Infosec Island Latest Articles https://www.infosecisland.com Adrift in Threats? Come Ashore! en hourly 1 If You Don’t Have Visibility, You Don’t Have Security https://www.infosecisland.com/blogview/25217-If-You-Dont-Have-Visibility-You-Dont-Have-Security.html https://www.infosecisland.com/blogview/25217-If-You-Dont-Have-Visibility-You-Dont-Have-Security.html Tue, 20 Aug 2019 05:01:00 -0500 If you’ve ever watched a thriller or horror movie, you’re probably familiar with the scene where someone is trying to keep a monster or attacker out so they barricade the doors and lock the windows and feel safe for 10 seconds…until someone remembers that the cellar door is unlocked and they discover the threat is already inside. That’s a pretty good metaphor for cybersecurity. IT security professionals scramble to protect and secure everything they’re aware of—but the one thing they’re not aware of is the Achilles heel that can bring everything crumbling down. That is why comprehensive visibility is crucial for effective cybersecurity.

You Can’t Protect What You Can’t See

As illustrated in the example above, you can have the best security possible protecting the attack vectors and assets you’re aware of, but that won’t do you any good if an attacker discovers an attack vector or asset you aren’t aware of and haven’t protected. It may not seem like a fair fight, but an attacker only needs one vulnerability to exploit. The burden is on the IT security team to make sure that everything is secured.

That’s easier said than done in today’s network environments. When you’re trying to keep a monster out of the house, you’re at least only dealing with a static and manageable number of doors and windows. In a dynamic, hybrid cloud, DevOps-driven, software-defined environment running containerized applications, the entire ecosystem can change in the blink of an eye and the number of assets to protect can increase exponentially. Employees have installed unauthorized routers and wireless access points and connected to unsanctioned web-based services that expose the network and sensitive data to unnecessary risk since the dawn of networking, but the advent of IoT (internet-of-things) has created an explosion in the volume of rogue devices.

Organizations need a tool that provides visibility of all IT assets—both known and unknown—including endpoints, cloud platforms, containers, mobile devices, OT and IoT equipment across hybrid and multi-cloud environment. It’s urgent for IT and cybersecurity teams to have comprehensive visibility and the ability to assess their security and compliance posture and respond in real-time to address challenges as they arise.

Vulnerability and Patch Management Can’t Replace Visibility

Since the dawn of cybersecurity, vulnerability and patch management have formed the backbone of effective protection. It makes sense. If you can proactively discover vulnerabilities in the hardware and software you use and deploy patches to fix the flaws or take steps to mitigate the risk, you should be able to prevent almost any attack.

Vulnerability and patch management are still important elements of effective cybersecurity, but comprehensive visibility is crucial. Finding and patching vulnerabilities without visibility provides a false sense of security. The assumption is that the environment is secure if all of the discovered vulnerabilities have been patched, but the reality is that only the vulnerabilities of the hardware and software you’re aware of have been patched. If you aren’t confident that you have an accurate, real-time inventory of your hardware and software assets, you’re not really secure.

Continuous Visibility Leads to Better Cybersecurity

Ideally, organizations need to have visibility of all IT assets—both known and unknown—throughout the entire IT infrastructure, spanning local networks and hybrid cloud environments. Imagine how much better your security and compliance posture would be if you actually knew—with confidence—what is on your global hybrid-IT environment at any given moment rather than relying on periodic asset scans that are already obsolete. What would it be like to have a single source of truth that enables you to identify issues and respond in real-time?

Visibility alone is not enough, though. It’s also crucial to have the right tools to do something with the information. Beyond visibility, you also need workflows to seamlessly connect to vulnerability and compliance solutions. For example, IT and cybersecurity teams should be able to add unmanaged devices and begin a scan, or tag unmanaged devices to initiate cloud agent installation to enable more comprehensive compliance checks.

Thankfully, the same platforms and technologies that make network visibility more complex and challenging also provide the power, scalability, and accessibility to deliver comprehensive, continuous visibility and tools and platforms that make it easier to run compliance and vulnerability programs. With the appropriate sensors placed strategically throughout the network and on devices, you can actively and continuously collect the necessary data.

The data can be stored in the cloud where the relevant IT, security and compliance information can be analyzed, categorized, enriched, and correlated. Because the data is stored and analyzed in the cloud, it has the flexibility and scalability to address spikes in assets resulting from high demand on containerized applications. It also simplifies and streamlines the ability to search for any asset and quickly determine its security posture.

With the right platform and tools, organizations have access to clean, reliable data—providing continuous visibility and relevant context to enable effective business decisions. It is also crucial for IT and cybersecurity teams to be able to quickly and easily find what they need. The information has to be available and accessible in seconds rather than minutes or hours or days so threats and issues can be addressed with urgency.

Knowledge Is Power

You can’t protect what you can’t see…or what you don’t know about. Don’t be the guy who thinks he is safe in the house while the monster crawls through an unlocked window at the back of the house. Effective cybersecurity is about knowing—with confidence and accuracy—what devices and assets are connected to your network and having the information and tools necessary to respond to threats in real-time.

Without comprehensive visibility, there will always be the chance that your false sense of security could be shattered at any time as attackers discover the vulnerable assets you aren’t aware of and exploit them to gain access to your network and data. Start with visibility. It is the foundation of effective cybersecurity, and it is absolutely essential.

About the AuthorShiva Mandalam is Vice President, Asset Management & Secure Access Controls at Qualys.

Copyright 2010 Respective Author at Infosec Island]]>
Ransomware: Why Hackers Have Taken Aim at City Governments https://www.infosecisland.com/blogview/25212-Ransomware-Why-Hackers-Have-Taken-Aim-at-City-Governments.html https://www.infosecisland.com/blogview/25212-Ransomware-Why-Hackers-Have-Taken-Aim-at-City-Governments.html Mon, 19 Aug 2019 07:09:19 -0500 When the news media reports on data breaches and other forms of cybercrime, the center of the story is usually a major software company, financial institution, or retailer. But in reality, these types of attacks are merely part of the damage that global hackers cause on a daily basis.

Town and city governments are becoming a more common target for online criminals. For example, a small city in Florida, Riviera Beach, had their office computers hacked and ended up paying $600,000 to try to reverse the damage. Hackers saw this as a successful breach and are now inspired to look at more public institutions that could be vulnerable.

Why are cities and towns so susceptible to hacking, how are these attacks carried out, and what steps should administrators take to protect citizen data?

How Hackers Choose Targets

While some cybercriminals seek out exploits for the sole purpose of causing destruction or frustration, the majority of hackers are looking to make money. Their aim is to locate organizations with poor security practices so that they can infiltrate their networks and online systems. Sometimes hackers will actually hide inside of a local network or database for an extended period of time without the organization realizing it.

Hackers usually cash in through one of two ways. The first way is to try to steal data, like email addresses, passwords, and credit card numbers, from an internal system and then sell that information on the dark web. The alternative is a ransomware attack, in which the hacker holds computer systems hostage and unusable until the organization pays for them to be released.

City and town governments are becoming a common target for hackers because they often rely on outdated legacy software or else have built tools internally that may not be fully secure. These organizations rarely have a dedicated cybersecurity team or extensive testing procedures.

The Basics of Ransomware

Ransomware attacks, like the one which struck the city government of Riviera Beach, can begin with one simple click of a dangerous link. Hackers will often launch targeted phishing scams at an organization's members via emails that are designed to look legitimate.

When a link within one of these emails is clicked, the hacker will attempt to hijack the user's local system. If successful, their next move will be to seek out other nodes on the network. Then they will deploy a piece of malware that will lock all internal users from accessing the systems.

At this point, the town or city employees will usually see a message posted on their screen demanding a ransom payment. Some forms of ransomware will actually encrypt all individual files on an operating system so that the users have no way of opening or copying them.

