Monthly Archives: April 2018

Putting PCI-DSS in Perspective

Much attention and excitement within the security world has recently been focused on the lucrative surge in crypto-mining malware and hacks involving or targeting cryptocurrency implementations themselves.

Yet the volume of ‘real world’ transactions for tangible goods and services currently paid for with cryptocurrency is still relatively niche in comparison to those that are being paid for every minute of the day with the pieces of plastic we know as payment cards.

According to the British Retail Consortium, last year here in the UK card payments overtook cash for the first time ever, an upward trend assisted no doubt by the increasingly ubiquitous convenience of contactless micro payments.

No coincidence either perhaps that contactless related card fraud in the UK also overtook cheque-based fraud in the first half of 2017.

For the foreseeable future, card payment channels are likely to present a continued risk to both businesses and individuals for the exact same reason that bank robber Willie Sutton gave us in the last century for his chosen means of income. In today’s digital economy, however, agile cyber criminals will not only ‘go’ as Mr. Sutton suggested “where the money is” but will swiftly adapt and evolve their tactics to ‘go where the insecurity is.’ Hence, whilst according to a range of sources EMV chip cards have cut counterfeit fraud at ‘point of sale’ (POS) in the UK by approximately a third since the technology was introduced, and similar improvements are now being cited for its more recent adoption in the US, a marked and plausibly corresponding uptick in online ‘card not present’ (CNP) fraud continues.

The Payment Card Industry Data Security Standard (PCI-DSS) has formally existed since 2004 to help reduce the risk of card fraud through the adoption and continued application of a recognized set of base level security measures. Whilst many people have heard of and will often reference PCI-DSS, the standard isn’t always as well understood, interpreted, or even applied as best it could be. A situation not entirely helped by the number of myths, half-truths, and outright FUD surrounding it.

The PCI Security Standards Council website holds a wealth of definitive and authoritative documentation. I would advise anyone seeking either basic or detailed information regarding PCI-DSS to start by looking to that as their first port of call. In this blog however, I would simply like to call out and discuss a few common misconceptions.

Myth One: “PCI just doesn’t apply to our business/ organization/vertical/sector”

It doesn’t matter if you don’t consider yourself a fully-fledged business, if it’s not your primary activity, or if card payments are an insignificant part of your overall revenue. PCI-DSS applies in some form to all entities that process, store, or transmit cardholder data without exception. Nothing more to say about this one.

Myth Two: “PCI applies to our whole environment, everywhere, and we simply can’t apply such an obdurate standard to it all”

Like many good myths, this one at least has some origin in truth.

Certainly, if you use your own IT network and computing or even telephony resources to store, process or transmit cardholder data without any adequate means of network separation, then yes, it is a fact. It could also rightly be stated that most of the PCI-DSS measures are simply good practice which organizations should be adhering to anyway. The level of rigor to which certain controls need to be applied may not always be practical or appropriate for areas of the environment that have nothing to do with card payments, however. A sensible approach is, therefore, to reduce the scope of the cardholder data environment (CDE) by segmenting the elements of the network where payment related activity occurs. Do remember though, that wherever network segmentation is being used to reduce scope it must be verified at least annually as being truly effective and robust by your PCI assessor.

Whilst scoping of the CDE is the first essential step for all merchants on their road to compliance, for large and diverse environments with a range of payment channels, such an exercise in itself is rarely a straightforward task. It’s advisable for that reason to initially consult with a qualified PCI assessor as well as your acquirer who will ultimately have to agree on the scope. They may also advise on other ways of reducing risk and therefore compliance scope such as through the use of certified point-to-point encryption solutions or the transfer of payment activities away from your network altogether. Which takes us directly on to discussing another area of confusion.

Myth Three: “Outsourcing transfers our PCI risk”

Again, there is a grain of truth here but one that is all too frequently misconstrued.

Outsourcing your payment activity to an already compliant payments service provider (PSP) may well relieve you of the costs and associated ‘heavy lifting’ of applying and maintaining all of the necessary technical controls yourself. Particularly where such activity is far-removed from your core business and staff skill sets. As per Requirement 12.8 in the standard, however, due diligence needs to be conducted before any such engagement, and it still remains the merchant’s responsibility to appropriately manage their providers. At the very least via written agreements, policies and procedures. The service provider’s own compliance scope must, therefore, be fully understood and its status continually monitored.

It is important to consider that this doesn’t just apply to external entities directly processing payments on your behalf but also to any service provider who can control or impact the security of cardholder data. It’s therefore likely to include any outsourced IT service providers you may have. This will require a decent understanding of the supplier’s Report or Attestation of Compliance (ROC or AOC), and where this is not sufficient to cover your own activity, they may even need to be included within your own PCI scope. Depending on the supplier or service, this may, of course, be a complex arrangement to manage.

Myth Four: “Compensatory means we can have some complacency”

PCI is indeed pragmatic enough to permit the use of compensatory controls. But only where there is either a legitimate technical constraint or documented business constraint that genuinely precludes implementing a control in its original stated form. This is certainly not to be misjudged as a ‘soft option,’ however, nor a way of ‘getting around’ controls which are just difficult or unpopular to implement.

In fact, the criteria for an assessor accepting a compensatory control (or a whole range of controls to compensate for a single one in some cases) mean that the alternative proposition must fully meet the intent and rigor of the original requirement. Compensatory controls are also expected to go ‘above and beyond’ any other PCI controls in place and must demonstrate that they will provide a similar level of defense. They will also need to be thoroughly re-evaluated after any related change in addition to the overall annual assessment. In many cases, and especially over the longer term, this may result in maintaining something that is a harder and costlier overhead to efficiently manage than the original control itself. Wherever possible, compensatory controls should only be considered as a temporary measure whilst addressing the technical or business constraint itself.

Myth Five: “We bought a PCI solution so we must be compliant, right?”

The Payment Application Data Security Standard (PA-DSS) is another PCI Security Standards Council controlled standard that exists to help software vendors and others develop secure payment applications. It categorically does not, however, follow that purchasing a PA-DSS solution will in itself ensure that a merchant has satisfactorily met the PCI-DSS. Whilst the correct implementation or integration of a PA-DSS verified application will surely assist a merchant in achieving compliance, once again it is only a part of the overall status and set of responsibilities.

IT security vendors of all varieties may also claim to have solutions or modules that although they may have nothing directly to do with payments themselves have been specifically developed with PCI-DSS compliance in mind. They are often sold as PCI-related solutions. If deployed, used and configured correctly, many of these solutions will no doubt support the merchant with their compliance activity whilst tangibly reducing cardholder data risk and hopefully providing wider security benefits. No one technology or solution in itself will make you PCI compliant, however, and anyone telling you (or your board) that it does either does not understand the standard or is peddling ‘snake oil.’ Or both.

Myth Six: “We’re PCI-DSS compliant, so that means we must be ‘secure’ right?”

PCI-DSS should certainly align with and play a key part within a wider security program. It should not and cannot be an organization’s only security focus, however. Nor should being compliant with any standard be confused with some unfeasible nirvana of being completely ‘secure,’ whatever that may mean at any given point in time. There have, after all, been plenty of examples of PCI-compliant organizations who have still been harshly and significantly breached. Some reports of high profile incidents have voiced scathing comments about the potentially ostensible nature of the breached organization’s PCI compliance status, even questioning the validity of the standard itself. Such derision misses some key points. In the same way that passing a driving test does not guarantee you will never be involved in an accident, reasonably speaking, it will certainly decrease those chances. Far more so than if nobody was ever required to take such a test. PCI or any other security compliance exercise should be viewed with a similar sense of realism and perspective.

Applying PCI-DSS controls correctly, with integrity and, unlike a driving test, re-assessing them annually, must surely help to reduce the risk of card payment fraud and breaches. More so than if you weren’t. Something that is to everyone’s benefit. It cannot possibly, however, protect against all attacks or take into account every risk scenario. That is for your own wider security risk assessment and security program to deal with. Maybe yes, it’s all far from perfect, but in the sage fictional words of Marvel’s Nick Fury, “SHIELD takes the world as it is, not as we’d like it to be. It’s getting damn near past time for you to get with that program.”


via:  tripwire

70 Percent of Energy Security Pros Fear Digital Attacks Could Produce a “Catastrophic Failure”

Digital attackers are targeting organizations in the energy sector like never before. For example, just a few weeks ago, the FBI and Department of Homeland Security issued a joint report describing a massive Russian hacking campaign to infiltrate America’s critical infrastructure. In a first, the US government publicly blamed Russia’s government for attacks on energy infrastructure.

News like this and recent threats like Triton and Industroyer beg two questions: how concerned are energy security professionals about digital threats, and what do they think will happen at their organization if a digital attack is successful?

To find out, Tripwire commissioned Dimensional Research to examine the security of industrial control systems (ICS) in the energy industry. It did so by surveying 151 IT and operational technology (OT) security professionals at energy and oil and gas companies in March 2018.

A majority of respondents to Tripwire’s study said they were concerned about the potential impacts a digital attack might have on their organization. Close to all participants said they feared operational shutdowns and threats to their employees’ safety at 97 percent and 96 percent, respectively. Additionally, 70 percent of these security professionals feared more dire consequences like an explosion and other “catastrophic failures.”

Tim Erlin, vice president of product management and strategy at Tripwire, says these concerns reflect the types of threats confronting organizations in energy and other critical infrastructure:

Energy companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so.

In December 2017, FireEye disclosed its discovery of TRITON, an attack framework which is capable of shutting down plant operations as well as producing more serious outcomes. Just six months before that, ESET shed light on Win32/Industroyer, modular malware which can take down ICS systems by speaking to industrial communication protocols and deploying wiper malware.

In the survey, 59 percent said their companies increased security investments because of ICS-targeted attacks like Trisis/Triton, Industroyer/CrashOverride and Stuxnet. However, many feel they still don’t have the proper level of investment to meet ICS security goals.

More than half (56 percent) of respondents to Tripwire’s survey felt it would take a significant attack to get their companies to invest in security properly. This may be why just 35 percent of participants are taking a multilayered approach to ICS security – widely recognized as a best practice. Thirty-four percent said they were focusing primarily on network security and 14 percent on ICS device security.

Erlin is troubled by these findings:

It’s concerning that more than half would wait for an attack to happen before investing properly given what’s at stake with critical infrastructure. The energy industry should invest in establishing more robust cybersecurity strategies with a proper foundation of critical security controls and layers of defense.



via:  tripwire

For the first time ever, Microsoft will distribute its own version of Linux

  • Microsoft announced Azure Sphere, a new technology designed to protect the processors that power smart appliances, connected toys, and other gadgets.
  • Azure Sphere is powered in large part by Linux, a free operating system that Microsoft once viewed as a major threat.
  • It’s the first time that Microsoft has made Linux part of a product offering.

Microsoft announced a new technology called Azure Sphere, a new system for securing the tiny processors that power smart appliances, connected toys, and other gadgets.

We’ll get to the specifics in a moment, but here’s the really notable part: To power Azure Sphere, Microsoft has developed a custom version of Linux, the free open-source operating system that Microsoft once considered the single biggest threat to the supremacy of its Windows software.

“After 43 years, this is the first day that we are announcing – and will be distributing – a custom Linux kernel,” Microsoft’s president, Brad Smith, said onstage at an event in San Francisco.

Smith said that by Microsoft’s reckoning, the fact that most new gadgetry comes with a processor is cause for concern.

In 2016, unsecured cameras and other appliances were harnessed by bad guys to mount a massive cyberattack that took down major websites for hours. Two years later, people are still buying smart gadgets, but security hasn’t always kept up.

Azure Sphere takes a combined approach to this problem, using hardware, software, and the cloud.

First, Microsoft has designed a more powerful kind of microprocessor that the company says it will make available to chip manufacturers for free.

Second, Microsoft has developed Azure Sphere OS, the Linux-based operating system that will run on those chips – Smith says that while Microsoft is a “Windows company,” a full-fledged version of its flagship OS was too big and unwieldy for what it had in mind.

Third, the chip-OS combo will be integrated with an Azure Sphere cloud security service, designed to keep the devices up to date with security patches for at least 10 years.

Smith says the first Azure Sphere-powered hardware will hit the market later this year, with more details to come.

But, hey, Microsoft is making its own Linux! That’s weird – and yet, it has been a long time coming.

When Satya Nadella took Microsoft’s CEO job in 2014, one of the first things he did was announce that “Microsoft loves Linux.” Since then, Microsoft has added robust support for Linux in its Azure cloud platform while letting developers integrate Linux with their copies of Windows 10.

In 2015, too, Microsoft developed a much smaller Linux-based technology as part of a larger open-source software package.

This, though, is the first time Microsoft developed a version of Linux and then made it the cornerstone of a product offering. It’s just proof that anything is possible.



via:  businessinsider

Planet Fitness evacuated after WiFi network named ‘remote detonator’ causes scare

A Michigan gym patron looking for a WiFi connection found one named “remote detonator,” prompting an evacuation and precautionary search of the facility by a bomb-sniffing dog.

The Saginaw News reports nothing was found in the search Sunday at Planet Fitness in Saginaw Township, about 85 miles (140 kilometres) northwest of Detroit.


Saginaw Township police Chief Donald Pussehl says the patron brought the WiFi connection’s name to the attention of a manager, who evacuated the building and called police. The gym was closed for about three hours as police responded.

Pussehl says there’s “no crime or threat,” so no charges are expected. He notes people often have odd names for WiFi connections.

Planet Fitness says the manager was following company procedure for when there’s suspicion about a safety issue.


via:  windsorstar

Are We Taking Our Online Privacy Seriously Enough?

Technology has become the lens through which we perceive and experience day-to-day life. Take the smartphone as an example. What used to be a technological rarity and business-oriented tool has become the nexus of our personal and recreational lives.

Pew Research Center has found that more than three-quarters (77 percent) of Americans currently own and use Android, iOS, or Windows mobile smartphones. And they found that the percentage is even higher among younger generations. An astounding 92 percent of 18- to 29-year-olds own smartphones.

Of course, smartphones and other portable devices help us access the Internet, which facilitates communication and seamless, simultaneous, and instantaneous sending and receiving of information. We also use it to make purchases.

Source: Statista

In 2017 alone, U.S. citizens spent approximately $780 billion in mobile payments on smartphones, tablets, and other portable devices. And due to the increased frequency with which we’re using mobile shopping apps like Amazon and eBay, peer-to-peer payment services (i.e., PayPal), and even in-app purchases, this figure is expected to surpass $1 trillion in 2019.

For all the benefits (and convenient shopping) the Digital Age has afforded us, the Internet is also a major cause for concern regarding privacy and security. Although a lot of the information that we send and receive over the World Wide Web is innocuous and of nominal importance, we exchange a ton of sensitive data, too.

For instance, data from 2016 showed that 62 percent of Americans managed their finances primarily online rather than in-person. This means lots of credit card and loan applications sent, accounts logged into, balances checked, credit reports requested, and so on over the Internet every day. Even if we only consider banking and finance, that’s a lot of sensitive information – current and past addresses, birth dates, and Social Security Numbers – sent across the web.

We often assume our sensitive data makes it from point A to point B without interference. But in reality, the Internet can be easily misused. If recent news reports are any indication, the safe transmission of our sensitive digital data is not guaranteed.

The very real possibility of getting hacked, having sensitive information captured, or even having one’s identity stolen is something that we should all be prepared for. But relatively few people have taken steps to protect their digital livelihoods.

In fact, individuals usually only take steps to deter the ever-present threats to their digital privacy after they have been the victims of a hacking or another cyber attack.

Why are people so reactionary when it comes to their privacy? Should we be taking our privacy more seriously in this inherently-digital age?

Hacks, snaps, and selfies: Welcome to the Digital Age

Before we discuss issues about privacy, let’s take a second to really digest what it means to be part of “the Digital Age.”

Also commonly referred to as the “Information Age,” “New Media Age,” and “Computer Age,” the Digital Age is the name given to the period we currently find ourselves in. It’s characterized by the shift to “an economy based on information technology.”

Source: Science and Technology Facilities Council

The birth of the Digital Age was the so-called “Digital Revolution.” Whereas the Industrial Revolution saw the extensive use of machinery for the mass-production of goods and availability of services, the Digital Revolution marked a shift from mechanical machinery to digital technologies. More specifically, the Digital Revolution saw us beginning to mass-produce countless consumer products on a global scale. The use of circuit boards, computers, and eventually the Internet also became commonplace.

The digital landscape has evolved quite a bit since the Digital Revolution. The vast majority of our personal devices are extremely portable. And they’re continuously connected to the Internet, allowing us to transmit personal data around the globe on an almost continuous basis.

Similarly, social media has greatly increased the amount of personal data we share. But even before Facebook and Snapchat existed, there were plenty of digital avenues that users could share data on.

What happens to that data once it leaves our devices? As it turns out, the data we share is stored in databases that are scattered across the globe.

For the most part, we don’t worry about the security of our data, but it’s important to note that each of these databases is a point of vulnerability when it comes to data security and personal privacy. That’s because data is not only vulnerable where it’s stored. For every bit of data two people share, both the sender and the receiver have online accounts (i.e., email, social media, cloud storage, or some other digital channel) that can be compromised or hacked.

In case you underestimate how much data we share, the following figures will give you some perspective:

  • About 269 billion emails were sent and received every day in 2017.
  • Seven in ten American adults – and 89 percent of Americans from 18 to 29 years old – are using at least one of the major social networks.
  • There are approximately 6,000 tweets posted to Twitter every second. This equates to about 350,000 tweets per minute.
  • Snapchat users post nearly 9,000 photos to the platform every second.
  • In 2014, a study estimated that about 1.8 billion photos were posted somewhere on the Internet each day, a figure that’s surely higher today.
  • There are currently almost 230 million Facebook users in the U.S. and 2.13 billion Facebook users around the world.
  • Facebook users post over half a million comments, nearly 300,000 status updates, and 136,000 photos to the platform every minute.

It’s not the status updates, comments, and selfies you post to your social media accounts that make you vulnerable. Or not exactly. But every time someone accesses his or her online account, there’s a possibility that someone will hack them.

Worse yet, we’ve seen password database breaches that prove that a person doesn’t even need to be actively accessing an online account via an Internet-connected device (ICD) to have his or her security compromised. In fact, a billion users had their Yahoo! email accounts hacked just recently.

Email addresses are a popular target of hacking, and it makes a lot of sense for a hacker to want access to your email account. After all, we use our emails to create and manage all our other online accounts. Therefore, if someone hacks into your email, then there’s a pretty good chance they can also access your social media accounts, school and work accounts, Google and Apple accounts, banking and financial accounts, and so on.

To make matters worse, most people use a single password for all their online logins, meaning that getting the password to just one online account often means gaining access to most or even all of them. Granted, many of us don’t keep much sensitive data out in the digital open. But there have been a lot of people brought down by damning information uncovered through account hacking like the Ashley Madison scandal of 2015.

We’ve also seen that it’s a bad idea to assume that one’s cloud storage account will keep private photos safe from prying eyes indefinitely. This has backfired on numerous celebrities, including A-listers Jennifer Lawrence and Scarlett Johansson.

Why isn’t security a priority?

The most logical solution to the issue of privacy would be to increase your security. Adopt a complex password that isn’t simply a word in the dictionary. Take advantage of two-factor authentication or biometric security protocols when possible. Implement firewalls that make ICDs more secure as we use them.

However, research shows that we aren’t actually taking the initiative to protect our online privacy until it’s too late. But why?

Most of the hacks we see happening today weren’t as big an issue – or, in some cases, an issue at all – in the earlier days of the Digital Age. In 1995, a hacker couldn’t commandeer someone’s Google account by stealing his or her password because nobody had Google accounts, Twitter accounts, Facebook accounts, or numerous ICDs lying around their homes at that time.

As our Internet usage became more intensive and gave rise to additional security vulnerabilities, there was a collective failure to accommodate the increased risk by commensurately escalating our security practices.

Another inherent problem is that most people prioritize convenience over security. While fingerprint sensors and facial recognition have made more robust security protocols accessible and mainstream, the most effective deterrents for hacking require that we add more steps to the login process. In other words, it requires us to sacrifice some convenience.

Two-factor authentication, for instance, requires a user to provide his or her password to trigger an email or SMS message with a temporary code. In turn, the user must provide this code as a follow-up to the password, serving as additional proof of identity before gaining access to the account.

Source: Google

The entire process takes only a moment longer than using just a password, and it offers a much greater level of security. Unfortunately, most users don’t use two-factor authentication because they see it as being more complicated (and taking much longer) than simply entering a password.
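The two-step flow described above (password first, then a short-lived temporary code), as an added example that is not part of the original article. The code is a self-contained sketch with a fake delivery channel and a fake clock so it runs offline; all names (`LoginService`, `SecondFactor`, `run_demo`) and the five-minute expiry and three-attempt limit are assumptions for illustration, not a reproduction of any real provider's implementation.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a temporary code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: a code is discarded after three wrong guesses


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked password database is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecondFactor:
    """Issues and verifies the temporary code that follows a correct password.

    The code is stored only as a salted hash, is single-use, expires, and
    allows a bounded number of guesses (assumed design, see lead-in).
    """

    def __init__(self, send, clock=time.time):
        self._send = send      # stand-in for the email/SMS channel
        self._clock = clock
        self._pending = {}     # username -> [salt, code_hash, expires_at, attempts]

    def issue(self, username: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six random digits
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[username] = [salt, digest, self._clock() + CODE_TTL_SECONDS, 0]
        self._send(username, code)

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]          # expired or locked: force a new code
            return False
        entry[3] += 1
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[username]          # single use: a replay must fail
            return True
        return False


class LoginService:
    def __init__(self, send, clock=time.time):
        self._users = {}       # username -> (salt, password_hash)
        self._factor = SecondFactor(send, clock)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        """Step one: the password. Returns True only if a code was issued."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return False
        self._factor.issue(username)
        return True

    def complete_login(self, username: str, code: str) -> bool:
        """Step two: the temporary code as follow-up proof of identity."""
        return self._factor.verify(username, code)


def run_demo() -> dict:
    """Walks the flow with constructed inputs and returns each outcome."""
    outbox = {}                       # captures what the 'SMS' channel would send
    now = [1_700_000_000.0]           # controllable clock for the expiry case
    svc = LoginService(send=lambda user, code: outbox.__setitem__(user, code),
                       clock=lambda: now[0])
    svc.register("alice", "correct horse battery staple")
    results = {}
    results["wrong_password"] = svc.login("alice", "letmein")        # no code issued
    results["right_password"] = svc.login("alice", "correct horse battery staple")
    wrong = "000000" if outbox["alice"] != "000000" else "111111"
    results["wrong_code"] = svc.complete_login("alice", wrong)
    results["right_code"] = svc.complete_login("alice", outbox["alice"])
    results["replayed_code"] = svc.complete_login("alice", outbox["alice"])
    svc.login("alice", "correct horse battery staple")
    for _ in range(MAX_ATTEMPTS):
        svc.complete_login("alice", wrong)
    results["locked_after_attempts"] = svc.complete_login("alice", outbox["alice"])
    svc.login("alice", "correct horse battery staple")
    now[0] += CODE_TTL_SECONDS + 1    # let the code expire
    results["expired_code"] = svc.complete_login("alice", outbox["alice"])
    return results
```

The extra moment the article mentions is the `complete_login` call; the expiry, single-use and attempt limit are what stop a captured or guessed code from being reused.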

The tendency for many people to prioritize convenience over security isn’t a new phenomenon. Before the Internet became the best thing since sliced bread, our forebears showed this tendency by choosing postcards over letters. And we continue to show it anytime we’re willing to pay a premium for convenience and ease of access.


Source: Frank on Fraud

When it comes to security breaches, there’s a popular misconception. People think, “That would never happen to me. Why would hackers target a random, inconsequential person when they can focus their energies on politicians, celebrities, and other persons of interest?”

For one thing, the people many of us would assume to be obvious targets for cyber attacks are actually the ones who are best prepared for them.

Although hacking a public figure is far from impossible – just ask former presidential candidate Hillary Clinton – it’s more likely that such individuals have taken steps to minimize the likelihood that their privacy would be compromised. They’ve probably implemented more robust security than the average John Smith or Jane Doe would.

By comparison, the average person probably doesn’t know much about cybersecurity or the countermeasures they can take to prevent breaches of privacy, which makes the seemingly inconsequential people the easiest targets.

Let’s not forget that as security methods become more robust, hacking methods become more advanced, too. Today’s hackers are more experienced, organized, and have more funding than ever before, making them increasingly efficient when it comes to finding chinks in the digital armor.

In 2018, many security experts have begun turning their focus to cloud storage, which is a logical target for hackers who are after your data. However, technology is ever-changing, so the threats we see today are likely to be quite different from the threats we might see ten years from now.

Finally, it’s worth noting that hackers usually play the long game. For this reason, many of us will downplay the threat of a security breach since the consequences of getting hacked — if there are any notable consequences at all — may not become apparent until many years later (if ever).

But is this a gamble anyone really wants to take?


via:  tripwire

Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer


Internet-connected technology, also known as the Internet of Things (IoT), is now part of daily life, with smart assistants like Siri and Alexa to cars, watches, toasters, fridges, thermostats, lights, and the list goes on and on.

But of much greater concern, enterprises are unable to secure each and every device on their network, allowing cybercriminals to hold their network hostage with just one insecure device.

Since IoT is a double-edged sword, it not only poses huge risks to enterprises worldwide but also has the potential to severely disrupt other organizations, or the Internet itself.

There’s no better example than Mirai, the botnet malware that knocked the world’s biggest and most popular websites offline for a few hours over a year ago.

We have another great example that showcases how one innocent looking insecure IoT device connected to your network can cause security nightmares.

Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at an event in London on Thursday how cybercriminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino.

According to what Eagan claimed, the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and “then pulled it back across the network, out the thermostat, and up to the cloud.”

Although Eagan did not disclose the identity of the casino, the incident she was sharing could be from last year, when Darktrace published a report [PDF] referencing a thermometer hack of this sort on an unnamed casino based in North America.

The adoption of IoT technology raises concerns over new and more imaginative cybersecurity threats, and this incident is a compelling reminder that the IoT devices are theoretically vulnerable to being hacked or compromised.

“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices,” said Eagan. “There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”

Manufacturers focus mainly on the performance and usability of IoT devices but neglect security measures and encryption mechanisms, which is why these devices are routinely hacked.

Therefore, people can hardly do anything to protect themselves against these kinds of threats until IoT device manufacturers promptly secure their devices and patch every security flaw or loophole that might be present in them.

The best way to protect yourself is to connect only necessary devices to the network and place them behind a firewall.
Also, keep your operating systems and software up to date, use a good security product that protects all the devices within your network, and most importantly, educate yourself about IoT products.


via:  thehackernews

Ransomware Named Most Prevalent Malware in Verizon’s 2018 DBIR

Verizon Enterprise has named ransomware the most prevalent variety of malware in its 2018 Data Breach Investigations Report (DBIR).

For the 11th edition of its report, Verizon Enterprise analyzed 53,308 incidents with 2,216 confirmed data breaches. Researchers with the American multinational telecommunications conglomerate found that three in 10 incidents included malware. Of those that did, ransomware made itself known in 39 percent of cases.

Gabe Bassett, senior information security data scientist at Verizon and co-author of the DBIR, told TechRepublic he’s seen ransomware grow significantly since the company first discussed the threat in its 2013 report:

Ransomware has doubled year over year again—it happened last year as well. The reason we’re seeing this incredible prevalence is ransomware is a great value proposition for the attacker. They don’t have to do a lot of the complex work. They just drop a piece of malware and then let it run.

Criminals don’t even have to build their own crypto-malware families. Ransomware-as-a-service (RaaS) platforms like Data Keeper make it easy for affiliates with little-to-no technical skills to conduct their own attack campaigns across numerous devices including desktops and network assets.

Compared to other threats, ransomware also does not impose significant costs or risks on the attacker, nor does it require adversaries to monetize victims’ stolen data after a successful infection. It’s self-contained and leverages its built-in cryptographic functionality to generate profits for a bad actor.

Verizon’s 2018 Data Breach Investigations Report (DBIR) page 14

Another reason why ransomware is so prevalent is the fact that employees continue to fall for social attacks. Verizon detected 1,450 such incidents with 381 confirmed data breaches in its report. The vast majority of those leveraged phishing at 1,192 incidents with 236 instances of confirmed data disclosure. Pretexting, a common type of phishing, registered 170 incidents with 114 confirmed data breaches for the year.

With respect to success rates, researchers with Verizon Enterprise found that 78 percent of employees didn’t click on a phishing link all year. But it uncovered that four percent of targets in any campaign did, and that the number of malicious emails an employee had opened in the past increased their chances of clicking on an attack link in the future.

To protect against these threats, Verizon recommends that organizations log files, monitor for changes and patch their systems promptly.

Organizations should also implement measures to prevent a crypto-malware infection as well as train their employees to be the first line of defense against phishing attacks and other threats.


via:  tripwire

Navigating the Tech Industry’s ‘Great Shakeout’: Expert’s Advice for Securely Migrating to the Cloud

All indications suggest organizations’ adoption of the cloud is going to ramp up considerably in the next few years. According to Cisco’s Global Cloud Index: Forecast and Methodology (2016–2021) white paper, cloud data centers will process 94 percent of workloads and compute instances by 2021. Close to three-quarters of those resources will be Software-as-a-Service (SaaS) assets processed in the public cloud.

Global digital security strategist Ian Trump thinks these trends suggest the world is moving away from on-premise and private cloud data centers. Trump believes those developments could profoundly change how businesses deliver their services and how security teams work to protect those services.

For that reason, he recommends companies seriously consider migrating to the cloud if they haven’t done so already:

“A great shakeout in the tech industry is coming. If your business can’t afford to move to public cloud SaaS from its existing systems, a scrappy cloud startup is going to take your lunch money on the playground. For those in the current security space, adapt to this SaaS trend or become irrelevant to business,” warns Trump.

Of course, organizations can’t just pick up and move all their IT resources to the cloud. They need to keep a few security concerns in mind if they decide to migrate. First and foremost, companies need to figure out what type of deployment model will work best for them.

“I’m an advocate of migrating to the cloud and the intrinsic of having improvements in security and compliance driven by multiple other clients, but this doesn’t mean you can set it and forget it,” explains Matthew Pascucci, Cyber Security Practice Manager at CCSI. “When migrating to the cloud, the deployment model is important to understand first. Will you be in a private, public, SaaS, or PaaS infrastructure? Understanding this will allow organizations to get a better feel for where their risks lie,” Pascucci says.

Companies must then formulate a security strategy for the applications and other assets that they’ll actively deploy in the cloud. Whitney Champion, a Senior Systems Architect, feels organizations need to go through this assessment by asking themselves if they intend to review their code and how regularly they’ll do so, how they’ll set up networks, and what operating systems they’ll use.

According to Champion, doing so can further elevate organizations’ awareness of the issues involved with cloud migration:

“It is crucial to be aware that not every cloud provider is the same, and many of these processes will be implemented differently across different platforms. Each organization needs to be mindful of these requirements and perform their due diligence to be prepared for the implications of moving any of their systems to the cloud,” she says.

Once companies have figured out what they want out of their cloud environment, it’s time for them to begin looking for a cloud service provider (CSP) that meets their needs. Digital security specialist Zoe Rose thinks companies should choose their CSP carefully. That’s especially the case if they’re looking to host sensitive data in the cloud.

“The cloud is simply computers someone else has ownership of and maintains,” Rose notes.

“If information is highly sensitive, you will want to review contractual requirements on security, patch management, and reporting of incidents for the third-party hosting company along with your agreed requirements with the data owners,” added Rose.

At this point in the migration process, it’s important to remember that signing a contract doesn’t mark the end of an organization’s responsibility for its cloud-based data. Under the Shared Responsibility Model, CSPs are responsible only for security of the cloud, that is, the infrastructure which supports their cloud computing services. Organizations remain responsible for security in the cloud, that is, taking adequate measures to protect their own data.

According to Ean Meyer, security controls for the cloud should factor into companies’ strategies for how to defend their cloud-based data against digital attackers.

“All too often, companies taking their first steps into the cloud make the mistake of believing security will be completely handled by their cloud hosting provider. Don’t make this mistake,” says Meyer.

“Take time to evaluate your current controls and look at how to enable them in your cloud instances. Once you have your existing controls in place, look at what additional controls cloud deployments can offer. Cloud systems often offer security features that many organizations couldn’t deploy on-premise. If you keep these things in mind when you start to migrate to the cloud, you will be well on your way to making the right security decisions,” suggests Meyer.

Stay tuned for a future post that explores these security controls for the cloud in detail.


via:  tripwire

The internet’s worst-case scenario finally happened in real life: An entire country was taken offline, and no one knows why

Figure: A map of undersea internet cables showing Mauritania’s single link to the global infrastructure. (TeleGeography)

  • Mauritania was taken offline for two days late last month after a submarine internet cable was cut.
  • No one knows why or how it was cut, though Sierra Leone’s government appears to have interfered with its citizens’ internet access around that time.
  • Undersea web cables are uniquely vulnerable to sabotage.
  • UK and US military officials have previously indicated that Russia is capable of trying something like this, though there is no indication that it was involved in this break.

For years, countries have worried that a hostile foreign power might cut the undersea cables that supply the world with internet service.

Late last month, we got a taste of what that might be like. An entire country, Mauritania, was taken offline for two days because an undersea cable was cut.

The 17,000-kilometer African Coast to Europe submarine cable, which connects 22 countries from France to South Africa, was severed on March 30, cutting off web access partially or totally to the residents of Sierra Leone and Mauritania.

It also affected service in Ivory Coast, Senegal, Equatorial Guinea, Guinea, Guinea Bissau, Liberia, Gambia, and Benin, according to Dyn, a web-infrastructure company owned by Oracle.

Figure: The ACE cable. (Oracle Dyn)

It is not clear how the cable was cut. But the government of Sierra Leone seems to have imposed an internet blackout on the night of March 31 in an attempt to influence an election there.

There had not been a significant outage along the cable in the past five years.

Loss of service to Mauritania was particularly severe, as the Dyn chart below shows.

“The most significant and longest-lasting disruption was seen in Mauritania, with a complete outage lasting for nearly 48 hours, followed by partial restoration of connectivity,” David Belson wrote in a Dyn research blog on Thursday.

Figure: Dyn chart of the ACE cable outage. (Oracle Dyn)

The international cable system has several levels of built-in redundancy that allowed providers such as Africell, Orange, Sierra Leone Cable, and Sierratel to restore service.

But the break shows just how vulnerable the worldwide web is to the simple act of cutting a cable. About 97% of all international data is carried on such cables, according to the Asia-Pacific Economic Cooperation forum.

Here’s a map from the telecom analytics company TeleGeography of the cables in Europe:

Figure: Map of undersea internet cables in Europe. (TeleGeography)


And those connecting the US:

Figure: Map of undersea internet cables connecting the US. (TeleGeography)


UK and US military intelligence officials have repeatedly warned that relatively little is done to guard the safety of the cables and that Russia’s navy continually conducts activities near them.

In 2013, three divers were arrested in Egypt after attempting to cut submarine web cables.

“In the most severe scenario of an all-out attack upon undersea cable infrastructure by a hostile actor the impact of connectivity loss is potentially catastrophic, but even relatively limited sabotage has the potential to cause significant economic disruption and damage military communications,” James Stavridis, a retired US Navy admiral, said in a 2017 report for the think tank Policy Exchange.

“Russian submarine forces have undertaken detailed monitoring and targeting activities in the vicinity of North Atlantic deep-sea cable infrastructure,” he added.

There is no indication that Russia was involved in the ACE breakage. But military strategists are likely to study the Mauritania break as an example of the effect of knocking a country off the web by cutting its cables.


via:  businessinsider

Cloud vs. On-Premises: Understanding the Security Differences

More and more organizations are now entrusting their IT resources and processing to the cloud. This trend is likely to grow in the coming years. To illustrate, Gartner predicts that cloud data centers will process 92 percent of workloads by 2020. Cloud workloads are expected to increase 3.2 times in that same span of time, Cisco forecasts.

With migration on their minds, many organizations are beginning to wake up to the security challenges of hosting their data in the cloud. Some might be struggling to identify who’s responsible for their cloud security under the shared responsibility model with their chosen cloud service provider (CSP). Others might look at OneLogin and worry about falling victim to a breach that compromises their cloud-based data, not to mention succumbing to other threats that jeopardize their cloud security.

These concerns are all valid. But while cloud security does have its challenges, it’s not impossible to figure out.

Australian web security expert Troy Hunt recommends that organizations begin by not thinking about cloud security in a binary mode. He recommends adopting a conceptualization that involves “differently secure” aspects of the cloud as opposed to elements that are “secure” or not. The same goes for securing the cloud versus securing physical hardware and datacenters.

“On the one hand, you may hand over physical control, but on the other hand, you’re almost certainly doing so to an organization better-equipped to manage computing environments than your own,” Hunt observes. “Then there are concerns around the increased attack surface of putting services in the cloud, but there’s great things that can be done with virtualized networks and access to features that were previously cost-prohibitive for many organizations (WAFs, HSMs, etc.). So think of the cloud as ‘different’ and make the most of those hybrid scenarios where you can gradually move assets across in a fashion that suits your own organization’s comfort level.”

The cloud is certainly different from on-premises resources, so it makes sense that security would be different, too. It follows that organizations must sometimes rethink how they’re currently doing things with respect to implementing security in the cloud.

Adrian Sanabria, Director of Threatcare, says it’s not possible for companies to just “lift and shift” to Amazon Web Services (AWS) or Microsoft Azure without inviting a very expensive disappointment. Instead they must pay attention to the differences and use them. With that said, one of the most important differences in the cloud for Sanabria is the management plane:

“Since everything in the cloud is virtualized, it’s possible to access almost everything through a console. Failing to secure everything from the console’s perspective is a common (and BIG) mistake. Understanding access controls for your AWS S3 buckets is a big example of this. Just try Googling “exposed S3 bucket” to see what I mean.”
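As an added example, not code from the article or from anyone quoted in it, the following Python check illustrates Sanabria’s point about S3 access controls: it parses a bucket policy document and flags Allow statements granted to any principal, with a constructed publicly readable policy shown beside a constructed restricted one. The bucket name, role ARN and account id are placeholders; in practice the policy string would come from the S3 API (get_bucket_policy), which is assumed here rather than called.

```python
import json

# Constructed sample (not from the article): a policy that lets anyone on the
# Internet list and read the bucket - Principal "*" on an Allow, no Condition.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the same bucket limited to one IAM role (placeholder
# account id), plus a TLS-only Deny.  A Deny to "*" restricts, it does not expose.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

def _is_anonymous(principal):
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statement_ids(policy_json):
    """Sids of Allow statements open to any principal.  Conditioned Allows to "*"
    are reported as well; whether the Condition truly limits exposure needs review."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts   # single statement form
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))]
```

Running the check over every bucket in an account, alongside the account-level S3 Block Public Access setting, turns the “exposed S3 bucket” problem into a routine inventory item rather than a surprise.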

Consoles aren’t the only factor that separates the cloud from physical hardware. Craig Young, a security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), says the ways in which organizations can choose to process data in the cloud also stand out:

“Cloud service providers allow customers to build complex private network environments suitable for processing even the most sensitive data. The confidentiality of this data rests on security controls unlike those commonly used on-premise, and a slight mistake can ultimately expose this sensitive data to the public Internet. Network administrators need to keep a close eye on the external view of all IP space allocated for their cloud. Vulnerability scanners like Tripwire IP360 make it easy to recognize exposed services and close them up before attackers can exploit them.”

Understanding how cloud security differs from datacenter security is crucial for organizations. They need that knowledge not only to migrate to the cloud. It’s also essential for companies to implement security controls once they’ve completed the move.


via:  tripwire