ISP Brought Down by Warring Malware Families

A battle between two rival families of malware is being blamed for the downtime that a Californian ISP suffered earlier this month.

As BleepingComputer reports, customers of Sierra Tel unexpectedly found themselves without telephone and internet connectivity on April 10.

In a statement issued by the ISP the following day, the blame was put firmly on “a malicious hacking event” that had disabled the Zyxel HN-51 routers in many Sierra Tel customers’ homes.

In a desperate attempt to resolve an escalating problem, Sierra Tel’s affected customers were advised to physically take their broken routers into the ISP’s offices and pick up a replacement. However, supply shortages meant that replacements quickly ran out, and users reliant on an internet connection had to drop off their devices and wait for news that they had been properly repaired.

It took almost two weeks before Sierra Tel felt ready to announce on its Facebook page that it would soon have finished fixing the last of the affected modems:

Now, BleepingComputer reports that the blame for the outage is being put at the door of two warring malware families: Mirai and Brickerbot.

Mirai needs little introduction, having infamously hijacked hundreds of thousands of IoT devices to launch a massive distributed denial-of-service attack last year against Dyn’s domain name system infrastructure.

BrickerBot, however, appears to be the creation of a vigilante grey-hat who goes by the online handle of “Janit0r”. If his claims are to be believed, Janit0r wrote BrickerBot to firstly attempt to fix the security holes on vulnerable IoT devices and – if that fails – adopt what is euphemistically known as Plan B: Brick the devices.

The thinking? A broken device can’t be infected by further malware in the future, and effectively becomes the vendors’ problem to sort out.

You can’t deny that a non-working broadband router is more likely to get the attention of the typical internet user than the standard security advisory.

ICS-CERT warned organizations of the threat posed by Brickerbot earlier this month

Those of you with a long memory may recall that Zyxel broadband routers were also at the centre of an attack which knocked offline customers of the UK Post Office, TalkTalk, Deutsche Telekom, and Ireland’s biggest telcoms provider, Eir, offline last year.

Sierra Tel seems to have worked hard to retain the support of its customers, and to be transparent in its communications about what was going on. But you can’t help but feel that too many ISPs are foisting poorly protected routers onto the public, without properly considering the security implications.

Much of the malware that has been seen impacting IoT devices has relied upon default passwords, or functionality which allows service providers to manage customers’ hardware remotely without restricting such access to, say, the ISP’s own managed network.

My fear is that this won’t be the last time we see innocent people inconvenienced while malware battles for control over their poorly-secured IoT gear.

 

via:   tripwire


Save pagePDF pageEmail pagePrint page

Air Force Issues Challenge to “Hack the Air Force”

The Air Force is inviting vetted computer security specialists from across the U.S. and select partner nations to do their best to hack some of its key public websites.

The initiative is part of the Cyber Secure campaign sponsored by the Air Force’s Chief Information Office as a measure to further operationalize the domain and leverage talent from both within and outside the Department of Defense.

The event expands on the DoD ‘Hack the Pentagon’ bug bounty program by broadening the participation pool from U.S. citizens to include “white hat” hackers from the United Kingdom, Canada, Australia and New Zealand.

“This outside approach–drawing on the talent and expertise of our citizens and partner-nation citizens–in identifying our security vulnerabilities will help bolster our cybersecurity. We already aggressively conduct exercises and ‘red team’ our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team,” said Air Force Chief of Staff Gen. David Goldfein.

White hat hacking and crowdsourced security concepts are industry standards that are used by small businesses and large corporations alike to better secure their networks against malicious attacks. Bug bounty programs offer paid bounties for all legitimate vulnerabilities reported.

“This is the first time the AF has opened up our networks to such a broad scrutiny,” said Air Force Chief Information Security Officer Peter Kim.  “We have malicious hackers trying to get into our systems every day. It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities.”

Kim made the announcement at a kick-off event held at the headquarters of HackerOne, the contracted security consulting firm running the contest.