Ways to Defend Yourself

Cybersecurity threats should be taken seriously by all members of an organization. The first step to stopping hackers is promoting awareness of potential attacks. This can be done through regular training sessions. Additionally, an organization’s IT department should evaluate the following areas immediately.

  • Security Tools: City governments should have a well-reviewed, full-featured, and updated virus scanning tool installed on the network to flag potential threats. At an organization level, firewall policies should be put in place to filter incoming traffic and only allow connections from reputable sources.
  • Web Hosting: With the eternal pressure to stick to a budget, cities often choose a web host based on the lowest price, which can lead to a disaster that far exceeds any cost savings. In a recent comparison of low cost web hosts, community-supported research group Hosting Canada tracked providers using Pingdom and found that the ostensibly “free” and discount hosts had an average uptime of only 96.54%.For reference, 99.9% is considered by the industry to be the bare minimum. Excessive downtime often correlates to older hardware and outdated software that is more easily compromised.   
  • Virtual Private Network (VPN): This one should be mandatory for any employee who works remotely or needs to connect to public wi-fi networks. A VPN encodes all data in a secure tunnel as it leaves your device and heads to the open internet. This means that if a hacker tries to intercept your web traffic, they will be unable to view the raw content. However, a VPN is not enough to stop ransomware attacks or other forms of malware. It simply provides you with an anonymous IP address to use for exchanging data.

Looking Ahead

Local governments need to maintain a robust risk management approach while preparing for potential attacks from hackers. Most security experts agree that the Riviera Beach group actually did the wrong thing by paying out the hacker ransomware. This is because there's no guarantee that the payment will result in the unlocking of all systems and data.

During a ransomware attack, an organization needs to act swiftly. When the first piece of malware is detected, the infected hardware should be immediately shut down and disconnected from the local network to limit the spread of the virus. Any affected machine should then have its hard drive wiped and restored to a previous backup from before the attack began.

Preparing for different forms of cyberattack is a critical activity within a disaster recovery plan. Every organization should have their plan defined with various team members assigned to roles and responsibilities. Cities and towns should also consider investing in penetration testing from outside groups and also explore the increasingly popular zero-trust security strategy as a way to harden the network. During a penetration test, experts explore potential gaps in your security approach and report the issues to you directly, allowing you to fix problems before hackers exploit them.

Final Thoughts

With ransomware attacks, a hacker looks to infiltrate an organization's network and hold their hardware and data files hostage until they receive a large payment. City and town government offices are becoming a common target for these instances of cybercrime due to their immature security systems and reliance on legacy software.

The only way to stop the trend of ransomware is for municipal organizations to build a reputation of having strong security defenses. This starts at the employee level, with people being trained to look for danger online and learning how to keep their own hardware and software safe.

About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.

 

Copyright 2010 Respective Author at Infosec Island]]>
5 Limitations of Network-Centric Security in the Cloud https://www.infosecisland.com/blogview/25216-5-Limitations-of-Network-Centric-Security-in-the-Cloud.html https://www.infosecisland.com/blogview/25216-5-Limitations-of-Network-Centric-Security-in-the-Cloud.html Mon, 19 Aug 2019 06:55:48 -0500 Traditional security solutions were designed to identify threats at the perimeter of the enterprise, which was primarily defined by the network. Whether called firewall, intrusion detection system, or intrusion prevention system, these tools delivered “network-centric” solutions. However, much like a sentry guarding the castle, they generally emphasized identification and were not meant to investigate activity that might have gotten past their surveillance.

Modern threats targeting public clouds (PaaS or IaaS platforms) require a different level of insight and action. Since executables come and go instantaneously, network addresses and ports are recycled seemingly at random, and even the fundamental way traffic flows have changed, compared to the traditional data center. To operate successfully in modern IT infrastructures, we must reset how we think about security in cloud.

Surprisingly, many organizations continue to use network-based security and rely on available network traffic data as their security approach. It’s important for decision makers to understand the limitations inherent in this kind of approach so they don’t operate on a false sense of security.

To help security professionals understand the new world of security in the cloud, below are five specific use cases where network-centric security is inadequate to handle the challenges of security in modern cloud environments:

1. Network-based detection tends to garner false positives

Nothing has confounded network security as much as the demise of static IP addresses and endpoints in the cloud. Endpoints used to be physical; now they are virtual and exist as containers. In the cloud, everything is dynamic and transient; nothing is persistent. IP addresses and port numbers are recycled rapidly and continuously, making it impossible to identify and track over time which application generated a connection just by looking at network logs. Attempting to detect risks, and threats using network activity creates too many irrelevant alerts and false positives.

2. Network data doesn’t associate cloud sessions to actual users

The common DevOps practice of using service and root accounts has been a double-edged sword. On one hand, it removes administrative roadblocks for developers and accelerates even further the pace of software delivery in cloud environments. On

the other hand, it also makes it easier to initiate attacks from these “privileged” accounts and gives attackers another place to hide. By co-opting a user or service account, cybercriminals can evade identity-aware network defenses. Even correlating traffic with Active Directory can fail to provide insights into the true user. The only way to get to the true user of an application is to correlate and stitch SSH sessions, which is simply not possible with network only information.

3. The network attack surface is no longer the only target for cyber attacks

Illicit activities have moved beyond the network attack surface in the cloud. Here are four common attack scenarios that involve configuration and workloads (VMs or containers) in public clouds, but will not appear in network logs:

  • User privilege changes: most cyber attacks have to operate a change of privilege to succeed.
  • The launch of a new application or a change to a launch package.
  • Changes in application launch sequences.
  • Changes made to configuration files.

4. When it comes to container traffic, network-based security is blind

Network logs capture network activities from one endpoint (physical or virtual server, VM, user, or generically an “instance”) to another along with many attributes of the communication. Network logs have no visibility inside an instance. In a typical modern micro-services architecture, multiple containers will run inside the same instance and their communication will not show up on any network logs. The same applies to all traffic within a workload. Containerized clouds are where cryptocurrency mining attacks often start, and network-based security has no ability to detect the intrusion.

5. Harmful activity at the storage layer is not detected

In cloud environments, the separation of compute and storage resources into two layers creates new direct paths to the data. If the storage layer is not configured properly, hackers can target APIs and conduct successful attacks without being detected by network-based security. On AWS specifically, S3 bucket misconfigurations common and have left large volumes of data exposed. Data leaks due to open buckets will not appear on network logs unless you have more granular information that can detect that abnormal activity is taking place.

Focusing exclusively on network connections is not enough to secure cloud environments. Servers and endpoints don’t yield any better results as they come and go too fast for an endpoint-only strategy to succeed. So, what can you do? Take a different approach altogether. Collect data at the VM and container level, organize that data into logical units that give security insights, and then analyze the situation in real-time. In other words, go deep vertically when collecting data from workloads, but analyze the information horizontally across your entire cloud. This is how you can focus on the application’s behaviors and not on network 5-tuples or single machines.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

Copyright 2010 Respective Author at Infosec Island]]>
1 Million South Korean Credit Card Records Found Online https://www.infosecisland.com/blogview/25215-1-Million-South-Korean-Credit-Card-Records-Found-Online.html https://www.infosecisland.com/blogview/25215-1-Million-South-Korean-Credit-Card-Records-Found-Online.html Thu, 08 Aug 2019 04:54:19 -0500 Over 1 million South Korea-issued Card Present records have been posted for sale on the dark web since the end of May, Gemini Advisory says. 

The security firm could not pinpoint the exact compromised point of purchase (CPP), but believes the records may have been obtained either from a breached company operating several different businesses or from a compromised point-of-sale (POS) integrator. 

Amid an increase in attacks targeting brick-and-mortar and e-commerce businesses in the Asia Pacific (APAC) region, South Korea emerges as the largest victim of Card Present (CP) data theft by a wide margin, Gemini Advisory says.

