Monthly Archives: April 2017

DARPA fortifies early warning system for power-grid cyber assault

DARPA taps BAE Systems to speed network development that will help restore grid after a malicious cyber attack.

The Defense Advanced Research Projects Agency (DARPA) continues to hone the system it hopes will quickly restore power to the U.S. electric grid in the event of a massive cyberattack. The research agency this week said it awarded defense system stalwart BAE Systems an $8.6 million contract to develop a system under its Rapid Attack Detection, Isolation and Characterization (RADICS) program, whose central goal is to develop technology that will detect and automatically respond to cyberattacks on U.S. critical infrastructure.

BAE is the latest vendor to join the RADICS program, which has doled out millions in research funds to key vendors such as Raytheon, SRI International and Vencore, and which includes government agencies such as the Department of Homeland Security and ICS-CERT.

When it announced RADICS in 2015, DARPA said an early warning capability for power suppliers could prevent an attack entirely or blunt its effects, such as damage to equipment.

“But the vast scale of the nation’s electrical infrastructure means that some number of systems are likely to be in an abnormal state at any given time, and it can be difficult to distinguish between routine outages and actual attacks. RADICS four-year plan looks to develop advanced anomaly-detection systems with high sensitivity and low false positive rates, based on analyses of the power grid’s dynamics,” DARPA stated.

“Recognizing that in some locations Internet infrastructure may not be operational after an attack, or that hackers may have embedded malicious code in utilities’ IT systems during an attack, RADICS also calls for the design of a secure emergency network that could connect power suppliers in the critical period after an attack. The creation of such a network will require new research into advanced security measures, as well as innovative technologies to facilitate the rapid connection of key organizations, without relying on advance coordination among them,” DARPA said.

Basically, the RADICS system would detect a cyberattack and direct grid system control centers and traffic to a back-up wireless network – what’s called a secure emergency network (SEN) that would be completely disconnected from the Internet. The SEN would be made up of wireless networks, satellite or cell systems that would let impacted organizations communicate with each other, while preventing the adversary from gaining access.

For its part, once activated, BAE Systems technology would detect and disconnect unauthorized internal and external users from local networks within minutes, and create a robust, hybrid network of data links secured by multiple layers of encryption and user authentication, according to Victor Firoiu, senior principal engineer and Manager of Communications and Networking for BAE. The system uses network traffic control and analysis that will let utilities establish and maintain emergency communications among key, now-isolated control centers, Firoiu said.

The final component of RADICS is forensics. The idea is to rapidly localize and characterize cyber-weapons that have gained access to power grid infrastructure. These intrusions may take the form of malicious code or data. Malicious code may be injected into ICS devices or control center computers, whereas data attacks may change the configuration data of ICS devices, causing them to behave incorrectly. TA-3 systems must be able to map industrial control systems, gather configuration data, determine which devices are behaving incorrectly, and discover and characterize malware.

Forensic analysis of industrial control systems and devices is largely a manual process. Scanning an ICS network with conventional IT network analysis tools can cause industrial devices to become non-responsive, so DARPA is looking for what it calls innovative approaches for safely mapping and assessing the state of such networks.

“Clearly the need for RADICS is there as attacker technology has developed and the threat to the electrical grid has increased,” Firoiu stated.

 

via:  networkworld

Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations are Taking

On 10th anniversary of report, classic attack vectors re-emerge; Cisco reduces “Time to Detection” to six hours.

According to the Cisco 2017 Annual Cybersecurity Report (ACR), over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 percent. Ninety percent of these organizations are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). The report surveyed nearly 3,000 chief security officers (CSOs) and security operations leaders from 13 countries in the Security Capabilities Benchmark Study, part of the Cisco ACR.

Now in its 10th year, the global report highlights challenges and opportunities for security teams to defend against the relentless evolution of cybercrime and shifting attack modes. CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Leaders also reveal that their security departments are increasingly complex environments with 65 percent of organizations using from six to more than 50 security products, increasing the potential for security effectiveness gaps.

To exploit these gaps, ACR data shows criminals leading a resurgence of “classic” attack vectors, such as adware and email spam, the latter at levels not seen since 2010. Spam accounts for nearly two-thirds (65 percent) of email with eight to 10 percent cited as malicious. Global spam volume is rising, often spread by large and thriving botnets.

Measuring effectiveness of security practices in the face of these attacks is critical. Cisco tracks progress in reducing “time to detection” (TTD), the window of time between a compromise and the detection of a threat. Faster time to detection is critical to constrain attackers’ operational space and minimize damage from intrusions. Cisco has successfully lowered the TTD from a median of 14 hours in early 2016 to as low as six hours in the last half of the year. This figure is based on opt-in telemetry gathered from Cisco security products deployed worldwide.

The Business Cost of Cyber Threats: Lost Customers, Lost Revenue

The 2017 ACR revealed the potential financial impact of attacks on businesses, from enterprises to SMBs. More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organizations that experienced an attack, the effect was substantial:

  • Twenty-two percent of breached organizations lost customers — 40 percent of them lost more than 20 percent of their customer base.
  • Twenty-nine percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue.
  • Twenty-three percent of breached organizations lost business opportunities, with 42 percent of them losing more than 20 percent.

Hacker Operations and New “Business” Models

In 2016, hacking became more “corporate.” Dynamic changes in the technology landscape, led by digitization, are creating opportunities for cybercriminals. While attackers continue to leverage time-tested techniques, they also employ new approaches that mirror the “middle management” structure of their corporate targets.

  • New attack methods model corporate hierarchies: Certain malvertising campaigns employed brokers (or “gates”) that act as middle managers, masking malicious activity. Adversaries can then move with greater speed, maintain their operational space, and evade detection.
  • Cloud opportunity and risk: Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns.
  • Old-fashioned adware – software that downloads advertising without user permission – continued to prove successful, infecting 75 percent of organizations investigated.
  • A bright spot emerged with a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino, whose owners were brought down in 2016, but smaller players rushed in to fill the gap.

Secure the Business, Maintain Vigilance

The 2017 ACR reports that just 56 percent of security alerts are investigated and less than half of legitimate alerts remediated. Defenders, while confident in their tools, battle complexity and manpower challenges, leaving gaps of time and space for attackers to utilize to their advantage. Cisco advises these steps to prevent, detect, and mitigate threats and minimize risk:

  • Make security a business priority: Executive leadership must own and evangelize security and fund it as a priority.
  • Measure operational discipline: Review security practices, patch, and control access points to network systems, applications, functions, and data.
  • Test security effectiveness: Establish clear metrics. Use them to validate and improve security practices.
  • Adopt an integrated defense approach: Make integration and automation high on the list of assessment criteria to increase visibility, streamline interoperability, and reduce the time to detect and stop attacks. Security teams then can focus on investigating and resolving true threats.

Cisco Annual Cybersecurity Report – 10 Years of Data and Insights

Cybersecurity has changed drastically since the inaugural Cisco Annual Security Report in 2007. While technology has helped attacks become more damaging and defenses become more sophisticated, the foundation of security remains as important as ever.

  • In 2007, the ACR reported web and business applications were targets, often via social engineering, or user-introduced infractions. In 2017, hackers attack cloud-based applications, and spam has escalated.
  • Ten years ago, malware attacks were on the rise, with organized crime profiting from them. In today’s shadow economy, thieves now run cybercrime as a business, offering low barrier-to-entry options to potential customers. Today perpetrators can be anyone, anywhere; they don’t require a security background and can easily purchase “off-the-shelf” exploit kits.
  • The 2007 report tracked 4,773 Cisco IntelliShield Security Alerts, mapping closely to the level seen by the National Vulnerability Database. By the 2017 report, for the same time period, the vendor-disclosed vulnerability alert volume had increased by 33 percent to 6,380. We believe the increase is driven by greater security awareness, an increased attack surface and an active adversary.
  • In 2007 Cisco advised defenders to own a holistic approach to security, integrating tools, processes and policies, and educating stakeholders to protect their environments. Businesses looked to vendors for a comprehensive answer, often in vain; vendors instead prescribed piecemeal point solutions. In 2017 CSOs are grappling with the complexity of their environments. Cisco is combatting this through an architectural approach to security, helping customers get more from existing security investments, increasing capability while decreasing complexity.

Supporting Quotes

“In 2017, cyber is business, and business is cyber – that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture.”

– John N. Stewart, Senior Vice President and Chief Security and Trust Officer, Cisco

“One of our key metrics highlighted in the 2017 Annual Cybersecurity Report is the ‘time to detection’ – the time it takes to find and mitigate against malicious activity. We have brought that number down to as low as six hours. A new metric – the ‘time to evolve’ – looked at how quickly threat actors changed their attacks to mask their identity. With these and other measures gleaned from report findings, and working with organizations to automate and integrate their threat defense, we can better help them minimize financial and operational risk and grow their business.”

– David Ulevitch, Vice President/General Manager, Security Business, Cisco

About the Report

The Cisco Annual Cybersecurity Report, now in its tenth year, examines the latest threat intelligence gathered by Cisco security experts, providing industry insights that reveal customer security trends. The 2017 report also highlights key findings from the third annual Cisco Security Capabilities Benchmark Study (SCBS), which examines security professionals’ perceptions of the state of security in their organizations. It shares geopolitical trends, global developments around data localization, and the importance of cybersecurity as a boardroom topic.

For a complete copy of the 2017 Cisco Annual Security Research report, and to read more about Cisco’s recommendations as to how businesses can mitigate against risk, click here.

 

via:  cisco

Firefox 53 Introduces Quantum Compositor, Reducing Browser Crashes

Mozilla released its Firefox 53 update on April 19, introducing a new browser engine and patching 39 vulnerabilities in the open-source web browser.

The new browser engine technology in Firefox 53 is known as Project Quantum and is a multipart effort to accelerate and improve the web browsing experience for users. The Project Quantum component included in Firefox 53 is known as the Quantum Compositor; it is designed to help reduce the number of browser crashes due to graphics issues.

With the Quantum Compositor, graphics rendering is now done separately from the main Firefox process. Mozilla’s early testing for the Quantum Compositor found that it reduces the number of browser crashes by 10 percent.

“The compositor determines what you see on your screen by flattening into one image all the layers of graphics that the browser computes, kind of like how Photoshop combines layers,” Nick Nguyen, vice president for Firefox at Mozilla, wrote in a blog post.

 

Firefox 53 also introduces two new user interface themes. The Compact Light theme provides users with a more compact, smaller user interface using the default Firefox color scheme. The Compact Dark theme also has a compact user interface, but it provides a darker color scheme for night browsing.

Security Updates

In addition to the browser improvements, Mozilla patched 39 security vulnerabilities in the Firefox 53 update. Of those 39 vulnerabilities, seven are rated by Mozilla as being critical.

As with nearly all Firefox updates, one of the critical vulnerability updates deals with memory safety bugs.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla warned in its advisory.

Among the other critical vulnerabilities patched in Firefox 53, two are use-after-free (UAF) memory vulnerabilities (CVE-2017-5435 and CVE-2017-5433). Two other critical vulnerabilities are out-of-bounds memory errors (CVE-2017-5436 and CVE-2017-5461), plus there is a critical buffer overflow issue (CVE-2017-5459) that has been patched.

Beyond the critical issues that Mozilla fixed, it also patched three sandbox escape issues (CVE-2017-5454, CVE-2017-5455 and CVE-2017-5456) in Firefox 53 that are rated as having high impact. The Firefox sandbox is intended to restrict the ability of a given process to access areas of a system outside of the process sandbox.

“A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths,” Mozilla warns in its advisory. “This allows for read only access to the local file system.”
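A simplified model of the bug class the advisory describes, added here as an illustration and not taken from Firefox's code: a privileged broker that should release only the file chosen in the picker, with a raw string-prefix check beside one that canonicalizes the path first. The `PickerBroker` class, its method names and the file layout are assumptions made for this example.

```python
import os
import tempfile


class PickerBroker:
    """Toy privileged broker: the sandboxed side may read only picked files."""

    def __init__(self):
        self._granted = set()  # canonical paths the user chose in the picker

    def user_picked(self, path):
        # Canonicalize once, at grant time, so later comparisons are exact.
        self._granted.add(os.path.realpath(path))

    def read_weak(self, requested):
        # Weak check: compares the raw request string with the directory of
        # a picked file, so "<dir>/../other" still matches the prefix.
        for granted in self._granted:
            if requested.startswith(os.path.dirname(granted) + os.sep):
                return self._read(requested)
        raise PermissionError(requested)

    def read_strict(self, requested):
        # Hardened check: resolve ".", ".." and symlinks first, then require
        # an exact match with a path the user actually picked.
        canonical = os.path.realpath(requested)
        if canonical not in self._granted:
            raise PermissionError(requested)
        return self._read(canonical)

    @staticmethod
    def _read(path):
        with open(path, "r", encoding="utf-8") as handle:
            return handle.read()


def demo():
    """Build a constructed file layout and run both checks against it."""
    with tempfile.TemporaryDirectory(prefix="picker-demo-") as tmp:
        root = os.path.realpath(tmp)
        picked_dir = os.path.join(root, "picked")
        os.mkdir(picked_dir)
        picked = os.path.join(picked_dir, "report.txt")   # chosen in picker
        other = os.path.join(root, "secret.txt")          # never chosen
        with open(picked, "w", encoding="utf-8") as handle:
            handle.write("PICKED")
        with open(other, "w", encoding="utf-8") as handle:
            handle.write("NOT PICKED")

        broker = PickerBroker()
        broker.user_picked(picked)

        # A request that uses a relative component to leave the picked dir.
        traversal = os.path.join(picked_dir, "..", "secret.txt")

        results = {"weak_traversal": broker.read_weak(traversal)}
        try:
            broker.read_strict(traversal)
            results["strict_traversal"] = "allowed"
        except PermissionError:
            results["strict_traversal"] = "denied"
        # A harmless relative component on the picked file still works.
        results["strict_picked"] = broker.read_strict(
            os.path.join(picked_dir, ".", "report.txt"))
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The strict variant also reads the canonical path it just validated rather than the caller's original string, so the check and the file access refer to the same name.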

 

via:  eweek

Microsoft to shut down Wunderlist in favor of its new app, To-Do

Microsoft acquired the popular mobile to-do list application Wunderlist back in 2015, and now it’s preparing users for its eventual demise with the release of its new application “To-Do,” announced today. The new app was built by the team behind Wunderlist, and will bring in the favorite elements of that app in the months ahead, Microsoft says. The company also added that it won’t shut down Wunderlist until it’s confident that it has “incorporated the best of Wunderlist into To-Do.”

In case you’re hoping Wunderlist will get some sort of reprieve, Microsoft makes its forthcoming demise pretty clear, stating its plans in black and white: “we will retire Wunderlist,” it says in a blog post.

In the meantime, Microsoft is encouraging Wunderlist users to make the switch by offering an importer that will bring in your lists and to-dos from Wunderlist into To-Do, where those items will now be available in other Microsoft products, like Exchange and Outlook.

Microsoft’s plans for To-Do were previously leaked, when the company was found to be testing a new app, then under the codename Project Cheshire.

At the time of the leaks, that was a fairly bare bones to-do app that let users create lists, add items, set reminders, and sync lists across platforms. The only interesting feature was that it was able to offer suggestions of tasks to add to a list – something that has now transformed into To-Do’s “Intelligent Suggestions” feature.

According to Microsoft’s announcement, To-Do starts you off in a screen called “My Day” which offers a list of items that need to get done today. You can customize this list further by accessing the “Intelligent Suggestions” feature – available with a tap on the lightbulb icon – which will offer suggestions of things you may want to add to your list.

For example, if there was something you didn’t get done yesterday, but perhaps should have, that could appear as a task suggestion. As Microsoft explains it, you’ll also be able to review to-do’s from the day before as well as view what’s due and other upcoming tasks, via this feature.

More importantly – to Microsoft, at least – is that To-Do has been built to integrate with Microsoft Office. The app is built on Office 365, and its first integration is in Microsoft Outlook. Your Outlook Tasks will sync with To-Do, so you can access and manage them across your devices.

To-Do’s data is also encrypted in transit and at rest for added security. The Preview version of To-Do is available today for I.T. admins to enable through the Office 365 admin center, and is available on iPhone, Android, Windows and the web for consumers.

ZDNet clarified with Microsoft that the app is not just for Office 365 users, as the original blog post about the launch seemed to imply. Instead, anyone with a Microsoft account can use To-Do, even if they don’t have an Office 365 plan, the company confirmed.

The To-Do app is not ready at this point to meet the needs of all Wunderlist users, however. As many users realized, some platforms do not yet support To-Do, including Mac, iPad and Android tablet. List sharing is also not available. But Microsoft says these will roll out in time along with other integrations with Microsoft services.

A Microsoft employee in the comments section of the original blog post even offered some enthusiasm towards users’ requests for Amazon Alexa integrations, which could be interesting. And they noted that support for Work accounts would arrive on To-Do on the web in the coming weeks, and gave the timeframe towards the iPad app as the “coming months.”

 

via:  techcrunch

How to Easily Switch between Multiple Google Accounts

Learn how to sign in to multiple Google accounts on the same computer and easily switch from one Gmail account to another using keyboard shortcuts.

Lots of us maintain multiple Google accounts for a variety of reasons. Maybe your day is mostly spent inside Gmail and Google Calendar associated with your work account but you prefer to store files inside Google Drive of your personal Google Account.

Google does make it easy for you to sign in to multiple Google accounts simultaneously so you don’t have to log out of one Gmail account to check emails of the other one. Simply go to accounts.google.com/AddSession and sign in with the other Google account inside the same browser session.

Sign-in is Easy, Switching Accounts is Difficult

Once you are logged in, click your profile image in the upper right and select any Google account from the drop-down to switch to that account.


The default account, the one that appears on top of that list, is the one that you signed in with first. Thus, if you type mail.google.com in your browser’s address bar, you’ll always be taken to that account’s Gmail. If you need to set another Google account as the default one, you’d have to sign out of all existing accounts and sign in first with that account.

That’s obviously too many steps for users who have to constantly juggle between multiple accounts. So here’s a simple URL trick that will help you switch between Google accounts quickly.

Create Keyboard Shortcuts for Google Accounts

Go to the Gmail website and press Ctrl+D (or Cmd+D on Mac) to bookmark the Gmail website.


Click the Edit button to modify the bookmark. Here, add ?authuser=email@gmail.com after the last slash (/) symbol and append the shortcut to the bookmark name. We use the shortcut “gw”, meaning Google Apps for Work Gmail.


Repeat the steps for all your other Gmail accounts.

You can now type gw in the address bar to quickly launch your work Gmail account even if that account may not be your default Google account.

If you are a keyboard ninja, shortcuts are a much faster way to do things than using your mouse to click a bunch of menu items. The trick works with all Google Apps services including Google Drive, Contacts and Calendar.

https://calendar.google.com/?authuser=email@domain.com
https://drive.google.com/?authuser=email@gmail.com
https://contacts.google.com/?authuser=email@domain.org

You should check out the most important Google URLs.

 

via:  labnol

Cybercriminals Mostly Prefer Skype Messaging

But cybercrime gangs worldwide are increasingly using encrypted peer-to-peer chat platforms for their communications outside online underground forums, new study finds.

When cybercriminals take their conversations outside their underground forums, their favorite mode of communication is Skype, according to a study of global cybercriminal operations.

Skype, which does not encrypt messaging end-to-end like some of the newer-generation messaging apps such as WhatsApp, Jabber, Telegram, and Signal, ranks at the top of the most-identified messaging platforms, according to Flashpoint, which studied the number of times cybercriminals in the Deep and Dark Web mentioned the use of messaging services over a four-year period. While they couldn’t confirm why Skype got the most love, the researchers theorize that it’s because the well-known messaging application, now bundled with most Microsoft software, is the most readily available and convenient way to communicate.

Leroy Terrelonge, Flashpoint’s director of Middle East and Africa Research and director of Americas Research, says he and his team wanted to see where cybercriminals go to communicate and drill down on their deals and hacking operations after first meeting in their online forums. “Yes, they are meeting in [online underground forums]: that serves as a vital way to bring people together. But the really meaty conversation where they go to [discuss] targeting is not happening in forums, but in different messaging applications,” he says.

Cybercriminals around the world also tend to follow and emulate what Russian-speaking cybercrime groups do. Russian-speaking cybercrime is considered the most sophisticated, and Flashpoint noted that there’s a large adoption of the nonencrypted ICQ messaging platform around the world. ICQ traditionally has been heavily used by Russian cybercriminals, although Skype has bumped it from the number one slot in those groups.

“Russian-speaking actors … sit at the top of the food chain,” and cybercriminals in other regions look to them for the latest communications tools, as well as to communicate and collaborate with them, Terrelonge says.

Flashpoint investigated four years of data it had collected via its Deep Web and Dark Web monitoring, and found that Skype in 2016 landed in the top five most-mentioned messaging platforms in communities that speak Russian (#1), English (#1), Spanish (#2), Arabic (#2), French (#2), Chinese (#3), and Persian/Farsi (#3). Skype overall was used much less within Chinese-, French-, and Persian-speaking cybercrime communities, however.

“Skype, which is not considered to be a very secure messaging platform is still used across many different language communities as one of the top five messaging apps,” Terrelonge says.

Most of the regions are trending toward adopting end-to-end encrypted messaging as well. The shift began sometime after Edward Snowden’s leak of documents from the National Security Agency (NSA) that illustrated the agency’s surveillance capabilities: “In general, across all [groups], there was a move from 2012 to 2016 away from less secure to more secure messaging,” Terrelonge says.

The new generation of encrypted messaging apps is much easier to use, he says, than the old days of non-user friendly interfaces that were “clunky.”

Among the Russian-speaking groups, the top five mentioned messaging apps in 2016 were Skype (38.72%); Jabber (24.77%); ICQ (21.05%); Telegram (7.26%); and Viber (4.47%). Jabber (45.84%) topped the French-speaking list, while WhatsApp (27%) and Skype (25%) topped the Arabic-speaking one; Telegram (88.5%), the Persian-speaking one; and Jabber inched up to number two behind Skype in the English-speaking cybercrime community, with 11.75%, followed by ICQ (9.81%), and Kik Messenger (5.63%). Chinese-speaking groups mostly use the less-secure QQ (63.33%), followed by WeChat (35.58%); Skype (0.44%); WhatsApp (0.22%); and Jabber (0.31%), according to the Flashpoint report.

 

via:  darkreading

7 Ways Hackers Target Your Employees

One employee under reconnaissance by cyberattackers can put your whole business at risk. Where are they being targeted, and what should they know?

Cybercriminals are testing the strength of your organization’s defensive wall, looking for the one crack they need to launch their attacks. Oftentimes that flaw isn’t a “what,” but a “who.”

Employees only need to download a bad attachment, click a malicious link, or give attackers one piece of information they need to break in. Security is a business-wide responsibility.

“Companies need to realize if their employees are picking up the phone and answering emails, they are making security decisions every day that can affect the company,” says Michele Fincher, COO for Social-Engineer, Inc. “They don’t realize how many good decisions employees need to make to be secure.”

Addressing the importance of security during annual training sessions isn’t enough, says Fincher. “If you only talk about it once a year, you’re doing the staff a grave disservice.”

Social engineering attacks also make it harder to differentiate legitimate from malicious activity. In the past, cybercriminals needed more technical skills to launch attacks. These days, they can wreak havoc with social network browsing, phone calls, and emails. They can conduct surveillance without raising red flags.

As Social-Engineer, Inc. CEO Chris Hadnagy explains, “There’s no bar for entry for an attacker.”

Here are seven common strategies attackers use to target employees. Share these with your teams to inform them of today’s dangers and where hackers may be hiding.

 

via:  darkreading

The Human Factor: The unspoken threat in cybersecurity

How can a CISO best negate the threats that BYOD and mobile devices pose to their organization?

Ever since there have been humans, there have been human errors – and some of them have been whoppers (like the Japanese trader’s “fat finger” trading error that cost his company $600 billion). Doing tasks that they really don’t understand, or mistakenly pushing a button or pulling a lever, people are the root cause of 90% of air traffic control errors, over 50% of factory equipment failures after maintenance, 37% of downtime at pharmaceutical firms, and in one of the biggest flubs of all time, human error nearly destroyed Kansas.  

Such errors can destroy a company, too – by allowing hackers access to sensitive data. Trying to detect and deflect such attacks is often fruitless; the solution security officers need to concentrate on is a prevention-based one.

It seems that there is a correlation between human error and an employee’s lack of understanding of what a job entails – a problem that is responsible for tens of billions of losses for companies every year. And it also appears that the more complex a job or system is, the greater the level of human error. So it should come as no surprise that human error, negligence, a lack of understanding of what they are supposed to do, and similar human failings are responsible for more than a third of data breaches, according to a Ponemon Institute study. Computer systems today are extremely complex, and the way organizations operate today – from focusing on detection of breaches and outage issues to encouraging employees to bring their own devices to work – only increases the chances that someone at some time will make a mistake, one that could prove fatal to the organization.

Examples of how errors by workers led to data breaches are rife – and many of them rely on social engineering, spear-phishing, and other e-mail and Internet-based exploits. In 2014, hackers ran a phishing exploit that netted them credential information from as many as 100 eBay employees, which enabled them to get access to the company’s systems – undetected – for months. In 2015, hackers got hold of personal data (including social security numbers) from employees and customers of Anthem Blue Cross and Blue Shield, apparently using social engineering techniques via an e-mail or other communication. And in one of the most infamous breaches of all time, hackers got access to Sony’s network using phishing techniques.

Phishing and social engineering are far from the only source of human error-related data breaches. BYOD – where companies invite employees to use their own personal devices or laptops in the office, either for convenience or to save money – brings a load of security issues into the office. In 2014, a hacker managed to breach a BYOD service used by UK insurance giant Aviva to invade employee devices, possibly stealing credentials. And of course there are the “run of the mill” mobile device security issues; thousands of new mobile malware strains appear every day, and in fact, according to a major security study, some Android devices are coming with the malware pre-installed, making the work of hackers easier and more convenient than ever. And since nearly half of employees who use their devices for work don’t even think about security as an issue, BYOD-friendly organizations could easily find themselves experiencing a “perfect storm” security crisis at any time.

What’s a CISO to do? Well, the natural response among most security officers – especially when they have been targeted – is to take inventory and see where the breach came from, and how to close up the “hole” that allowed the data breach to occur in the first place. And since, as we’ve seen, most of these breaches are due to human error, there are some specific responses that promise to limit the damage:

1. Just Don’t Click

When in doubt, that is. Many organizations have educational programs that stress over and over the dangers of clicking on suspicious links, or opening attachments. Sandboxes, firewalls, and anti-virus programs check incoming data six ways ’til Sunday. And in some companies, IT managers send out fake phishing messages in order to see whether employees have learned their lessons. Between the security systems and employees’ self-restraint, phishing/social engineering exploits that use links or rogue scripts in attachments should be a thing of the past.

But as we see, they aren’t. Hackers keep up with the times, and they are able to slip malware code into files that sandboxes won’t catch; the malware is programmed to hide itself while it’s in the sandbox – and if the attack is a zero-day exploit (as most exploits today are), there is no way a signature-based anti-virus program will prevent a hack. And many phishing exploits are cleverly hidden in e-mail messages that employees would swear look legitimate.  

2. Best BYOD Practices?

By allowing – in many cases requiring – employees to use their own devices at work, IT security teams automatically increase their workload by a large amount. Now they are responsible not only for the security of their network, but for the security of the devices that connect to the network. To prevent breaches, organizations have developed acceptable use protocols: What apps can be installed on a device, what apps cannot be used, how and when to connect to social media, etc. In addition, many organizations require the use of encryption for organization communications and connections.

Which is all well and good – except for the fact that enforcing such policies is more difficult than enforcing network security. After all, the device belongs to the employee, who paid good money for it (or at least got it from the company for business and personal use). And while a really dedicated employee might be at his or her desk for 60 or more hours a week, there are still plenty of other hours in which they will be able to use their devices out of view of network personnel. Can a CISO guarantee that an employee won’t accidentally copy a file or sensitive data from an enterprise-approved app to their Facebook page?

3. Mobile Mess

Related to BYOD is the whole phenomenon of using mobile devices for work-related purposes, especially for e-mail and text messaging. While having access to the office – and managers having access to employees – at any time is certainly convenient, the risks of mobile in this context are high. Two-factor authentication to access apps could help, but it won’t prevent copying mistakes as described above. In addition, devices are vulnerable to many kinds of hacks that could allow cyber-criminals to attack devices. Text messages, for example, could include links to rogue sites that download malware on a device and implement key-logging techniques to steal credentials. The problem is so bad in fact that NIST, the National Institute of Standards and Technology, recommends dumping SMS as an authentication method, because it is too easy to hack.

Is this the best CISOs can hope for? It is, if they plan to fight hackers who have already gotten credentials, or are attempting to do so via a phishing/social engineering/malware attack. If hackers can beat sandboxes, a long-time venerable technology that organizations rely on to protect them, they can beat a company’s best educational efforts, penalty programs, or security protocols. The methods by which employees can slip up are just too many and too easy, and organizations cannot rely on such arrangements.  

What has to be implemented is a system that keeps threats away from employees and the IT system altogether. Network segregation goes beyond sandboxing; not just checking files and connections for rogue activity, but actually executing code and making connections in an isolated environment. If a problematic connection or file attempts to execute, it will do so – in a virtual container that keeps the executed code or connection away from the real network until its purpose is clear. If the connection or code checks out – and does what it is supposed to do, based on its profile – then it is allowed to move forward. And if not, it just gets rejected, kept away from the IT system altogether. Network segregation can also be used to isolate devices, keeping them from passing malware or copying data from an IT system. Thus, the threats of mobile and BYOD are obviated as well. With a system like this, CISOs can rest a little more easily, knowing that they did their best to plug up the many “security holes” that are a feature of the human experience – and of human employees.

 

via:  itproportal

Businesses increasing encryption efforts

Cyber security threats have done their part in encryption adoption among businesses.

Businesses are increasingly adopting encryption strategies, according to a new report by Thales. More than four in ten (41 per cent) of respondents in the report said their organisation has an encryption strategy that is applied ‘consistently’, across the enterprise.

What’s also interesting is that for the first time since Thales started making these reports (12 years), business unit leaders have more influence on these things than IT operations.

Looking at the figures, the report states that two thirds (67 per cent) use one of two routes: They either perform on-premise encryption, or send the data into the cloud, where it’s encrypted using on-premise generated keys.

Almost four in ten (37 per cent) said their businesses turn over complete control of keys and encryption processes to cloud providers.

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types,” commented Dr Larry Ponemon, chairman and founder of The Ponemon Institute.

“Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy. Encryption and key management continue to play critical roles in these strategies.”

It’s also interesting to learn that a third (31 per cent) are either using, or plan on using HSMs (Hardware Security Modules), together with the BYOK deployments (Bring Your Own Key). A fifth (20 per cent) said the same for CASB (Cloud Access Security Broker) deployments. Both HSM and CASB usage is expected to double in the next year, up from 12 to 24 per cent.

 

via:   itproportal

McAfee LinkedIn page hijacked

Now deleted updates to the hijacked business page link attackers to a Twitch hack in 2016.

On Sunday evening, the LinkedIn page for McAfee was hijacked by a single person or an unknown number of individuals who apparently watched Twitter for reactions. The business page was defaced with random remarks, and at one point made a passive reference to a Twitch hack in 2016. (See update at the bottom of this story.)

 

The LinkedIn defacement happened around 9:30 p.m. EST on Sunday evening. McAfee recently announced some changes to the company, including a return to its original name after being acquired by private equity firm TPG.

 

How the individual(s) obtained access to McAfee’s LinkedIn account is unknown, though someone claiming a connection to the incident says the key was recycled passwords.

 

Once word of their defacement started to spread however, those responsible for the hijacking watched Twitter for reactions and made comments on the McAfee LinkedIn page in response.

They also changed the company logo to a well-known meme after it was referenced on Twitter.

Another update to the hijacked McAfee LinkedIn page (deleted shortly after being posted) referenced a Gmail account used during the takeover of a Twitch account in 2016.

At the time BlackDotATV was compromised by someone during a broadcast. Taunting the channel owner, Dominik “Black^” Reitmeier, the person responsible told him to email the Gmail account for instructions on how to secure his account.

Salted Hash reached out to McAfee for comment, and we’ll update this story when they respond.

We reached out to the referenced Gmail account as well. The person who responded claimed they were previously part of OurMine, a group that claims to be a security company, but promoted their services by compromising other high-profile social media accounts.

The person said Sunday’s McAfee hijack was possible due to recycled credentials, and that two-factor authentication was not enabled on the account. McAfee, the person said, was “a small hack, the first of many.”

“They’re going to gradually get bigger and bigger. Keep an eye on the twitter accounts of many high-profile companies, that’s all I’ll say.”

The takeover lasted for just over half an hour, until LinkedIn pulled the whole McAfee page. However, the changed logo propagated to many staff accounts, and was still present even after the business page was removed.

Update:

Shortly after this story was posted, a person going by the handle “Monarch” contacted Salted Hash with additional information. This individual also goes by “Monarch” on OGFlip, the forum reporting that LeakedSource was raided by law enforcement earlier this year.

After some conversation, Monarch put us in touch with the person who is claiming credit for the McAfee hijacking. This individual, who asked that they not be named, said the McAfee LinkedIn hijacking started out as an attempt to take over a two-letter Twitter account.

The Twitter takeover failed, but the password originally believed to be linked to the account turned out to be the person’s LinkedIn password. Salted Hash will not name the two-letter account, or the person who owns it. However, their password was discovered in the LinkedIn data breach records.

It was the compromised LinkedIn password that enabled the McAfee hijacker access, as the victim’s LinkedIn account was listed as an administrator on the McAfee company page.

Until McAfee comments, there is no way to prove this person’s claims, but the methodology and the OurMine references made by them were worth noting.

This incident highlights not only the risks in shared admin access on social media, it also serves as a reminder that passwords should be changed if they’ve been compromised. This is also true if there is a chance the password has been compromised by a large data breach like the one LinkedIn experienced in 2012.

Since the compromised records were exposed to the public, the LinkedIn data breach has been tied to several incidents in the years that followed. In many of the cases, it was the usage of recycled credentials that enabled the attackers.

 

 

via:  csoonline