Archive for the ‘Security’ Category
Thursday, April 10th, 2014
By Allan Maurer
UPDATED! ATLANTA – If you haven’t heard about the nasty Internet bug dubbed “Heartbleed” by now, you should immediately find out about it because you probably need to take action. So do IT administrators, likely in a time-consuming job that has to be done by hand, says Adam Allred of the Georgia Tech Information Security Center (GTISC) in Atlanta.
In brief, a major security flaw in the encryption software used by many web sites – including Gmail, Yahoo, Tumblr, and many others – means hackers potentially had or have access to users’ personal information, which may include credit card numbers, log-in passwords, and more.
It also means you’ll probably have to change some passwords to be safe. Experts say change your Yahoo password right away, as well as your Gmail password, although both sites have since patched the problem.
Amazon, Evernote, Microsoft, and others were not affected. Mashable published this “Heartbleed Hit List” of which sites were affected and which passwords you may need to change.
Reports this morning (Friday, 4/11/2014) say the bug is also in Cisco and Juniper Network routers, firewalls and networking equipment used by many businesses. The necessary fixes could take a long time, and one source says the fix may be “A trip to the trash can and Best Buy.”
Allred says the question he’s been asked most today as a computer security expert is “How important is it really? Is it really that bad?” What makes it so important?
We’ve gotten used to these security breaches cropping up almost daily, but this one really is different, Allred tells the TechJournal. Why?
“Because,” he says, “it’s logistically difficult. People have to do more work by hand to get the problem solved; patching alone is not enough.”
Also, and probably the scariest part, is that the flaw in OpenSSL allows the theft of private keys, Allred says. They can be exposed anonymously, with the user none the wiser until the consequences show up. Attackers can do this via just this one exploit, which makes it worse, he adds.
“On many servers that used OpenSSL today, if you can obtain the private key, you can use it to decrypt any information ever encrypted on that server.” Yikes!
Does this have to keep going on, these terrible security breaches affecting not just millions of people but, in this case, almost anyone using the Internet? There is a security process that would prevent this particular sort of problem.
That’s “Perfect Forward Secrecy.” It uses a temporary set of keys for each user session. A hacker might conceivably obtain one key, but it wouldn’t work on everything ever encrypted and would only affect one person, not everyone who came along in the past.
“It’s already found in many modern browsers. Firefox, Chrome and Explorer all have the capability. It’s relatively new in encryption and requires changes on the server side. But there are already concepts and ideas that would help. We just have to turn it on everywhere.”
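To make the distinction Allred draws concrete, here is an added example (not from the article or from GTISC) that models the two situations: a server that derives every session secret from one long-term key, and a server that draws a fresh, throwaway key per session and discards it. It then plays the Heartbleed scenario, an eavesdropper who recorded the traffic and later obtains the server’s long-term private key, against both. The Diffie-Hellman group below is a toy (a 61-bit prime) chosen so the arithmetic is readable; real TLS uses 2048-bit groups or elliptic curves, and the static case stands in for TLS’s older RSA key transport, which likewise ties every session to the long-term key.

```python
"""Why forward secrecy limits the damage of a leaked server key (toy model).

Added illustration, not code from the article. Group parameters are a toy
chosen for readability only; they are not secure for real use.
"""
import hashlib
import secrets

P = (1 << 61) - 1   # toy prime modulus (constructed for illustration only)
G = 5               # toy generator


def keypair():
    """Return (private exponent, public value) for one Diffie-Hellman party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Derive a session key from the shared Diffie-Hellman secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).hexdigest()


def run_sessions(n, ephemeral):
    """Simulate n client sessions against one server.

    Returns (transcripts, server_long_term_priv, session_keys).
    transcripts holds what a passive eavesdropper can record: the public
    values sent in each handshake.  With ephemeral=False the server reuses
    its long-term key for every session; with ephemeral=True it generates a
    fresh key per session and throws the private half away afterwards,
    which is the "temporary set of keys for each user session" the article
    describes.
    """
    server_long_priv, server_long_pub = keypair()
    transcripts, keys = [], []
    for _ in range(n):
        client_priv, client_pub = keypair()
        if ephemeral:
            srv_priv, srv_pub = keypair()
        else:
            srv_priv, srv_pub = server_long_priv, server_long_pub
        key = session_key(srv_priv, client_pub)
        assert key == session_key(client_priv, srv_pub)  # both sides agree
        transcripts.append((client_pub, srv_pub))
        keys.append(key)
        del srv_priv, client_priv  # per-session private values are not retained
    return transcripts, server_long_priv, keys


def attacker_recovers(transcripts, leaked_server_priv):
    """Attacker later obtains the server's long-term private key (as with
    Heartbleed) and replays it against every recorded handshake."""
    return [session_key(leaked_server_priv, client_pub) for client_pub, _ in transcripts]


def sessions_exposed(n, ephemeral):
    """Number of the n recorded sessions the attacker can decrypt."""
    transcripts, leaked_priv, real_keys = run_sessions(n, ephemeral)
    guesses = attacker_recovers(transcripts, leaked_priv)
    return sum(g == r for g, r in zip(guesses, real_keys))


if __name__ == "__main__":
    print("static server key, sessions exposed:", sessions_exposed(5, ephemeral=False))
    print("ephemeral per-session keys, exposed:", sessions_exposed(5, ephemeral=True))
```

With a static key every recorded session falls; with ephemeral keys the leaked long-term key gives the attacker nothing about past sessions, because the values that produced those session keys no longer exist anywhere. In real deployments the long-term key is still used to sign the ephemeral values so the client knows who it is talking to, which is why the server-side change the article mentions is needed: the cipher suites that do this (DHE and ECDHE) have to be enabled and preferred.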
In general, though, no one has yet come up with a “forever solution,” and whoever is able to write that solution will be a very popular and rich person.
Forbes had this to say on Heartbleed. “Avoiding Heartbleed Hype.”
If you want to avoid hype and hear the real deal from digital thought-leaders from brands including Google, Bing, Yahoo, and Huffington Post, but also tech icons such as Apple co-founder Steve Wozniak, check out the Digital Summit Atlanta, May 20-21.
Tuesday, August 6th, 2013
So what’s next on the cybercrime front? Persistent spear phishing, say researchers.
The American public and businesses today are under a constant, ever-growing threat of attack from cybercriminals attacking as many people and businesses as quickly as possible in order to access large amounts of sensitive information.
In the first half of 2012 alone, there was an average of almost 33,000 phishing attacks per month, with an estimated worldwide loss of nearly $700,000,000 from phishing scams alone (1). Internet security awareness training firm KnowBe4 has long spoken out about the rise of cybercrime, and is now predicting an unprecedented level of hacking—persistent spear phishing.
Usually conducted by criminals
Spear phishing consists of a phony, but authentic-looking, e-mail designed to target a particular individual or organization, in an attempt to “fish” out valuable information for financial, business or military gain.
It differs from traditional phishing attacks in that it is not typically initiated by indiscriminate hackers, but rather is more likely to be conducted by criminals out for financial gain, trade secrets or military information.
Recent government inspired cyber attacks on US businesses, organizations and government entities reportedly used this technique successfully.
KnowBe4 founder, Stu Sjouwerman, says that criminals are now becoming relentless in their attempts, and will continuously attack the same target until they get the information they seek, an act he has coined “persistent spear phishing.” And these attacks, per Sjouwerman, leave both businesses and the general public at risk of being targeted:
- 45% of banks have seen an increase in spear phishing attacks targeting employees over the last year;
- Criminals target consumers by relying on personal information collected from public posts on social media sites and blogs, as well as with data collected from other breaches, to make the fraudulent e-mails appear legitimate. They ultimately convince consumers to click links that take them to spoofed sites which contain malware, or to provide login usernames and passwords that allow the attackers to compromise online banking accounts (2).
“Spear phishing creates a domino effect—once a business has been infiltrated, a hacker potentially has access to everything,” said Sjouwerman. “At that point, all the company can do is attempt to halt the attack and recover any stolen information. But the best bet is to prevent these incidents from occurring in the first place.”
Avoid Becoming a Spear Phishing Victim
Sjouwerman insists that businesses and the public can limit their risk of falling victim to persistent spear phishing attempts by remembering the following:
- Be wary of e-mails that appear to be genuine but redirect to strange or unknown links.
- Never click a link to a website contained within an e-mail—always enter the URL manually instead or through a bookmark.
- Legitimate businesses will never request personal information via e-mail. Never reply to an e-mail providing any sensitive information—if in doubt, contact the business directly using a verified telephone number.
- Keep the Operating System, third party applications, firewalls and antivirus software constantly updated. Many browsers come with phishing filters, and these should be enabled for better protection against attacks.
Employee awareness training may help
In addition to the above tactics, Sjouwerman suggests that business owners consider educational resources for employees.
“For business owners looking to introduce security awareness training programs, engaging employees with an actual encounter of being spear-phished by sending out mock spear phishing e-mails is often an effective measure,” said Sjouwerman.
“Imitated persistent spear phishing e-mails present a memorable and highly relevant experience to employees, and also train them to properly react when a spear phishing attempt arrives in their inbox. Employee education and heightened awareness are more important than ever.”
KnowBe4 provides an extensive collection of free cybercrime education resources so that executives and system administrators can arm themselves and their staff against cyberattacks. The company also offers a free phishing security test to help business owners and managers determine what percentage of employees are Phish-prone™, or susceptible to phishing attacks.
For more information, visit KnowBe4 online at www.knowbe4.com.
1. “Phishing in Season: A Look at Online Fraud in 2012.” RSA.com. RSA FraudAction Research Labs, n.d. Web. 19 Feb. 2013. blogs.rsa.com/phishing-in-season-a-look-at-online-fraud-in-2012/.
2. Kitten, Tracey. “FBI Warns of Spear-Phishing Attacks.” Bankinfosecurity.com. Bank Info Security, 02 July 2013. Web. 25 July 2013. bankinfosecurity.com/fbi-warns-spear-phishing-attacks-a-5878/op-1.
Monday, August 5th, 2013
This is scary, but it’s no wonder Chinese and other hackers are so successful at breaking and entering enterprise networks.
Lancope, Inc., a leader in network visibility and security intelligence, has released a survey indicating that many enterprises possess an unrealistic confidence surrounding the security of their networks. According to the survey, more than 65 percent of IT/security professionals did not think, or were unsure whether, they had experienced any security incidents within the last 12-18 months.
While we can understand confidence if it is deserved, we question how much confidence they should have if they don’t know or are unsure whether they have had a break-in.
According to Lancope’s director of security research, Tom Cross, such confidence is not likely to be warranted. “Any system you connect to the Internet is going to be targeted by attackers very quickly thereafter,” he said. “I would assert that if you’re unsure whether or not your organization has had a security incident, the chances are very high that the answer is yes.”
A third think security violations did not affect them
The survey also revealed that 38 percent believe recent security incidents had no impact on their organization. According to Cross, “even the most basic malware infection has some financial cost to the organization, even if it’s just the cost to clean infected machines. Not to mention the additional serious consequences that can result from a breach, including data loss, customer distrust, regulatory fines and many others.”
We’ve had our own problems with the explosion of malware attacks at the TechJournal and controlled it only via continual pro-active effort. Those attacks can cripple your SEO and harm your reputation.
Nearly 18 percent of respondents did admit to recently suffering from malware, and 16 percent said they had been the victim of distributed denial-of-service (DDoS) attacks. It is possible that many of these organizations have also suffered from other, more stealthy attacks and are just not aware. Insider threats, for example, can be difficult to detect because attackers have authorized access to the data they are looking to steal. Advanced, external attackers can also fly under the radar by constructing attacks that are likely to evade commonplace network security solutions.
Organizations were more realistic when evaluating the potential risk of insider threats to their infrastructure, with 32 percent naming it as one of the greatest risks. However, this concern was far overshadowed by fears associated with BYOD and mobile devices, coming in at over 50 percent. Because traditional security strategies cannot be easily applied to employee-owned assets, enterprise security professionals suffer from a lack of network visibility when it comes to mobile devices. This blind spot is obvious; but what about the blind spots that organizations don’t realize they have?
Areas of blind spots within the typical enterprise are many, including applications, network traffic, network devices, user activity, virtualized appliances and data centers, to name a few. Lancope was encouraged to also see “lack of visibility” top the list of greatest risks identified by survey participants, as well as “monitoring user activity” designated as a key challenge. Technologies like NetFlow can provide the much-needed visibility that many organizations currently lack.
“Organizations need to make sure that, when faced with the inevitable, they can identify an incident as quickly as possible,” said Cross. “With new attacks making headlines on a nearly weekly basis, it’s time for organizations to take a more strategic, holistic approach when it comes to network security.”
To access the full Lancope survey, go to: http://www.lancope.com/files/documents/Industry-Reports/Lancope-Security-Report-2013.pdf.
Wednesday, June 12th, 2013
Managing application connectivity has become the number one firewall management challenge, according to a recent survey by Tufin Technologies.
This survey, conducted in April at InfoSecurity, was designed to get a better understanding of the problem. 105 IT professionals, ranging from network administrators to CIOs, reported that network security teams deploy applications based on incomplete or inaccurate connectivity data, resulting in delays, downtime, and unnecessary risk and compliance exposure.
Application Connectivity Challenges: A Quick Overview
- 1/3 of the sample report their organization has more than 500 applications, 74% report they will be deploying up to 100 new applications this year.
- There is little standardization as to how organizations structure Application Connectivity processes. Network Operations teams work mainly with Application Owners (30%), but other Application Connectivity stakeholders include App Developers (26%), other network engineers (16%), or any variety of other parties such as a consultant, a VAR, the application vendor or an MSP (29%).
- When it comes to determining connectivity requirements, 72% report they are given a list of ports to open. 19% look it up on the Internet, 13% look at logs, and 9% rely on trial and error.
Impact on Business Agility
- 55% report that applications are not deployed correctly the first time, mainly (67%) due to incorrect or missing connectivity data.
- 1/3 report the Service Level Agreement (SLA) for application-related firewall changes is a week or more; 81% believe it should be between 1-3 days.
- When asked what would enable a faster SLA, 1/3 cited more accurate information from application owners, 26% said knowing what ports to open, and 24% said faster risk/compliance approvals.
Impact on Security and Compliance
- Administrators often have no insight into why a rule was created. 41% either use the (limited) firewall comments field or rule base sections to document the business justification for a rule. 13% don’t document at all.
- 40% are not notified when an application is decommissioned.
- 30% take a “best effort” approach to remove unneeded connections when an application is decommissioned. 1/6 of respondents do nothing to decommission applications.
“This survey highlights the fact that security engineers are having to adopt new processes on the fly – processes that require them to interact with a new set of stakeholders,” said Reuven Harrison, CTO, Tufin.
“As a result they are not just changing who they work with but how they work. Anyone who has experienced this kind of change knows it is not easy.”
Tuesday, June 11th, 2013
People have said they would rather give up sex than lose their smartphone, and we know folks equally attached to a tablet computer. So a new app from McAfee and Intel that offers protection against loss or theft of mobile devices may do well.
The app’s feature, called Smart Perimeter, thwarts loss or theft by creating a perimeter that allows devices to track each other and alerts the user immediately when their Android smartphone or tablet moves out of the pre-defined range created among the devices.
The Smart Perimeter feature, created jointly by Intel and McAfee, solves challenges associated with multi-device growth.
The McAfee Mobile Innovations app is a free application that is available today in the Google Play marketplace https://play.google.com/store/apps/details?id=com.mcafee.mmi&feature=search_result#?t=W10.
According to recent research, 60% of US consumers own a smartphone and 39% own a tablet, and half of consumers say they would rather lose their purse or wallet than their smartphone. Despite that fact, a mere 20% of multiple device owners have security software on their smartphones and even fewer (13%) have security on their tablet.
“The McAfee Mobile Innovations app will help us to obtain users’ input on device and web security, as well as strengthen anti-theft and privacy measures to protect personal data,” said Lianne Caetano, director of consumer mobile product marketing at McAfee.
The suite of capabilities in McAfee Mobile Innovations app today addresses a variety of threats to users on mobile devices. Features include:
- Smart Perimeter – Prevents theft or loss of consumer devices by creating a perimeter that can enable devices to track each other and alerts the user immediately. By linking multiple devices together, users are alerted when they are separated by more than 30 feet via an alarm helping consumers to quickly identify and recover their devices.
- Safe QR Code Reader – Ensures QR codes are safe for browsing and alerts users of malicious codes at the point of scanning.
- Data Vault – PIN protects private photos, videos and documents from prying eyes, locally on devices (Note: The app user will be prompted to download McAfee Mobile Security — to use the data vault feature – no purchase is required).
The McAfee Mobile Innovations features are currently in public beta in English and will allow users to test and provide feedback via email or community forum to the McAfee Mobile Security team in order to shape and enhance future versions of the app.
Thursday, June 6th, 2013
The majority of businesses (79%) had a mobile security incident in the past year, and the costs are substantial. A new report from Check Point Software Technologies found mobile security incidents tallied up to over six figures for 42 percent of businesses, including 16 percent who put the cost at more than $500,000.
From smartphones to tablets, mobile devices continue to cause ongoing concern for IT teams responsible for information security. Sensitive corporate information can be easily transported, leaked, or lost, while the Bring Your Own Device (BYOD) movement has dramatically increased the number of expensive security incidents.
Even so, corporate information, including sensitive customer information, is increasingly stored on personal mobile devices and not managed by corporate IT.
Based on a survey of nearly 800 IT professionals, the report quantifies the dramatic growth of BYOD, exposes the frequency and cost of mobile security incidents, and identifies the main challenges faced by businesses of all sizes.
Key findings include:
- Surge in Personal Mobile Devices Connecting to the Corporate Network – Among companies that allow personal mobile devices, 96 percent say the number of personal devices connecting to their corporate networks is growing, and 45 percent have more than five times as many personal mobile devices as they had two years ago.
- Mobile Security Incidents Common and Costly for Businesses Large and Small – More than half (52%) of large businesses report mobile security incidents have amounted to more than $500,000 in the past year. Even for 45 percent of SMBs with less than 1000 employees, mobile security incidents exceeded $100,000 in the past year.
- Mobile Platform with the Greatest Perceived Security Risks – Android was cited by 49 percent of businesses as the platform with the greatest perceived security risk (up from 30 percent last year), compared to Apple, Windows Mobile, and Blackberry.
- Corporate Information Not Managed on Mobile Devices – Despite costly mobile incidents, 63 percent of businesses do not manage corporate information on personal devices, and 93 percent face challenges adopting BYOD policies.
- More Mobile Devices Store Sensitive Customer Information – More than half (53%) of all businesses surveyed report there is sensitive customer information on mobile devices, up from 47 percent last year.
“Without question, the explosion of BYOD, mobile apps, and cloud services, has created a herculean task to protect corporate information for businesses both large and small,” said Tomer Teller, security evangelist and researcher at Check Point Software Technologies.
“An effective mobile security strategy will focus on protecting corporate information on the multitude of devices and implementing proper secure access controls to information and applications on the go. Equally important is educating employees about best practices as majority of businesses are more concerned with careless employees than cybercriminals.”
For a full copy of the new report, The Impact of Mobile Devices on Information Security, please visit:
Wednesday, June 5th, 2013
Research shows widespread concern about how to maintain control of files as information security and privacy regulations tighten, fueling a rush to block access to consumer file sharing applications like Dropbox and YouSendIt, says Intralinks Holdings Inc. (NYSE: IL), a global SaaS provider of content management and collaboration solutions.
The research was reviewed by Hurwitz & Associates and leveraged for the firm’s whitepaper titled, “Enterprise Collaboration: Avoiding the Productivity and Control Trade-Off.”
Marcia Kaufman, COO and Principal Analyst at Hurwitz and Associates, says, “There is widespread recognition that being able to collaborate effectively with partners and customers provides a competitive edge, but organizations are increasingly concerned about ensuring they also retain control over their data wherever it travels. Today, only 30% of organizations think they have adequate visibility and control over information shared outside their firewall.”
Key findings from the research include:
- Employees are using consumer-grade file sharing without IT or business oversight. Many IT departments are not aware of the extent to which employees are sharing content using cloud tools designed for consumers. Across all the organizations included in one study, approximately 60% of employees are using consumer-grade tools for business, while 49% of organizations report attempting to block these services, clearly with limited success. This reality leaves organizations open to data leakage, inappropriate disclosures and regulatory risks.
- The accidental mishandling of information and data happens every day. Most organizations focus on preventing malicious data theft and hacking. While this is critical, the reality is that the vast majority of data loss is the result of accidental mishandling and inappropriate sharing. For example, 80% of study participants reported receiving an email not intended for them, while 53% confess to making the same mistake. An astonishing 43% say these errors occur on a monthly basis.
- Securing the perimeter and infrastructure does not ensure content security. Companies are moving to a more collaborative way of doing business, which results in an increased flow of data between parties both internal and external to an organization. Existing enterprise security strategies that provide security for data at rest are insufficient for sharing data that moves across corporate boundaries. Therefore, protection at the file level is needed in order to protect information wherever it travels.
- Regulatory issues around content security are real and evolving. New, more onerous regulatory requirements are being introduced at increasing rates. With the proliferation of consumer-grade technologies entering enterprise environments, IT and compliance departments are having difficulty meeting these new requirements. Almost 90% of the organizations participating in the study expressed concerns about meeting future regulatory demands around information security in their industry, with 43% expecting they will need to change their existing policies.
How about you? Are you using consumer file-sharing tools such as Dropbox at work? What about other consumer tools such as Evernote? Both of those experienced serious data breaches once already, exposing personal passwords and potentially, the information in their files.
John Landy, CTO Intralinks, said, “We have invested a lot of time talking to global businesses about their enterprise collaboration needs and how they can safely share information. The reality is most organizations have limited insight into what content is being shared, where it is being shared and who is sharing it. Companies need to strike that fine balance between usability and diligent control when evaluating their collaboration strategies.
“Based on the intelligence collected through these studies, this research paper advises businesses on best practice guidelines for implementing collaboration tools to ensure regulators are appeased, corporate IP is protected and employees remain productive.”
You can download a full copy of the whitepaper here.
Tuesday, June 4th, 2013
A majority of Americans are concerned about data breaches involving large organizations, but are evenly mixed on whether legislation should require private businesses to share cyber attack information with the government, according to new research conducted by Unisys Corporation (NYSE: UIS).
Results from the Unisys Security Index, which regularly surveys more than 1,000 Americans on various areas of security concern, showed high levels of concern about data breaches among Americans.
Respondents to the survey said they were most worried about data breaches hitting their banks and financial institutions, with two-thirds (67 percent) reporting concern.
Here at the TechJournal, we see weekly reports of companies, agencies and organizations suffering serious cyber intrusions, the theft of personal information, and high costs of repairing their security. The old saying that an ounce of prevention is worth a pound of cure seems applicable here.
Split on federal legislation
A majority of Americans surveyed also reported concern about data breaches involving government agencies (62 percent), health organizations (60 percent) and telecommunications and Internet service providers (59 percent).
Findings released last month from the same survey also showed most Americans harbor some level of concern about identity theft (83 percent) and credit card fraud (82 percent), both of which can arise from breaches at large organizations.
Despite these concerns, Americans polled were split on whether federal legislation to strengthen the country’s cybersecurity defenses should require organizations like banks, utilities and healthcare organizations to disclose breaches to the government.
Roughly half (48 percent) of respondents said they do not believe private businesses should be forced to disclose and share cyber attack intelligence, but a similar proportion (46 percent) said they think Congress should pass cybersecurity legislation mandating that the private sector share cyber-attack information with the government.
You have to wonder why people worry about having these security breaches disclosed. What are they hiding besides lax security?
Costs of breaches outweigh those of prevention
The poll was undertaken in March, via 1,006 telephone interviews, approximately a month before the controversial Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the United States House of Representatives. CISPA is not expected to be considered by the Senate this year, and many point to a lack of consensus on its information-sharing requirements as the reason.
“Americans clearly see a need for stronger methods to prevent cyberattacks, and many see a natural role for government in that process, but they differ on precisely how government and the private sector should interact in that regard,” said Steve Vinsik, vice president of enterprise security for Unisys.
“Regardless of where the legislation ends up, businesses and government agencies need to realize that the costs of breaches far outweigh those of prevention – and that Americans are paying close attention.”
They should be paying close attention. We don’t know anyone with digital segments in their business who has not had to deal with security problems and we know few private individuals who have not had to replace credit cards and change passwords due to these continuing security troubles.
Friday, May 31st, 2013
Risky applications and business applications are being used side-by-side on devices owned by employees that are used for work, according to a survey on Mobile Application Security conducted during April and May 2013 by the SANS Institute and sponsored by Box, SAP and Veracode.
Nearly 80% of the 600 survey respondents who completed the substantive sections of the survey allowed communications and collaborative apps on personal mobile devices, nearly 60% of which also have general Internet apps (such as web browsing and media file sharing), while another 44% allow VPN access from BYOD and 26% allow access directly to business systems.
Four percent of the respondents answered that personal mobile devices are also accessing control system applications, while another 8 percent are allowing access to field service applications.
Here at the TechJournal, we see a new report looking at the Bring Your Own Device problems companies are experiencing just about daily.
BYOD should raise huge red flags
“Personal mobile device access to critical business and infrastructure systems should raise huge red flags to organizations thinking that their only concern will be e-mail on employee-owned smartphones, pads and tablets,” says Deb Radcliff, chief of the SANS Analyst Program, which developed the report. “Meanwhile, the means to protect access, applications and data are more difficult to develop and unify in mobile BYOD computing.”
For example, providing a unified identity management framework was both the least practiced and the most difficult to achieve, according to respondents. They are also trying to discern which tools and techniques make the best sense in protecting their networks and data from BYOD risks.
Securing devices and the mobile platforms was the top method of protection being implemented by 66% of respondents, with application lifecycle management being practiced by only 36% of organizations.
Repeating past mistakes
“Mobile application development seems to be repeating many of the mistakes from the past,” says Kevin Johnson, SANS Analyst and author of the report. “And these weaknesses need to be resolved due to the sensitive nature of the data on the devices.”
Of those 253 survey takers that also develop applications, the majority develop web-based applications, with 32% of developers saying they also developed line-of-business applications. The good news is that nearly 60% of them indicated they had application security lifecycle processes embedded in their development and testing cycles.
“The prominent use of mobile devices together with cloud computing has even greater potential to expose critical information than in the past,” adds Barbara Filkins, SANS Analyst consulting on this survey. “Mobile application development can no longer afford to ignore security best practices.”
Full results will be shared during a June 6 webcast at 1 PM EDT, sponsored by Box, SAP and Veracode, and hosted by SANS at www.sans.org/info/124512. Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and mobility expert Kevin Johnson.
Thursday, May 30th, 2013
Chinese hackers steal US trade secrets; organized cybercriminals empty bank accounts; government agencies, medical institutions and businesses are routinely breached. IPCopper, manufacturer of network security hardware, finds that, by and large, US businesses do not take cybersecurity seriously enough to innovate out of the complacent mindset that has allowed a multitude of vulnerabilities to form in US technology infrastructure and business systems.
Not surprisingly, many lack the packet capture data necessary to figure out what happened when the inevitable breach occurs.
Cyber attacks unfold through sequences of bits and bytes that command the victim’s computer to, for example, send out or delete data. One sequence may constitute computer commands for one computer/OS while appearing as gibberish to another. Whether those commands are malicious is another question.
Cybersecurity, by its nature, is reactive, and much of today’s network security equipment is predicated on catching already-known malware signatures – of little use against current threats, given the infinite combinations of code possible.
In an attempt to root out malicious communications, organizations with deeper pockets often use SIEMs to analyze netflow, which represents only a fraction of network data – much like guessing a letter’s contents from the address label.
Accepted security practices remain rooted in the technology of the 90s, when networks were slower, the internet smaller and malware exotic.
The cyber-threat landscape now, however, is scarier and more complex: breaches occur every day, malware is increasing exponentially and the old standbys (antivirus, firewalls, IDSs and IPSs) are failing to keep up. As last year’s breach in South Carolina shows, at today’s speeds attackers can steal 15 years of tax records for a whole state in hours.
One approach we think has considerable promise is to sandbox incoming data in an appliance that keeps hackers from ever getting to your primary equipment. Herndon, VA-based InZero has created one such system we’ve covered here at the TechJournal (there are others). InZero had enviable success in preventing hackers from breaching its system.
In an environment where computer breaches are as sure as death and taxes, the cybersecurity winners are those who react the quickest.
Given the high volumes of data on today’s networks and the subtle and insidious ways that hackers get in and hide their tracks, quick incident response times depend on surveillance: recording and timestamping every packet, in every corner of the corporate network. Since surveillance is all about coverage, installing multiple packet capture appliances at key network locations is crucial, says IPCopper.
Visit www.ipcopper.com to learn more.
Friday, May 24th, 2013
Despite the numerous security incidents that took place during the first quarter of the year, the fight against cyber-crime is on the right track, says security firm PandaLabs.
Though there is still a long way to go, international co-operation among security agencies is paying off and criminals around the world are being brought to justice. The quarterly report is available here and on the PandaLabs blog.
“The start of the year has been witness to serious cyber-attacks, including the hacking of the Twitter accounts of major organizations such as the BBC or Burger King, and one of the biggest attacks ever, targeting some of the world’s leading technology companies: Apple, Facebook, Microsoft and Twitter. But there have been victories for security forces as well, including the arrest of a group of hackers accused of extortion using the infamous ‘Police Virus’,” said Luis Corrons, technical director of PandaLabs.
Police Virus Scams
One of the most infamous malware cases of the last year was the ‘Police Virus,’ and in February it once again hit the headlines, for a very different reason. The Technological Investigation Brigade of Spain’s National Police, together with Europol and Interpol, dismantled the cyber-crime ring responsible for the Police Virus.
“The news mentioned the arrest of ‘the gang’ of cyber-criminals, yet the information we have at PandaLabs points to the existence of several gangs responsible for these attacks. We reached this conclusion after analyzing numerous variants of the malware over time, and observing significant differences between them. In short, we are afraid the Police Virus is not likely to go away anytime soon and users shouldn’t lower their guard,” said Corrons.
Social Media Attacks
During Q1, various Twitter accounts were also hacked, including those of celebrities and companies; one of the most notable was Burger King’s. The attackers managed to work out the account password and take control of the account. They changed the background image to that of McDonald’s and claimed that the company had been taken over by its main rival.
The Twitter account of car company Jeep was also the victim of a similar attack, in this case stating that the company had been bought out by Cadillac. Other attacks on Twitter accounts had a more political slant.
A group of cyber-crooks calling themselves the “Syrian Electronic Army” managed to hack accounts belonging to several organizations. Phishing attacks were first launched to get the passwords and then the accounts were hijacked. Their victims included Human Rights Watch, the French news channel France 24 and the BBC weather service.
Android, Top Target for Mobile Malware
Nearly all news regarding malware attacks on mobile platforms involved the Android operating system, which has the largest share of this market. In addition to the usual attacks, this quarter saw new techniques that deserve mention. A strain of Android malware – hidden inside Google Play – not only infected cell phones but could also infect computers via smartphones and tablets.
According to Corrons, cyber-war and espionage is becoming more interesting. “Many countries are looking suspiciously at China regarding its suspected involvement in attacks on large organizations and public institutions around the world, and this could lead to real world consequences. There are those who argue for international agreements, a type of Geneva Convention, to attempt to establish limits to these activities,” he said.
For more detailed information on malware activity and trends in the first quarter of 2013, you can access the full report here and on the PandaLabs blog.
Thursday, May 23rd, 2013
A Harris Interactive survey shows that 85 percent of consumers know their mobile devices are very or somewhat vulnerable and 74 percent say keeping their devices secure is their responsibility, but many don’t take action.
However, consumers are more likely to be aware of and protect themselves against a tangible threat, such as having a device stolen, than an intangible threat such as malware or hacking.
The consumers whose devices were lost or stolen were more likely to use PINs or passwords than those who didn’t have their devices lost or stolen (69 percent versus 47 percent), but no more likely to take any other proactive actions, such as remote locking, tracking and/or erasing apps (45 percent versus 41 percent).
Editor’s note: The first thing we did after buying a new tablet computer was install anti-virus software, the same as we did with our mobile phone. But we’re in the minority.
Fewer than a third install anti-virus on mobile devices
Oddly, only one in five view smartphones as mini-computers, but more than half (53 percent) view cybersecurity the same way on mobile devices as they do on computers. Less than a third (31 percent) installed an anti-virus program on their smartphone, compared to 91 percent on a laptop.
Thankfully, consumers are nearly as likely to run updates on their smartphones (66 percent) as on their laptops (69 percent).
Disconnect on cybersecurity
Yet the survey clearly shows that there is a disconnect on cybersecurity between consumers’ awareness and their actions. However, consumers are beginning to take valuable steps to protect themselves and their information.
A majority of consumers (66 percent) review their wireless bills for suspicious activity at least once a month. Of those who use their mobile devices for online banking, more than half (56 percent for tablets and 55 percent for smartphones) use encryption or security software.
When asked what would prompt them to add a password or install anti-virus software on their personal tablets or smartphones, 35 percent said having a friend or family member suffer a security breach; 33 percent said an app that reminds them to update anti-malware software or to change the PIN; 32 percent said a tutorial that prompts them; 27 percent said a friend’s advice; 26 percent said advice from a device or network provider; and 23 percent said media stories that explain the benefits.
Of these same consumers surveyed, two-thirds (67 percent) believe industry is better equipped to write cybersecurity regulations than the federal government.
“Cybersecurity is everyone’s responsibility, from the consumer to the app creator to operating system to the device manufacturer to carriers and everyone in between. Through our Cybersecurity Working Group, our members are working hard and being vigilant to protect their customers, but it’s great to see that end users recognize their vital role in preventing cyberthreats,” said Steve Largent, President and CEO of CTIA, which commissioned the survey.
“Yet there’s much to do, which is why CTIA and our members will continue to focus on consumer education so users know the wide variety of apps, tools and features available to help protect their information and their devices.”
The survey was conducted in November 2012 with more than 1,500 adults who own a cellphone or smartphone. The CTIA Cybersecurity Consumer Research survey by Harris Interactive presentation is available at: http://ctia.it/18Lzlv3 (PDF).
Wednesday, May 22nd, 2013
The rising frequency and complexity of attacks that are far more effective at breaching enterprise networks’ security detection systems have lent momentum to the global intrusion prevention system (IPS) market.
The development of next-generation IPS (NGIPS) products with advanced protection capabilities has further spurred adoption.
New analysis from Frost & Sullivan, Analysis of the Global Intrusion Prevention System (IPS) Market, finds that the market earned revenues of more than $1.21 billion in 2012 and estimates this to reach $2.44 billion in 2017.
NGIPS gaining acceptance
The growth in long-term, targeted advanced persistent threats (APTs) indicates that hackers are now well-organized and highly skilled, and are most likely funded by nation-states or large criminal organizations. Hence, while enterprises continue to install IPS to detect traditional malware, the increase in APTs primarily compels customers to upgrade to IPS.
“NGIPS solutions are gaining acceptance owing to their ability to inspect traffic based on detailed contextual data such as application type and user identity, as well as detecting malware for which there are no signatures or other detection methods available,” said Frost & Sullivan Network Security Industry Analyst Chris Rodriguez. “Optionally, many IPS products can provide basic web application firewall capabilities, data loss prevention, botnet detection, or distributed denial-of-service prevention services.”
IPS products are popular as they also offer performance and scalability not provided in other low-cost, multi-function security products. The availability of purpose-built hardware to better defend against polymorphic threats, along with investments in research and development to improve the products’ security efficacy has boosted IPS vendors’ margins.
High costs deter some businesses
However, the high costs of these IPS solutions, which on average are more expensive than firewalls and unified threat management (UTM) systems, deter businesses already wary of large capital investments during a weak global economy.
Here at the TechJournal, we’ve long said that the cost of serious data breaches at companies is, in the end, far more expensive than preventing those breaches in the first place. The resources state-inspired cyber espionage and large criminal organizations bring to bear to break in have to be matched by equally strong preventative measures. Even then, it may be an ongoing battle.
The integration of IPS with multi-function security devices and firewalls gives rise to UTM products with lower costs of ownership, and thereby affects the market’s overall value. The expertise required for IPS’ optimal performance adds to the total cost of ownership.
“Creating awareness on the benefits of next-generation solutions, which can fulfill customers’ security, networking, and compliance requirements, will be crucial to accelerate uptake,” noted Rodriguez. “Vendors must also build solutions that support network throughput speeds, and develop comprehensive strategies that will secure virtualization and cloud computing environments.”
Monday, May 20th, 2013
A large and sophisticated cyber-attack infrastructure appears to have originated from India, says a new report from Norman Shark, the global security leader in malware analysis solutions for enterprises, service providers and government.
The attacks, conducted by private threat actors over a period of three years and still ongoing, showed no evidence of state sponsorship, but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies.
“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” commented Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway.
Extreme diversity of sectors targeted
“The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”
While it’s probably unrelated, here at the TechJournal, we had to block India’s access due to continued and repeated attacks on our WordPress blog (that you’re reading right now). We regret that, because we also received legitimate traffic from India. We also had to block China, Hong Kong and Russia. Anyone else finding continual attacks from these countries?
The investigation revealed evidence of professional project management practices used to design frameworks, modules, and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers. “Something like this has never been documented before,” Fagerland added.
The discovery is currently under investigation by national and international authorities.
The discovery began on March 17th when a Norwegian newspaper reported that Telenor, one of the world’s largest mobile phone operators, a member of the world’s top 500 companies, and Norway’s major telecommunications company, had filed a criminal police case for an unlawful computer intrusion. Spear phishing emails targeting upper management appeared to be the source of the infection.
The behavior pattern and file structure of the malware files made it possible for security analysts at Norman Shark to search internal and public databases for similar cases using Norman’s Malware Analyzer G2 automatic analysis systems.
The amount of malware found by Norman analysts and their partners was surprisingly large, and it became clear the Telenor intrusion was not a single attack, but part of a continuous effort to compromise governments and corporations worldwide.
Norman Shark titled the report “Operation Hangover” after one of the pieces of cyber espionage malware most frequently used in this case.
Victims in more than a dozen countries
Based on an analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in more than a dozen countries. Specific targets include government, military and business organizations.
Attribution to India was based on an extensive analysis of IP addresses, website domain registrations, and text-based identifiers contained within the malicious code itself.
Despite all of the recent media attention on so-called “zero day” exploits encompassing brand-new attack methods, Operation Hangover appears to have relied on well-known, previously identified vulnerabilities in Java, Word documents, and web browsers.
“This type of activity has been associated primarily with China over the past several years but to our knowledge, this is the first time that evidence of cyber espionage has been shown to be originating from India,” Fagerland concluded. “Our study, available on the Norman website (www.norman.com) provides assistance in what security teams need to look for.”
Friday, May 10th, 2013
Reports of high profile cyber security breaches at major companies have become almost routine despite studies showing that they are extremely costly to the firms involved.
In a recent survey, the majority of corporate risk managers and senior executives expressed concern about cyber risks. Yet many U.S. companies do not have a network security or privacy liability insurance program to protect themselves.
In other words, they feel vulnerable but aren’t sure what to do about it. A new report by Lockton illuminates the issue, along with the solution to managing cybersecurity in a world where business often depends on technology.
The report, co-authored by Lockton’s Michael Schmitt and Lisa Phillips, is entitled “Cybersecurity: Most Companies Know Enough to Worry, But Not Enough to Take Action.”
“How an organization responds to a data breach can either cause or prevent lost customers, regulatory fines and investigations,” Schmitt said.
Preparation and testing essential
Phillips added that preparation and testing are essential for any responsible organization. She writes that it starts with an assessment of the type of data held, including where it is stored, who has access to it and whether there are proper security measures in place to protect it.
After analyzing risk and implementing security measures, the next step is to create and test a data breach response plan with participation from IT, Legal, HR, Risk Management, Finance and Customer Service. Lockton also suggests involving data breach experts outside the company who can provide insight and guidance.
If a breach does occur, the data breach response team must be ready to move quickly to verify, investigate and communicate internally – and with customers, as appropriate.
The Lockton experts also recommend speaking with an insurance professional about what may be covered and what breach response services may be available through an insurance policy.
Tuesday, May 7th, 2013
A cloud security survey by NetIQ, commissioned through IDG Connect, reveals that while companies have become increasingly comfortable with the security of third-party cloud service providers, data security – particularly at the end-user level – and concerns over meeting compliance requirements remain top-of-mind among cloud adopters.
Fifty-one percent of IT executives surveyed believe that the cloud increases data security overall. However, almost 70 percent of respondents indicated that consumer cloud services pose a risk to sensitive data in their organizations and 45 percent are not fully confident that their cloud provider’s security processes and programs meet their data security requirements.
Additional findings show a mix of concern and confidence in cloud security:
- Forty-five percent do not have full visibility and control of their cloud-based data when users sign up on their own.
- Only 46 percent train end users on how they should securely access data in the cloud.
- Forty-two percent of organizations are not fully confident that they demonstrate regulatory compliance concerning sensitive information/assets in the cloud.
- Fifty-nine percent are very confident in their ability to control and manage access from mobile devices to cloud services.
“These survey findings demonstrate that IT executives are feeling more confident in the execution of their cloud security strategies and programs. However, this confidence may be at odds with the concerns security teams have while addressing an ever-increasing number of threats to corporate information,” said Geoff Webb, director, Solution Strategy at NetIQ.
“Data-centric security programs remain the most targeted and effective way to build security programs ready to embrace the complexities inherent in adopting cloud. Identifying sensitive data, applying appropriate layers of protection around that data, and tracking who is accessing it remain the best ways to respond to threats, meet regulatory requirements and minimize organizational risk.”
This survey was conducted on behalf of NetIQ by IDG Connect to understand perceptions about cloud security worldwide. Researchers interviewed IT executives at companies with 500 or more employees. Sixty-one percent of respondents occupied director-level or higher roles within their organization.
The overall number of respondents was split between those from North America (36 percent), EMEA (36 percent) and APAC (28 percent). Full survey results are available at http://cloudreadyzone.com/.
Thursday, May 2nd, 2013
Now here’s a paradox – while most industries saw fewer security vulnerabilities in 2012, IT web sites actually had the highest number of vulnerabilities per site. You would think that IT would be at the forefront of best practices, but that doesn’t appear to be so.
That’s according to WhiteHat Security, the Web security company, in the 2013 edition of the WhiteHat Security Website Security Statistics Report.
“Website security is an ever-moving target, and organizations need to better understand how various parts of the SDLC affect the introduction of vulnerabilities, which leave the door open to breaches,” said Jeremiah Grossman, co-founder and CTO of WhiteHat Security.
“This report – comprising survey and website vulnerability data – is the first time we can correlate various software security controls and SDLC behaviors to vulnerability outcomes and breaches. The results are both insightful and complex.”
The Current State of Website Security
In 2012, the average number of serious* vulnerabilities per website continued to decline, going from 79 in 2011 down to 56 in 2012. Despite this, 86 percent of all websites tested were found to have at least one serious vulnerability exposed to attack every single day of 2012.
Of the serious vulnerabilities found, on average 61 percent were resolved and only 18 percent of websites were vulnerable for fewer than 30 days in 2012. On average, resolving these vulnerabilities took 193 days from the first notification.
WhiteHat Security designated each tested site by industry, and a closer look revealed that:
- With the exception of sites in the IT and energy sectors, all industries found fewer vulnerabilities in 2012 than in past years.
- The IT industry experienced the highest number of vulnerabilities per website at 114.
- Government websites had the fewest serious vulnerabilities with eight detected on average per website, followed by banking websites with 11 on average per website.
- Entertainment and media websites had the highest remediation rate (the average percentage of serious vulnerabilities resolved) at 81 percent.
- In years past, the banking industry had the fewest vulnerabilities and fixed the most vulnerabilities of any industry. This year, banking came in second with 11 average serious vulnerabilities found per website and a below average remediation rate of 54 percent (average is 61 percent across all industries).
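The figures the report quotes above (serious vulnerabilities per site, remediation rate, days from first notification to fix, and the share of sites exposed every day or for fewer than 30 days) are worth tracking for one's own sites. The Python below is an added example, not WhiteHat's code or data: the site names and dates are constructed, and the rule that a finding stops counting as exposed on the day it is closed is an assumption.

```python
"""Per-site website vulnerability metrics over constructed finding records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    site: str
    vuln_class: str
    opened: date            # first notification to the site owner
    closed: Optional[date]  # None = still open at the end of the period


# Constructed sample records (illustrative names and dates, not report data).
FINDINGS: List[Finding] = [
    Finding("shop.example", "Cross-Site Scripting", date(2012, 1, 1), None),
    Finding("shop.example", "Information Leakage", date(2012, 3, 10), date(2012, 5, 1)),
    Finding("shop.example", "SQL Injection", date(2012, 6, 1), date(2012, 6, 3)),
    Finding("bank.example", "Information Leakage", date(2012, 2, 1), date(2012, 2, 11)),
    Finding("bank.example", "Cross-Site Request Forgery", date(2012, 9, 1), date(2012, 9, 16)),
    Finding("gov.example", "Content Spoofing", date(2012, 4, 1), date(2012, 4, 30)),
]
YEAR_START, YEAR_END = date(2012, 1, 1), date(2012, 12, 31)


def remediation_rate(findings: List[Finding]) -> float:
    """Share of serious findings that were resolved (the report's remediation rate)."""
    if not findings:
        return 0.0
    return sum(f.closed is not None for f in findings) / len(findings)


def mean_days_to_fix(findings: List[Finding]) -> Optional[float]:
    """Average days from first notification to closure, over resolved findings only."""
    fixed = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(fixed) / len(fixed) if fixed else None


def days_exposed(findings: List[Finding], start: date, end: date) -> int:
    """Days in [start, end] with at least one open finding (union of intervals).

    Assumption: a finding is exposed from its opening day up to, but not
    including, its closing day; an unresolved finding stays open through `end`.
    """
    exposed = set()
    for f in findings:
        first = max(f.opened, start)
        last = min(f.closed - timedelta(days=1) if f.closed else end, end)
        day = first
        while day <= last:          # overlapping findings add the same dates once
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def per_site_summary(findings: List[Finding], start: date, end: date) -> Dict[str, dict]:
    """The headline per-site figures: count, remediation rate, time to fix, days
    exposed, and the two exposure buckets the report quotes (every day / under 30 days)."""
    by_site: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_site[f.site].append(f)
    period_days = (end - start).days + 1
    summary = {}
    for site, site_findings in sorted(by_site.items()):
        exposed = days_exposed(site_findings, start, end)
        summary[site] = {
            "serious_vulns": len(site_findings),
            "remediation_rate": remediation_rate(site_findings),
            "mean_days_to_fix": mean_days_to_fix(site_findings),
            "days_exposed": exposed,
            "exposed_every_day": exposed == period_days,
            "under_30_days": exposed < 30,
        }
    return summary


def class_prevalence(findings: List[Finding]) -> Dict[str, float]:
    """Fraction of sites with at least one finding of each class (how the report ranks classes)."""
    sites = {f.site for f in findings}
    seen: Dict[str, set] = defaultdict(set)
    for f in findings:
        seen[f.vuln_class].add(f.site)
    return {cls: len(s) / len(sites) for cls, s in seen.items()}
```

Running `per_site_summary(FINDINGS, YEAR_START, YEAR_END)` shows why a single unresolved finding matters: the one open XSS issue alone keeps shop.example in the "exposed every day" bucket regardless of how quickly its other findings were fixed.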
Top Ten Vulnerability Classes
The two most prevalent vulnerability classes in 2012 were Information Leakage and Cross-Site Scripting, identified in 55 percent and 53 percent of websites respectively.
The next eight most prevalent include: Content Spoofing – 33 percent; Cross-site Request Forgery – 26 percent; Brute Force – 26 percent; Fingerprinting – 23 percent; Insufficient Transport Layer Protection – 22 percent; Session Fixation – 14 percent; URL Redirector Abuse – 13 percent; Insufficient Authorization – 11 percent.
SQL Injection continued its downward slide from 11 percent in 2011 to 7 percent in 2012, no longer making the Top 10.
Best Practices May Not Result in Better Security
In correlating the survey results with vulnerability data, WhiteHat Security could see how software security controls, or “best practices,” impacted the actual security of organizations. Some of the findings include:
- 57 percent of organizations surveyed provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40 percent fewer vulnerabilities, resolved them 59 percent faster, but exhibited a 12 percent lower remediation rate.
- 39 percent of organizations said they perform some amount of Static Code Analysis on their websites’ underlying applications. These organizations experienced 15 percent more vulnerabilities, resolved them 26 percent slower, and had a 4 percent lower remediation rate.
- 55 percent of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11 percent more vulnerabilities, resolved them 8 percent slower, and had a 7 percent lower remediation rate.
Best practices may not be enough
Some of this data implies that best practices such as software security training are effective, yet some of the statistics clearly show that following best practices does not necessarily lead to better security.
The correlated data revealed that compliance is the primary driver for organizations to resolve vulnerabilities, but also the number one reason organizations do not resolve vulnerabilities. In other words, vulnerabilities are fixed if required by compliance mandates; however, if compliance does not require a fix, the vulnerability remains, despite possible implications to the overall security posture of the site.
“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security. It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman.
“This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges. Our hope is that they will address these issues we have identified and base their decisions on a foundation of data to improve the state of Web security over time.”
To view the complete report, visit https://www.whitehatsec.com/resource/stats.html.