Info Security


#BHUSA The Value of Skills, Education and Experience in Information Security Hiring

Thu, 08/09/2018 - 21:51

In a panel entitled “Winning the Information Security Job Hunt” at the Black Hat conference in Las Vegas, moderator Kelly Sheridan from Dark Reading asked panelists Dawn-Marie Hutchinson, executive director and executive advisory at Optiv, and Drew Fearson, head of daily operations at NinjaJobs, about whether there is a skills shortage and what is in the highest demand.

Fearson said the discussion around the skills shortage is interesting as there is a shortage in some countries and some markets, “but it is not as crazy as it is meant to be.”

“There wouldn’t be any shortage if folks were allowed to work remotely,” Fearson said, citing an example of two jobs where the one with a remote working option had 74 applications and one that required working on site in Ohio had no applications.

Hutchinson said, “It is hard to be a security leader and not be in the office, and if you’re not willing to relocate you’re going to have a problem.”

In terms of which skills were in demand, Fearson said that he saw a lot more demand for DevSecOps roles, while Hutchinson encouraged delegates to specialize in one area but to avoid becoming too siloed in their work.

She said, “Focus on one thing you do well and if you’re just starting out, decide where to go and if you’re a risk manager or a compliance person, stay there and own it. When you take on multiple tasks, you become a jack-of-all-trades and a master of none.”

Asked about the value of certifications and experience, Hutchinson said that certs can be valuable if you’re new to the industry and you need to show security knowledge, but don’t focus too heavily on working with one product. 

Said Fearson, “Keep your résumé simple, but add a section on technologies used and skills gained, and add all of your buzzwords there.”

Asked by Infosecurity Magazine about the value of an education that is not in an IT-related subject, Hutchinson said she would not care what an applicant went to college for “but [that] you went to college and you demonstrated that you worked hard in teams and you pursued something that maybe had some ROI in it, maybe not, but I am happy if you went to college.”

Answering the same question, Fearson said, “There is value in having a computer science degree when you’re just starting out, as that shows you get certain things. On the surface level that does help, but once you have some more experience I don’t think it matters.”

Categories: Cyber Risk News

#BHUSA Focus on Hiring and Retaining Female Security Employees

Thu, 08/09/2018 - 19:16

Speaking at the Black Hat conference in Las Vegas, Ashley Holtz from NBCUniversal looked at common mistakes and preconceptions in hiring and retaining female cybersecurity engineers.

She said that a lot of studies claim that women are unhappy and discriminated against, while other studies say that careers in cybersecurity are popular because they offer “travel opportunities, flexibility and remote work.” It's important to realize, she said, that not all people are the same but are “affected by the same expectations on being treated fairly.”

Holtz cited industry research claiming that as they advance in their careers, women are more likely to become project managers and people managers and less likely to be technical leaders, and she said that the factors that cause this need to be removed early on.

Looking at female-only environments and mentors and citing research from ISACA, she said that many women do not feel that they need a female mentor, but that having a woman saying "I get treated fairly here" would be good. She later said that if there were a female mentor, she would want her to talk about opportunities, but “I do not need a female mentor just because I’m female.”

In terms of the three key areas of hiring, retaining and promoting, Holtz said that women are keen to be evaluated and treated the same as other employees, and she encouraged hiring companies to connect with local hacker and security meet-up groups and consider the language used in job descriptions.

Regarding hiring, she asked where jobs are posted and which higher education partnerships a company has. She also asked companies to consider opportunities for training and how candidates are being selected for interview, whether it is on skills, experience, education or other factors.

For retention of staff, she said that people want recognition, as “it is not always about the individual’s contributions technically but how they work with the team.”

Following on from the earlier talk by Makenzie Peterson on sexual harassment, Holtz encouraged having a way to comfortably report sexual harassment without stigma or retaliation.

Finally, with regard to promotion, she asked if women are actively sponsored and mentored to achieve career goals and if all employees know the success criteria for their roles. “What this means is are they identifying people to get the right training and are they discussing their career goals with them?”

Categories: Cyber Risk News

West Virginia Goes Mobile, Georgians Sue for Paper Vote

Thu, 08/09/2018 - 17:00

While the Trump administration grapples with looming concerns over election security, West Virginia’s servicemen and servicewomen stationed overseas will be casting their ballots via a smartphone app, according to CNN. The convenience of voting by mobile devices will likely make it easier for troops living abroad to partake in the upcoming elections, and West Virginia's secretary of state Mac Warner is reportedly confident that the mobile app is secure.

"There is nobody that deserves the right to vote any more than the guys that are out there and the women that are out there, putting their lives on the line for us," Warner told CNN. Yet the option to vote using the mobile app is currently only available to troops serving abroad, which raises questions about how confident officials and security experts are when it comes to election security issues.

“Unfortunately, securing electronic and online voting systems presents us with a set of unique challenges that are notoriously difficult to overcome,” said Sam Small, CSO of ZeroFOX. “In particular, experts in this area must find a way to simultaneously address three key requirements: voter anonymity, verification of individual votes, and end-to-end election integrity."

“Until the scientific community makes further advancements, I'd wager that virtually no credible electronic voting security expert would endorse or encourage plans to run an election on consumer-owned mobile devices,” said Small.

It’s not only mobile device voting that has people concerned. Citizens have been repeatedly told that it is possible for adversaries to compromise electronic voting systems, which is the root of a suit filed earlier this week by a second group of plaintiffs in Georgia. The suit aims to switch Georgia to using paper ballots for the November election rather than using possibly insecure electronic voting machines.

“The preliminary injunction,” said David Cross, partner at Morrison & Foerster, “seeks to achieve what the secretary of state has refused to do: implement an election system in Georgia that is reasonably secure from hacking and other interference.”

Few states still use an electronic voting system, but Georgia does, which means there is no paper trail and no means to audit the election results. “Numerous election security experts, including Prof. Alex Halderman, and federal officials, including members of Congress from both parties, have confirmed the inherent unreliability and vulnerabilities with Georgia’s electronic voting machines,” Cross said.

“Our motion details these vulnerabilities as well as those that are specific to Georgia, including public access to highly sensitive voter registration and other election information, such as passwords of election officials.”  

Categories: Cyber Risk News

A New Guide to Implementing a Successful DLP Program

Thu, 08/09/2018 - 16:08

With an ever-expanding attack surface, organizations are at greater risk of having sensitive data leaked, according to Information Security Forum (ISF), which announced the release of its new digest, Data Leakage Prevention (DLP).

Intended to provide guidance to organizations looking to implement a successful DLP program, the paper offers tips on DLP deployment drawn from the experience of ISF members. The authors detail 10 key attributes of a successful program and stress that focusing solely on technology will likely be unsuccessful.

Because ISF members have reported that they experience greater success with DLP technologies when used within a dedicated DLP program, ISF recommends implementing a more structured approach to detect and prevent data leaks.

“DLP has gained in popularity as organizations recognize the importance of adopting a data-centric approach to security,” said Steve Durbin, managing director of ISF. “To fully realize the benefits that DLP can deliver, organizations need to take a structured and systematic approach to implementation that extends beyond simply installing DLP tools and technology. Our latest digest will help organizations to prepare, implement and maintain a DLP program, which achieves objectives and demonstrates risk reduction.”

Preventing data leaks is a greater challenge in today’s mobile workforce, particularly with the advent of cloud computing, but ISF said that implementing a DLP program can significantly reduce an organization’s risk of data leakage. According to ISF, DLP tools need to be implemented as part of a formal program supported by the right blend of people, process and technology when deployed in three phases: governance, preparation and implementation.

“A prerequisite of a successful DLP program is support from executive management and ongoing collaboration with business representatives,” continued Durbin. “By implementing a comprehensive DLP program that encompasses awareness training, tools, supporting technologies and other security controls, organizations can compensate for weaknesses in DLP technology and proactively manage the risk. By deploying DLP technology, organizations can be more vigilant in protecting data whilst ensuring that the right people have the right access to the right data at the right time.”

Categories: Cyber Risk News

Hacker Gets a Hole in One with PGA Servers

Thu, 08/09/2018 - 15:21

While the 100th PGA of America tournament is under way at Bellerive Country Club in St. Louis, Missouri, it is unclear whether PGA has had access to its servers returned after it was struck with a ransomware attack earlier this week, according to news from Golfweek.

Members of the PGA staff allegedly discovered the attack Tuesday morning when they received a message stating that their network had been hijacked and all files had been encrypted. Golfweek reported that an attacker used malware to lock down official files and then demanded Bitcoin payments be sent to a specified wallet number. The messages to the victims reportedly stated that efforts to decrypt the files “may lead to the impossibility of recovery of certain files.”

Infosecurity Magazine contacted PGA, and a media spokesperson said that they have no comment at this time, but an anonymous source told Golfweek that PGA did not intend to pay the ransom. It was also reported that as of Wednesday, 8 August, PGA officials had not gained complete access to its servers.

According to BleepingComputer, the hacker’s message included the misspelling of the word “algorithm,” suggesting that PGA was the victim of BitPaymer Ransomware, which allows attackers to hack into remote desktop services connected to the internet and then move within the network to infect any computers they can access.

Rob Embers, CCO of Dionach, said, “In our experience, and as the PGA ransomware attack illustrates, information security breaches such as this are becoming more frequent across all sectors, not just those that are considered typical targets such as financial services.

“It’s imperative to conduct regular security assessments and remediate against known issues – and improve staff knowledge and awareness so they don’t inadvertently give cyber-attackers a foothold in your IT infrastructure," Embers continued. "In this instance, it seems that the breach involves the loss of creative materials, which is undoubtedly costly from a business perspective, but we see cases every month where sensitive customer or commercial data is exposed, compounding the risks of reputational damage and even regulatory penalties.”

Categories: Cyber Risk News

Chinese Cyber-Criminals Take Chances on the Surface Web

Thu, 08/09/2018 - 11:05

The Chinese hacking community operates by and large out in the open, using code words to avoid government scrutiny and benefitting from state support when attacks are aimed outside the country, according to a new report.

While most news analysis of Chinese cyber-attacks focuses on state-sponsored campaigns, there is in fact a thriving and fast-maturing domestic cybercrime underground, according to IntSights' Dark Side of Asia report.

On the one hand these players are restricted in that the Tor browser is blocked by the Great Firewall, cryptocurrency is banned, VPN use is severely restricted and the authorities can access WeChat communications.

However, where money is involved there will always be a way. IntSights claimed that “clear net” websites are seen as the best way to reach large numbers of customers, with hackers using special code words to avoid scrutiny.

Popular social networks like QQ, WeChat, Baidu Tieba and Baidu Zhidao are used to communicate and advertise everything from DDoS tools and stolen data to forged documents, malware and hacking-as-a-service, the firm said.

“The government does attempt to fight against Chinese cyber-criminals, for example shutting down their websites and making arrests when they can, but due to the sheer number of websites and users in China, even the monitoring and censoring activity being done by the government cannot stop all cyber-criminal activity on the Chinese web,” it claimed.

“While there are tens of thousands of dark websites in Russian and English, the number of Chinese websites is rather small. Moreover, some of the web pages originate from Hong Kong and Taiwan.”

To fill the gap, Chinese cyber-criminals also populate Russian dark web forums to obtain “tools and information” and flood Western sites to sell drugs and other illegal items, the report claimed.

It goes without saying that if a Chinese cyber-criminal or group were to attack a foreign target — for financial gain or in nationalist-fueled hacktivism — the government is likely to turn a blind eye, according to the report.

Categories: Cyber Risk News

Accenture: CNI and Supply Chains at Risk

Thu, 08/09/2018 - 09:32

Attacks on critical infrastructure and industry supply chains and cryptomining represent some of the biggest threats facing organizations today, according to Accenture.

The firm’s latest Cyber Threatscape Report claimed CNI is an increasingly high value target for cyber-criminals and nation state actors alike, while a wide range of attackers will continue to focus on supply chains as a weak link in the corporate security chain.

“Third- and fourth-party environments provide adversaries with an entry point, even in verticals with mature cybersecurity standards, frameworks, and regulations,” the report noted. “Recent campaigns highlight the challenges of combatting weaponized software updates, pre-packaged devices, and supplier ecosystems as they fall outside the control of victim organizations.”

The consulting giant also pointed to a “radical shift” in the use of cryptocurrency mining malware targeting alternative coins like Monero, a trend likely to continue well into 2019.

The report highlighted a growing cyber-threat from Iran and APT groups using the same TTPs as espionage campaigns but for money-making ventures. The infamous Cobalt Group and Fin7 are just two examples.

While not earth-shattering, the report’s findings back up many of the trends other industry experts and vendors have highlighted in the past. The NCSC has warned of supply chain attacks this year and of increasingly brazen Russian attacks on UK critical national infrastructure in the energy, telecoms, media and other sectors.

A report in July from Check Point revealed cryptomining malware detections more than doubled from the second half of 2017 to the first six months of this year.

In response to these emerging threats, organizations must get more proactive in their thinking about business risk, according to Accenture Security managing director, Josh Ray.

“Learning from previous incidents and understanding what is coming next based on timely and actionable threat intelligence is key to keeping data and systems safe,” he said.

However, a survey from Accenture earlier this year found that 71% of CISOs interviewed believe cyber-threats are still a “bit of a black box; we do not quite know how or when they will affect our organization.”

Further, it found that only 13% of organizations think about future threats when drawing up their security budgets.

Categories: Cyber Risk News

Over 20 Flaws Discovered in Popular Healthcare Software

Thu, 08/09/2018 - 08:51

Multiple vulnerabilities in a popular healthcare software provider’s products may have put at risk the data of over 90 million patients.

OpenEMR develops open source electronic health record (EHR) and practice management tools, which are used to serve an estimated 30 million patients in the US and over three times that number globally.

However, according to a report released by researchers at Project Insecurity this week, its products were riddled with over 20 serious issues.

These included nine separate SQL injection vulnerabilities, four remote code execution flaws and several arbitrary file read, write and delete bugs. Others included a portal authentication bypass, unauthenticated information disclosure, and cross-site request forgery.

The group reached out to the vendor on July 7 and gave it a month to fix the bugs before going public.

The firm has now patched “most” of the vulnerabilities disclosed, according to the BBC.

"The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication,” a statement noted.

Healthcare was the industry most affected by breaches (24%) last year, and also the only sector in which insider threats (56%) outweighed those from external attackers (43%), according to Verizon.

Separate research from Thales eSecurity claimed that 70% of global healthcare organizations have been breached.

“Organizations such as OpenEMR who handle sensitive data are a prime target for attackers globally and cannot afford to have any gaps in their cybersecurity,” argued Keith Graham, CTO at SecureAuth Core Security.

“Keeping data available, confidential and safe isn’t just a business issue — it allows healthcare personnel to provide the best patient care possible. This discovery should act as a warning to other healthcare organizations to examine their own cybersecurity posture, including extensive pen testing, and improve their approach to authentication.”

Categories: Cyber Risk News

#BHUSA: Companies Encouraged to Adopt Sexual Harassment Policies

Thu, 08/09/2018 - 08:00

Speaking at the Black Hat conference in Las Vegas on 'How can Communities Move Forward After Incidents of Sexual Harassment or Assault?', Makenzie Peterson, wellness program director at Cornell University College of Veterinary Medicine, reviewed instances of sexual assault and asked how, as a community, we can address the issues.

At the first Black Hat after the emergence of the #MeToo movement against sexual harassment and assault, and after accusations against notable security researchers, Peterson said that sexual violence “is about power and control,” and looked at how best to respond.

“Offer unconditional support, listen to them, tell them you believe them, offer resources and realize that there are resources available in the community, and knowing what is available is really nice, as well as knowing there are people to talk to,” she said. “Also, don’t tell them what to do, and challenge the statements of self-blame.”

She recommended the “listen, validate, refer” method: listening to them, acknowledging that you’re there for them, and referring them to resources.

From a leadership perspective, Peterson said that there are ways that companies can be more progressive on this and she recommended adopting “a clear stance and make it very clear on your platforms” that everyone should know about what is and what is not OK.

She also recommended taking all complaints seriously, training and teaching community members at least twice a year about sexual harassment and what it is and what they can do about it.

Peterson concluded by calling for better prevention, education and accountability. “Sexual violence is not discriminatory, it is very much impacting everyone,” she said.

“Please think thoughtfully about community: always put the survivor at the center of your discussions as they are feeling something worse, and come up with something that people can read and understand and make it known and make it clear and very open, the more open you make the topic the much easier it is for a survivor to come forward in a male community.”

Categories: Cyber Risk News

#BHUSA Reality of Infosec Mental Health Issues Detailed

Wed, 08/08/2018 - 23:33

In a talk on “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” at the Black Hat conference in Las Vegas, the speakers detailed the problems that employees can typically face, as well as solutions that employees and employers can turn to.

Christian Dameff, clinical informatics fellow at the University of California, San Diego where he is also a security researcher, detailed instances where he was led to feel burned out. The other speaker, Jay Radcliffe, cyber security researcher at Boston Scientific, highlighted the common symptoms of burnout including “feeling cynical, no satisfaction from accomplishments, dreading going to work and no work life balance” which he said were “prevalent in the information security community.”

Radcliffe said: “I’ve seen friends leave and find new jobs after a year as they are burned out and tired of the rigmarole, and only working and traveling.” 

The two speakers said that there are lots of options to resolve issues, including counselors, clinicians, therapists and psychologists, with the latter “trained and providing therapy for mental health conditions,” according to Dameff. He recommended using the C-SSRS screening tool, while self-tests are available to diagnose depression.

Speaking to Infosecurity about what businesses can do, Radcliffe said he felt that small things can make a difference, such as making sure employees take their vacation time, making sure that they are encouraged if they are over-burdened all of the time.

He said: “If you think your employees have a lot of burnout, then do a burnout survey and actually measure your employees. Have them fill it out on a quarterly basis and if they show symptoms of burnout then you can make changes so that they are aware of that burnout and do something about it, like making vacation mandatory or changing their work schedules.”

Radcliffe acknowledged a “hero complex” in information security, a tendency to take on work regardless of the load. “This gives us value and it makes us feel like valuable employees, but it is unhealthy,” he said.

Dameff said that there are often privacy concerns around burnout surveys, and people are often worried about confidentiality. “A feeling that if my score was really high, I’m forced to go on vacation and my colleagues have to pick up the slack, so therefore I am depressed: you’ve got to be really careful about stuff like that,” Dameff said.

“But Jay is right, you’ve got to be able to see the trends and anticipate them and indicate how bad it is going to be, and figure out alternative strategies so you can keep people healthy and happy and sane.”

Categories: Cyber Risk News

#BHUSA Politics and Cyber-Defense Are Colliding

Wed, 08/08/2018 - 21:19

Opening Black Hat USA in Las Vegas, Black Hat founder Jeff Moss commented on the convergence of cybersecurity and political issues and said that world events “have caught up with us and we’re being tested.”

He said that while offense is a purely technical endeavor, defense is “largely political” in spend, strategy and what is being defended.

“I believe the technology we are delivering favors offense, the machine learning, the reinforcing algorithms, so the momentum is on offense, but in defense we’re stuck with politics,” he said.

Moss claimed that a culture still needs to be built for defense, whereas for offense that culture is already present.

“What are the political issues we’re facing? GDPR compliance is pretty political, you cannot twiddle a router and fix GDPR," he said. "Soon we might have a California law to deal with and more third-party agreements as we move more and more to the cloud, [and] that’s a political decision, too."

“If you look at some of the problems Facebook had with data retention," he continued, "and Cambridge Analytica got their hands on some data, how do you claw that data back? Who has access to your data and what are they doing with it? Not a technical thing; it sounds more political.”

Because of this, Moss said, business models are running into political models. So if your business model is to "connect the world’s users" but you’re dealing with a government whose model is to “control consent for the stability for society,” there is going to be some conflict.

“We’re starting to see that on a global scale,” he said. “That is ratcheting up the tension, and that seems new to me. That is why we are in the final exam stage, where all of these issues are conflating, and they are going to look to us for answers. It’s going to be people in this room who are involved in these conversations. Together we can probably figure this out.”

He said that it feels like the adversaries have strategies while we have tactics, and that's not good.

Moss concluded by saying that there are maybe 20 companies in the world that are in a position to raise the level of security and resilience for all of us. “I cannot fix the problems in the Microsoft operating system, only Microsoft can do that,” he said. “So if we politically influence Microsoft to build a better product, that will help everyone on the planet.”

Categories: Cyber Risk News

#BHUSA Better Collaboration and Recognition Can Make a Safer Internet

Wed, 08/08/2018 - 18:37

Delivering the keynote address at Black Hat USA in Las Vegas, Google’s director of engineering Parisa Tabriz talked about the need to collaborate, celebrate progress and recognize those doing the defensive work.

Tabriz claimed that there are times when she feels we are “living in a reality version of Whac-A-Mole,” and she admitted that as the head of Google’s Project Zero she gets frustrated when there are reports of vulnerabilities not addressed. 

She said that “98% of security issues that Project Zero reported [were] fixed within 90 days,” and while she later acknowledged that it “was and is controversial,” the project's aim is to challenge the status quo and push back, and sometimes efforts move faster with collaboration.

Tabriz said that the “world is dependent on being safe, so we need to be more strategic in our approach to defense” and that to be successful we need to:

  • Identify and tackle root causes
  • Be more intentional on projects, pick milestones and celebrate progress
  • Invest in bold defense projects and champions outside of security so efforts are successful

In terms of the first aim, she pointed to the work of Project Zero, which she said is “leading to positive change,” with the time taken to fix flaws and update users having been massively shortened.

“Today we see examples with vendors with better response, and no longer see pushback [to vulnerability disclosure] and see investment in sandboxing,” she said. However, with more transparency, more collaboration and more interest in user security, we can move to more shared security goals.

As part of this, Tabriz publicly thanked defenders “for being unsung heroes” and said it was time to “recognize and celebrate defenders more.”

On the second point, she pointed at the recent launch of Chrome 68, which will flag non-HTTPS websites as not secure, saying that “without HTTPS there is no security and no privacy.”

She acknowledged that initial plans, which began in 2014, did not happen due to concerns on website performance and user experience. But when it did happen, the team celebrated it as it was “fun but important to keep morale up” and it was important to “celebrate progress as we tackle gnarly security problems.”

Finally, on investing in defense, Tabriz encouraged investment in core technologies and said that when the benefits are not immediately clear, they need to be communicated. “Impactful is not adding new things but simplifying existing code.”

She concluded by saying that the right problems and technical solutions can be found, but everyone must work together to clear the path for a safer future. 

“Band together to stop playing Whac-A-Mole, so strategically pick milestones, remember to reflect on progress made and celebrate progress,” she said. “As we invest in a project where the benefits are not clear, build a coalition of champions. We care about making positive change. It’s up to all of us.”

Categories: Cyber Risk News

Industrial IoT Enables Attacks in Manufacturing Industry

Wed, 08/08/2018 - 16:31

The proliferation of industrial internet of things (IIoT) devices is reportedly at the root of the higher than normal rates of reconnaissance related to cyber-attacks and lateral movement activity in the manufacturing industry, according to a new report from Vectra.

The new 2018 Spotlight Report on Manufacturing analyzed attacker behaviors and network trends from more than 250 manufacturing enterprises that opted to be part of Vectra’s research. For six months, Vectra monitored network traffic, collecting metadata from customer cloud, data center and enterprise environments. Analysis of the metadata garnered from over 4 million devices and workloads revealed the ways in which the manufacturing industry is a prime target for attack.

Attackers who are able to bypass perimeter security gain network access, where they collect intel on their victims. The research revealed an unusually high volume of reconnaissance behavior, suggesting that attackers are mapping out manufacturing networks to locate critical assets.

Because the networks often have insufficient internal access controls, criminals are able to steal sensitive information with relative ease, the report found. Once attackers infiltrate the network, they spread the attack within it, as evidenced by the finding that there is an abnormally high level of lateral movement.

Given that security controls can interrupt and isolate manufacturing systems, many manufacturers fail to invest in them. Instead, factories connect IIoT devices to flat, unpartitioned networks that have to communicate with general computing devices and enterprise applications, according to the report.

“In the past, manufacturers relied on more customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal,” the report stated.

According to Vectra, the effort to automate real-time data collection across integrated digital systems, IIoT devices and cloud computing resources in the manufacturing supply chain is known as Industry 4.0. Using IIoT devices to converge enterprise information technology with operational technology networks in manufacturing organizations has enabled not only intellectual property theft but also business disruption.

Said Chris Morales, head of security analytics at Vectra, “The interconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of IIoT devices, has created a massive attack surface for cybercriminals to exploit.”

Categories: Cyber Risk News

What's Up with WhatsApp's Fake Messages?

Wed, 08/08/2018 - 15:01

Have you found yourself put off by a friend's comment or shocked by words Mom wrote in a group message on WhatsApp? WhatsApp users who have been questioning the content of comments from friends and family could be victims of a malicious actor, according to research released by Check Point.

According to a blog posted today, Check Point researchers discovered a vulnerability in WhatsApp that would allow an attacker to not only intercept messages but also manipulate them to put fake quotes into someone's digital mouth. Thus far, the researchers have found that there are three possible attack methods an attacker can use when exploiting the vulnerability. 

  1. Changing a reply from someone to put words into their mouth that they did not say.
  2. Quoting a message in a reply to a group conversation to make it appear as if the message came from a person who is not part of the group.
  3. Sending to a member of a group a message that looks to be a group message but is in fact only sent to this member. However, the member's response will be sent to the entire group.

The more than 1.5 billion WhatsApp users reportedly send over 65 billion messages per day. With more than 1 billion groups on the Facebook-owned application, there is a wealth of opportunity for attackers to have some fun scamming and scrambling people's exchanges.

Check Point researchers wrote that they followed the process of responsible disclosure to inform WhatsApp of the vulnerability they found. “Given WhatsApp’s prevalence among consumers, businesses, and government agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams," said Oded Vanunu, head of products vulnerability research at Check Point.

"As one of the main communication channels available today, WhatsApp is used for sensitive conversations, ranging from confidential corporate and government information to criminal intelligence that could be used in a court of law.”

Categories: Cyber Risk News

Get Schooled in Hacking at Bugcrowd University

Wed, 08/08/2018 - 11:42

According to a CISO survey conducted by Bugcrowd, 30 percent of CISOs plan to implement crowdsourced security programs in the coming year. To help fill the growing need for skilled researchers in the crowdsourced security field, Bugcrowd announced yesterday at Black Hat USA 2018 that it has launched Bugcrowd University.

Driven by the goals of improving the state of application security training and community engagement, the new Bugcrowd University will educate white hat hackers in the latest skills and methodologies. Delivering content that will empower security researchers, Bugcrowd University provides free, hands-on training and is open to all security researchers, even those who are not on the Bugcrowd platform.

According to Bugcrowd, organizations around the globe have seen a steady increase in the number of application vulnerabilities, which has resulted in more companies depending on crowdsourced bug bounty and vulnerability disclosure security programs that can identify their own vulnerabilities before an attacker is able to exploit them. This increased reliance on crowdsourced security programs has created a demand for more researchers.

The Bugcrowd Ambassador Program will continue to run in tandem with Bugcrowd University. By welcoming new researchers to the crowdsourced security field, Bugcrowd University will help to narrow the skills gap while offering continued training in new methodologies, enabling the white hat hacker community to level up their existing skills. 

“Making Bugcrowd home for researchers is one of our highest priorities. The goal of Bugcrowd University is to empower researchers with training and content to strengthen the security community,” said Jason Haddix, Bugcrowd's VP of trust and security, in a press release.

“With this Bugcrowd University program we will not only train and empower our Crowd to find high-priority vulnerabilities, we will also introduce this model to would-be security researchers around the world to increase the number of skilled researchers looking for vulnerabilities.”

Commenting on the announcement, a 16-year-old hacker from Hungary, xdavidhu, reportedly told Bugcrowd, “I am actually pretty excited for Bugcrowd University because I think for beginners it's extremely hard (at least was for me) to get started and to get a basic idea of how this really works. But getting learning material from official sources like Bugcrowd would help a lot of people out when they are just considering to start doing bug bounty.” 

Categories: Cyber Risk News

Grey Hat Warning as UK Security Pros Consider the Dark Side

Wed, 08/08/2018 - 09:46

One in 13 UK cybersecurity professionals has admitted to also participating in black hat activities, according to new research from Malwarebytes.

The security vendor commissioned Osterman Research to poll 900 professionals in the US, UK, Germany, Australia and Singapore to compile its latest study, White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime.

The UK stood out for three reasons. Its companies had the lowest average security budget globally; 97% of UK firms had fallen victim to a significant security threat over the past year, the highest of any country; and nearly 8% of respondents admitted to grey hat activity, versus a global average of 4.5%.

The study also revealed that 40% of UK security pros have known someone who has participated in black hat activity, 32% have been approached to take part and 21% have considered doing it.

The most popular reasons given for doing so were to earn more money (54%), the challenge that it offers (53%), retaliation against an employer (39%), philosophical reasons or some sort of cause (31%) and that it is not perceived as wrong (30%).

The financial challenge is likely to continue as the average security budget in the UK for a 2500-employee organization is set to grow by just 10% to £220,000 in 2018, according to the report. The largest chunk of this (17%) is apparently spent on remediation, with respondents claiming they’d spend on average more than £188,000 to remediate an incident.

"Companies need to assign more resources to their security budget, and that includes salaries for security researchers and other technicians. If an employee begins grumbling about pay, and if human resources are unresponsive to his or her requests, then organizations may be setting themselves up for a much larger financial loss down the line,” senior malware intelligence analyst Jérôme Segura told Infosecurity.

"Companies need to look for signs of individuals becoming unhappy or unfulfilled in their position and address them early on. Having regular dialogues between HR, managers and employees can help avoid more complicated situations at a later date.”

Segura added that tightening access controls can also help to mitigate the inside threat.

Categories: Cyber Risk News

ONS Report Highlights Confusion Over ‘Smartphone Security’

Wed, 08/08/2018 - 09:14

The Office for National Statistics (ONS) has warned that a lack of awareness about mobile security may be a cause for concern in the future, as smartphone threats mount.

Published yesterday, the latest ONS bulletin, Internet access – households and individuals, Great Britain: 2018, revealed that mobile phones are the most popular device used to access the internet, with 78% of UK adults logging on in 2018.

However, there are question marks around security. Over a quarter (26%) of respondents said they didn’t have any security software on their device, while 24% said they didn’t know if there was security installed.

“Although the proportion of adults who had lost information or data as a result of a virus or hostile program was only 2%, this could potentially become a concern in the future due to lack of awareness surrounding the importance of security installation,” the ONS warned.

However, experts claimed that most smartphones come with a good level of built-in protection. John Kozyrakis, staff research engineer at Synopsys’ Software Integrity Group, argued the ONS report confuses 'smartphone security' with third-party security apps.

“Both Android and Apple iOS automatically install several security software components on user devices to combat malware and viruses. Users are typically unaware of these actions, as the relevant security components are ‘under the hood’ of the operating systems,” he added.

“I attribute the 26% figure to the public being unaware of how much effort goes into securing and protecting against malware by Google and Apple. On an up-to-date, recent device released within the last three years, which has not been jailbroken intentionally, and does not get applications from places other than the official marketplaces (Google Play and Apple Store), there is absolutely no need to install any third-party security software.”

Imperva CTO Terry Ray claimed that the percentage of users that don't have security software installed is likely to be significantly higher than 26%, but that this isn’t a major issue.

“This isn’t overly critical yet, as there are only a small number of attack tools at the moment, and application stores are currently taking ownership of preventing user threats to these,” he argued.

Categories: Cyber Risk News

Healthcare Firm Exposes Data on 2m+ Mexicans

Wed, 08/08/2018 - 08:49

Highly sensitive data on over 2.3 million Mexican patients has been exposed via a misconfigured MongoDB installation.

Bob Diachenko, formerly of the Kromtech Security Center, made the discovery via a simple Shodan search last week and claimed in a post that the data was viewable and editable for anyone without a password.

It included full name and gender, unique identity code, insurance policy number, date of birth, home address, and disability and migrant flags.

The database owner, telemedicine company Hova Health, sent the following brief statement when notified: “All the areas that work on this project are reviewing exactly what happened and checking all our infrastructure to avoid this kind of event.”

Along with the patient data, which appears to cover only individuals from a specific region of the country (Michoacán), Diachenko found hashed and salted admin account passwords and email addresses.

“It is unclear how long the data was publicly exposed or who else except myself had access. This is yet another warning to any company or service provider that handles and stores personal medical data,” he argued.

“Security experts warn that not only should they audit their security processes regularly, but they should also have an incident response process in the event of a data leak. With the wave of ransomware attacks on hospitals and medical providers it is clear that the healthcare sector is being targeted by cyber criminals.”

Although there have been countless cases of misconfigured cloud accounts found publicly exposed, often thanks to mistakes by third-party suppliers, with MongoDB there’s an even greater risk.

Last year saw two waves of attacks on publicly accessible MongoDB databases in which cyber-criminals stole the data before deleting the original copy and demanding a ransom. There were nearly 76,000 victims in the September 2017 attack campaign.

For its part, MongoDB released guidance for users, claiming that if they follow the “extensive security protections built into MongoDB” they would be protected. However, Diachenko claimed nearly 54,000 databases are still exposed.
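The exposure described above, a database readable and editable without a password from the open internet, comes down to two settings in the server's configuration file. The following mongod.conf comparison is an added example, not text from the article, from Hova Health or from MongoDB's own guidance: the first document shows the configuration that produces an exposed instance, the second the hardened form. The private address, certificate path and the comment values are placeholders.

```yaml
# Added example: mongod.conf, exposed form versus hardened form.
# Addresses and file paths below are placeholders, not values from the article.

# --- Exposed: listens on every interface with authentication switched off.
# Anyone who can reach TCP port 27017 can list, read, modify and drop databases,
# which is exactly what a Shodan search surfaces.
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled  # no credentials required for any operation
---
# --- Hardened: loopback plus one private address, authentication required.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5    # placeholder: loopback plus the application server's private IP
  tls:
    mode: requireTLS            # clients must speak TLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled        # every client authenticates; roles limit what it may touch
```

Enabling authorization on a server that has no users yet is safe to do first: MongoDB's localhost exception lets the first administrative user be created from a connection on the same host, after which the exception no longer applies. After restarting, confirm the listener with `ss -ltnp | grep 27017` and check that only the intended addresses appear; a database that must be reachable from another host should sit behind a firewall rule that permits only that host, never an open 0.0.0.0 bind. Incidents like the two 2017 ransom campaigns mentioned above are worth treating as an audit prompt for every MongoDB instance in an estate, including ones deployed by third-party suppliers.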

Categories: Cyber Risk News

#BHUSA18: People are the Key to a Security Company

Wed, 08/08/2018 - 07:20

The future of cybersecurity product development relies on having a good idea, and the networking skills to get good feedback, customers and employees.

At the Black Hat conference in Las Vegas, CA Veracode CTO Chris Wysopal spoke on the ideas needed to start a company. Admitting that he was a “geeky kid” who later moved into software development, doing a computer engineering degree and vulnerability research, he said he was able to join local networks in the Boston, Massachusetts area by joining bulletin boards.

This later led him to join the working group L0pht, who were called to testify to the Senate in 1998 “and we took the leap and did the best job we could and took the opportunity and glad we did it.”

The theme of Wysopal’s talk, though, was networking, and the need to overcome the comfort zone of not talking to people. He likened it to exercise, “as it takes work and when you do it, you feel glad of it.”

He said: “If you start a company you need to know people, and you have to convince them to work for you. You need to meet them and see if they can work with you, and networking is critical if you want to start a company and meet people who are not exactly like you, such as developers and sales people. Not all security people.”

In terms of starting a company, he said that regardless of age, “if you have the urge to do it, go for it and be prepared to work on it for five, six or seven years and the best thing is to talk to people, find pitch challenges, apply to incubators and apply as you learn something from the application process and if it is rejected, ask why.”

Finally, on networking, Wysopal advised delegates to talk to potential customers and to get feedback from them and from knowledgeable investors.

As well as identifying a niche idea to invent, he also recommended delegates look at getting along to local conferences, and take the leap of speaking at a small event and sharing knowledge. “That is what science is, and I urge you to try it.”

Categories: Cyber Risk News