“Every business or organization has a finite amount of time and specialized skills necessary to find vulnerabilities within their networks, but when you open them up to such a diverse group you get amazing results at low cost,” said Chris Lynch of the Defense Digital Service (DDS), an organization comprised of industry experts incorporating critical private sector experience across numerous digital challenges.

The competition for technical talent in both the public and private sectors is fiercer than it has ever been according to Kim. The Air Force must compete with companies like Facebook and Google for the best and brightest, particularly in the science, technology, engineering, and math fields.

Keen to leverage private sector talent, the Air Force partnered with DDS to launch the Air Force Digital Service team in January 2017, affording a creative solution that turns that competition for talent into a partnership.

In fact, Acting Secretary of the Air Force Lisa S. Disbrow and Gen. Goldfein visited the Defense Digital Service and Air Force Digital Service in early April to discuss a variety of initiatives the Air Force can benefit from.

“We’re mobilizing the best talent from across the nation and among partner nations to help strengthen the Air Force’s cyber defenses.  It’s an exciting venture, one that will make us better, and one that focuses an incredible pool of capabilities toward keeping our Air Force sites secure,” said Acting Secretary Disbrow.

The DoD’s ‘Hack the Pentagon’ initiative was launched by the Defense Digital Service in April 2016 as the first bug bounty program employed by the federal government. More than 1,400 hackers registered to participate in the program. Nearly 200 reports were received within the first six hours of the program’s launch, and $75,000 in total bounties was paid out to participating hackers.

Registration for the ‘Hack the Air Force’ event opens on May 15th on the HackerOne website. The contest opens on May 30thand ends on June 23rd. Military members and government civilians are not eligible for compensation, but can participate on-duty with supervisor approval.


Save pagePDF pageEmail pagePrint page

MasterCard trials biometric bankcard with embedded fingerprint reader

MasterCard is trialling a Chip and PIN bankcard that includes an embedded fingerprint reader, introducing a biometric authentication layer for card payments — and taking a leaf out of the book of Apple Pay et al in the process. The thinking here being: why pay by entering a four-digit PIN when you can stick your thumb on it?

So far the biometric card has been trialled at two locations in South Africa, with additional trials planned over the next few months in Europe and Asia Pacific, according to a spokeswoman, and a full rollout expected later this year.

“We are targeting consumer rollout by end of 2017 through issuers that choose to offer biometric cards,” she told us.

MasterCard is touting convenience and security as the drivers for embedding a fingerprint sensor in plastic bankcards — after all, you can’t shoulder-surf a fingerprint as you can a PIN number. Although the use of contactless payment technology in bankcards (a tech that’s widespread in Europe) already offers a faster (and usually PIN-less) way to make card payments.

That said, there are some security risks with contactless payments, given there’s usually no authentication performed — so there could be an advantage to combining a contactless bankcard with a biometric one that also contains a fingerprint sensor in order to get speedy payments with at least a layer of security. (Although mobile fingerprint sensors have been shown to be spoofable. So the size of the sensor and the process for capturing a user’s print during enrollment are key considerations here.)

In this instance the MasterCard trial bankcard does not include contactless payment technology — but the spokeswoman told us that a future version will include contactless “adding to the simplicity, and convenience at checkout”.

For now, testers are required to insert the card into the POS terminal and then place their finger/thumb on the reader to authenticate the payment, as pictured above (vs entering a PIN into the keypad in the usual way).

The spokeswoman said the card is configured to expect the fingerprint for authenticating a purchase but does still have a PIN as a fall-back. “If the finger is too greasy or sweaty and the biometric doesn’t go through, the cardholder would experience a small delay and then asked to put in their PIN to complete the transaction,” she added. “The PIN also allows cardholders to use the card at ATMs globally.”