Although EMV chips have been used in the country since 2015 and compliance is mandatory since July 2018, CP fraud still frequently occurs, especially due to poor merchant implementation. 

In May 2019, Gemini Advisory found 42,000 compromised South Korea-issued CP records posted for sale on the dark web, with a 448% spike in June, when 230,000 records were observed. In July, there were 890,000 records posted, marking a 2,019% increase from May. 

Overall, more than 1 million compromised South Korea-issued CP records have been posted for sale on the dark web since May 29, 2019. 

The security firm also identified 3.7% US-issued cards, with a credit union that primarily serves the US Air Force emerging as one of the most impacted US financial institutions (the Air Force maintains multiple air bases in South Korea). 

“Through an in-depth analysis of the compromised cards, analysts determined that many of them belong to US cardholders visiting South Korea. Since South Korea has received just over 1 million US travelers in the past 12 months, this should account for the high level of US payment records,” Gemini Advisory says. 

The median price per record is $40, significantly higher than the $24 median price of South Korean CP records across the dark web overall, the security firm notes. While 2018 marked a relatively large supply of such records, but a low demand, 2019 saw lower supply, but a growing demand.

“The demand continued to increase while the supply remained stagnant until the recent spike in South Korean records from June until the present. This sudden influx in card supply may be highly priced in an attempt to capitalize on the growing demand,” Gemini Advisory notes. 

The security firm says attempts to explore potential CPPs were not fruitful, as there were too many possible businesses affected by this breach. The most likely scenarios suggest that either a large business was compromised, or that a POS integrator was breached, impacting multiple merchants.

“South Korea’s high CP fraud rates indicate a weakness in the country’s payment security that fraudsters are motivated to exploit. As this global trend towards increasingly targeting non-Western countries continues, Gemini Advisory assesses with a moderate degree of confidence that both the supply and demand for South Korean-issued CP records in the dark web will likely increase,” the security firm concludes.

RelatedA Crash-Course in Card Shops

RelatedPayment Card Data Stolen From AeroGrow Website

Copyright 2010 Respective Author at Infosec Island]]>
Top Three Cross-Site Scripting Attacks You Need to Know Now https://www.infosecisland.com/blogview/25214-Top-Three-Cross-Site-Scripting-Attacks-You-Need-to-Know-Now.html https://www.infosecisland.com/blogview/25214-Top-Three-Cross-Site-Scripting-Attacks-You-Need-to-Know-Now.html Wed, 31 Jul 2019 03:35:00 -0500 Cross-Site Scripting or XSS is and will remain to be a major pain for anyone trying to create a secure web application for their end-users.

Cross-Site scripting attacks occur when an attacker can squeeze nasty code into your web application from any input field or functionality where a user can have their input reflected in the source code of your application.

The primary issue usually always falls down to sanitizing user input, in other words; it is essential to check the data going into the web application and also where it shows or how it is handled in the output from the site. Easier said than done!

A basic concept

Let’s say you post a comment online like Hello World.. (a cliche example). The web application will then show the text for everyone to see…. If this web application was vulnerable to a cross–site scripting attack then we could inject code into the application!

If an attacker can inject code similar to this on your site, they can do all kinds of malicious activity!

There are a few types of Cross-site scripting and we will have look at the most common three.

Types Of Cross Site Scripting

  • Reflected:

Reflected injections are inserted in a URL link that an attacker wants a victim to click!

First of all, we shall look at reflected Cross-Site Scripting occurs when the data is passed in a parameter in the URL.

HTTPS://www. google.com/ *notreal?ThisIsAParameter=IamTheValue*

The Injection would be passed in the value of this link and if an attacker loaded this with malicious script and victims began clicking it, they could exploit various attacks, such as… Stealing Cookies to take over accounts or stick a java-script keylogger on the site...

Reflected attacks only work when the URL is sent to someone – although if we were lucky in testing we’d find the next kind of XSS…

  • Stored:

These injections are stored on the server… like a Facebook or Twitter post, its there for the long-haul! This is as bad as it can get.

So once we find an XSS hole that lets us store our injections on the server, things get a little more interesting.

The attack surface of the exploit greatly raises. We no longer need to click the link in the previous example. Instead just by visiting the page where the injection is stored, it will fire.

As before we could steal cookies etc. but also start altering the entire web page layout for good.

  • Dom:

Lastly is Dom. This XSS injection is a tricky one. It can be hard to find, hard to exploit and even for me it can be hard to explain. In this attack surface, we are feeding data into already existing Java-script to create an exploit. A short snippet from the OWASP guide states:

DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client sidecode runs in an ‘unexpected’ manner.”

So we have given some basics on the types of XSS…

As an attacker we need to know the landing spaces of the data, then we can start to craft attacks and by-passing filters!

Landing spaces for Cross–Site Scripting

There are four landing spaces for XSS

  1. In White space
  2. Attribute space
  3. URI (Uniform Resource Identifier)
  4. Script space

- White space / Text space

This is when the user input lands in clear space.

If your injection lands here in the source this would be White space

Therefore, White space injections need to open tags ‘<>’ to create HTML and apply events or to directly open script tags for an exploit.

- Attribute space

If your input lands inside an Event Attribute then we can craft a different stlye injection but achieve the same results!

The ‘on’ attributes like, onerror, onload, onmouseover etc can involve Java-script and as such provide room for an attack. We have cleverly closed out the value attribute with our double quote. This allows us to create a new event handler, onclick, and give it some script to run. Even more so, we can create these attribute space exploits in the previous example.

NOTE: The asterisks above will break our injection, there are there to outline the specific landing spot!

- URL

More Acronyms.. URL Universal Resource Location
A URL is a basic web address: http://www.google.com
Landing in a URI spot is common enough and also gives a variety of injections to work with.

  < a *href=javascript:alert()>Click Me!* < / a >

Here we have set the HREF attribute to some basic java-script to show your cookies for the current web page. If our supplied data lands at the beginning of the HREF= value, then a world of possibilities opens up. The ability to execute javascript above is a great place to start in exploiting XSS.

Additional and more complex injections in this landing space become available to us, like the following:

< *a href=data:html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==* >

This example is using the data URI and then specifying the media type ‘html’ and then the encoding ‘base64’ followed by the encoded JavaScript. This is a small glimpse into how we can create complex injections to bypass filters.

- Script Space

Script space injections are my personal favourite. When our data lands inside script tags our main objective is to add additional Javascript, without breaking the syntax of the code around us. Sometimes this is extremely straightforward, other times it can be hours of restructuring code to flow with the script around us. These injections can come to be a plethora of quotes, parenthesis, braces and functions.

In previous landing spaces above, we addressed the concept that we can close out html tags and create our new code on the fly. Script space injections are no different than this. Additionally, this is the only instance where we do not need to worry about the previous syntax of the landing space as we do not care if it runs or fails. Although, landing in script space and having the ability to close out the code with a simple tag is not so common. Therefore we need to start assessing which special characters we can work into the landing space. () `` {} ; //[] The more special characters we can get in, the more we have to work with, and in-turn have a great chance of getting a working exploit!

This has been a brief cover of XSS… Soon I will address the other concepts in this field such as encoding types, such as URL, HTML, BASE64 etc. for special characters and also various browsers and how each can handle or interpret injections differently to increase our attack surface.

About the author: Jonny Rice works as a vulnerability web application specialist for leading application security provider WhiteHat Security.

Copyright 2010 Respective Author at Infosec Island]]>
Arkose Labs Launches Private Bug Bounty Program https://www.infosecisland.com/blogview/25213-Arkose-Labs-Launches-Private-Bug-Bounty-Program.html https://www.infosecisland.com/blogview/25213-Arkose-Labs-Launches-Private-Bug-Bounty-Program.html Mon, 29 Jul 2019 13:04:18 -0500 Fraud prevention technology provider Arkose Labs announced the launch of a private bug bounty program on crowdsourced security platform Bugcrowd.

