Monthly Archives: January 2018

How Management Can Help Prevent Insider-Caused Data Breaches

In 2017, the world saw some of its most devastating cyber attacks. Insider threats continue to be the primary reason for such high-profile data breaches year over year.

With the rise of malware as a service, insiders are now more than capable of sabotaging a company’s operations or stealing data to sell on the darknet. Without the right support from management, preventing severe data breaches can become near impossible. Malicious insiders paired with increasingly dangerous malware means that management needs to be actively involved in security.

It is common for management to assume that cyber security is a matter best handled by the IT department or the internal cyber security team. However, this is far from what good cyber security practice means today. Much of this illusion is due to the inherent technical nature of cyber security; the other aspects of people and processes are not emphasized as much.

This article specifically focuses on best management practices to improve the people and process side of cyber security. Let us discuss how organizations of any size can take measures to ensure that their cyber security is top of the line.


The operational definition that we use for asset comes from the ISO 55000.

According to the ISO standard, an asset is something with current or potential value to an organization, and is under their responsibility.

While ISO 55000 is focused on physical asset management, this definition applies to digital assets as well, including data. What makes a “critical asset” goes beyond value: a critical asset is one whose degradation in any way could severely damage the organization’s ability to continue operations.

Data is one of the single most important assets for any organization in today’s world.

However, not all data is equal in business. Every business is responsible for the data of their customers, partnerships, inventory, vendors, and their own operations. Data that flows through an organization usually includes financial data of the company, operations data, personal identifiable data of customers, and at times classified data.

The first step to helping with data breach prevention is to identify and categorize data. While IT has insight into how your information systems are running, they do not have full insight into the operations and processes of the business as a whole. As a manager, this is where you come to their aid.

When categorizing data, it typically falls into the following groups: public, internal, classified, and regulation required. It is important to label which types of data are associated with each process in your organization. Cyber criminals often do not target all categories of data. At times, it could be only internal data they seek; other times, it could be internal, classified, or regulation required. Often, cyber criminals and insiders have very specific data they are attempting to acquire.


Insider threats are a unique security issue that each organization faces, and they therefore require specialized resources to address the problem.

This is where an insider threat program comes in. An insider threat program is an organization-wide program that features a unified vision and mission, roles, duties, and specialized training. Insider threat programs should ideally include HR, legal, IT, engineering, data owners, and department directors. Above all, the program should include only the most trusted individuals in the organization.

Insider threat programs work to establish a source of relevant information, set of protocols, and mechanisms to detect, prevent, and respond to insider threats. Included in the insider threat program should be: mission, detailed budget, governance structure, and a shared platform.

Those are just for the formation; the work of the insider threat program should include:

  • Compliance and Process Oversight Board: This group exists to review as-is work processes for the organization and recommends changes to prevent insider threats before a data breach occurs.
  • Reporting Mechanisms: Office politics, clique behavior, and a host of other factors can prevent an employee from reporting suspicious behavior. This is why reporting mechanisms of suspicious insiders need to be made confidential to prevent any retaliatory action against whistleblowers.
  • Incident Response Plan: So you’ve identified an insider threat, and you may even have proof of a data breach from them. Do you just fire them and report them to authorities? These questions and more are clearly answered as you develop an insider incident response plan. These plans explain step by step how alerts are identified, managed, and escalated. With those details, you will also need to include time frames for every action and procedure.
  • Specialized Training: The insider threat training details an awareness and training program for all personnel in the organization. However, people directly involved in the Insider Threat Program will receive even more specialized training to better detect and mitigate insider threats.
  • Infrastructure: This component is straightforward; it is simply the infrastructure to detect, prevent, and respond to insider threats: the technology that supports management’s effort to achieve its mission. The technology deployed should be reviewed regularly to ensure the most effective alternatives are in use.

There are in total about thirteen components to a typical insider threat program. The other ones not listed include: civil liberty protections, communication framework, insider threat program supporting policies, data collection tools, vendor management, and risk management integration.


When hiring personnel, one of the preemptive moves you can make to secure your organization is to perform a background check on the candidate. While organizations often perform these checks for cost-reduction purposes, in the context of cyber security, the hiring process is where security with personnel begins.

Some things to look out for are criminal history and truthfulness about employment history. Malicious insiders, who can at times be spies, can make their way into your organization by presenting themselves as the perfect candidate.

The NIST Cybersecurity Framework recommends that an organization assign a risk level to each position.

The higher the risk level, the more trust and security prerequisites required to work that position. When a new hire comes into a position with a higher risk, they should be monitored more closely by supervisors for high risk behavior. Additionally, any incidents should be documented and analyzed for behavior trends. Behavior analytics and risk profiling technology can be a great aid in this process.

HR should also have a termination protocol prepared for when it is time to let an employee go.

The protocol should require managers to conduct an exit interview, provide final performance appraisal, and discuss final paycheck arrangements. IT should delete all of the departing employee’s accounts.

If they are a privileged user, then IT needs to change all shared passwords. HR needs to make clear once again any intellectual property agreements to the departing employee.


Managers face the challenge of balancing employee stress levels and productivity.

Often, productivity is chosen, which can mean meeting goals that would drive anyone to high stress levels. When people are stressed, all sorts of negative things start happening, such as more mistakes, ill will towards one another, and a feeling of being ignored.

These are just a few, but even in these few, you have the perfect conditions for both negligent and malicious insider threats to flourish. To avoid these conditions, it helps to understand what the most pressing challenges to developing a healthy work culture are.

One challenge was mentioned above: managing productivity and stress levels. Other challenges include baselining employee productivity and understanding the costs and benefits of reducing stress. Identifying how these challenges apply to your organization will help you understand some operational process improvements that can be made.

Reducing stress may mean a new management style needs to be implemented, such as project-oriented task management. Another method of reducing stress may be to understand how you’re measuring success, key performance indicators (KPI), and how those are contributing to work culture.

An example of harmful KPIs would be if a call center was measuring phone calls made as their KPI rather than customers landed. By measuring phone calls made, the quantity of phone calls forces employees to meet a certain goal that could contribute to poor customer service, unnecessary competitiveness, and increased mistakes.

Simply changing the KPI to customers landed also changes where the pressure is for employees. Now employees can have more meaningful interactions with customers and will be more likely to take care to ensure there are fewer mistakes.

The core takeaway from this example is to use KPIs that align with your context. Encourage thought before action. For your organization, try to identify the root cause of issues in work culture and then work to fix it.


While you are working to ensure your organization is secure from insider threats from employees, your vendors and business partners may not have been so diligent.

It is for this reason that you need a vendor management program. Vendor management programs are a series of protocols that are designed for accountability and monitoring between your organization and the vendors you work with. Vendor management programs are a responsibility of management. IT can only do so much, and if management is not setting some standards prior to vendor engagement, then IT will have to dedicate limited resources to mitigating vulnerabilities.

These programs are defined by four phases: definition, specification, controls, and integration.

The definition phase of a vendor management program involves identifying the most mission-critical vendors to your organization. Mission critical in this context means vendors that you rely on to be successful and that any relationship issue could have a negative impact on operations and revenues.

The next phase, specification, is concerned with appointing a security liaison for each vendor you work with. The responsibilities of this liaison are to maintain compliance knowledge, perform audits, facilitate security communications, provide training, track contracts and all documentation, and impose general oversight.

Once those two phases are covered, then comes the heavy lifting for management, the development of vendor policy and controls.

When drafting vendor policy, the document should include the right to audit security controls, requirement for vendor compliance with monitoring, security performance reporting, and timely notification of any data breach.

By developing these policies, the security liaison will have a strong base to work with to perform their duties. However, the success of the liaison is very dependent on what management requires of vendors and sets as controls in this phase.

The final phase is integration, which is primarily concerned with data collection, analysis, and validation.

Information about your supply chain should be accessible to you. Without that data, you will be unable to understand your full security position. The information collected needs to be integrated with your organization’s existing security practices and auditing procedures. Without full integration, the vendor management program becomes a side activity, which is not how you want to handle cyber security.


Preventing insider threats is not the job of IT alone. Only with the dedicated support of management can a business best prevent insider threats.

The recommendations above are just a few ways in which management can help prevent insider threats. Leadership in an organization impacts process development, hiring practices, business relationships, and work culture.

If any one of those areas creates vulnerabilities, then the business will remain at high risk for an insider-related data breach. Managers can stay alert by following the CERT Insider Threat Center to find more resources.


via:  tripwire

Unusual Ransomware Strain Encrypts Cloud Email

OK, here is something unusual and really scary.


KnowBe4’s Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his developed a working “ransomcloud” strain, which encrypts cloud email accounts like Office 365 in real time. My first thought was: “Holy $#!+”.

I asked him: “Can you show it to me?”, and Kevin sent me a video demo, you can see it below. Lucky for us, this type of ransomware strain is not in the wild at the moment.

When I started looking into it, the proof of concept that he mentions in the video has been around for a while, but it’s on the horizon, because if a white hat can do this, so can a black hat. I am wondering why they haven’t already, because it’s not all that hard to do.

This strain uses a smart social engineering tactic to trick the user to give the bad guys access to their cloud email account, with the ruse of a “new Microsoft anti-spam service”.

Once your employee clicks “accept” to use this service, it’s game over: all email and attachments are encrypted in real time! The ransomcloud attack will work for any cloud email provider that allows an application to be given control over the email via OAuth. With Google it will work if you get the app past their verification process. Outlook365 doesn’t verify the app at this point, so it’s much easier.

See it for realz here (video is just 5 minutes) and shiver:



What Kevin recommends at the end of this video: “Stop, Look and Think before you click on any link in an email that could potentially give the bad guys access to your data.” is now more true than ever. 

If you are a KnowBe4 customer and use either Gmail or O365, I recommend sending the special phishing template we created for this called “Microsoft AntiSpamPro Ransomcloud” and it lives in the “Phishing for Sensitive Information” category.

What Percentage Of Your Users Would Click On That Link?

Organizations are moving millions of users to O365. However, this video proves that being in the cloud does not automatically mean you are secure. The Phish-prone percentage of your users is your number one vulnerability, as they remain the weakest link in your IT security, cloud or not.


via:  knowbe4

Hospital Shut Down Its Computer Network Following Ransomware Attack

A hospital shut down its network after a ransomware attack restricted authorized personnel access to some of its computer systems.

On 12 January, Hancock Regional Hospital confirmed in a statement that it had suffered a ransomware attack. As quoted by FOX59:

Hancock Regional Hospital has been the victim of a criminal act by an unknown party that attempted to shut down our operations via our information systems by locking our computer network and demanding payment for a digital key to unlock it. Unfortunately this sort of behavior is widespread in the world today, and we had the misfortune to be next on the list. We are working closely with an IT incident response company and national law enforcement. At this time, we are deep into the analysis of the situation and see no indication that patient records have been removed from our network. In addition to excellent performance by our IT Department, our clinical teams have performed exceptionally well, and patient care has not been compromised. Our doors are open at Hancock Regional Hospital.

The Daily Reporter writes that the trouble first started on 11 January when staff noticed the network was running much slower than usual. Not long thereafter, a message appeared on at least one hospital-owned computer’s screen stating that authorized personnel wouldn’t be able to access parts of the Greenfield-based healthcare provider’s systems until it paid a ransom in Bitcoin. The amount of that ransom demand isn’t known at this time.

Hancock Regional’s IT team decided to immediately suspend the hospital’s network while it works with the FBI and a “national IT security company” to determine what happened and how it should respond. Hancock Health CEO Steve Long said the ransomware attack didn’t originate from a malicious email but declined to provide additional comments about its delivery vector.

Long did say, however, that the ransomware didn’t significantly affect patient care. The hospital posted a notice at its entrances on 12 January informing patients of a “system-wide outage.” Even so, doctors and nurses were able to update patients’ medical records using pen and paper and to fulfill most of the scheduled appointments that weren’t cancelled due to inclement weather.

A notice hangs outside an office at Hancock Regional Hospital, alerting patients and employees of problems with the hospital’s computer system.(Tom Russo | Daily Reporter)

Rob Matt, the hospital’s chief strategy officer, told IndyStar that the hack affected Hancock Regional’s electronic health records, among other systems, but that it had not exposed patients’ information:

What we do know is that no patient information has been affected, so at this point, there’s no understanding of any consequence other than our system is being held. We, like other hospitals, do disaster drills all the time, so this aligns perfectly well with drills that we’ve had throughout the years on how to continue to deliver world-class care when you have system failures or system breaches.

Unfortunately, Hancock Regional isn’t the first hospital to suffer a ransomware attack. Hollywood Presbyterian Medical Center made headlines in February 2016 when the southern California medical center paid $17,000 for the restoration of its systems following a ransomware attack. More than a year later, the May 2017 global outbreak of WannaCry ransomware affected 34% of National Health Service (NHS) trusts in England.

Attackers will continue to target hospitals with ransomware going forward. With that said, it’s important that healthcare providers everywhere protect their systems against crypto-malware and other digital threats. To learn how Tripwire’s solutions can help in this regard, click here.


via:  tripwire

Between Walmart and Kroger, 500 stores are about to ditch cashiers

  • Walmart, Kroger and Amazon are exploring ways consumers can shop without interacting with a cashier.
  • Walmart is expanding its “Scan & Go” technology to an additional 100 locations across the U.S. this year.
  • Kroger’s “Scan, Bag, Go” platform will roll out to 400 stores in 2018.



Walmart is expanding its “Scan & Go” technology to an additional 100 locations across the U.S., the retailer announced Tuesday, playing into a growing trend of companies giving consumers the option to shop their stores without interacting with a cashier.


Others working to perfect their own digital shopping scanners include grocery giant Kroger and internet behemoth Amazon, which has been piloting a store without checkout lines, called Amazon Go, near its Seattle headquarters.

Kroger’s recently introduced platform, known as “Scan, Bag, Go,” will roll out to 400 of the grocery chain’s stores later this year. That will put the company ahead of Walmart, which anticipates having its “Scan & Go” service at fewer than 200 stores by the end of 2018.

With “Scan, Bag, Go,” shoppers simply scan bar codes on items they will be purchasing, either with a handheld scanner or via Kroger’s smartphone app, as they walk throughout the store.

Self-checkout kiosks will await customers at the end of their shopping, where valid coupons have been tallied and a final total is instantly calculated. Eventually, shoppers should be able to bypass those kiosks altogether and pay directly through the app, Kroger has told Business Insider.

The process at Walmart looks similar: Using an app, customers will scan items (even produce) on their own as they walk through the store. They will be able to pay on their phones when they’re finished. A Mobile Express lane will also be situated at the front of Walmart’s stores for those shoppers to walk through, for security purposes, before they leave.

Walmart's scan and go technology.

Source: Walmart

The impetus behind these efforts is the idea that many consumers today want a speedy, seamless experience, especially when shopping for grocery items.

While some shoppers are getting comfortable with ordering groceries online, a majority of Americans are still reluctant to do so. Although grocery stores are still vital to many communities, those locations often lack technology upgrades. 2018 could be a year to change that — or at least start.

Grocers are under pressure, in an already thin-margin business, to cut costs and make the shopping experience more enjoyable for customers. The front of those stores merits a refresh, where long lines can be slashed and resources can be employed elsewhere.

As the cashier ranks dwindle, displaced employees can work other areas of the store, focusing on certain merchandise categories or assisting customers.

For now, Amazon Go is still only open to the company’s employees in Seattle. But Kroger and Walmart are opening the floodgates for this new technology at hundreds of stores in 2018.


Via:  cnbc

Here’s a map of where Walmart is closing more than 60 Sam’s Club stores

  • Walmart abruptly announced plans to close 63 of its Sam’s Club locations across the country.
  • The wholesale club location closings span from Alaska to Puerto Rico.
  • Some of the shuttered stores will be converted into e-commerce fulfillment facilities.



Walmart abruptly announced Thursday plans to close more than 60 of its Sam’s Club locations, or nearly 10 percent of its store fleet, across the country.

The wholesale club locations closing span from Alaska to Puerto Rico. Some of the shuttered stores will be converted into e-commerce fulfillment facilities, the company said.

The news came on the same day the big-box retailer announced it would be boosting its starting wage for hourly employees and handing out bonuses, among other benefits, after the passage of new tax legislation.

As local media outlets began to report on the store closures, though, disgruntled shoppers took to sites like Twitter and Facebook to learn what was going on. Many customers were seen asking for refunds on memberships, which cost $45 annually, and others were concerned about where they would pick up prescriptions.

Late in the day Thursday, Sam’s Club CEO John Furner wrote in a companywide email:

“Transforming our business means managing our real estate portfolio — we need a strong fleet of clubs that are fit for the future. After a thorough review, it became clear we had built clubs in some locations that impacted other clubs, and where population had not grown as anticipated. We’ve decided to right-size our fleet and better align our locations with our strategy. … We will work to place as many associates as possible in new roles at nearby locations, and we’ll provide them with support, resources, and severance pay to those eligible.”

Walmart said it would book a charge of 14 cents per share related to the closures, which would show up mainly in its fourth-quarter results. The company said it would share more details when it reports earnings on Feb. 20.

Walmart “is taking prudent steps to prepare for the next generation of retail warfare, one in which speed will be king and delivery will be judged by hours and not days,” Cowen and Co. analyst Oliver Chen wrote in a note to clients Friday morning.

“We believe Sam’s Club leadership will continue to execute against other initiatives … as management noted that while results have improved over the last several quarters, the retailer can do better as Sam’s Club has under-performed club peers,” Chen said. Those competitors include Costco, BJ’s Wholesale Club and Boxed.

Moving forward, many analysts anticipate Sam’s Club will focus on growing its e-commerce business, amassing a higher-quality grocery selection, marketing its private labels and finding new members.

Furner has said the brand is looking to tap into households with annual income between $75,000 to $125,000.

Here is a list of the stores being closed:

  • 8801 Old Seward Hwy, Anchorage, AK
  • 1074 N Muldoon Rd, Anchorage, AK
  • 48 College Rd, Fairbanks, AK
  • 3900 Grants Mill Rd, Irondale, AL
  • 2425 E Florence Blvd, Casa Grande, AZ
  • 5757 E State Route 69, Prescott Valley, AZ
  • 1375 S Arizona Ave, Chandler, AZ
  • 15255 N Northsight Blvd, Scottsdale, AZ
  • 3360 El Camino Ave, Sacramento, CA
  • 17835 Gale Ave, City of Industry, CA
  • 12540 Beach Blvd, Stanton, CA
  • 12920 Foothill Blvd, Sylmar, CA
  • 69 Pavilions Dr, Manchester, CT
  • 2 Boston Post Rd, Orange, CT
  • 355 FL-436, Fern Park, FL
  • 7233 N Seacrest Blvd, Lantana, FL
  • 5135 S Dale Mabry Hwy, Tampa, FL
  • 2994 Turner Hill Rd, Lithonia, GA
  • 501 N Randall Rd, Batavia, IL
  • 21430 S Cicero Ave, Matteson, IL
  • 6600 44th Ave, Moline, IL
  • 808 S Illinois Rte 59, Naperville, IL
  • 900 S Barrington Rd, Streamwood, IL
  • 1055 McHenry Rd, Wheeling, IL
  • 460 S Weber Rd, Romeoville, IL
  • 3015 W 86th St, Indianapolis, IN
  • 10859 E Washington St, Indianapolis, IN
  • 4024 Elkhart Rd #1, Goshen, IN
  • 9598 Cortana Pl, Baton Rouge, LA
  • 9750 Reisterstown Rd, Owings Mills, MD
  • 1 Tobias Boland Way, Worcester, MA
  • 340 E. Edgewood Boulevard, Lansing, MI
  • 32625 Northwestern Hwy, Farmington Hills, MI
  • 3745 Louisiana Ave S, St Louis Park, MN
  • 2800 27th Ave S, Moorhead, MN
  • 11 Batchelder Rd, Seabrook, NH
  • 81 International Dr S, Budd Lake, NJ
  • 1900 E Linden Ave, Linden, NJ
  • 301 Nassau Park Boulevard, Princeton, NJ
  • 2649 Erie Blvd E, Syracuse, NY
  • 720 Fairmount Ave, Jamestown, NY
  • 700 Elmridge Center Dr, Rochester, NY
  • 1600 Marketplace Dr, Rochester, NY
  • 5085 Dawn Dr, Lumberton, NC
  • 1101 Shiloh Glenn Dr, Morrisville, NC
  • 4825 Marburg Ave, Cincinnati, OH
  • 9570 Fields Ertel Rd, Loveland, OH
  • 615 Old Hickory Blvd, Nashville, TN
  • 1805 Getwell Rd, Memphis, TN
  • 1615 S Loop W, Houston, TX
  • 13331 Westheimer Rd, Houston, TX
  • 22296 Market Place Dr, New Caney, TX
  • 12919 San Pedro Ave, San Antonio, TX
  • 741 E Little Creek Rd, Norfolk, VA
  • 4571 S Laburnum Ave, Richmond, VA
  • 901 S Grady Way, Renton, WA
  • 1101 Outlet Collection Way, Auburn, WA
  • 13550 Aurora Ave N, Seattle, WA
  • 7050 Watts Rd, Madison, WI
  • 1540 S 108th St, West Allis, WI

This list does not contain three additional stores in Puerto Rico.


via:  cnbc

WhatsApp flaw could allow anyone to sneak into your private group chat

WhatsApp likes to brag about its end-to-end encryption, but researchers from Germany’s Ruhr University Bochum have discovered a flaw that could allow unwanted eyes to spy upon your private group chats.

In a technical research paper that explores the end-to-end security of three different secure messaging apps capable of allowing “private” group chats, researchers found the most serious shortcomings in the immensely popular WhatsApp platform.

The research paper, presented at the Real World Crypto security conference in Switzerland, describes how it would be possible for a complete stranger to add themselves to an encrypted WhatsApp group chat. Although past messages sent to the group would not be visible to the intruder, they could receive future messages.

Clearly, that’s far from good news, but avid WhatsApp users will be relieved to hear that the addition of the unauthorized party is no secret. Every member of the group receives a message saying that someone new has joined the chat, albeit apparently at the invitation of the group chat’s administrator.

Eagle-eyed members of the group, or the administrator themselves, may notice the interloper and warn the legitimate group’s members.

Furthermore, for someone to insert themselves into a group chat – they need to have first gained control over WhatsApp’s servers – something that would, one hopes, be beyond the abilities of the typical hacker but may be within the realm of a state-sponsored attacker or a regime that is able to put legal pressure on the company.

WhatsApp’s failing is possible because the platform fails to properly authenticate group invitations, the paper makes clear:

The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.

As respected cryptography expert Matthew Green explains, the attacks are difficult to pull off successfully, and “nobody needs to panic.”

Nonetheless, that doesn’t mean that the problem should be ignored. Green told Wired that “It’s just a total screw-up” and described the flaw as “eminently fixable.”

In their technical paper, the researchers recommend that group management messages are signed so they can be properly authenticated:

In order to ensure that only administrators of a group can manipulate the member set, the authenticity of group manipulation messages needs to be protected. This can be achieved, for example, by signing these messages with the administrator’s group signature key.
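To make the recommended fix concrete, here is an added illustration in Go (not WhatsApp’s code, nor the paper’s): each client pins the group admin’s Ed25519 public key and applies a membership change only if the admin signed it and its counter is fresh, so a relaying server can neither inject, alter, nor replay an “add member” update. The message layout, the group and member names, and the counter scheme are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// GroupUpdate is a group-management message ("admin adds/removes a member").
// The field layout is an assumption for this example, not WhatsApp's format.
type GroupUpdate struct {
	GroupID   string
	Op        string // "add" or "remove"
	Member    string
	Counter   uint64 // strictly increasing per group; lets clients spot replays and reordering
	Signature []byte // Ed25519 signature by the admin's group signature key over canonical()
}

// canonical is the byte string that gets signed. It binds every field, so a
// relaying server cannot swap the member name or the operation unnoticed.
func (u GroupUpdate) canonical() []byte {
	ctr := make([]byte, 8)
	binary.BigEndian.PutUint64(ctr, u.Counter)
	return []byte(u.GroupID + "\x00" + u.Op + "\x00" + u.Member + "\x00" + string(ctr))
}

// GroupState is one client's local view of the group.
type GroupState struct {
	GroupID     string
	AdminPub    ed25519.PublicKey // pinned when the client joined the group
	Members     map[string]bool
	LastCounter uint64
}

// newGroup builds a constructed sample group with two existing members.
func newGroup(adminPub ed25519.PublicKey) *GroupState {
	return &GroupState{GroupID: "g1", AdminPub: adminPub,
		Members: map[string]bool{"admin": true, "alice": true}}
}

func (g *GroupState) apply(u GroupUpdate) error {
	switch u.Op {
	case "add":
		g.Members[u.Member] = true
	case "remove":
		delete(g.Members, u.Member)
	default:
		return errors.New("unknown operation")
	}
	g.LastCounter = u.Counter
	return nil
}

// ApplyUnauthenticated models the weakness: whatever the server relays is applied.
func (g *GroupState) ApplyUnauthenticated(u GroupUpdate) error {
	if u.GroupID != g.GroupID {
		return errors.New("update is for another group")
	}
	return g.apply(u)
}

// ApplySigned models the fix: only admin-signed, fresh updates change the member set.
func (g *GroupState) ApplySigned(u GroupUpdate) error {
	if u.GroupID != g.GroupID {
		return errors.New("update is for another group")
	}
	// ed25519.Verify returns false (no panic) for a missing or malformed signature.
	if !ed25519.Verify(g.AdminPub, u.canonical(), u.Signature) {
		return errors.New("rejected: not signed by the group admin")
	}
	if u.Counter <= g.LastCounter {
		return errors.New("rejected: replayed or reordered update")
	}
	return g.apply(u)
}

// SignUpdate is what the admin's client does before handing the update to the server.
func SignUpdate(priv ed25519.PrivateKey, u GroupUpdate) GroupUpdate {
	u.Signature = ed25519.Sign(priv, u.canonical())
	return u
}

// Scenario runs the paper's situation against both policies and reports the outcomes.
func Scenario() (unauthAccepted, forgedRejected, tamperedRejected, legitAccepted, replayRejected bool) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Server-originated "add intruder" carrying no admin signature at all.
	forged := GroupUpdate{GroupID: "g1", Op: "add", Member: "intruder", Counter: 1}

	old := newGroup(adminPub)
	unauthAccepted = old.ApplyUnauthenticated(forged) == nil && old.Members["intruder"]

	fixed := newGroup(adminPub)
	forgedRejected = fixed.ApplySigned(forged) != nil && !fixed.Members["intruder"]

	// Admin legitimately adds bob; a server that rewrites the name breaks the signature.
	legit := SignUpdate(adminPriv, GroupUpdate{GroupID: "g1", Op: "add", Member: "bob", Counter: 1})
	tampered := legit
	tampered.Member = "intruder"
	tamperedRejected = fixed.ApplySigned(tampered) != nil && !fixed.Members["intruder"]

	legitAccepted = fixed.ApplySigned(legit) == nil && fixed.Members["bob"]
	// The server re-delivering the same signed update later is refused by the counter check.
	replayRejected = fixed.ApplySigned(legit) != nil
	return
}

func main() {
	a, b, c, d, e := Scenario()
	fmt.Printf("unauthenticated policy accepts server-injected add: %v\n", a)
	fmt.Printf("signed policy: forged rejected=%v tampered rejected=%v legit accepted=%v replay rejected=%v\n", b, c, d, e)
}
```

The signature covers the member name and operation, and the counter covers ordering, which together address both the silent insertion and the message reordering the paper describes.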

Even though typical WhatsApp users may not lose too much sleep about this particular attack, it may certainly be a concern for journalists and whistleblowers who might have been attracted to WhatsApp in the misguided belief that it delivered total security and privacy.

A WhatsApp spokesperson confirmed the researchers’ findings but reiterated that chat group members would be notified if new parties were added to a conversation:

We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.

That response may be technically accurate, but I think most WhatsApp users would expect a group chat’s membership to be controlled by the group’s administrator – and not something that could be manipulated by an unauthorized party.

Let’s hope that WhatsApp responds appropriately to the researchers’ findings and plugs this security hole before the threat evolves from being purely theoretical to real life.


via:  tripwire

What Are the Benefits of Using Managed Security Services?

Today’s cybersecurity executives have a lot of choices in how they wish to purchase and consume products and services.

The traditional approach of a large up-front capex investment in perpetual licenses works for some organizations, but many are looking towards managed services to reduce their up-front costs and move the overhead of managing the solution to a provider that can efficiently deliver results.

Very few security teams can boast of being fully staffed, but even so, given the propensity of security risks to multiply, those lucky few teams will soon find themselves underwater, as well.

Justifying a move to a managed service requires a realistic review of your infrastructure costs, operational support costs, staffing costs and intangible costs. You should look at those costs over at least three years. You may not own the budget for some of this, so it will require a little bit of investigation, but it is a very valuable exercise.

Here are some examples of the costs that you will want to consider:

It’s easy to forget about infrastructure costs, especially if they are handled by your IT team. You’ll need to do a bit of digging here to come up with your costs, but this is an important part of the justification. Make sure that you account for growth in your calculations, since environments tend to grow over time and resource requirements may change.


Now that you have calculated the cost of infrastructure, we’ll turn to the cost of managing the underlying platforms to ensure that they stay in compliance with your internal IT practices.


A realistic view of how much time you will need to spend to manage the solution is key. All security solutions require some level of care and feeding as well as an investment in sustaining application knowledge.

When you consider a managed service, that team becomes your application experts, and you can focus your efforts on responding to the information provided versus extracting the key bits for yourself. Expertise in any domain requires experience to develop; managed services teams leverage a breadth of expertise that is very difficult for most companies to acquire.


It’s important to realize that any managed service will still require some time from internal resources. Typically that time is dramatically reduced (10-20% of what a perpetual deployment requires), but any provider that claims to deliver value without ever talking to you should be questioned.

It is also important to consider how many resources you would need to apply if you were to achieve maximum value from the product. A managed service can improve your ability to use more advanced features of the solution without requiring the burden of more overhead.

Finally, there are the intangible costs. They may not apply to everyone, but the scenarios behind them can be very real.


Tripwire ExpertOps provides managed File Integrity and Secure Configuration from the cloud with the assurance of a team of experts delivering managed services to customers for nearly a decade.




via:  tripwire

List of Low or No-Cost Sources of Threat Intelligence

Here’s a list of sites that, for little or no cost, point you to first-rate threat intelligence.

Organizations know they need to get serious about threat intelligence, but it’s not always clear where to find credible information. While just about every security industry vendor website offers up information on the latest threats, some are better than others. Here, we’ll point out the sites that are the most informative and useful.

Go through the list. You’ll find that there are many more than eight sites to choose from:


Department of Homeland Security, Automated Indicator Sharing

The Department of Homeland Security’s free Automated Indicator Sharing (AIS) website was set up for private companies to share cyber threat indicators with the federal government. Typical threat indicators available are information such as malicious IP addresses or the sender address of phishing emails. DHS aims to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator will be shared with all AIS participants. Federal officials say while AIS won’t eliminate sophisticated cyber threats, it will clear out the less sophisticated attacks, making it possible for the federal government and private companies to focus on the more pernicious targeted attacks.


FBI InfraGard Portal

The FBI’s InfraGard Portal serves as a clearinghouse for the public and private sectors to share information to protect America’s critical infrastructure. The government breaks critical infrastructure into 16 sectors, ranging from the defense industrial base to manufacturing to dams. The site offers a news feed on events relevant to the 16 sectors, plus Cyber Crimes and Cyber Fugitives links that contain information on the most recent attacks and potential threats being tracked by the FBI.

National Council of Information Sharing and Analysis Centers

While the National Council of ISACs was formed in 2003, the ISAC concept was first introduced in 1998, almost 20 years ago. Today, there are 24 ISACs. Some of them, like the financial services ISAC (FS-ISAC), are expensive to join. But many of them offer low or no-cost threat intelligence. The basic idea is for each critical infrastructure sector to have its own organization that monitors and ferrets out threat information specific to that industry vertical. Most ISACs have 24×7 threat warning and incident reporting capabilities, and many also set the threat level for their sectors. Follow this link to look up the ISAC that applies to your industry.

Ransomware Tracker

Managed by, Ransomware Tracker is a Swiss security site that focuses on tracking and monitoring the status of domain names, IP addresses, and URLs associated with ransomware. This includes botnet command-and-control servers, distribution sites, and payment sites. According to the Ransomware Tracker website, by using the data the site provides, hosting providers and ISPs, as well as national CERTs, law enforcement agencies and security researchers, can get an overview of the infrastructure exploited by ransomware and whether it is actively being used by threat actors to commit fraud. The site also offers guidelines for mitigating ransomware as well as blocklists for stopping ransomware at the network edge.

The Spamhaus Project

Founded in 1998, The Spamhaus Project is an international non-profit based in Geneva and London that tracks spam and related cyber threats such as phishing, malware, and botnets. While it is best-known for publishing DNS-based blocklists, according to its website, Spamhaus produces special data for use with Internet firewall and routing equipment, such as the Spamhaus DROP lists, botnet C&C data, and the Spamhaus Response Policy Zone data for DNS resolvers, a tool that helps prevent millions of internet users from clicking on malicious links in phishing and malware emails.
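Both the Ransomware Tracker blocklists and the Spamhaus DROP lists above are consumed the same way at the network edge: fetch the feed, parse its CIDR entries, then either push them into a firewall or match them against connection logs to find hosts already talking to listed infrastructure. The following is an added example (not code from this page, Spamhaus, or Ransomware Tracker) that does both. It assumes the DROP-style text layout (`;`-prefixed comment lines, then `<CIDR> ; <reference>` entries) and an nftables target; the feed, the log lines and the `src=` field layout are constructed, using only documentation address ranges.

```python
"""Consume a CIDR blocklist in a DROP-style text layout, emit firewall rules
from it, and match connection-log source addresses against it.

Added example: the feed and log lines are constructed, not real data, and
the DROP-style layout and nftables rule syntax are assumptions.
"""
import ipaddress
import re

# Constructed sample feed (documentation ranges, made-up reference ids).
SAMPLE_FEED = """\
; Constructed sample blocklist - not real Spamhaus or Ransomware Tracker data
; Last-Modified: Mon, 01 Jan 2018 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

# Constructed firewall log lines; only the src= field matters here.
SAMPLE_LOGS = [
    "2018-01-05T10:00:01Z fw1 action=allow src=192.0.2.44 dst=10.0.0.5 dport=443",
    "2018-01-05T10:00:02Z fw1 action=allow src=10.0.0.7 dst=10.0.0.9 dport=80",
    "2018-01-05T10:00:03Z fw1 action=allow src=198.51.100.9 dst=10.0.0.5 dport=22",
    "2018-01-05T10:00:04Z fw1 action=allow src=198.51.100.200 dst=10.0.0.5 dport=445",
    "2018-01-05T10:00:05Z fw1 action=allow src=not-an-ip dst=10.0.0.5 dport=445",
]

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_blocklist(text):
    """Return [(network, reference), ...] from DROP-style feed text.

    Comment lines start with ';'. Each entry is '<CIDR> ; <reference>'.
    strict=True rejects entries with host bits set instead of silently
    widening them to the containing network, so a corrupted feed fails loudly.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"feed line {lineno}: bad CIDR {cidr.strip()!r}") from exc
        entries.append((net, ref.strip()))
    return entries


def to_nft_rules(blocklist, table="inet filter", chain="input"):
    """Render one nftables drop rule per entry (assumed target syntax).

    The reference id is kept as a rule comment so a hit can be traced back
    to the feed entry that produced it.
    """
    rules = []
    for net, ref in blocklist:
        proto = "ip" if net.version == 4 else "ip6"
        rules.append(f'nft add rule {table} {chain} {proto} saddr {net} drop comment "{ref}"')
    return rules


def match_logs(log_lines, blocklist):
    """Return [(src, matched_network, reference), ...] for log lines whose
    src= address falls inside a listed network.

    Malformed or missing src fields are skipped rather than aborting the run,
    since a single bad log line must not stop a detection sweep.
    """
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        for net, ref in blocklist:
            if addr.version == net.version and addr in net:
                hits.append((str(addr), str(net), ref))
                break
    return hits


if __name__ == "__main__":
    feed = parse_blocklist(SAMPLE_FEED)
    for rule in to_nft_rules(feed):
        print(rule)
    for src, net, ref in match_logs(SAMPLE_LOGS, feed):
        print(f"HIT src={src} listed_in={net} ref={ref}")
```

The linear scan in `match_logs` is fine for a few thousand prefixes; for the full DROP list plus other feeds, swap it for a longest-prefix structure such as a radix tree. Note also that `198.51.100.9` is deliberately not a hit: the feed lists only the `/25` upper half of that range, which is the kind of detail a hand-written "starts with" string match would get wrong.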

Internet Storm Center

The Internet Storm Center was founded in 2001 after the security community’s collaborative response to the Li0n worm. Today, the ISC gathers millions of intrusion detection log entries every day, from sensors covering more than 500,000 IP addresses in more than 50 countries. The ISC is a free service supported by the SANS Institute from tuition paid by students attending SANS security education programs. The site offers numerous links to tools, educational podcasts, forums, and a job board for security professionals.

Free anti-malware sites

The Verizon 2017 Data Breach Investigations Report found that 51 percent of data breaches analyzed involved malware. Here are links to free sites that offer analysis of the leading malware infecting networks:, and

Vendor blogs

Vendors will always try to sell you product in the end, but that doesn’t mean that they don’t maintain informative blogs that serve as excellent sources to learn more about what the vendor has found about recent attacks and remedies for protecting your network. Here are some to consider: Alien Vault, Cisco Threat Research Blog, CrowdStrike Research and Threat Intel Blog, FireEye Threat Research Blog, Palo Alto Networks Unit 42, Recorded Future, and Windows Security Blog.

Malware Processing

This is pretty much what you’d imagine: collecting and activating malware to record and store the results for analysis.

This can be conducted internally by cyber-savvy organizations, but is usually performed on a much larger scale by security vendors. The resulting intelligence is used to inform everything from security protocols to the latest antivirus products.

Most importantly from our perspective, analysis of the latest malware is a direct glimpse into the mind of the attacker. Historically there have been clearly identifiable trends in malware creation and distribution, so malware processing is extremely valuable as a means of staying one step ahead.

The Good: Malware processing provides verifiable, actionable indicators of compromise (IOCs) that can be used to tighten security controls across the board. Although the approach is technically passive, requiring malware to be written and released before it can take place, it usually enables organizations to prepare for new malware before they themselves have been affected by it.

The Bad: To some extent malware processing lacks context, since it’s usually not conducted in the environments at risk of being attacked. Equally, since malware can only be analyzed after initial distribution has taken place, this approach is often more about damage minimization than total prevention.

Example: Team Cymru processes malware on a large scale, and provides a range of free and commercial products enabling users to search and splice captured metadata.


Scanning and Crawling

Unlike darknets and telemetry, scanning and crawling are a highly proactive approach to threat intelligence. They involve actively exploring the open web, scanning and cataloguing a huge range of ports and services, and providing information for analysis.

Although not a particularly popular activity among security vendors, there are a number of legitimate uses for the information gathered this way, including searching for externally identifiable vulnerabilities in your own systems.

The Good: Again, this is low-cost data that can be used to tighten your organization’s security controls.

The Bad: It’s important to realize that the results of scanning and crawling exercises are data, rather than intelligence. What we’re talking about is massive quantities of raw, unprocessed data.

To process this data into intelligence, you’ll need a substantial amount of skilled manpower, making the exercise much more expensive than it initially appears.

There’s also a significant risk of information overload. The vast majority of data collected from scanning and crawling exercises will be worthless, so identifying the valuable pieces will be difficult and time consuming.

Example: Shodan, the Internet of Things (IoT) search engine, is an example of a service that crawls the open web searching for and indexing internet-enabled devices.



via:  darkreading

In-House SOCs Vs. Outsourced – Which Should You Go For

Businesses of all shapes and sizes are moving their networks to the cloud at an increasingly fast rate!

Cloud computing has officially taken off, and with good reason! The benefit of being able to access your network files from anywhere in the world and the promise of potentially unlimited amounts of storage have opened up a world of new possibilities for organizations everywhere.

The new technology, however, has brought its own set of challenges and risks to the IT industry.

The threat of cyber-attacks is more prevalent than it has ever been, and IT security teams need to be on top of their game if they want to keep out this modern generation of hackers. At the same time, organizations are cash-strapped, and most can’t afford to train and keep experienced in-house security staff.

In-house Vs. Outsourced

Modern day companies in the UAE are faced with a simple question: Does it make sense anymore to manage our security in-house, or should we opt for a managed SOC solution?

If your company is facing a similar situation, here are the factors you need to consider in this debate.

Building your own team:

In-house operation centers ultimately suit organizations who value the confidentiality and integrity of their data over the increased expenses.

  • The biggest benefit is that you ultimately have complete control over all of your sensitive data.
  • This minimizes the risk of the loss of critical data that a business may be particular about, like trade secrets or new innovations.
  • The solutions being used can be modified to suit your company’s needs.
  • Certain industries like nuclear or space exploration have regulations in place that make having an in-house team far more desirable.
  • The cost of hiring, training, and retaining specialist staff continues to increase as skill shortages in the industry grow. It is already a more expensive solution than outsourcing.
  • It can take anywhere from 18 to 24 months to hire and set up a new team. Time is a luxury new businesses can’t afford.
  • Most in-house teams won’t have the capacity or the required expertise to identify and respond to threats in real time.


Outsourced security solutions are far more cost-effective and stable for small and medium sized businesses.

  • There’s no time delay. Businesses that decide to outsource instantly get the full services of an experienced, professional team of experts.
  • There’s no 9 a.m. to 5 p.m. with managed SOCs. Your networks are monitored around the clock, 24 hours a day, 365 days a year.
  • You’ll only have to pay the monthly costs which the MSSP charges. There are no additional costs of setting up and training a team.
  • The identification of and response to threats is instant. Third-party service providers have access to technologies and techniques which an in-house team might not even be aware of.
  • Outsourcing creates a dependency on an outside party to manage your security, which can’t be carried out effectively without proper communication.
  • An MSSP might employ solutions or services that are great for the general industry, but don’t suit your specific needs.
  • You lose control over the ability to manage confidential and sensitive information.

Choosing what’s right for you!

When making your decision, ask yourself the following questions:

  • What is my current approach, and how efficiently is it working out?
  • Do I have the budget to hire and retain an in-house team full time?
  • How confidential is the data?

You’ll also want to consider the physical safety of your offices. A managed SOC allows you to monitor both virtual and physical networks at the same time, thanks to the advances in ELV systems like CCTV cameras and motion sensors etc.


via:  managedsecurity

AT&T Aims to Deploy 5G in 2018

Carrier announces it plans to be the first in the U.S. with 5G this year.

After years of development and hype about 5G’s potential, 2018 is likely going to be the year in which 5G wireless is officially deployed in the U.S., and AT&T is predicting that it will be the first U.S. carrier to do so.

AT&T announced on Jan. 4 that it expects to deploy 5G in at least 12 cities across the U.S. by the end of 2018.
“5G will change the way we live, work and enjoy entertainment,” Melissa Arnoldi, president, AT&T Technology and Operations, said in a statement. “We’re moving quickly to begin deploying mobile 5G this year and start unlocking the future of connectivity for consumers and businesses.”

“With faster speeds and ultra-low latency, 5G will ultimately deliver and enhance experiences like virtual reality, future driverless cars, immersive 4K video and more,” Arnoldi added.



via:  enterprisenetworkingplanet