One relatively large drawback for the convenience of the biometric card is that the spokeswoman confirmed users are currently required to go to a bank branch in order to register and enroll their fingerprint. (Which is then converted into an encrypted digital template that is stored on the card.) Whereas bankcard users are normally mailed both their card and its PIN through the post so there’s no need to go to a branch to register before being able to use the card.

When asked about this the spokeswoman said MasterCard is “exploring ways to make remote registration possible”. Although again, while remote registration would be more convenient it could also open up the possibility for vulnerabilities with the implementation of the biometric technology — depending on how the fingerprint enrollment is performed.

One thing is clear, global payments giants are taking plenty of inspiration from mobile tech.

“Consumers are increasingly experiencing the convenience and security of biometrics,” said Ajay Bhalla, president, enterprise risk and security, MasterCard, in a supporting statement. “Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected.”

MasterCard has also previously trialled facial biometrics for payments — launching a so-called ‘selfie pay’ app last October which lets people authenticate an online payment by showing their face to their phone’s camera.

 

via:  techcrunch


Save pagePDF pageEmail pagePrint page

Security certificates gone wrong

Some websites, including one secured by the U.S. Department of Homeland Security, fail in their use of security certificates and break the chains of trust.

Security certificates are designed to authenticate hosts. Browsers have become pretty good about understanding chains of authorities, and making users accept the risk when websites can’t prove the chain of authorities needed to verify they are who they say they are.

Sites masquerading as legitimate sites, however, employ sad little tricks, such as “punycode”—URL links embedded in otherwise official-looking phishing emails. These tricks are malicious. There are also sites that should be well-administrated but are not.

Then there are sites, important sites, that botch their own security with certificates ostensibly granted by places such as the U.S. Department of Homeland Security (DHS).

My case in point is a website that explains the U.S. Safety Act. The Act speaks to the practice of offering legal liability protection for products or services that have been certified for anti-terrorism protection.

Any legitimate browser at the moment of this writing, will block you from that site and warn you that the chain of authorities needed to vet the site as protected by SSL/TLS does not exist. The site is untrusted.

safety act security certificate warning

As of this writing, this is the security certificate warning you receive when you go to the U.S. Safety Act website.

A quick trip to DigiCert’s SSL testing site currently reveals that the certificate isn’t signed by a trusted authority despite the fact that the rest of the certificate, which is managed by the DHS, is correct in its implementation.

I do not know if DHS or a contractor enabled the site. I do not know who wrote the site or negotiated its DNS listing. I do not know the authors of the site’s content.

I do know that if someone tested it, they should know instantly that there’s a trust problem with the site and to report it to the salient fixer of such a problem. And if it wasn’t tested, I would not be surprised.

I would be embarrassed to be a security researcher in a country that doesn’t automatically test the veracity of their security infrastructure so frequently that this would appear as a super-red flag.

And I would be embarrassed that after the first time I found this, three weeks ago, that it still wasn’t fixed today.

Is there anybody awake at the guardhouse?

 

via:  networkworld


Save pagePDF pageEmail pagePrint page

HipChat Prompts Password Resets Following Server Hack

Group messaging platform HipChat this week prompted users to reset their passwords following a security incident involving one of its servers.

Atlassian-owned HipChat claims that a vulnerability in a popular third-party library used by HipChat.com was at fault, and that the incident affected only a server in the HipChat Cloud web tier. No other Atlassian systems or products appear to have been affected, the company says.

However, to ensure that users’ data remains secure, the company decided to invalidate passwords on all HipChat-connected user accounts. It also sent notifications to those users and provided them with details on how to reset their passwords.

The incident, HipChat Chief Security Officer Ganesh Krishnan reveals, resulted in attackers possibly accessing user account information such as name, email address and password (hashed using bcrypt with a random salt) for all instances (each of which is represented by a unique URL in the form company.hipchat.com). Room metadata such as room name and topic might have also been accessed.

In some cases, messages and content in rooms may have been accessed as well. The company says that, for more than 99.95% of instances, there was no evidence that messages or content in rooms have been accessed.