Based in San Francisco, Calif., the company leveragesglobal telemetry with a proprietary challenge–response mechanism to help organizations prevent fraud in sectors such as online marketplaces, travel, banking, social media, ticketing and online gaming. 

A public bug bounty program that Arkose Labs launched on Bugcrowd last year has improved development process with the inclusion of crowdsourced cybersecurity testing as an additional validation step, the company says.

With the new private program, the company wants to tap into the skill sets of Bugcrowd’s Elite Crowd and tailor testing to help eliminate account takeover attacks, fake user registrations, and other types of fraud and application abuse.

The new program will also allow the company to have a more direct communication with a smaller group of testers and gain more control over testing, while continuing to benefit from the crowdsourced model.

“As a security company in the fraud prevention space with an end-user facing product, we are lucrative targets for a wide range of attackers using innovative methods, such as Single Request Attacks. Compromising our proprietary challenge—response mechanism, Enforcement, requires a very specific skill set and partnering with Bugcrowd ensures we have a more informed path forward to stay ahead of attackers,” said Anna Westelius, senior director of engineering at Arkose Labs.

RelatedGoogle Increases Bug Bounty Program Rewards

RelatedMicrosoft Launches Bug Bounty Program for Dynamics 365

RelatedSingapore Government Announces Third Bug Bounty Program

Copyright 2010 Respective Author at Infosec Island]]>
Eight Steps to Migrate Your SIEM https://www.infosecisland.com/blogview/25210-Eight-Steps-to-Migrate-Your-SIEM.html https://www.infosecisland.com/blogview/25210-Eight-Steps-to-Migrate-Your-SIEM.html Mon, 22 Jul 2019 07:12:19 -0500 In a large enterprise, the ingestion of security logs, IT system logs and other data sources can easily reach a range of hundreds of thousands to millions of events each day and lead to storing terabytes of logs daily. It’s impossible for humans to manually keep up with this deluge of data, so they turn to security information and event management (SIEM) tools to do the work more efficiently.

With the relentless wave of cyberattacks and data breaches, however, the performance of legacy SIEMs is under scrutiny due to their inability to scale to detect the huge number of threats facing organizations today, and their limitations when it comes to helping security teams investigate and respond to incidents efficiently. In response to this, many enterprises are re-evaluating their SIEM and migrating to new technology. While this is exciting, migrating a SIEM is no trivial task.

Why migrate from a legacy SIEM?

The surge in cyberattacks, shortage of qualified security analysts, sheer volume of events and number of devices pumping data into the enterprise SIEM are posing several operational issues. For example, security operations center (SOC) teams universally complain about time wasted by chasing false positive alerts. The culprit for issues like this is that legacy technology in many SIEMs is completing its second full decade since it was introduced to the market. Four legacy characteristics include:

Excessive logging costs – Charging SIEM usage based on the amount of data ingested and processed is a characteristic of legacy SIEMs, but it never really made sense given that SOC teams benefit from having the most information possible about their environment to detect and investigate incidents. This licensing model penalizes SOC teams for collecting more data and limits capabilities for threat detection and creates blind spots during incident investigations.

Inability to catch unknown threats – The legacy SIEM model typically was based on correlation rules which requires analysts to know what they are looking for. But as the variety of threats has risen, a reliance on rules has left legacy SIEMs unable to detect unknown and advanced threats such as malicious insiders.

Untraceable distributed attacks – When tracking is substandard, SOC analysts get an incomplete picture of users’ activities. A common scenario is lateral movement, where an attacker first breaches a network and then moves around inside an organization, across credentials, devices or login locations. Consequently, the team misses threats and is unable to determine the full scope of attacks.

Manual investigation and remediation – When legacy SIEM technology has limited automation, the organization is faced with increased risk and longer exposure to threats. For example, every investigation requires construction of a timeline to evaluate events and understand their implications for security. For legacy SIEMs, those steps are usually manual and time consuming.

Solving these legacy issues is a strong motivation for SIEM migration. Before initiating the process of migration, it’s useful for stakeholders to get a big-picture sense of what these steps entail. A few days of planning upfront can save the team weeks of time and help avoid mis-steps later in the process.

Process Flow for SIEM Migration

1. Determine SIEM Priorities - It will typically take 2-4 weeks to identify all of the stakeholders and get a consensus on your top business issues and priorities. When deciding on these priorities, the SIEM migration team must consider the organization’s risk management framework in determining priorities for the SIEM, including compliance with relevant industry guidelines, regulations and statutes.

2. Select Use Cases - Selection of use cases for the SIEM migration should answer the question: what problems are we trying to solve with the new SIEM?

Examples of typical use cases include protecting against insider threats; identifying compromised credentials, prioritizing security alerts, and more. It’s common for a legacy SIEM to have 50 or even hundreds of use cases. Replicating all legacy use cases may be unnecessary as new technology can eliminate the need to manually manage some scenarios. For example, a new SIEM can reduce the need to create and maintain correlation rules with out-of-the-box detection models.

3. Scope Data Collection Sources - The ultimate purpose of a SIEM is to allow analysts to quickly detect and remediate security threats. Having a SIEM that integrates data logs from a broad array of IT and security products is essential for effective remediation. Data sources need to map to the use cases identified in the previous step.

4. Configure Log Sources – Configuration of log sources is a non-trivial process for teams to take on themselves. Investigate provider’s ability to help with standardizing and parsing data sources if assistance if needed.

5. Prepare SIEM Content - Train SOC analysts in the approach of the new SIEM if you are moving from exclusive reliance on rules triggering alerts to models built using behavioral analytics based on machine learning. In most cases, behavioral analytics speeds detection, provides more accurate results, and enables rapid, precise response to critical incidents.

6. Define Operational Processes - Getting good results from the new SIEM will require SOC analysts to adjust their daily operating processes. Analysts will especially want to know if they have to learn a new query language. A modern SIEM often has a point-and-click interface, which alleviates the need for command line controls.

7. Establish Benchmark Criteria - Establishing benchmark criteria for the new SIEM will help your organization measure and evaluate its performance. Benchmarks should employ criteria from the management framework or frameworks currently used by your organization. This could be ISO for compliance, PCI DSS for payment security, and operational benchmarks such as search times, mean time to detection, mean time to response, number of alerts closed, and so forth. It’s important to choose metrics carefully in order to accurately gauge success. For example, a modern SIEM’s analytics will often dramatically reduce the number of alerts to be investigated compared to a legacy SIEM

8. Evaluate Next Steps - The last stage of SIEM migration is evaluating next steps like developing new use cases as business priorities change.

Conclusion

By making the decision to migrate a legacy SIEM, organizations will launch a journey touching many parts of the enterprise. The migration will entail changes to a wide array of people, process and technology.

Process is an integral part of the eight considerations, and implementation will directly affect daily roles of some stakeholders. It’s important for organizations to approach migration with a positive outlook about the new benefits that will appear as a result of this process.

By approaching security with a new SIEM, your enterprise will enable better security and compliance. As the technical enabler, the new SIEM will also help stakeholders be more productive and fruitfully engaged in this vital mission.

About the author: Trevor Daughney is Vice President of Product Marketing at Exabeam. Trevor is a marketing executive with a track record of building high performing teams to take enterprise cybersecurity SaaS and software technology and turn them into successful global businesses.

Copyright 2010 Respective Author at Infosec Island]]>
What Call Center Fraud Can Teach Us about Insider Threats https://www.infosecisland.com/blogview/25209-What-Call-Center-Fraud-Can-Teach-Us-about-Insider-Threats.html https://www.infosecisland.com/blogview/25209-What-Call-Center-Fraud-Can-Teach-Us-about-Insider-Threats.html Mon, 22 Jul 2019 07:08:29 -0500 Call centers are often the weakest link in otherwise robust corporate security networks, because of the human dimension. They are staffed by people who make mistakes and are prey to scams and blackmail. Call centers are also vulnerable to malicious employees with an ax to grind or those willing to commit fraud for monetary gain.  

