear phishing attack. (Cloudmark) Companies hit by a successful spear phishing attack in the past 12 months suffered an average financial cost of $1.6 million.

The evidence is clear: phishing and other email-borne attacks exploit technical vulnerabilities, use social engineering to take advantage of human weakness, or both.

With the risk of a breach so high, companies need to take more active measures to prepare for the moment when a phishing, spear-phishing or whaling attack succeeds. User awareness education, signature-based technologies and email filtering are not enough, especially against zero-day attacks. The enterprise must therefore direct its efforts at detecting and blocking successful attempts fast enough to minimize or avoid any significant access to, or loss of, high-value data.

While many technologies exist today that tackle elements of threat detection (machine learning, user and entity behavior analytics, threat modeling and so on), the most effective solutions combine these capabilities to deliver rapid, real-time detection and response. Consider solutions that correlate machine learning with device and user behavior analytics to derive insight, detect legitimate threats and create prioritized alerts that let enterprise systems take prescribed action immediately, shutting down intrusions before a human even realizes they are there. Automated solutions that stop such threats within minutes exist today. By providing visibility and fully automating the immediate analysis, detection and elimination of threats, they can finally give the enterprise a leg up against a phishing attack that has already succeeded.

When evaluating solutions to complement your existing cybersecurity posture around phishing, consider the following questions:

  • Can it monitor credential usage and distinguish abnormal use from normal usage? Can it detect abnormal activity both north-south (through the firewall) and east-west (within the organization) in order to verify that credentials have been compromised?
  • Does it avoid false positives by combining data collection and analysis, machine learning, and predictive and behavioral analytics, and then correlating the findings to surface legitimate threats?

False positives needlessly generate incidents that must be investigated and remediation that is not required. The ideal solution should correlate and verify threat behavior from multiple sources in real time, so that the threat can be accurately characterized and enough evidence can be brought together to corroborate that it is real.

  • Can its architecture scale to process billions of inputs and generate correlated outputs of all related threat behavior in seconds so that it can detect such threats accurately in minutes after compromise?

Knowing that the volume and complexity of phishing threats are on the rise, consider systems that can scale to meet even the largest enterprise’s needs.

  • Can it be set up to be fully automated, including rule sets, analysis, alerts, remediation and reports, so that it works 24x7x365 without the need for human involvement?

Automation saves time, which is critical to mitigating the damage of such attacks, while also saving on dedicated 24x7 monitoring resources.

  • Most importantly, has it been proven to be effective in stopping the threat and blocking the exfiltration and/or damage of critical data?
  • Can it write rules to a firewall to block command and control communication? Can it isolate devices that have been infected? Can it write policy to directory services to disable compromised users’ credentials? Can all of this be done with a single click from the detection application, or be fully automated so that the time from detection to stopping the threat is reduced to seconds?
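The checklist above asks for two things at once: detection of abnormal credential use both north-south and east-west, and correlation of independent findings so that single noisy signals do not become incidents. The following is an added example, not code from the article or from the author’s company, that runs both checks over a few constructed authentication log lines and raises an alert only when both signals fire for the same account. The log format, field names, the internal address ranges in INTERNAL_NETS, the ten-minute window and the three-host threshold are all assumptions made for the demonstration.

```python
"""Added example: correlating two independent signals of abnormal credential use.

Signal 1 (north-south): a credential is used from an address outside the
internal networks and never seen for that user during the baseline window.
Signal 2 (east-west): one credential authenticates to many distinct internal
hosts within a short window, which ordinary users rarely do.
An alert is raised only when both signals fire for the same account, which is
the "correlate findings to surface legitimate threats" point in the checklist.
Log format, field names and thresholds are assumptions for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed

# Constructed sample logs: "<ISO timestamp> <user> <src_ip> <dst_host> <result>"
BASELINE_LOG = """
2017-01-09T08:02:11 alice 10.0.5.21 fileserver01 OK
2017-01-09T08:05:43 alice 10.0.5.21 mail01 OK
2017-01-10T08:01:09 alice 10.0.5.21 fileserver01 OK
2017-01-09T09:12:00 bob 10.0.7.33 fileserver01 OK
2017-01-10T09:14:20 bob 10.0.7.33 crm01 OK
"""
DETECTION_LOG = """
2017-01-11T03:10:02 alice 203.0.113.44 vpn01 OK
2017-01-11T03:10:40 alice 10.0.5.99 fileserver01 OK
2017-01-11T03:11:05 alice 10.0.5.99 fileserver02 OK
2017-01-11T03:11:30 alice 10.0.5.99 hr-db01 OK
2017-01-11T03:12:01 alice 10.0.5.99 finance01 OK
2017-01-11T08:03:15 bob 10.0.7.33 fileserver01 OK
2017-01-11T12:40:00 bob 198.51.100.7 vpn01 OK
"""


def parse(log):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": ip_address(src), "dst": dst, "ok": result == "OK"})
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(events):
    """Per-user set of source addresses seen during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"]:
            baseline[e["user"]].add(e["src"])
    return baseline


def north_south_signals(events, baseline):
    """Successful logons from an external address never seen for that user."""
    hits = defaultdict(list)
    for e in events:
        if e["ok"] and not is_internal(e["src"]) and e["src"] not in baseline[e["user"]]:
            hits[e["user"]].append(e)
    return hits


def east_west_signals(events, window=timedelta(minutes=10), min_hosts=3):
    """Same credential reaching >= min_hosts distinct internal hosts within window."""
    hits = defaultdict(list)
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ok"] and is_internal(e["src"]):
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            hosts = {x["dst"] for x in in_window}
            if len(hosts) >= min_hosts:
                hits[user].append((start["ts"], sorted(hosts)))
                break  # one hit per user is enough for the correlation step
    return hits


def correlate(baseline_log, detection_log):
    """Return prioritized alerts only where both independent signals fire for one account."""
    baseline = build_baseline(parse(baseline_log))
    events = parse(detection_log)
    ns = north_south_signals(events, baseline)
    ew = east_west_signals(events)
    alerts = []
    for user in set(ns) & set(ew):  # correlation gate: a single signal is not an incident
        hosts = ew[user][0][1]
        alerts.append({"user": user,
                       "score": 50 + 10 * len(hosts),  # breadth of lateral reach raises priority
                       "external_src": str(ns[user][0]["src"]),
                       "hosts": hosts})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in correlate(BASELINE_LOG, DETECTION_LOG):
        print(alert)
```

In the sample, both accounts log on from a previously unseen external address, but only alice’s credential then fans out across four internal hosts in under two minutes, so the correlation gate produces one alert for alice and none for bob. Swapping the two signal functions for richer analytics does not change the shape of the pipeline: collect, baseline, detect per signal, then correlate before anything is escalated or acted upon.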

Threat actors will assuredly continue to employ phishing techniques to tempt users with appealing documents and links, but next-generation threat detection and elimination technologies arm today’s organizations with greater capability than ever to catch and eliminate phishing threats before they do damage.

About the author: Gary Southwell is co-founder and chief strategy officer for Seceon, a cyber security startup offering the first fully automated threat detection and remediation system to detect, analyze and eliminate all cyber-threats in minutes.

Copyright 2010 Respective Author at Infosec Island
Stop Living with FUD: Build Security with Confidence, Assurance and Resiliency
Fri, 23 Dec 2016 05:33:00 -0600

With expensive and damaging cybercrime on the rise, companies and organizations across the globe are constantly trying to improve their security stance. As a result, many security vendors have taken advantage of this vulnerability with a FUD approach. The FUD strategy, standing for fear, uncertainty and doubt, is a scare tactic that plays on a prospect’s fears to win a sale. The sales pitch often includes lines like “there are bad things in your network or application” or “this product is your only hope.” The security industry is ripe for FUD tactics as the cost of cybercrime is skyrocketing. The costs are rising because companies are hiring more and more security engineers, but this “scale out” approach isn’t efficient: you can never hire enough manual resources to keep pace with the automated attacks that hackers are launching.

If companies give in to the FUD, they’ll continue to buy more and more point solutions in search of the “right one.” This is essentially the same approach as trying to lose weight by purchasing quick fixes instead of putting together a targeted plan on how to move the needle. Here are four best practices on how to avoid FUD and build security with confidence, assurance and resiliency.

Demand Transparency

Too few cybersecurity vendors practice transparency. They don’t give users a look beneath the hood of their technology and often overpromise on capabilities. Cybersecurity isn’t some sort of black magic, yet security vendors have been treating it that way, framing their product as the sole solution to all the fear, uncertainty and doubt. Without this transparency, everyone loses out through a lack of education and improvement. Transparency enables organizations to have full visibility into their software development life cycle: which tools are integrated into which part of the pipeline, whether any vulnerabilities have been found and what they are, and recommendations on how to rapidly remediate them. With full transparency and visibility of the whole situation, organizations can protect themselves with confidence, assurance and resiliency rather than falling into FUD.

Incorporate Security at Every Stage

The software development life cycle needs to have security tests built in at every stage, from code commit to application delivery. Putting implicit checks into place increases overall confidence that your code and application are much more resilient to application security attacks. This also increases assurance, as everyone knows exactly what tests were performed and what the results were in real-time. Instead of taking the insurance approach, where you simply hope that nothing bad ever happens, take the assurance route by being proactive with your application security testing.

Know Your Strengths and Weaknesses

Most security professionals can’t confidently answer the following question: how secure are we really?

If you don’t have the answer to this seemingly simple yet fundamental question, your security team is working blindly, which puts your company, its reputation and its customers at an unnecessarily increased risk. All organizations should do a full examination of their security processes and vulnerabilities to uncover their security strengths and weaknesses. Without this knowledge, there is no confidence, assurance and resiliency.

Understand that Security Isn’t a One-Size Fits All

There is no one cybersecurity solution that will be a perfect fit for every company. Each organization has unique security needs, strengths and weaknesses, and a good security plan should take all of those factors into account. Too many companies have fallen into the FUD trap of believing that “tool X” or “package Y” will be the solution to every security need. There is no silver bullet in cybersecurity, so organizations need to do their research to figure out what the best security plan for them entails, and not fall for the one-size-fits-all security package built on FUD.

Selling products on the basis of FUD is a scam, and security vendors who are guilty of inducing FUD need to make it right. The current state of cybercrime has rightfully put the security industry on edge, but we are not helpless, and cybersecurity tools shouldn’t be seen as an enigmatic quick fix. Leave FUD behind and build security with confidence, assurance and resiliency by demanding transparency, incorporating security at every stage, knowing your strengths and weaknesses, and understanding that security isn’t one-size-fits-all. We have access to the best cybersecurity technology, but each organization needs to build a personalized security plan founded on confidence and assurance to ensure its resiliency.

Security of IIoT Devices: Time to Operate in Tandem with the Drive for Productivity?
Thu, 22 Dec 2016 07:44:00 -0600

Manufacturers are increasingly adopting IIoT technology with the goal of boosting manufacturing productivity, but are security practices falling by the wayside? Here is why ensuring the security of these devices is key to long-term profitability.

The value of Industrial Internet of Things (IIoT) technology within manufacturing is becoming clearer than ever to industry. Used correctly, it has the potential to revolutionise manufacturing environments - driving a shift from reactive to predictive maintenance, boosting productivity, and deciphering swathes of big data for optimised business intelligence. A key factor behind uptake, however, is ROI and the IIoT’s potential to greatly increase profitability within whichever environment it is implemented.

The IIoT is set to be valued at $13.49 billion by 2020 – a 228 percent increase from its value of $4.11 billion in 2015. Furthermore, investment within IIoT has been estimated to exceed $60 trillion over the next 15 years. While it is clear businesses are taking notice of the opportunities that come with connected devices, they aren’t the only ones. A greater number of security issues are surfacing each day, attributed to both an increased number of vulnerable points within a network and the number of threat actors looking to take advantage of them.

The double-edged sword of IIoT profitability

With the networking of traditionally non-connected devices comes an increased risk of threats not often associated with Operational Technology (OT). Malware such as ransomware, worms and Trojans is now as much of a threat to OT systems as to IT systems. In some cases, the threat carries even greater consequences because of underdeveloped security barriers within industrial environments. Because of these risks, without significant investment in IIoT security, the reliability and safety of manufacturing and industrial facilities is more than likely to suffer in the long term.

A variety of threats to OT systems have recently been unveiled, aimed at technology that had previously remained unexposed thanks to the practice of air-gapping systems and the implicit barrier between IT and OT. These include rogue firmware in controllers, PLC worms, and IoT botnets used to launch massive DDoS attacks.

As attackers discover IIoT to be a lucrative business, a greater market for cyber threats develops. Cybercrime-as-a-Service through the dark web, for example, is a serious issue that will increasingly affect industrial facilities. Due to the increased availability of ‘do-it-yourself’ hacking kits, less skilled attackers can target larger organisations, aiming for greater levels of profit. Often these kits require no upfront fee, instead claiming a percentage of the total proceeds resulting from the hack, thus adding a ‘no win, no fee’ type of incentive to using the malicious software.

Securing future profits: IIoT security as a business enabler

The boost in productivity offered by IIoT devices comes with an increased level of vulnerability. Currently, IIoT security is still immature and requires significant attention. As industrial systems shift from isolated, air gapped systems to an open and inherently insecure infrastructure, systems that were once presumed to be secure are now ripe for attack. Overall, industries still focus solely on the business benefits of IIoT, with security considerations addressed as a secondary concern. IIoT security must therefore be addressed at an early stage through two key avenues – namely, through ensuring a baseline of security within manufacturing environments and a push towards comprehensive testing and assurances around the IIoT device ecosystem prior to deployment.

In the first instance, a product must be created that is, at its core, secure by design and secure during deployment. In short – end users must be placed within an environment which already operates under a high standard of security, operates under the assumption that attacks will almost certainly happen, and takes steps to mitigate these risks. Once this has been achieved, the education of developers into appropriate secure coding practices can be considered, placing manufacturers in a position to protect products against both prevalent security risks and the associated costs of remediation.

It is simply a matter of time until the threat actors behind Cybercrime-as-a-Service expand their offering to the Industrial Internet with a greater focus on vulnerable, networked systems. With a greater number of threats and vulnerabilities surrounding IIoT, the onus is on manufacturers and end users to ensure security and long-term profitability, an approach that will often require expert guidance. With a significant, concerted focus on security as a core business practice, organisations will be able to secure both short- and long-term gains within manufacturing environments.

About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk.

The Dark Side of the Force: Hacktivism Takes Center Stage in 2016
Wed, 21 Dec 2016 13:23:00 -0600

Rogue One: A Star Wars Story is certainly well-timed — epitomizing outsiders joining together to bring down powerful enemies, against great odds, to steal confidential plans. This plot, in many ways, reminds me of hacktivist agendas over the past year.

Any summary of 2016 must start by recognizing that a global anti-establishment mood brought upsets that defied "expert" predictions — both online and offline. The surprising Brexit vote, Donald Trump’s shocking election victory and Italy’s "no" vote in a referendum on constitutional reform are just a few examples of how this "anti" trend stunned the world in major events led by anti-elitist uprisings.

Online, even prior to the election, hacktivists engaged in a long list of diverse acts that took center stage in supporting (or opposing) a vast array of causes, ranging from anti-Wall Street to anti-free trade to anti-corruption to anti-fill-in-the-blank. This is not just about distributed denial of service (DDoS) attacks, but about stealing data in a variety of ways, all in the name of their causes.

As I sit here, a number of questions are swirling about election hacking: who knew what and when, Russian involvement and motives in picking winners and losers, President Obama’s promised retaliation, and much more. What is clear is that this major end-of-the-year hacking story will bleed well into 2017 and beyond.

"Hackers will hack" for an overabundance of reasons, and plenty of black hats were, and still are, trying to make a buck or two via old-fashioned online robbery, extortion and stealing credentials from Yahoo and many others. Still, the top hacker impacts revolved around politics and wealthy people being exposed for hiding money in offshore accounts in the Panama Papers, which some experts called the biggest data leak in history.

From Clinton campaign emails revealed by WikiLeaks to DDoS attacks against governments, banks and other corporations, the dark side of the Web never slept in 2016.

The Top Cyber Stories For 2016  

Without question, the top cyber trend in 2016 was hacktivism. Specifically, the uncovering of hidden information went into hyper-drive — with groups such as Anonymous, WikiLeaks and DC Leaks shaping the news and impacting global dialogue, while undermining trust in digitally stored information.

Second was the growth in ransomware attacks. The overall numbers were up a staggering 6,000 percent according to IBM — with hospitals, governments and many others experiencing major cyber incidents.

As CNBC reported: “The problem is, the business model works: 70 percent of business victims paid the hackers to get their data back, the study found. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000. …”

Third, overall data breach numbers and incidents remained high. Yahoo topped the list, with announcements about two huge breaches that actually happened a few years back. Other notable data breaches in 2016 occurred with Olympic athletes, the IRS, Wendy’s, Medstar and the Justice Department. 

Fourth, distributed denial of service (DDoS) attacks brought down large parts of the Internet using Internet of Things devices.

Fifth, cyberattacks on power grids and other significant infrastructure made headlines.

Sixth, the so-called "Apple vs FBI encryption battle" foreshadows future arguments over privacy of data versus national security.

Seventh, whaling and online fraud schemes made social engineering attacks a top FBI issue for cybercrime. There were many stories about the people side of cyber fraud, one of which highlights whaling (phishing 3.0), while others point to social engineering attacks.

Finally, there was no cyber 9/11 or crippling Internet surprise that lasted for days. This is actually good news. Most technology worked well, and we recovered well from security and infrastructure outages. While some want to see Russian hacking here or other nation-state cyber battles, I am grouping those still-debated topics under #1, with more to come on that front below.

Why 'Hackers with a Cause' Compare to the Heroes of Rogue One

On a global stage, hacktivism took the spotlight in 2016, and that is why it is my #1 cyber story for the year. Some will say that many of these hacks were sponsored by major world powers such as Russia. Foreign government involvement is likely the case, but there is disagreement in the intelligence community over who was behind which hacks and what their motives were.

In Rogue One: A Star Wars Story, unknown rebels accomplish unpredicted results. Yes, the story is science fiction, but the similarity lies in the way hackers stole center stage from powerful establishment organizations that were overconfident in 2016.  

"In a time of conflict, a group of unlikely heroes band together on a mission to steal the plans to the Death Star, the Empire's ultimate weapon of destruction. This key event in the Star Wars timeline brings together ordinary people who choose to do extraordinary things, and in doing so, become part of something greater than themselves."

This could very well describe the global hacktivists’ view of the world in 2016.

Note: the "Death Star plans" are synonymous with any data, plan, information or emails that hackers deem are relevant to achieving their wider cause.

Regardless of whether you can relate to any cyber analogies thrown at you, hacking for a cause is set to explode into a complex set of state and local government challenges.

Final Thoughts

What have we learned over the past year? Sadly, we’re not winning more global cyber battles. The bad guys are still outgunning the good guys.

While many cyber defenses are improving in global enterprises, the number of bad actors is also growing rapidly. As the list above shows, the breadth and depth of cyber threats and online vulnerabilities continues to grow online — especially with new Internet of Things (IoT) devices coming onto the market.

The U.S., our allies and foreign adversaries are progressively engaging in sophisticated cyberbattles that equate to a cyber cold war and cybersecurity arms race. New relationships, partners in cyberspace and causes are evolving in unpredictable ways, and third-world hackers are teaming with first-world experts to achieve desired results.

What's disconcerting to me is the new thinking that is emerging regarding right, wrong and ethics in cyberspace — with hacktivists all around the world. The mix of fake news, misinformation, ransomware websites that come and go, and other hacker dirty tricks results in a diminishing of the public’s trust and legitimacy of data — both online and offline. This trend is impacting governments, mainstream news media, private corporations and global relationships.

A new world of hacking motivations and causes is starting to develop — along with convenient, easy-to-use tools for computer novices to do many dangerous things online. Who knows what "Death Star plans" the hacktivists will go after next.

Securing Executive Buy In as the Cyber Security Threat Landscape Expands
Fri, 16 Dec 2016 06:57:34 -0600

The people, processes, and technology that protect digital resources and manage cyber risk are essential to sustaining businesses and societies. Even so, in many enterprises, boards and executives are just beginning to truly engage in cyber security strategy and leadership.

A recent NASDAQ survey highlights alarming gaps between awareness and accountability at the highest levels of global enterprises: too many board members and executives are unable to understand security briefings and unwilling to accept responsibility for data breaches.

The simultaneous explosion of connected technology and devices, Big Data, and cybercrime has led to wider adoption of new executive roles such as the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and Chief Digital Officer (CDO). As information governance, risk management, and compliance activities grow in scope and complexity, there is more than enough high-level strategy and oversight to keep an expanded C-suite challenged and busy. However, additional silos of responsibility can create confusion and inefficiencies when roles are not clearly defined, or collaboration is subdued.

When it comes to cyber security, it’s more important than ever for board members and core executives—especially those not directly involved with deploying security programs—to fully participate and contribute on a continuous basis.

The roles of the CEO, CFO, CIO, and CMO have undergone significant transformation over the past decade. Public scrutiny of business leaders is at an all-time high, in part due to enormous hacks and global data breaches. It’s become increasingly clear in the last few years that in the event of a breach, the hacked organization will be blamed and held fully accountable. Therefore, everyone in the C-suite is potentially going to have their feet held to the fire.

The good news, however, is that executives are beginning to pay more attention to the security measures protecting their organization’s assets, data, employees and customers. The cautionary tales, Armageddon scenarios, and the threat of public humiliation have made a significant impact. Executive awareness and engagement are finally increasing to meet the threats, but building a solid line of defense requires ongoing, strategic collaboration. Leaders must commit to adopting a culture of responsibility from the top, making sure their message reaches out to the edges of the enterprise and everywhere in between.

Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is more feasible when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives. Let’s take a look at each role within the C-Suite:

The CEO

CEOs are on the hot seat and being pulled in a million directions at once. They face an influx of new regulations and risk factors related to the IT infrastructure and services that keep their enterprise up and running. These challenges can only be addressed through collaborative teamwork. Building a robust, encompassing cyber security program requires strong leadership from the CEO and a willingness to coordinate with the board and other executives to bridge traditional silos and redefine roles. By keeping security programs aligned with strategic business objectives, CEOs can help their organizations develop competitive advantage and dive into emerging opportunities with confidence.

In order to maintain an accurate, big picture understanding of their organization’s security preparedness, CEOs must actively solicit and distill security-related concerns, opinions, and contributions from multiple stakeholders. It’s important to make sure your team thinks of security breaches in terms of “when” not “if”—cyber-attacks are so numerous and sophisticated, it is foolish to think they can be entirely avoided.

In the event of a breach, you have to be ready with a quick and effective incident response; the faster the response, the better the outcome. In the eyes of regulators and consumers, credibility is bolstered by evidence of comprehensive, ongoing cyber security efforts. CEOs must espouse strategies that intentionally build resilience through security analysis, training, planning, and testing. The CEO leads the way by emphasizing the importance of ongoing communication and collaboration. Championing a culture of security awareness throughout the organization and supply chain strengthens your defenses; “insider threats” are still the most common attack vector.

The CFO

Cyber criminals attack financial systems directly and indirectly, and data breaches of all kinds impact an organization’s bottom line. These ongoing threats require CFOs to become intimately involved in security measures and cyber risk management. CFOs are also concerned with loss of funds through theft, waste, and supply chain issues, all of which can originate or proliferate in the cyber realm.

From internal operations to investor relations, every part of a CFO’s role involves highly sensitive data that must be closely controlled and protected. To fulfill their fiduciary duties, CFOs must maintain a thorough understanding of where this vital information is, who might want to steal it, and how they might gain access to it. Their responsibilities include disclosing to the board the potential impact of a cyber-attack. This includes integrating security risks into discussions and decisions about investments, procurement, and partnerships. Analyzing the feasibility and cost effectiveness of cyber insurance and security solutions also falls in the CFO’s domain. Last but not least, CFOs should be intimately involved in crafting and rehearsing the portion of the organization’s incident response plan that involves communicating with shareholders, partners, suppliers, and customers.

CFOs have always played an important role in advocating for and pursuing critical investments that promote long-term business growth. Forward-looking CFOs recognize the importance of investing in cyber security as a primary method of protecting reputation, stock price, financial resources, and proprietary information.

The CIO

The CIO role is, of course, most closely connected to cyber security responsibilities. It’s clear that CIOs have the most to gain from a broader, more collaborative approach. A united front that recruits champions from across the organization is stronger than a thin, overwhelmed line of defense made up of IT team members alone.

As new roles like CISO and CDO step in to alleviate their workload, CIOs should take the lead in engaging non-technical executives and board members. Their new directive is to excel at calm, clear communication with all stakeholders in order to obtain better funding and support for security initiatives. They have to speak the language of business and risk in order to convince boards and investors of the crucial link between IT enablement and risk management. Boards want regularly updated metrics and assessments they can compare over time as well as a way to form these into an accurate, holistic picture of information technology risk. The NASDAQ survey found that a vast majority of board members, especially those at vulnerable organizations, were unable to interpret cyber security reports. It is the CIO’s job to bridge this dangerous divide.

The CIO’s mandate is maintaining an effective, working balance between technology benefits, security controls, and risk management. By aligning their efforts with strategic business objectives, CIOs will partner more closely with their colleagues in the C-suite to shape business decisions, competitive strategy, and sustainable innovation.

The CMO

The CMO oversees a digital realm that is more closely tied to the customer than ever before, so it’s not surprising that their role has seen the biggest changes in recent years. The advances made possible by mobile marketing, social media, ad tech and Big Data have prompted an astonishing rise in the amount of consumer data that is gathered and analyzed for marketing purposes. Part of managing this data, much of which falls under privacy regulations, is securing it against theft and abuse. After all, cybercriminals are just as interested in that data as you are. Data-driven marketing depends on customer trust, and repeated headlines about spectacular breaches are eroding that trust.

More and more, we see brands and customer relationships damaged in the aftermath of an attack. In the event of a breach, CMOs will find themselves front and center, so they should make sure they are part of the incident response and data security planning. One of the big lessons learned from recent incidents is that financial and reputational damage will be amplified or mitigated depending on how quick, credible, and efficient the brand response is. All of a CMO’s hard work can go up in smoke if customers sense a lack of care or transparency.

In today’s enterprise, the CMO’s organization drives digital growth. The board and executive team rely on them to lead brand, product, and innovation efforts to competitive advantage without coming into conflict with data privacy legislation. It’s the CMO’s job to make sure the brand stands out for all of the right reasons.

Responsibility Starts at the Top

The C-Suite has the clearest, broadest “big picture” view of how their organization’s components intersect. A serious, shared commitment to common values and strategies is key to a productive relationship between the executive team and the board. Only through sincere, ongoing collaboration can complex threats like cyber-crime and espionage be managed. Without synchronized oversight, risk factors will multiply unimpeded.

In a global enterprise there are many elements beyond the C-suite’s control, and traditional risk management isn’t agile enough to deal with the dangers of cyberspace activity. By building on a foundation of preparedness, executives can create cyber resilience, assessing threat vectors in terms of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect customers, partners and employees.

It’s time for all executives to step up and bridge the gap between awareness and action. Organizations that create a deeply rooted culture of security and accountability from the top down will be able to withstand the persistent, dynamic nature of today’s ever-expanding, global cyber threats. 

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

The Home of Cyber Security Best Practice: Public or Private Sector?
Thu, 15 Dec 2016 07:04:00 -0600

Whilst parts of the public sector are not generally held up as shining beacons of security best practice, there are areas where private and public sector can take a leaf out of each other’s books, as the security challenges facing both continue to escalate. The recent reinforcement by the Chancellor of the Exchequer, Philip Hammond, of a £1.9 billion investment in bolstering the UK’s cyber defences also highlights the increasing need for cooperation between business, government, academia and industry to confront the growing menace of cybercrime.

Over the last decade, one could argue that parts of the private sector have demonstrated more examples of best practice in cyber security. That doesn’t mean to say that all businesses are adequately secure – on the contrary. However, by the same token those businesses, whose very existence in a global competitive market depends on good security, offer a good blueprint for success in protecting sensitive data. One fundamental principle that such organisations have embraced is the importance of balancing security against the competing challenges of usability and cost. An inability to focus on all three will result in failure, as users will find ways to sidestep security measures if they prove too onerous and managers will continue to weigh up cyber risk and the cost of compromise against the corresponding cost of investing in cyber security. Only relatively recently has this triple imperative been widely recognised by government; a reality which has in the past been hampered by out-dated practices including slow and cumbersome certifications and accreditation processes.

Cost, risk and usability, the triple imperative

In the past three to four years there has been a cultural shift within government as the term ‘commercial best practice’ became pervasive. This has had a profound effect on the way that systems have been architected, procured and deployed, and on how government looks to the private sector for both inspiration and guidance in the introduction of technology and practices. The recently introduced Government Classification Scheme (GCS) reflects this approach to security, which in part seeks to redress the balance between cost, risk and usability. For example, Commercial Product Assurance (CPA), run by the National Cyber Security Centre, which dictates the process by which new products are certified for government use, is today much more flexible and efficient than its past equivalents. There has also been a real drive to give responsibility for informed risk management to the data owner rather than using process to obscure responsibility. However, the nature and scale of the threats faced by government within the cyber domain today is unprecedented. This means that some differences will continue to exist between the public and private sector; however, the principle of efficiency, cost and usability is now well established.

World-leading ambitions

On a global scale the UK has a world leading reputation for security expertise, but arguably this has not yet translated into a vibrant home-grown cyber security industry of a scale that fulfils national potential. Cyber security is recognised by the British government as a tier one national threat that is attracting substantial government funding and driving an increased need for collaboration between government, academia and industry, which is in turn driving innovation in the cyber security ecosystem.  

Both private and public sectors face a fundamental challenge: to address the asymmetry that exists between the capabilities most businesses present to the world and the huge number of adversaries wishing to exploit them, reflecting the cost and effort required to detect and respond effectively to today’s threats. One area in which government is arguably ahead of industry is gaining confidence in the identity and state of end user devices. Most high-profile data breaches involve the exploitation of vulnerabilities on end user devices. In the field of identity and access management, technologies exist not only to authenticate users but also to determine the level of trust that can and should be conferred on devices. By increasing the level of trust in both devices and users, businesses can significantly reduce their attack surface.

A move towards the secure desktop

Many of the building blocks in use today in government have evolved out of the commercial space. One such example is the Trusted Platform Module (TPM), a cryptographic chip that ships with most Intel devices (with TrustZone a similar technology for ARM-based devices). These ‘trust anchors’, as they are known, are hardware standards increasingly adopted in government circles to establish a level of trust in the state of a device by taking cryptographic measurements of the systems and patches deployed on that device. Initiatives such as these are leading to the widespread deployment of secure desktops in government: systems for accessing cloud-based platforms that contain some of these trust-supporting features to offer secure browser-based access to virtual applications across varying form factors. This move towards secure desktops makes them an order of magnitude more difficult for attackers to exploit than common desktop systems. Typically using open-source operating systems at their core, they are mature enough to address cyber threats, using a robust architecture, whilst balancing the triple challenge of security, usability and cost efficiency that is critical for success. This is an example of where government is driving standards adoption that the private sector may do well to embrace.
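How a trust anchor records the state of a device, as an added example that is not from the article: each boot component is hashed and folded into a TPM-style Platform Configuration Register, and a verifier compares the final register value with a known-good value from a trusted reference build, then replays the per-stage log to locate what changed. The component contents and the reference build are constructed for the demonstration.

```python
"""Simulated measured boot: a PCR extend chain plus the verifier's checks.

Added example, not code from the article.  A TPM cannot have a PCR written
directly; it can only be extended with PCR = SHA-256(PCR || measurement), so the
final value commits to every stage and to their order.  Component contents and
the reference build below are constructed stand-ins for real boot images.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 output length in bytes; PCRs start zeroed at reset


def measure(component: bytes) -> bytes:
    """Digest of one component, as the previous stage computes before handing over."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: the register is folded forward, never overwritten."""
    return hashlib.sha256(pcr + measurement).digest()


def event_log(components: list) -> list:
    """Per-stage measurements, the record a verifier replays to explain a mismatch."""
    return [measure(component) for component in components]


def boot_chain_pcr(components: list) -> bytes:
    """Run the whole chain from a zeroed PCR and return the final register value."""
    pcr = bytes(PCR_SIZE)
    for measurement in event_log(components):
        pcr = extend(pcr, measurement)
    return pcr


def verify_device_state(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Attestation check: the device's reported PCR must equal the known-good value."""
    return reported_pcr == golden_pcr


def first_divergence(reported_log: list, reference_log: list):
    """Index of the first stage whose measurement differs, or None if the logs match.

    The PCR alone says only that something differs; the replayed log says what.
    """
    for index, (got, expected) in enumerate(zip(reported_log, reference_log)):
        if got != expected:
            return index
    if len(reported_log) != len(reference_log):
        return min(len(reported_log), len(reference_log))
    return None


# Constructed reference build: stand-ins for firmware, bootloader, kernel and policy.
REFERENCE_BUILD = [
    b"firmware v1.2",
    b"bootloader signed-2016-12",
    b"kernel 4.4 patchlevel 38",
    b"secure-desktop policy rev 7",
]
GOLDEN_PCR = boot_chain_pcr(REFERENCE_BUILD)

if __name__ == "__main__":
    # A device that booted exactly the reference build attests successfully.
    print("reference build ok:", verify_device_state(boot_chain_pcr(REFERENCE_BUILD), GOLDEN_PCR))

    # An unpatched kernel changes one measurement, so the whole chain diverges,
    # and the replayed event log pinpoints stage 2 as the culprit.
    unpatched = list(REFERENCE_BUILD)
    unpatched[2] = b"kernel 4.4 patchlevel 12"
    print("unpatched kernel ok:", verify_device_state(boot_chain_pcr(unpatched), GOLDEN_PCR))
    print("first divergent stage:", first_divergence(event_log(unpatched), event_log(REFERENCE_BUILD)))

    # Swapping the order of two unchanged components also changes the PCR:
    # the register encodes the sequence, not just the set of components.
    reordered = [REFERENCE_BUILD[1], REFERENCE_BUILD[0]] + REFERENCE_BUILD[2:]
    print("reordered chain ok:", verify_device_state(boot_chain_pcr(reordered), GOLDEN_PCR))
```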

Another area where government has a natural advantage is data classification. An important element of any mature IT security strategy involves conducting regular security audits, which as part of an ongoing risk management regime should entail identifying and prioritising data assets. Introducing appropriate data classification schemes is likely to become increasingly relevant to commercial businesses faced with the need to comply with the EU General Data Protection Regulation, due to come into effect in 2018, as they seek to avoid the threat of substantial fines of up to 4 per cent of turnover associated with the loss of personally identifiable information.

The role of legislation

In future, we are likely to see continued convergence between public and private sector approaches to cyber security. There is an imperative for businesses to demonstrate security best practice, and industry giants like Google and Facebook are investing in some areas of cyber significantly beyond related investments from national budgets, driving innovation in multiple fields of cyber security. This will ensure that there continues to be an interchange of skills, knowledge and technology between the private and public sectors. The question for both commercial and public organisations to address is where their organisation lines up on a spectrum of security conscience ranging from ‘best practice’ at one end to ‘negligence’ at the other. Government is increasingly taking a lead in publicising the threat of cyberattack, but to date has enjoyed only limited success in raising awareness of good practice with initiatives like the Cyber Security Essentials Scheme. Recent history suggests that many businesses, left to their own devices, will continue to minimise their investment in security. As the EU GDPR is somewhat non-prescriptive in the measures that businesses need to deploy to demonstrate best practice, it is likely that either further regulation or more compelling guidance will be needed to drive many businesses to take the necessary steps to protect themselves, their employees and the public, in a world where digital transformation and increasingly interconnected devices form a potent mix with a cyber threat that continues to grow.

About the author: Co-founder and Chief Executive Officer of BeCrypt, Bernard Parsons is a technology expert with more than 25 years of experience spanning robotics, embedded systems and telecommunications as well as high-end security technology.

Driving ROI from Threat Intelligence & Security Operations
Wed, 14 Dec 2016 09:06:00 -0600

Over the last few years, the issue of corporate cyber security has gone high profile and, accordingly, budgets allotted to combating malicious infiltrators have grown exponentially. According to Gartner, in 2016 security spending was set to grow 7.9 percent, and the typical 1000-employee company is spending approximately $15 million attempting to keep their enterprise safe, with a significant chunk of that spend directed to Threat Intelligence feeds. Yet in the rush to gather as much intelligence as possible, many organizations lack the structure to translate this data into actionable intelligence and measurable improvement in security. At the same time, CISOs are increasingly under the gun to prove ROI from current and future security investments.

ROI challenge isn’t isolated to Threat Intelligence

It’s pretty clear enterprise security teams have poured money into Threat Intelligence in recent years with lackluster results, largely driven by the inability to triangulate external threats to their own environment in real time. Yet Threat Intelligence is just one symptom of the broader ROI challenge. The fact is that when thinking about how to maximize the ROI of Threat Intelligence spend, it can’t be addressed in isolation.

Threat Intelligence – One Facet of Effective Security Operations & Orchestration

As stand-alone data Threat Intelligence feeds are of nominal value. The key is integration and context. Humans must contextualize alerts, threat intelligence and other security data into a threat storyline as the basis for effective response.  Integrating Threat Intelligence into a comprehensive security operations platform is table-stakes to navigate the full scope of security operations and incident response from the initial alert through remediation.

For example, consider the relationship between Threat Intelligence and automation: using automation, security teams can now use incoming threat intel as a trigger to search for and operationalize incoming threats and match them against existing security investments. By normalizing threat intelligence with all other security data and expanding case context, Threat Intelligence becomes much more actionable, allowing you to identify the threats relevant to your organization. Imagine a threat actor is targeting your industry and is known to be exploiting a vulnerability in one of your external hosts. Automated, real-time integration with existing alerts provides the needed context to prioritize accordingly and set the stage for remediation.
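The enrichment step described above, as an added example that is not from the article: incoming intel (which actors target your industry, which CVEs they exploit, which infrastructure they use) is matched against the organisation's own asset inventory and existing alerts, so that the scenario in the text, an actor known to exploit a vulnerability on one of your external hosts, rises to the top of the queue. The feed entries, inventory, alerts and scoring weights are all constructed; the CVE ids are placeholders and the addresses come from documentation ranges.

```python
"""Correlating a threat intelligence feed with alerts and asset context.

Added example, not code from the article.  It normalizes three constructed data
sources (intel feed, asset inventory, raw alerts), collapses duplicate alerts
into cases, and scores each case by how much intel context attaches to it.
Placeholder CVE ids and documentation-range IPs stand in for real indicators.
"""

OUR_INDUSTRY = "finance"  # assumption: the organisation's sector

# Constructed intel feed: actor, industries targeted, exploited CVEs, known infrastructure.
INTEL_FEED = [
    {"actor": "ACTOR-A", "industries": {"finance", "energy"},
     "exploits": {"CVE-0000-1111"}, "source_ips": {"203.0.113.10"}},
    {"actor": "ACTOR-B", "industries": {"retail"},
     "exploits": {"CVE-0000-2222"}, "source_ips": {"198.51.100.7"}},
]

# Constructed asset inventory: exposure and the unpatched CVEs each host still carries.
ASSETS = {
    "web-01": {"internet_facing": True, "open_cves": {"CVE-0000-1111"}},
    "app-02": {"internet_facing": True, "open_cves": {"CVE-0000-2222"}},
    "db-03": {"internet_facing": False, "open_cves": set()},
}

# Constructed raw alerts as a detection system would emit them, repeats included.
RAW_ALERTS = [
    {"id": 1, "host": "web-01", "src_ip": "203.0.113.10", "signature": "web exploit attempt"},
    {"id": 2, "host": "web-01", "src_ip": "203.0.113.10", "signature": "web exploit attempt"},
    {"id": 3, "host": "app-02", "src_ip": "192.0.2.44", "signature": "port scan"},
    {"id": 4, "host": "db-03", "src_ip": "10.0.0.5", "signature": "failed login"},
    {"id": 5, "host": "web-01", "src_ip": "203.0.113.10", "signature": "web exploit attempt"},
]


def deduplicate(alerts):
    """Collapse alerts sharing host, source and signature into one case with its alert ids."""
    cases = {}
    for alert in alerts:
        key = (alert["host"], alert["src_ip"], alert["signature"])
        if key not in cases:
            cases[key] = {"host": alert["host"], "src_ip": alert["src_ip"],
                          "signature": alert["signature"], "alert_ids": []}
        cases[key]["alert_ids"].append(alert["id"])
    return list(cases.values())


def enrich(case, feed=INTEL_FEED, assets=ASSETS, industry=OUR_INDUSTRY):
    """Attach intel context to one case and compute a priority score with reasons.

    Weights are an assumption for the demonstration: exposure +1, actor targets
    our industry +2, actor-exploited CVE open on this host +3, source IP is
    known actor infrastructure +2.
    """
    score = 1
    reasons = []
    asset = assets.get(case["host"], {"internet_facing": False, "open_cves": set()})
    if asset["internet_facing"]:
        score += 1
        reasons.append("internet-facing host")
    for entry in feed:
        targets_us = industry in entry["industries"]
        exploitable = entry["exploits"] & asset["open_cves"]
        known_infra = case["src_ip"] in entry["source_ips"]
        if targets_us:
            score += 2
            reasons.append(f"{entry['actor']} targets {industry}")
        if exploitable:
            score += 3
            reasons.append(f"{entry['actor']} exploits {', '.join(sorted(exploitable))} open on {case['host']}")
        if known_infra:
            score += 2
            reasons.append(f"source {case['src_ip']} is {entry['actor']} infrastructure")
    return {**case, "score": score, "reasons": reasons}


def prioritize(alerts=RAW_ALERTS):
    """Full pipeline: deduplicate, enrich, and return cases highest priority first."""
    cases = [enrich(case) for case in deduplicate(alerts)]
    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    ranked = prioritize()
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(ranked)} cases")
    for case in ranked:
        print(case["score"], case["host"], case["signature"],
              f"x{len(case['alert_ids'])}", "; ".join(case["reasons"]))
```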

With the right integration and context we can begin to ask the broader question of how we drive and measure ROI across the entire security infrastructure.

Even with the right structure, how do we measure ROI?

By definition, it’s challenging to prove the worth of security investments because they aren't really about returns - there is no actual monetary gain. The gain is achieved by preventing loss and by driving productivity with limited analysts, both of which are much harder to quantify than gain that comes in the form of dollars and cents.

But proving the difficult-to-pin-down ROI of your current and future investments is critical, and to do that the right metrics must be in place. While there is no standard model with which to assess risk vs. investments, there are some pretty clear metrics security leaders should look to as they seek to drive productivity from their security operations: 

Viewing the complete spectrum of your SOC as one holistic unit where all events and intelligence are interrelated will help your team:

  • Reduce the number of alerts (including duplicate alerts) that come in and consume valuable analyst time. By weeding out false positives and repeated alerts, analysts can concentrate on remediating real incidents.
  • Increase the percent of alerts that are investigated. With fewer alerts being created, analysts can tackle a greater percentage of alerts, leading to fewer casualties.
  • Decrease investigation time. With proper tools and context analysts can intensify their efforts on high yield incidents, accelerating response and recovery time.
  • Increase analyst caseload capacity.  Clustering of alerts, reduction in cases, enriched context, and eliminating the need to jump from screen to screen drives productivity and enables analysts to work more efficiently, negating the need to add manpower.
  • Drive down mean time from threat to remediation. When all the above factors come together, the bottom line is that mean time from threat to mitigation drops from days to minutes. If you have to prove your ROI, there can be no more compelling proof than that.

The average breach costs businesses north of $10M, which makes the status quo no longer tenable. Given the stakes, security leaders recognize the importance of driving analyst productivity. The analyst is more important than ever, and must be armed with the right tools to respond to next generation threats. Threat Intelligence is one important facet of those tools but can’t be viewed in a silo.

Top 10 Cloud and Security Predictions for 2017
Wed, 14 Dec 2016 07:06:00 -0600

In the coming year, I think we’ll see a number of significant changes with respect to both the public cloud and information security and, thus, would like to offer five predictions for each space.

Top Five Public Cloud Predictions

1. SaaS will be first choice. People have been talking “cloud” for years. Moving forward, however, I think the conversation is set to become more structured, more specific. As organizations increasingly begin to differentiate Software as a Service (SaaS) from Infrastructure as a Service (IaaS), I foresee SaaS picking up the most steam in 2017. In fact, I think the SaaS space is going to explode with more and more providers offering a larger variety of applications. Enterprises will first look to “SaaS-ify” their on-premise applications and, if unable to do so, will then turn to IaaS, failing which they will fall back to the private cloud.

2. Network visibility to aid the shift. Traditionally, the move to the public cloud—and IaaS, specifically—was hampered by security considerations and perhaps a lack of equivalent security and monitoring solutions as in the on-premise world. That’s changing today—catalyzed in large part, I believe, by a new generation of visibility tools coming online that enable greater transparency into and security of data-in-motion. This will push organizations to accelerate their plans to take advantage of the elasticity and agility that IaaS offers.

3. “Crown jewels” in the cloud. Enterprises will also increasingly move beyond using the public cloud solely for test/dev or burst capacity purposes. And again, because they want to benefit from the elasticity and the capacity on demand the cloud has to offer, they will now be looking to leverage IaaS for hosting always-on, mission-critical, Tier-1 applications—aka the crown jewels.

4. Even more data breaches. Moving the crown jewels into the cloud is a big shift. Unfortunately, it follows that as the data value increases so, too, will attackers’ efforts to gain access to that more lucrative, mission-critical or client-specific information. Enterprises will become subject to more targeted attacks and the number of breaches will rise. On the plus side, I think 2017 will see organizations making security a higher priority, migrating their security platform and tools in parallel with their critical applications.

5. Amazon and Azure to stay on top. I see an oligopoly in the near future—with Amazon and Azure cementing their roles as the leading IaaS solution providers; IBM and Google becoming secondary IaaS players; and Oracle emerging as a key player in the Platform as a Service (PaaS) space. The remaining players . . . will fade away.

Top Five Information Security Predictions

1. Security of IoT will become a life-threatening issue. The IoT devices coming online today range from heart-rate monitors to insulin pumps to automobiles. Think about the potentially life-threatening challenges that can arise—especially when device security has most often been an afterthought. The whole model needs reversing—with security as the top priority.

2. Increased regulation. There will be a massive push for increased industry regulation around the security of IoT devices—a problem that will not be solved by asking software vendors to write more secure code. And while I do not believe regulation will come about in 2017, I think the call to regulate will rise significantly.

3. Shift in security responsibility. Service providers have historically taken a relatively agnostic view towards security. But as part of the push toward regulation, they will be forced to take a more active role—especially as they are in the best position to do something about security in the world of IoT, and will likely soon be regulated to do so.

4. Security workflow automation. In the coming year, the volume of online attacks will outpace the human capacity to address them. As a result, “security workflow automation” will become a new mantra, with organizations clamoring for the ability to eliminate the need for manual intervention to secure systems.

5. The role of nation states in cyber warfare will change and grow. In a world that’s been dominated by traditional military might, cyber may become a great equalizing force. Smaller nation states, in particular, will take a more active role, investing in building cyber warfare and intelligence capabilities. No longer does it require a huge army to knock out a national power grid or inflict significant physical damage.

About the author: Shehzad Merchant serves as Chief Technology Officer of Gigamon, bringing over 20 years of experience in the high-tech industry. Prior to joining Gigamon, Shehzad served as the CTO at Extreme Networks, and is the author of several networking and communications patents.

The IT Security Flip: Inside More of a Concern than Outside
Fri, 09 Dec 2016 09:30:00 -0600

Every once in a while, a survey provides insights that at first glance don’t seem out of the ordinary. They generally validate a hypothesis. That is why we were somewhat surprised when we commissioned a survey of IT security professionals working in enterprises large and small. While there is a realization that insider threats are on the rise, what we learned was that the problem is rising very quickly in the minds of IT professionals. In fact, about half of them are more concerned about internal threats than external threats. Upon further analysis, we found:

  • About half (49 percent) are more concerned about internal threats than external threats.
  • Top concerns are malware installed by careless employees (73 percent), stolen or compromised credentials (66 percent), stolen data (65 percent), and abuse of admin privileges (63 percent).
  • The majority of security professionals (87 percent) are most concerned about naive individuals or employees that bend the rules to get their job done; only 13 percent are more concerned about malicious insiders that intend to do harm.

There are probably many reasons why this could be true, including:

  • The dissipating enterprise network boundary
  • The trust businesses place in their employees and the potential negative side effects of such trust
  • The rise of sophisticated hacking, malware, ransomware, etc. and its impact on business profits, brand, reputation, etc.

What this means, though, is that the solutions that exist today have to be significantly different from those that were used to protect the enterprise perimeter. And the budget priorities that have traditionally driven IT security projects have to change to reflect this new reality. This has implications for staffing, product choices, vendor priorities, managed services, and the rest of the security ecosystem.

At the perimeter, distinguishing between good and bad actors is usually a binary question. Allow and deny are perfectly adequate responses once such a determination is made. Most security products reflect that narrative. For the internal network, though, identifying what is good or bad is very nuanced as employee behavior can change for various reasons – change in project, role, location, etc. In such cases, making a binary decision can lead to business disruption.

The easy way out is to have solutions that notify security administrators about potentially risky activity that they can then investigate. This leads to the staffing challenge: the significant shortage of qualified security professionals. Solutions that only perform detection will be transitional and obsolete in the next few years. Integrated enforcement will be a requirement going forward. Such enforcement will need to be granular and flexible enough to meet the needs of different types of enterprises. Allow and Block will be among the different options to respond to threats. Multi Factor Authentication, Notify, Re-authenticate, NAC enforcement, SSO restrictions, etc. will be the norm. Using such response mechanisms will also get end users involved in the security effort, while continuously educating them to potential security risks.

With the changing emphasis on the internal network and users, it is recommended to develop a plan that will address this class of threats effectively. The end result will be significantly improved network security, both for internal as well as external threats. The key components of building the strategy include:

  1. Creating a strategic security plan that gives equal attention to internal as well as external threats
  2. Identifying solutions that can adapt to the dynamic nature of internal enterprise networks
  3. Deploying solutions that reduce manual security analyst interventions
  4. Engaging end users in the security process

These steps can help you to improve visibility, reduce risk levels and respond to threats in real time, all while empowering your users and giving them a chance to take part in the security effort. In the end, both external and internal security threats can be addressed.

About the author: Ajit Sancheti is the Co-Founder & CEO at Preempt Security

Decrypting the Gender Imbalance: Hiring Women in Cybersecurity
Fri, 09 Dec 2016 07:30:00 -0600

Not too long ago, I spoke on a panel about the scarcity of women in information security positions. During the session, an attendee spoke up, “I really support the need to bring more women into IT security roles, but when I review resumes, I don’t even find women among the applicants. How can we feed more women into the pool of candidates, when they’re not even showing up in our hiring searches?”

A fair question, and one that encapsulates an ongoing challenge in the IT security space.  According to a 2012 study by the National Center for Women and Information Technology, women make up only 18 percent of undergraduate computer and information science degrees. (As an aside, I tried to find more recent national data on women with these degrees, but to no avail. If anyone has more up-to-date information to show this issue is being tracked more recently, I look forward to your comments.) While this ratio may sound low, it’s significantly higher than the 10 percent representation of women in information security positions today. What’s more, if you broaden the scope of qualified candidates for entry level positions to include those with any STEM-related degree and technical aptitude, the percentage of women that could start on the IT career path surges to approximately 40 percent.

With data supporting that there exists an untapped pool of qualified women that could help fill the workforce shortfall in IT security, recruiting these women should be a top priority among leaders in this industry, which is facing a 1.5 million-strong deficit in professionals by 2020. A successful effort to attract (and retain) top female talent to this field involves a steady commitment to a long-term vision of gender diversity in the industry and application of best practices such as these:

Don’t overstate the job qualifications.  Research shows that women tend to apply for jobs only when they believe they meet 100 percent of the stated requirements, while men submit their resumes if they believe that they meet 60 percent of the requirements. Essentially, this means that if 10 equally qualified candidates meeting 80 percent of the stated requirements see your job post, all of the men will apply, and none of the women.

A typical scenario of how this plays out: You believe that your ideal candidate should have a computer science degree along with five years’ IT experience, even though someone with an alternative degree and three years’ experience could do the job. You may think that by basing your job description on the ideal candidate, you’ll filter out less desirable resumes and reduce your workload. I’ll confess to having done this myself.

However, the unintended consequences may be that you turn women candidates away before they can be considered, because women are more likely to “follow the rules” in applying for the job. If a position absolutely requires a certain certification, by all means include it in the posting, but don’t create unnecessary prerequisites.

Work the networks. It’s a promising sign that gender-focused security forums are springing up all around us. Look to industry associations like ISACA® and ISSA which offer webinars, networking events and special interest groups targeted to women. Organizations such as Women in Technology International (WITI) and Executive Women’s Forum also provide popular meeting places for female leaders in the industry. Forwarding your job posting to executives in these groups and telling them that you want to increase the pool of qualified women candidates is an effective way to get the position you want to fill seen. Another valuable resource to consult is the National Initiative for Cybersecurity Careers and Studies (NICCS).

Reinvent the hackathon (and give it a new name, please). Hackathons — those marathon coding events that attract so much press — may spotlight bright software engineers and technologists, but they tend to appeal to men. And, dare I say it, often repel women who are put off by the ultra-competitive environment and the bravado culture that pervades them. Slate Magazine provides compelling insight on this topic. The good news is that some groups are working to change this image, and are even creating new women-focused hackathons that emphasize collaboration, cooperation and mentoring, with positive results.

Make women in cybersecurity visible. Women in cybersecurity draw in other women in cybersecurity. If you are a woman security professional, be active! Encouraging women to share new job postings to their social networks, interview new candidates, write security blog posts and articles, participate in online groups and industry events and so on, will go far to bring about a more gender-diverse group of new applicants.

As one of the fastest-growing industries with the critical, strategic focus of defending businesses against advanced attacks on their increasingly large and complex networks, information security has an acute need to fill its shortage of skilled labor with talented female professionals. Organizations that seek to achieve greater representation of women in their IT security teams should maintain a steady, multi-faceted approach to recruitment — and continually evaluate their performance in terms of the advancement and retention of women in this area.

About the author: Michelle Johnson Cobb is the Vice President of worldwide marketing for Skybox Security.

Internet Companies Partner to Combat Terrorist Content
Wed, 07 Dec 2016 07:42:00 -0600

Major Internet players, including Facebook, Microsoft, Twitter, and YouTube, are teaming up to create a database designed to help combat the spread of terrorist content online.

The involved organizations are already engaged in fighting terrorism online, either by removing offending content from their platforms, or by suspending accounts related to terrorism, but the new collaboration should help them better identify terrorist content on their consumer platforms and increase their efficiency in the fight against this global issue.

Earlier this year, Microsoft updated its terms of use to prohibit the posting of terrorist content on its services, while Twitter, which formed a Trust & Safety Council to tackle violent behavior on its platform, announced the suspension of over 360,000 accounts related to terrorism.

In a joint announcement this week, the four companies revealed that the shared database will contain hashes (unique digital “fingerprints”) of the “violent terrorist imagery or terrorist recruitment videos or images” that have been removed from their services, and that each of the participants will be able to tap into these hashes.

“There is no place for content that promotes terrorism on our hosted consumer services. When alerted, we take swift action against this kind of content in accordance with our respective policies,” the joint statement reads.

As part of this collaboration, the four will start sharing hashes of “the most extreme and egregious” terrorist content they find on their services. Such images and videos usually violate the content policies of these companies and end up being removed from the public services.

The participating companies will add to the database hashes of terrorist content found on their respective services, so that the others could use them to identify such images or videos on their own services. This will also allow participants to review the discovered content against their respective policies and definitions, as well as to remove the content as appropriate.

The shared information won’t include personally identifiable information, and each company will independently determine what content to contribute. Matching content won’t be automatically removed from the other services, it seems.

“Each company will continue to apply its own policies and definitions of terrorist content when deciding whether to remove content when a match to a shared hash is found. And each company will continue to apply its practice of transparency and review for any government requests, as well as retain its own appeal process for removal decisions and grievances,” the announcement reads.

The participants are also considering getting more companies involved in the initiative, in the hope that it would improve users’ privacy and their ability to express themselves freely and safely. The ultimate goal is to engage with a wider community to prevent the spreading of terrorist content online while also protecting human rights.

Although not part of this initiative yet, other organizations are also focused on the removal of “propagandistic terrorist messages present on the Internet.” As part of a two-day concerted action that involved dedicated units in Belgium, France, the Netherlands and Romania, “1814 pieces of terrorist and violent extremist online content have been assessed for the purpose of referral to online platforms,” Europol announced today.

The campaign was held at Europol’s headquarters in The Hague on 29 and 30 November and focused on the terrorist content produced by media outlets associated with two specific organizations: IS and al-Qaeda.

While Internet companies and law enforcement intensify their fight against the content produced by terrorist organizations, so do these groups increase their efforts to spread their propaganda on social media platforms. What’s more, they have also “diversified their strategy by being active on several social media platforms and by using numerous accounts to radicalize, recruit and direct terrorist activity,” Europol also notes.

The 4 Cs of Automated Incident Response
Tue, 06 Dec 2016 08:04:37 -0600

It’s almost a certainty that you’ve heard of the 4 Cs of diamond quality. Created by the Gemological Institute of America (GIA) in 1953 as an international standard for judging the most valuable characteristics of a diamond, the 4 Cs are cut, color, clarity and carat weight. It’s also a clever mnemonic device to easily remember the four categories of evaluation.

Just as there was no universally accepted method for judging a diamond’s quality or assessing relative value before 1953, we’re currently in a phase in security where there are an ever-expanding number of automated incident response solutions, and no standard method for judging quality or value.

The number of products is on the rise in categories like:

Taking a page from the GIA, what would be the 4 Cs for evaluating automating incident response? The question is open to interpretation, but from my perspective, they would include the following:

The First C: Connection

Any solution that intends to automate the process of responding to security alerts to investigate threats and remediate incidents must be able to integrate with its customers’ existing security tools. Expecting a single tool to replace all the existing solutions on the market is at best a pipe dream, and at worst a recipe for disaster.

The Second C: Capacity

Automating incident response should add capacity. By taking away the manual, repetitive and tedious work of investigating every potential threat, an automated solution should both add capacity by taking on the workload and let valuable security staff focus on more important work.

The Third C: Capability

Any automated incident response solution worth its weight (pun intended) should provide new capabilities that simply weren’t possible otherwise. Simply adding speed is a nice-to-have, but adding new capabilities at machine speed makes IR automation a force multiplier.

A few examples of added capabilities:

  • An automated system that can immediately launch parallel investigations based on what it learns from investigating one alert
  • A solution that can use artificial intelligence to compare and incriminate threats against intelligence feeds
  • A tool that can stop a ransomware attack in-progress
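The first two capabilities above, pivoting from one alert into parallel investigations and incriminating what those investigations find against an intelligence feed, as an added Python sketch; this is my illustration, not Hexadite’s product code, and the host telemetry and intel verdicts are constructed sample data:

```python
"""Alert fan-out: investigate the alerting host, incriminate its indicators
against an intel feed, then pivot in parallel to every other host that has
seen the same incriminated indicators, until nothing new turns up."""
from concurrent.futures import ThreadPoolExecutor

# Constructed sample telemetry: indicators (file hashes, domains) seen per host.
TELEMETRY = {
    "ws-01": {"sha256:aaa", "dom:update-cdn.example"},
    "ws-02": {"dom:update-cdn.example", "sha256:bbb"},
    "ws-03": {"sha256:bbb"},
    "ws-04": {"sha256:ccc"},  # unrelated host; a good pivot never touches it
}
# Constructed intel feed: indicator -> verdict. Unknown indicators are not incriminated.
INTEL = {
    "sha256:aaa": "malicious",
    "dom:update-cdn.example": "malicious",
    "sha256:bbb": "suspicious",
}

def investigate_host(host):
    """One investigation: the host's indicators that the intel feed incriminates."""
    return {ioc: INTEL[ioc] for ioc in TELEMETRY.get(host, ()) if ioc in INTEL}

def hosts_with(ioc, exclude):
    """Other hosts that have seen the indicator and are not yet investigated."""
    return {h for h, iocs in TELEMETRY.items() if ioc in iocs and h not in exclude}

def fan_out(initial_host, workers=4):
    """Breadth-first pivot. Each round investigates the whole frontier in
    parallel; every incriminated indicator found seeds the next frontier.
    Returns {host: {ioc: verdict}} for every host reached."""
    findings = {}
    frontier = {initial_host}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while frontier:
            batch = sorted(frontier)                      # stable order for zip
            findings.update(zip(batch, pool.map(investigate_host, batch)))
            next_frontier = set()
            for iocs in (findings[h] for h in batch):
                for ioc in iocs:                          # pivot on what we learned
                    next_frontier |= hosts_with(ioc, exclude=set(findings))
            frontier = next_frontier - set(findings)
    return findings

def malicious_hosts(findings):
    """Hosts where at least one indicator carries a 'malicious' verdict."""
    return {h for h, iocs in findings.items() if "malicious" in iocs.values()}

if __name__ == "__main__":
    result = fan_out("ws-01")
    print(result)                    # ws-01, ws-02, ws-03 reached; ws-04 untouched
    print(malicious_hosts(result))   # {'ws-01', 'ws-02'}
```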

The Fourth C: Confidence

Perhaps I’m shoe-horning the category name to fit the pattern, but in using confidence, I’m referring to a user’s ability to rest easy, knowing that every alert and threat – however big or small – is being investigated.

Many companies today have tuned their detection systems to meet their investigative capacity. But as many will tell you, they’re not ignoring low-fidelity alerts, but instead adding them to a backlog that is saved for another day. However, when you look at any of the headline-grabbing breaches in the last few years, you’ll note that breaches like Target or Sony weren’t due to a failure in detecting the threat. The threats were detected and alerts were sent – sometimes several times – but because of a capacity mismatch, they were never investigated.

Any automated IR system should be able to investigate everything in a timely way in order to give the customer the confidence that a front page headline isn’t hiding in the backlog.

Applying the 4 Cs

As we look to solve incident response challenges through automation, this simple framework is a guide to the areas where I see automation providing the most value. What do you think – which Cs would you add to the list?

About the author: Nathan Burke is Vice President of Marketing at Hexadite. He is responsible for bringing Hexadite's intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action.