“Additionally, we have found no evidence of unauthorized access to financial and/or credit card information,” HipChat revealed.

HipChat Server uses the same third-party library, but it has been deployed in a manner that minimizes the risk of this type of attack, the company says, adding that an update will be shared to customers directly through the standard update channel.

“We are confident we have isolated the affected systems and closed any unauthorized access. To reiterate, we have found no evidence of other Atlassian systems or products being affected,” the company notes.

Atlassian continues to investigate the incident and says that it is actively working with law enforcement authorities on this matter.

Owned and operated by Atlassian Pty Ltd, HipChat is a chat platform that aims at providing business users with group chat, video chat, screen sharing and required security in a single app. It brings together services that teams might be using every day, features 256-bit SSL encryption, and also packs cloud integration and synchronization across devices.

In an emailed comment, Michael Patterson, CEO of Plixer International, pointed out to SecurityWeek that this incident once again proves that any tool a manufacturer uses can be abused for compromise.

“HipChat hashes passwords using bcrypt with a random salt, which adds a layer of security, and they reset the passwords associated with effected accounts. In this case the compromise came from a trusted 3rd party, which highlights that threat surfaces for any tool extend beyond the manufacturer themselves,” Patterson said.

He also noted that the compromise of ChatOps tools like HipChat can do a lot of harm within an organization: “ChatOps tools are used to support a DevOps and collaboration culture, meaning that teams of people as well as technology systems are dynamically connected and critical business processes can be automated. When a ChatOps tool becomes compromised, there is a high likelihood that the attacker can suddenly gain access across the most trusted and an important system a company has.”

 

via:  securityweek


Save pagePDF pageEmail pagePrint page

Chipotle Reports Suspicious Actvity on POS System

Restaurant chain Chipotle has detected “unauthorized activity” on a network that supports its payment processing for purchases made at its restaurants.

According to Fortune, CFO Jack Hartung told Wall Street analysts during an investor presentation that the company’s payment processing system was hacked. He said: “We want to make our customers and investors aware we recently detected unauthorized activity on a network that supports payment processing for purchases made in our restaurants.

“We will refrain from providing additional commentary now or in the Q&A. We anticipate notifying any affected customers as we get further clarity about the time frames and the restaurant locations that might have been affected.”

He said that Chipotle had implemented additional security measures and were working with a cybersecurity firm, law enforcement and the payment processor to address the matter. It estimated that the incident occurred between March 24 and April 18.

Raj Samani, chief scientist at McAfee, said that whilst it is still unclear how many customers and restaurants were affected, it is imperative that businesses take control of their cybersecurity and introduce efficient security measures long before these hacks actually happen.

“Many customers across the US, Canada and UK will be left wondering today if they have been caught up in this hack and whether or not they have purchased a very expensive burrito,” he said.

“Until Chipotle release additional information, customers will be unsure whether they have been targeted and if their data or money is in the hands of criminals.”

Tim Erlin, Tripwire vice-president, added that while we may have become numb to breaches, criminals continue to target point of sale terminals.

“As long as compromised credit card data continues to be a valuable commodity on the black market, any company collecting or processing valid credit card information will continue to be a high value target,” he said.

“The best advice for companies running point of sale systems is to isolate and lock down the devices as much as possible. Point of sale terminals are typically low change environment; implementing security configurations and closely monitoring for any change can both prevent and detect any potential attacks. These systems should talk to predictable destinations both internally on the network as well as externally on the internet. Carefully monitoring communications for anomalies can help identify successful attacks.”

Javvad Malik, security advocate at AlienVault, said: “The attack against the payment systems highlights that even with PCI DSS controls in place to segment and protect payment networks, companies need to remain vigilant against attacks and have broad monitoring and threat detection capabilities in place that can alert to an attack in a timely manner so that the appropriate response may be taken.”