According to the Pindrop 2017 Call Center Report, voice fraud rates climbed at more than 350% since 2013 across several industries, including banking.  

Most Identity Data is Stolen  

Consider this fictional example of call center fraud. A caller contacts a U.S. bank and informs the customer service representative (CSR) that he/she wants to do an electronic funds transfer to pay their child’s college tuition bill for a school in France. 

The caller says he/she needs to send the money urgently, explaining they tried unsuccessfully a number of times to perform the transaction online, and need help. The CSR asks the caller a battery of security questions to authenticate their identity. Without missing a beat, the caller provides the correct account number, physical address, the last four digits of the social security number on file, etc.  

Eager to help ‘the long-time customer,’ the CSR approves the funds transfer and schedules the transaction for the next business day. Since the caller provided all the correct answers, the CSR has no way of knowing he/she was a fraudster.  

Since personally identifiable information (PII) has and continues to be stolen in an endless stream of data breaches, most of the details required to carry these type of attacks are available for purchase on the dark web. However, the fraudster could also be working with a malicious insider who has provided the necessary PII required to compromise the target account.  

Three Ways to Reduce Call Center Fraud   Use the Cloud  

Instead of relying on call center employees to handle sensitive personal information, some organizations employ a secure, cloud platform to process payments. Employees can see that transactions are taking place but they have no visibility into sensitive customer data and card numbers.  

Enhanced Authentication  

Increasingly, companies are abandoning crude forms of authentication like passwords which are too easily breached, copied or shared. Instead, they are supplementing knowledge- based questions with advanced authentication methods such as biometrics and one-time passwords. Some banks and credit card companies use one-time passwords to verify the identity of an account holder before a CSR can perform any requested transactions.  

Fraud Behavior Analytics  

To automate fraud detection, an increasing number of organizations are turning to behavior-based security and fraud analytics. These analytics engines ingest and process enormous amounts of data from disparate systems — and then use machine learning models to pinpoint anomalous activity.  

In the call center fraud scenario described above, data from the ticketing system would show that the account password was changed a few days earlier. Meanwhile, data from the core banking solution would identify that the destination foreign account for the funds was recently created. In addition, phone system records would show that the time of day of the (fraud) call is inconsistent with previous calls associated with the account. And finally, data from public records would show that the real account holder is childless.  

By correlating data from different information “silos” behavior- based fraud behavior analytics could predict the risk and prevent the funds transfer.  

Detecting and preventing call center fraud embodies many of the same challenges associated with fighting insider threats, since the attacker in both cases is authenticated to perform sensitive transactions. As a result, the advanced security measures described above, especially enhanced authentication and security analytics, can be used to predict and prevent fraud and data exfiltration by both insiders and outsiders.

About the author: Saryu Nayyar is CEO of Gurucul, a provider of behavior based security and fraud analytics technology. She is a recognized expert in information security, identity and risk management, and author.

Copyright 2010 Respective Author at Infosec Island]]>
Best Practices for Remote Workers’ Endpoint Security https://www.infosecisland.com/blogview/25207-Best-Practices-for-Remote-Workers-Endpoint-Security-.html https://www.infosecisland.com/blogview/25207-Best-Practices-for-Remote-Workers-Endpoint-Security-.html Mon, 22 Jul 2019 07:04:16 -0500 Remote workers often use corporate devices and computers when working at home or from a local office. When travelling, they might use personal mobile phones or computers to carry out their official tasks. Regardless of the endpoint used to access corporate data, one of an IT admin’s most important jobs is to secure that data while it’s stored on and accessed by corporate and personal endpoints. Below, we’ll look at best practices for getting that job done as well as one company embracing them.

Encrypt devices - When users travel, your organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access particularly if a device was lost or stolen.

Practice the principle of least privilege - Only grant necessary and sufficient permissions that users need to carry out their activities, for a limited time. Restricting users to the minimum rights required by their tasks will greatly reduce the attack surface of the remote workforce.

Make access conditional – Before remote workers connect to the corporate network, ensure their endpoints comply with your security policies such as running up-to-date patches and security products. This applies to both corporate and personal devices.

Sandbox work applications -Sandbox your enterprise applications so that corporate data can't be accessed by other, possibly malicious apps installed on users’ personal devices. Sandboxing will stop the corporate data leak.

Secure remote connection - Any corporate resource on the corporate network should be accessed through a VPN secure connection.

Use two factor authentication - When end users want to connect to the network, they must enter their password as well as a one-time password sent to a personal mobile device.

Create awareness among remote workers - Implementing more security policies will decrease the user’s privacy. Alternatively, you should educate remote workers about the use of strong passwords, the basics of social engineering attacks, and your company’s security policies overall.

Relieve remote workers of security tasks - Enterprises should manage the endpoints and keep them secure when they're on the network and away from it. Expecting end user to connect to VPN and apply patches or security policies on their own is unrealistic. Similarly, the endpoint management and security tasks should be adequately automated to ensure your IT team is not overwhelmed by the work.

Patch your endpoints - Keep your operating systems and applications up to date to stop the exploitation of the known vulnerabilities. Patching should happen whether endpoints are connected to the network or not.

It is easy for an employee to delay or decline updating a patch, as they likely don’t fully comprehend the potential ramifications from these simple actions. This is part of the reason that 8x8, a provider of cloud communication and customer engagement solutions, automated patch management across its global workforce. An automation strategy allows remote and local endpoints to be updated, without relying on individual employees. This ensures that all endpoints, including PCs, Macs, tablets and mobile devices, remain secure and compliant.

For most organizations, remote workers are an unavoidable fact of life. The upside is employees are often happier and teams are more efficient. The downside is security is often compromised due to poorly managed endpoints. But as we’ve seen, you can mitigate threats posed by remote workers’ endpoints and significantly improve your overall network and data security with a few best practices.

About the author: Mathivanan Venkatachalam is vice president of ManageEngine, a division of Zoho Corp., and has been part of the Zoho team since its inception. Prior to working with ManageEngine, he was associated with IIT Madras for their V5.2 protocol stack in layer 1 and layer 2 development.

Copyright 2010 Respective Author at Infosec Island]]>
Cisco Patches Critical Flaw in Vision Dynamic Signage Director https://www.infosecisland.com/blogview/25211-Cisco-Patches-Critical-Flaw-in-Vision-Dynamic-Signage-Director.html https://www.infosecisland.com/blogview/25211-Cisco-Patches-Critical-Flaw-in-Vision-Dynamic-Signage-Director.html Sat, 20 Jul 2019 14:45:36 -0500 Cisco this week released a security patch for the Vision Dynamic Signage Director, to address a Critical vulnerability that could allow attackers to execute arbitrary actions on the local system. 

Tracked as CVE-2019-1917, the vulnerability was found in the REST API interface of Vision Dynamic Signage Director and could be exploited by an unauthenticated, remote attacker to bypass authentication on an affected system.

“The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system,” Cisco explains.

An attacker able to exploit the vulnerability would execute arbitrary actions through the REST API with administrative privileges. 

Enabled by default, the REST API cannot be disabled. According to Cisco, there is no workaround for this issue, but a software update has been released to address the bug. 

This week, Cisco also addressed High severity vulnerabilities FindIT Network Management Software, and IOS Access Points Software 802.11r. Tracked as CVE-2019-1919 and CVE-2019-1920, these bugs could be exploited to log in with root-level privileges or cause a denial of service (DoS), respectively.

Cisco also releasedfixes for several Medium severity vulnerabilities in Industrial Network Director (IND), Small Business SPA500 Series IP Phones, Small Business 200, 300, and 500 Series Switches, and Identity Services Engine (ISE).

These vulnerabilities include information disclosure, local command execution, open redirect, Cross-Site Scripting, and blind SQL injection flaws. 

Additionally, Cisco updated the advisories published for several older vulnerabilities, including a High severity flaw in its Secure Boot implementation, which could allow an attacker to modify a device’s firmware, and which impacts a large number of Cisco products. 

The advisories for three command injection vulnerabilities in NX-OS software, namely CVE-2019-1776, CVE-2019-1783, and CVE-2019-1784, were updated as well, along with those for a Cross-Site Request Forgery bug in OS XE software Web UI and a Denial of Service in IOS software.

RelatedCertificates Issued to Huawei Subsidiary Found in Cisco Switches

RelatedCritical Flaws Found in Cisco Data Center Network Manager

Copyright 2010 Respective Author at Infosec Island]]>
Cybersecurity: Drones Will Soon Become Both Predator and Prey https://www.infosecisland.com/blogview/25208-Cybersecurity-Drones-Will-Soon-Become-Both-Predator-and-Prey.html https://www.infosecisland.com/blogview/25208-Cybersecurity-Drones-Will-Soon-Become-Both-Predator-and-Prey.html Fri, 19 Jul 2019 08:47:51 -0500 In the coming years, commercial drones will become a predator controlled by attackers to conduct targeted assaults on business. Drones will become smaller, more autonomous with increased range and equipped with cameras for prolonged surveillance missions. Flying in close proximity to operating environments, they will also be used to conduct advanced man-in-the-middle attacks, degrade mobile networks or spoof and jam other signals.

Conversely, drones will become prey as they are targeted by attackers in order to disrupt dependent businesses. Drones will be knocked out of the sky and hijacked. Information collected by drones will be stolen or manipulated in real time. Industries that leverage drones to become more efficient, such as construction, agriculture and border control, will see their drones targeted as attackers’ spoof and disrupt transmissions.

Technological breakthroughs in drone technologies, combined with developments in 5G, big data, the Internet of Things (IoT), and the relaxation of aviation regulations, will mean that drones will become increasingly important to operating models. Organizations will rely upon them for delivery, monitoring, imagery and law enforcement, whilst attackers will embrace drones as their new weapon of choice. The threat landscape will take to the skies.

Justification for This Threat: Predator

Drones used in the military for reconnaissance, targeted missile attacks and battlefield intelligence have been commonplace for years now. However, the line between military and civilian usage has somewhat blurred over the last few years as smaller, unmanned aerial vehicles or quadcopters have become more popular and commercialized. Close calls have been reported more frequently in the media with cases of assassination attempts, near fatal crashes, injuries and spying all being recorded. Moreover, two high-profile incidents of drones grounding flights at London’s Gatwick and Heathrow airports took place in late December 2018 and early 2019, illustrating significant business disruption from drone activity.

Quadcopter-style drones, supposedly capable of carrying out electronic warfare and cyber-attacks, are currently being developed. For example, American-Italian contractor, Selex Galileo, recently built a small drone that can interfere with communication systems such as Bluetooth or Wi-Fi and can self-destruct if captured. Septier Communications is developing a drone that can eavesdrop on mobile phone calls, intercept other mobile data or force devices on a high-security 4G network to downgrade to an older, lower quality and less secure network. If terrorist groups, hacking groups or hacktivists managed to get their hands on this technology then their armory would be significantly enhanced.

Justification for This Threat: Prey

Drone-based delivery is expected to start in European countries in 2019 following the relaxation of air traffic regulations, allowing drones to fly out of sight and above 400 feet. This will revolutionize the supply chain, opening up a range of new attack vectors that hackers will undoubtedly target. According to Goldman Sachs, the forecasted market opportunity for drones will grow to $100 billion by 2020, helped by growing demand from commercial and government sectors. There are over one million active drone devices currently operating in test environments in the US alone, with over 100,000 pilots registered with the FAA.

Drone usage will be particularly prominent across the agricultural, construction and oil and gas industries as business models are adapted to take advantage of drone technology. Activities such as monitoring of crop yields, airborne inspection of oil pipelines and safeguarding of construction sites will be entrusted to drones as businesses look to further automate key processes. Fire and police services will use drones to greatly enhance their capability to locate people, whether that be survivors of an incident or persons of interest. All industries that leverage this relatively immature technology will find themselves targeted as attackers aim to take advantage of drones.

Like other IoT devices, drones currently have very poor security controls, making them vulnerable to hijacking. Commercial drones will become a fresh privacy concern as they begin to store sensitive information on board. The majority will be fitted with cameras or a range of sensors, collecting information such as GPS location, credit card numbers, email addresses or physical addresses. This type of information will be a prime target for attackers over the coming years.

How Should Your Organization Prepare?

If an organization is reliant upon drones for critical operations then diligent risk assessments need to be conducted, and controls must be implemented or upgraded to mitigate risk to the business. As drones take to the skies, organizations must become more vigilant and wary.

In the short term, organizations should determine how drones are likely to be used across the business and incorporate business continuity arrangements should these drones be disrupted and regularly update or patch drones.  Additionally, organizations should apply specialized technical controls such as signal jamming, geofencing and hardening Wi-Fi and protect locations from drone spying by installing blinds and curtains, mirrored windows or white noise generators.

In the long term, lobby drone manufacturers or providers to ensure that drones have security features incorporated and keep up to date with future legal and regulatory requirements, considering that they may differ or conflict across jurisdictional boundaries.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments.

Copyright 2010 Respective Author at Infosec Island]]>
The Automotive Industry: Stepping up on Defense https://www.infosecisland.com/blogview/25206-The-Automotive-Industry-Stepping-up-on-Defense-.html https://www.infosecisland.com/blogview/25206-The-Automotive-Industry-Stepping-up-on-Defense-.html Fri, 19 Jul 2019 08:41:23 -0500 We are midway through 2019, and automotive hacks continue to rise. The global market for connected cars is expected to grow by 270% by 2022, with more than 125 million passenger cars with embedded connectivity forecast to ship worldwide by 2022.

The amount and quality of data is only destined to grow as manufacturers add more technology into the driver and the passenger experience, especially as we approach a time when cars will be capable of autonomously taking passengers from point A to point B.

Cyberattacks on automotive players were not very common until recently, likely due to the fact that not too long ago, there was simply nothing to hack in an automobile. In recent years our dashboards have grown from basic entertainment systems to computers. As the incentive for hackers is growing we should assume as are the efforts to breach the data in automobiles. There has been astounding progress with car technology in recent years, particularly in the connectivity channels, WiFi, GPS systems, Bluetooth and now cellular SIM cards embedded in the vehicle. The significant increase in mobility endpoints and the sheer amount of code that runs the modern car means that there is a great opportunity for hackers.

A Great Infotainment System means Great Vulnerability

Car dashboards today are a full computers, with a multitude of different functions, such as in-vehicle entertainment, mobile phone integration, navigation systems, and soon, payment systems. While advancements in technology have improved the user experience, there is also increased  vulnerability.

In addition, infotainment and telematics systems have become a gateway to the car’s advanced driver assistance systems, by linking to data that can affect a car’s safety features, such as sensors, anti-lock brakes, lane departure warnings, adaptive cruise control, and automatic stopping the car.

Black Hat Attacks

Recently a black hat attack was carried out that was far from simplistic. A hacker named L&M has gained access into two prominent applications companies [mention their names] use to monitor and manage fleets through GPS tracking devices. This hacker boldly called the companies requesting money for the information he or she stole from over 27,000 accounts. This was not a white hat attack nor was it a bug bounty – this was ransom.

What is unique about this situation is the hacker was also able to kill the engine of the vehicle of the account holder. L&M could have caused much more destruction and harm with this hack.

These situations should act as a light bulb for automakers to understand the vulnerabilities their vehicles face. Securing a modern car against a cybersecurity attack is about preventing them from the earliest stages of development. Original Equipment Manufacturers (OEMs) should consider incorporating defensive measures during the development phase.