 

via:  infosecurity-magazine


Save pagePDF pageEmail pagePrint page

Apple will return heat generated by data center to warm up homes

A new Apple data center being built in Denmark is focused on returning to the community.

Apple is building a new data center in Denmark, and it has some interesting ideas on how to power the data center with renewable energy, while also giving back to the community.

Excess heat generated by the data center will be captured and returned to the local district’s heating system, which will warm up homes in the community.

The data center in the Jutland region will be partly powered by recycling waste products from farms. Apple is working with Aarhus University on a system that passes agricultural waste through a digester to generate methane, which is then used to power the data center.

The digester reaction turns some of the waste into nutrient-rich fertilizer, which Apple returns to local farmers to use on their fields. It’s a “mutually beneficial relationship,” Apple said in its environment report for 2016, released this week.

The data center in Denmark will be fully powered by renewable energy and won’t put stress on the local grid, Apple said.

Apple is also building a data center in Athenry, Ireland, that will be powered by energy generated by ocean waves. The iPhone maker is supporting the Sustainable Energy Authority of Ireland to develop the new source of energy, the company said.

Apple’s making a major push to be one of the greenest companies on the planet. It’s new corporate headquarters in Cupertino, called Apple Park, will run on renewable energy. The company has cut its use of toxic materials and is also using more recycled materials in its products and packaging.

Apple’s commitment to renewable energy was applauded by activist organization Greenpeace. Samsung, Huawei, and Microsoft now need to catch up, the organization said.

Siri, iMessage and other cloud-based applications are processed at Apple’s data centers. The company has five data centers in the U.S., which are all powered by renewable energy.

The two new data centers in Europe are expected to come online this year. The company is spending about US$1.8 billion to build the two data centers.

Apple also uses colocation facilities worldwide depending on the capacity it needs.

All of Apple’s data centers are operated on renewable energy, and that’s a goal Apple is chasing for all its facilities. About 96 percent of Apple’s facilities worldwide are now run on renewable energy, the company said.

Data centers tend to be the most power hungry tech facilities, and electricity requirements go up as computing moves into the cloud. As servers are saddled with more tasks, the processing requirements go up. As a result, more heat is generated, and Apple has found an innovative way to recycle heat.

Many data centers find ways to recycle heat, while others let the resource go waste. Amazon recycles heat to warm up offices nearby, and other companies recycle the heat to generate hot water.

Iceland and the Scandinavian countries are hot spots to establish data centers because of naturally cool weather and easy availability of hydropower.

 

via:  cio


Save pagePDF pageEmail pagePrint page

R2Games compromised again, over one million accounts exposed

Hacker targeted the U.S., France, German, and Russian forums.

Online gaming company Reality Squared Games (R2Games) has been compromised for the second time in two years, according to records obtained by the for-profit notification service LeakBase. The hacker who shared the data with LeakBase says the attack happened earlier this month.

Headquartered in Shenzhen, China, R2Games operates a number of free-to-play, micropayment-driven games on iOS and Android, as well as modern browsers. The company currently supports 19 online games, and claims over 52 million players.

In December of 2015, stretching into July of 2016, more than 22 million R2Games accounts were compromised, exposing IP addresses, easily cracked passwords, email addresses, and usernames.

The company denied the breach reports, telling one customer that “R2Games is safe and secured, and far from being hacked.”

How the data involved with this most recent breach was compromised isn’t exactly clear. The forums impacted (including the U.S., France, German, and Russian variants) are all operating on different versions of vBulletin. Some of these older versions contain known vulnerabilities, based on a passive search of Exploit Database.

The hacker claims all forums were compromised, in addition to the Russian version of r2games.com.

The latest record set includes usernames, passwords, email addresses, IP addresses, and other optional record fields, such as instant messenger IDs, birthday, and Facebook related details (ID, name, access token).

LeakBase shared the most recent records with Troy Hunt, a security researcher and owner of the non-profit breach notification website “Have I Been Pwned?” (HIBP).