As the in-vehicle technology continues to innovate, hackers are continuing to learn and find vulnerabilities to exploit the physical car as well as the personal, financial and driver data. Through a vehicle’s infotainment and telematics system, we see these vulnerabilities more clearly and can understand just how white hat hackers are gaining access. Through these discoveries, security companies are helping car manufacturers outfit their vehicles with embedded cybersecurity software that protects vehicles from all endpoints as to not allow access to the vehicle’s data or alter the settings from factory settings. As we approach the second half of 2019, we anticipate automotive and other connected device manufacturers to recognize their vulnerabilities and step up their defensive strategy. 

About the author: David Barzilai is co-founder and chairman at Karamba Security.

Copyright 2010 Respective Author at Infosec Island]]>
Beyond the Endpoint: Fighting Advanced Threats with Network Traffic Analytics https://www.infosecisland.com/blogview/25205-Beyond-the-Endpoint-Fighting-Advanced-Threats-with-Network-Traffic-Analytics.html https://www.infosecisland.com/blogview/25205-Beyond-the-Endpoint-Fighting-Advanced-Threats-with-Network-Traffic-Analytics.html Fri, 19 Jul 2019 08:36:07 -0500 Safeguarding enterprise assets is no longer just about protecting endpoints from malware, spam and phishing. Enterprise infrastructures are much more complex today than even a few years ago. In a bid to optimize processes and maximize profits, businesses are deploying cloud services, IoT and mobile solutions at an unprecedented rate. Keeping pace with digital demands can result in an expanded attack surface. This means cybersecurity chiefs need an approach that ensures enterprises are protected from both external and internal threats.

The effectiveness of an organization’s incident response capabilities poses a major challenge in the face of a constantly expanding threat landscape riddled with sophisticated attackers. Business leaders are aware of the risks associated with an attack on their IT infrastructure, and they know a breach is imminent if their security posture is weak.Additionally, the rising costs of downtime, incident response and recovery have revealed a worrying fact: security operations centers (SOCs) can no longer rely only on traditional security tools and processes to protect their organizations’ data. Late warning signs, limited support for incident response, unpatched endpoints, spotty detection of insider threats, and a long stream of false positives give attackers the advantage.

If these concerns were not enough, studies also show that SOC teams are feeling overburdened, and CISOs are no longer coping with the responsibilities of their job. Information security chiefs today are looking for ways to modernize their security architecture, to improve their ability to quickly detect and effectively respond to advanced attacks, and to stop losing sleep over the fear of single-handedly sinking their business.

The race for superior threat detection

Traditional solutions are no longer useful in the face of advanced threats, and new approach is needed--one designed to catch malicious activity in transit, before it can reach any endpoint on a targeted infrastructure. Thus, Network Traffic Analytics (NTA) was born.

Endpoint protection solutions are great at preventing the execution of threats at the endpoint level. They can even detect advanced attacks that pass through some of the prevention layers. NTA augments EPP by adding specialized detection for the most advanced threats, at the network level. This means SOCs get a bird’s eye view of all network activity to detect breaches and malicious or irresponsible user behavior, and also have access to additional historic information for regulatory compliance (PCI, GLBA, NIST and GDPR) and other retroactive investigations.

Industry watchers agree. According to Eric Ogren, an analyst with 451 Research, “What network traffic analytics sees is what is actually happening in the business in real time, with the possibility to thwart attacks before catastrophic damage occurs.”

“Network traffic analytics (NTA) is fast becoming the easiest-to manage choice to detect infected devices, track account activity and catch data being staged for later exfiltration. NTA goes beyond catching unauthorized east-to-west traffic and improper use of protocols, to include alerts when clients start acting as servers, signs of ransomware via suspicious file share activity, connections to external domains within a few milliseconds of opening an email attachment, and more.” Ogren said.

High fidelity threat reports – the key to a SOC team’s success

Probably the biggest benefit of NTA technology is that SOC teams get intelligent, automated alert triage.Automated triage significantly improves incident response. It makes incident security investigation approachable and affordable for organizations stretched between limited resources and significant cyber risks. Additionally, it provides “security visibility” into network traffic using reasoning (AI/machine learning and behavior analysis) with insights from cloud threat intelligence. An efficient NTA implementation automatically detects threats for all entities, managed or unmanaged, for encrypted or un-encrypted network traffic.

The ideal NTA deployment must be capable of automating security incident alert processing and provide context, enabling security operations to stay focused on incidents that really matter, reducing the risk of overlooking important security incident alerts.

With cyber incidents continually on the rise, high fidelity threat reports are key to empowering SOC teams to detect attacker tactics and techniques, to sniff out risky user activity, to improve analysts’ threat-hunting efficiency, as well as to achieve regulatory compliance.

About the author: Filip Truta is an information security analyst with more than twelve years of experience in the technology industry.

Copyright 2010 Respective Author at Infosec Island]]>
Today’s Top Public Cloud Security Threats …And How to Thwart Them https://www.infosecisland.com/blogview/25203-Todays-Top-Public-Cloud-Security-Threats-And-How-to-Thwart-Them.html https://www.infosecisland.com/blogview/25203-Todays-Top-Public-Cloud-Security-Threats-And-How-to-Thwart-Them.html Fri, 21 Jun 2019 11:02:00 -0500 Many enterprises today have inadvertently exposed proprietary information by failing to properly secure data stored in public cloud environments like AWS, Azure, and GCP. And while cloud computing has streamlined many business processes, it can also create a security nightmare when mismanaged. A simple misconfiguration or human error can compromise the security of your organization's entire cloud environment.

Whether your whole business or small portions operate in the cloud, it’s imperative to understand the cloud-specific threats facing your organization in order to find creative and impactful solutions for remediation and protection. Let’s start by walking through the top security challenges in the cloud today to gain a better understanding of this complicated and ever-evolving landscape.

Top Security Challenges in the Cloud

Top threat: Phishing

Phishing is very popular in the cloud today. It’s often deployed using PDF decoys hosted in public cloud that arrive as email attachments and claim to have legitimate content, such as an invoice, employee directory, etc. Furthermore, since the malicious pages are stored in public cloud, they fool users into thinking that they are dealing with a legitimate entity, such as Microsoft, AWS, or Google. Once received, such content is saved to cloud storage services, like Google Drive. As soon as attachments are shared, malware can propagate within an organization, leading to cloud phishing fan out. In a matter of minutes, a legitimate user’s account can be compromised and used as part of a phishing campaign, which is far harder to detect and mitigate.

Top threat: Cryptojacking

Cryptojacking occurs when a nefarious actor uses your public cloud compute resources without your authorization. Such attacks are indifferent to device type, service, or OS, making them especially dangerous. What’s more, because such attacks usually appear to be coming from legitimate users, they often go undetected for quite some time, allowing the actors to execute a number of attacks under the radar.

A deeper understanding of these threats is critical, but it doesn’t solve the problem. So, where do we go from here? Below are my recommendations on steps for combating the above risks (and others) in the cloud.

Recommendations for Better Cloud Security

Assess Your Risk Exposure

Organizations must deploy a real-time visibility and control solution for sanctioned and unsanctioned accounts to perform continuous assessment of the security posture of these accounts and to provide visibility into what is going on with your IaaS accounts. You must also track admin activity using logging services like Amazon CloudTrail and Azure Operational Insights to gather logs about everything that is going on in an environment. Additionally, consider deploying an IaaS-ready DLP solution to prevent sensitive data loss in web facing storage services, like AWS S3 and Azure Blob. And lastly, get real-time threat and malware detection and remediation for IaaS, SaaS, and Web. It’s imperative to continuously monitor and audit for IaaS security configuration to ensure compliance with standards and best practices and to make sure that the bad guys do not split in and fly under the radar.

Protect Sensitive Data from Insider Threats

While it sounds like common sense, many of today’s breaches occur when a user either intentionally or inadvertently shares sensitive information that compromises the security of an organization. To combat this, it’s important to educate all employees of the risks associated with doing business in the cloud. Warn users against opening untrusted attachments and executing files. Teach employees to verify the domains of links and identify common object store domains. Deploy real-time visibility and control solutions, as well as threat and malware detection solutions to monitor, detect, and remediate nefarious activity. And lastly, scan for sensitive content and apply cloud DLP policies to prevent unauthorized activity, especially from unsanctioned cloud apps. People are often the weakest link and proper training and education should be a priority for your business.

Follow Best Practices

Businesses should leverage compliance standards, such as NIST, CIS, and PCI, to easily benchmark risk and security. A lot of these tools will provide insights and recommendations for how to remediate various violations, but you should still understand that customization is key.

In order to thwart exposure, companies must have the capability to look at all cloud environments and perform assessments of how such resources are secured. And remember, every organization is different, and there is no one-size-fits-all approach to proper protection in the cloud. That said, by better understanding the threat landscape (whether within or outside your organization) and putting the proper tools in place, comprehensive cloud security is, indeed, possible.

About the author: Michael Koyfman is a Principal Global Solution Architect with Netskope. In his role, he advises Netskope customers on best practices around Netskope deployments and integrating Netskope solutions within customer environment by leveraging integration with customer technology ecosystem.

Copyright 2010 Respective Author at Infosec Island]]>
Influence Operation Uses Old News of New Purposes https://www.infosecisland.com/blogview/25202-Influence-Operation-Uses-Old-News-of-New-Purposes.html https://www.infosecisland.com/blogview/25202-Influence-Operation-Uses-Old-News-of-New-Purposes.html Tue, 18 Jun 2019 10:11:54 -0500 A recently uncovered influence campaign presents old terror news stories as if they were new, likely in an attempt to spread fear and uncertainty, Recorded Future reports. 

Dubbed Fishwrap, the operation uses 215 social media accounts that leverage a special family of URL shorteners to track click-through from the posts. At least 10 shortener services are used, all of which run the same code and are hosted on the same commercial infrastructure.

The campaign was identified using a Recorded Future-designed “Snowball” algorithm that allows for the detection of “seed accounts” and the discovery and analysis of additional accounts engaged in an operation.

Fishwrap was initially detected through the automatic tracking of terror events only reported by social media, which led to the identification of around a dozen accounts engaged in spreading old terror news as if it were new. 

Recorded Future’s security researchers then applied the Snowball algorithm to the small set of identified posts which led them to the suspicious activities that more than a thousand profiles have been engaged into. 

To narrow down the activity, the researchers then looked at similarities related to temporal behavior, the domain of the URLs referred to in the accounts’ posts, and account status.

This revealed three different activity periods, with clusters of accounts active between May 2018 and October 2018, between November 2018 and April 2019, and active during the entire time period (May 2018 to April 2019). 

These patterns revealed the launch of a series of accounts in May 2018, many of which were shut down in October 2018, which resulted in new accounts being created only a few weeks later. 

Some of the accounts were found to post, to some extent, identical URLs. Overall, the researchers identified 215 accounts that posted only links created using 10 domains hosting URL shortener services. Some of the accounts use multiple shorteners, but each of the domains has a fairly large number of accounts referencing to it. 

Analysis of the HTML code for the 10 URL shorteners, all of which are anonymously registered, reveals that they all appear to be tracking all agents that follow the links, which suggests that the actors are looking into measuring the effectiveness of the operation or to profile the “captured audience” of the operation.

While a fair percentage of the accounts have been suspended, there has been no general suspension of accounts related to these URL shorteners, likely because they were posting links related to old, but real, terror events. 

RelatedIran-based Social Media Scheme Impersonated Press

RelatedHow China Exploits Social Media to Influence American Public

RelatedFacebook Blocks More Accounts Over Influence Campaigns

Copyright 2010 Respective Author at Infosec Island]]>
Spring Cleaning: Why Companies Must Spring Clean Out Their Social Media Accounts This Season https://www.infosecisland.com/blogview/25201-Spring-Cleaning-Why-Companies-Must-Spring-Clean-Out-Their-Social-Media-Accounts-This-Season.html https://www.infosecisland.com/blogview/25201-Spring-Cleaning-Why-Companies-Must-Spring-Clean-Out-Their-Social-Media-Accounts-This-Season.html Fri, 14 Jun 2019 12:03:00 -0500 Every year around this time, we collectively decide to open the windows, brush off the dust, and kick the spring season off on a clean foot. But as you are checking off your cleaning to-dos, be sure to add your social media profiles to that list. It’s obvious that social media profiles hold sensitive personal data but letting that information and unknown followers pile up can put your company, customers and employees at risk.

We live in a world where data privacy is top of mind, and in fact, this spring season marks the one-year anniversary of GDPR. Since the law went into effect, we have seen numerous cases of high profile data breaches making headlines. Now more than ever, businesses have an obligation to not only comply with data privacy laws but go above and beyond to secure proprietary, sensitive, and consumer data.

So, what can you do to protect your business, customers, and employees from data breaches and information leakage? Here are three tips for cleaning and securing your online data this spring.

#1: Clean what’s yours

You wouldn’t just clean your bedroom and leave the bathroom a mess, would you? Of course not. So, when managing your data, you first need to understand what online assets you own. Whether corporate or personal, start by taking stock of your owned social media accounts, domains, e-commerce sites, and any other digital channels where you or your company has a presence. Not only should you identify what accounts you own, but it’s necessary to review the privacy settings on those accounts. What are you sharing? Who can see your posts? Your locations? Your contact information?

One of the most overlooked ways of protecting your owned accounts is through strong passwords. You should have a unique password for each of your social media accounts, and for all accounts for that matter. The passwords should have a variety of cases, letters and symbols, and be hard to decipher. Be sure to avoid names, soccer players, musicians and fictional characters – according to the U.K. government’s National Cyber Security Center, these are some of the worst, most hackable passwords.

#2: Clean on behalf of your customers

For corporate channels, keeping owned accounts secure protects your brand’s reputation against impersonators, offensive content and spam. What’s more, it also protects your followers – which includes customers – from being exposed to that malicious content. As customers are more frequently using social media channels to engage with brands before making a purchase or obtaining a service, companies must prioritize retaining trust and loyalty among their customers.

To do so, your organization needs to, let’s say, “polish the windows” and be fully transparent with how the company will use their personal data. And with more state laws replicating the precedent set by GDPR, this visibility will not only be a best practice, but a law.

In addition, you should invest in the identification and remediation of targeted attacks and scams on your customers. This will not only help you gain their trust, but also provide them with ample protection. Finding and removing customer scams – i.e. malware links to social accounts impersonating your customer support team – will keep you and your valued customers safe online.

#3: Empower your employees to clean

Easy-to-use tools like Amplify by Hootsuite have turned employees into companies’ greatest brand ambassadors, particularly on social media. This type of promotion is invaluable to marketing teams, but whether on corporate or personal channels, employee use of social media must be addressed by security and marketing teams alike.

This spring, empower your employees to own their own social media cleanliness. By establishing and providing comprehensive education and training programs for your employees empowers them to learn the latest when it comes to corporate online policies and also social media security best practices. Traditionally, we find that companies have invested in trainings focused on email or insider threat risks but have neglected social and digital channels.

Don’t wait until next spring to clean again

Although it is best to incorporate social media security best practices into our everyday, this spring season make it a point to do a deep dive into your personal and professional social media profiles. Your brand, employees and customers will thank you, and your profiles will have a fresh glow after a long winter.

About the author: David Stuart is a senior director at ZeroFOX with over 12 years of security experiences.

Copyright 2010 Respective Author at Infosec Island]]>