Hunt checked the data by testing a small sample of email addresses and usernames against the password reset function on R2Games. Every address checked was confirmed as an existing account. From there, Hunt did some number crunching.

There were 5,191,898 unique email addresses in the data shared by LeakBase. However, 3,379,071 of those email addresses were using mail.ar.r2games.comor mail.r2games.com; and another 789,361 looked generated, as they were all [number]@vk.com addresses.

LeakBase speculates that the r2games.com addresses are the result of registrations from third-party services.

After stripping the questionable addresses Hunt was left with 1,023,466 unique email addresses to load into HIBP. Of this set, 482,074 have been seen before in other breaches, leaving 541,392 new entries for his index – and new notifications for 1,105 subscribers.

When asked about the passwords, Hunt told Salted Hash many of them are MD5 with no salt, but a large number of them have a hash corresponding to the password “admin” and a few hundred thousand others are using the plain text word “sync”.

“The observation I’d make here is that clearly, they don’t seem to be learning from previous failures. The prior incident should really have been a wake-up call and to see a subsequent breach not that long after is worrying. Perhaps the prior denials are evidence that they just don’t see the seriousness in security,” Hunt said, when asked his opinion about the latest R2Games data breach.

Salted Hash reached out to R2Games, but the company didn’t respond to questions. Emails were sent to support, as well as recruiting and sales, on the off chance someone could direct them to the proper resources.

For their part, LeakBase said since this data breach isn’t in the public domain, they will not add the records to their service and it will not be searchable. However, they do plan to email impacted users and inform them of the incident.

HIBP has been updated, and those changes are live now.

If you’re an R2Games player, it might be wise to change your password and make sure the old password isn’t used on any other websites.

Also, keep an eye out for gaming related offers and emails, as well as “notifications” from domains that aren’t related to R2Games itself – as those could be scammers looking to cash-in on the breach. While the hacked data isn’t public yet, there’s nothing preventing the person who shared it with LeakBase from selling it or trading it.

 

via:  csoonline


Save pagePDF pageEmail pagePrint page

DARPA fortifies early warning system for power-grid cyber assault

DARPA taps BAE Systems to speed network development that will help restore grid after a malicious cyber attack.

The Defense Advanced Research Projects Agency (DARPA) continues to hone the system it hopes would quickly restore power to the U.S. electric grid in the event of a massive cyberattack. The research agency this week said it awarded defense system stalwart BAE Systems an $8.6 million contract to develop a system under its Rapid Attack Detection, Isolation and Characterization (RADICS) program that has as its central goal to develop technology that will detect and automatically respond to cyber-attacks on US critical infrastructure.

BAE is the latest vendor to join the RADICS program which has doled out millions in research funds to key vendors such as Raytheon, SRI International, Vencore and includes government agencies such as the Department of Homeland Security and ICS-CERT.

When it announced RADICS in 2015, DARPA said an early warning capability for power suppliers could prevent an attack entirely or blunt its effects, such as damage to equipment.

“But the vast scale of the nation’s electrical infrastructure means that some number of systems are likely to be in an abnormal state at any given time, and it can be difficult to distinguish between routine outages and actual attacks. RADICS four-year plan looks to develop advanced anomaly-detection systems with high sensitivity and low false positive rates, based on analyses of the power grid’s dynamics,” DARPA stated.

“Recognizing that in some locations Internet infrastructure may not be operational after an attack, or that hackers may have embedded malicious code in utilities’ IT systems during an attack, RADICS also calls for the design of a secure emergency network that could connect power suppliers in the critical period after an attack. The creation of such a network will require new research into advanced security measures, as well as innovative technologies to facilitate the rapid connection of key organizations, without relying on advance coordination among them,” DARPA said.

Basically, the RADICS system would detect a cyberattack and direct grid system control centers and traffic to a back-up wireless network – what’s called a secure emergency network (SEN) that would be completely disconnected from the Internet. The SEN would be made up of wireless networks, satellite or cell systems that would let impacted organizations communicate with each other, while preventing the adversary from gaining access.

For its part once activated, BAE Systems technology would detect and disconnect unauthorized internal and external users from local networks within minutes, and creates a robust, hybrid network of data links secured by multiple layers of encryption and user authentication, according to Victor Firoiu, senior principal engineer and Manager of Communications and Networking for BAE. The system uses network traffic control and analysis that will let utilities establish and maintain emergency communications amongst key now isolated control centers, Firoiu said.

The final component of RADICS is forensics. The idea is to rapidly localize and characterize cyber-weapons that have gained access to power grid infrastructure. These intrusions may take the form of malicious code or data. Malicious code may be injected into ICS devices or control center computers, whereas data attacks may change the configuration data of ICS devices, causing them to behave incorrectly. TA-3 systems must be able to map industrial control systems, gather configuration data, determine which devices are behaving incorrectly, and discover and characterize malware.

Forensic analysis of industrial control systems and devices is largely a manual process. Scanning an ICS network with conventional IT network analysis tools can cause industrial devices to become non-responsive, DARPA is looking for what it calls innovative approaches for safely mapping and assessing the state of such networks.

“Clearly the need for RADICS is there as attacker technology has developed and the threat to the electrical grid has increased,” Firoiu stated.

 

via:  networkworld


Save pagePDF pageEmail pagePrint page

Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations are Taking

On 10th anniversary of report, classic attack vectors re-emerge; Cisco reduces “Time to Detection” to six hours.

According to the Cisco 2017 Annual Cybersecurity Report (ACR), over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 percent. Ninety percent of these organizations are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). The report surveyed nearly 3,000 chief security officers (CSOs) and security operations leaders from 13 countries in the Security Capabilities Benchmark Study, part of the Cisco ACR.

Now in its 10th year, the global report highlights challenges and opportunities for security teams to defend against the relentless evolution of cybercrime and shifting attack modes. CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Leaders also reveal that their security departments are increasingly complex environments with 65 percent of organizations using from six to more than 50 security products, increasing the potential for security effectiveness gaps.

To exploit these gaps, ACR data shows criminals leading a resurgence of “classic” attack vectors, such as adware and email spam, the latter at levels not seen since 2010. Spam accounts for nearly two-thirds (65 percent) of email with eight to 10 percent cited as malicious. Global spam volume is rising, often spread by large and thriving botnets.

Measuring effectiveness of security practices in the face of these attacks is critical. Cisco tracks progress in reducing “time to detection” (TTD), the window of time between a compromise and the detection of a threat. Faster time to detection is critical to constrain attackers’ operational space and minimize damage from intrusions. Cisco has successfully lowered the TTD from a median of 14 hours in early 2016 to as low as six hours in the last half of the year. This figure is based on opt-in telemetry gathered from Cisco security products deployed worldwide.

The Business Cost of Cyber Threats: Lost Customers, Lost Revenue

The 2017 ACR revealed the potential financial impact of attacks on businesses, from enterprises to SMBs. More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organizations that experienced an attack, the effect was substantial:

  • Twenty-two percent of breached organizations lost customers — 40 percent of them lost more than 20 percent of their customer base.
  • Twenty-nine percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue.
  • Twenty-three percent of breached organizations lost business opportunities, with 42 percent of them losing more than 20 percent.

Hacker Operations and New “Business” Models

In 2016, hacking became more “corporate.” Dynamic changes in the technology landscape, led by digitization, are creating opportunities for cybercriminals. While attackers continue to leverage time-tested techniques, they also employ new approaches that mirror the “middle management” structure of their corporate targets.

  • New attack methods model corporate hierarchies: Certain malvertising campaigns employed brokers (or “gates”) that act as middle managers, masking malicious activity. Adversaries can then move with greater speed, maintain their operational space, and evade detection.
  • Cloud opportunity and risk: Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns.
  • Old-fashioned adware ‑ software that downloads advertising without user permission – continued to prove successful, infecting 75 percent of organizations investigated.
  • A bright spot emerged with a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino, whose owners were brought down in 2016, but smaller players rushed in to fill the gap.

Secure the Business, Maintain Vigilance

The 2017 ACR reports that just 56 percent of security alerts are investigated and less than half of legitimate alerts remediated. Defenders, while confident in their tools, battle complexity and manpower challenges, leaving gaps of time and space for attackers to utilize to their advantage. Cisco advises these steps to prevent, detect, and mitigate threats and minimize risk:

  • Make security a business priority: Executive leadership must own and evangelize security and fund it as a priority.
  • Measure operational discipline: Review security practices, patch, and control access points to network systems, applications, functions, and data.
  • Test security effectiveness: Establish clear metrics. Use them to validate and improve security practices.
  • Adopt an integrated defense approach: Make integration and automation high on the list of assessment criteria to increase visibility, streamline interoperability, and reduce the time to detect and stop attacks. Security teams then can focus on investigating and resolving true threats.

Cisco Annual Cybersecurity Report – 10 Years of Data and Insights

Cybersecurity has changed drastically since the inaugural Cisco Annual Security Report in 2007. While technology has helped attacks become more damaging and defenses become more sophisticated, the foundation of security remains as important as ever.

  • In 2007, the ACR reported web and business applications were targets, often via social engineering, or user-introduced infractions. In 2017, hackers attack cloud-based applications, and spam has escalated.
  • Ten years ago, malware attacks were on the rise, with organized crime profiting from them. In today’s shadow economy, thieves now run cybercrime as a business, offering low barrier-to-entry options to potential customers. Today perpetrators can be anyone, anywhere; they don’t require a security background and can easily purchase “off-the-shelf” exploit kits.
  • The 2007 report tracked 4,773 Cisco IntelliShield Security Alerts, mapping closely to the level seen by the National Vulnerability Database. By the 2017 report, for the same time period, the vendor-disclosed vulnerability alert volume had increased by 33 percent to 6,380. We believe the increase is driven by greater security awareness, an increased attack surface and an active adversary.
  • In 2007 Cisco advised defenders to own a holistic approach to security, integrating tools, processes and policies, and educating stakeholders to protect their environments. Businesses looked to vendors for a comprehensive answer, often in vain, who instead prescribed piecemeal point solutions. In 2017 CSOs are grappling with the complexity of their environments. Cisco is combatting this through an architectural approach to security, helping customers get more from existing security investments, increasing capability while decreasing complexity.

Supporting Quotes

“In 2017, cyber is business, and business is cyber –that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture.”

– John N. Stewart, Senior Vice President and Chief Security and Trust Officer, Cisco

“One of our key metrics highlighted in the 2017 Annual Cybersecurity Report is the ‘time to detection’ – the time it takes to find and mitigate against malicious activity. We have brought that number down to as low as six hours. A new metric – the ‘time to evolve’ – looked at how quickly threat actors changed their attacks to mask their identity. With these and other measures gleaned from report findings, and working with organizations to automate and integrate their threat defense, we can better help them minimize financial and operational risk and grow their business.”

– David Ulevitch, Vice President/General Manager, Security Business, Cisco

About the Report

The Cisco Annual Cybersecurity Report, now in it’s tenth year, examines the latest threat intelligence gathered by Cisco security experts, providing industry insights that reveal customer security trends.   The 2017 report also highlights key findings from the third annual Cisco Security Capabilities Benchmark Study (SCBS), which examines security professionals’ perceptions of the state of security in their organizations. It shares geopolitical trends, global developments around data localization, and the importance of cybersecurity as a boardroom topic.

For a complete copy of the 2017 Cisco Annual Security Research report, and to read more about Cisco’s recommendations as to how businesses can mitigate against risk, click here.

 

via:  cisco


Save pagePDF pageEmail pagePrint page